Server node
Here I disabled servicelb, traefik, network-policy and kube-proxy.
An ingress controller can be installed later; the CNI is replaced directly with Cilium.
cluster-init turns on high-availability cluster initialization: add two more Server nodes and you have an HA etcd.
vim config.yaml

```yaml
token: <rand_String>
tls-san:
  - <host_name>
  - <your_ip>
cluster-cidr: 10.42.0.0/16,2001:cafe:42:0::/56
service-cidr: 10.43.0.0/16,2001:cafe:42:1::/112
node-ip: <your_ip>
disable:
  - servicelb
  - traefik
flannel-backend: none
node-external-ip: <your_public_ip>
disable-network-policy: true
disable-kube-proxy: true
cluster-init: true
```
Install the Server node:

```bash
mkdir -p /etc/rancher/k3s && cp ~/config.yaml /etc/rancher/k3s/config.yaml
curl -sfL https://get.k3s.io | sh -s - server
```
Agent node
```yaml
# token: the contents of /var/lib/rancher/k3s/server/token on the Server node
token: <cat /var/lib/rancher/k3s/server/token>
# the server field is a URL, so the https:// scheme is required
server: https://<server_node_host_or_ip>:6443
node-ip: <agent_node_ip>
node-external-ip: <agent_node_public_ip>
```
Install the Agent node:

```bash
mkdir -p /etc/rancher/k3s && cp ~/config.yaml /etc/rancher/k3s/config.yaml
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="agent" sh -s
```
Cilium
This uses WireGuard transparent encryption in tunnel mode; detailed configuration options are at https://docs.cilium.io/en/stable/
```bash
helm upgrade --install cilium cilium/cilium \
  --namespace kube-system \
  --set kubeProxyReplacement=true \
  --set k8sServiceHost=<server_node_ip> \
  --set k8sServicePort=6443 \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set encryption.nodeEncryption=true \
  --set prometheus.enabled=true \
  --set operator.prometheus.enabled=true \
  --set hubble.enabled=true \
  --set hubble.metrics.enableOpenMetrics=true \
  --set hubble.metrics.enabled="{dns,drop,tcp,flow,port-distribution,icmp,httpV2:exemplars=true;labelsContext=source_ip\,source_namespace\,source_workload\,destination_ip\,destination_namespace\,destination_workload\,traffic_direction}" \
  --set ipam.operator.clusterPoolIPv4PodCIDRList=10.41.0.0/16 \
  --set ipam.operator.clusterPoolIPv4MaskSize=24
```
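The Server node config and the Cilium values above only work as a pair: once kube-proxy and flannel are disabled in k3s, Cilium has to take over both roles, the API host handed to Cilium has to be covered by the k3s serving certificate, and the join token must not be left as the template placeholder. The following checker, an added example and not part of the original post or of k3s/Cilium, encodes those dependencies so they can be verified before `curl | sh` runs. The config keys and Helm value names are the real ones used above; the sample values (`192.0.2.10`, `k3s.example.internal`, the `2001:db8:` prefixes) are constructed placeholders.

```python
"""Consistency checks for a k3s server config.yaml paired with a Cilium
kube-proxy replacement. Added example; sample values are constructed."""
import ipaddress
import secrets


def generate_token(nbytes: int = 32) -> str:
    """Random value for the `token:` field (64 hex characters by default)."""
    return secrets.token_hex(nbytes)


def looks_like_placeholder(value: str) -> bool:
    """Catch template values such as '<rand_String>' or short hand-typed tokens."""
    return value.startswith("<") or len(value) < 32


def _cidrs(field: str) -> list:
    """k3s takes a comma-separated dual-stack list, e.g. '10.42.0.0/16,2001:db8::/56'."""
    return [ipaddress.ip_network(c.strip()) for c in field.split(",") if c.strip()]


def check_k3s_with_cilium(cfg: dict, helm: dict) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []

    # 1. the join token must be a real secret, not the template placeholder
    if looks_like_placeholder(str(cfg.get("token", ""))):
        problems.append("token is a placeholder or too short")

    # 2. with kube-proxy disabled, Cilium must replace it and must be told
    #    how to reach the API server (it cannot use the ClusterIP yet)
    if cfg.get("disable-kube-proxy"):
        if helm.get("kubeProxyReplacement") not in (True, "true"):
            problems.append("disable-kube-proxy is set but kubeProxyReplacement is not true")
        if not helm.get("k8sServiceHost"):
            problems.append("kube-proxy replacement needs k8sServiceHost")

    # 3. the host Cilium connects to must be in the serving certificate;
    #    k3s covers tls-san entries and the node-ip itself
    host = helm.get("k8sServiceHost")
    sans = set(cfg.get("tls-san", [])) | {cfg.get("node-ip")}
    if host and host not in sans:
        problems.append(f"k8sServiceHost {host} is not in tls-san or node-ip")

    # 4. flannel-backend none leaves the cluster without a CNI unless Cilium is installed
    if cfg.get("flannel-backend") == "none" and not helm:
        problems.append("flannel-backend is none but no replacement CNI values were given")

    # 5. the Cilium cluster-pool must not collide with the k3s service CIDR
    pool = helm.get("ipam.operator.clusterPoolIPv4PodCIDRList")
    if pool:
        pool_net = ipaddress.ip_network(pool)
        for svc in _cidrs(cfg.get("service-cidr", "")):
            if svc.version == 4 and pool_net.overlaps(svc):
                problems.append(f"pod pool {pool} overlaps service-cidr {svc}")

    # 6. WireGuard without nodeEncryption leaves host-to-host traffic in the clear
    if helm.get("encryption.enabled") and helm.get("encryption.type") == "wireguard":
        if not helm.get("encryption.nodeEncryption"):
            problems.append("encryption.nodeEncryption is off; node-to-node traffic is unencrypted")

    return problems


# Constructed sample pair mirroring the config.yaml and helm values above.
SAMPLE_CFG = {
    "token": generate_token(),
    "tls-san": ["k3s.example.internal", "192.0.2.10"],
    "cluster-cidr": "10.42.0.0/16,2001:db8:42:0::/56",
    "service-cidr": "10.43.0.0/16,2001:db8:42:1::/112",
    "node-ip": "192.0.2.10",
    "disable": ["servicelb", "traefik"],
    "flannel-backend": "none",
    "disable-network-policy": True,
    "disable-kube-proxy": True,
    "cluster-init": True,
}
SAMPLE_HELM = {
    "kubeProxyReplacement": True,
    "k8sServiceHost": "192.0.2.10",
    "k8sServicePort": 6443,
    "encryption.enabled": True,
    "encryption.type": "wireguard",
    "encryption.nodeEncryption": True,
    "ipam.operator.clusterPoolIPv4PodCIDRList": "10.41.0.0/16",
}

if __name__ == "__main__":
    for p in check_k3s_with_cilium(SAMPLE_CFG, SAMPLE_HELM) or ["config and helm values are consistent"]:
        print(p)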