安全加固指南 - v2.5.0 - CIS1.5

本文讲解了如何使您的集群符合互联网安全中心发布的 Kubernetes 安全基准,保护集群中节点的安全。安装 Kubernetes 之前,请按照本指南进行操作。加固指南旨在与特定版本的 CIS Kubernetes Benchmark,Kubernetes 和 Rancher 一起使用。

加固指南旨在与特定版本的 CIS Kubernetes Benchmark,Kubernetes 和 Rancher 一起使用:

加固指南版本Rancher 版本CIS Benchmark 版本Kubernetes 版本
加固指南 v2.5.0Rancher v2.5.0Benchmark v1.5Kubernetes v1.15

概览

下面的安全加固指南是针对在生产环境的 Rancher v2.5.0 中使用 Kubernetes v1.15 版本的集群。它概述了如何满足互联网安全中心(CIS)提出的 Kubernetes 安全标准。

有关如果根据官方 CIS 基准评估集群的更多详细信息,请参阅CIS Benchmark Rancher 自测指南 - Rancher v2.5.0

已知问题

如果注册自定义节点时只提供了公共 IP,在 CIS 1.5 加固设置中,将无法正常在 Rancher UI 中使用执行命令行查看日志功能。

  • 如果注册自定义节点时只提供了公共 IP,在 CIS 1.5 加固设置中,将无法正常在 Rancher UI 中使用执行命令行查看日志功能。如果想要使用上述两个功能,请在注册自定义节点时提供私有 IP 地址。
  • default_pod_security_policy_template_id:restricted时,Rancher 在默认的 service account 中创建角色绑定集群角色绑定。CIS 1.5 要求默认 service account 没有绑定任何角色,不提供 service account 的 token,不分配特定的权限。

配置内核运行时参数

对于集群中的所有类型的节点,都建议使用以下的sysctl配置。在/etc/sysctl.d/90-kubelet.conf中设置以下参数:

  1. vm.overcommit_memory=1
  3. vm.panic_on_oom=0
  5. kernel.panic=10
  7. kernel.panic_on_oops=1
  9. kernel.keys.root_maxbytes=25000000

Copy

执行sysctl -p /etc/sysctl.d/90-kubelet.conf来启用配置。

配置etcd用户和组

在安装 RKE 之前,需要设置etcd服务的用户帐户和组。etcd用户的uidgid将在 RKE 的config.yml中使用,以在安装期间为文件和目录设置适当的权限。

以下命令使用52034作为uidgid的例子。任何有效的未使用的uidgid也可以用来代替52034

创建etcd用户和组

要创建etcd组,请运行以下控制台命令。

  1. addgroup --gid 52034 etcd
  3. useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd

Copy

使用etcd用户的uidgid更新 RKE 的 config.yml文件:

  1. services:
  3.   etcd:
  5.     gid: 52034
  7.     uid: 52034

Copy

default服务账号的automountServiceAccountToken设置为 false

Kubernetes 提供了一个默认服务账号(Service Account),如果集群的工作负载中没有为 Pod 分配任何特定服务账号,那么它将会使用这个default的服务账号。在需要从 Pod 访问 Kubernetes API 的情况下,应为该 Pod 创建一个特定的服务账号,并向该服务账号授予权限。这个default的服务账户应该被设置为不提供服务账号令牌(service account token)和任何权限。将automountServiceAccountToken设置为 false 之后,Kubernetes 在启动 Pod 时,将不会自动注入default服务账户。

对于标准 RKE 安装中包括defaultkube-system在内的每个命名空间,default服务账户必须包含这个值。

  1. automountServiceAccountToken: false

Copy

把下面的 yaml 另存为account_update.yaml

  1. apiVersion: v1
  3. kind: ServiceAccount
  5. metadata:
  7.   name: default
  9. automountServiceAccountToken: false

Copy

创建一个名称为account_update.sh的脚本。通过运行chmod +x account_update.sh,使这个脚本有执行权限。

  1. #!/bin/bash -e
  6. for namespace in $(kubectl get namespaces -o custom-columns=NAME:.metadata.name --no-headers); do
  8.   kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)"
  10. done

Copy

确保所有命名空间均已定义网络策略

在同一个 Kubernetes 集群上运行不同的应用程序会产生一个风险,那就是应用可能受到相邻应用程序的攻击。为了确保容器只能与预期的容器进行通信,网络细分是必不可少的。通过设置网络策略(Network Policy),可以设置哪些 Pod 之间可以通信,以及是否可以和其他网络端点进行通信。

网络策略是作用于命名空间范围的。将网络策略应用于给定命名空间时,所有不被这个策略允许的流量将被拒绝。然而,如果命名空间中没有设置网络策略,那么进出这个命名空间中 Pod 的所有流量都将被允许。要使用网络策略,必须启用 CNI(容器网络接口)插件。本指南使用canal提供策略实施。您可以在这里找到有关 CNI 插件的其他信息。

在集群上启用 CN​​I 插件后,您可以设置一个默认的网络策略。下面是一个宽松的网络策略示例,仅供参考。如果您想要允许到某个命名空间内所有 Pod 的流量(即使已经添加了一些策略,使得一些 Pods 被隔离了),您可以创建一个策略,明确允许该命名空间中的所有流量。将以下yaml另存为 default-allow-all.yaml。额外关于网络策略的信息,请查看Kubernetes 官方文档

重要

这个NetworkPolicy示例不建议在生产环境中使用。

  1. ---
  3. apiVersion: networking.k8s.io/v1
  5. kind: NetworkPolicy
  7. metadata:
  9.   name: default-allow-all
  11. spec:
  13.   podSelector: {}
  15.   ingress:
  17.     - {}
  19.   egress:
  21.     - {}
  23.   policyTypes:
  25.     - Ingress
  27.     - Egress

Copy

创建一个名称为apply_networkPolicy_to_all_ns.sh的脚本。通过运行chmod +x apply_networkPolicy_to_all_ns.sh,使这个脚本有执行权限

  1. #!/bin/bash -e
  6. for namespace in $(kubectl get namespaces -o custom-columns=NAME:.metadata.name --no-headers); do
  8.   kubectl apply -f default-allow-all.yaml -n ${namespace}
  10. done

Copy

运行脚本,以使全部的命名空间使用这个default-allow-all.yaml文件中的宽松NetworkPolicy

加固的 RKE cluster.yml 配置参考

您可以用这个供您参考的cluster.yml,通过 RKE CLI 来创建安全加固的 Rancher Kubernetes Engine(RKE)集群。有关每个配置的详细信息,请参阅RKE 文档。这个cluster.yml问号不包括所需的nodes指令,它将根据你的环境而变化。有关如何节点配置的文档可以参考RKE 节点配置示例

  1. # If you intend to deploy Kubernetes in an air-gapped environment,
  3. # please consult the documentation on how to configure custom RKE images.
  5. kubernetes_version: "v1.15.9-rancher1-1"
  7. enable_network_policy: true
  9. default_pod_security_policy_template_id: "restricted"
  11. # the nodes directive is required and will vary depending on your environment
  13. # documentation for node configuration can be found here:
  15. # https://docs.rancher.cn/docs/rke/config-options/nodes/_index
  17. services:
  19.   etcd:
  21.     uid: 52034
  23.     gid: 52034
  25.   kube-api:
  27.     pod_security_policy: true
  29.     secrets_encryption_config:
  31.       enabled: true
  33.     audit_log:
  35.       enabled: true
  37.     admission_configuration:
  39.     event_rate_limit:
  41.       enabled: true
  43.   kube-controller:
  45.     extra_args:
  47.       feature-gates: "RotateKubeletServerCertificate=true"
  49.   scheduler:
  51.     image: ""
  53.     extra_args: {}
  55.     extra_binds: []
  57.     extra_env: []
  59.   kubelet:
  61.     generate_serving_certificate: true
  63.     extra_args:
  65.       feature-gates: "RotateKubeletServerCertificate=true"
  67.       protect-kernel-defaults: "true"
  69.       tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
  71.     extra_binds: []
  73.     extra_env: []
  75.     cluster_domain: ""
  77.     infra_container_image: ""
  79.     cluster_dns_server: ""
  81.     fail_swap_on: false
  83.   kubeproxy:
  85.     image: ""
  87.     extra_args: {}
  89.     extra_binds: []
  91.     extra_env: []
  93. network:
  95.   plugin: ""
  97.   options: {}
  99.   mtu: 0
  101.   node_selector: {}
  103. authentication:
  105.   strategy: ""
  107.   sans: []
  109.   webhook: null
  111. addons: |
  113.   ---
  115.   apiVersion: v1
  117.   kind: Namespace
  119.   metadata:
  121.     name: ingress-nginx
  123.   ---
  125.   apiVersion: rbac.authorization.k8s.io/v1
  127.   kind: Role
  129.   metadata:
  131.     name: default-psp-role
  133.     namespace: ingress-nginx
  135.   rules:
  137.   - apiGroups:
  139.     - extensions
  141.     resourceNames:
  143.     - default-psp
  145.     resources:
  147.     - podsecuritypolicies
  149.     verbs:
  151.     - use
  153.   ---
  155.   apiVersion: rbac.authorization.k8s.io/v1
  157.   kind: RoleBinding
  159.   metadata:
  161.     name: default-psp-rolebinding
  163.     namespace: ingress-nginx
  165.   roleRef:
  167.     apiGroup: rbac.authorization.k8s.io
  169.     kind: Role
  171.     name: default-psp-role
  173.   subjects:
  175.   - apiGroup: rbac.authorization.k8s.io
  177.     kind: Group
  179.     name: system:serviceaccounts
  181.   - apiGroup: rbac.authorization.k8s.io
  183.     kind: Group
  185.     name: system:authenticated
  187.   ---
  189.   apiVersion: v1
  191.   kind: Namespace
  193.   metadata:
  195.     name: cattle-system
  197.   ---
  199.   apiVersion: rbac.authorization.k8s.io/v1
  201.   kind: Role
  203.   metadata:
  205.     name: default-psp-role
  207.     namespace: cattle-system
  209.   rules:
  211.   - apiGroups:
  213.     - extensions
  215.     resourceNames:
  217.     - default-psp
  219.     resources:
  221.     - podsecuritypolicies
  223.     verbs:
  225.     - use
  227.   ---
  229.   apiVersion: rbac.authorization.k8s.io/v1
  231.   kind: RoleBinding
  233.   metadata:
  235.     name: default-psp-rolebinding
  237.     namespace: cattle-system
  239.   roleRef:
  241.     apiGroup: rbac.authorization.k8s.io
  243.     kind: Role
  245.     name: default-psp-role
  247.   subjects:
  249.   - apiGroup: rbac.authorization.k8s.io
  251.     kind: Group
  253.     name: system:serviceaccounts
  255.   - apiGroup: rbac.authorization.k8s.io
  257.     kind: Group
  259.     name: system:authenticated
  261.   ---
  263.   apiVersion: policy/v1beta1
  265.   kind: PodSecurityPolicy
  267.   metadata:
  269.     name: restricted
  271.   spec:
  273.     requiredDropCapabilities:
  275.     - NET_RAW
  277.     privileged: false
  279.     allowPrivilegeEscalation: false
  281.     defaultAllowPrivilegeEscalation: false
  283.     fsGroup:
  285.       rule: RunAsAny
  287.     runAsUser:
  289.       rule: MustRunAsNonRoot
  291.     seLinux:
  293.       rule: RunAsAny
  295.     supplementalGroups:
  297.       rule: RunAsAny
  299.     volumes:
  301.     - emptyDir
  303.     - secret
  305.     - persistentVolumeClaim
  307.     - downwardAPI
  309.     - configMap
  311.     - projected
  313.   ---
  315.   apiVersion: rbac.authorization.k8s.io/v1
  317.   kind: ClusterRole
  319.   metadata:
  321.     name: psp:restricted
  323.   rules:
  325.   - apiGroups:
  327.     - extensions
  329.     resourceNames:
  331.     - restricted
  333.     resources:
  335.     - podsecuritypolicies
  337.     verbs:
  339.     - use
  341.   ---
  343.   apiVersion: rbac.authorization.k8s.io/v1
  345.   kind: ClusterRoleBinding
  347.   metadata:
  349.     name: psp:restricted
  351.   roleRef:
  353.     apiGroup: rbac.authorization.k8s.io
  355.     kind: ClusterRole
  357.     name: psp:restricted
  359.   subjects:
  361.   - apiGroup: rbac.authorization.k8s.io
  363.     kind: Group
  365.     name: system:serviceaccounts
  367.   - apiGroup: rbac.authorization.k8s.io
  369.     kind: Group
  371.     name: system:authenticated
  373.   ---
  375.   apiVersion: v1
  377.   kind: ServiceAccount
  379.   metadata:
  381.     name: tiller
  383.     namespace: kube-system
  385.   ---
  387.   apiVersion: rbac.authorization.k8s.io/v1
  389.   kind: ClusterRoleBinding
  391.   metadata:
  393.     name: tiller
  395.   roleRef:
  397.     apiGroup: rbac.authorization.k8s.io
  399.     kind: ClusterRole
  401.     name: cluster-admin
  403.   subjects:
  405.   - kind: ServiceAccount
  407.     name: tiller
  409.     namespace: kube-system
  414. addons_include: []
  416. system_images:
  418.   etcd: ""
  420.   alpine: ""
  422.   nginx_proxy: ""
  424.   cert_downloader: ""
  426.   kubernetes_services_sidecar: ""
  428.   kubedns: ""
  430.   dnsmasq: ""
  432.   kubedns_sidecar: ""
  434.   kubedns_autoscaler: ""
  436.   coredns: ""
  438.   coredns_autoscaler: ""
  440.   kubernetes: ""
  442.   flannel: ""
  444.   flannel_cni: ""
  446.   calico_node: ""
  448.   calico_cni: ""
  450.   calico_controllers: ""
  452.   calico_ctl: ""
  454.   calico_flexvol: ""
  456.   canal_node: ""
  458.   canal_cni: ""
  460.   canal_flannel: ""
  462.   canal_flexvol: ""
  464.   weave_node: ""
  466.   weave_cni: ""
  468.   pod_infra_container: ""
  470.   ingress: ""
  472.   ingress_backend: ""
  474.   metrics_server: ""
  476.   windows_pod_infra_container: ""
  478. ssh_key_path: ""
  480. ssh_cert_path: ""
  482. ssh_agent_auth: false
  484. authorization:
  486.   mode: ""
  488.   options: {}
  490. ignore_docker_version: false
  492. private_registries: []
  494. ingress:
  496.   provider: ""
  498.   options: {}
  500.   node_selector: {}
  502.   extra_args: {}
  504.   dns_policy: ""
  506.   extra_envs: []
  508.   extra_volumes: []
  510.   extra_volume_mounts: []
  512. cluster_name: ""
  514. prefix_path: ""
  516. addon_job_timeout: 0
  518. bastion_host:
  520.   address: ""
  522.   port: ""
  524.   user: ""
  526.   ssh_key: ""
  528.   ssh_key_path: ""
  530.   ssh_cert: ""
  532.   ssh_cert_path: ""
  534. monitoring:
  536.   provider: ""
  538.   options: {}
  540.   node_selector: {}
  542. restore:
  544.   restore: false
  546.   snapshot_name: ""
  548. dns: null

Copy

安全加固的 RKE 模板配置参考

这个 RKE 参考模板提供了安装安全加固的 Kubenetes 所需的配置。RKE 模板用于配置 Kubernetes 和定义 Rancher 设置。请参阅Rancher 文档获得更多安装和 RKE 模板的详细信息。

  1. #
  3. # Cluster Config
  5. #
  7. default_pod_security_policy_template_id: restricted
  9. docker_root_dir: /var/lib/docker
  11. enable_cluster_alerting: false
  13. enable_cluster_monitoring: false
  15. enable_network_policy: true
  17. #
  19. # Rancher Config
  21. #
  23. rancher_kubernetes_engine_config:
  25.   addon_job_timeout: 30
  27.   addons: |-
  29.     ---
  31.     apiVersion: v1
  33.     kind: Namespace
  35.     metadata:
  37.       name: ingress-nginx
  39.     ---
  41.     apiVersion: rbac.authorization.k8s.io/v1
  43.     kind: Role
  45.     metadata:
  47.       name: default-psp-role
  49.       namespace: ingress-nginx
  51.     rules:
  53.     - apiGroups:
  55.       - extensions
  57.       resourceNames:
  59.       - default-psp
  61.       resources:
  63.       - podsecuritypolicies
  65.       verbs:
  67.       - use
  69.     ---
  71.     apiVersion: rbac.authorization.k8s.io/v1
  73.     kind: RoleBinding
  75.     metadata:
  77.       name: default-psp-rolebinding
  79.       namespace: ingress-nginx
  81.     roleRef:
  83.       apiGroup: rbac.authorization.k8s.io
  85.       kind: Role
  87.       name: default-psp-role
  89.     subjects:
  91.     - apiGroup: rbac.authorization.k8s.io
  93.       kind: Group
  95.       name: system:serviceaccounts
  97.     - apiGroup: rbac.authorization.k8s.io
  99.       kind: Group
  101.       name: system:authenticated
  103.     ---
  105.     apiVersion: v1
  107.     kind: Namespace
  109.     metadata:
  111.       name: cattle-system
  113.     ---
  115.     apiVersion: rbac.authorization.k8s.io/v1
  117.     kind: Role
  119.     metadata:
  121.       name: default-psp-role
  123.       namespace: cattle-system
  125.     rules:
  127.     - apiGroups:
  129.       - extensions
  131.       resourceNames:
  133.       - default-psp
  135.       resources:
  137.       - podsecuritypolicies
  139.       verbs:
  141.       - use
  143.     ---
  145.     apiVersion: rbac.authorization.k8s.io/v1
  147.     kind: RoleBinding
  149.     metadata:
  151.       name: default-psp-rolebinding
  153.       namespace: cattle-system
  155.     roleRef:
  157.       apiGroup: rbac.authorization.k8s.io
  159.       kind: Role
  161.       name: default-psp-role
  163.     subjects:
  165.     - apiGroup: rbac.authorization.k8s.io
  167.       kind: Group
  169.       name: system:serviceaccounts
  171.     - apiGroup: rbac.authorization.k8s.io
  173.       kind: Group
  175.       name: system:authenticated
  177.     ---
  179.     apiVersion: policy/v1beta1
  181.     kind: PodSecurityPolicy
  183.     metadata:
  185.       name: restricted
  187.     spec:
  189.       requiredDropCapabilities:
  191.       - NET_RAW
  193.       privileged: false
  195.       allowPrivilegeEscalation: false
  197.       defaultAllowPrivilegeEscalation: false
  199.       fsGroup:
  201.         rule: RunAsAny
  203.       runAsUser:
  205.         rule: MustRunAsNonRoot
  207.       seLinux:
  209.         rule: RunAsAny
  211.       supplementalGroups:
  213.         rule: RunAsAny
  215.       volumes:
  217.       - emptyDir
  219.       - secret
  221.       - persistentVolumeClaim
  223.       - downwardAPI
  225.       - configMap
  227.       - projected
  229.     ---
  231.     apiVersion: rbac.authorization.k8s.io/v1
  233.     kind: ClusterRole
  235.     metadata:
  237.       name: psp:restricted
  239.     rules:
  241.     - apiGroups:
  243.       - extensions
  245.       resourceNames:
  247.       - restricted
  249.       resources:
  251.       - podsecuritypolicies
  253.       verbs:
  255.       - use
  257.     ---
  259.     apiVersion: rbac.authorization.k8s.io/v1
  261.     kind: ClusterRoleBinding
  263.     metadata:
  265.       name: psp:restricted
  267.     roleRef:
  269.       apiGroup: rbac.authorization.k8s.io
  271.       kind: ClusterRole
  273.       name: psp:restricted
  275.     subjects:
  277.     - apiGroup: rbac.authorization.k8s.io
  279.       kind: Group
  281.       name: system:serviceaccounts
  283.     - apiGroup: rbac.authorization.k8s.io
  285.       kind: Group
  287.       name: system:authenticated
  289.     ---
  291.     apiVersion: v1
  293.     kind: ServiceAccount
  295.     metadata:
  297.       name: tiller
  299.       namespace: kube-system
  301.     ---
  303.     apiVersion: rbac.authorization.k8s.io/v1
  305.     kind: ClusterRoleBinding
  307.     metadata:
  309.       name: tiller
  311.     roleRef:
  313.       apiGroup: rbac.authorization.k8s.io
  315.       kind: ClusterRole
  317.       name: cluster-admin
  319.     subjects:
  321.     - kind: ServiceAccount
  323.       name: tiller
  325.       namespace: kube-system
  327.   ignore_docker_version: true
  329.   kubernetes_version: v1.15.9-rancher1-1
  331.   #
  333.   #   If you are using calico on AWS
  335.   #
  337.   #    network:
  339.   #      plugin: calico
  341.   #      calico_network_provider:
  343.   #        cloud_provider: aws
  345.   #
  347.   # # To specify flannel interface
  349.   #
  351.   #    network:
  353.   #      plugin: flannel
  355.   #      flannel_network_provider:
  357.   #      iface: eth1
  359.   #
  361.   # # To specify flannel interface for canal plugin
  363.   #
  365.   #    network:
  367.   #      plugin: canal
  369.   #      canal_network_provider:
  371.   #        iface: eth1
  373.   #
  375.   network:
  377.     mtu: 0
  379.     plugin: canal
  381.   #
  383.   #    services:
  385.   #      kube-api:
  387.   #        service_cluster_ip_range: 10.43.0.0/16
  389.   #      kube-controller:
  391.   #        cluster_cidr: 10.42.0.0/16
  393.   #        service_cluster_ip_range: 10.43.0.0/16
  395.   #      kubelet:
  397.   #        cluster_domain: cluster.local
  399.   #        cluster_dns_server: 10.43.0.10
  401.   #
  403.   services:
  405.     etcd:
  407.       backup_config:
  409.         enabled: false
  411.         interval_hours: 12
  413.         retention: 6
  415.         safe_timestamp: false
  417.       creation: 12h
  419.       extra_args:
  421.         election-timeout: "5000"
  423.         heartbeat-interval: "500"
  425.       gid: 52034
  427.       retention: 72h
  429.       snapshot: false
  431.       uid: 52034
  433.     kube_api:
  435.       always_pull_images: false
  437.       audit_log:
  439.         enabled: true
  441.       event_rate_limit:
  443.         enabled: true
  445.       pod_security_policy: true
  447.       secrets_encryption_config:
  449.         enabled: true
  451.       service_node_port_range: 30000-32767
  453.     kube_controller:
  455.       extra_args:
  457.         address: 127.0.0.1
  459.         feature-gates: RotateKubeletServerCertificate=true
  461.         profiling: "false"
  463.         terminated-pod-gc-threshold: "1000"
  465.     kubelet:
  467.       extra_args:
  469.         anonymous-auth: "false"
  471.         event-qps: "0"
  473.         feature-gates: RotateKubeletServerCertificate=true
  475.         make-iptables-util-chains: "true"
  477.         protect-kernel-defaults: "true"
  479.         streaming-connection-idle-timeout: 1800s
  481.         tls-cipher-suites: >-
  483.           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
  485.       fail_swap_on: false
  487.       generate_serving_certificate: true
  489.     scheduler:
  491.       extra_args:
  493.         address: 127.0.0.1
  495.         profiling: "false"
  497.   ssh_agent_auth: false
  499. windows_prefered_cluster: false

Copy

安全加固的 Ubuntu 18.04 LTS cloud-config参考配置

这个供您参考的cloud-config通常被用于云基础架构环境中,来进行计算实例的配置管理。这个参考配置了在安装 kubernetes 之前需要的 Ubuntu 操作系统级别的设置。

  1. #cloud-config
  3. packages:
  5.   - curl
  7.   - jq
  9. runcmd:
  11.   - sysctl -w vm.overcommit_memory=1
  13.   - sysctl -w kernel.panic=10
  15.   - sysctl -w kernel.panic_on_oops=1
  17.   - curl https://releases.rancher.com/install-docker/18.09.sh | sh
  19.   - usermod -aG docker ubuntu
  21.   - return=1; while [ $return != 0 ]; do sleep 2; docker ps; return=$?; done
  23.   - addgroup --gid 52034 etcd
  25.   - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd
  27. write_files:
  29.   - path: /etc/sysctl.d/kubelet.conf
  31.     owner: root:root
  33.     permissions: "0644"
  35.     content: |
  37.       vm.overcommit_memory=1
  39.       kernel.panic=10
  41.       kernel.panic_on_oops=1

Copy