diff --git a/01.prepare.yml b/01.prepare.yml
index 5560d14..d1b252e 100644
--- a/01.prepare.yml
+++ b/01.prepare.yml
@@ -4,11 +4,14 @@
 - ca
 # 集群节点的公共配置任务
-- hosts: kube-cluster
+- hosts:
+ - kube-cluster
+ - etcd
+ - lb
 roles:
 - prepare
-# 可选,多master部署时的负载均衡配置
+# [可选]多master部署时的负载均衡配置
 - hosts: lb
 roles:
 - lb
diff --git a/03.kubectl.yml b/03.kubectl.yml
index 24076e2..53e0579 100644
--- a/03.kubectl.yml
+++ b/03.kubectl.yml
@@ -1,3 +1,5 @@
-- hosts: kube-cluster
+- hosts:
+ - kube-cluster
+ - lb
 roles:
 - kubectl
diff --git a/90.setup.yml b/90.setup.yml
index ae86b8a..522d7fc 100644
--- a/90.setup.yml
+++ b/90.setup.yml
@@ -4,11 +4,14 @@
 - ca
 # 集群节点的公共配置任务
-- hosts: kube-cluster
+- hosts:
+ - kube-cluster
+ - etcd
+ - lb
 roles:
 - prepare
-# 可选,多master部署时的负载均衡配置
+# [可选]多master部署时的负载均衡配置
 - hosts: lb
 roles:
 - lb
@@ -17,10 +20,18 @@
 roles:
 - etcd
-- hosts: kube-cluster
+- hosts:
+ - kube-cluster
+ - lb
 roles:
 - kubectl
+
+- hosts: kube-cluster
+ roles:
 - docker
+
+- hosts: kube-cluster
+ roles:
 - calico
 - hosts: kube-master
diff --git a/95.clean.yml b/95.clean.yml
index cc84af1..fc1f577 100644
--- a/95.clean.yml
+++ b/95.clean.yml
@@ -28,7 +28,7 @@
 shell: iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
 - name: 清理网络
- shell: "ip link del docker0; ip link del tunl0"
+ shell: "ip link del docker0; ip link del tunl0; systemctl restart networking"
 ignore_errors: true
 - hosts: kube-node
diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2
index 911b1be..9a1c37f 100644
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
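Review bot: The play that applies `prepare` is edited identically in this 01.prepare.yml hunk and in the first hunk of 90.setup.yml, so the two host lists can drift apart on the next change. Consider having 90.setup.yml pull in the numbered playbooks instead of repeating their plays, for example `- import_playbook: 01.prepare.yml` on Ansible 2.4 or later. The comment above the play still describes it as common configuration for cluster nodes although it now also targets `etcd` and `lb`; it could say so.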
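Review bot: Adding `lb` to the hosts of the `kubectl` play in 03.kubectl.yml puts the client, and whatever credentials the role installs, on the load-balancer hosts; the same change is repeated in the second hunk of 90.setup.yml. The role's tasks are not visible here, but if it writes an admin kubeconfig or client key, every `lb` host becomes another place where cluster-admin access is stored and has to be protected. If the load balancers do not need to talk to the API, keep the play on `kube-cluster`; if they do, a kubeconfig bound to a narrowly scoped RBAC role is the safer choice. A comment above the play such as `# lb hosts get kubectl because <reason>` would record why it is needed.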
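Review bot: The added `systemctl restart networking` in the 95.clean.yml task names a unit that exists on Debian/Ubuntu-style hosts; on other distributions the unit is missing, and because the commands are chained with `;` under `ignore_errors: true` the failure is silent. Restarting networking from inside an SSH-driven task can also drop the Ansible connection mid-play. Consider moving it into its own task with the `service` module and a guard such as `when: ansible_os_family == "Debian"`, so a failed restart is at least reported separately from the link cleanup. The task starts in the context above the changed line and the playbook continues below the hunk.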
@@ -9,7 +9,7 @@ ExecStart={{ bin_dir }}/kube-apiserver \
 --bind-address={{ NODE_IP }} \
 --insecure-bind-address=127.0.0.1 \
 --authorization-mode=Node,RBAC \
- --runtime-config=rbac.authorization.k8s.io/v1beta1 \
+ --runtime-config=rbac.authorization.k8s.io/v1 \
 --kubelet-https=true \
 --anonymous-auth=false \
 --basic-auth-file={{ ca_dir }}/basic-auth.csv \
diff --git a/roles/kube-node/templates/kubelet.service.j2 b/roles/kube-node/templates/kubelet.service.j2
index 1c5a154..c5f81ae 100644
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@@ -13,7 +13,6 @@ ExecStart={{ bin_dir }}/kubelet \
 --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
 --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
 --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
- --require-kubeconfig \
 --cert-dir={{ ca_dir }} \
 --network-plugin=cni \
 --cni-conf-dir=/etc/cni/net.d \
@@ -22,6 +21,7 @@ ExecStart={{ bin_dir }}/kubelet \
 --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
 --hairpin-mode promiscuous-bridge \
 --allow-privileged=true \
+ --fail-swap-on=false \
 --logtostderr=true \
 --v=2
 #kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
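Review bot: The new side of the kube-apiserver `ExecStart` still carries `--basic-auth-file={{ ca_dir }}/basic-auth.csv` next to `--authorization-mode=Node,RBAC`, so static passwords kept in a CSV file remain a valid way to authenticate to the API server. While this command line is being updated for RBAC v1, consider dropping that flag in favour of client certificates or tokens, or at least documenting it with a comment above `ExecStart` such as `# basic-auth.csv holds plaintext passwords; keep it root-only and rotate`. It is also worth confirming that `--runtime-config=rbac.authorization.k8s.io/v1` is needed at all on the target release, since as far as I know that API version is served by default from Kubernetes 1.8. The unit file starts and ends outside the hunk.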
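Review bot: `--fail-swap-on=false` in the second kubelet.service.j2 hunk lets the kubelet start on nodes with swap enabled, which means pod memory, including tmpfs-backed Secret volumes, can be paged out to disk, and memory limits stop being a reliable bound. Turning swap off in the `prepare` role (`swapoff -a` plus removing the fstab entry) would keep the kubelet default. If swap has to stay on, a comment above `ExecStart` such as `# swap left enabled deliberately: <reason>` would record the trade-off. The same command line keeps `--allow-privileged=true` in context, so the node hardening here is worth revisiting as a whole; the `ExecStart` continues outside the hunk.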