在Kubernetes(AWS EKS)节点修补上获得修补(无更改)
我的目标是覆盖运行集群中的默认Kubelet配置在Kubernetes(AWS EKS)节点修补上获得修补(无更改),kubernetes,kubectl,Kubernetes,Kubectl,我的目标是覆盖运行集群中的默认Kubelet配置 "imageGCHighThresholdPercent": 85, "imageGCLowThresholdPercent": 80, 到 可能的选项是为每个节点应用节点修补程序 我使用以下命令通过kubeclt代理获取kubelet配置 curl -sSL "http://localhost:8001/api/v1/nodes/ip-172-31-20-135.eu-west-1.compute.internal/proxy/configz
"imageGCHighThresholdPercent": 85,
"imageGCLowThresholdPercent": 80,
到
可能的选项是为每个节点应用节点修补程序
我使用以下命令通过kubeclt代理获取kubelet配置
curl -sSL "http://localhost:8001/api/v1/nodes/ip-172-31-20-135.eu-west-1.compute.internal/proxy/configz" | python3 -m json.tool
输出是
{
"kubeletconfig": {
....
"imageGCHighThresholdPercent": 85,
"imageGCLowThresholdPercent": 80,
.....
}
}
下面是我用来更新这两个值的命令
kubectl patch node ip-172-31-20-135.eu-west-1.compute.internal -p '{"kubeletconfig":{"imageGCHighThresholdPercent":60,"imageGCLowThresholdPercent":40}}'
不幸的是,库贝特把我还给了我
节点/ip-172-31-20-135.eu-west-1.compute.internal patched(无更改)
因此,这一变化没有任何影响
想想我做错了什么
谢谢修补节点对象不起作用,因为这些配置不是节点对象的一部分 实现这一点的方法是更新kubernetes节点中的kubelet配置文件并重新启动kubelet进程
systemctl status kubelet
应告知kubelet是否由配置文件启动,以及文件的位置
root@kind-control-plane:/var/lib/kubelet# systemctl status kubelet
kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/kind/systemd/kubelet.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Tue 2020-04-14 08:43:14 UTC; 2 days ago
Docs: http://kubernetes.io/docs/
Main PID: 639 (kubelet)
Tasks: 20 (limit: 2346)
Memory: 59.6M
CGroup: /docker/f01f57e1ef7aa7a1a8197e0e79be15415c580da33a7d048512e22418a88e0317/system.slice/kubelet.service
└─639 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --c
ontainer-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip=172.17.0.2 --fail-swap-on=false
正如上面在kubeadm的集群设置中所看到的,kubelet是通过位于/var/lib/kubelet/config.yaml
编辑要添加的配置文件
ImageGCHighThresholdPercent: 60
ImageGCHighThresholdPercent: 40
使用systemctl Restart kubelet.service重新启动kubelet
如果集群不是使用kubelet配置文件启动的,则在启动kubelet时创建一个新的并传递配置文件。修补节点对象不起作用,因为这些配置不是节点对象的一部分 实现这一点的方法是更新kubernetes节点中的kubelet配置文件并重新启动kubelet进程
systemctl status kubelet
应告知kubelet是否由配置文件启动,以及文件的位置
root@kind-control-plane:/var/lib/kubelet# systemctl status kubelet
kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/kind/systemd/kubelet.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Tue 2020-04-14 08:43:14 UTC; 2 days ago
Docs: http://kubernetes.io/docs/
Main PID: 639 (kubelet)
Tasks: 20 (limit: 2346)
Memory: 59.6M
CGroup: /docker/f01f57e1ef7aa7a1a8197e0e79be15415c580da33a7d048512e22418a88e0317/system.slice/kubelet.service
└─639 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --container-runtime=remote --c
ontainer-runtime-endpoint=/run/containerd/containerd.sock --fail-swap-on=false --node-ip=172.17.0.2 --fail-swap-on=false
正如上面在kubeadm的集群设置中所看到的,kubelet是通过位于/var/lib/kubelet/config.yaml
编辑要添加的配置文件
ImageGCHighThresholdPercent: 60
ImageGCHighThresholdPercent: 40
使用systemctl Restart kubelet.service重新启动kubelet
如果集群不是使用kubelet配置文件启动的,则在启动kubelet时创建一个新的并传递配置文件。当您使用EKS时,您必须配置提供启动实例所需的信息。启动实例时必须指定AMI。当需要具有相同配置的多个实例时,可以从单个AMI启动多个实例。当需要具有不同配置的实例时,可以使用不同的AMI来启动实例 首先创建文件夹
/var/lib/kubelet
,并将kubeconfig模板文件放入其中,内容如下:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: CERTIFICATE_AUTHORITY_FILE
server: MASTER_ENDPOINT
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet
name: kubelet
current-context: kubelet
users:
- name: kubelet
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: /usr/bin/heptio-authenticator-aws
args:
- "token"
- "-i"
- "CLUSTER_NAME"
[Unit]
Description=Kubernetes Kubelet
Documentation=[https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/kubelet \
--address=0.0.0.0 \
--authentication-token-webhook \
--authorization-mode=Webhook \
--allow-privileged=true \
--cloud-provider=aws \
--cluster-dns=DNS_CLUSTER_IP \
--cluster-domain=cluster.local \
--cni-bin-dir=/opt/cni/bin \
--cni-conf-dir=/etc/cni/net.d \
--container-runtime=docker \
--max-pods=MAX_PODS \
--node-ip=INTERNAL_IP \
--network-plugin=cni \
--pod-infra-container-image=602401143452.dkr.ecr.REGION.amazonaws.com/eks/pause-amd64:3.1 \
--cgroup-driver=cgroupfs \
--register-node=true \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--feature-gates=RotateKubeletServerCertificate=true \
--anonymous-auth=false \
--client-ca-file=CLIENT_CA_FILE \
--image-gc-high-threshold=60 \
--image-gc-low-threshold=40
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
然后创建模板文件/etc/systemd/system/kubelet.service
,内容如下:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: CERTIFICATE_AUTHORITY_FILE
server: MASTER_ENDPOINT
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet
name: kubelet
current-context: kubelet
users:
- name: kubelet
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: /usr/bin/heptio-authenticator-aws
args:
- "token"
- "-i"
- "CLUSTER_NAME"
[Unit]
Description=Kubernetes Kubelet
Documentation=[https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/kubelet \
--address=0.0.0.0 \
--authentication-token-webhook \
--authorization-mode=Webhook \
--allow-privileged=true \
--cloud-provider=aws \
--cluster-dns=DNS_CLUSTER_IP \
--cluster-domain=cluster.local \
--cni-bin-dir=/opt/cni/bin \
--cni-conf-dir=/etc/cni/net.d \
--container-runtime=docker \
--max-pods=MAX_PODS \
--node-ip=INTERNAL_IP \
--network-plugin=cni \
--pod-infra-container-image=602401143452.dkr.ecr.REGION.amazonaws.com/eks/pause-amd64:3.1 \
--cgroup-driver=cgroupfs \
--register-node=true \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--feature-gates=RotateKubeletServerCertificate=true \
--anonymous-auth=false \
--client-ca-file=CLIENT_CA_FILE \
--image-gc-high-threshold=60 \
--image-gc-low-threshold=40
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
您必须添加标志image gc high threshold
和image gc low threshold
,并指定适当的值
--image-gc-high-threshold int32 The percent of disk usage after which image garbage collection is always run. (default 85)
--image-gc-low-threshold int32 The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. (default 80)
请看一看:。当您使用EKS时,您必须配置提供启动实例所需的信息。启动实例时必须指定AMI。当需要具有相同配置的多个实例时,可以从单个AMI启动多个实例。当需要具有不同配置的实例时,可以使用不同的AMI来启动实例 首先创建文件夹
/var/lib/kubelet
,并将kubeconfig模板文件放入其中,内容如下:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: CERTIFICATE_AUTHORITY_FILE
server: MASTER_ENDPOINT
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet
name: kubelet
current-context: kubelet
users:
- name: kubelet
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: /usr/bin/heptio-authenticator-aws
args:
- "token"
- "-i"
- "CLUSTER_NAME"
[Unit]
Description=Kubernetes Kubelet
Documentation=[https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/kubelet \
--address=0.0.0.0 \
--authentication-token-webhook \
--authorization-mode=Webhook \
--allow-privileged=true \
--cloud-provider=aws \
--cluster-dns=DNS_CLUSTER_IP \
--cluster-domain=cluster.local \
--cni-bin-dir=/opt/cni/bin \
--cni-conf-dir=/etc/cni/net.d \
--container-runtime=docker \
--max-pods=MAX_PODS \
--node-ip=INTERNAL_IP \
--network-plugin=cni \
--pod-infra-container-image=602401143452.dkr.ecr.REGION.amazonaws.com/eks/pause-amd64:3.1 \
--cgroup-driver=cgroupfs \
--register-node=true \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--feature-gates=RotateKubeletServerCertificate=true \
--anonymous-auth=false \
--client-ca-file=CLIENT_CA_FILE \
--image-gc-high-threshold=60 \
--image-gc-low-threshold=40
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
然后创建模板文件/etc/systemd/system/kubelet.service
,内容如下:
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: CERTIFICATE_AUTHORITY_FILE
server: MASTER_ENDPOINT
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet
name: kubelet
current-context: kubelet
users:
- name: kubelet
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: /usr/bin/heptio-authenticator-aws
args:
- "token"
- "-i"
- "CLUSTER_NAME"
[Unit]
Description=Kubernetes Kubelet
Documentation=[https://github.com/kubernetes/kubernetes](https://github.com/kubernetes/kubernetes)
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/bin/kubelet \
--address=0.0.0.0 \
--authentication-token-webhook \
--authorization-mode=Webhook \
--allow-privileged=true \
--cloud-provider=aws \
--cluster-dns=DNS_CLUSTER_IP \
--cluster-domain=cluster.local \
--cni-bin-dir=/opt/cni/bin \
--cni-conf-dir=/etc/cni/net.d \
--container-runtime=docker \
--max-pods=MAX_PODS \
--node-ip=INTERNAL_IP \
--network-plugin=cni \
--pod-infra-container-image=602401143452.dkr.ecr.REGION.amazonaws.com/eks/pause-amd64:3.1 \
--cgroup-driver=cgroupfs \
--register-node=true \
--kubeconfig=/var/lib/kubelet/kubeconfig \
--feature-gates=RotateKubeletServerCertificate=true \
--anonymous-auth=false \
--client-ca-file=CLIENT_CA_FILE \
--image-gc-high-threshold=60 \
--image-gc-low-threshold=40
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
您必须添加标志image gc high threshold
和image gc low threshold
,并指定适当的值
--image-gc-high-threshold int32 The percent of disk usage after which image garbage collection is always run. (default 85)
--image-gc-low-threshold int32 The percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. (default 80)
请看一看:。谢谢您的详细解释,我忘了提到kube正在AWS的EKS上运行。所以我不确定我是否能够访问/var/lib/kubelet/config.yaml并运行systemctl restart kubelet.services谢谢详细的解释,我忘了提到kube是在AWS的EKS上运行的。因此,我不确定是否能够访问/var/lib/kubelet/config.yaml并运行systemctl restart kubelet.serviceHi MaggieO,您的解决方案是有意义的。我假设它在集群设置阶段工作得很好。对于已经运行的EKS节点组,是否有任何方法可以实现相同的目标。你认为通过ssh一个接一个地连接到每个节点,是否可以得到相同的结果?或者你有更好的建议。谢谢,我认为您可以在已经运行的EKS节点组上实现这一点-请看:。当需要具有相同配置的多个实例时,可以从单个AMI启动多个实例。当需要具有不同配置的实例时,可以使用不同的AMI来启动实例。有帮助吗?嗨,MaggieO,你的解决方案很有意义。我假设它在集群设置阶段工作得很好。对于已经运行的EKS节点组,是否有任何方法可以实现相同的目标。你认为通过ssh一个接一个地连接到每个节点,是否可以得到相同的结果?或者你有更好的建议。谢谢,我认为您可以在已经运行的EKS节点组上实现这一点-请看:。当需要具有相同配置的多个实例时,可以从单个AMI启动多个实例。当需要具有不同配置的实例时,可以使用不同的AMI来启动实例。有帮助吗?