2017-11-11 19:14:21 +08:00
|
|
|
[Unit]
|
|
|
|
Description=Kubernetes Kubelet
|
|
|
|
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
|
|
|
|
After=docker.service
|
|
|
|
Requires=docker.service
|
|
|
|
|
|
|
|
[Service]
|
|
|
|
WorkingDirectory=/var/lib/kubelet
|
|
|
|
#--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest
|
|
|
|
ExecStart={{ bin_dir }}/kubelet \
|
|
|
|
--address={{ NODE_IP }} \
|
|
|
|
--hostname-override={{ NODE_IP }} \
|
2017-12-19 17:46:34 +08:00
|
|
|
--pod-infra-container-image={{ POD_INFRA_CONTAINER_IMAGE }} \
|
2017-11-11 19:14:21 +08:00
|
|
|
--experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
|
|
|
|
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
|
|
|
|
--cert-dir={{ ca_dir }} \
|
2017-12-31 10:25:56 +08:00
|
|
|
--network-plugin=cni \
|
|
|
|
--cni-conf-dir=/etc/cni/net.d \
|
|
|
|
--cni-bin-dir={{ bin_dir }} \
|
2017-11-11 19:14:21 +08:00
|
|
|
--cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
|
|
|
|
--cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
|
2017-12-04 20:20:17 +08:00
|
|
|
--hairpin-mode hairpin-veth \
|
2017-11-11 19:14:21 +08:00
|
|
|
--allow-privileged=true \
|
2017-11-21 11:27:06 +08:00
|
|
|
--fail-swap-on=false \
|
2017-11-11 19:14:21 +08:00
|
|
|
--logtostderr=true \
|
|
|
|
--v=2
|
|
|
|
#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
|
|
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
|
|
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
|
|
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
|
|
|
|
ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
|
|
|
|
Restart=on-failure
|
|
|
|
RestartSec=5
|
|
|
|
|
|
|
|
[Install]
|
|
|
|
WantedBy=multi-user.target
|