我的书签
添加书签
移除书签部署KubeEdge
iSulad
iSulad 是一个轻量级容器 runtime 守护程序,专为 IOT 和 Cloud 基础设施而设计,具有轻便、快速且不受硬件规格和体系结构限制的特性,可以被更广泛地应用在云、IoT、边缘计算等多个场景。
组件版本
节点规划
| 节点 | 位置 | 组件 |
|---|---|---|
| 9.63.252.224 | 云侧(cloud) | k8s(master)、isulad、cloudcore |
| 9.63.252.227 | 端侧(edge) | isulad、edgecore |
环境准备
以下设置需要在cloud和edge端均配置
配置iSulad
以下设置需要在cloud和edge端均配置
# 安装iSulad$ yum install -y iSulad# 配置iSulad(只列出修改项)$ cat /etc/isulad/daemon.json{"registry-mirrors": ["docker.io"],"insecure-registries": ["k8s.gcr.io","quay.io","hub.oepkgs.net"],"pod-sandbox-image": "k8s.gcr.io/pause:3.2", # pause镜像设置"network-plugin": "cni", # 置空表示禁用cni网络插件则下面两个路径失效,安装插件后重启isulad即可"cni-bin-dir": "/opt/cni/bin","cni-conf-dir": "/etc/cni/net.d",}# 如果不能直接访问外网,则需要配置proxy,否则不需要$ cat /usr/lib/systemd/system/isulad.service[Service]Type=notifyEnvironment="HTTP_PROXY=http://..."Environment="HTTPS_PROXY=http://..."# 重启iSulad并设置为开机自启$ systemctl daemon-reload && systemctl restart isulad
安装k8s组件
k8s组件只需要在云侧安装部署
# cri-tools 网络工具$ wget --no-check-certificate https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz$ tar zxvf crictl-v1.20.0-linux-amd64.tar.gz -C /usr/local/bin# cni 网络插件$ wget --no-check-certificate https://github.com/containernetworking/plugins/releases/download/v0.9.0/cni-plugins-linux-amd64-v0.9.0.tgz$ mkdir -p /opt/cni/bin$ tar -zxvf cni-plugins-linux-amd64-v0.9.0.tgz -C /opt/cni/bin# master节点执行$ yum install kubernetes-master kubernetes-kubeadm kubernetes-client kubernetes-kubelet# 开机启动kubelet$ systemctl enable kubelet --now
k8s组件只需要在云侧安装部署
# 注意,init之前需要取消系统环境中的proxy$ unset `env | grep -iE "tps?_proxy" | cut -d= -f1`$ env | grep proxy# 使用kubeadm init$ kubeadm init --kubernetes-version v1.20.2 --pod-network-cidr=10.244.0.0/16 --upload-certs --cri-socket=/var/run/isulad.sock# 默认k8s组件镜像是gcr.k8s.io,可以使用--image-repository=xxx 来使用自定义镜像仓库地址(测试自己的k8s镜像)# 注意这里的pod-network-cidr网段不能和宿主机的网段重复,否则网络不通# 先init再配置网络Your Kubernetes control-plane has initialized successfully!To start using your cluster, you need to run the following as a regular user:mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configYou should now deploy a pod network to the cluster.Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:https://kubernetes.io/docs/concepts/cluster-administration/addons/Then you can join any number of worker nodes by running the following on each as root:...# 根据提示执行mkdir -p $HOME/.kubecp -i /etc/kubernetes/admin.conf $HOME/.kube/configchown $(id -u):$(id -g) $HOME/.kube/config# 这个命令复制了admin.conf(kubeadm帮我们自动初始化好的kubectl配置文件)# 这里包含了认证信息等相关信息的非常重要的一些配置。# 重置(如果init出现问题可以重置)$ kubeadm reset 重置# 如果出现 Unable to read config path "/etc/kubernetes/manifests"$ mkdir -p /etc/kubernetes/manifests
配置网络
Calico网络插件在edge节点无法运行, 所以这里使用flannel代替,已有用户在KubeEdge社区提交
# 下载flannel网络插件$ wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml# 准备云侧网络配置$ cp kube-flannel.yml kube-flannel-cloud.yml# 修改云侧网络配置diff --git a/kube-flannel.yml b/kube-flannel.ymlindex c7edaef..f3846b9 100644--- a/kube-flannel.yml+++ b/kube-flannel.yml@@ -134,7 +134,7 @@ data:apiVersion: apps/v1kind: DaemonSetmetadata:- name: kube-flannel-ds+ name: kube-flannel-cloud-dsnamespace: kube-systemlabels:tier: node@@ -158,6 +158,8 @@ spec:operator: Invalues:- linux+ - key: node-role.kubernetes.io/agent+ operator: DoesNotExisthostNetwork: truepriorityClassName: system-node-criticaltolerations:# 准备端侧网络配置$ cp kube-flannel.yml kube-flannel-edge.yml# 修改端侧网络配置diff --git a/kube-flannel.yml b/kube-flannel.ymlindex c7edaef..66a5b5b 100644--- a/kube-flannel.yml+++ b/kube-flannel.yml@@ -134,7 +134,7 @@ data:apiVersion: apps/v1kind: DaemonSetmetadata:- name: kube-flannel-ds+ name: kube-flannel-edge-dsnamespace: kube-systemlabels:tier: node@@ -158,6 +158,8 @@ spec:operator: Invalues:- linux+ - key: node-role.kubernetes.io/agent+ operator: ExistshostNetwork: truepriorityClassName: system-node-criticaltolerations:@@ -186,6 +188,7 @@ spec:args:- --ip-masq- --kube-subnet-mgr+ - --kube-api-url=http://127.0.0.1:10550resources:requests:cpu: "100m"# 这里的--kube-api-url为端侧edgecore监听地址# 配置calico网络插件$ kubectl apply -f kube-flannel-cloud.yml$ kubectl apply -f kube-flannel-edge.yml# 查看节点状态$ kubectl get node -ANAME STATUS ROLES AGE VERSIONcloud.kubeedge Ready control-plane,master 4h11m v1.20.2
如果使用kubeadm部署的k8s集群,那么kube-proxy会下发到端侧节点,但是edgecore无法与kube-proxy并存,所以要修改kube-proxy 的daemonset节点亲和性,禁止在端侧部署kube-proxy
$ kubectl edit ds kube-proxy -n kube-system# 添加以下配置spec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: node-role.kubernetes.io/agentoperator: DoesNotExist
iSulad配置
KubeEdge 端侧edgecore监听端口10350与iSulad websocket端口冲突,端侧无法启动edgecore
解决办法:修改iSulad配置(/etc/isulad/daemon.json)中的websocket-server-listening-port的字段为10351
diff --git a/daemon.json b/daemon.jsonindex 3333590..336154e 100644--- a/daemon.json+++ b/daemon.json@@ -31,6 +31,7 @@"hub.oepkgs.net"],"pod-sandbox-image": "k8s.gcr.io/pause:3.2",+ "websocket-server-listening-port": 10351,"native.umask": "secure","network-plugin": "cni","cni-bin-dir": "/opt/cni/bin",
修改完配置文件之后,重启iSulad。
如果使用keadm进行集群部署,则只需要在云侧和端侧均安装kubeedge-keadmrpm包即可。
$ yum install kubeedge-keadm
部署云侧
初始化集群
# --advertise-address为云侧IP$ keadm init --advertise-address="9.63.252.224" --kubeedge-version=1.8.0Kubernetes version verification passed, KubeEdge installation will start...W0829 10:41:56.541877 420383 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinitionW0829 10:41:57.253214 420383 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinitionW0829 10:41:59.778672 420383 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinitionW0829 10:42:00.488838 420383 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinitionkubeedge-v1.8.0-linux-amd64.tar.gz checksum:checksum_kubeedge-v1.8.0-linux-amd64.tar.gz.txt content:[Run as service] start to download service file for cloudcore[Run as service] success to download service file for cloudcorekubeedge-v1.8.0-linux-amd64/kubeedge-v1.8.0-linux-amd64/edge/kubeedge-v1.8.0-linux-amd64/edge/edgecorekubeedge-v1.8.0-linux-amd64/cloud/kubeedge-v1.8.0-linux-amd64/cloud/csidriver/kubeedge-v1.8.0-linux-amd64/cloud/csidriver/csidriverkubeedge-v1.8.0-linux-amd64/cloud/admission/kubeedge-v1.8.0-linux-amd64/cloud/admission/admissionkubeedge-v1.8.0-linux-amd64/cloud/cloudcore/kubeedge-v1.8.0-linux-amd64/cloud/cloudcore/cloudcorekubeedge-v1.8.0-linux-amd64/versionKubeEdge cloudcore is running, For logs visit: /var/log/kubeedge/cloudcore.logCloudCore started
此时cloudcore正在运行,但是并未使用systemd管理,且没有开启dynamiccontroller(对应edgecore中的list watch功能),需要修改配置
修改配置
# 修改/etc/kubeedge/config/cloudcore.yaml# 开启dynamic controllerdiff --git a/cloudcore.yaml b/cloudcore.yamlindex 28235a9..313375c 100644--- a/cloudcore.yaml+++ b/cloudcore.yaml@@ -1,7 +1,3 @@apiVersion: cloudcore.config.kubeedge.io/v1alpha1commonConfig:tunnelPort: 10350@@ -67,7 +63,7 @@ modules:load:updateDeviceStatusWorkers: 1dynamicController:- enable: false+ enable: true # 开启dynamicController以支持edgecore的listwatch功能edgeController:buffer:configMapEvent: 1@@ -119,5 +115,3 @@ modules:restTimeout: 60syncController:enable: true# 云侧cloudcore可以通过systemd管理# 拷贝cloudcore.service到/usr/lib/systemd/system$ cp /etc/kubeedge/cloudcore.service /usr/lib/systemd/system# 杀掉当前cloudcore进程$ pkill cloudcore$ systemctl restart cloudcore# 查看cloudcore是否运行$ systemctl status cloudcore● cloudcore.serviceLoaded: loaded (/usr/lib/systemd/system/cloudcore.service disabled; vendor preset: disabled)Active: active (running) since Sun 2021-08-29 10:50:14 CST; 4s agoMain PID: 424578 (cloudcore)Tasks: 36 (limit: 202272)Memory: 44.2MCPU: 112msCGroup: /system.slice/cloudcore.service└─424578 /usr/local/bin/cloudcoreAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.845792 424578 upstream.go:121] start upstream controllerAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.846586 424578 downstream.go:870] Start downstream devicecontrollerAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.849475 424578 downstream.go:566] start downstream controllerAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.946110 424578 server.go:243] Ca and CaKey don't exist in local directory, and will read from the secretAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.951806 424578 server.go:288] CloudCoreCert and key don't exist in local directory, and will read from the >Aug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.959661 424578 signcerts.go:100] Succeed to creating tokenAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.959716 424578 server.go:44] start unix domain socket serverAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.959973 424578 uds.go:71] listening on: //var/lib/kubeedge/kubeedge.sockAug 29 10:50:15 cloud.kubeedge cloudcore[424578]: I0829 10:50:15.966693 424578 server.go:64] Starting cloudhub websocket serverAug 29 10:50:17 cloud.kubeedge cloudcore[424578]: I0829 10:50:17.847150 424578 upstream.go:63] Start upstream devicecontroller
至此,云侧的cloudcore已部署完成,接下来部署端侧edgecore
部署端侧
同样,在端侧机器上使用keadm加入云侧
修改iSulad配置
加入云侧
# 在云侧获取token$ keadm gettoken28c25d3b137593f5bbfb776cf5b19866ab9727cab9e97964dd503f87cd52cbde.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzAyOTE4MTV9.aGUyCi9gdysVtMu0DQzrD5TcV_DcXob647YeqcOxKDA# 在端侧使用keadm join 加入云侧# --cloudcore-ipport是必须要加入的参数,10000是cloudcore默认端口$ keadm join --cloudcore-ipport=9.63.252.224:10000 --kubeedge-version=1.8.0 --token=28c25d3b137593f5bbfb776cf5b19866ab9727cab9e97964dd503f87cd52cbde.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzAyOTE4MTV9.aGUyCi9gdysVtMu0DQzrD5TcV_DcXob647YeqcOxKDAHost has mosquit+ already installed and running. Hence skipping the installation steps !!!kubeedge-v1.8.0-linux-amd64.tar.gz checksum:checksum_kubeedge-v1.8.0-linux-amd64.tar.gz.txt content:[Run as service] start to download service file for edgecore[Run as service] success to download service file for edgecorekubeedge-v1.8.0-linux-amd64/kubeedge-v1.8.0-linux-amd64/edge/kubeedge-v1.8.0-linux-amd64/edge/edgecorekubeedge-v1.8.0-linux-amd64/cloud/kubeedge-v1.8.0-linux-amd64/cloud/csidriver/kubeedge-v1.8.0-linux-amd64/cloud/csidriver/csidriverkubeedge-v1.8.0-linux-amd64/cloud/admission/kubeedge-v1.8.0-linux-amd64/cloud/admission/admissionkubeedge-v1.8.0-linux-amd64/cloud/cloudcore/kubeedge-v1.8.0-linux-amd64/cloud/cloudcore/cloudcorekubeedge-v1.8.0-linux-amd64/versionKubeEdge edgecore is running, For logs visit: journalctl -u edgecore.service -b
修改配置
# 端侧edgecore可以通过systemd管理# 拷贝edgecore.service到/usr/lib/systemd/system$ cp /etc/kubeedge/edgecore.service /usr/lib/systemd/system# 修改edgecore配置$ vim /etc/kubeedge/config/edgecore.yamldiff --git a/edgecore.yaml b/edgecore.yamlindex 165e24b..efbfd49 100644--- a/edgecore.yaml+++ b/edgecore.yaml@@ -32,7 +32,7 @@ modules:server: 9.63.252.224:10000writeDeadline: 15edgeMesh:- enable: true+ enable: false # 关闭edgeMeshlbStrategy: RoundRobinlistenInterface: docker0listenPort: 40001@@ -73,10 +73,10 @@ modules:podSandboxImage: kubeedge/pause:3.1registerNode: trueregisterNodeNamespace: default- remoteImageEndpoint: unix:///var/run/dockershim.sock- remoteRuntimeEndpoint: unix:///var/run/dockershim.sock+ remoteImageEndpoint: unix:///var/run/isulad.sock+ remoteRuntimeEndpoint: unix:///var/run/isulad.sockruntimeRequestTimeout: 2- runtimeType: docker+ runtimeType: remote # iSulad类型为remotevolumeStatsAggPeriod: 60000000000eventBus:enable: true@@ -97,7 +97,7 @@ modules:enable: truemetaServer:debug: false- enable: false+ enable: true # 开启listwatchpodStatusSyncInterval: 60remoteQueryTimeout: 60serviceBus:# 杀掉当前edgecore进程$ pkill edgecore# 重启edgecore$ systemctl restart edgecore
检查端侧是否已经加入云侧
# 回到云侧,发现已经有了端侧节点$ kubectl get node -ANAME STATUS ROLES AGE VERSIONcloud.kubeedge Ready control-plane,master 19h v1.20.2edge.kubeedge Ready agent,edge 5m16s v1.19.3-kubeedge-v1.8.0
至此,使用keadm部署KubeEdge集群已经完成,接下来我们测试一下从云侧下发任务到端侧
部署应用
部署nginx
# KubeEdge提供了一个nginx模板,我们可以直接使用$ kubectl apply -f $GOPATH/src/github.com/kubeedge/kubeedge/build/deployment.yamldeployment.apps/nginx-deployment created# 查看是否部署到了端侧default nginx-deployment-77f96fbb65-fnp7n 1/1 Running 0 37s 10.244.2.4 edge.kubeedge <none> <none># 可以看到,已经成功部署到了edge节点
测试功能
# 测试功能是否正常# 进入端侧节点,curl nginx的IP:10.244.2.4$ curl 10.244.2.4:80<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>body {width: 35em;margin: 0 auto;font-family: Tahoma, Verdana, Arial, sans-serif;}</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>
至此,部署KubeEdge+iSulad已经全流程打通
用户也可以使用二进制部署kubeedge集群。 只需要使用两个rpm包: cloudcore(云侧) 和edgecore(端侧)
部署云侧
安装cloudcorerpm包
$ yum install kubeedge-cloudcore
创建CRD
$ kubectl apply -f /etc/kubeedge/crds/devices/devices_v1alpha2_device.yaml$ kubectl apply -f /etc/kubeedge/crds/devices/devices_v1alpha2_devicemodel.yaml$ kubectl apply -f /etc/kubeedge/crds/reliablesyncs/cluster_objectsync_v1alpha1.yaml$ kubectl apply -f /etc/kubeedge/crds/reliablesyncs/objectsync_v1alpha1.yaml
准备配置文件
$ cloudcore --defaultconfig > /etc/kubeedge/config/cloudcore.yaml
并按照使用keadm部署修改cloudcore相关配置
运行cloudcore
$ pkill cloudcore$ systemctl start cloudcore
安装edgecorerpm包
准备配置文件
$ edgecore --defaultconfig > /etc/kubeedge/config/edgecore.yaml
并按照使用keadm部署修改edgecore相关配置
$ kubectl get secret -nkubeedge tokensecret -o=jsonpath='{.data.tokendata}' | base64 -d1c4ff11289a14c59f2cbdbab726d1857262d5bda778ddf0de34dd59d125d3f69.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MzE0ODM3MzN9.JY77nMVDHIKD9ipo03Y0mSbxief9qOvJ4yMNx1yZpp0# 将获取到的token添加到配置文件中sed -i -e "s|token: .*|token: ${token}|g" /etc/kubeedge/config/edgecore.yaml# token变量的值来自于之前步骤
运行edgecre
$ pkill edgecore$ systemctl start edgecore
kube-flannel-cloud.yml
# 使用场景:云侧---apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata:name: psp.flannel.unprivilegedannotations:seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/defaultseccomp.security.alpha.kubernetes.io/defaultProfileName: docker/defaultapparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/defaultapparmor.security.beta.kubernetes.io/defaultProfileName: runtime/defaultspec:privileged: falsevolumes:- configMap- secret- emptyDir- hostPathallowedHostPaths:- pathPrefix: "/etc/cni/net.d"- pathPrefix: "/etc/kube-flannel"- pathPrefix: "/run/flannel"readOnlyRootFilesystem: false# Users and groupsrunAsUser:rule: RunAsAnysupplementalGroups:rule: RunAsAnyfsGroup:rule: RunAsAny# Privilege EscalationallowPrivilegeEscalation: falsedefaultAllowPrivilegeEscalation: false# CapabilitiesallowedCapabilities: ['NET_ADMIN', 'NET_RAW']defaultAddCapabilities: []requiredDropCapabilities: []# Host namespaceshostPID: falsehostIPC: falsehostNetwork: truehostPorts:- min: 0max: 65535# SELinuxseLinux:# SELinux is unused in CaaSPrule: 'RunAsAny'---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: flannelrules:- apiGroups: ['extensions']resources: ['podsecuritypolicies']verbs: ['use']resourceNames: ['psp.flannel.unprivileged']- apiGroups:- ""resources:- podsverbs:- get- apiGroups:- ""resources:- nodesverbs:- list- watch- apiGroups:- ""resources:- nodes/statusverbs:- patch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: flannelroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: flannelsubjects:- kind: ServiceAccountname: flannelnamespace: kube-system---apiVersion: v1kind: ServiceAccountmetadata:name: flannelnamespace: kube-system---kind: ConfigMapapiVersion: v1metadata:name: kube-flannel-cfgnamespace: kube-systemlabels:tier: nodeapp: flanneldata:cni-conf.json: |{"name": "cbr0","cniVersion": "0.3.1","plugins": [{"type": "flannel","delegate": {"hairpinMode": true,"isDefaultGateway": true}},{"type": "portmap","capabilities": {"portMappings": true}}]}net-conf.json: |{"Network": "10.244.0.0/16","Backend": {"Type": "vxlan"}}---apiVersion: apps/v1kind: DaemonSetmetadata:name: kube-flannel-cloud-dsnamespace: kube-systemlabels:tier: nodeapp: flannelspec:selector:matchLabels:app: flanneltemplate:metadata:labels:tier: nodeapp: flannelspec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/osoperator: Invalues:- linux- key: node-role.kubernetes.io/agentoperator: DoesNotExisthostNetwork: truepriorityClassName: system-node-criticaltolerations:- operator: Existseffect: NoScheduleserviceAccountName: flannelinitContainers:- name: install-cniimage: quay.io/coreos/flannel:v0.14.0command:- cpargs:- -f- /etc/kube-flannel/cni-conf.json- /etc/cni/net.d/10-flannel.conflistvolumeMounts:- name: cnimountPath: /etc/cni/net.d- name: flannel-cfgmountPath: /etc/kube-flannel/containers:- name: kube-flannelimage: quay.io/coreos/flannel:v0.14.0command:- /opt/bin/flanneldargs:- --ip-masq- --kube-subnet-mgrresources:requests:cpu: "100m"memory: "50Mi"limits:cpu: "100m"memory: "50Mi"securityContext:privileged: falsecapabilities:add: ["NET_ADMIN", "NET_RAW"]env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespacevolumeMounts:- name: runmountPath: /run/flannel- name: flannel-cfgmountPath: /etc/kube-flannel/volumes:- name: runhostPath:path: /run/flannel- name: cnihostPath:path: /etc/cni/net.d- name: flannel-cfgconfigMap:name: kube-flannel-cfg
kube-flannel-edge.yml
# 使用场景:云侧---apiVersion: policy/v1beta1kind: PodSecurityPolicymetadata:name: psp.flannel.unprivilegedannotations:seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/defaultseccomp.security.alpha.kubernetes.io/defaultProfileName: docker/defaultapparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/defaultapparmor.security.beta.kubernetes.io/defaultProfileName: runtime/defaultspec:privileged: falsevolumes:- configMap- secret- emptyDir- hostPathallowedHostPaths:- pathPrefix: "/etc/cni/net.d"- pathPrefix: "/etc/kube-flannel"- pathPrefix: "/run/flannel"readOnlyRootFilesystem: false# Users and groupsrunAsUser:rule: RunAsAnysupplementalGroups:rule: RunAsAnyfsGroup:rule: RunAsAny# Privilege EscalationallowPrivilegeEscalation: falsedefaultAllowPrivilegeEscalation: false# CapabilitiesallowedCapabilities: ['NET_ADMIN', 'NET_RAW']defaultAddCapabilities: []requiredDropCapabilities: []# Host namespaceshostPID: falsehostIPC: falsehostNetwork: truehostPorts:- min: 0max: 65535# SELinuxseLinux:# SELinux is unused in CaaSPrule: 'RunAsAny'---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:name: flannelrules:- apiGroups: ['extensions']resources: ['podsecuritypolicies']verbs: ['use']resourceNames: ['psp.flannel.unprivileged']- apiGroups:- ""resources:- podsverbs:- get- apiGroups:- ""resources:- nodesverbs:- list- watch- apiGroups:- ""resources:- nodes/statusverbs:- patch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: flannelroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: flannelsubjects:- kind: ServiceAccountname: flannelnamespace: kube-system---apiVersion: v1kind: ServiceAccountmetadata:name: flannelnamespace: kube-system---kind: ConfigMapapiVersion: v1metadata:name: kube-flannel-cfglabels:tier: nodeapp: flanneldata:cni-conf.json: |{"name": "cbr0","cniVersion": "0.3.1","plugins": [{"delegate": {"hairpinMode": true,"isDefaultGateway": true}},{"type": "portmap","capabilities": {"portMappings": true}}]}net-conf.json: |{"Network": "10.244.0.0/16","Backend": {"Type": "vxlan"}}---apiVersion: apps/v1kind: DaemonSetmetadata:name: kube-flannel-edge-dsnamespace: kube-systemlabels:tier: nodeapp: flannelspec:selector:matchLabels:app: flanneltemplate:metadata:labels:tier: nodeapp: flannelspec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/osoperator: Invalues:- linux- key: node-role.kubernetes.io/agentoperator: ExistshostNetwork: truepriorityClassName: system-node-criticaltolerations:- operator: Existseffect: NoScheduleserviceAccountName: flannelinitContainers:- name: install-cniimage: quay.io/coreos/flannel:v0.14.0command:- cpargs:- -f- /etc/kube-flannel/cni-conf.json- /etc/cni/net.d/10-flannel.conflistvolumeMounts:- name: cnimountPath: /etc/cni/net.d- name: flannel-cfgmountPath: /etc/kube-flannel/containers:- name: kube-flannelimage: quay.io/coreos/flannel:v0.14.0command:- /opt/bin/flanneldargs:- --ip-masq- --kube-subnet-mgr- --kube-api-url=http://127.0.0.1:10550resources:requests:cpu: "100m"memory: "50Mi"limits:cpu: "100m"memory: "50Mi"securityContext:privileged: falsecapabilities:add: ["NET_ADMIN", "NET_RAW"]env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespacevolumeMounts:- name: runmountPath: /run/flannel- name: flannel-cfgmountPath: /etc/kube-flannel/volumes:- name: runhostPath:path: /run/flannel- name: cnihostPath:path: /etc/cni/net.d- name: flannel-cfgconfigMap:name: kube-flannel-cfg
cloudcore.service
# 使用场景:云侧# 文件位置:/usr/lib/systemd/system/cloudcore.service[Unit]Description=cloudcore.service[Service]Type=simpleExecStart=/usr/local/bin/cloudcoreRestart=alwaysRestartSec=10[Install]WantedBy=multi-user.target
cloudcore.yaml
# 使用场景:云侧# 文件位置:/etc/kubeedge/config/cloudcore.yamlapiVersion: cloudcore.config.kubeedge.io/v1alpha1commonConfig:tunnelPort: 10351kind: CloudCorekubeAPIConfig:burst: 200contentType: application/vnd.kubernetes.protobufkubeConfig: /root/.kube/configmaster: ""qps: 100modules:cloudHub:advertiseAddress:- 9.63.252.224dnsNames:- ""edgeCertSigningDuration: 365enable: truehttps:address: 0.0.0.0enable: trueport: 10002keepaliveInterval: 30nodeLimit: 1000quic:address: 0.0.0.0enable: falsemaxIncomingStreams: 10000port: 10001tlsCAFile: /etc/kubeedge/ca/rootCA.crttlsCAKeyFile: /etc/kubeedge/ca/rootCA.keytlsCertFile: /etc/kubeedge/certs/server.crttlsPrivateKeyFile: /etc/kubeedge/certs/server.keytokenRefreshDuration: 12unixsocket:address: unix:///var/lib/kubeedge/kubeedge.sockenable: truewebsocket:address: 0.0.0.0enable: trueport: 10000writeTimeout: 30cloudStream:enable: falsestreamPort: 10003tlsStreamCAFile: /etc/kubeedge/ca/streamCA.crttlsStreamCertFile: /etc/kubeedge/certs/stream.crttlsStreamPrivateKeyFile: /etc/kubeedge/certs/stream.keytlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crttlsTunnelCertFile: /etc/kubeedge/certs/server.crttlsTunnelPrivateKeyFile: /etc/kubeedge/certs/server.keytunnelPort: 10004deviceController:buffer:deviceEvent: 1deviceModelEvent: 1updateDeviceStatus: 1024context:receiveModule: devicecontrollerresponseModule: cloudhubsendModule: cloudhubenable: trueload:updateDeviceStatusWorkers: 1dynamicController:enable: trueedgeController:buffer:configMapEvent: 1deletePod: 1024endpointsEvent: 1podEvent: 1queryConfigMap: 1024queryEndpoints: 1024queryNode: 1024queryPersistentVolume: 1024queryPersistentVolumeClaim: 1024querySecret: 1024queryService: 1024queryVolumeAttachment: 1024ruleEndpointsEvent: 1rulesEvent: 1secretEvent: 1serviceAccountToken: 1024serviceEvent: 1updateNode: 1024updateNodeStatus: 1024updatePodStatus: 1024context:receiveModule: edgecontrollerresponseModule: cloudhubsendModule: cloudhubsendRouterModule: routerenable: trueload:ServiceAccountTokenWorkers: 4UpdateRuleStatusWorkers: 4deletePodWorkers: 4queryConfigMapWorkers: 4queryEndpointsWorkers: 4queryNodeWorkers: 4queryPersistentVolumeClaimWorkers: 4queryPersistentVolumeWorkers: 4querySecretWorkers: 4queryServiceWorkers: 4queryVolumeAttachmentWorkers: 4updateNodeStatusWorkers: 1updateNodeWorkers: 4updatePodStatusWorkers: 1nodeUpdateFrequency: 10router:address: 0.0.0.0enable: falseport: 9443restTimeout: 60syncController:enable: true
edgecore.service
# 使用场景:端侧# 文件位置:/etc/systemd/system/edgecore.service[Unit]Description=edgecore.service[Service]Type=simpleExecStart=/usr/local/bin/edgecoreRestart=alwaysRestartSec=10[Install]WantedBy=multi-user.target
edgecore.yaml
# 使用场景:端侧# 文件位置:/etc/kubeedge/config/edgecore.yamlapiVersion: edgecore.config.kubeedge.io/v1alpha1database:aliasName: defaultdataSource: /var/lib/kubeedge/edgecore.dbdriverName: sqlite3kind: EdgeCoremodules:dbTest:enable: falsedeviceTwin:enable: trueedgeHub:enable: trueheartbeat: 15httpServer: https://9.63.252.224:10002projectID: e632aba927ea4ac2b575ec1603d56f10quic:enable: falsehandshakeTimeout: 30readDeadline: 15server: 9.63.252.227:10001writeDeadline: 15rotateCertificates: truetlsCaFile: /etc/kubeedge/ca/rootCA.crttlsCertFile: /etc/kubeedge/certs/server.crttlsPrivateKeyFile: /etc/kubeedge/certs/server.keytoken: # 这里填写从云侧获取的tokenwebsocket:enable: truehandshakeTimeout: 30readDeadline: 15server: 9.63.252.224:10000writeDeadline: 15edgeMesh:enable: falselbStrategy: RoundRobinlistenInterface: docker0listenPort: 40001subNet: 9.251.0.0/16edgeStream:enable: falsehandshakeTimeout: 30readDeadline: 15server: 9.63.252.224:10004tlsTunnelCAFile: /etc/kubeedge/ca/rootCA.crttlsTunnelCertFile: /etc/kubeedge/certs/server.crttlsTunnelPrivateKeyFile: /etc/kubeedge/certs/server.keywriteDeadline: 15edged:cgroupDriver: cgroupfscgroupRoot: ""cgroupsPerQOS: trueclusterDNS: ""clusterDomain: ""cniBinDir: /opt/cni/bincniCacheDirs: /var/lib/cni/cachecniConfDir: /etc/cni/net.dconcurrentConsumers: 5devicePluginEnabled: falsedockerAddress: unix:///var/run/docker.sockedgedMemoryCapacity: 7852396000enable: trueenableMetrics: truegpuPluginEnabled: falsehostnameOverride: edge.kubeedgeimageGCHighThreshold: 80imageGCLowThreshold: 40imagePullProgressDeadline: 60maximumDeadContainersPerPod: 1networkPluginMTU: 1500nodeIP: 9.63.252.227nodeStatusUpdateFrequency: 10podSandboxImage: kubeedge/pause:3.1registerNode: trueregisterNodeNamespace: defaultremoteImageEndpoint: unix:///var/run/isulad.sockremoteRuntimeEndpoint: unix:///var/run/isulad.sockruntimeRequestTimeout: 2runtimeType: remotevolumeStatsAggPeriod: 60000000000eventBus:enable: trueeventBusTLS:enable: falsetlsMqttCAFile: /etc/kubeedge/ca/rootCA.crttlsMqttCertFile: /etc/kubeedge/certs/server.crttlsMqttPrivateKeyFile: /etc/kubeedge/certs/server.keymqttMode: 2mqttQOS: 0mqttRetain: falsemqttServerExternal: tcp://127.0.0.1:1883mqttServerInternal: tcp://127.0.0.1:1884mqttSessionQueueSize: 100metaManager:contextSendGroup: hubcontextSendModule: websocketenable: truemetaServer:debug: falseenable: truepodStatusSyncInterval: 60remoteQueryTimeout: 60enable: false
