K8S Installation, Part 7: Kubernetes Node Configuration Adjustments

1. Disable the firewall

Disable the firewall service on all Kubernetes nodes.

1.1 Stop the firewalld service

systemctl stop firewalld
systemctl disable firewalld

1.2 Edit /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

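Set SELINUX to disabled in the configuration file above. Use the getenforce command to check the SELinux state.

getenforce

The change in /etc/selinux/config takes effect at the next boot (step 9). After that, the output is Disabled, which means SELinux has been set to disabled on this system.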

2. Adjust node names

2.1 Edit /etc/hosts

::1     localhost       localhost.localdomain   localhost6      localhost6.localdomain6
127.0.0.1       localhost       localhost.localdomain   localhost4      localhost4.localdomain4
127.0.0.1       hecs-92531-0003 hecs-92531-0003

192.168.0.200   k8s-master1
192.168.0.145   k8s-master2
192.168.0.233   k8s-node1

2.2 Set the node name

hostnamectl set-hostname <node-name>

Make sure the node name you set matches the name and IP address listed for that node in /etc/hosts.

3. Add the NetworkManager configuration

cat > /etc/NetworkManager/conf.d/calico.conf <<EOF
[keyfile]
unmanaged-devices=interface-name:cali*;interface-name:tunl*;interface-name:vxlan.calico;interface-name:wireguard.cali
EOF

4. Install base packages

yum install curl conntrack ipvsadm ipset iptables jq sysstat libseccomp rsync wget psmisc vim net-tools -y

5. Load the br_netfilter module

modprobe overlay
modprobe br_netfilter
lsmod | grep br_netfilter

6. Modify system configuration

  • Add the ipvs configuration
cat >/etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
overlay
br_netfilter
EOF
  • Run the following command to apply the configuration
systemctl enable --now systemd-modules-load.service
  • Add the ipvs.module configuration
cat > /etc/sysconfig/modules/ipvs.module <<EOF
modprobe -- ip_vs
modprobe -- ip_vs_sh
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- nf_conntrack
EOF
  • Run the following commands to apply the configuration
chmod 755 /etc/sysconfig/modules/ipvs.module 
/etc/sysconfig/modules/ipvs.module
  • Create the /etc/sysctl.d/k8s.conf configuration
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=10
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce=2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
net.ipv4.ip_nonlocal_bind=1
net.ipv4.ip_local_port_range=45001 65000
net.ipv4.ip_forward=1
net.ipv4.tcp_max_tw_buckets=6000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=2
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.netfilter.nf_conntrack_max=2310720
net.ipv6.neigh.default.gc_thresh1=8192
net.ipv6.neigh.default.gc_thresh2=32768
net.ipv6.neigh.default.gc_thresh3=65536
net.core.netdev_max_backlog=16384
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog = 8096
net.core.somaxconn=32768
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=524288
fs.file-max=52706963
fs.nr_open=52706963
kernel.pid_max = 4194303
net.bridge.bridge-nf-call-arptables=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
vm.max_map_count=262144
  • Run the following command to apply the configuration
sysctl -p /etc/sysctl.d/k8s.conf
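
To confirm that the running kernel actually holds the values written to /etc/sysctl.d/k8s.conf (for example after the reboot in step 9), the following added example, which is not part of the original post, compares each key in the file with /proc/sys and reports any drift. The function name check_sysctl_drift and its optional second argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_sysctl_drift CONF [PROC_ROOT]
# PROC_ROOT defaults to /proc/sys; the optional argument is an assumption of
# this example so the check can also run against a constructed tree.

# Collapse whitespace runs and trim, so "45001 65000" in the file matches
# "45001<TAB>65000" as the kernel reports it.
norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

check_sysctl_drift() (
  conf=$1; root=${2:-/proc/sys}; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(norm "$line")
    case $line in ''|'#'*|';'*) continue ;; esac   # blank line or comment
    case $line in *=*) ;; *) continue ;; esac       # not a key=value line
    key=$(norm "${line%%=*}")     # also accepts the "key = value" spelling
    want=$(norm "${line#*=}")
    path=$root/$(printf '%s' "$key" | tr . /)       # net.ipv4.x -> net/ipv4/x
    if [ ! -r "$path" ]; then
      # e.g. net.bridge.* keys exist only while br_netfilter is loaded
      echo "MISSING $key"; rc=1; continue
    fi
    have=$(norm "$(cat "$path")")
    if [ "$have" != "$want" ]; then
      echo "DRIFT $key want=$want have=$have"; rc=1
    fi
  done < "$conf"
  [ "$rc" -eq 0 ]
)

# Check the live kernel when a file is given, e.g.:
#   sh check_sysctl.sh /etc/sysctl.d/k8s.conf
if [ "$#" -gt 0 ]; then
  check_sysctl_drift "$1" && echo "OK: running kernel matches $1"
fi
```

A MISSING line for a net.bridge.* key usually means br_netfilter was not loaded when the settings were applied.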

7. Check the loaded modules

lsmod | grep -e ip_vs -e nf_conntrack


8. Modify resource limits

Edit /etc/security/limits.conf and add the following content; the figure below shows the file after the change.

*       soft        core        unlimited
*       hard        core        unlimited
*       soft        nproc       1000000
*       hard        nproc       1000000
*       soft        nofile      1000000
*       hard        nofile      1000000
*       soft        memlock     32000
*       hard        memlock     32000
*       soft        msgqueue    8192000

[Figure: /etc/security/limits.conf after the change]

9. Reboot the system

reboot


Reposted from blog.csdn.net/hzwy23/article/details/128085583