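# Write the Docker daemon configuration. This overwrites any existing
# /etc/docker/daemon.json, so merge by hand if the host already has one.
#
# - registry-mirrors: Docker Hub pulls may be served by these third-party
#   mirror endpoints, so image integrity depends on them unless images are
#   pulled by digest or otherwise verified; keep only mirrors you trust.
# - exec-opts: systemd cgroup driver (presumably to match the kubelet's
#   cgroup driver -- confirm against the kubelet configuration).
# - log-opts: rotate container logs at 300m, keeping 5 files.
# - live-restore: keep containers running while the daemon is down.
#
# The heredoc delimiter is quoted so the JSON is written literally and a
# later edit containing `$` or backticks is not expanded by the shell.
cat > /etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": [
"https://wli8urvv.mirror.aliyuncs.com",
"https://docker.mirrors.ustc.edu.cn",
"https://hub-mirror.c.163.com",
"https://registry.docker-cn.com"
],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-opts": {
"max-size": "300m",
"max-file":"5"
},
"max-concurrent-downloads": 10,
"max-concurrent-uploads": 5,
"live-restore": true
}
EOF
# Reload systemd units, then restart Docker only if the reload succeeded.
systemctl daemon-reload && systemctl restart docker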
<strong>### controller-manager 下发证书期限延长</strong>
vim /usr/lib/systemd/system/kube-controller-manager.service
--cluster-signing-duration=87600h0m0s
--feature-gates=RotateKubeletServerCertificate=true ##高版本已经默认开启
说明:87600h 约为 10 年;签发的证书有效期越长,私钥泄露后的风险窗口也越长,应配合证书轮换使用。
实操提示:k8s 版本低于 1.19.0 时,第一个参数改为
--experimental-cluster-signing-duration=87600h0m0s
<strong>### kubelet 提高tls安全加密方式</strong>
vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --image-pull-progress-deadline=30m"
systemctl daemon-reload && systemctl restart kubelet.service
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
--image-pull-progress-deadline=30m
<strong>### kubelet 预留资源配置</strong>
cat /etc/kubernetes/kubelet-conf.yml
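# Excerpt of the kubelet configuration file; the nesting lost in the
# flattened listing is restored so each value sits under its parent key.
kubeReserved: # resource reservation for kube components
  cpu: 1000m
  memory: 2Gi
  ephemeral-storage: 2Gi
systemReserved: # resource reservation for the system
  cpu: 500m
  memory: 1Gi
  ephemeral-storage: 2Gi
evictionHard: # hard eviction thresholds
  memory.available: "300Mi"
  nodefs.available: "10%"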
<strong>### 节点 node roles label 配置</strong>
# Add the node-role.kubernetes.io/master label (empty value) to node k8s01.
kubectl label nodes k8s01 node-role.kubernetes.io/master=
# Remove that label again: a trailing "-" after the key deletes it.
kubectl label nodes k8s01 node-role.kubernetes.io/master-