Deploy ExternalDNS

In this section you will configure and deploy ExternalDNS using Workload Identity to provide it with permissions to manage DNS records on Google Cloud DNS.


If you are not going to use Cloud DNS to assign an FQDN to your Load Balancer, you can use Cloud Endpoints or edit /etc/hosts manually instead. You will find instructions for both alternatives in the guide that follows, so you may skip this section and proceed to the What's Next section.


  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Specify the name for the service account for ExternalDNS:

    root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=<EDNS_SERVICE_ACCOUNT_NAME>

    Replace <EDNS_SERVICE_ACCOUNT_NAME> with your desired service account name. For example:

    root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT_NAME=external-dns

    This must be between 6 and 30 characters, and can contain lowercase alphanumeric characters and dashes.

  3. Create the service account for ExternalDNS:

    root@rok-tools:~/ops/deployments# gcloud iam service-accounts create ${EDNS_SERVICE_ACCOUNT_NAME?} \
    >     --display-name=${EDNS_SERVICE_ACCOUNT_NAME?}
  4. Specify the service account email:

    root@rok-tools:~/ops/deployments# export EDNS_SERVICE_ACCOUNT=${EDNS_SERVICE_ACCOUNT_NAME?}@${PROJECT_ID?}.iam.gserviceaccount.com
  5. Bind the service account to the DNS admin role:

    root@rok-tools:~/ops/deployments# gcloud projects add-iam-policy-binding ${PROJECT_ID?} \
    >     --member="serviceAccount:${EDNS_SERVICE_ACCOUNT?}" \
    >     --role=roles/dns.admin \
    >     --condition=None
  6. Link the Google Cloud service account to the Kubernetes service account that ExternalDNS will run under, that is, the external-dns service account in the default namespace:

    root@rok-tools:~/ops/deployments# gcloud iam service-accounts add-iam-policy-binding ${EDNS_SERVICE_ACCOUNT?} \
    >     --member="serviceAccount:${PROJECT_ID?}.svc.id.goog[default/external-dns]" \
    >     --role=roles/iam.workloadIdentityUser
  7. Edit rok/external-dns/overlays/deploy/kustomization.yaml and use gke as base:

    #- ../eks
    - ../gke
  8. Edit rok/external-dns/overlays/deploy/kustomization.yaml and enable only the sa-gcp and deploy-gcp patches:

    #- path: patches/sa.yaml
    - path: patches/sa-gcp.yaml
    #- target:
    #    kind: Deployment
    #    name: external-dns
    #  path: patches/deploy.yaml
    - target:
        kind: Deployment
        name: external-dns
      path: patches/deploy-gcp.yaml
  9. Edit rok/external-dns/overlays/deploy/patches/deploy-gcp.yaml and set --domain-filter and --google-project to your domain and project ID respectively:

    - --domain-filter=example.com  # <-- Update this line with your DOMAIN
    - --google-project=myproject  # <-- Update this line with your PROJECT_ID
  10. Edit rok/external-dns/overlays/deploy/patches/sa-gcp.yaml and set the Workload Identity related annotation to the name of your Google Cloud service account for ExternalDNS:

    iam.gke.io/gcp-service-account: external-dns@myproject.iam.gserviceaccount.com  # <-- Update this line with your EDNS_SERVICE_ACCOUNT
  11. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Deploy ExternalDNS on GKE"
  12. Deploy ExternalDNS:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/external-dns/overlays/deploy


  1. Verify that the ExternalDNS deployment is up and running, that is, that the READY column shows 1/1:

    root@rok-tools:~/ops/deployments# kubectl get deploy/external-dns
    NAME           READY   UP-TO-DATE   AVAILABLE   AGE
    external-dns   1/1     1            1           1m
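As an added post-deployment audit (example code written for this guide, not part of the Rok tooling), the script below derives the EDNS_SERVICE_ACCOUNT email and the Workload Identity member from steps 2 to 6, checks the service account name constraint from step 2, and flags any principal other than the ExternalDNS service account that holds roles/dns.admin on the project or roles/iam.workloadIdentityUser on that service account, since those two bindings are what let a workload rewrite your managed zone. The policies are constructed inline in the shape of `gcloud ... get-iam-policy --format=json` output; against a real project you would load that output instead.

```python
import re

# Constraint stated in step 2 of the guide: 6-30 chars, lowercase alphanumerics and dashes.
SA_NAME_RE = re.compile(r"^[a-z0-9-]{6,30}$")
DNS_ADMIN = "roles/dns.admin"
WI_USER = "roles/iam.workloadIdentityUser"


def validate_sa_name(name: str) -> bool:
    return SA_NAME_RE.fullmatch(name) is not None


def gsa_email(sa_name: str, project_id: str) -> str:
    """The EDNS_SERVICE_ACCOUNT value exported in step 4."""
    return f"{sa_name}@{project_id}.iam.gserviceaccount.com"


def wi_member(project_id: str, namespace: str, ksa_name: str) -> str:
    """Workload Identity member for a Kubernetes service account (step 6)."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def _members_with_role(policy: dict, role: str) -> list:
    return [m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])]


def audit_dns_admin(project_policy: dict, expected_email: str) -> list:
    """Principals holding roles/dns.admin on the project other than the ExternalDNS GSA."""
    return [m for m in _members_with_role(project_policy, DNS_ADMIN)
            if m != f"serviceAccount:{expected_email}"]


def audit_wi_users(gsa_policy: dict, expected_member: str) -> list:
    """Kubernetes identities allowed to impersonate the GSA other than default/external-dns."""
    return [m for m in _members_with_role(gsa_policy, WI_USER) if m != expected_member]


# Constructed sample policies, shaped like `gcloud ... get-iam-policy --format=json` output.
PROJECT_ID = "myproject"  # placeholder project ID, as in the guide
GSA = gsa_email("external-dns", PROJECT_ID)
EXPECTED_MEMBER = wi_member(PROJECT_ID, "default", "external-dns")
PROJECT_POLICY = {"bindings": [
    {"role": DNS_ADMIN, "members": [f"serviceAccount:{GSA}", "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]}
GSA_POLICY = {"bindings": [{"role": WI_USER, "members": [
    EXPECTED_MEMBER, wi_member(PROJECT_ID, "default", "debug-shell")]}]}

if __name__ == "__main__":
    print("unexpected dns.admin members:", audit_dns_admin(PROJECT_POLICY, GSA))
    print("unexpected Workload Identity users:", audit_wi_users(GSA_POLICY, EXPECTED_MEMBER))
```

Any name the audit prints is a principal that can change DNS records through this path and should be either removed or explicitly accounted for.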


You have successfully deployed ExternalDNS and allowed it to access your Cloud DNS managed zone.

What's Next

The next step is to assign a proper FQDN to your Load Balancer IP address.