堂-DayDayUP VIM Linux Life
堂-DayDayUP
VIM Linux Life

Kubernetes 常用简单优化

已发表 -更新 
### docker 优化配置
cat > /etc/docker/daemon.json <<EOF
{
    "registry-mirrors": [
       "https://wli8urvv.mirror.aliyuncs.com",
       "https://docker.mirrors.ustc.edu.cn",
       "https://hub-mirror.c.163.com",
       "https://registry.docker-cn.com"
     ],
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-opts": {
        "max-size": "300m",
        "max-file":"5"
     },
    "max-concurrent-downloads": 10,
    "max-concurrent-uploads": 5,
    "live-restore": true
}
EOF
systemctl daemon-reload && systemctl restart docker

<strong>### controller-magager 下发证书期限延长</strong>
vim /usr/lib/systemd/system/kube-controller-manager.service 
 --cluster-signing-duration=87600h0m0s 
 --feature-gates=RotateKubeletServerCertificate=true   ##高版本已经默认开启
    实操提示:k8s版本小于1.19.0版,添加第一个参数为
 --experimental-cluster-signing-duration=87600h0m0s 

<strong>### kubelet 提高tls安全加密方式</strong>
vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --image-pull-progress-deadline=30m"
systemctl daemon-reload && systemctl restart kubelet.service
#设置k8s的加密方式,防止漏洞扫描
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#下载镜像的时间,防止镜像下载很慢情况下超时
--image-pull-progress-deadline=30m  

<strong>### kubelet 预留资源配置</strong>
cat /etc/kubernetes/kubelet-conf.yml
# kube-reserved 是为了给诸如 kubelet、container runtime、node problem detector 等 kubernetes 系统守护进程争取资源预留。这并不代表要给以 pod 形式运行的系统守护进程保留资源。
kubeReserved:  # 配置 kube 资源预留
  cpu: 1000m
  memory: 2Gi
  ephemeral-storage: 2Gi
# system-reserved 用于为诸如 sshd、udev 等系统守护进程争取资源预留。system-reserved 也应该为 kernel 预留 内存,因为目前 kernel 使用的内存并不记在 Kubernetes 的 pod 上。同时还推荐为用户登录会话预留资源(systemd 体系中的 user.slice)。
systemReserved:  # 配置系统资源预留
  cpu: 500m
  memory: 1Gi
  ephemeral-storage: 2Gi  
# 当节点上的可用内存降至保留值以下时,kubelet 将尝试 驱逐 pod
evictionHard:  # 配置硬驱逐阈值
  memory.available: "300Mi"
  nodefs.available: "10%"

<strong>### 节点node roles lable配置</strong>
kubectl  label nodes k8s01 node-role.kubernetes.io/master=
#取消lable配置
kubectl  label nodes k8s01 node-role.kubernetes.io/master-