From 84760323d69185f96ade2bac08fd7d71b09d2185 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Fri, 28 Apr 2023 21:56:38 +0800
Subject: [PATCH] add limits for pids #1265
---
 docs/guide/harbor.md | 2 +-
 roles/kube-node/templates/kubelet-config.yaml.j2 | 8 ++++++--
 roles/kube-node/vars/main.yml | 3 +++
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/docs/guide/harbor.md b/docs/guide/harbor.md
index 4e41030..6e92302 100644
--- a/docs/guide/harbor.md
+++ b/docs/guide/harbor.md
@@ -198,7 +198,7 @@ type: kubernetes.io/dockerconfigjson
 # 停止 harbor
 docker-compose down -v
 # 修改配置
- vim harbor.cfg
+ vim harbor.yml
 # 执行./prepare已更新配置到docker-compose.yml文件
 ./prepare
 # 启动 harbor
diff --git a/roles/kube-node/templates/kubelet-config.yaml.j2 b/roles/kube-node/templates/kubelet-config.yaml.j2
index 727823a..db951e2 100644
--- a/roles/kube-node/templates/kubelet-config.yaml.j2
+++ b/roles/kube-node/templates/kubelet-config.yaml.j2
@@ -54,7 +54,9 @@ imageMinimumGCAge: 2m0s
 {% if KUBE_RESERVED_ENABLED == "yes" %}
 kubeReservedCgroup: /podruntime.slice
 kubeReserved:
+ cpu: 200m
 memory: 400Mi
+ pid: 1000
 {% endif %}
 kubeAPIBurst: 100
 kubeAPIQPS: 50
@@ -65,7 +67,7 @@ nodeLeaseDurationSeconds: 40
 nodeStatusReportFrequency: 1m0s
 nodeStatusUpdateFrequency: 10s
 oomScoreAdj: -999
-podPidsLimit: -1
+podPidsLimit: {{ POD_MAX_PIDS }}
 port: 10250
 # disable readOnlyPort
 readOnlyPort: 0
@@ -81,7 +83,9 @@ syncFrequency: 1m0s
 {% if SYS_RESERVED_ENABLED == "yes" %}
 systemReservedCgroup: /system.slice
 systemReserved:
- memory: 1000Mi
+ cpu: 200m
+ memory: 500Mi
+ pid: 5000
 {% endif %}
 tlsCertFile: {{ ca_dir }}/kubelet.pem
 tlsPrivateKeyFile: {{ ca_dir }}/kubelet-key.pem
diff --git a/roles/kube-node/vars/main.yml b/roles/kube-node/vars/main.yml
index 0ce653f..a3a6e7a 100644
--- a/roles/kube-node/vars/main.yml
+++ b/roles/kube-node/vars/main.yml
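Review bot: The new `pid: 1000` under `kubeReserved` in the first kubelet-config.yaml.j2 hunk (and `pid: 5000` under `systemReserved` in the third hunk of the same file) is a fixed literal with no comment on how it was sized. Whether these reservations only shrink node allocatable or are also applied as cgroup limits on `/podruntime.slice` and `/system.slice` depends on `enforceNodeAllocatable`, which is outside the hunk. If kube-reserved or system-reserved is enforced there, the kubelet, the container runtime and the system daemons are held to those PID counts and may fail to fork on a busy node. I would add a comment above each mapping, for example `# reserved for kubelet and runtime; becomes a hard cgroup limit only if enforceNodeAllocatable lists kube-reserved`, and consider exposing the values as variables.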
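Review bot: In the second kubelet-config.yaml.j2 hunk, `podPidsLimit` goes from `-1` (no limit) to the rendered `{{ POD_MAX_PIDS }}`, and the line carries no comment saying that the cap counts threads as well as processes. The cap is a useful guard against one pod exhausting the node's PID space, but thread-heavy workloads that ran before may fail to spawn threads once a node is re-templated and the kubelet restarts. I would put a comment above the line, `# max PIDs (processes + threads) per pod; -1 disables the limit`, and mention the behaviour change in the upgrade notes.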
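Review bot: In the third kubelet-config.yaml.j2 hunk, `systemReserved.memory` drops from `1000Mi` to `500Mi`, which the subject line "add limits for pids" does not cover. With `SYS_RESERVED_ENABLED == "yes"` this changes node allocatable, and if system-reserved is enforced (not visible in the hunk) it also halves the memory ceiling of `/system.slice`. The reason should be recorded, either in the commit message or as a comment on the line such as `# lowered from 1000Mi: <reason>`, so the reduction is not mistaken for part of the PID change.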
@@ -6,3 +6,6 @@ CGROUP_DRIVER: "systemd" # coredns 服务地址,根据SERVICE_CIDR 设置,默认选择网段第二个地址 CLUSTER_DNS_SVC_IP: "{{ SERVICE_CIDR.split('.')[0] }}.{{ SERVICE_CIDR.split('.')[1] }}.{{ SERVICE_CIDR.split('.')[2] }}.{{ SERVICE_CIDR.split('.')[3]|int + 2 }}" + +# pod-max-pids +POD_MAX_PIDS: 1024
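Review bot: `POD_MAX_PIDS: 1024` is added to the role's `vars/main.yml`, and Ansible gives role vars higher precedence than inventory and group_vars, so an operator who needs a different cap for some nodes would likely have to edit the role or pass extra vars. If per-cluster tuning is intended, the role defaults (or wherever this project keeps cluster settings, which is not visible here) would be easier to override. The comment `# pod-max-pids` only restates the name; I would write `# max PIDs (processes and threads) per pod, rendered into kubelet podPidsLimit; -1 means unlimited`. Leaving the value unquoted is correct, since it is rendered into an integer field.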