[k8s]k8s api-server启动systemd参数分析
cat> kube-apiserver.service <<EOF ...ExecStart=/usr/local/bin/kube-apiserver \\
#++++++++++++++++++++++++++++++++++++++++++
#必需区
#++++++++++++++++++++++++++++++++++++++++++
--service-cluster-ip-range=10.254.0.0/16 \\
--etcd-servers=http://192.168.14.132:2379
#++++++++++++++++++++++++++++++++++++++++++
# 监听ip区---http https 监听的ip+port
#++++++++++++++++++++++++++++++++++++++++++
--apiserver-count=3 \\(default 1)
--advertise-address=192.168.14.132 \\ #告诉别人在我是谁[ members of the cluster][默认 --bind-address]
--insecure-bind-address=192.168.14.132 \\ #非安全端口监听的ip(default 127.0.0.1)
--insecure-port=8080 \\ # 非安全端口监听的端口(默认8080)
--bind-address=0.0.0.0 \\ # 安全端口监听的ip(default 0.0.0.0)
--secure-port=6443 \\ # 安全端口(默认6443)
--service-node-port-range=30000-65535 \\(default 30000-32767)
--runtime-config=rbac.authorization.k8s.io/v1alpha1 \\ # 打开或关闭针对某个api版本支持
#++++++++++++++++++++++++++++++++++++++++++
# 授权区----授权模式 准入插件 是否允许容器特权
#++++++++++++++++++++++++++++++++++++++++++
--authorization-mode=RBAC \\ # 授权模式(default "AlwaysAllow")
--admission-control=ServiceAccount,DefaultStorageClass,ResourceQuota(基于pod和容器的配额),LimitRanger(基于ns的配额),NamespaceLifecycle(随着ns被删其包含的资源也被删除) \\ 值得注意的是他还有 AlwaysPullImages这个控制参数
--allow-privileged=true \\ # docker run --privileged
--enable-swagger-ui=true \\
#Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication.
--experimental-bootstrap-token-auth \\
#(If set, the file that will be used to secure the secure port of the API server via token authentication.)
--token-auth-file=/etc/kubernetes/token.csv \\
#++++++++++++++++++++++++++++++++++++++++++
# 证书区
#++++++++++++++++++++++++++++++++++++++++++
--client-ca-file=/etc/kubernetes/ssl/ca.crt \\
--service-account-key-file=/etc/kubernetes/ssl/ca.key \\
--tls-cert-file=/etc/kubernetes/ssl/server.crt \\
--tls-private-key-file=/etc/kubernetes/ssl/server.key \\
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \\
--etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \\
--etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \\
--etcd-servers=https://192.168.14.132:2379,https://192.168.14.133:2379,https://192.168.14.134:2379\\
#++++++++++++++++++++++++++++++++++++++++++
# 日志区
#++++++++++++++++++++++++++++++++++++++++++
--audit-log-path=/var/log/kubernetes/apiserver.log \\ #审计日志路径
--audit-log-maxsize=100 \\#日志文件最大大小(单位MB),超过后自动做轮转(默认为100MB)
--audit-log-maxbackup=3 \\#旧日志文件最多保留个数
--audit-log-maxage=30 \\#旧日志最长保留天数
--event-ttl=1h \\
--logtostderr=false \\ #不输出到
----log-dir=/root/logs \\ 输出到文件夹
--v=2 #级别0比级别2输出的日志少
页:
[1]