优化代码

2025-03-05 17:34:09 +08:00
parent 84ecf9d0e6
commit 77cafaf0a1
17 changed files with 414 additions and 43 deletions
--- a/47-202412-甘肃移动/cluster-20250221-security.yml
+++ b/47-202412-甘肃移动/cluster-20250221-security.yml
@@ -0,0 +1,178 @@
+nodes:
+#masternode配置
+  - address: 10.215.66.85
+    user: rke-installer
+    role:
+      - controlplane
+      - etcd
+      - worker
+    internal_address: 10.215.66.85
+    labels:
+      ingress-deploy: true
+ #worker-1到worker-5加入集群
+  - address: 10.215.66.86
+    user: rke-installer
+    role:
+      - worker
+    internal_address: 10.215.66.86
+  - address: 10.215.66.87
+    user: rke-installer
+    role:
+      - worker
+    internal_address: 10.215.66.87 
+  - address: 10.215.66.88
+    user: rke-installer
+    role:
+      - worker
+    internal_address: 10.215.66.88
+  - address: 10.215.66.90
+    user: rke-installer
+    role:
+      - worker
+    internal_address: 10.215.66.90
+ #worker-5资源低，用于跑mysql
+  - address: 10.215.66.91
+    user: rke-installer
+    role:
+      - worker
+    internal_address: 10.215.66.91
+    labels:
+      mysql-deploy: true
+
+
+# 默认值为false，如果设置为true，当发现不支持的Docker版本时，RKE不会报错
+ignore_docker_version: true
+
+# Set the name of the Kubernetes cluster
+cluster_name: rke-cluster
+
+#kubernetes_version: v1.18.16-rancher1-1
+kubernetes_version: v1.20.4-rancher1-1
+
+ssh_key_path: /home/rke-installer/.ssh/id_rsa
+
+services:
+  etcd:
+    backup_config:
+      enabled: false
+      interval_hours: 72
+      retention: 3
+      safe_timestamp: false
+      timeout: 300
+    creation: 12h
+    extra_args:
+        election-timeout: 5000
+        heartbeat-interval: 500
+        cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
+    gid: 0
+    retention: 72h
+    snapshot: false
+    uid: 0
+
+  kube-api:
+    # IP range for any services created on Kubernetes
+    # This must match the service_cluster_ip_range in kube-controller
+    service_cluster_ip_range: 10.74.0.0/16
+    # Expose a different port range for NodePort services
+    service_node_port_range: 30000-40000
+    always_pull_images: true
+    pod_security_policy: false
+    # Add additional arguments to the kubernetes API server
+    # This WILL OVERRIDE any existing defaults
+    extra_args:
+      # Enable audit log to stdout
+      audit-log-path: "-"
+      # Increase number of delete workers
+      delete-collection-workers: 3
+      # Set the level of log output to debug-level
+      v: 1
+  kube-controller:
+    # CIDR pool used to assign IP addresses to pods in the cluster
+    cluster_cidr: 10.100.0.0/16
+    # IP range for any services created on Kubernetes
+    # This must match the service_cluster_ip_range in kube-api
+    service_cluster_ip_range: 10.74.0.0/16
+  kubelet:
+    # Base domain for the cluster
+    cluster_domain: cluster.local
+    # IP address for the DNS service endpoint
+    cluster_dns_server: 10.74.0.10
+    # Fail if swap is on
+    fail_swap_on: true
+    # Set max pods to 250 instead of default 110
+    extra_args:
+      max-pods: 122
+    # Optionally define additional volume binds to a service
+  scheduler:
+    extra_args:
+      # Set the level of log output to warning-level
+      v: 0
+      tls-cipher-suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
+
+
+authentication:
+  strategy: x509
+  sans:
+    - "10.215.66.85"
+
+authorization:
+  mode: rbac
+
+addon_job_timeout: 30
+
+# Specify network plugin-in (canal, calico, flannel, weave, or none)
+network:
+  mtu: 1440
+  options:
+    flannel_backend_type: vxlan
+  plugin: calico
+  #add by zxc@241129
+  #  calico_network_provider:
+  #  ipip:
+  #    mode: cross-subnet
+  #    interface: ens160
+  tolerations:
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+      tolerationseconds: 300
+    - key: "node.kubernetes.io/not-ready"
+      operator: "Exists"
+      effect: "NoExecute"
+      tolerationseconds: 300
+
+# Specify DNS provider (coredns or kube-dns)
+dns:
+  provider: coredns
+  nodelocal: {}
+  tolerations:
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+      tolerationseconds: 300
+    - key: "node.kubernetes.io/not-ready"
+      operator: "Exists"
+      effect: "NoExecute"
+      tolerationseconds: 300
+
+ingress:
+  provider: nginx
+  default_backend: true
+  http_port: 0
+  https_port: 0
+  extra_envs:
+    - name: TZ
+      value: Asia/Shanghai
+  node_selector:
+    ingress-deploy: true
+  options:
+    use-forwarded-headers: "true"
+
+private_registries:
+  - url: 10.215.66.85:8033 # 私有镜像库地址
+    user: admin
+    password: "Test@2"
+    is_default: true
+#注：nodes：ip改为master及worker的ip
+#authentication：ip改为master的ip
+#private_registries：ip改为master的ip