Pi-hole

Deploy Pi-hole DNS sinkhole on Kubernetes using the official pihole/pihole container image. Provides network-wide ad blocking via DNS filtering with optional Unbound recursive DNS.

Key Features

  • Network-Wide Ad Blocking — DNS-level filtering for all devices
  • Custom DNS Records — Local A records, CNAME records, and dnsmasq config
  • Unbound Sidecar — Optional recursive DNS resolver for privacy
  • Pi-hole v6+ — Modern configuration via FTLCONF environment variables
  • Prometheus Metrics — pihole-exporter sidecar with ServiceMonitor
  • Ingress Support — Configurable ingress with TLS for web admin
  • DNSSEC Validation — Optional DNS Security Extensions

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install pihole helmforge/pihole

OCI registry:

helm install pihole oci://ghcr.io/helmforgedev/helm/pihole

Basic Example

# values.yaml
admin:
  password: 'change-me'

pihole:
  timezone: UTC
  upstreamDns: '1.1.1.1;1.0.0.1'

dns:
  customRecords:
    - '192.168.1.1 router.home'
    - '192.168.1.10 nas.home'

serviceDns:
  type: LoadBalancer
  loadBalancerIP: '192.168.1.53'

persistence:
  enabled: true
  size: 1Gi
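
A pre-deploy check over values like the ones above, added here as an example (it is not part of the chart or its documentation). It flags a placeholder admin password, a DNS service IP outside private address space, and malformed custom records. The placeholder list, the 12-character minimum and the file name `audit_values.py` are assumptions of this example.

```python
import ipaddress
import json
import sys

# Assumptions of this example, not chart rules: the placeholder list and minimum length.
PLACEHOLDERS = {"change-me", "changeme", "admin", "password", "pihole"}
MIN_PASSWORD_LEN = 12


def audit_values(values):
    """Return a list of findings for a dict of chart values."""
    findings = []

    # An empty password is fine: the chart auto-generates one in that case.
    password = values.get("admin", {}).get("password", "")
    if password and (password.lower() in PLACEHOLDERS or len(password) < MIN_PASSWORD_LEN):
        findings.append("admin.password: placeholder or too short")

    # A resolver on a publicly routable address can be abused as an open resolver.
    lb_ip = values.get("serviceDns", {}).get("loadBalancerIP", "")
    if lb_ip:
        try:
            if not ipaddress.ip_address(lb_ip).is_private:
                findings.append(f"serviceDns.loadBalancerIP: {lb_ip} is not a private address")
        except ValueError:
            findings.append(f"serviceDns.loadBalancerIP: {lb_ip!r} is not an IP address")

    # Each custom record is '<IP> <hostname>', as in the Basic Example.
    for record in values.get("dns", {}).get("customRecords", []):
        parts = record.split()
        try:
            if len(parts) != 2:
                raise ValueError
            ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(f"dns.customRecords: malformed record {record!r}")

    return findings


if __name__ == "__main__":
    # Usage: helm get values pihole -o json | python audit_values.py
    problems = audit_values(json.load(sys.stdin) or {})
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run against the Basic Example as written, it reports only the `change-me` password; leaving `admin.password` empty lets the chart generate one instead.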

Unbound Example

unbound:
  enabled: true

pihole:
  dnssec: true

serviceDns:
  type: LoadBalancer
  loadBalancerIP: '192.168.1.53'

Key Values

| Key | Default | Description |
| --- | --- | --- |
| pihole.timezone | UTC | Timezone for logs |
| pihole.upstreamDns | 8.8.8.8;8.8.4.4 | Upstream DNS servers |
| pihole.dnssec | false | Enable DNSSEC validation |
| admin.password | "" | Admin password (auto-generated if empty) |
| dns.customRecords | [] | Local DNS A records |
| dns.cnameRecords | [] | Custom CNAME records |
| unbound.enabled | false | Enable Unbound recursive DNS |
| metrics.enabled | false | Enable Prometheus metrics |
| ingress.enabled | false | Enable ingress for web admin |
| serviceDns.type | LoadBalancer | DNS service type |
| serviceDns.loadBalancerIP | | Fixed IP for DNS |
| persistence.enabled | true | Enable persistent storage |
| persistence.size | 1Gi | PVC size |

More Information

See the source code and full values reference on GitHub.