mirror of https://github.com/easzlab/kubeasz.git
41 lines
1.5 KiB
Django/Jinja
41 lines
1.5 KiB
Django/Jinja
[Unit]
|
|
Description=Kubernetes Kubelet
|
|
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
|
|
After=docker.service
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
WorkingDirectory=/var/lib/kubelet
|
|
#--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest
|
|
ExecStart={{ bin_dir }}/kubelet \
|
|
--address={{ inventory_hostname }} \
|
|
--allow-privileged=true \
|
|
--anonymous-auth=false \
|
|
--client-ca-file={{ ca_dir }}/ca.pem \
|
|
--cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
|
|
--cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
|
|
--cni-bin-dir={{ bin_dir }} \
|
|
--cni-conf-dir=/etc/cni/net.d \
|
|
--fail-swap-on=false \
|
|
--hairpin-mode hairpin-veth \
|
|
--hostname-override={{ inventory_hostname }} \
|
|
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
|
|
--max-pods={{ MAX_PODS }} \
|
|
--network-plugin=cni \
|
|
--pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.1 \
|
|
--register-node=true \
|
|
--root-dir={{ KUBELET_ROOT_DIR }} \
|
|
--tls-cert-file={{ ca_dir }}/kubelet.pem \
|
|
--tls-private-key-file={{ ca_dir }}/kubelet-key.pem \
|
|
--v=2
|
|
#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
|
|
ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
|
|
ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|