Kubernetes1.18.5 Cilium安装

本文转载自查看原文 2021-08-23 15:20 131 Kubernetes安装配置

本文档基于阿里云平台，自建Kubernetes平台部署文档，版本是v1.18.5

Kubernetes组件安装

各组件如下

组件	描述
docker	Container runtime 需要在集群中的每个节点部署
kubelet	Kubernetes集群守护组件，用来启动Pod & Container及与kubernetes-apiserver通信，及一些监控，需要在集群中的每个节点都要部署
kubectl	用来与集群通信的命令行工具，通常在集群的Contorl-plane节点部署
kubeadm	用来初始化集群的指令，通常安装城Control-plane节点

版本差异说明

Kubernetes官方建议，组件各版本尽量保持一致，如果有不一致的情况，需要参考官方的版本差异说明，如下

Kubernetes 版本与版本间的偏差策略

Kubeadm 特定的版本偏差策略

具体Kubernetes组件安装略过，参考官方文档

集群初始化

准备条件

一个阿里云SLB
至少三台Contorl-plane节点
若干台Worker-node节点

具体过程

创建阿里云SLB（条件该SLB需要分配一个公网地址，同时监听端口是6443，需要公网地址的原因是因为在初始化过程中报错，需要引入一个公网地址来绕过）

修改各Control-plane节点的/etc/hosts文件，如下

# 节点1
<root@PROD-K8S-CP1 ~># cat /etc/hosts
::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6
127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
10.1.0.252    PROD-K8S-CP1    PROD-K8S-CP1
10.1.0.252 apiserver.qiangyun.com

# 节点2
<root@PROD-K8S-CP2 ~># cat /etc/hosts
::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6
127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
10.1.0.251    PROD-K8S-CP2    PROD-K8S-CP2
10.1.0.251 apiserver.qiangyun.com

# 节点3
<root@PROD-K8S-CP3 ~># cat /etc/hosts
::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6
127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
10.1.0.1    PROD-K8S-CP3    PROD-K8S-CP3
10.1.0.1 apiserver.qiangyun.com

初始化

kubeadm init \
    --skip-phases=addon/kube-proxy \
    --apiserver-cert-extra-sans=121.xxx.xxx.xxx,127.0.0.1,10.1.0.252,10.1.0.251,10.1.0.1,10.1.0.2 \
    --control-plane-endpoint=apiserver.qiangyun.com \
    --apiserver-advertise-address=10.1.0.252 \
    --pod-network-cidr=172.21.0.0/20 \
    --service-cidr=10.12.0.0/24 \
    --upload-certs \
    --kubernetes-version=v1.18.5 \
    --v=5

<root@PROD-K8S-CP1 ~># kubeadm init \
>     --skip-phases=addon/kube-proxy \
>     --apiserver-cert-extra-sans=121.xxx.xxx.xxx,127.0.0.1,10.1.0.252,10.1.0.251,10.1.0.1,10.1.0.2 \
>     --control-plane-endpoint=apiserver.qiangyun.com \
>     --apiserver-advertise-address=10.1.0.252 \
>     --pod-network-cidr=172.21.0.0/20 \
>     --service-cidr=10.12.0.0/24 \
>     --upload-certs \
>     --kubernetes-version=v1.18.5 \
>     --v=5
I0823 16:02:18.611433    6956 initconfiguration.go:103] detected and using CRI socket: /var/run/dockershim.sock
W0823 16:02:18.612369    6956 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[init] Using Kubernetes version: v1.18.5
[preflight] Running pre-flight checks
I0823 16:02:18.612654    6956 checks.go:577] validating Kubernetes and kubeadm version
I0823 16:02:18.612680    6956 checks.go:166] validating if the firewall is enabled and active
I0823 16:02:18.675049    6956 checks.go:201] validating availability of port 6443
I0823 16:02:18.675196    6956 checks.go:201] validating availability of port 10259
I0823 16:02:18.675229    6956 checks.go:201] validating availability of port 10257
I0823 16:02:18.675256    6956 checks.go:286] validating the existence of file /etc/kubernetes/manifests/kube-apiserver.yaml
I0823 16:02:18.675552    6956 checks.go:286] validating the existence of file /etc/kubernetes/manifests/kube-controller-manager.yaml
I0823 16:02:18.675563    6956 checks.go:286] validating the existence of file /etc/kubernetes/manifests/kube-scheduler.yaml
I0823 16:02:18.675574    6956 checks.go:286] validating the existence of file /etc/kubernetes/manifests/etcd.yaml
I0823 16:02:18.675585    6956 checks.go:432] validating if the connectivity type is via proxy or direct
I0823 16:02:18.675624    6956 checks.go:471] validating http connectivity to first IP address in the CIDR
I0823 16:02:18.675651    6956 checks.go:471] validating http connectivity to first IP address in the CIDR
I0823 16:02:18.675664    6956 checks.go:102] validating the container runtime
I0823 16:02:18.859600    6956 checks.go:128] validating if the service is enabled and active
I0823 16:02:18.967047    6956 checks.go:335] validating the contents of file /proc/sys/net/bridge/bridge-nf-call-iptables
I0823 16:02:18.967094    6956 checks.go:335] validating the contents of file /proc/sys/net/ipv4/ip_forward
I0823 16:02:18.967120    6956 checks.go:649] validating whether swap is enabled or not
I0823 16:02:18.967148    6956 checks.go:376] validating the presence of executable conntrack
I0823 16:02:18.967176    6956 checks.go:376] validating the presence of executable ip
I0823 16:02:18.967190    6956 checks.go:376] validating the presence of executable iptables
I0823 16:02:18.967205    6956 checks.go:376] validating the presence of executable mount
I0823 16:02:18.967240    6956 checks.go:376] validating the presence of executable nsenter
I0823 16:02:18.967259    6956 checks.go:376] validating the presence of executable ebtables
I0823 16:02:18.967273    6956 checks.go:376] validating the presence of executable ethtool
I0823 16:02:18.967287    6956 checks.go:376] validating the presence of executable socat
I0823 16:02:18.967307    6956 checks.go:376] validating the presence of executable tc
I0823 16:02:18.967320    6956 checks.go:376] validating the presence of executable touch
I0823 16:02:18.967338    6956 checks.go:520] running all checks
I0823 16:02:19.037352    6956 checks.go:406] checking whether the given node name is reachable using net.LookupHost
I0823 16:02:19.037475    6956 checks.go:618] validating kubelet version
I0823 16:02:19.077279    6956 checks.go:128] validating if the service is enabled and active
I0823 16:02:19.092014    6956 checks.go:201] validating availability of port 10250
I0823 16:02:19.092071    6956 checks.go:201] validating availability of port 2379
I0823 16:02:19.092097    6956 checks.go:201] validating availability of port 2380
I0823 16:02:19.092123    6956 checks.go:249] validating the existence and emptiness of directory /var/lib/etcd
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
I0823 16:02:19.125348    6956 checks.go:838] image exists: k8s.gcr.io/kube-apiserver:v1.18.5
I0823 16:02:19.164350    6956 checks.go:844] pulling k8s.gcr.io/kube-controller-manager:v1.18.5
I0823 16:02:56.306614    6956 checks.go:844] pulling k8s.gcr.io/kube-scheduler:v1.18.5
I0823 16:03:11.013674    6956 checks.go:844] pulling k8s.gcr.io/kube-proxy:v1.18.5
I0823 16:03:18.148748    6956 checks.go:844] pulling k8s.gcr.io/pause:3.2
I0823 16:03:20.591560    6956 checks.go:844] pulling k8s.gcr.io/etcd:3.4.3-0
I0823 16:03:52.643687    6956 checks.go:844] pulling k8s.gcr.io/coredns:1.6.7
I0823 16:04:00.559856    6956 kubelet.go:64] Stopping the kubelet
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[certs] Using certificateDir folder "/etc/kubernetes/pki"
I0823 16:04:00.686175    6956 certs.go:103] creating a new certificate authority for ca
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [prod-k8s-cp1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local apiserver.qiangyun.com] and IPs [10.12.0.1 10.1.0.252 121.40.18.75 127.0.0.1 10.1.0.252 10.1.0.251 10.1.0.1 10.1.0.2]
[certs] Generating "apiserver-kubelet-client" certificate and key
I0823 16:04:01.101542    6956 certs.go:103] creating a new certificate authority for front-proxy-ca
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
I0823 16:04:02.185320    6956 certs.go:103] creating a new certificate authority for etcd-ca
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [prod-k8s-cp1 localhost] and IPs [10.1.0.252 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [prod-k8s-cp1 localhost] and IPs [10.1.0.252 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
I0823 16:04:03.236847    6956 certs.go:69] creating new public/private key files for signing service account users
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
I0823 16:04:03.348004    6956 kubeconfig.go:79] creating kubeconfig file for admin.conf
[kubeconfig] Writing "admin.conf" kubeconfig file
I0823 16:04:03.482899    6956 kubeconfig.go:79] creating kubeconfig file for kubelet.conf
[kubeconfig] Writing "kubelet.conf" kubeconfig file
I0823 16:04:03.943898    6956 kubeconfig.go:79] creating kubeconfig file for controller-manager.conf
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
I0823 16:04:04.071250    6956 kubeconfig.go:79] creating kubeconfig file for scheduler.conf
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
I0823 16:04:04.179856    6956 manifests.go:91] [control-plane] getting StaticPodSpecs
I0823 16:04:04.180100    6956 manifests.go:104] [control-plane] adding volume "ca-certs" for component "kube-apiserver"
I0823 16:04:04.180107    6956 manifests.go:104] [control-plane] adding volume "etc-pki" for component "kube-apiserver"
I0823 16:04:04.180112    6956 manifests.go:104] [control-plane] adding volume "k8s-certs" for component "kube-apiserver"
I0823 16:04:04.186013    6956 manifests.go:121] [control-plane] wrote static Pod manifest for component "kube-apiserver" to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
I0823 16:04:04.186031    6956 manifests.go:91] [control-plane] getting StaticPodSpecs
W0823 16:04:04.186073    6956 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
I0823 16:04:04.186219    6956 manifests.go:104] [control-plane] adding volume "ca-certs" for component "kube-controller-manager"
I0823 16:04:04.186225    6956 manifests.go:104] [control-plane] adding volume "etc-pki" for component "kube-controller-manager"
I0823 16:04:04.186230    6956 manifests.go:104] [control-plane] adding volume "flexvolume-dir" for component "kube-controller-manager"
I0823 16:04:04.186235    6956 manifests.go:104] [control-plane] adding volume "k8s-certs" for component "kube-controller-manager"
I0823 16:04:04.186240    6956 manifests.go:104] [control-plane] adding volume "kubeconfig" for component "kube-controller-manager"
I0823 16:04:04.186851    6956 manifests.go:121] [control-plane] wrote static Pod manifest for component "kube-controller-manager" to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[control-plane] Creating static Pod manifest for "kube-scheduler"
I0823 16:04:04.186869    6956 manifests.go:91] [control-plane] getting StaticPodSpecs
W0823 16:04:04.186910    6956 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
I0823 16:04:04.187052    6956 manifests.go:104] [control-plane] adding volume "kubeconfig" for component "kube-scheduler"
I0823 16:04:04.187378    6956 manifests.go:121] [control-plane] wrote static Pod manifest for component "kube-scheduler" to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
I0823 16:04:04.187871    6956 local.go:72] [etcd] wrote Static Pod manifest for a local etcd member to "/etc/kubernetes/manifests/etcd.yaml"
I0823 16:04:04.187883    6956 waitcontrolplane.go:87] [wait-control-plane] Waiting for the API server to be healthy
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 20.001413 seconds
I0823 16:04:24.190509    6956 uploadconfig.go:108] [upload-config] Uploading the kubeadm ClusterConfiguration to a ConfigMap
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
I0823 16:04:24.199465    6956 uploadconfig.go:122] [upload-config] Uploading the kubelet component config to a ConfigMap
[kubelet] Creating a ConfigMap "kubelet-config-1.18" in namespace kube-system with the configuration for the kubelets in the cluster
I0823 16:04:24.204090    6956 uploadconfig.go:127] [upload-config] Preserving the CRISocket information for the control-plane node
I0823 16:04:24.204102    6956 patchnode.go:30] [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "prod-k8s-cp1" as an annotation
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
7f415dbe35dcd1618686d970daa7cade1922996f4c4bdaca24d86923f98e04bf
[mark-control-plane] Marking the node prod-k8s-cp1 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node prod-k8s-cp1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: wtq34u.sk1bwt4lsphcxdfl
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
I0823 16:04:25.239429    6956 clusterinfo.go:45] [bootstrap-token] loading admin kubeconfig
I0823 16:04:25.239785    6956 clusterinfo.go:53] [bootstrap-token] copying the cluster from admin.conf to the bootstrap kubeconfig
I0823 16:04:25.239999    6956 clusterinfo.go:65] [bootstrap-token] creating/updating ConfigMap in kube-public namespace
I0823 16:04:25.241498    6956 clusterinfo.go:79] creating the RBAC rules for exposing the cluster-info ConfigMap in the kube-public namespace
I0823 16:04:25.244262    6956 kubeletfinalize.go:88] [kubelet-finalize] Assuming that kubelet client certificate rotation is enabled: found "/var/lib/kubelet/pki/kubelet-client-current.pem"
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
I0823 16:04:25.244970    6956 kubeletfinalize.go:132] [kubelet-finalize] Restarting the kubelet to enable client certificate rotation
I0823 16:04:25.504316    6956 request.go:557] Throttling request took 184.037078ms, request: POST:https://apiserver.qiangyun.com:6443/api/v1/namespaces/kube-system/configmaps?timeout=10s
I0823 16:04:25.704312    6956 request.go:557] Throttling request took 194.29686ms, request: POST:https://apiserver.qiangyun.com:6443/api/v1/namespaces/kube-system/serviceaccounts?timeout=10s
I0823 16:04:25.905932    6956 request.go:557] Throttling request took 185.370582ms, request: POST:https://apiserver.qiangyun.com:6443/api/v1/namespaces/kube-system/services?timeout=10s
[addons] Applied essential addon: CoreDNS

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join apiserver.qiangyun.com:6443 --token wtq34u.sk1bwt4lsphcxdfl \
    --discovery-token-ca-cert-hash sha256:99169fbe986dbba56c840f55fe10e00890ff70f9343acf4dac70954a9df9500b \
    --control-plane --certificate-key 7f415dbe35dcd1618686d970daa7cade1922996f4c4bdaca24d86923f98e04bf

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join apiserver.qiangyun.com:6443 --token wtq34u.sk1bwt4lsphcxdfl \
    --discovery-token-ca-cert-hash sha256:99169fbe986dbba56c840f55fe10e00890ff70f9343acf4dac70954a9df9500b

# 初始化后配置

<root@PROD-K8S-CP1 /etc/kubernetes># mkdir -p $HOME/.kube
<root@PROD-K8S-CP1 /etc/kubernetes># cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
<root@PROD-K8S-CP1 /etc/kubernetes># chown $(id -u):$(id -g) $HOME/.kube/config
<root@PROD-K8S-CP1 /etc/kubernetes># kubectl get nodes
NAME STATUS ROLES AGE VERSION
prod-k8s-cp1 NotReady master 3m5s v1.18.5

修改PROD-K8S-CP2/PROD-K8S-CP3的/etc/hosts，如下

<root@PROD-K8S-CP2 ~># cat /etc/hosts
::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6
127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
10.1.0.251    PROD-K8S-CP2    PROD-K8S-CP2
#10.1.0.251    apiserver.qiangyun.com
121.40.18.75    apiserver.qiangyun.com

PROD-K8S-CP2/PROD-K8S-CP3添加到集群中

<root@PROD-K8S-CP2 ~># kubeadm join apiserver.qiangyun.com:6443 --token wtq34u.sk1bwt4lsphcxdfl     --discovery-token-ca-cert-hash sha256:99169fbe986dbba56c840f55fe10e00890ff70f9343acf4dac70954a9df9500b     --control-plane --certificate-key 7f415dbe35dcd1618686d970daa7cade1922996f4c4bdaca24d86923f98e04bf
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
W0823 16:12:52.708215    7821 configset.go:76] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" is forbidden: User "system:bootstrap:wtq34u" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
[preflight] Running pre-flight checks before initializing the new control plane instance
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[download-certs] Downloading the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [prod-k8s-cp2 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local apiserver.qiangyun.com] and IPs [10.12.0.1 10.1.0.251 121.40.18.75 127.0.0.1 10.1.0.252 10.1.0.251 10.1.0.1 10.1.0.2]
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [prod-k8s-cp2 localhost] and IPs [10.1.0.251 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [prod-k8s-cp2 localhost] and IPs [10.1.0.251 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[certs] Using the existing "sa" key
[kubeconfig] Generating kubeconfig files
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
W0823 16:15:40.233981    7821 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
W0823 16:15:40.238842    7821 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-scheduler"
W0823 16:15:40.240758    7821 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[check-etcd] Checking that the etcd cluster is healthy
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
[etcd] Announced new etcd member joining to the existing etcd cluster
[etcd] Creating static Pod manifest for "etcd"
[etcd] Waiting for the new etcd member to join the cluster. This can take up to 40s
{"level":"warn","ts":"2021-08-23T16:15:53.543+0800","caller":"clientv3/retry_interceptor.go:61","msg":"retrying of unary invoker failed","target":"passthrough:///https://10.1.0.251:2379","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = context deadline exceeded"}
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[mark-control-plane] Marking the node prod-k8s-cp2 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node prod-k8s-cp2 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]

This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Control plane (master) label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.

<root@PROD-K8S-CP2 ~># 
<root@PROD-K8S-CP2 ~># 
<root@PROD-K8S-CP2 ~># mkdir -p $HOME/.kube && cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && chown $(id -u):$(id -g) $HOME/.kube/config
<root@PROD-K8S-CP2 ~># kubectl get nodes
NAME           STATUS     ROLES    AGE    VERSION
prod-k8s-cp1   NotReady   master   13m    v1.18.5
prod-k8s-cp2   NotReady   master   102s   v1.18.5

还原PROD-K8S-CP2/PROD-K8S-CP3的/etc/hosts，如下

<root@PROD-K8S-CP3 /etc/kubernetes># cat /etc/hosts
::1    localhost    localhost.localdomain    localhost6    localhost6.localdomain6
127.0.0.1    localhost    localhost.localdomain    localhost4    localhost4.localdomain4
10.1.0.1    PROD-K8S-CP3    PROD-K8S-CP3
10.1.0.1    apiserver.qiangyun.com

安装kube-router，如下（具体安装要求，参考官方文档）

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-router
  namespace: kube-system
 
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
  namespace: kube-system
rules:
  - apiGroups:
    - ""
    resources:
      - namespaces
      - pods
      - services
      - nodes
      - endpoints
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - "networking.k8s.io"
    resources:
      - networkpolicies
    verbs:
      - list
      - get
      - watch
  - apiGroups:
    - extensions
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
 
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-router
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-router
subjects:
- kind: ServiceAccount
  name: kube-router
  namespace: kube-system
 
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-router
    tier: node
  name: kube-router
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kube-router
      tier: node
  template:
    metadata:
      labels:
        k8s-app: kube-router
        tier: node
    spec:
      priorityClassName: system-node-critical
      serviceAccountName: kube-router
      serviceAccount: kube-router
      containers:
      - name: kube-router
        image: docker.io/cloudnativelabs/kube-router
        imagePullPolicy: IfNotPresent
        args:
        - "--run-router=true"
        - "--run-firewall=false"
        - "--run-service-proxy=false"
        # 平滑重启BGP路由(默认true)
        - "--bgp-graceful-restart=true"
        # 从Pod到集群外部通信走SANT(默认true)
        - "--enable-pod-egress=false"
        # 启用CNI插件。 如果要与另一个CNI插件一起使用kube-router功能，请禁用（默认true）
        - "--enable-cni=false"
        ##########################################################
        #       """以上选项在配置Cilium时必须设置的参数"""
        ###########################################################
        #
        # 启用与具有相同ASN的节点的对等，如果禁用将仅与外部BGP对等体对等（默认为true
        - "--enable-ibgp=false"
        # enable ip in ip(默认true)
        - "--enable-overlay=false"
        # 将服务的群集IP添加到RIB，以便将其发布给Peer BGP
        #- "--advertise-cluster-ip=true"
        # 将外部服务IP添加到RIB，以便将其发布给Peer BGP
        #- "--advertise-external-ip=true"
        #- "--advertise-loadbalancer-ip=true"
        - "--metrics-port=20245"
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: "apiserver.qiangyun.com"
        - name: KUBERNETES_SERVICE_PORT
          value: "6443"
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        livenessProbe:
          httpGet:
            path: /healthz
            port: 20244
          initialDelaySeconds: 10
          periodSeconds: 3
        resources:
          requests:
            cpu: 250m
            memory: 250Mi
          limits:
            cpu: 1
            memory: 1024Mi
        securityContext:
          privileged: true
        volumeMounts:
        - name: xtables-lock
          mountPath: /run/xtables.lock
          readOnly: false
        - mountPath: /etc/localtime
          name: localtime
      hostNetwork: true
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        operator: Exists
      volumes:
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - hostPath:
            path: /etc/localtime
            type: ""
          name: localtime

执行命令

<root@PROD-K8S-CP1 ~># kubectl apply -f kube-router.yaml 
serviceaccount/kube-router created
clusterrole.rbac.authorization.k8s.io/kube-router created
clusterrolebinding.rbac.authorization.k8s.io/kube-router created
daemonset.apps/kube-router created

<root@PROD-K8S-CP1 ~># dps
8b8080abd924    Up 1 second    k8s_kube-router_kube-router-x4p8p_kube-system_5e0ae98b-4379-468e-adb0-b8d53afb0f8c_0
41ed7a23568b    Up 58 minutes    k8s_kube-scheduler_kube-scheduler-prod-k8s-cp1_kube-system_3415bde3e2a04810cc416f7719a3f6aa_1
19c04a8d26b9    Up 58 minutes    k8s_kube-controller-manager_kube-controller-manager-prod-k8s-cp1_kube-system_42925a280ad1a6ea64e50a34fd744ba8_1
a06439059dbc    Up About an hour    k8s_kube-apiserver_kube-apiserver-prod-k8s-cp1_kube-system_db90a051e75b886b7e4c824ce338d134_0
7fd5eb50599a    Up About an hour    k8s_etcd_etcd-prod-k8s-cp1_kube-system_9adeb44bb2242e1393bcb109f3d4da5e_0

<root@PROD-K8S-CP1 ~># docker logs -f 8b8
I0823 09:14:18.098022       1 version.go:21] Running /usr/local/bin/kube-router version v1.3.1, built on 2021-08-13T15:31:53+0000, go1.16.7
I0823 09:14:18.200175       1 metrics_controller.go:174] Starting metrics controller
I0823 09:14:18.213300       1 network_routes_controller.go:1260] Could not find annotation `kube-router.io/bgp-local-addresses` on node object so BGP will listen on node IP: 10.1.0.252 address.
I0823 09:14:18.271081       1 network_routes_controller.go:222] Setting MTU of kube-bridge interface to: 1500
E0823 09:14:18.271644       1 network_routes_controller.go:233] Failed to enable netfilter for bridge. Network policies and service proxy may not work: exit status 1
I0823 09:14:18.271685       1 network_routes_controller.go:249] Starting network route controller
I0823 09:14:18.273840       1 network_routes_controller.go:991] Could not find BGP peer info for the node in the node annotations so skipping configuring peer.

<root@PROD-K8S-CP1 ~># kubectl get pods -n kube-system -o wide | grep kube-router
kube-router-fdpjj                      1/1     Running   0          84s   10.1.0.251    prod-k8s-cp2   <none>           <none>
kube-router-s8h9q                      1/1     Running   0          84s   10.1.17.229   prod-k8s-wn2   <none>           <none>
kube-router-t7whm                      1/1     Running   0          84s   10.1.0.1      prod-k8s-cp3   <none>           <none>
kube-router-v68b2                      1/1     Running   0          84s   10.1.17.230   prod-k8s-wn1   <none>           <none>
kube-router-x4p8p                      1/1     Running   0          84s   10.1.0.252    prod-k8s-cp1   <none>           <none>

扩展信息

## 扩展信息，如下
## gobgp命令示例 https://github.com/osrg/gobgp/blob/master/docs/sources/cli-command-syntax.md
## BGP Peers配置 https://github.com/cloudnativelabs/kube-router/blob/master/docs/bgp.md (默认情况下,不需要自定义指定ASN,默认为64512并且是NODE-TO-NODE MESH)

安装helm及添加cilium.repo

<root@PROD-K8S-CP1 ~># export http_proxy=http://10.1.0.160:1087 && export https_proxy=http://10.1.0.160:1087
<root@PROD-K8S-CP1 ~># curl -SLO https://get.helm.sh/helm-v3.2.3-linux-amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.3M  100 12.3M    0     0  3802k      0  0:00:03  0:00:03 --:--:-- 3802k

<root@PROD-K8S-CP1 ~># tar -zxvf helm-v3.2.3-linux-amd64.tar.gz
linux-amd64/
linux-amd64/README.md
linux-amd64/LICENSE
linux-amd64/helm

<root@PROD-K8S-CP1 ~># mv linux-amd64/helm /usr/bin/helm
<root@PROD-K8S-CP1 ~># helm repo add cilium https://helm.cilium.io/
"cilium" has been added to your repositories
<root@PROD-K8S-CP1 ~># helm search repo
NAME             CHART VERSION    APP VERSION    DESCRIPTION                                       
cilium/cilium    1.10.3           1.10.3         eBPF-based Networking, Security, and Observability

安装Cilium DSR模式

helm install cilium cilium/cilium --version 1.9.4 \
    --namespace kube-system \
    --set tunnel=disabled \
    --set autoDirectNodeRoutes=true \
    --set kubeProxyReplacement=strict \
    --set loadBalancer.mode=hybrid \
    --set nativeRoutingCIDR=172.21.0.0/20 \
    --set ipam.operator.clusterPoolIPv4PodCIDR=172.21.0.0/20 \
    --set ipam.operator.clusterPoolIPv4MaskSize=26 \
    --set k8sServiceHost=apiserver.qiangyun.com \
    --set k8sServicePort=6443

<root@PROD-K8S-CP1 ~># helm install cilium cilium/cilium --version 1.9.4 \
>     --namespace kube-system \
>     --set tunnel=disabled \
>     --set autoDirectNodeRoutes=true \
>     --set kubeProxyReplacement=strict \
>     --set loadBalancer.mode=hybrid \
>     --set nativeRoutingCIDR=172.21.0.0/20 \
>     --set ipam.operator.clusterPoolIPv4PodCIDR=172.21.0.0/20 \
>     --set ipam.operator.clusterPoolIPv4MaskSize=26 \
>     --set k8sServiceHost=apiserver.qiangyun.com \
>     --set k8sServicePort=6443
NAME: cilium
LAST DEPLOYED: Mon Aug 23 18:35:27 2021
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.

Your release version is 1.9.4.

For any further help, visit https://docs.cilium.io/en/v1.9/gettinghelp

查看创建结果，如下

<root@PROD-K8S-CP1 ~># kubectl get pods  -n kube-system -o wide | grep cilium
cilium-5w2gs                           1/1     Running   0          2m27s   10.1.0.1      prod-k8s-cp3   <none>           <none>
cilium-9zf99                           1/1     Running   0          2m27s   10.1.17.230   prod-k8s-wn1   <none>           <none>
cilium-mpg9w                           1/1     Running   0          2m27s   10.1.0.252    prod-k8s-cp1   <none>           <none>
cilium-nrh96                           1/1     Running   0          2m27s   10.1.0.251    prod-k8s-cp2   <none>           <none>
cilium-operator-66bf5877c7-tctj5       1/1     Running   0          2m27s   10.1.17.230   prod-k8s-wn1   <none>           <none>
cilium-operator-66bf5877c7-x7mnh       1/1     Running   0          2m27s   10.1.17.229   prod-k8s-wn2   <none>           <none>
cilium-t2d5r                           1/1     Running   0          2m27s   10.1.17.229   prod-k8s-wn2   <none>           <none>

查看cilium-agent启动日志

<root@PROD-K8S-CP1 ~># docker logs -f c88
level=info msg="Skipped reading configuration file" reason="Config File \"ciliumd\" Not Found in \"[/root]\"" subsys=config
level=info msg="Started gops server" address="127.0.0.1:9890" subsys=daemon
level=info msg="Memory available for map entries (0.003% of 8065806336B): 20164515B" subsys=config
level=info msg="option bpf-ct-global-tcp-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-ct-global-any-max set by dynamic sizing to 65536" subsys=config
level=info msg="option bpf-nat-global-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-neigh-global-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-sock-rev-map-max set by dynamic sizing to 65536" subsys=config
level=info msg="  --agent-health-port='9876'" subsys=daemon
level=info msg="  --agent-labels=''" subsys=daemon
level=info msg="  --allow-icmp-frag-needed='true'" subsys=daemon
level=info msg="  --allow-localhost='auto'" subsys=daemon
level=info msg="  --annotate-k8s-node='true'" subsys=daemon
level=info msg="  --api-rate-limit='map[]'" subsys=daemon
level=info msg="  --auto-create-cilium-node-resource='true'" subsys=daemon
level=info msg="  --auto-direct-node-routes='true'" subsys=daemon
level=info msg="  --blacklist-conflicting-routes='false'" subsys=daemon
level=info msg="  --bpf-compile-debug='false'" subsys=daemon
level=info msg="  --bpf-ct-global-any-max='262144'" subsys=daemon
level=info msg="  --bpf-ct-global-tcp-max='524288'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-any='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp='6h0m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp-fin='10s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp-syn='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-service-any='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-service-tcp='6h0m0s'" subsys=daemon
level=info msg="  --bpf-fragments-map-max='8192'" subsys=daemon
level=info msg="  --bpf-lb-acceleration='disabled'" subsys=daemon
level=info msg="  --bpf-lb-algorithm='random'" subsys=daemon
level=info msg="  --bpf-lb-maglev-hash-seed='JLfvgnHc2kaSUFaI'" subsys=daemon
level=info msg="  --bpf-lb-maglev-table-size='16381'" subsys=daemon
level=info msg="  --bpf-lb-map-max='65536'" subsys=daemon
level=info msg="  --bpf-lb-mode='snat'" subsys=daemon
level=info msg="  --bpf-map-dynamic-size-ratio='0.0025'" subsys=daemon
level=info msg="  --bpf-nat-global-max='524288'" subsys=daemon
level=info msg="  --bpf-neigh-global-max='524288'" subsys=daemon
level=info msg="  --bpf-policy-map-max='16384'" subsys=daemon
level=info msg="  --bpf-root=''" subsys=daemon
level=info msg="  --bpf-sock-rev-map-max='262144'" subsys=daemon
level=info msg="  --certificates-directory='/var/run/cilium/certs'" subsys=daemon
level=info msg="  --cgroup-root=''" subsys=daemon
level=info msg="  --cluster-id=''" subsys=daemon
level=info msg="  --cluster-name='default'" subsys=daemon
level=info msg="  --clustermesh-config='/var/lib/cilium/clustermesh/'" subsys=daemon
level=info msg="  --cmdref=''" subsys=daemon
level=info msg="  --config=''" subsys=daemon
level=info msg="  --config-dir='/tmp/cilium/config-map'" subsys=daemon
level=info msg="  --conntrack-gc-interval='0s'" subsys=daemon
level=info msg="  --crd-wait-timeout='5m0s'" subsys=daemon
level=info msg="  --datapath-mode='veth'" subsys=daemon
level=info msg="  --debug='false'" subsys=daemon
level=info msg="  --debug-verbose=''" subsys=daemon
level=info msg="  --device=''" subsys=daemon
level=info msg="  --devices=''" subsys=daemon
level=info msg="  --direct-routing-device=''" subsys=daemon
level=info msg="  --disable-cnp-status-updates='true'" subsys=daemon
level=info msg="  --disable-conntrack='false'" subsys=daemon
level=info msg="  --disable-endpoint-crd='false'" subsys=daemon
level=info msg="  --disable-envoy-version-check='false'" subsys=daemon
level=info msg="  --disable-iptables-feeder-rules=''" subsys=daemon
level=info msg="  --dns-max-ips-per-restored-rule='1000'" subsys=daemon
level=info msg="  --egress-masquerade-interfaces=''" subsys=daemon
level=info msg="  --egress-multi-home-ip-rule-compat='false'" subsys=daemon
level=info msg="  --enable-auto-protect-node-port-range='true'" subsys=daemon
level=info msg="  --enable-bandwidth-manager='false'" subsys=daemon
level=info msg="  --enable-bpf-clock-probe='true'" subsys=daemon
level=info msg="  --enable-bpf-masquerade='true'" subsys=daemon
level=info msg="  --enable-bpf-tproxy='false'" subsys=daemon
level=info msg="  --enable-endpoint-health-checking='true'" subsys=daemon
level=info msg="  --enable-endpoint-routes='false'" subsys=daemon
level=info msg="  --enable-external-ips='true'" subsys=daemon
level=info msg="  --enable-health-check-nodeport='true'" subsys=daemon
level=info msg="  --enable-health-checking='true'" subsys=daemon
level=info msg="  --enable-host-firewall='false'" subsys=daemon
level=info msg="  --enable-host-legacy-routing='false'" subsys=daemon
level=info msg="  --enable-host-port='true'" subsys=daemon
level=info msg="  --enable-host-reachable-services='false'" subsys=daemon
level=info msg="  --enable-hubble='true'" subsys=daemon
level=info msg="  --enable-identity-mark='true'" subsys=daemon
level=info msg="  --enable-ip-masq-agent='false'" subsys=daemon
level=info msg="  --enable-ipsec='false'" subsys=daemon
level=info msg="  --enable-ipv4='true'" subsys=daemon
level=info msg="  --enable-ipv4-fragment-tracking='true'" subsys=daemon
level=info msg="  --enable-ipv6='false'" subsys=daemon
level=info msg="  --enable-ipv6-ndp='false'" subsys=daemon
level=info msg="  --enable-k8s-api-discovery='false'" subsys=daemon
level=info msg="  --enable-k8s-endpoint-slice='true'" subsys=daemon
level=info msg="  --enable-k8s-event-handover='false'" subsys=daemon
level=info msg="  --enable-l7-proxy='true'" subsys=daemon
level=info msg="  --enable-local-node-route='true'" subsys=daemon
level=info msg="  --enable-local-redirect-policy='false'" subsys=daemon
level=info msg="  --enable-monitor='true'" subsys=daemon
level=info msg="  --enable-node-port='false'" subsys=daemon
level=info msg="  --enable-policy='default'" subsys=daemon
level=info msg="  --enable-remote-node-identity='true'" subsys=daemon
level=info msg="  --enable-selective-regeneration='true'" subsys=daemon
level=info msg="  --enable-session-affinity='true'" subsys=daemon
level=info msg="  --enable-svc-source-range-check='true'" subsys=daemon
level=info msg="  --enable-tracing='false'" subsys=daemon
level=info msg="  --enable-well-known-identities='false'" subsys=daemon
level=info msg="  --enable-xt-socket-fallback='true'" subsys=daemon
level=info msg="  --encrypt-interface=''" subsys=daemon
level=info msg="  --encrypt-node='false'" subsys=daemon
level=info msg="  --endpoint-interface-name-prefix='lxc+'" subsys=daemon
level=info msg="  --endpoint-queue-size='25'" subsys=daemon
level=info msg="  --endpoint-status=''" subsys=daemon
level=info msg="  --envoy-log=''" subsys=daemon
level=info msg="  --exclude-local-address=''" subsys=daemon
level=info msg="  --fixed-identity-mapping='map[]'" subsys=daemon
level=info msg="  --flannel-master-device=''" subsys=daemon
level=info msg="  --flannel-uninstall-on-exit='false'" subsys=daemon
level=info msg="  --force-local-policy-eval-at-source='true'" subsys=daemon
level=info msg="  --gops-port='9890'" subsys=daemon
level=info msg="  --host-reachable-services-protos='tcp,udp'" subsys=daemon
level=info msg="  --http-403-msg=''" subsys=daemon
level=info msg="  --http-idle-timeout='0'" subsys=daemon
level=info msg="  --http-max-grpc-timeout='0'" subsys=daemon
level=info msg="  --http-request-timeout='3600'" subsys=daemon
level=info msg="  --http-retry-count='3'" subsys=daemon
level=info msg="  --http-retry-timeout='0'" subsys=daemon
level=info msg="  --hubble-disable-tls='false'" subsys=daemon
level=info msg="  --hubble-event-queue-size='0'" subsys=daemon
level=info msg="  --hubble-flow-buffer-size='4095'" subsys=daemon
level=info msg="  --hubble-listen-address=':4244'" subsys=daemon
level=info msg="  --hubble-metrics=''" subsys=daemon
level=info msg="  --hubble-metrics-server=''" subsys=daemon
level=info msg="  --hubble-socket-path='/var/run/cilium/hubble.sock'" subsys=daemon
level=info msg="  --hubble-tls-cert-file='/var/lib/cilium/tls/hubble/server.crt'" subsys=daemon
level=info msg="  --hubble-tls-client-ca-files='/var/lib/cilium/tls/hubble/client-ca.crt'" subsys=daemon
level=info msg="  --hubble-tls-key-file='/var/lib/cilium/tls/hubble/server.key'" subsys=daemon
level=info msg="  --identity-allocation-mode='crd'" subsys=daemon
level=info msg="  --identity-change-grace-period='5s'" subsys=daemon
level=info msg="  --install-iptables-rules='true'" subsys=daemon
level=info msg="  --ip-allocation-timeout='2m0s'" subsys=daemon
level=info msg="  --ip-masq-agent-config-path='/etc/config/ip-masq-agent'" subsys=daemon
level=info msg="  --ipam='cluster-pool'" subsys=daemon
level=info msg="  --ipsec-key-file=''" subsys=daemon
level=info msg="  --iptables-lock-timeout='5s'" subsys=daemon
level=info msg="  --iptables-random-fully='false'" subsys=daemon
level=info msg="  --ipv4-node='auto'" subsys=daemon
level=info msg="  --ipv4-pod-subnets=''" subsys=daemon
level=info msg="  --ipv4-range='auto'" subsys=daemon
level=info msg="  --ipv4-service-loopback-address='169.254.42.1'" subsys=daemon
level=info msg="  --ipv4-service-range='auto'" subsys=daemon
level=info msg="  --ipv6-cluster-alloc-cidr='f00d::/64'" subsys=daemon
level=info msg="  --ipv6-mcast-device=''" subsys=daemon
level=info msg="  --ipv6-node='auto'" subsys=daemon
level=info msg="  --ipv6-pod-subnets=''" subsys=daemon
level=info msg="  --ipv6-range='auto'" subsys=daemon
level=info msg="  --ipv6-service-range='auto'" subsys=daemon
level=info msg="  --ipvlan-master-device='undefined'" subsys=daemon
level=info msg="  --join-cluster='false'" subsys=daemon
level=info msg="  --k8s-api-server=''" subsys=daemon
level=info msg="  --k8s-force-json-patch='false'" subsys=daemon
level=info msg="  --k8s-heartbeat-timeout='30s'" subsys=daemon
level=info msg="  --k8s-kubeconfig-path=''" subsys=daemon
level=info msg="  --k8s-namespace='kube-system'" subsys=daemon
level=info msg="  --k8s-require-ipv4-pod-cidr='false'" subsys=daemon
level=info msg="  --k8s-require-ipv6-pod-cidr='false'" subsys=daemon
level=info msg="  --k8s-service-cache-size='128'" subsys=daemon
level=info msg="  --k8s-service-proxy-name=''" subsys=daemon
level=info msg="  --k8s-sync-timeout='3m0s'" subsys=daemon
level=info msg="  --k8s-watcher-endpoint-selector='metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager'" subsys=daemon
level=info msg="  --k8s-watcher-queue-size='1024'" subsys=daemon
level=info msg="  --keep-config='false'" subsys=daemon
level=info msg="  --kube-proxy-replacement='strict'" subsys=daemon
level=info msg="  --kube-proxy-replacement-healthz-bind-address=''" subsys=daemon
level=info msg="  --kvstore=''" subsys=daemon
level=info msg="  --kvstore-connectivity-timeout='2m0s'" subsys=daemon
level=info msg="  --kvstore-lease-ttl='15m0s'" subsys=daemon
level=info msg="  --kvstore-opt='map[]'" subsys=daemon
level=info msg="  --kvstore-periodic-sync='5m0s'" subsys=daemon
level=info msg="  --label-prefix-file=''" subsys=daemon
level=info msg="  --labels=''" subsys=daemon
level=info msg="  --lib-dir='/var/lib/cilium'" subsys=daemon
level=info msg="  --log-driver=''" subsys=daemon
level=info msg="  --log-opt='map[]'" subsys=daemon
level=info msg="  --log-system-load='false'" subsys=daemon
level=info msg="  --masquerade='true'" subsys=daemon
level=info msg="  --max-controller-interval='0'" subsys=daemon
level=info msg="  --metrics=''" subsys=daemon
level=info msg="  --monitor-aggregation='medium'" subsys=daemon
level=info msg="  --monitor-aggregation-flags='all'" subsys=daemon
level=info msg="  --monitor-aggregation-interval='5s'" subsys=daemon
level=info msg="  --monitor-queue-size='0'" subsys=daemon
level=info msg="  --mtu='0'" subsys=daemon
level=info msg="  --nat46-range='0:0:0:0:0:FFFF::/96'" subsys=daemon
level=info msg="  --native-routing-cidr='172.21.0.0/20'" subsys=daemon
level=info msg="  --node-port-acceleration='disabled'" subsys=daemon
level=info msg="  --node-port-algorithm='random'" subsys=daemon
level=info msg="  --node-port-bind-protection='true'" subsys=daemon
level=info msg="  --node-port-mode='hybrid'" subsys=daemon
level=info msg="  --node-port-range='30000,32767'" subsys=daemon
level=info msg="  --policy-audit-mode='false'" subsys=daemon
level=info msg="  --policy-queue-size='100'" subsys=daemon
level=info msg="  --policy-trigger-interval='1s'" subsys=daemon
level=info msg="  --pprof='false'" subsys=daemon
level=info msg="  --preallocate-bpf-maps='false'" subsys=daemon
level=info msg="  --prefilter-device='undefined'" subsys=daemon
level=info msg="  --prefilter-mode='native'" subsys=daemon
level=info msg="  --prepend-iptables-chains='true'" subsys=daemon
level=info msg="  --prometheus-serve-addr=''" subsys=daemon
level=info msg="  --proxy-connect-timeout='1'" subsys=daemon
level=info msg="  --proxy-prometheus-port='0'" subsys=daemon
level=info msg="  --read-cni-conf=''" subsys=daemon
level=info msg="  --restore='true'" subsys=daemon
level=info msg="  --sidecar-istio-proxy-image='cilium/istio_proxy'" subsys=daemon
level=info msg="  --single-cluster-route='false'" subsys=daemon
level=info msg="  --skip-crd-creation='false'" subsys=daemon
level=info msg="  --socket-path='/var/run/cilium/cilium.sock'" subsys=daemon
level=info msg="  --sockops-enable='false'" subsys=daemon
level=info msg="  --state-dir='/var/run/cilium'" subsys=daemon
level=info msg="  --tofqdns-dns-reject-response-code='refused'" subsys=daemon
level=info msg="  --tofqdns-enable-dns-compression='true'" subsys=daemon
level=info msg="  --tofqdns-endpoint-max-ip-per-hostname='50'" subsys=daemon
level=info msg="  --tofqdns-max-deferred-connection-deletes='10000'" subsys=daemon
level=info msg="  --tofqdns-min-ttl='0'" subsys=daemon
level=info msg="  --tofqdns-pre-cache=''" subsys=daemon
level=info msg="  --tofqdns-proxy-port='0'" subsys=daemon
level=info msg="  --tofqdns-proxy-response-max-delay='100ms'" subsys=daemon
level=info msg="  --trace-payloadlen='128'" subsys=daemon
level=info msg="  --tunnel='disabled'" subsys=daemon
level=info msg="  --version='false'" subsys=daemon
level=info msg="  --write-cni-conf-when-ready=''" subsys=daemon
level=info msg="     _ _ _" subsys=daemon
level=info msg=" ___|_| |_|_ _ _____" subsys=daemon
level=info msg="|  _| | | | | |     |" subsys=daemon
level=info msg="|___|_|_|_|___|_|_|_|" subsys=daemon
level=info msg="Cilium 1.9.4 07b62884c 2021-02-03T11:45:44-08:00 go version go1.15.7 linux/amd64" subsys=daemon
level=info msg="cilium-envoy  version: 1177896bebde79915fe5f9092409bf0254084b4e/1.14.5/Modified/RELEASE/BoringSSL" subsys=daemon
level=info msg="clang (10.0.0) and kernel (5.11.1) versions: OK!" subsys=linux-datapath
level=info msg="linking environment: OK!" subsys=linux-datapath
level=info msg="BPF system config check: NOT OK." error="Kernel Config file not found" subsys=linux-datapath
level=info msg="Detected mounted BPF filesystem at /sys/fs/bpf" subsys=bpf
level=info msg="Valid label prefix configuration:" subsys=labels-filter
level=info msg=" - :io.kubernetes.pod.namespace" subsys=labels-filter
level=info msg=" - :io.cilium.k8s.namespace.labels" subsys=labels-filter
level=info msg=" - :app.kubernetes.io" subsys=labels-filter
level=info msg=" - !:io.kubernetes" subsys=labels-filter
level=info msg=" - !:kubernetes.io" subsys=labels-filter
level=info msg=" - !:.*beta.kubernetes.io" subsys=labels-filter
level=info msg=" - !:k8s.io" subsys=labels-filter
level=info msg=" - !:pod-template-generation" subsys=labels-filter
level=info msg=" - !:pod-template-hash" subsys=labels-filter
level=info msg=" - !:controller-revision-hash" subsys=labels-filter
level=info msg=" - !:annotation.*" subsys=labels-filter
level=info msg=" - !:etcd_node" subsys=labels-filter
level=info msg="Auto-disabling \"enable-bpf-clock-probe\" feature since KERNEL_HZ cannot be determined" error="Cannot probe CONFIG_HZ" subsys=daemon
level=info msg="Using autogenerated IPv4 allocation range" subsys=node v4Prefix=10.252.0.0/16
level=info msg="Initializing daemon" subsys=daemon
level=info msg="Establishing connection to apiserver" host="https://apiserver.qiangyun.com:6443" subsys=k8s
level=info msg="Connected to apiserver" subsys=k8s
level=info msg="Inheriting MTU from external network interface" device=eth0 ipAddr=10.1.0.252 mtu=1500 subsys=mtu
level=info msg="Trying to auto-enable \"enable-node-port\", \"enable-external-ips\", \"enable-host-reachable-services\", \"enable-host-port\", \"enable-session-affinity\" features" subsys=daemon
level=info msg="Restored services from maps" failed=0 restored=0 subsys=service
level=info msg="Reading old endpoints..." subsys=daemon
level=info msg="No old endpoints found." subsys=daemon
level=info msg="Envoy: Starting xDS gRPC server listening on /var/run/cilium/xds.sock" subsys=envoy-manager
level=error msg="Command execution failed" cmd="[iptables -t mangle -n -L CILIUM_PRE_mangle]" error="exit status 1" subsys=iptables
level=warning msg="iptables: No chain/target/match by that name." subsys=iptables
level=info msg="Waiting until all Cilium CRDs are available" subsys=k8s
level=info msg="All Cilium CRDs have been found and are available" subsys=k8s
level=info msg="Creating or updating CiliumNode resource" node=prod-k8s-cp1 subsys=nodediscovery
level=info msg="Successfully created CiliumNode resource" subsys=nodediscovery
level=info msg="Retrieved node information from cilium node" nodeName=prod-k8s-cp1 subsys=k8s
level=warning msg="Waiting for k8s node information" error="required IPv4 PodCIDR not available" subsys=k8s
level=info msg="Retrieved node information from cilium node" nodeName=prod-k8s-cp1 subsys=k8s
level=warning msg="Waiting for k8s node information" error="required IPv4 PodCIDR not available" subsys=k8s
level=info msg="Retrieved node information from cilium node" nodeName=prod-k8s-cp1 subsys=k8s
level=info msg="Received own node information from API server" ipAddr.ipv4=10.1.0.252 ipAddr.ipv6="<nil>" k8sNodeIP=10.1.0.252 labels="map[beta.kubernetes.io/arch:amd64 beta.kubernetes.io/os:linux kubernetes.io/arch:amd64 kubernetes.io/hostname:prod-k8s-cp1 kubernetes.io/os:linux node-role.kubernetes.io/master:]" nodeName=prod-k8s-cp1 subsys=k8s v4Prefix=172.21.0.128/26 v6Prefix="<nil>"
level=info msg="k8s mode: Allowing localhost to reach local endpoints" subsys=daemon
level=info msg="Using auto-derived devices for BPF node port" devices="[eth0]" directRoutingDevice=eth0 subsys=daemon
level=info msg="Enabling k8s event listener" subsys=k8s-watcher
level=info msg="Waiting until all pre-existing resources related to policy have been received" subsys=k8s-watcher
level=info msg="Removing stale endpoint interfaces" subsys=daemon
level=info msg="Skipping kvstore configuration" subsys=daemon
level=info msg="Initializing node addressing" subsys=daemon
level=info msg="Initializing cluster-pool IPAM" subsys=ipam v4Prefix=172.21.0.128/26 v6Prefix="<nil>"
level=info msg="Restoring endpoints..." subsys=daemon
level=info msg="Endpoints restored" failed=0 restored=0 subsys=daemon
level=info msg="Addressing information:" subsys=daemon
level=info msg="  Cluster-Name: default" subsys=daemon
level=info msg="  Cluster-ID: 0" subsys=daemon
level=info msg="  Local node-name: prod-k8s-cp1" subsys=daemon
level=info msg="  Node-IPv6: <nil>" subsys=daemon
level=info msg="  External-Node IPv4: 10.1.0.252" subsys=daemon
level=info msg="  Internal-Node IPv4: 172.21.0.149" subsys=daemon
level=info msg="  IPv4 allocation prefix: 172.21.0.128/26" subsys=daemon
level=info msg="  IPv4 native routing prefix: 172.21.0.0/20" subsys=daemon
level=info msg="  Loopback IPv4: 169.254.42.1" subsys=daemon
level=info msg="  Local IPv4 addresses:" subsys=daemon
level=info msg="  - 10.1.0.252" subsys=daemon
level=info msg="Creating or updating CiliumNode resource" node=prod-k8s-cp1 subsys=nodediscovery
level=info msg="Adding local node to cluster" node="{prod-k8s-cp1 default [{InternalIP 10.1.0.252} {CiliumInternalIP 172.21.0.149}] 172.21.0.128/26 <nil> 172.21.0.186 <nil> 0 local 0 map[beta.kubernetes.io/arch:amd64 beta.kubernetes.io/os:linux kubernetes.io/arch:amd64 kubernetes.io/hostname:prod-k8s-cp1 kubernetes.io/os:linux node-role.kubernetes.io/master:] 6}" subsys=nodediscovery
level=info msg="Annotating k8s node" subsys=daemon v4CiliumHostIP.IPv4=172.21.0.149 v4Prefix=172.21.0.128/26 v4healthIP.IPv4=172.21.0.186 v6CiliumHostIP.IPv6="<nil>" v6Prefix="<nil>" v6healthIP.IPv6="<nil>"
level=info msg="Initializing identity allocator" subsys=identity-cache
level=info msg="Cluster-ID is not specified, skipping ClusterMesh initialization" subsys=daemon
level=info msg="Setting up BPF datapath" bpfClockSource=ktime bpfInsnSet=v2 subsys=datapath-loader
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.core.bpf_jit_enable sysParamValue=1
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.ipv4.conf.all.rp_filter sysParamValue=0
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.unprivileged_bpf_disabled sysParamValue=1
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.timer_migration sysParamValue=0
level=info msg="All pre-existing resources related to policy have been received; continuing" subsys=k8s-watcher
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.0.64/26 Src: <nil> Gw: 10.1.17.230 Flags: [] Table: 0}" error="route to destination 10.1.17.230 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=info msg="Adding new proxy port rules for cilium-dns-egress:36775" proxy port name=cilium-dns-egress subsys=proxy
level=info msg="Serving cilium node monitor v1.2 API at unix:///var/run/cilium/monitor1_2.sock" subsys=monitor-agent
level=info msg="Validating configured node address ranges" subsys=daemon
level=info msg="Starting connection tracking garbage collector" subsys=daemon
level=info msg="Starting IP identity watcher" subsys=ipcache
level=info msg="Initial scan of connection tracking completed" subsys=ct-gc
level=info msg="Regenerating restored endpoints" numRestored=0 subsys=daemon
level=info msg="Datapath signal listener running" subsys=signal
level=info msg="Creating host endpoint" subsys=daemon
level=info msg="Finished regenerating restored endpoints" regenerated=0 subsys=daemon total=0
level=info msg="New endpoint" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2855 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Resolving identity labels (blocking)" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2855 identityLabels="k8s:node-role.kubernetes.io/master,reserved:host" ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Identity of endpoint changed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2855 identity=1 identityLabels="k8s:node-role.kubernetes.io/master,reserved:host" ipv4= ipv6= k8sPodName=/ oldIdentity="no identity" subsys=endpoint
level=info msg="Launching Cilium health daemon" subsys=daemon
level=info msg="Launching Cilium health endpoint" subsys=daemon
level=info msg="Started healthz status API server" address="127.0.0.1:9876" subsys=daemon
level=info msg="Initializing Cilium API" subsys=daemon
level=info msg="Daemon initialization completed" bootstrapTime=6.500397391s subsys=daemon
level=info msg="Configuring Hubble server" eventQueueSize=4096 maxFlows=4095 subsys=hubble
level=info msg="Serving cilium API at unix:///var/run/cilium/cilium.sock" subsys=daemon
level=info msg="Beginning to read perf buffer" startTime="2021-08-23 10:36:14.089494941 +0000 UTC m=+6.563405298" subsys=monitor-agent
level=info msg="Starting local Hubble server" address="unix:///var/run/cilium/hubble.sock" subsys=hubble
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.1.0/26 Src: <nil> Gw: 10.1.17.229 Flags: [] Table: 0}" error="route to destination 10.1.17.229 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=info msg="New endpoint" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=626 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Resolving identity labels (blocking)" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=626 identityLabels="reserved:health" ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Identity of endpoint changed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=626 identity=4 identityLabels="reserved:health" ipv4= ipv6= k8sPodName=/ oldIdentity="no identity" subsys=endpoint
level=info msg="Compiled new BPF template" BPFCompilationTime=1.594668719s file-path=/var/run/cilium/state/templates/070a939417b8306206efe78af3771c70091cd452/bpf_host.o subsys=datapath-loader
level=info msg="Rewrote endpoint BPF program" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=2855 identity=1 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Compiled new BPF template" BPFCompilationTime=1.294100586s file-path=/var/run/cilium/state/templates/2cd0c716a4b47bc3fea14439429e6798308a71a1/bpf_lxc.o subsys=datapath-loader
level=info msg="Rewrote endpoint BPF program" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=626 identity=4 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="regenerating all endpoints" reason="one or more identities created or deleted" subsys=endpoint-manager
level=info msg="Waiting for Hubble server TLS certificate and key files to be created" subsys=hubble
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.0.64/26 Src: <nil> Gw: 10.1.17.230 Flags: [] Table: 0}" error="route to destination 10.1.17.230 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.1.0/26 Src: <nil> Gw: 10.1.17.229 Flags: [] Table: 0}" error="route to destination 10.1.17.229 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=info msg="Serving cilium health API at unix:///var/run/cilium/health.sock" subsys=health-server
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.0.64/26 Src: <nil> Gw: 10.1.17.230 Flags: [] Table: 0}" error="route to destination 10.1.17.230 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.1.0/26 Src: <nil> Gw: 10.1.17.229 Flags: [] Table: 0}" error="route to destination 10.1.17.229 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath

以上日志后面为什么有报错，因为在安装时指定的模式是DSR模式，DSR模式必须要求后端服务器在一个网段中，报错是因为CP与WN不在一个网段内，解决方案可以使用endpoints路由的方式

level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.0.64/26 Src: <nil> Gw: 10.1.17.230 Flags: [] Table: 0}" error="route to destination 10.1.17.230 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.1.0/26 Src: <nil> Gw: 10.1.17.229 Flags: [] Table: 0}" error="route to destination 10.1.17.229 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=info msg="Serving cilium health API at unix:///var/run/cilium/health.sock" subsys=health-server
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.0.64/26 Src: <nil> Gw: 10.1.17.230 Flags: [] Table: 0}" error="route to destination 10.1.17.230 contains gateway 10.1.0.253, must be directly reachable" subsys=linux-datapath
level=warning msg="Unable to install direct node route {Ifindex: 0 Dst: 172.21.1.0/26 Src: <nil> Gw: 10.1.17.229 Flags: [] Table: 0}" error="route to destination 10.1.17.229 contains gateway 　　, must be directly reachable" subsys=linux-datapath

endpointRouters 模式，如下

helm install cilium cilium/cilium --version 1.9.4 \
    --namespace kube-system \
    --set tunnel=disabled \
    --set endpointRoutes.enabled=true \
    --set kubeProxyReplacement=strict \
    --set loadBalancer.mode=hybrid\
    --set nativeRoutingCIDR=172.21.0.0/20 \
    --set ipam.operator.clusterPoolIPv4PodCIDR=172.21.0.0/20 \
    --set ipam.operator.clusterPoolIPv4MaskSize=26 \
    --set k8sServiceHost=apiserver.qiangyun.com \
    --set k8sServicePort=6443

<root@PROD-K8S-CP1 ~># docker logs -f a34
level=info msg="Skipped reading configuration file" reason="Config File \"ciliumd\" Not Found in \"[/root]\"" subsys=config
level=info msg="Started gops server" address="127.0.0.1:9890" subsys=daemon
level=info msg="Memory available for map entries (0.003% of 8065818624B): 20164546B" subsys=config
level=info msg="option bpf-ct-global-tcp-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-ct-global-any-max set by dynamic sizing to 65536" subsys=config
level=info msg="option bpf-nat-global-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-neigh-global-max set by dynamic sizing to 131072" subsys=config
level=info msg="option bpf-sock-rev-map-max set by dynamic sizing to 65536" subsys=config
level=info msg="  --agent-health-port='9876'" subsys=daemon
level=info msg="  --agent-labels=''" subsys=daemon
level=info msg="  --allow-icmp-frag-needed='true'" subsys=daemon
level=info msg="  --allow-localhost='auto'" subsys=daemon
level=info msg="  --annotate-k8s-node='true'" subsys=daemon
level=info msg="  --api-rate-limit='map[]'" subsys=daemon
level=info msg="  --auto-create-cilium-node-resource='true'" subsys=daemon
level=info msg="  --auto-direct-node-routes='false'" subsys=daemon
level=info msg="  --blacklist-conflicting-routes='false'" subsys=daemon
level=info msg="  --bpf-compile-debug='false'" subsys=daemon
level=info msg="  --bpf-ct-global-any-max='262144'" subsys=daemon
level=info msg="  --bpf-ct-global-tcp-max='524288'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-any='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp='6h0m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp-fin='10s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-regular-tcp-syn='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-service-any='1m0s'" subsys=daemon
level=info msg="  --bpf-ct-timeout-service-tcp='6h0m0s'" subsys=daemon
level=info msg="  --bpf-fragments-map-max='8192'" subsys=daemon
level=info msg="  --bpf-lb-acceleration='disabled'" subsys=daemon
level=info msg="  --bpf-lb-algorithm='random'" subsys=daemon
level=info msg="  --bpf-lb-maglev-hash-seed='JLfvgnHc2kaSUFaI'" subsys=daemon
level=info msg="  --bpf-lb-maglev-table-size='16381'" subsys=daemon
level=info msg="  --bpf-lb-map-max='65536'" subsys=daemon
level=info msg="  --bpf-lb-mode='snat'" subsys=daemon
level=info msg="  --bpf-map-dynamic-size-ratio='0.0025'" subsys=daemon
level=info msg="  --bpf-nat-global-max='524288'" subsys=daemon
level=info msg="  --bpf-neigh-global-max='524288'" subsys=daemon
level=info msg="  --bpf-policy-map-max='16384'" subsys=daemon
level=info msg="  --bpf-root=''" subsys=daemon
level=info msg="  --bpf-sock-rev-map-max='262144'" subsys=daemon
level=info msg="  --certificates-directory='/var/run/cilium/certs'" subsys=daemon
level=info msg="  --cgroup-root=''" subsys=daemon
level=info msg="  --cluster-id=''" subsys=daemon
level=info msg="  --cluster-name='default'" subsys=daemon
level=info msg="  --clustermesh-config='/var/lib/cilium/clustermesh/'" subsys=daemon
level=info msg="  --cmdref=''" subsys=daemon
level=info msg="  --config=''" subsys=daemon
level=info msg="  --config-dir='/tmp/cilium/config-map'" subsys=daemon
level=info msg="  --conntrack-gc-interval='0s'" subsys=daemon
level=info msg="  --crd-wait-timeout='5m0s'" subsys=daemon
level=info msg="  --datapath-mode='veth'" subsys=daemon
level=info msg="  --debug='false'" subsys=daemon
level=info msg="  --debug-verbose=''" subsys=daemon
level=info msg="  --device=''" subsys=daemon
level=info msg="  --devices=''" subsys=daemon
level=info msg="  --direct-routing-device=''" subsys=daemon
level=info msg="  --disable-cnp-status-updates='true'" subsys=daemon
level=info msg="  --disable-conntrack='false'" subsys=daemon
level=info msg="  --disable-endpoint-crd='false'" subsys=daemon
level=info msg="  --disable-envoy-version-check='false'" subsys=daemon
level=info msg="  --disable-iptables-feeder-rules=''" subsys=daemon
level=info msg="  --dns-max-ips-per-restored-rule='1000'" subsys=daemon
level=info msg="  --egress-masquerade-interfaces=''" subsys=daemon
level=info msg="  --egress-multi-home-ip-rule-compat='false'" subsys=daemon
level=info msg="  --enable-auto-protect-node-port-range='true'" subsys=daemon
level=info msg="  --enable-bandwidth-manager='false'" subsys=daemon
level=info msg="  --enable-bpf-clock-probe='true'" subsys=daemon
level=info msg="  --enable-bpf-masquerade='true'" subsys=daemon
level=info msg="  --enable-bpf-tproxy='false'" subsys=daemon
level=info msg="  --enable-endpoint-health-checking='true'" subsys=daemon
level=info msg="  --enable-endpoint-routes='true'" subsys=daemon
level=info msg="  --enable-external-ips='true'" subsys=daemon
level=info msg="  --enable-health-check-nodeport='true'" subsys=daemon
level=info msg="  --enable-health-checking='true'" subsys=daemon
level=info msg="  --enable-host-firewall='false'" subsys=daemon
level=info msg="  --enable-host-legacy-routing='false'" subsys=daemon
level=info msg="  --enable-host-port='true'" subsys=daemon
level=info msg="  --enable-host-reachable-services='false'" subsys=daemon
level=info msg="  --enable-hubble='true'" subsys=daemon
level=info msg="  --enable-identity-mark='true'" subsys=daemon
level=info msg="  --enable-ip-masq-agent='false'" subsys=daemon
level=info msg="  --enable-ipsec='false'" subsys=daemon
level=info msg="  --enable-ipv4='true'" subsys=daemon
level=info msg="  --enable-ipv4-fragment-tracking='true'" subsys=daemon
level=info msg="  --enable-ipv6='false'" subsys=daemon
level=info msg="  --enable-ipv6-ndp='false'" subsys=daemon
level=info msg="  --enable-k8s-api-discovery='false'" subsys=daemon
level=info msg="  --enable-k8s-endpoint-slice='true'" subsys=daemon
level=info msg="  --enable-k8s-event-handover='false'" subsys=daemon
level=info msg="  --enable-l7-proxy='true'" subsys=daemon
level=info msg="  --enable-local-node-route='true'" subsys=daemon
level=info msg="  --enable-local-redirect-policy='false'" subsys=daemon
level=info msg="  --enable-monitor='true'" subsys=daemon
level=info msg="  --enable-node-port='false'" subsys=daemon
level=info msg="  --enable-policy='default'" subsys=daemon
level=info msg="  --enable-remote-node-identity='true'" subsys=daemon
level=info msg="  --enable-selective-regeneration='true'" subsys=daemon
level=info msg="  --enable-session-affinity='true'" subsys=daemon
level=info msg="  --enable-svc-source-range-check='true'" subsys=daemon
level=info msg="  --enable-tracing='false'" subsys=daemon
level=info msg="  --enable-well-known-identities='false'" subsys=daemon
level=info msg="  --enable-xt-socket-fallback='true'" subsys=daemon
level=info msg="  --encrypt-interface=''" subsys=daemon
level=info msg="  --encrypt-node='false'" subsys=daemon
level=info msg="  --endpoint-interface-name-prefix='lxc+'" subsys=daemon
level=info msg="  --endpoint-queue-size='25'" subsys=daemon
level=info msg="  --endpoint-status=''" subsys=daemon
level=info msg="  --envoy-log=''" subsys=daemon
level=info msg="  --exclude-local-address=''" subsys=daemon
level=info msg="  --fixed-identity-mapping='map[]'" subsys=daemon
level=info msg="  --flannel-master-device=''" subsys=daemon
level=info msg="  --flannel-uninstall-on-exit='false'" subsys=daemon
level=info msg="  --force-local-policy-eval-at-source='true'" subsys=daemon
level=info msg="  --gops-port='9890'" subsys=daemon
level=info msg="  --host-reachable-services-protos='tcp,udp'" subsys=daemon
level=info msg="  --http-403-msg=''" subsys=daemon
level=info msg="  --http-idle-timeout='0'" subsys=daemon
level=info msg="  --http-max-grpc-timeout='0'" subsys=daemon
level=info msg="  --http-request-timeout='3600'" subsys=daemon
level=info msg="  --http-retry-count='3'" subsys=daemon
level=info msg="  --http-retry-timeout='0'" subsys=daemon
level=info msg="  --hubble-disable-tls='false'" subsys=daemon
level=info msg="  --hubble-event-queue-size='0'" subsys=daemon
level=info msg="  --hubble-flow-buffer-size='4095'" subsys=daemon
level=info msg="  --hubble-listen-address=':4244'" subsys=daemon
level=info msg="  --hubble-metrics=''" subsys=daemon
level=info msg="  --hubble-metrics-server=''" subsys=daemon
level=info msg="  --hubble-socket-path='/var/run/cilium/hubble.sock'" subsys=daemon
level=info msg="  --hubble-tls-cert-file='/var/lib/cilium/tls/hubble/server.crt'" subsys=daemon
level=info msg="  --hubble-tls-client-ca-files='/var/lib/cilium/tls/hubble/client-ca.crt'" subsys=daemon
level=info msg="  --hubble-tls-key-file='/var/lib/cilium/tls/hubble/server.key'" subsys=daemon
level=info msg="  --identity-allocation-mode='crd'" subsys=daemon
level=info msg="  --identity-change-grace-period='5s'" subsys=daemon
level=info msg="  --install-iptables-rules='true'" subsys=daemon
level=info msg="  --ip-allocation-timeout='2m0s'" subsys=daemon
level=info msg="  --ip-masq-agent-config-path='/etc/config/ip-masq-agent'" subsys=daemon
level=info msg="  --ipam='cluster-pool'" subsys=daemon
level=info msg="  --ipsec-key-file=''" subsys=daemon
level=info msg="  --iptables-lock-timeout='5s'" subsys=daemon
level=info msg="  --iptables-random-fully='false'" subsys=daemon
level=info msg="  --ipv4-node='auto'" subsys=daemon
level=info msg="  --ipv4-pod-subnets=''" subsys=daemon
level=info msg="  --ipv4-range='auto'" subsys=daemon
level=info msg="  --ipv4-service-loopback-address='169.254.42.1'" subsys=daemon
level=info msg="  --ipv4-service-range='auto'" subsys=daemon
level=info msg="  --ipv6-cluster-alloc-cidr='f00d::/64'" subsys=daemon
level=info msg="  --ipv6-mcast-device=''" subsys=daemon
level=info msg="  --ipv6-node='auto'" subsys=daemon
level=info msg="  --ipv6-pod-subnets=''" subsys=daemon
level=info msg="  --ipv6-range='auto'" subsys=daemon
level=info msg="  --ipv6-service-range='auto'" subsys=daemon
level=info msg="  --ipvlan-master-device='undefined'" subsys=daemon
level=info msg="  --join-cluster='false'" subsys=daemon
level=info msg="  --k8s-api-server=''" subsys=daemon
level=info msg="  --k8s-force-json-patch='false'" subsys=daemon
level=info msg="  --k8s-heartbeat-timeout='30s'" subsys=daemon
level=info msg="  --k8s-kubeconfig-path=''" subsys=daemon
level=info msg="  --k8s-namespace='kube-system'" subsys=daemon
level=info msg="  --k8s-require-ipv4-pod-cidr='false'" subsys=daemon
level=info msg="  --k8s-require-ipv6-pod-cidr='false'" subsys=daemon
level=info msg="  --k8s-service-cache-size='128'" subsys=daemon
level=info msg="  --k8s-service-proxy-name=''" subsys=daemon
level=info msg="  --k8s-sync-timeout='3m0s'" subsys=daemon
level=info msg="  --k8s-watcher-endpoint-selector='metadata.name!=kube-scheduler,metadata.name!=kube-controller-manager,metadata.name!=etcd-operator,metadata.name!=gcp-controller-manager'" subsys=daemon
level=info msg="  --k8s-watcher-queue-size='1024'" subsys=daemon
level=info msg="  --keep-config='false'" subsys=daemon
level=info msg="  --kube-proxy-replacement='strict'" subsys=daemon
level=info msg="  --kube-proxy-replacement-healthz-bind-address=''" subsys=daemon
level=info msg="  --kvstore=''" subsys=daemon
level=info msg="  --kvstore-connectivity-timeout='2m0s'" subsys=daemon
level=info msg="  --kvstore-lease-ttl='15m0s'" subsys=daemon
level=info msg="  --kvstore-opt='map[]'" subsys=daemon
level=info msg="  --kvstore-periodic-sync='5m0s'" subsys=daemon
level=info msg="  --label-prefix-file=''" subsys=daemon
level=info msg="  --labels=''" subsys=daemon
level=info msg="  --lib-dir='/var/lib/cilium'" subsys=daemon
level=info msg="  --log-driver=''" subsys=daemon
level=info msg="  --log-opt='map[]'" subsys=daemon
level=info msg="  --log-system-load='false'" subsys=daemon
level=info msg="  --masquerade='true'" subsys=daemon
level=info msg="  --max-controller-interval='0'" subsys=daemon
level=info msg="  --metrics=''" subsys=daemon
level=info msg="  --monitor-aggregation='medium'" subsys=daemon
level=info msg="  --monitor-aggregation-flags='all'" subsys=daemon
level=info msg="  --monitor-aggregation-interval='5s'" subsys=daemon
level=info msg="  --monitor-queue-size='0'" subsys=daemon
level=info msg="  --mtu='0'" subsys=daemon
level=info msg="  --nat46-range='0:0:0:0:0:FFFF::/96'" subsys=daemon
level=info msg="  --native-routing-cidr='172.21.0.0/20'" subsys=daemon
level=info msg="  --node-port-acceleration='disabled'" subsys=daemon
level=info msg="  --node-port-algorithm='random'" subsys=daemon
level=info msg="  --node-port-bind-protection='true'" subsys=daemon
level=info msg="  --node-port-mode='hybrid'" subsys=daemon
level=info msg="  --node-port-range='30000,32767'" subsys=daemon
level=info msg="  --policy-audit-mode='false'" subsys=daemon
level=info msg="  --policy-queue-size='100'" subsys=daemon
level=info msg="  --policy-trigger-interval='1s'" subsys=daemon
level=info msg="  --pprof='false'" subsys=daemon
level=info msg="  --preallocate-bpf-maps='false'" subsys=daemon
level=info msg="  --prefilter-device='undefined'" subsys=daemon
level=info msg="  --prefilter-mode='native'" subsys=daemon
level=info msg="  --prepend-iptables-chains='true'" subsys=daemon
level=info msg="  --prometheus-serve-addr=''" subsys=daemon
level=info msg="  --proxy-connect-timeout='1'" subsys=daemon
level=info msg="  --proxy-prometheus-port='0'" subsys=daemon
level=info msg="  --read-cni-conf=''" subsys=daemon
level=info msg="  --restore='true'" subsys=daemon
level=info msg="  --sidecar-istio-proxy-image='cilium/istio_proxy'" subsys=daemon
level=info msg="  --single-cluster-route='false'" subsys=daemon
level=info msg="  --skip-crd-creation='false'" subsys=daemon
level=info msg="  --socket-path='/var/run/cilium/cilium.sock'" subsys=daemon
level=info msg="  --sockops-enable='false'" subsys=daemon
level=info msg="  --state-dir='/var/run/cilium'" subsys=daemon
level=info msg="  --tofqdns-dns-reject-response-code='refused'" subsys=daemon
level=info msg="  --tofqdns-enable-dns-compression='true'" subsys=daemon
level=info msg="  --tofqdns-endpoint-max-ip-per-hostname='50'" subsys=daemon
level=info msg="  --tofqdns-max-deferred-connection-deletes='10000'" subsys=daemon
level=info msg="  --tofqdns-min-ttl='0'" subsys=daemon
level=info msg="  --tofqdns-pre-cache=''" subsys=daemon
level=info msg="  --tofqdns-proxy-port='0'" subsys=daemon
level=info msg="  --tofqdns-proxy-response-max-delay='100ms'" subsys=daemon
level=info msg="  --trace-payloadlen='128'" subsys=daemon
level=info msg="  --tunnel='disabled'" subsys=daemon
level=info msg="  --version='false'" subsys=daemon
level=info msg="  --write-cni-conf-when-ready=''" subsys=daemon
level=info msg="     _ _ _" subsys=daemon
level=info msg=" ___|_| |_|_ _ _____" subsys=daemon
level=info msg="|  _| | | | | |     |" subsys=daemon
level=info msg="|___|_|_|_|___|_|_|_|" subsys=daemon
level=info msg="Cilium 1.9.4 07b62884c 2021-02-03T11:45:44-08:00 go version go1.15.7 linux/amd64" subsys=daemon
level=info msg="cilium-envoy  version: 1177896bebde79915fe5f9092409bf0254084b4e/1.14.5/Modified/RELEASE/BoringSSL" subsys=daemon
level=info msg="clang (10.0.0) and kernel (5.11.1) versions: OK!" subsys=linux-datapath
level=info msg="linking environment: OK!" subsys=linux-datapath
level=info msg="BPF system config check: NOT OK." error="Kernel Config file not found" subsys=linux-datapath
level=info msg="Detected mounted BPF filesystem at /sys/fs/bpf" subsys=bpf
level=info msg="Valid label prefix configuration:" subsys=labels-filter
level=info msg=" - :io.kubernetes.pod.namespace" subsys=labels-filter
level=info msg=" - :io.cilium.k8s.namespace.labels" subsys=labels-filter
level=info msg=" - :app.kubernetes.io" subsys=labels-filter
level=info msg=" - !:io.kubernetes" subsys=labels-filter
level=info msg=" - !:kubernetes.io" subsys=labels-filter
level=info msg=" - !:.*beta.kubernetes.io" subsys=labels-filter
level=info msg=" - !:k8s.io" subsys=labels-filter
level=info msg=" - !:pod-template-generation" subsys=labels-filter
level=info msg=" - !:pod-template-hash" subsys=labels-filter
level=info msg=" - !:controller-revision-hash" subsys=labels-filter
level=info msg=" - !:annotation.*" subsys=labels-filter
level=info msg=" - !:etcd_node" subsys=labels-filter
level=info msg="Auto-disabling \"enable-bpf-clock-probe\" feature since KERNEL_HZ cannot be determined" error="Cannot probe CONFIG_HZ" subsys=daemon
level=info msg="Using autogenerated IPv4 allocation range" subsys=node v4Prefix=10.252.0.0/16
level=info msg="Initializing daemon" subsys=daemon
level=info msg="Establishing connection to apiserver" host="https://apiserver.qiangyun.com:6443" subsys=k8s
level=info msg="Connected to apiserver" subsys=k8s
level=info msg="Inheriting MTU from external network interface" device=eth0 ipAddr=10.1.0.252 mtu=1500 subsys=mtu
level=info msg="Trying to auto-enable \"enable-node-port\", \"enable-external-ips\", \"enable-host-reachable-services\", \"enable-host-port\", \"enable-session-affinity\" features" subsys=daemon
level=info msg="BPF host routing is incompatible with enable-endpoint-routes. Falling back to legacy host routing (enable-host-legacy-routing=true)." subsys=daemon
level=info msg="Restored services from maps" failed=0 restored=3 subsys=service
level=info msg="Reading old endpoints..." subsys=daemon
level=info msg="Envoy: Starting xDS gRPC server listening on /var/run/cilium/xds.sock" subsys=envoy-manager
level=info msg="No old endpoints found." subsys=daemon
level=error msg="Command execution failed" cmd="[iptables -t mangle -n -L CILIUM_PRE_mangle]" error="exit status 1" subsys=iptables
level=warning msg="iptables: No chain/target/match by that name." subsys=iptables
level=info msg="Waiting until all Cilium CRDs are available" subsys=k8s
level=info msg="All Cilium CRDs have been found and are available" subsys=k8s
level=info msg="Creating or updating CiliumNode resource" node=prod-k8s-cp1 subsys=nodediscovery
level=info msg="Retrieved node information from cilium node" nodeName=prod-k8s-cp1 subsys=k8s
level=info msg="Received own node information from API server" ipAddr.ipv4=10.1.0.252 ipAddr.ipv6="<nil>" k8sNodeIP=10.1.0.252 labels="map[beta.kubernetes.io/arch:amd64 beta.kubernetes.io/os:linux kubernetes.io/arch:amd64 kubernetes.io/hostname:prod-k8s-cp1 kubernetes.io/os:linux node-role.kubernetes.io/master:]" nodeName=prod-k8s-cp1 subsys=k8s v4Prefix=172.21.0.128/26 v6Prefix="<nil>"
level=info msg="k8s mode: Allowing localhost to reach local endpoints" subsys=daemon
level=info msg="Using auto-derived devices for BPF node port" devices="[eth0]" directRoutingDevice=eth0 subsys=daemon
level=info msg="Enabling k8s event listener" subsys=k8s-watcher
level=info msg="Removing stale endpoint interfaces" subsys=daemon
level=info msg="Waiting until all pre-existing resources related to policy have been received" subsys=k8s-watcher
level=info msg="Skipping kvstore configuration" subsys=daemon
level=info msg="Restored router address from node_config" file=/var/run/cilium/state/globals/node_config.h ipv4=172.21.0.155 ipv6="<nil>" subsys=node
level=info msg="Initializing node addressing" subsys=daemon
level=info msg="Initializing cluster-pool IPAM" subsys=ipam v4Prefix=172.21.0.128/26 v6Prefix="<nil>"
level=info msg="Restoring endpoints..." subsys=daemon
level=info msg="Endpoints restored" failed=0 restored=0 subsys=daemon
level=info msg="Addressing information:" subsys=daemon
level=info msg="  Cluster-Name: default" subsys=daemon
level=info msg="  Cluster-ID: 0" subsys=daemon
level=info msg="  Local node-name: prod-k8s-cp1" subsys=daemon
level=info msg="  Node-IPv6: <nil>" subsys=daemon
level=info msg="  External-Node IPv4: 10.1.0.252" subsys=daemon
level=info msg="  Internal-Node IPv4: 172.21.0.155" subsys=daemon
level=info msg="  IPv4 allocation prefix: 172.21.0.128/26" subsys=daemon
level=info msg="  IPv4 native routing prefix: 172.21.0.0/20" subsys=daemon
level=info msg="  Loopback IPv4: 169.254.42.1" subsys=daemon
level=info msg="  Local IPv4 addresses:" subsys=daemon
level=info msg="  - 10.1.0.252" subsys=daemon
level=info msg="Creating or updating CiliumNode resource" node=prod-k8s-cp1 subsys=nodediscovery
level=info msg="Adding local node to cluster" node="{prod-k8s-cp1 default [{InternalIP 10.1.0.252} {CiliumInternalIP 172.21.0.155}] 172.21.0.128/26 <nil> 172.21.0.146 <nil> 0 local 0 map[beta.kubernetes.io/arch:amd64 beta.kubernetes.io/os:linux kubernetes.io/arch:amd64 kubernetes.io/hostname:prod-k8s-cp1 kubernetes.io/os:linux node-role.kubernetes.io/master:] 6}" subsys=nodediscovery
level=info msg="Annotating k8s node" subsys=daemon v4CiliumHostIP.IPv4=172.21.0.155 v4Prefix=172.21.0.128/26 v4healthIP.IPv4=172.21.0.146 v6CiliumHostIP.IPv6="<nil>" v6Prefix="<nil>" v6healthIP.IPv6="<nil>"
level=info msg="Initializing identity allocator" subsys=identity-cache
level=info msg="Cluster-ID is not specified, skipping ClusterMesh initialization" subsys=daemon
level=info msg="Setting up BPF datapath" bpfClockSource=ktime bpfInsnSet=v2 subsys=datapath-loader
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.core.bpf_jit_enable sysParamValue=1
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=net.ipv4.conf.all.rp_filter sysParamValue=0
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.unprivileged_bpf_disabled sysParamValue=1
level=info msg="Setting sysctl" subsys=datapath-loader sysParamName=kernel.timer_migration sysParamValue=0
level=info msg="regenerating all endpoints" reason="one or more identities created or deleted" subsys=endpoint-manager
level=info msg="All pre-existing resources related to policy have been received; continuing" subsys=k8s-watcher
level=info msg="Adding new proxy port rules for cilium-dns-egress:36923" proxy port name=cilium-dns-egress subsys=proxy
level=info msg="Serving cilium node monitor v1.2 API at unix:///var/run/cilium/monitor1_2.sock" subsys=monitor-agent
level=info msg="Validating configured node address ranges" subsys=daemon
level=info msg="Starting connection tracking garbage collector" subsys=daemon
level=info msg="Starting IP identity watcher" subsys=ipcache
level=info msg="Initial scan of connection tracking completed" subsys=ct-gc
level=info msg="Regenerating restored endpoints" numRestored=0 subsys=daemon
level=info msg="Datapath signal listener running" subsys=signal
level=info msg="Creating host endpoint" subsys=daemon
level=info msg="Finished regenerating restored endpoints" regenerated=0 subsys=daemon total=0
level=info msg="New endpoint" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=1631 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Resolving identity labels (blocking)" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=1631 identityLabels="k8s:node-role.kubernetes.io/master,reserved:host" ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Identity of endpoint changed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=1631 identity=1 identityLabels="k8s:node-role.kubernetes.io/master,reserved:host" ipv4= ipv6= k8sPodName=/ oldIdentity="no identity" subsys=endpoint
level=info msg="Launching Cilium health daemon" subsys=daemon
level=info msg="Launching Cilium health endpoint" subsys=daemon
level=info msg="Started healthz status API server" address="127.0.0.1:9876" subsys=daemon
level=info msg="Initializing Cilium API" subsys=daemon
level=info msg="Daemon initialization completed" bootstrapTime=5.273111833s subsys=daemon
level=info msg="Configuring Hubble server" eventQueueSize=4096 maxFlows=4095 subsys=hubble
level=info msg="Serving cilium API at unix:///var/run/cilium/cilium.sock" subsys=daemon
level=info msg="Beginning to read perf buffer" startTime="2021-08-23 11:50:02.907610703 +0000 UTC m=+5.334524512" subsys=monitor-agent
level=info msg="Starting local Hubble server" address="unix:///var/run/cilium/hubble.sock" subsys=hubble
level=info msg="New endpoint" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2993 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Resolving identity labels (blocking)" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2993 identityLabels="reserved:health" ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Identity of endpoint changed" containerID= datapathPolicyRevision=0 desiredPolicyRevision=0 endpointID=2993 identity=4 identityLabels="reserved:health" ipv4= ipv6= k8sPodName=/ oldIdentity="no identity" subsys=endpoint
level=info msg="Compiled new BPF template" BPFCompilationTime=1.573768687s file-path=/var/run/cilium/state/templates/c2ab4c32b5e410ece1e4936f2ee4756c6b636151/bpf_host.o subsys=datapath-loader
level=info msg="Rewrote endpoint BPF program" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=1631 identity=1 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Compiled new BPF template" BPFCompilationTime=1.308964876s file-path=/var/run/cilium/state/templates/43718f4689bfffe78a6ab433df688d2f9e7bc41a/bpf_lxc.o subsys=datapath-loader
level=info msg="Rewrote endpoint BPF program" containerID= datapathPolicyRevision=0 desiredPolicyRevision=1 endpointID=2993 identity=4 ipv4= ipv6= k8sPodName=/ subsys=endpoint
level=info msg="Waiting for Hubble server TLS certificate and key files to be created" subsys=hubble
level=info msg="Serving cilium health API at unix:///var/run/cilium/health.sock" subsys=health-server
level=info msg="Conntrack garbage collector interval recalculated" deleteRatio=0.001922607421875 newInterval=7m30s subsys=map-ct

调整Kubernetes组件的时区及资源限额，直接编辑/etc/kubernetes/manifests/下的文件，一台一台来，先修改etcd

# 时区调整
    volumeMounts:
...
    - mountPath: /etc/localtime
      name: localtime

  volumes:
...
  - hostPath:
      path: /etc/localtime
      type: ""
    name: localtime

---------------------------------------------------------

# 资源限额
    resources: 
      requests:
        cpu: 100m
        memory: 1024Mi
      limits:
        cpu: 2
        memory: 4096Mi

设置SYS区节点的label（使用lens直接编辑）

# PROD-SYS-K8S-WN1/2
kubernetes.io/env: sys
    kubernetes.io/ingress: prod
    kubernetes.io/resource: addons

为SYS区节点设置污点驱逐

<root@PROD-K8S-CP1 ~># kubectl taint node prod-sys-k8s-wn1 resource=addons:NoExecute
node/prod-sys-k8s-wn1 tainted
<root@PROD-K8S-CP1 ~># kubectl taint node prod-sys-k8s-wn2 resource=addons:NoExecute
node/prod-sys-k8s-wn2 tainted

<root@PROD-K8S-CP1 ~># kubectl describe nodes prod-sys-k8s-wn1
Name:               prod-sys-k8s-wn1
Roles:              worker
Labels:             beta.kubernetes.io/arch=amd64
                    beta.kubernetes.io/os=linux
                    kubernetes.io/arch=amd64
                    kubernetes.io/env=sys
                    kubernetes.io/hostname=prod-sys-k8s-wn1
                    kubernetes.io/ingress=prod
                    kubernetes.io/os=linux
                    kubernetes.io/resource=addons
                    node-role.kubernetes.io/worker=worker
Annotations:        io.cilium.network.ipv4-cilium-host: 172.21.1.177
                    io.cilium.network.ipv4-health-ip: 172.21.1.185
                    io.cilium.network.ipv4-pod-cidr: 172.21.1.128/26
                    kubeadm.alpha.kubernetes.io/cri-socket: /var/run/dockershim.sock
                    node.alpha.kubernetes.io/ttl: 0
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Mon, 23 Aug 2021 20:11:52 +0800
Taints:             resource=addons:NoExecute <root@PROD-K8S-CP1 ~># kubectl describe nodes prod-sys-k8s-wn2
Name:               prod-sys-k8s-wn2
Roles:              worker
Labels:             beta.kubernetes.io/arch=amd64
                    beta.kubernetes.io/os=linux
                    kubernetes.io/arch=amd64
                    kubernetes.io/env=sys
                    kubernetes.io/hostname=prod-sys-k8s-wn2
                    kubernetes.io/ingress=prod
                    kubernetes.io/os=linux
                    kubernetes.io/resource=addons
                    node-role.kubernetes.io/worker=worker
Annotations:        io.cilium.network.ipv4-cilium-host: 172.21.1.65
                    io.cilium.network.ipv4-health-ip: 172.21.1.117
                    io.cilium.network.ipv4-pod-cidr: 172.21.1.64/26
                    kubeadm.alpha.kubernetes.io/cri-socket: /var/run/dockershim.sock
                    node.alpha.kubernetes.io/ttl: 0
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Mon, 23 Aug 2021 20:12:06 +0800
Taints:             resource=addons:NoExecute

调整corn-dns / cilium-operator的节点亲和性，lens编辑

# 调整core-dns的污点容忍
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: resource
          value: addons
          effect: NoExecute

# 调整core-dns的节点亲和性
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/resource
                    operator: In
                    values:
                      - addons
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: k8s-app
                    operator: In
                    values:
                      - kube-dns
              topologyKey: kubernetes.io/hostname

------------------------------------------------------------------------------

# 调整cilium-operator的污点容忍
      tolerations:
        - operator: Exists

# 调整cilium-operator的节点亲和性
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: kubernetes.io/resource
                    operator: In
                    values:
                      - addons
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: io.cilium/app
                    operator: In
                    values:
                      - operator
              topologyKey: kubernetes.io/hostname

调整core-dns、ciliume-agent、ciliume-operator的资源限额，lens直接修改

# core-dns
          resources:
            limits:
              cpu: '2'
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 70Mi

----------------------------------------------

# cilium-operator
          resources:
            limits:
              cpu: '2'
              memory: 1Gi
            requests:
              cpu: 100m
              memory: 70Mi

----------------------------------------------

# cilium-agent
# 注意修改位置，请勿在initContainers执行，资源限额
          resources:
            limits:
              cpu: '2'
              memory: 1Gi
            requests:
              cpu: 100m
              memory: 100Mi

设置系统资源预留

maxPods: 32
systemReserved:
  cpu: 300m
  memory: 500Mi
kubeReserved:
  cpu: 300m
  memory: 500Mi
evictionHard:
  memory.available: "300Mi"
  nodefs.available: "15%"
  nodefs.inodesFree: "5%"
  imagefs.available: "15%"
evictionMinimumReclaim:
  memory.available: "0Mi"
  nodefs.available: "20Gi"
  imagefs.available: "10Gi"

快捷方式

mkdir /var/log/kubernetes && sed -i 's/KUBELET_EXTRA_ARGS=/KUBELET_EXTRA_ARGS=--logtostderr=false --log-dir=\/var\/log\/kubernetes/g' /etc/sysconfig/kubelet && 
sed -i '16a maxPods: 32 \
systemReserved: \
  cpu: 300m \
  memory: 300Mi \
kubeReserved: \
  cpu: 300m \
  memory: 200Mi \
evictionHard: \
  memory.available: "300Mi" \
  nodefs.available: "15%" \
  nodefs.inodesFree: "5%" \
  imagefs.available: "15%" \
evictionMinimumReclaim: \
  memory.available: "0Mi" \
  nodefs.available: "20Gi" \
  imagefs.available: "10Gi"' /var/lib/kubelet/config.yaml

Priority设置

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: base-resource
globalDefault: false
value: 9999
description: "system base resource"

---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: provider-service
globalDefault: false
value: 8888
description: "dubbo provider service"

---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: consumer-service
globalDefault: false
value: 7777
description: "dubbo consumer service"

---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: admin-service
globalDefault: false
value: 6666
description: "system management"

---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: monitor-service
globalDefault: false
value: 5555
description: "system monitor service for prometheus"

免责声明！

本站转载的文章为个人学习借鉴使用，本站对版权不负任何法律责任。如果侵犯了您的隐私权益，请联系本站邮箱yoyou2525@163.com删除。

猜您在找 使用 kubeadm 部署 v1.18.5 版本 Kubernetes集群 CentOS 8搭建Kubernetes-k8s集群-1.18.5 kubeadm高可用安装k8s集群1.18.5 Cilium路由模式（一）利用kubernetes 安装 Kubernetes Dashboard [Kubernetes]安装和配置kubectl Kubernetes安装报错总结 kubeadm方式安装kubernetes Kubernetes kubeadm 安装记录 CentOS7安装Kubernetes