K8s调整节点kubelet硬驱逐策略

来自三线的随记
Admin讨论 | 贡献2023年12月22日 (五) 17:57的版本
--eviction-hard=nodefs.available<5Gi,imagefs.available<5Gi

添加到kubelet service environment就好(此配置方法在DEPRECATED阶段) 

[Service]
Environment="***"

ps: 驱逐相关的doc:

https://kubernetes.io/docs/concepts/scheduling-eviction/node-pressure-eviction/

https://blog.tianfeiyu.com/2020/02/06/kubelet_garbage_collect/ (部分内容过时)

https://kubernetes.io/docs/concepts/architecture/garbage-collection/


PS2: 通过请求k8s-apiserver接口,可以获知节点当前配置具体值

apiserver的认证绕过可以通过 kubectl proxy --port=8001 等方法实现 

curl ${k8s-apiserver}/api/v1/nodes/${nodeName}/proxy/configz 
{
  "kubeletconfig": {
    "staticPodPath": "/etc/kubernetes/kubelet/manifests",
    "syncFrequency": "1m0s",
    "fileCheckFrequency": "20s",
    "httpCheckFrequency": "20s",
    "address": "0.0.0.0",
    "port": 10250,
    "readOnlyPort": 10255,
    "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
    "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
    "rotateCertificates": true,
    "authentication": {
      "x509": {
        "clientCAFile": "/etc/kubernetes/certs/ca.crt"
      },
      "webhook": {
        "enabled": true,
        "cacheTTL": "2m0s"
      },
      "anonymous": {
        "enabled": false
      }
    },
    "authorization": {
      "mode": "Webhook",
      "webhook": {
        "cacheAuthorizedTTL": "5m0s",
        "cacheUnauthorizedTTL": "30s"
      }
    },
    "registryPullQPS": 5,
    "registryBurst": 10,
    "eventRecordQPS": 5,
    "eventBurst": 10,
    "enableDebuggingHandlers": true,
    "healthzPort": 10248,
    "healthzBindAddress": "127.0.0.1",
    "oomScoreAdj": -999,
    "clusterDomain": "cluster.local",
    "clusterDNS": [
      "172.31.0.10"
    ],
    "streamingConnectionIdleTimeout": "4h0m0s",
    "nodeStatusUpdateFrequency": "10s",
    "nodeStatusReportFrequency": "10s",
    "nodeLeaseDurationSeconds": 40,
    "imageMinimumGCAge": "2m0s",
    "imageGCHighThresholdPercent": 85,
    "imageGCLowThresholdPercent": 80,
    "volumeStatsAggPeriod": "1m0s",
    "cgroupsPerQOS": true,
    "cgroupDriver": "cgroupfs",
    "cpuManagerPolicy": "none",
    "cpuManagerReconcilePeriod": "10s",
    "topologyManagerPolicy": "none",
    "runtimeRequestTimeout": "2m0s",
    "hairpinMode": "promiscuous-bridge",
    "maxPods": 250,
    "podPidsLimit": 8192,
    "resolvConf": "/etc/resolv.conf",
    "cpuCFSQuota": true,
    "cpuCFSQuotaPeriod": "100ms",
    "maxOpenFiles": 1000000,
    "contentType": "application/vnd.kubernetes.protobuf",
    "kubeAPIQPS": 5,
    "kubeAPIBurst": 10,
    "serializeImagePulls": true,
    "evictionHard": {
      "imagefs.available": "15%",
      "memory.available": "100Mi",
      "nodefs.available": "10%",
      "nodefs.inodesFree": "5%"
    },
    "evictionPressureTransitionPeriod": "5m0s",
    "enableControllerAttachDetach": true,
    "makeIPTablesUtilChains": true,
    "iptablesMasqueradeBit": 14,
    "iptablesDropBit": 15,
    "featureGates": {
      "CSIMigration": false,
      "EphemeralContainers": true
    },
    "failSwapOn": true,
    "containerLogMaxSize": "10Mi",
    "containerLogMaxFiles": 5,
    "configMapAndSecretChangeDetectionStrategy": "Watch",
    "systemReserved": {
      "cpu": "500m",
      "memory": "512Mi",
      "pid": "100"
    },
    "enforceNodeAllocatable": [
      "pods"
    ]
  }
}
取自“https://wiki.sanxian.tech/index.php?title=K8s调整节点kubelet硬驱逐策略&oldid=1512