Deployment parameter tuning (Tar delivery)
Note
The configuration files only need to be edited during the first build and written back to the deployment host; afterwards, running ${HOME}/outputs/start-kubespray.sh loads all previous settings automatically.
Pick the settings below that match the OS of the target hosts.
After entering the container, the default ssh client settings on RHEL cause ssh connections to stall and time out; it is recommended to turn off GSSAPI authentication in the client config with the following commands:
```bash
cat > ~/.ssh/config << EOF
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
EOF
```
Patch the official Kubespray variables so the required packages for Debian 12 are present:
```bash
cat > /kubespray/roles/kubernetes/preinstall/vars/debian-12.yml << EOF
---
required_pkgs:
  - python3-apt
  - gnupg
  - apt-transport-https
  - software-properties-common
  - conntrack
  - iptables
  - apparmor
  - libseccomp2
  - mergerfs
EOF
```
Generate the Inventory file (Optional)
Here a tool is used to generate the Inventory file (YAML format) automatically; an existing Inventory file can be used instead.
```bash
# Example: declare -a IPS=(192.168.1.2 192.168.1.3 192.168.1.4)
declare -a IPS=(<target-server-1-IP> <target-server-2-IP> <target-server-3-IP>)
cd /kubespray && cp -rfp inventory/sample/* /inventory/
CONFIG_FILE=/inventory/hosts.yml python3 contrib/inventory_builder/inventory.py "${IPS[@]}"
```
Adjust the Inventory settings
Produce the deployment node configuration file
- Change ansible_user to the name of the dedicated deployment account created in the earlier step.
- Set the hostname of each node (the example uses master1, worker1, worker2).
- Decide each target node's role: control plane (Control Plane), worker (Worker Node), or etcd node.
The following is an example (adjust it to your environment; do not copy/paste as-is):
```bash
cat > /inventory/hosts.yml << EOF
all:
  vars:
    ansible_user: <deployment account>
  hosts:
    master1:
      ansible_host: <Master Node IP>
      ip: <Master Node IP>
      access_ip: <Master Node IP>
    worker1:
      ansible_host: <Worker Node 1 IP>
      ip: <Worker Node 1 IP>
      access_ip: <Worker Node 1 IP>
    worker2:
      ansible_host: <Worker Node 2 IP>
      ip: <Worker Node 2 IP>
      access_ip: <Worker Node 2 IP>
  children:
    kube_control_plane:
      hosts:
        master1:
    kube_node:
      hosts:
        worker1:
        worker2:
    etcd:
      hosts:
        master1:
    k8s_cluster:
      children:
        kube_control_plane:
        kube_node:
    calico_rr:
      hosts: {}
EOF
```
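Before running the playbook it is worth checking the finished hosts.yml for exactly the mistakes this step warns about: placeholders left in, a missing ansible_user, a host listed in a group but never declared under all.hosts, and an etcd group with an even member count (etcd needs an odd number of members for quorum). The script below is an added example, not part of Kubespray or of the original procedure; it assumes the 2-space YAML layout shown above, which is also what inventory_builder emits.

```shell
#!/bin/sh
# Pre-flight checks for a Kubespray hosts.yml (added example; the field names
# and the 2-space layout follow the inventory shown above).
#   - no template placeholders such as <Master Node IP> left behind
#   - ansible_user is set
#   - every host referenced under children is declared under all.hosts
#   - kube_control_plane is not empty and etcd has an odd member count (quorum)

# Hosts declared under all.hosts: keys at 4-space indent with no value.
declared_hosts() {
  awk '
    /^  hosts:[ \t]*$/                         { inhosts = 1; next }
    inhosts && /^  [^ ]/                       { inhosts = 0 }
    inhosts && /^    [A-Za-z0-9_.-]+:[ \t]*$/  { sub(/^ +/, ""); sub(/:.*/, ""); print }
  ' "$1"
}

# "<group> <host>" pairs for every host listed under children.<group>.hosts;
# group lists under children.<group>.children (k8s_cluster) are skipped on purpose.
group_members() {
  awk '
    /^  children:[ \t]*$/                      { inch = 1; next }
    inch && /^  [^ ]/                          { inch = 0 }
    inch && /^    [A-Za-z0-9_.-]+:[ \t]*$/ {
      group = $0; sub(/^ +/, "", group); sub(/:.*/, "", group); mode = ""; next
    }
    inch && /^      hosts:[ \t]*$/             { mode = "hosts"; next }
    inch && /^      children:[ \t]*$/          { mode = "children"; next }
    inch && mode == "hosts" && /^        [A-Za-z0-9_.-]+:[ \t]*$/ {
      h = $0; sub(/^ +/, "", h); sub(/:.*/, "", h); print group, h
    }
  ' "$1"
}

validate_hosts_yml() {
  f="$1"
  rc=0
  if grep -q '<[^>]*>' "$f"; then
    echo "FAIL: template placeholders (<...>) still present in $f" >&2; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*ansible_user:[[:space:]]*[^[:space:]<]' "$f"; then
    echo "FAIL: ansible_user is not set" >&2; rc=1
  fi
  declared=$(declared_hosts "$f")
  members=$(group_members "$f")
  missing=$(printf '%s\n' "$members" | while read -r g h; do
    [ -n "$h" ] || continue
    printf '%s\n' "$declared" | grep -qx "$h" || printf '%s/%s ' "$g" "$h"
  done)
  if [ -n "$missing" ]; then
    echo "FAIL: hosts referenced but not declared under all.hosts: $missing" >&2; rc=1
  fi
  cp_n=$(printf '%s\n' "$members" | awk '$1 == "kube_control_plane" { n++ } END { print n + 0 }')
  etcd_n=$(printf '%s\n' "$members" | awk '$1 == "etcd" { n++ } END { print n + 0 }')
  if [ "$cp_n" -lt 1 ]; then
    echo "FAIL: kube_control_plane has no hosts" >&2; rc=1
  fi
  if [ $((etcd_n % 2)) -eq 0 ]; then
    echo "FAIL: etcd has $etcd_n members; use an odd number for quorum" >&2; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $f (control plane: $cp_n, etcd: $etcd_n)"
  return "$rc"
}

# Usage: sh validate-inventory.sh /inventory/hosts.yml
if [ -n "${1:-}" ]; then
  validate_hosts_yml "$1"
fi
```

The checks are deliberately indentation-based rather than a full YAML parse, so they only apply to inventories laid out like the example; a hand-written file with a different indent width needs the patterns adjusted.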
Change the package download paths used by the scripts
Edit the package download locations in /inventory/group_vars/all/offline.yml.
An example of the adjustment follows (read the notes and adapt it to your environment; do not copy/paste as-is):
- `http_server`: replace `<deployment host IP>` with the IP of the deployment host.
- `registry_host` and `containerd_insecure_registries`: make sure `REGISTRY_HOST` and `REGISTRY_PORT` match the Container Registry set up earlier.
- `*_image_repo` overrides: in this variant they point at the registry root with no repository path; if the images were pushed under a repository (for example `library`), use the variant further below, which adds `<REGISTRY_REPO>`.
```bash
cat > /inventory/group_vars/all/offline.yml << EOF
http_server: "http://<deployment host IP>"
registry_host: "<REGISTRY_HOST>:<REGISTRY_PORT>"
containerd_insecure_registries:
  "<REGISTRY_HOST>:<REGISTRY_PORT>": "http://<REGISTRY_HOST>:<REGISTRY_PORT>"
files_repo: "{{ http_server }}/files"
yum_repo: "{{ http_server }}/rpms"
ubuntu_repo: "{{ http_server }}/debs"
# Registry overrides
kube_image_repo: "{{ registry_host }}"
gcr_image_repo: "{{ registry_host }}"
docker_image_repo: "{{ registry_host }}"
quay_image_repo: "{{ registry_host }}"
github_image_repo: "{{ registry_host }}"
# Download URLs: See roles/download/defaults/main.yml of kubespray.
kubeadm_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubeadm"
kubectl_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubectl"
kubelet_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubelet"
# etcd is optional if you **DON'T** use etcd_deployment=host
etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
# If using Calico
calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
# If using Calico with kdd
calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"
# If using Cilium
ciliumcli_download_url: "{{ files_repo }}/cilium-linux-{{ image_arch }}.tar.gz"
runc_download_url: "{{ files_repo }}/runc/{{ runc_version }}/runc.{{ image_arch }}"
nerdctl_download_url: "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
EOF
```
For the variant below (an internal Container Registry reached by domain name, with images under a repository path):
- `registry_host`: replace with the domain name of the company-internal Container Registry.
- `registry_host` and `containerd_insecure_registries`:
  - make sure `REGISTRY_HOST` and `REGISTRY_PORT` match the Registry set up earlier;
  - if the Container Registry serves `HTTPS`, remove the `containerd_insecure_registries` block entirely. That block makes containerd pull over plain HTTP, so images pulled by tag arrive with neither transport encryption nor an integrity check (Kubespray verifies sha256 checksums for the binaries it fetches from `files_repo`, but not for images); keep the setting only on an isolated deployment network and drop it as soon as the registry has a certificate.
- `*_image_repo` overrides:
  - make sure `REGISTRY_REPO` matches the Repository set up earlier;
  - a `library` repository is the usual recommendation, for example `registry.dummy.com/library`.
```bash
cat > /inventory/group_vars/all/offline.yml << EOF
http_server: "http://<deployment host IP>"
registry_host: "<REGISTRY_HOST>:<REGISTRY_PORT>"
containerd_insecure_registries:
  "<REGISTRY_HOST>:<REGISTRY_PORT>": "http://<REGISTRY_HOST>:<REGISTRY_PORT>"
files_repo: "{{ http_server }}/files"
yum_repo: "{{ http_server }}/rpms"
ubuntu_repo: "{{ http_server }}/debs"
# Registry overrides
kube_image_repo: "{{ registry_host }}/<REGISTRY_REPO>"
gcr_image_repo: "{{ registry_host }}/<REGISTRY_REPO>"
docker_image_repo: "{{ registry_host }}/<REGISTRY_REPO>"
quay_image_repo: "{{ registry_host }}/<REGISTRY_REPO>"
github_image_repo: "{{ registry_host }}/<REGISTRY_REPO>"
# Download URLs: See roles/download/defaults/main.yml of kubespray.
kubeadm_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubeadm"
kubectl_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubectl"
kubelet_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubelet"
# etcd is optional if you **DON'T** use etcd_deployment=host
etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
# If using Calico
calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
# If using Calico with kdd
calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"
# If using Cilium
ciliumcli_download_url: "{{ files_repo }}/cilium-linux-{{ image_arch }}.tar.gz"
runc_download_url: "{{ files_repo }}/runc/{{ runc_version }}/runc.{{ image_arch }}"
nerdctl_download_url: "{{ files_repo }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
containerd_download_url: "{{ files_repo }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz"
EOF
```
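A common way an offline run fails is that one artifact is missing from the mirror, which is only noticed when the playbook reaches that download. The script below is an added example (not Kubespray code): it renders every `*_download_url` in offline.yml, resolving `{{ http_server }}`, `{{ files_repo }}` and the version variables you supply in a `name=value` file, and then HEAD-requests each result on the deployment host. It assumes Linux targets (so `{{ ansible_system | lower }}` renders as `linux`) and that the version values are copied from roles/download/defaults of the Kubespray release being deployed; the version strings in the comments are samples, not real pins.

```shell
#!/bin/sh
# Render each *_download_url in offline.yml and probe the deployment host for
# the files it will have to serve (added example, not part of Kubespray).
# Assumptions: targets are Linux, so `{{ ansible_system | lower }}` renders as
# "linux"; version variables arrive in a name=value file, e.g.
#   kube_version=v1.29.5     (sample value; take the real ones from
#   image_arch=amd64          roles/download/defaults of your Kubespray release)

# Top-level `key: "value"` scalars of offline.yml as name=value lines, so that
# http_server / files_repo / registry_host resolve like the other variables.
yaml_scalars() {
  sed -n 's/^\([a-z_][a-z0-9_]*\): *"\(.*\)" *$/\1=\2/p' "$1"
}

# Substitute {{ var }} references from a name=value file. Repeats until nothing
# changes so nested references (files_repo -> http_server) resolve too.
render_template() {
  tmpl="$1"; vars="$2"
  # the only filter used in these templates is `| lower`; values are lowercase already
  out=$(printf '%s' "$tmpl" | sed 's/ *| *lower *}}/ }}/g')
  pass=0
  while [ "$pass" -lt 5 ]; do
    prev="$out"
    while IFS='=' read -r k v; do
      [ -n "$k" ] || continue
      out=$(printf '%s' "$out" | sed "s#{{ *$k *}}#$v#g")
    done < "$vars"
    [ "$out" != "$prev" ] || break
    pass=$((pass + 1))
  done
  printf '%s\n' "$out"
}

# Print "<variable> <rendered URL>" for each *_download_url in offline.yml.
render_offline_urls() {
  offline="$1"; versions="$2"
  vars=$(mktemp)
  { yaml_scalars "$offline"; cat "$versions"; } > "$vars"
  sed -n 's/^\([a-z_]*_download_url\): *"\(.*\)" *$/\1 \2/p' "$offline" |
  while read -r key tmpl; do
    printf '%s %s\n' "$key" "$(render_template "$tmpl" "$vars")"
  done
  rm -f "$vars"
}

# HEAD-request each URL on the mirror; anything MISSING would fail the playbook
# mid-run. Needs network access to the deployment host (not exercised offline).
probe_offline_urls() {
  render_offline_urls "$1" "$2" | while read -r key url; do
    if curl -sfI --max-time 10 -o /dev/null "$url"; then
      echo "ok       $key $url"
    else
      echo "MISSING  $key $url"
    fi
  done
}

# Usage: sh check-offline-mirror.sh /inventory/group_vars/all/offline.yml versions.txt
if [ $# -ge 2 ]; then
  probe_offline_urls "$1" "$2"
fi
```

Run it from the deployment container before `ansible-playbook`; a `MISSING` line means either the artifact was never copied into the mirror or the template path in offline.yml does not match the directory layout that was actually published.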
Configure the Kubernetes CNI
Change kube_network_plugin to the desired CNI:
```bash
vim /inventory/group_vars/k8s_cluster/k8s-cluster.yml
```
Cilium: a mainstream eBPF-based CNI; confirm that the Linux kernel on the target hosts meets the requirements of the Cilium version being installed.
```yaml
kube_network_plugin: cilium
```
Calico: the Kubespray default.
```yaml
kube_network_plugin: calico
```
Flannel: when using it, make sure every node has a default gateway configured.
```yaml
kube_network_plugin: flannel
```
- Although internal validation showed that all three can be installed and switched between, given the complexity of production environments we do not recommend changing the CNI casually.
Warning
The settings below normally do not need to be changed; adjust them only if the environment runs into one of the situations described.
Fix RHEL subscription errors
Only when a RHEL subscription error appears is the following adjustment needed.
Append the following to /inventory/group_vars/all/all.yml:
```bash
cat >> /inventory/group_vars/all/all.yml << EOF
rhel_enable_repos: false
EOF
```
Adjust DNS resolution for hostNetwork: true
If the target hosts have no upstream DNS server configured, some anomalies may appear; change resolvconf_mode in /inventory/group_vars/k8s_cluster/k8s-cluster.yml to the following:
```yaml
# Can be docker_dns, host_resolvconf or none
resolvconf_mode: none
```
If every host in the environment has a DNS server configured, keep the official default host_resolvconf; see the official documentation for the meaning of each value.
When no upstream DNS server is configured
Info
Enterprise hosts usually have an upstream DNS server configured, so this step can be skipped. If there is none, the current NodeLocalDNS has a bug, and extra settings are needed to work around it.
The original configuration does not set upstream_dns_servers, which leads to a Local DNS => Global DNS => Local DNS loop.
Change /inventory/group_vars/all/all.yml to the following:
```yaml
## Upstream dns servers
upstream_dns_servers: []
# - 8.8.8.8
# - 8.8.4.4
```