调整kubelet默认禁用system-reserved

roles/kube-node/defaults/main.yml

@@ -14,6 +14,9 @@ MAX_PODS: 110
 # 配置为kube组件（kubelet,kube-proxy,dockerd等）预留的资源量
 KUBE_RESERVED_ENABLED: "yes"
 KUBE_RESERVED: "cpu=200m,memory=500Mi,ephemeral-storage=1Gi"
+# k8s 官方不建议草率开启 system-reserved, 除非你基于长期监控，了解系统的资源占用状况；并且随着系统运行时间，需要适当增加资源预留
+SYS_RESERVED_ENABLED: "no"
+# 以下系统预留设置基于 4c/8g 虚机，最小化安装系统服务，如果使用高性能物理机请适当增加数值
 SYS_RESERVED: "cpu=200m,memory=500Mi,ephemeral-storage=1Gi"
 
 # 配置kubelet的hard eviction条件

roles/kube-node/templates/kubelet.service.j2

@@ -4,7 +4,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 
 [Service]
 WorkingDirectory=/var/lib/kubelet
-{% if KUBE_RESERVED_ENABLED == "yes" %}
+{% if KUBE_RESERVED_ENABLED == "yes" or SYS_RESERVED_ENABLED == "yes" %}
 ExecStartPre=/bin/mkdir -p /sys/fs/cgroup/cpuset/system.slice/kubelet.service
 ExecStartPre=/bin/mkdir -p /sys/fs/cgroup/hugetlb/system.slice/kubelet.service
 ExecStartPre=/bin/mkdir -p /sys/fs/cgroup/memory/system.slice/kubelet.service
@@ -38,10 +38,12 @@ ExecStart={{ bin_dir }}/kubelet \
   --tls-private-key-file={{ ca_dir }}/kubelet-key.pem \
   --cgroups-per-qos=true \
   --cgroup-driver=cgroupfs \
+  --enforce-node-allocatable=pods{% if KUBE_RESERVED_ENABLED == "yes" %},kube-reserved{% endif %}{% if SYS_RESERVED_ENABLED == "yes" %},system-reserved{% endif %} \
 {% if KUBE_RESERVED_ENABLED == "yes" %}
-  --enforce-node-allocatable=pods,kube-reserved,system-reserved \
   --kube-reserved={{ KUBE_RESERVED }} \
   --kube-reserved-cgroup=/system.slice/kubelet.service \
+{% endif %}
+{% if SYS_RESERVED_ENABLED == "yes" %}
   --system-reserved={{ SYS_RESERVED }} \
   --system-reserved-cgroup=/system.slice \
 {% endif %}