### docker 优化配置
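# Write the Docker daemon configuration and restart dockerd so it takes effect.
# - /etc/docker may not exist yet on a fresh host, so create it first.
# - The heredoc delimiter is quoted ('EOF') so nothing inside is subject to
#   shell expansion; the JSON is written byte-for-byte.
# - registry-mirrors are third-party intermediaries: pulling images by digest
#   keeps the content independent of which mirror served it.
# - native.cgroupdriver=systemd must match the kubelet's cgroupDriver setting.
# - live-restore is only effective once a daemon started with it is running;
#   presumably this first restart still stops running containers — confirm.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<'EOF'
{
  "registry-mirrors": [
    "https://wli8urvv.mirror.aliyuncs.com",
    "https://docker.mirrors.ustc.edu.cn",
    "https://hub-mirror.c.163.com",
    "https://registry.docker-cn.com"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-opts": {
    "max-size": "300m",
    "max-file": "5"
  },
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "live-restore": true
}
EOF
# daemon-reload only re-reads unit files; daemon.json is read by dockerd on start.
systemctl daemon-reload && systemctl restart docker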
### controller-manager 下发证书期限延长
vim /usr/lib/systemd/system/kube-controller-manager.service
--cluster-signing-duration=87600h0m0s
--feature-gates=RotateKubeletServerCertificate=true ##高版本已经默认开启
实操提示:k8s版本小于1.19.0版,添加第一个参数为
--experimental-cluster-signing-duration=87600h0m0s
### kubelet 提高tls安全加密方式
vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --image-pull-progress-deadline=30m"
# Re-read unit files, then restart the kubelet so the new drop-in flags apply.
systemctl daemon-reload && systemctl restart kubelet.service
#设置 kubelet 的 TLS 加密套件,避免漏洞扫描报告弱加密套件
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#镜像拉取进度的超时时间,防止镜像下载很慢的情况下被判定为超时
--image-pull-progress-deadline=30m
### kubelet 预留资源配置
# Print the kubelet configuration file (the reservation excerpt is shown below).
cat -- /etc/kubernetes/kubelet-conf.yml
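# Excerpt of the kubelet configuration (resource reservation and eviction).
# The nested keys must be indented under their section; a flattened listing
# is not valid nesting.
#
# kube-reserved reserves resources for Kubernetes system daemons such as the
# kubelet, the container runtime and node problem detector. It is not meant
# for system daemons that run as pods.
kubeReserved:
  cpu: 1000m
  memory: 2Gi
  ephemeral-storage: 2Gi
# system-reserved reserves resources for OS daemons such as sshd and udev. It
# should also cover memory used by the kernel, which is currently not accounted
# to Kubernetes pods; reserving resources for user login sessions (user.slice
# under systemd) is recommended as well.
systemReserved:
  cpu: 500m
  memory: 1Gi
  ephemeral-storage: 2Gi
# When available memory on the node drops below the reserved threshold the
# kubelet attempts to evict pods.
evictionHard:
  memory.available: "300Mi"
  nodefs.available: "10%"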
### 节点node roles lable配置
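# Node whose role label is managed below (the original hard-coded k8s01).
node=k8s01
# The two commands are alternatives: a trailing "=" sets the key with an empty
# value, a trailing "-" removes it. Run in sequence they net to "removed".
# NOTE(review): newer kubeadm releases use node-role.kubernetes.io/control-plane
# instead of .../master — confirm for the cluster version in use.
kubectl label nodes "$node" node-role.kubernetes.io/master=
#取消lable配置 (remove the label)
kubectl label nodes "$node" node-role.kubernetes.io/master-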