title: cluster.yml 文件示例 description: 您可通过编辑 RKE 的集群配置文件cluster.yml,完成多种配置选项。以下是最小文件示例和完整文件示例。 keywords:

  • rancher
  • rancher中文
  • rancher中文文档
  • rancher官网
  • rancher文档
  • Rancher
  • rancher 中文
  • rancher 中文文档
  • rancher cn
  • RKE
  • cluster.yml 文件示例

您可通过编辑 RKE 的集群配置文件cluster.yml,完成多种配置选项。以下是最小文件示例和完整文件示例。

说明:如果您使用的是 Rancher v2.0.5 或 v2.0.6,使用集群配置文件,配置集群选项时,服务名称不能含有除了英文字母和下划线外的其他字符。

最小文件示例

  1. nodes:
  2.   - address: 1.2.3.4
  3.     user: ubuntu
  4.     role:
  5.       - controlplane
  6.       - etcd
  7.       - worker

完整文件示例

  1. nodes:
  2.   - address: 1.1.1.1
  3.     user: ubuntu
  4.     role:
  5.       - controlplane
  6.       - etcd
  7.       port: 2222
  8.       docker_socket: /var/run/docker.sock
  9.     - address: 2.2.2.2
  10.       user: ubuntu
  11.       role:
  12.         - worker
  13.       ssh_key_path: /home/user/.ssh/id_rsa
  14.       ssh_key: |-
  15.         -----BEGIN RSA PRIVATE KEY-----
  16.         -----END RSA PRIVATE KEY-----
  17.       ssh_cert_path: /home/user/.ssh/test-key-cert.pub
  18.       ssh_cert: |-
  19.         ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3Bl....
  20.     - address: example.com
  21.       user: ubuntu
  22.       role:
  23.         - worker
  24.       hostname_override: node3
  25.       internal_address: 192.168.1.6
  26.       labels:
  27.         app: ingress
  28.       taints:
  29.         - key: test-key
  30.           value: test-value
  31.           effect: NoSchedule
  32. # If set to true, RKE will not fail when unsupported Docker version
  33. # are found
  34. ignore_docker_version: false
  36. # Enable running cri-dockerd
  37. # Up to Kubernetes 1.23, kubelet contained code called dockershim 
  38. # to support Docker runtime. The replacement is called cri-dockerd 
  39. # and should be enabled if you want to keep using Docker as your
  40. # container runtime
  41. # Only available to enable in Kubernetes 1.21 and higher
  42. enable_cri_dockerd: true
  44. # Cluster level SSH private key
  45. # Used if no ssh information is set for the node
  46. ssh_key_path: ~/.ssh/test
  47. # Enable use of SSH agent to use SSH private keys with passphrase
  48. # This requires the environment `SSH_AUTH_SOCK` configured pointing
  49. #to your SSH agent which has the private key added
  50. ssh_agent_auth: true
  51. # List of registry credentials
  52. # If you are using a Docker Hub registry, you can omit the `url`
  53. # or set it to `docker.io`
  54. # is_default set to `true` will override the system default
  55. # registry set in the global settings
  56. private_registries:
  57.      - url: registry.com
  58.        user: Username
  59.        password: password
  60.        is_default: true
  61. # Bastion/Jump host configuration
  62. bastion_host:
  63.     address: x.x.x.x
  64.     user: ubuntu
  65.     port: 22
  66.     ssh_key_path: /home/user/.ssh/bastion_rsa
  67. # or
  68. #   ssh_key: |-
  69. #     -----BEGIN RSA PRIVATE KEY-----
  70. #
  71. #     -----END RSA PRIVATE KEY-----
  72. # Set the name of the Kubernetes cluster
  73. cluster_name: mycluster
  74. # The Kubernetes version used. The default versions of Kubernetes
  75. # are tied to specific versions of the system images.
  76. #
  77. # For RKE v0.2.x and below, the map of Kubernetes versions and their system images is
  78. # located here:
  79. # https://github.com/rancher/types/blob/release/v2.2/apis/management.cattle.io/v3/k8s_defaults.go
  80. #
  81. # For RKE v0.3.0 and above, the map of Kubernetes versions and their system images is
  82. # located here:
  83. # https://github.com/rancher/kontainer-driver-metadata/blob/master/rke/k8s_rke_system_images.go
  84. #
  85. # In case the kubernetes_version and kubernetes image in
  86. # system_images are defined, the system_images configuration
  87. # will take precedence over kubernetes_version.
  88. kubernetes_version: v1.10.3-rancher2
  89. # System Images are defaulted to a tag that is mapped to a specific
  90. # Kubernetes Version and not required in a cluster.yml.
  91. # Each individual system image can be specified if you want to use a different tag.
  92. #
  93. # For RKE v0.2.x and below, the map of Kubernetes versions and their system images is
  94. # located here:
  95. # https://github.com/rancher/types/blob/release/v2.2/apis/management.cattle.io/v3/k8s_defaults.go
  96. #
  97. # For RKE v0.3.0 and above, the map of Kubernetes versions and their system images is
  98. # located here:
  99. # https://github.com/rancher/kontainer-driver-metadata/blob/master/rke/k8s_rke_system_images.go
  100. #
  101. system_images:
  102.     kubernetes: rancher/hyperkube:v1.10.3-rancher2
  103.     etcd: rancher/coreos-etcd:v3.1.12
  104.     alpine: rancher/rke-tools:v0.1.9
  105.     nginx_proxy: rancher/rke-tools:v0.1.9
  106.     cert_downloader: rancher/rke-tools:v0.1.9
  107.     kubernetes_services_sidecar: rancher/rke-tools:v0.1.9
  108.     kubedns: rancher/k8s-dns-kube-dns-amd64:1.14.8
  109.     dnsmasq: rancher/k8s-dns-dnsmasq-nanny-amd64:1.14.8
  110.     kubedns_sidecar: rancher/k8s-dns-sidecar-amd64:1.14.8
  111.     kubedns_autoscaler: rancher/cluster-proportional-autoscaler-amd64:1.0.0
  112.     pod_infra_container: rancher/pause-amd64:3.1
  113. services:
  114.     etcd:
  115.       # Custom uid/guid for etcd directory and files
  116.       uid: 52034
  117.       gid: 52034
  118.       # if external etcd is used
  119.       # path: /etcdcluster
  120.       # external_urls:
  121.       #   - https://etcd-example.com:2379
  122.       # ca_cert: |-
  123.       #   -----BEGIN CERTIFICATE-----
  124.       #   xxxxxxxxxx
  125.       #   -----END CERTIFICATE-----
  126.       # cert: |-
  127.       #   -----BEGIN CERTIFICATE-----
  128.       #   xxxxxxxxxx
  129.       #   -----END CERTIFICATE-----
  130.       # key: |-
  131.       #   -----BEGIN PRIVATE KEY-----
  132.       #   xxxxxxxxxx
  133.       #   -----END PRIVATE KEY-----
  134.     # Note for Rancher v2.0.5 and v2.0.6 users: If you are configuring
  135.     # Cluster Options using a Config File when creating Rancher Launched
  136.     # Kubernetes, the names of services should contain underscores
  137.     # only: `kube_api`.
  138.     kube-api:
  139.       # IP range for any services created on Kubernetes
  140.       # This must match the service_cluster_ip_range in kube-controller
  141.       service_cluster_ip_range: 10.43.0.0/16
  142.       # Expose a different port range for NodePort services
  143.       service_node_port_range: 30000-32767
  144.       pod_security_policy: false
  145.       # Encrypt secret data at Rest
  146.       # Available as of v0.3.1
  147.       secrets_encryption_config:
  148.         enabled: true
  149.         custom_config:
  150.           apiVersion: apiserver.config.k8s.io/v1
  151.           kind: EncryptionConfiguration
  152.           resources:
  153.           - resources:
  154.             - secrets
  155.             providers:
  156.             - aescbc:
  157.                 keys:
  158.                 - name: k-fw5hn
  159.                   secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
  160.             - identity: {}
  161.       # Enable audit logging
  162.       # Available as of v1.0.0
  163.       audit_log:
  164.         enabled: true
  165.         configuration:
  166.           max_age: 6
  167.           max_backup: 6
  168.           max_size: 110
  169.           path: /var/log/kube-audit/audit-log.json
  170.           format: json
  171.           policy:
  172.             apiVersion: audit.k8s.io/v1 # This is required.
  173.             kind: Policy
  174.             omitStages:
  175.               - "RequestReceived"
  176.             rules:
  177.               # Log pod changes at RequestResponse level
  178.               - level: RequestResponse
  179.                 resources:
  180.                 - group: ""
  181.                   # Resource "pods" doesn't match requests to any subresource of pods,
  182.                   # which is consistent with the RBAC policy.
  183.                   resources: ["pods"]
  184.       # Using the EventRateLimit admission control enforces a limit on the number of events
  185.       # that the API Server will accept in a given time period
  186.       # Available as of v1.0.0
  187.       event_rate_limit:
  188.         enabled: true
  189.         configuration:
  190.           apiVersion: eventratelimit.admission.k8s.io/v1alpha1
  191.           kind: Configuration
  192.           limits:
  193.           - type: Server
  194.             qps: 6000
  195.             burst: 30000
  196.       # Enable AlwaysPullImages Admission controller plugin
  197.       # Available as of v0.2.0
  198.       always_pull_images: false
  199.       # Add additional arguments to the kubernetes API server
  200.       # This WILL OVERRIDE any existing defaults
  201.       extra_args:
  202.         # Enable audit log to stdout
  203.         audit-log-path: "-"
  204.         # Increase number of delete workers
  205.         delete-collection-workers: 3
  206.         # Set the level of log output to debug-level
  207.         v: 4
  208.     # Note for Rancher 2 users: If you are configuring Cluster Options
  209.     # using a Config File when creating Rancher Launched Kubernetes,
  210.     # the names of services should contain underscores only:
  211.     # `kube_controller`. This only applies to Rancher v2.0.5 and v2.0.6.
  212.     kube-controller:
  213.       # CIDR pool used to assign IP addresses to pods in the cluster
  214.       cluster_cidr: 10.42.0.0/16
  215.       # IP range for any services created on Kubernetes
  216.       # This must match the service_cluster_ip_range in kube-api
  217.       service_cluster_ip_range: 10.43.0.0/16
  218.       # Add additional arguments to the kubernetes API server
  219.       # This WILL OVERRIDE any existing defaults
  220.       extra_args:
  221.         # Set the level of log output to debug-level
  222.         v: 4
  223.         # Enable RotateKubeletServerCertificate feature gate
  224.         feature-gates: RotateKubeletServerCertificate=true
  225.         # Enable TLS Certificates management
  226.         # https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
  227.         cluster-signing-cert-file: "/etc/kubernetes/ssl/kube-ca.pem"
  228.         cluster-signing-key-file: "/etc/kubernetes/ssl/kube-ca-key.pem"
  229.     kubelet:
  230.       # Base domain for the cluster
  231.       cluster_domain: cluster.local
  232.       # IP address for the DNS service endpoint
  233.       cluster_dns_server: 10.43.0.10
  234.     # Fail if swap is on
  235.     fail_swap_on: false
  236.     # Configure pod-infra-container-image argument
  237.       pod-infra-container-image: "k8s.gcr.io/pause:3.2"
  238.       # Generate a certificate signed by the kube-ca Certificate Authority
  239.       # for the kubelet to use as a server certificate
  240.       # Available as of v1.0.0
  241.       generate_serving_certificate: true
  242.       extra_args:
  243.         # Set max pods to 250 instead of default 110
  244.         max-pods: 250
  245.         # Enable RotateKubeletServerCertificate feature gate
  246.         feature-gates: RotateKubeletServerCertificate=true
  247.       # Optionally define additional volume binds to a service
  248.       extra_binds:
  249.         - "/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins"
  250.     scheduler:
  251.       extra_args:
  252.         # Set the level of log output to debug-level
  253.         v: 4
  254.     kubeproxy:
  255.       extra_args:
  256.         # Set the level of log output to debug-level
  257.         v: 4
  258. # Currently, only authentication strategy supported is x509.
  259. # You can optionally create additional SANs (hostnames or IPs) to
  260. # add to the API server PKI certificate.
  261. # This is useful if you want to use a load balancer for the
  262. # control plane servers.
  263. authentication:
  264.   strategy: x509
  265.   sans:
  266.     - "10.18.160.10"
  267.     - "my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com"
  269. # Kubernetes Authorization mode
  270. # Use `mode: rbac` to enable RBAC
  271. # Use `mode: none` to disable authorization
  272. authorization:
  273.   mode: rbac
  275. # If you want to set a Kubernetes cloud provider, you specify
  276. # the name and configuration
  277. cloud_provider:
  278.   name: aws
  280. # Add-ons are deployed using kubernetes jobs. RKE will give
  281. # up on trying to get the job status after this timeout in seconds..
  282. addon_job_timeout: 30
  284. # Specify network plugin-in (canal, calico, flannel, weave, or none)
  285. network:
  286.   plugin: canal
  287.   # Specify MTU
  288.   mtu: 1400
  289.   options:
  290.     # Configure interface to use for Canal
  291.     canal_iface: eth1
  292.     canal_flannel_backend_type: vxlan
  293.     # Available as of v1.2.6
  294.     canal_autoscaler_priority_class_name: system-cluster-critical
  295.     canal_priority_class_name: system-cluster-critical
  296.   # Available as of v1.2.4
  297.   tolerations:
  298.   - key: "node.kubernetes.io/unreachable"
  299.     operator: "Exists"
  300.     effect: "NoExecute"
  301.     tolerationseconds: 300
  302.   - key: "node.kubernetes.io/not-ready"
  303.     operator: "Exists"
  304.     effect: "NoExecute"
  305.     tolerationseconds: 300
  306.   # Available as of v1.1.0
  307.   update_strategy:
  308.     strategy: RollingUpdate
  309.     rollingUpdate:
  310.       maxUnavailable: 6
  312. # Specify DNS provider (coredns or kube-dns)
  313. dns:
  314.   provider: coredns
  315.   # Available as of v1.1.0
  316.   update_strategy:
  317.     strategy: RollingUpdate
  318.     rollingUpdate:
  319.       maxUnavailable: 20%
  320.       maxSurge: 15%
  321.   linear_autoscaler_params:
  322.     cores_per_replica: 0.34
  323.     nodes_per_replica: 4
  324.     prevent_single_point_failure: true
  325.     min: 2
  326.     max: 3
  327. # Specify monitoring provider (metrics-server)
  328. monitoring:
  329.   provider: metrics-server
  330.   # Available as of v1.1.0
  331.   update_strategy:
  332.     strategy: RollingUpdate
  333.     rollingUpdate:
  334.       maxUnavailable: 8
  335. # Currently only nginx ingress provider is supported.
  336. # To disable ingress controller, set `provider: none`
  337. # `node_selector` controls ingress placement and is optional
  338. ingress:
  339.   provider: nginx
  340.   node_selector:
  341.     app: ingress
  342.   # Available as of v1.1.0
  343.   update_strategy:
  344.     strategy: RollingUpdate
  345.     rollingUpdate:
  346.       maxUnavailable: 5
  347. # All add-on manifests MUST specify a namespace
  348. addons: |-
  349.   ---
  350.   apiVersion: v1
  351.   kind: Pod
  352.   metadata:
  353.     name: my-nginx
  354.     namespace: default
  355.   spec:
  356.     containers:
  357.     - name: my-nginx
  358.       image: nginx
  359.       ports:
  360.       - containerPort: 80
  362. addons_include:
  363.   - https://raw.githubusercontent.com/rook/rook/master/cluster/examples/kubernetes/rook-operator.yaml
  364.   - https://raw.githubusercontent.com/rook/rook/master/cluster/examples/kubernetes/rook-cluster.yaml
  365.   - /path/to/manifest