Deploy ExternalDNS

In this section you will configure and deploy ExternalDNS using an IAM role to provide it with permissions to manage DNS records on Route 53.

Choose one of the following options to deploy ExternalDNS:

Option 1: Deploy ExternalDNS Automatically (preferred)

Deploy ExternalDNS by following the on-screen instructions on the rok-deploy user interface.

If rok-deploy is not already running, start it with:

root@rok-tools:~# rok-deploy --run-from eks-alb-edns

Proceed to the Summary section.

Option 2: Deploy ExternalDNS Manually

If you want to deploy ExternalDNS manually, follow the instructions below.


If you have exposed EKF with ALB, you already have an ExternalDNS deployment and may have already run part of this procedure. Run the procedure again anyway, because it includes additional configuration.


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Restore the required context from previous sections:

    root@rok-tools:~/ops/deployments# source <(cat deploy/env.{eks-alb-zone,eks-alb-iam-edns,serving-eks-alb-zone})
    root@rok-tools:~/ops/deployments# export EKS_ALB_ZONE_DOMAIN EKS_ALB_IAM_EDNS_ROLE SERVING_EKS_ALB_ZONE_DOMAIN


    EKS_ALB_ZONE_DOMAIN may be unset if you have not gone through Deploy ExternalDNS already.

  3. Edit rok/external-dns/overlays/deploy/kustomization.yaml and use eks as base:

    bases:
    - ../eks
    #- ../gke
  4. Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable only the sa and deploy patches:

    patches:
    - path: patches/sa.yaml
    #- path: patches/sa-gcp.yaml
    - target:
        kind: Deployment
        name: external-dns
      path: patches/deploy.yaml
    #- target:
    #    kind: Deployment
    #    name: external-dns
    #  path: patches/deploy-gcp.yaml
  5. Render the ExternalDNS deployment patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/external-dns/overlays/deploy/patches/deploy.yaml.j2 \
    >     -o rok/external-dns/overlays/deploy/patches/deploy.yaml
  6. Obtain the ARN of the IAM role for ExternalDNS:

    root@rok-tools:~/ops/deployments# export ROLE_ARN=$(aws iam get-role \
    >     --role-name ${EKS_ALB_IAM_EDNS_ROLE?} \
    >     --query Role.Arn \
    >     --output text)
  7. Render the ExternalDNS service account patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 rok/external-dns/overlays/deploy/patches/sa.yaml.j2 \
    >     -o rok/external-dns/overlays/deploy/patches/sa.yaml
  8. Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable the domain-filter-serving patch:

    patches:
    ...
    - target:
        kind: Deployment
        name: external-dns
      path: patches/domain-filter-serving.yaml
  9. Render the domain-related patch template with the variables you have specified:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/external-dns/overlays/deploy/patches/domain-filter-serving.yaml.j2 \
    >     -o rok/external-dns/overlays/deploy/patches/domain-filter-serving.yaml
  10. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Deploy ExternalDNS"
  11. Deploy ExternalDNS:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/external-dns/overlays/deploy
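
The following is an added example, not part of the original procedure or of rok-deploy: a pre-commit check, to run before step 10, that the role ARN from step 6 and the serving domain from step 2 actually landed in the rendered patches. The function names are hypothetical, and it assumes the j2 templates emit the variable values verbatim.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the rendered ExternalDNS patches.
# Function names are hypothetical; file paths are those used in the steps above.

PATCH_DIR=rok/external-dns/overlays/deploy/patches

# Succeeds only for a syntactically valid IAM role ARN
# (partition, 12-digit account ID, role path/name).
valid_role_arn() {
    printf '%s\n' "$1" | grep -Eq \
        '^arn:aws(-cn|-us-gov)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Succeeds only if file $1 exists and contains the non-empty value $2.
# Assumption: the templates write the variable values unchanged.
rendered_with() {
    [ -n "$2" ] && [ -f "$1" ] && grep -Fq -- "$2" "$1"
}

# Runs all checks, prints one line per failure on stderr,
# and returns the number of failed checks (0 means safe to commit).
preflight() {
    local dir="${1:-$PATCH_DIR}" fails=0
    if ! valid_role_arn "${ROLE_ARN:-}"; then
        echo "ROLE_ARN is empty or not an IAM role ARN: '${ROLE_ARN:-}'" >&2
        fails=$((fails + 1))
    fi
    if ! rendered_with "$dir/sa.yaml" "${ROLE_ARN:-}"; then
        echo "sa.yaml does not reference ROLE_ARN" >&2
        fails=$((fails + 1))
    fi
    if ! rendered_with "$dir/domain-filter-serving.yaml" \
            "${SERVING_EKS_ALB_ZONE_DOMAIN:-}"; then
        echo "domain-filter-serving.yaml lacks SERVING_EKS_ALB_ZONE_DOMAIN" >&2
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

Source the file and call `preflight` from `~/ops/deployments`; a non-zero return means a patch was rendered without the expected role or domain and should be re-rendered before committing.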


  1. Verify that the ExternalDNS deployment is up and running. The READY field should be 1/1:

    root@rok-tools:~# kubectl get deploy/external-dns
    NAME           READY   UP-TO-DATE   AVAILABLE   AGE
    external-dns   1/1     1            1           1m


You have successfully deployed ExternalDNS and allowed it to access your Amazon Route 53 hosted zone.

What’s Next

The next step is to create an ACM certificate for your domain.