kubeasz/roles/kube-node/templates/kubelet.service.j2

41 lines
1.5 KiB
Django/Jinja

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
#--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest
ExecStart={{ bin_dir }}/kubelet \
--address={{ inventory_hostname }} \
--allow-privileged=true \
--anonymous-auth=false \
--client-ca-file={{ ca_dir }}/ca.pem \
--cluster-dns={{ CLUSTER_DNS_SVC_IP }} \
--cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
--cni-bin-dir={{ bin_dir }} \
--cni-conf-dir=/etc/cni/net.d \
--fail-swap-on=false \
--hairpin-mode hairpin-veth \
--hostname-override={{ inventory_hostname }} \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--max-pods={{ MAX_PODS }} \
--network-plugin=cni \
--pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.1 \
--register-node=true \
--root-dir={{ KUBELET_ROOT_DIR }} \
--tls-cert-file={{ ca_dir }}/kubelet.pem \
--tls-private-key-file={{ ca_dir }}/kubelet-key.pem \
--v=2
#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target