add limits for pids #1265

docs/guide/harbor.md

@@ -198,7 +198,7 @@ type: kubernetes.io/dockerconfigjson
 # 停止 harbor
  docker-compose down -v
 # 修改配置
- vim harbor.cfg
+ vim harbor.yml
 # 执行./prepare已更新配置到docker-compose.yml文件
  ./prepare
 # 启动 harbor

roles/kube-node/templates/kubelet-config.yaml.j2

@@ -54,7 +54,9 @@ imageMinimumGCAge: 2m0s
 {% if KUBE_RESERVED_ENABLED == "yes" %}
 kubeReservedCgroup: /podruntime.slice
 kubeReserved:
+  cpu: 200m
   memory: 400Mi
+  pid: 1000
 {% endif %}
 kubeAPIBurst: 100
 kubeAPIQPS: 50
@@ -65,7 +67,7 @@ nodeLeaseDurationSeconds: 40
 nodeStatusReportFrequency: 1m0s
 nodeStatusUpdateFrequency: 10s
 oomScoreAdj: -999
-podPidsLimit: -1
+podPidsLimit: {{ POD_MAX_PIDS }}
 port: 10250
 # disable readOnlyPort 
 readOnlyPort: 0
@@ -81,7 +83,9 @@ syncFrequency: 1m0s
 {% if SYS_RESERVED_ENABLED == "yes" %}
 systemReservedCgroup: /system.slice
 systemReserved:
-  memory: 1000Mi
+  cpu: 200m
+  memory: 500Mi
+  pid: 5000
 {% endif %}
 tlsCertFile: {{ ca_dir }}/kubelet.pem
 tlsPrivateKeyFile: {{ ca_dir }}/kubelet-key.pem

roles/kube-node/vars/main.yml

@@ -6,3 +6,6 @@ CGROUP_DRIVER: "systemd"
 
 # coredns 服务地址，根据SERVICE_CIDR 设置，默认选择网段第二个地址
 CLUSTER_DNS_SVC_IP: "{{ SERVICE_CIDR.split('.')[0] }}.{{ SERVICE_CIDR.split('.')[1] }}.{{ SERVICE_CIDR.split('.')[2] }}.{{ SERVICE_CIDR.split('.')[3]|int + 2 }}"
+
+# pod-max-pids
+POD_MAX_PIDS: 1024