自签名证书和4层负载均衡的cluster.yml 文件模板

RKE 使用 cluster.yml 文件安装和配置您的 Kubernetes 集群。

如果您使用配置如下所示,您可以使用这个 cluster.yml 模板安装和配置集群。

详情请参考RKE 文档

  1. nodes:
  3.   - address: <IP> # hostname or IP to access nodes
  5.     user: <USER> # root user (usually 'root')
  7.     role: [controlplane, etcd, worker] # K8s roles for node
  9.     ssh_key_path: <PEM_FILE> # path to PEM file
  11.   - address: <IP>
  13.     user: <USER>
  15.     role: [controlplane, etcd, worker]
  17.     ssh_key_path: <PEM_FILE>
  19.   - address: <IP>
  21.     user: <USER>
  23.     role: [controlplane, etcd, worker]
  25.     ssh_key_path: <PEM_FILE>
  27. services:
  29.   etcd:
  31.     snapshot: true
  33.     creation: 6h
  35.     retention: 24h
  37. addons: |-
  39.   ---
  41.   kind: Namespace
  43.   apiVersion: v1
  45.   metadata:
  47.     name: cattle-system
  49.   ---
  51.   kind: ServiceAccount
  53.   apiVersion: v1
  55.   metadata:
  57.     name: cattle-admin
  59.     namespace: cattle-system
  61.   ---
  63.   kind: ClusterRoleBinding
  65.   apiVersion: rbac.authorization.k8s.io/v1
  67.   metadata:
  69.     name: cattle-crb
  71.     namespace: cattle-system
  73.   subjects:
  75.   - kind: ServiceAccount
  77.     name: cattle-admin
  79.     namespace: cattle-system
  81.   roleRef:
  83.     kind: ClusterRole
  85.     name: cluster-admin
  87.     apiGroup: rbac.authorization.k8s.io
  89.   ---
  91.   apiVersion: v1
  93.   kind: Secret
  95.   metadata:
  97.     name: cattle-keys-ingress
  99.     namespace: cattle-system
  101.   type: Opaque
  103.   data:
  105.     tls.crt: <BASE64_CRT>  # ssl cert for ingress. If selfsigned, must be signed by same CA as cattle server
  107.     tls.key: <BASE64_KEY>  # ssl key for ingress. If selfsigned, must be signed by same CA as cattle server
  109.   ---
  111.   apiVersion: v1
  113.   kind: Secret
  115.   metadata:
  117.     name: cattle-keys-server
  119.     namespace: cattle-system
  121.   type: Opaque
  123.   data:
  125.     cacerts.pem: <BASE64_CA>  # CA cert used to sign cattle server cert and key
  127.   ---
  129.   apiVersion: v1
  131.   kind: Service
  133.   metadata:
  135.     namespace: cattle-system
  137.     name: cattle-service
  139.     labels:
  141.       app: cattle
  143.   spec:
  145.     ports:
  147.     - port: 80
  149.       targetPort: 80
  151.       protocol: TCP
  153.       name: http
  155.     - port: 443
  157.       targetPort: 443
  159.       protocol: TCP
  161.       name: https
  163.     selector:
  165.       app: cattle
  167.   ---
  169.   apiVersion: extensions/v1beta1
  171.   kind: Ingress
  173.   metadata:
  175.     namespace: cattle-system
  177.     name: cattle-ingress-http
  179.     annotations:
  181.       nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
  183.       nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"   # Max time in seconds for ws to remain shell window open
  185.       nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"   # Max time in seconds for ws to remain shell window open
  187.   spec:
  189.     rules:
  191.     - host: <FQDN>  # FQDN to access cattle server
  193.       http:
  195.         paths:
  197.         - backend:
  199.             serviceName: cattle-service
  201.             servicePort: 80
  203.     tls:
  205.     - secretName: cattle-keys-ingress
  207.       hosts:
  209.       - <FQDN>      # FQDN to access cattle server
  211.   ---
  213.   kind: Deployment
  215.   apiVersion: extensions/v1beta1
  217.   metadata:
  219.     namespace: cattle-system
  221.     name: cattle
  223.   spec:
  225.     replicas: 1
  227.     template:
  229.       metadata:
  231.         labels:
  233.           app: cattle
  235.       spec:
  237.         serviceAccountName: cattle-admin
  239.         containers:
  241.         # Rancher install via RKE addons is only supported up to v2.0.8
  243.         - image: rancher/rancher:v2.0.8
  245.           imagePullPolicy: Always
  247.           name: cattle-server
  249.   #       env:
  251.   #       - name: HTTP_PROXY
  253.   #         value: "http://your_proxy_address:port"
  255.   #       - name: HTTPS_PROXY
  257.   #         value: "http://your_proxy_address:port"
  259.   #       - name: NO_PROXY
  261.   #         value: "localhost,127.0.0.1,0.0.0.0,10.43.0.0/16,your_network_ranges_that_dont_need_proxy_to_access"
  263.           livenessProbe:
  265.             httpGet:
  267.               path: /ping
  269.               port: 80
  271.             initialDelaySeconds: 60
  273.             periodSeconds: 60
  275.           readinessProbe:
  277.             httpGet:
  279.               path: /ping
  281.               port: 80
  283.             initialDelaySeconds: 20
  285.             periodSeconds: 10
  287.           ports:
  289.           - containerPort: 80
  291.             protocol: TCP
  293.           - containerPort: 443
  295.             protocol: TCP
  297.           volumeMounts:
  299.           - mountPath: /etc/rancher/ssl
  301.             name: cattle-keys-volume
  303.             readOnly: true
  305.         volumes:
  307.         - name: cattle-keys-volume
  309.           secret:
  311.             defaultMode: 420
  313.             secretName: cattle-keys-server