kubeasz/roles/kube-node/templates/kubelet.service.j2

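[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# Kubelet API access: anonymous requests are rejected and callers must present a
# client certificate signed by {{ ca_dir }}/ca.pem. No --authorization-mode is
# set, so the kubelet's own default applies (AlwaysAllow): any holder of a
# CA-signed client certificate gets full access to the kubelet API, including
# exec/logs. Moving to --authorization-mode=Webhook (with
# --authentication-token-webhook=true) needs the apiserver's kubelet client
# identity bound to system:kubelet-api-admin first, so it is left as a follow-up.
# NOTE(review): --allow-privileged=true permits privileged pods on every node and
# was dropped from the kubelet in later releases; keep it only while the pinned
# kubelet still accepts it. --read-only-port is not set here either, so whatever
# the kubelet's default is (historically 10255, unauthenticated) stays open
# unless --read-only-port=0 is added. --fail-swap-on=false relaxes the kubelet's
# swap check; it is a deliberate choice here, not an oversight.
ExecStart={{ bin_dir }}/kubelet \
  --address={{ inventory_hostname }} \
  --allow-privileged=true \
  --anonymous-auth=false \
  --client-ca-file={{ ca_dir }}/ca.pem \
  --cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
  --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
  --cni-bin-dir={{ bin_dir }} \
  --cni-conf-dir=/etc/cni/net.d \
  --fail-swap-on=false \
  --hairpin-mode=hairpin-veth \
  --hostname-override={{ inventory_hostname }} \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --max-pods={{ MAX_PODS }} \
  --network-plugin=cni \
  --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.1 \
  --register-node=true \
  --root-dir={{ KUBELET_ROOT_DIR }} \
  --tls-cert-file={{ ca_dir }}/kubelet.pem \
  --tls-private-key-file={{ ca_dir }}/kubelet-key.pem \
  --v=2
# The kubelet's embedded cAdvisor listens on TCP 4194 on all interfaces by
# default; the rules below allow it only from RFC 1918 sources and drop the rest.
# Each rule is appended only if it is not already present (`-C` check) — a plain
# `-A` would add another copy of all four rules on every restart
# (Restart=on-failure), so the chain would grow without bound.
ExecStartPost=/bin/sh -c '/sbin/iptables -C INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT || /sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT'
ExecStartPost=/bin/sh -c '/sbin/iptables -C INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT || /sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT'
ExecStartPost=/bin/sh -c '/sbin/iptables -C INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT || /sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT'
ExecStartPost=/bin/sh -c '/sbin/iptables -C INPUT -p tcp --dport 4194 -j DROP || /sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP'
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target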