1. kubelet代码入口
kubelet的main函数源码入口如下,代码路径为kubernetes/cmd/kubelet/kubelet.go
image.png
main入口,借助cobra生成脚手即程序次级入口,如有疑问,建议查查cobra工具使用及解析,网上资料较多
func main() {
#rand以时间戳为基底的随机种子
rand.Seed(time.Now().UnixNano())
#通过cobra生成的脚手架,即通过app.NewKubeletCommand()构建了kubelet主逻辑,后续深入分析
command := app.NewKubeletCommand()
#日志初始化配置,及预设好程序退出前做日志清理
logs.InitLogs()
defer logs.FlushLogs()
#通过前面构建,做完前置准备工作后,此处通过command.Execute()发功,发动机转(run)起来
if err := command.Execute(); err != nil {
os.Exit(1)
}
}
进入app.NewKubeletCommand(),定义参数模板,构建command结构体,然后解析不同的参数,最后落入Run函数的kubelet逻辑核心入口
#构建cobra.Command结构体并返回
func NewKubeletCommand() *cobra.Command {
#定义参数解析结构体,flag为命令传参,config为配置文件解析参数
cleanFlagSet := pflag.NewFlagSet(componentKubelet, pflag.ContinueOnError)
cleanFlagSet.SetNormalizeFunc(cliflag.WordSepNormalizeFunc)
kubeletFlags := options.NewKubeletFlags()
kubeletConfig, err := options.NewKubeletConfiguration()
// programmer error
if err != nil {
klog.Fatal(err)
}
#构建cobra.Command结构体
cmd := &cobra.Command{
Use: componentKubelet,
Long: `The kubelet is the primary "node agent" that runs on each`
DisableFlagParsing: true,
#Run对应的是入口核心函数,下一章节将展开重点解析
Run: func(cmd *cobra.Command, args []string) {...}
}
#kubeletFlags引用cleanFlagSet,并将config文件解析出的kubelet参数,纳入进cleanFlagSet,用以启动执行kubelet逻辑使用,最后从cleanFlagSet解析全局通用参数
kubeletFlags.AddFlags(cleanFlagSet)
options.AddKubeletConfigFlags(cleanFlagSet, kubeletConfig)
options.AddGlobalFlags(cleanFlagSet)
#设置命令帮助开关
cleanFlagSet.BoolP("help", "h", false, fmt.Sprintf("help for %s", cmd.Name()))
#添加命令用法及帮助的支线逻辑
const usageFmt = "Usage:\n %s\n\nFlags:\n%s"
cmd.SetUsageFunc(func(cmd *cobra.Command) error {
fmt.Fprintf(cmd.OutOrStderr(), usageFmt, cmd.UseLine(), cleanFlagSet.FlagUsagesWrapped(2))
return nil
})
cmd.SetHelpFunc(func(cmd *cobra.Command, args []string) {
fmt.Fprintf(cmd.OutOrStdout(), "%s\n\n"+usageFmt, cmd.Long, cmd.UseLine(), cleanFlagSet.FlagUsagesWrapped(2))
})
return cmd
}
2. 参数构建
kubelet定义的参数结构体如下:
#通过pflag库构建,构建通用命令的Flag集(cleanFlagSet ),且
cleanFlagSet := pflag.NewFlagSet(componentKubelet, pflag.ContinueOnError)
cleanFlagSet.SetNormalizeFunc(cliflag.WordSepNormalizeFunc)
#通过自定义options库,构建kubeletFlags
kubeletFlags := options.NewKubeletFlags()
#通过自定义options库,构建kubeletConfig
kubeletConfig, err := options.NewKubeletConfiguration()
首先,我们看看cleanFlagSet,通过pflag库生成,pflag为第三方的命令行参数解析包,它相对标准库flag具有更强大的功能并且和更丰富的特性,如需细究可参考(https://www.cnblogs.com/saryli/p/13329445.html),我们先看看pflag.NewFlagSet函数及其传入参数componentKubelet与pflag.ContinueOnError:
#定义cleanFlagSet ,后续是解析
cleanFlagSet := pflag.NewFlagSet(componentKubelet, pflag.ContinueOnError)
#####分割线#####
#参数componentKubelet定义
const (
componentKubelet = "kubelet"
)
#参数pflag.ContinueOnError定义
const (
// ContinueOnError will return an err from Parse() if an error is found
ContinueOnError ErrorHandling = iota
)
#####分割线#####
# 通过传入参数name和errorHandling,简单构建FlagSet结构体并返回
func NewFlagSet(name string, errorHandling ErrorHandling) *FlagSet {
f := &FlagSet{
name: name,
errorHandling: errorHandling,
argsLenAtDash: -1,
interspersed: true,
SortFlags: true,
}
return f
}
#####分割线#####
#flagSet结构体详情,即通用参数配置
// A FlagSet represents a set of defined flags.
type FlagSet struct {
// Usage is the function called when an error occurs while parsing flags.
// The field is a function (not a method) that may be changed to point to
// a custom error handler.
#使用说明
Usage func()
// SortFlags is used to indicate, if user wants to have sorted flags in
// help/usage messages.
SortFlags bool
// ParseErrorsWhitelist is used to configure a whitelist of errors
ParseErrorsWhitelist ParseErrorsWhitelist
name string
parsed bool
actual map[NormalizedName]*Flag
orderedActual []*Flag
sortedActual []*Flag
formal map[NormalizedName]*Flag
orderedFormal []*Flag
sortedFormal []*Flag
shorthands map[byte]*Flag
args []string // arguments after flags
argsLenAtDash int // len(args) when a '--' was located when parsing, or -1 if no --
errorHandling ErrorHandling
output io.Writer // nil means stderr; use out() accessor
interspersed bool // allow interspersed option/non-option args
normalizeNameFunc func(f *FlagSet, name string) NormalizedName
addedGoFlagSets []*goflag.FlagSet
}
#调用标准化设置函数,即参数转换,如:正常参数应该是geturl,可能某人A使用时传入getURL,B使用时传入--getUrl,此处正式为保证差别不大的不同方式传参,可以正常解析出来
cleanFlagSet.SetNormalizeFunc(cliflag.WordSepNormalizeFunc)
#传入转换函数作为标准化执行体,此处为将flag带的下划线"_",转换为横杠"-"
// WordSepNormalizeFunc changes all flags that contain "_" separators
func WordSepNormalizeFunc(f *pflag.FlagSet, name string) pflag.NormalizedName {
if strings.Contains(name, "_") {
return pflag.NormalizedName(strings.Replace(name, "_", "-", -1))
}
return pflag.NormalizedName(name)
}
#####分割线#####
#根据传入的转换函数,对参数做标准化转换
// SetNormalizeFunc allows you to add a function which can translate flag names.
// Flags added to the FlagSet will be translated and then when anything tries to
// look up the flag that will also be translated. So it would be possible to create
// a flag named "getURL" and have it translated to "geturl". A user could then pass
// "--getUrl" which may also be translated to "geturl" and everything will work.
func (f *FlagSet) SetNormalizeFunc(n func(f *FlagSet, name string) NormalizedName) {
#记录下传入的函数
f.normalizeNameFunc = n
f.sortedFormal = f.sortedFormal[:0]
for fname, flag := range f.formal {
#通过normalizeFlagName获取传入的转换函数,并对每一个flag实施转换
nname := f.normalizeFlagName(flag.Name)
if fname == nname {
continue
}
flag.Name = string(nname)
delete(f.formal, fname)
f.formal[nname] = flag
if _, set := f.actual[fname]; set {
delete(f.actual, fname)
f.actual[nname] = flag
}
}
}
#normalizeFlagName执行逻辑如下,先通过GetNormalizeFunc()获取函数句柄,然后执行
func (f *FlagSet) normalizeFlagName(name string) NormalizedName {
n := f.GetNormalizeFunc()
return n(f, name)
}
#GetNormalizeFunc详解,即获取注册进来的转换函数,如果没有注册函数,则返回默认库原参数
// GetNormalizeFunc returns the previously set NormalizeFunc of a function which
// does no translation, if not set previously.
func (f *FlagSet) GetNormalizeFunc() func(f *FlagSet, name string) NormalizedName {
if f.normalizeNameFunc != nil {
return f.normalizeNameFunc
}
#未注册转换函数,将指定name的flag转换为string返回
return func(f *FlagSet, name string) NormalizedName { return NormalizedName(name) }
}
#定义NormalizedName 为string
// NormalizedName is a flag name that has been normalized according to rules
// for the FlagSet (e.g. making '-' and '_' equivalent).
type NormalizedName string
其次,再重点关注kubeletFlags的构建,由k8s内部构建的options库生成,我们看看NewKubeletFlags函数及传入参数cliflag.WordSepNormalizeFunc:
#kubeletFlags构建
kubeletFlags := options.NewKubeletFlags()
#####分割线#####
#NewKubeletFlags函数实现,根据运行平台(linux/windows)确定docker的RuntimeEndpoint,即dockershim的rpc通信入口,dockershim主要负责kubelet与docker之间通信转换
// NewKubeletFlags will create a new KubeletFlags with default values
func NewKubeletFlags() *KubeletFlags {
remoteRuntimeEndpoint := ""
if runtime.GOOS == "linux" {
#linux平台,dockershim的通unix socket入口为"unix:///var/run/dockershim.sock"
remoteRuntimeEndpoint = "unix:///var/run/dockershim.sock"
} else if runtime.GOOS == "windows" {
#windows平台,dockershim的通unix socket入口为"npipe:////./pipe/dockershim"
remoteRuntimeEndpoint = "npipe:////./pipe/dockershim"
}
#构建KubeletFlags并返回,其中KubeletFlags结构体的参数详情,我们将在第3章节中展开详细解析
return &KubeletFlags{
ContainerRuntimeOptions: *NewContainerRuntimeOptions(),
CertDirectory: "/var/lib/kubelet/pki",
RootDirectory: defaultRootDir,
MasterServiceNamespace: metav1.NamespaceDefault,
MaxContainerCount: -1,
MaxPerPodContainerCount: 1,
MinimumGCAge: metav1.Duration{Duration: 0},
NonMasqueradeCIDR: "10.0.0.0/8",
RegisterSchedulable: true,
RemoteRuntimeEndpoint: remoteRuntimeEndpoint,
NodeLabels: make(map[string]string),
RegisterNode: true,
SeccompProfileRoot: filepath.Join(defaultRootDir, "seccomp"),
// prior to the introduction of this flag, there was a hardcoded cap of 50 images
EnableCAdvisorJSONEndpoints: false,
}
}
最后,我们看看kubeletConfig的构建过程
#kubeletConfig构建
kubeletConfig, err := options.NewKubeletConfiguration()
#####分割线#####
#NewKubeletConfiguration实现了kubeletConfig构建细节,通过kubelet.config.k8s.io下的resource类型KubeletConfiguration定义,后续第3章节将重点解析该类resource做展开解析
// NewKubeletConfiguration will create a new KubeletConfiguration with default values
func NewKubeletConfiguration() (*kubeletconfig.KubeletConfiguration, error) {
#构建注册表,并配置好CodecFactory,用于序列化成yaml/json/raw等格式数据,通过client-go生成的通用性模板代码,此处未用上,一般当通过apiserver数据交互时有用
scheme, _, err := kubeletscheme.NewSchemeAndCodecs()
if err != nil {
return nil, err
}
#创建基于v1beta1的KubeletConfiguration空配置
versioned := &v1beta1.KubeletConfiguration{}
#注册表将v1beta1版本作为首选默认配置使用方式
scheme.Default(versioned)
#创建默认基线版本的KubeletConfiguration空配置
config := &kubeletconfig.KubeletConfiguration{}
#将v1beta1版本转换为基线版本
if err := scheme.Convert(versioned, config, nil); err != nil {
return nil, err
}
#将通用配置注入生成默认配置
applyLegacyDefaults(config)
return config, nil
}
#进入NewSchemeAndCodecs可以看到,主要创建新Scheme、并将基线版本与v1beta1的kubeletconfig关联kind注册入Scheme,然后配置序列化编码器,后续将对Scheme做专文分析,此处不做深入剖析
func NewSchemeAndCodecs(mutators ...serializer.CodecFactoryOptionsMutator) (*runtime.Scheme, *serializer.CodecFactory, error) {
#创建scheme
scheme := runtime.NewScheme()
#通过AddToScheme,将通用基线版本kubeletconfig相关资源如:KubeletConfiguration、SerializedNodeConfigSource注入scheme
if err := kubeletconfig.AddToScheme(scheme); err != nil {
return nil, nil, err
}
#通过AddToScheme,将v1beta1版本kubeletconfig相关资源如:KubeletConfiguration、SerializedNodeConfigSource、CredentialProviderConfig注入scheme
if err := kubeletconfigv1beta1.AddToScheme(scheme); err != nil {
return nil, nil, err
}
#对scheme构建序列化、编解码、版本转换流程工厂
codecs := serializer.NewCodecFactory(scheme, mutators...)
return scheme, &codecs, nil
}
3. 参数解析
3.1 flag参数列表
KubeletFlags 结构体如下:
// KubeletFlags contains configuration flags for the Kubelet.
// A configuration field should go in KubeletFlags instead of KubeletConfiguration if any of these are true:
// - its value will never, or cannot safely be changed during the lifetime of a node, or
// - its value cannot be safely shared between nodes at the same time (e.g. a hostname);
// KubeletConfiguration is intended to be shared between nodes.
// In general, please try to avoid adding flags or configuration fields,
// we already have a confusingly large amount of them.
type KubeletFlags struct {
#KubConfig 配置文件路径,该文件主要存放apiserver的访问入口及token,和KubeletConfigFile配置不一样,KubeletConfigFile主要存放kubelet启动参数,两者容易搞混,得注意
KubeConfig string
#TLS Bootstrap配置文件路径
BootstrapKubeconfig string
#以下两个参数均作为测试用,ChaosChance 如果大于 0.0 ,将引入随机客户端错误及延迟
// Insert a probability of random errors during calls to the master.
#ChaosChance 如果大于 0.0 ,将引入随机客户端错误及延迟
ChaosChance float64
// Crash immediately, rather than eating panics.
#ReallyCrashForTesting为true,异常时直接触发crash错误,而忽略panic处理
ReallyCrashForTesting bool
#以下是对node节点做身份标示调整的参数
// HostnameOverride is the hostname used to identify the kubelet instead
// of the actual hostname.
#HostnameOverride 配置后,node信息上报时对节点hostname作重命名
HostnameOverride string
// NodeIP is IP address of the node.
// If set, kubelet will use this IP address for the node.
#NodeIP 配置后,node信息上报时对节点IP将被替换为该配置值
NodeIP string
#container runtime的参数,结构体,主要有镜像、网络等配置参数,后续给出详细
// Container-runtime-specific options.
config.ContainerRuntimeOptions
#CertDirectory用于存放认证信息如:证书、密钥文件的目录,此类认证信息用于与apiserver通信或kubelet server本身的访问认证
// certDirectory is the directory where the TLS certs are located.
// If tlsCertFile and tlsPrivateKeyFile are provided, this flag will be ignored.
CertDirectory string
#CloudProvider 用于指定云厂商,可选使用,比如:对接云厂商的存储、网络等各种组件,将k8s、node托管到云厂商
// cloudProvider is the provider for cloud services.
// +optional
CloudProvider string
#CloudProvider 用于指定云厂商相关配置文件路径,可选使用
// cloudConfigFile is the path to the cloud provider configuration file.
// +optional
CloudConfigFile string
#RootDirectory 指定kubelet管理的根目录,如:volume卷,挂载文件等pod运行时依赖文件管理,一般默认路径为/var/lib/k8s/kubelet
// rootDirectory is the directory path to place kubelet files (volume
// mounts,etc).
RootDirectory string
#DynamicConfigDir 是与DynamicKubeletConfig feature gate一起配合使用的,主要用于kubelet动态热加载配置
// The Kubelet will use this directory for checkpointing downloaded configurations and tracking configuration health.
// The Kubelet will create this directory if it does not already exist.
// The path may be absolute or relative; relative paths are under the Kubelet's current working directory.
// Providing this flag enables dynamic kubelet configuration.
// To use this flag, the DynamicKubeletConfig feature gate must be enabled.
DynamicConfigDir cliflag.StringFlag
#KubeletConfigFile 是kubelet本身的配置文件路径,该文件内容即存放后续KubeletConfiguration 结构体对应的配置内容
// The Kubelet will load its initial configuration from this file.
// The path may be absolute or relative; relative paths are under the Kubelet's current working directory.
// Omit this flag to use the combination of built-in default configuration values and flags.
KubeletConfigFile string
#RegisterNode为true,则自动通过apiserver注册节点信息,默认开启
// registerNode enables automatic registration with the apiserver.
RegisterNode bool
#RegisterWithTaints 配合上面RegisterNode使用,主要是在注册节点信息时,把节点的taint信息也一起上报
// registerWithTaints are an array of taints to add to a node object when
// the kubelet registers itself. This only takes effect when registerNode
// is true and upon the initial registration of the node.
RegisterWithTaints []core.Taint
#WindowsService 当kubelet运行在windows系统上时,该参数必须为true
// WindowsService should be set to true if kubelet is running as a service on Windows.
// Its corresponding flag only gets registered in Windows builds.
WindowsService bool
#WindowsPriorityClass 用于在windows系统中,设置kubelet进程的优先级,默认级别是NORMAL_PRIORITY_CLASS
// WindowsPriorityClass sets the priority class associated with the Kubelet process
// Its corresponding flag only gets registered in Windows builds
// The default priority class associated with any process in Windows is NORMAL_PRIORITY_CLASS. Keeping it as is
// to maintain backwards compatibility.
// Source: https://docs.microsoft.com/en-us/windows/win32/procthread/scheduling-priorities
WindowsPriorityClass string
#RemoteRuntimeEndpoint 是用于指定container runtime 的rpc访问入口,目前在 Linux 上支持 unix 套接字,在 windows 上支持 tcp 。例如:‘unix:///var/run/dockershim.sock’,‘tcp://localhost:3735’(默认‘unix:///var/run/dockershim.sock’)
// remoteRuntimeEndpoint is the endpoint of remote runtime service
RemoteRuntimeEndpoint string
#RemoteImageEndpoint 适用于指定Image 管理的rpc访问入口,默认
// remoteImageEndpoint is the endpoint of remote image service
RemoteImageEndpoint string
#ExperimentalMounterPath 用于指定挂载工具的路径,不设置则为默认路径
// experimentalMounterPath is the path of mounter binary. Leave empty to use the default mount path
ExperimentalMounterPath string
#ExperimentalCheckNodeCapabilitiesBeforeMount 如果设置为 true , kubelet 将在执行 mount 之前检查基础节点所需组件的执行文件,检查失败,则mount 操作失败
// This flag, if set, enables a check prior to mount operations to verify that the required components
// (binaries, etc.) to mount the volume are available on the underlying node. If the check is enabled
// and fails the mount operation fails.
ExperimentalCheckNodeCapabilitiesBeforeMount bool
#ExperimentalNodeAllocatableIgnoreEvictionThreshold 设置为 true ,计算节点分配时硬清理阈值将被忽略,用于做调度管理,默认为false,详细可参考:https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md
// This flag, if set, will avoid including `EvictionHard` limits while computing Node Allocatable.
// Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information.
ExperimentalNodeAllocatableIgnoreEvictionThreshold bool
#NodeLabels 用于设置节点的labels信息,在注册给apiserver时,上报过去
// Node Labels are the node labels to add when registering the node in the cluster
NodeLabels map[string]string
#LockFilePath 适用于设置kubelet文件锁路径,配合下面的开关使用
// lockFilePath is the path that kubelet will use to as a lock file.
// It uses this file as a lock to synchronize with other kubelet processes
// that may be running.
LockFilePath string
#ExitOnLockContention 用于kubelet避重的开关,配合上面LockFilePath使用
// ExitOnLockContention is a flag that signifies to the kubelet that it is running
// in "bootstrap" mode. This requires that 'LockFilePath' has been set.
// This will cause the kubelet to listen to inotify events on the lock file,
// releasing it and exiting when another process tries to open that file.
ExitOnLockContention bool
#SeccompProfileRoot 用于指定seccomp配置文件目录,默认/var/lib/kubelet/seccomp,主要用作容器安全配置,Seccomp(Secure computing mode) 是一个 Linux 内核安全模块,可用于应用进程允许使用的系统调用
// seccompProfileRoot is the directory path for seccomp profiles.
SeccompProfileRoot string
#以下是已经废弃的参数,就不做深入分析了,当前k8s源码版本为1.22,即1.22后这些参数都将废弃掉
// DEPRECATED FLAGS
// minimumGCAge is the minimum age for a finished container before it is
// garbage collected.
MinimumGCAge metav1.Duration
// maxPerPodContainerCount is the maximum number of old instances to
// retain per container. Each container takes up some disk space.
MaxPerPodContainerCount int32
// maxContainerCount is the maximum number of old instances of containers
// to retain globally. Each container takes up some disk space.
MaxContainerCount int32
// masterServiceNamespace is The namespace from which the kubernetes
// master services should be injected into pods.
MasterServiceNamespace string
// registerSchedulable tells the kubelet to register the node as
// schedulable. Won't have any effect if register-node is false.
// DEPRECATED: use registerWithTaints instead
RegisterSchedulable bool
// nonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.
NonMasqueradeCIDR string
// This flag, if set, instructs the kubelet to keep volumes from terminated pods mounted to the node.
// This can be useful for debugging volume related issues.
KeepTerminatedPodVolumes bool
// EnableCAdvisorJSONEndpoints enables some cAdvisor endpoints that will be removed in future versions
EnableCAdvisorJSONEndpoints bool
}
3.2 config参数列表
KubeletConfiguration 结构体,此处为v1beta1版本的,与基线版本略有差异,从该结构体可以看出,其结构与k8s资源一样,有metadata、kind,甚至有关联的Group(kubelet.config.k8s.io)和Version(v1beta1),
#GroupName 即KubeletConfiguration 资源归属的Group
// GroupName is the group name used in this package
const GroupName = "kubelet.config.k8s.io"
#####分割线#####
#以下是KubeletConfiguration 详解
// KubeletConfiguration contains the configuration for the Kubelet
type KubeletConfiguration struct {
#metav1.TypeMeta,k8s资源KubeletConfiguration的元数据信息,承载APIversion及Kind信息的
metav1.TypeMeta `json:",inline"`
#EnableServer 即kubelet 是否开启https server的开关,kubelet server监听本地10250端口,默认为true
// enableServer enables Kubelet's secured server.
// Note: Kubelet's insecure port is controlled by the readOnlyPort option.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: true
EnableServer *bool `json:"enableServer,omitempty"`
#StaticPodPath k8s支持static pod模式,该参数即本地static pod的配置文件所在路径
// staticPodPath is the path to the directory containing local (static) pods to
// run, or the path to a single static pod file.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// the set of static pods specified at the new path may be different than the
// ones the Kubelet initially started with, and this may disrupt your node.
// Default: ""
// +optional
StaticPodPath string `json:"staticPodPath,omitempty"`
#SyncFrequency 即kubelet 对比同步在运行容器和配置之间的最大时间间隔 (默认 1m0s),即修改了pod配置,最多1m后开始更新容器,若调小后,可能会带来性能压力,特别是节点上pod持续增加的情况
// syncFrequency is the max period between synchronizing running
// containers and config.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// shortening this duration may have a negative performance impact, especially
// as the number of Pods on the node increases. Alternatively, increasing this
// duration will result in longer refresh times for ConfigMaps and Secrets.
// Default: "1m"
// +optional
SyncFrequency metav1.Duration `json:"syncFrequency,omitempty"`
#SyncFrequency 即kubelet 检测本地static pod配置文件以获取新的static pod部署数据的周期,默认20s,同样若调小后,可能会带来性能压力,特别是节点上pod持续增加的情况
// fileCheckFrequency is the duration between checking config files for
// new data
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// shortening the duration will cause the Kubelet to reload local Static Pod
// configurations more frequently, which may have a negative performance impact.
// Default: "20s"
// +optional
FileCheckFrequency metav1.Duration `json:"fileCheckFrequency,omitempty"`
#HTTPCheckFrequency 即kubelet通过http的方式,检测远程的static pod配置文件以获取新的static pod部署数据的周期,默认20s,同样若调小后,可能会带来性能压力,特别是节点上pod持续增加的情况
// httpCheckFrequency is the duration between checking http for new data
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// shortening the duration will cause the Kubelet to poll staticPodURL more
// frequently, which may have a negative performance impact.
// Default: "20s"
// +optional
HTTPCheckFrequency metav1.Duration `json:"httpCheckFrequency,omitempty"`
#StaticPodURL 即通过http 方式部署的static pod配置文件URL ,kubelet通过该URL拉取static pod 配置以运行该pod
// staticPodURL is the URL for accessing static pods to run
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// the set of static pods specified at the new URL may be different than the
// ones the Kubelet initially started with, and this may disrupt your node.
// Default: ""
// +optional
StaticPodURL string `json:"staticPodURL,omitempty"`
#StaticPodURLHeader 即通过http方式拉起批量static pod时,配置访问各URL所需要的http header信息
// staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt the ability to read the latest set of static pods from StaticPodURL.
// Default: nil
// +optional
StaticPodURLHeader map[string][]string `json:"staticPodURLHeader,omitempty"`
#Address 即指定kubelet本地server绑定的IP地址,默认是0.0.0.0
// address is the IP address for the Kubelet to serve on (set to 0.0.0.0
// for all interfaces).
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: "0.0.0.0"
// +optional
Address string `json:"address,omitempty"`
#Port 即指定kubelet本地server监听的端口,默认10250,访问该端口一般需要认证,可通过该端口查看kubelet信息或传入部分参数
// port is the port for the Kubelet to serve on.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: 10250
// +optional
Port int32 `json:"port,omitempty"`
#ReadOnlyPort 即指定kubelet本地server只读服务的监听端口,无需认证,默认关闭,一般设置为10255端口,通过该端口访问一些基本只读信息
// readOnlyPort is the read-only port for the Kubelet to serve on with
// no authentication/authorization.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: 0 (disabled)
// +optional
ReadOnlyPort int32 `json:"readOnlyPort,omitempty"`
#TLSCertFile 即kubelet tls 认证的证书文件路径,默认为空
// tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert,
// if any, concatenated after server cert). If tlsCertFile and
// tlsPrivateKeyFile are not provided, a self-signed certificate
// and key are generated for the public address and saved to the directory
// passed to the Kubelet's --cert-dir flag.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: ""
// +optional
TLSCertFile string `json:"tlsCertFile,omitempty"`
#TLSPrivateKeyFile 即kubelet 的TLS私钥文件路径,默认为空
// tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: ""
// +optional
TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"`
#TLSCipherSuites 即给出TLS通信加密的方式或算法,如:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
// TLSCipherSuites is the list of allowed cipher suites for the server.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: nil
// +optional
TLSCipherSuites []string `json:"tlsCipherSuites,omitempty"`
#TLSMinVersion 即指定kubelet加密通信支持的最低TLS版本,默认为空
// TLSMinVersion is the minimum TLS version supported.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: ""
// +optional
TLSMinVersion string `json:"tlsMinVersion,omitempty"`
#RotateCertificates 即kubelet的证书更新开关,开启后,kubelet将会向certificates.k8s.io API申请新的认证授权,但这个申请需要一个权威认证机构做认证签名,默认关闭
// rotateCertificates enables client certificate rotation. The Kubelet will request a
// new certificate from the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// disabling it may disrupt the Kubelet's ability to authenticate with the API server
// after the current certificate expires.
// Default: false
// +optional
RotateCertificates bool `json:"rotateCertificates,omitempty"`
#ServerTLSBootstrap 即kubelet TLSBootstrap开关,支持kubelet通过远程获取证书,默认关闭使用时必须保证RotateKubeletServerCertificate feature gate开启
// serverTLSBootstrap enables server certificate bootstrap. Instead of self
// signing a serving certificate, the Kubelet will request a certificate from
// the certificates.k8s.io API. This requires an approver to approve the
// certificate signing requests. The RotateKubeletServerCertificate feature
// must be enabled.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// disabling it will stop the renewal of Kubelet server certificates, which can
// disrupt components that interact with the Kubelet server in the long term,
// due to certificate expiration.
// Default: false
// +optional
ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"`
#Authentication 即指定kubelet 的本地server通过什么方式认证,可支持x509,webhook或anonymous匿名访问,可选配置
// authentication specifies how requests to the Kubelet's server are authenticated
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Defaults:
// anonymous:
// enabled: false
// webhook:
// enabled: true
// cacheTTL: "2m"
// +optional
Authentication KubeletAuthentication `json:"authentication"`
#Authorization 即指定kubelet 本地server的授权方式,支持两种模式:AlwaysAllow与Webhook,可选使用
// authorization specifies how requests to the Kubelet's server are authorized
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Defaults:
// mode: Webhook
// webhook:
// cacheAuthorizedTTL: "5m"
// cacheUnauthorizedTTL: "30s"
// +optional
Authorization KubeletAuthorization `json:"authorization"`
#RegistryPullQPS 即限制kubelet 拉取镜像时的并发数,默认5个
// registryPullQPS is the limit of registry pulls per second.
// Set to 0 for no limit.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic produced
// by image pulls.
// Default: 5
// +optional
RegistryPullQPS *int32 `json:"registryPullQPS,omitempty"`
#RegistryBurst 即指定kubelet 遇突发情况,最大镜像拉取并发数,仅临时允许,默认10个
// registryBurst is the maximum size of bursty pulls, temporarily allows
// pulls to burst to this number, while still not exceeding registryPullQPS.
// Only used if registryPullQPS > 0.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic produced
// by image pulls.
// Default: 10
// +optional
RegistryBurst int32 `json:"registryBurst,omitempty"`
#EventRecordQPS 即指定kubelet 每秒记录的最多事件数,默认是5个,如果设置为0,则不限制
// eventRecordQPS is the maximum event creations per second. If 0, there
// is no limit enforced.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic produced by
// event creations.
// Default: 5
// +optional
EventRecordQPS *int32 `json:"eventRecordQPS,omitempty"`
#EventBurst 即指定kubelet 遇突发情况,每秒记录的最多事件数,默认是10个,仅临时允许,作弹性调和使用
// eventBurst is the maximum size of a burst of event creations, temporarily
// allows event creations to burst to this number, while still not exceeding
// eventRecordQPS. Only used if eventRecordQPS > 0.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic produced by
// event creations.
// Default: 10
// +optional
EventBurst int32 `json:"eventBurst,omitempty"`
#EnableDebuggingHandlers 即kubelet 是否支持常用调试、运行、查看pod操作(如:exec、attach、logs等)的开关,默认开启
// enableDebuggingHandlers enables server endpoints for log access
// and local running of containers and commands, including the exec,
// attach, logs, and portforward features.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// disabling it may disrupt components that interact with the Kubelet server.
// Default: true
// +optional
EnableDebuggingHandlers *bool `json:"enableDebuggingHandlers,omitempty"`
#EnableContentionProfiling 即kubelet 如果开启了性能分析,该开关将控制是否启用锁竞争分析
// enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// enabling it may carry a performance impact.
// Default: false
// +optional
EnableContentionProfiling bool `json:"enableContentionProfiling,omitempty"`
#HealthzPort 即kubelet 本地的健康检查端口,默认10248
// healthzPort is the port of the localhost healthz endpoint (set to 0 to disable)
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that monitor Kubelet health.
// Default: 10248
// +optional
HealthzPort *int32 `json:"healthzPort,omitempty"`
#HealthzBindAddress 即kubelet 本地的健康检查绑定IP,默认127.0.0.1
// healthzBindAddress is the IP address for the healthz server to serve on
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that monitor Kubelet health.
// Default: "127.0.0.1"
// +optional
HealthzBindAddress string `json:"healthzBindAddress,omitempty"`
#OOMScoreAdj 即设置kubelet 进程的oom_score-adj,取值区间为[-1000, 1000],通过该值调优,可以尽量避免kubelet因oom被杀掉,导致影响整个节点上的pod运行
// oomScoreAdj is The oom-score-adj value for kubelet process. Values
// must be within the range [-1000, 1000].
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the stability of nodes under memory pressure.
// Default: -999
// +optional
OOMScoreAdj *int32 `json:"oomScoreAdj,omitempty"`
#ClusterDomain 指定集群的DNS域,可选设置,若指定,kubelet将该配置打入容器的host 搜索域,默认为空,可选使用
// clusterDomain is the DNS domain for this cluster. If set, kubelet will
// configure all containers to search this domain in addition to the
// host's search domains.
// Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended,
// as it should be kept in sync with the rest of the cluster.
// Default: ""
// +optional
ClusterDomain string `json:"clusterDomain,omitempty"`
#ClusterDNS 即指定集群的DNS服务器的IP地址,可选设置,若指定,kubelet将该IP列表打入容器中的hosts配置中去,默认为空
// clusterDNS is a list of IP addresses for the cluster DNS server. If set,
// kubelet will configure all containers to use this for DNS resolution
// instead of the host's DNS servers.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// changes will only take effect on Pods created after the update. Draining
// the node is recommended before changing this field.
// Default: nil
// +optional
ClusterDNS []string `json:"clusterDNS,omitempty"`
#StreamingConnectionIdleTimeout 即kubelet的数据流链接最大空闲时间,超过后将自动关闭,默认4h
// streamingConnectionIdleTimeout is the maximum time a streaming connection
// can be idle before the connection is automatically closed.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact components that rely on infrequent updates over streaming
// connections to the Kubelet server.
// Default: "4h"
// +optional
StreamingConnectionIdleTimeout metav1.Duration
`json:"streamingConnectionIdleTimeout,omitempty"`
#NodeStatusUpdateFrequency 即kubelet 统计检测node节点状态的频率,默认10s,如果lease feature gate未打开,该频率也即kubelet通过apiserver上报心跳的频率
// nodeStatusUpdateFrequency is the frequency that kubelet computes node
// status. If node lease feature is not enabled, it is also the frequency that
// kubelet posts node status to master.
// Note: When node lease feature is not enabled, be cautious when changing the
// constant, it must work with nodeMonitorGracePeriod in nodecontroller.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact node scalability, and also that the node controller's
// nodeMonitorGracePeriod must be set to N*NodeStatusUpdateFrequency,
// where N is the number of retries before the node controller marks
// the node unhealthy.
// Default: "10s"
// +optional
NodeStatusUpdateFrequency metav1.Duration `json:"nodeStatusUpdateFrequency,omitempty"`
#NodeStatusReportFrequency 即kubelet 通过apiserver更新node节点状态的周期
// nodeStatusReportFrequency is the frequency that kubelet posts node
// status to master if node status does not change. Kubelet will ignore this
// frequency and post node status immediately if any change is detected. It is
// only used when node lease feature is enabled. nodeStatusReportFrequency's
// default value is 1m. But if nodeStatusUpdateFrequency is set explicitly,
// nodeStatusReportFrequency's default value will be set to
// nodeStatusUpdateFrequency for backward compatibility.
// Default: "1m"
// +optional
NodeStatusReportFrequency metav1.Duration `json:"nodeStatusReportFrequency,omitempty"`
--------------------------------------------------------------------------------------
#NodeLeaseDurationSeconds 即kubelet 的NodeLease 更新周期,配合NodeLease feature使用,NodeLease 是k8s新特性,用于优化kubelet通过apiserver上报信息的效率,减轻了 API Server 的负担
// nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease,
// when the NodeLease feature is enabled. This feature provides an indicator of node
// health by having the Kubelet create and periodically renew a lease, named after the node,
// in the kube-node-lease namespace. If the lease expires, the node can be considered unhealthy.
// The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal interval
// may be set based on the lease duration.
// Requires the NodeLease feature gate to be enabled.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// decreasing the duration may reduce tolerance for issues that temporarily prevent
// the Kubelet from renewing the lease (e.g. a short-lived network issue).
// Default: 40
// +optional
NodeLeaseDurationSeconds int32 `json:"nodeLeaseDurationSeconds,omitempty"`
#ImageMinimumGCAge 即kubelet 设置未使用镜像的最短存在时长,超过后kubelet将会启动镜像自动清理,释放空间,默认2m
// imageMinimumGCAge is the minimum age for an unused image before it is
// garbage collected.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay garbage collection, and may change the image overhead
// on the node.
// Default: "2m"
// +optional
ImageMinimumGCAge metav1.Duration `json:"imageMinimumGCAge,omitempty"`
#ImageGCHighThresholdPercent 即kubelet 限制镜像强制回收的磁盘上限临界值,默认磁盘占用超过85%,强制启动镜像回收,将未使用的镜像清理掉,以释放磁盘空间
// imageGCHighThresholdPercent is the percent of disk usage after which
// image garbage collection is always run. The percent is calculated as
// this field value out of 100.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay garbage collection, and may change the image overhead
// on the node.
// Default: 85
// +optional
ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"`
#ImageGCLowThresholdPercent 即kubelet 限制镜像强制回收的磁盘下限临界值,默认磁盘占用低于80%,将不会触发镜像回收策略
// imageGCLowThresholdPercent is the percent of disk usage before which
// image garbage collection is never run. Lowest disk usage to garbage
// collect to. The percent is calculated as this field value out of 100.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay garbage collection, and may change the image overhead
// on the node.
// Default: 80
// +optional
ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"`
#VolumeStatsAggPeriod 即kubelet 计算统计pods磁盘使用情况的频率,默认1m
// How frequently to calculate and cache volume disk usage for all pods
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// shortening the period may carry a performance impact.
// Default: "1m"
// +optional
VolumeStatsAggPeriod metav1.Duration `json:"volumeStatsAggPeriod,omitempty"`
#KubeletCgroups 即kubelet cgroup配置信息的根目录
// kubeletCgroups is the absolute name of cgroups to isolate the kubelet in
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: ""
// +optional
KubeletCgroups string `json:"kubeletCgroups,omitempty"`
#SystemCgroups 即系统非内核进程的cgroup配置目录
// systemCgroups is absolute name of cgroups in which to place
// all non-kernel processes that are not already in a container. Empty
// for no container. Rolling back the flag requires a reboot.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: ""
// +optional
SystemCgroups string `json:"systemCgroups,omitempty"`
#CgroupRoot 即kubelet 设置用于管理pods资源使用及配额限制的cgroup根目录
// cgroupRoot is the root cgroup to use for pods. This is handled by the
// container runtime on a best effort basis.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: ""
// +optional
CgroupRoot string `json:"cgroupRoot,omitempty"`
#CgroupsPerQOS 即cgroup按QOS模式(Guaranteed/Burstable/BestEffort)做分级管理的设置开关,默认开启
// Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes
// And all Burstable and BestEffort pods are brought up under their
// specific top level QoS cgroup.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: true
// +optional
CgroupsPerQOS *bool `json:"cgroupsPerQOS,omitempty"`
#CgroupDriver 即cgroup管理的引擎,支持cgroupfs或systemd,默认cgroupfs
// driver that the kubelet uses to manipulate cgroups on the host (cgroupfs or systemd)
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: "cgroupfs"
// +optional
CgroupDriver string `json:"cgroupDriver,omitempty"`
#CPUManagerPolicy 用于设置cpu的使用策略,即cpuset能力,对pod进行绑定cpu分配使用,支持none和static,默认为none,设置为static,则开启cpuset,配合CPUManager feature使用
// CPUManagerPolicy is the name of the policy to use.
// Requires the CPUManager feature gate to be enabled.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: "none"
// +optional
CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"`
#CPUManagerReconcilePeriod CPU manager会定期通过CRI对资源状态进行更新,以使内存、CPU实际使用数量与cgroupfs保持一致。Kubelet通过该参数值设置资源状态更新频率,默认10s,若未指定,则默认为与--node-status-update-frequency的值相同,配合CPUManager feature使用
// CPU Manager reconciliation period.
// Requires the CPUManager feature gate to be enabled.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// shortening the period may carry a performance impact.
// Default: "10s"
// +optional
CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"`
#TopologyManagerPolicy 该参数主要用于性能优化,kubelet 创建pod时,开启该特性后,将根据node的numa结构做资源分配管理,支持四种策略None,BestEffort,Restricted和SingleNumaNode,用于设置numa亲和性,优化线程执行效率,配合TopologyManager feature使用
// TopologyManagerPolicy is the name of the policy to use.
// Policies other than "none" require the TopologyManager feature gate to be enabled.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: "none"
// +optional
TopologyManagerPolicy string `json:"topologyManagerPolicy,omitempty"
#TopologyManagerScope 即TopologyManagerPolicy的作用范围,支持container和pod两类,默认为container,同样,配合TopologyManager feature使用
// TopologyManagerScope represents the scope of topology hint generation
// that topology manager requests and hint providers generate.
// "pod" scope requires the TopologyManager feature gate to be enabled.
// Default: "container"
// +optional
TopologyManagerScope string `json:"topologyManagerScope,omitempty"`
#QOSReserved 即设置系统为不通过 QOS模式的资源预留比例,当前只支持memory,配合QOSReserved feature使用
// qosReserved is a set of resource name to percentage pairs that specify
// the minimum percentage of a resource reserved for exclusive use by the
// guaranteed QoS tier.
// Currently supported resources: "memory"
// Requires the QOSReserved feature gate to be enabled.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: nil
// +optional
QOSReserved map[string]string `json:"qosReserved,omitempty"`
#RuntimeRequestTimeout 即kubelet 设置所有运行时请求(pull, logs, exec and attach)的超时时限,默认2m
// runtimeRequestTimeout is the timeout for all runtime requests except long running
// requests - pull, logs, exec and attach.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may disrupt components that interact with the Kubelet server.
// Default: "2m"
// +optional
RuntimeRequestTimeout metav1.Duration `json:"runtimeRequestTimeout,omitempty"`
#HairpinMode 用于 kubelet 如何设置 hairpin NAT(“发夹”转换), 该模式允许后端Endpoint在访问本身Service时能够再次loadbalance回本身,可选设置值为 promiscuous-bridge、hairpin-veth和 none,默认 promiscuous-bridge
// hairpinMode specifies how the Kubelet should configure the container
// bridge for hairpin packets.
// Setting this flag allows endpoints in a Service to loadbalance back to
// themselves if they should try to access their own Service. Values:
// "promiscuous-bridge": make the container bridge promiscuous.
// "hairpin-veth": set the hairpin flag on container veth interfaces.
// "none": do nothing.
// Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT,
// because promiscuous-bridge assumes the existence of a container bridge named cbr0.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may require a node reboot, depending on the network plugin.
// Default: "promiscuous-bridge"
// +optional
HairpinMode string `json:"hairpinMode,omitempty"`
#MaxPods 即限定node节点上可以运行的pod数,默认110个
// maxPods is the number of pods that can run on this Kubelet.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// changes may cause Pods to fail admission on Kubelet restart, and may change
// the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting
// future scheduling decisions. Increasing this value may also decrease performance,
// as more Pods can be packed into a single node.
// Default: 110
// +optional
MaxPods int32 `json:"maxPods,omitempty"`
#PodCIDR kubelet指定pod IP所在的CIDR,仅在standalone模式中起效,在cluster模式时,由master管理组件设置,默认为空
// The CIDR to use for pod IP addresses, only used in standalone mode.
// In cluster mode, this is obtained from the master.
// Dynamic Kubelet Config (beta): This field should always be set to the empty default.
// It should only set for standalone Kubelets, which cannot use Dynamic Kubelet Config.
// Default: ""
// +optional
PodCIDR string `json:"podCIDR,omitempty"`
#PodPidsLimit 即通过kubelet 配置,限定pod的最大进程数,默认为-1,不做限制
// PodPidsLimit is the maximum number of pids in any pod.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// lowering it may prevent container processes from forking after the change.
// Default: -1
// +optional
PodPidsLimit *int64 `json:"podPidsLimit,omitempty"`
#ResolverConfig 用于指定容器内使用的DNS解析配置文件,默认/etc/resolv.conf
// ResolverConfig is the resolver configuration file used as the basis
// for the container DNS resolution configuration.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// changes will only take effect on Pods created after the update. Draining
// the node is recommended before changing this field.
// Default: "/etc/resolv.conf"
// +optional
ResolverConfig string `json:"resolvConf,omitempty"`
#RunOnce 即kubelet 从本地 manifest 或者 URL 指定的 manifest 读取并运行结束就退出,设置为true表示在创建完Pod后立即退出kubelet进程,和 --api-servers 、--enable-server 互斥,默认false
// RunOnce causes the Kubelet to check the API server once for pods,
// run those in addition to the pods specified by static pod files, and exit.
// Default: false
// +optional
RunOnce bool `json:"runOnce,omitempty"`
#CPUCFSQuota 即kubelet 是否开启cpu公平调度(cfs)算法,来保证指定了limits配置的容器使用
// cpuCFSQuota enables CPU CFS quota enforcement for containers that
// specify CPU limits.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// disabling it may reduce node stability.
// Default: true
// +optional
CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"`
#CPUCFSQuotaPeriod 即kubelet指定 cpu公平调度(cfs)的时间调度分配单位,默认100ms
// CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// limits set for containers will result in different cpu.cfs_quota settings. This
// will trigger container restarts on the node being reconfigured.
// Default: "100ms"
// +optional
CPUCFSQuotaPeriod *metav1.Duration `json:"cpuCFSQuotaPeriod,omitempty"`
#NodeStatusMaxImages 限制Node.Status.Images中的镜像数量,默认50,若设置为-1,则不限制
// nodeStatusMaxImages caps the number of images reported in Node.Status.Images.
// Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// different values can be reported on node status.
// Default: 50
// +optional
NodeStatusMaxImages *int32 `json:"nodeStatusMaxImages,omitempty"`
#MaxOpenFiles 即kubelet 进程能打开的最大文件数,默认1000000
// maxOpenFiles is Number of files that can be opened by Kubelet process.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the ability of the Kubelet to interact with the node's filesystem.
// Default: 1000000
// +optional
MaxOpenFiles int64 `json:"maxOpenFiles,omitempty"`
#ContentType 即kubelet 向apiserver发http请求时,指定的contentType ,默认是application/vnd.kubernetes.protobuf
// contentType is contentType of requests sent to apiserver.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the ability for the Kubelet to communicate with the API server.
// If the Kubelet loses contact with the API server due to a change to this field,
// the change cannot be reverted via dynamic Kubelet config.
// Default: "application/vnd.kubernetes.protobuf"
// +optional
ContentType string `json:"contentType,omitempty"`
#KubeAPIQPS 即kubelet 与apiserver通信时的QPS限制,默认为5
// kubeAPIQPS is the QPS to use while talking with kubernetes apiserver
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic the Kubelet
// sends to the API server.
// Default: 5
// +optional
KubeAPIQPS *int32 `json:"kubeAPIQPS,omitempty"`
#KubeAPIBurst 即突发场景下,kubelet 与apiserver通信时的临时QPS上限,默认为10
// kubeAPIBurst is the burst to allow while talking with kubernetes apiserver
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact scalability by changing the amount of traffic the Kubelet
// sends to the API server.
// Default: 10
// +optional
KubeAPIBurst int32 `json:"kubeAPIBurst,omitempty"`
#SerializeImagePulls 即kubelet 串行拉取镜像开关,开启后kubelet每次只拉一个镜像,默认开启,在docker低于1.9版本,或引用aufs做后端存储驱动时,建议按默认值来,不要随意改动
// serializeImagePulls when enabled, tells the Kubelet to pull images one
// at a time. We recommend *not* changing the default value on nodes that
// run docker daemon with version < 1.9 or an Aufs storage backend.
// Issue #10959 has more details.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the performance of image pulls.
// Default: true
// +optional
SerializeImagePulls *bool `json:"serializeImagePulls,omitempty"`
#EvictionHard 用于设置node硬性驱逐的关联参数及临界值,即node节点资源使用超过配置的这些参数临界值后,kubelet 强制发起发起驱逐pod,可传具体值,也可用百分比传值,默认memory可用值低于100Mi,或node可用磁盘空间低于10%,或inode可用数低于5%,或镜像存储空间低于15%,则触发驱逐
// Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}.
// To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay Pod evictions.
// Default:
// memory.available: "100Mi"
// nodefs.available: "10%"
// nodefs.inodesFree: "5%"
// imagefs.available: "15%"
// +optional
EvictionHard map[string]string `json:"evictionHard,omitempty"`
#EvictionSoft 即kubelet软性驱逐的关联参数及临界值,当超过该配置值后,不一定会触发驱逐,默认为空
// Map of signal names to quantities that defines soft eviction thresholds.
// For example: {"memory.available": "300Mi"}.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay Pod evictions, and may change the allocatable reported
// by the node.
// Default: nil
// +optional
EvictionSoft map[string]string `json:"evictionSoft,omitempty"`
#EvictionSoftGracePeriod 即kubelet 针对不同指标,在触发各个软性驱逐之间,设置优雅等待时间间隔,避免频繁触发驱逐,可选使用
// Map of signal names to quantities that defines grace periods for each soft eviction signal.
// For example: {"memory.available": "30s"}.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger or delay Pod evictions.
// Default: nil
// +optional
EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"`
#EvictionPressureTransitionPeriod 即kubelet 在清理驱逐压力状态之前,需要等待的时间,默认5m,可选设置
// Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// lowering it may decrease the stability of the node when the node is overcommitted.
// Default: "5m"
// +optional
EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"`
#EvictionMaxPodGracePeriod 在软性驱逐场景中,停掉pod所允许的最大优雅等待时间,默认为0,可选设置
// Maximum allowed grace period (in seconds) to use when terminating pods in
// response to a soft eviction threshold being met. This value effectively caps
// the Pod's TerminationGracePeriodSeconds value during soft evictions.
// Note: Due to issue #64530, the behavior has a bug where this value currently just
// overrides the grace period during soft eviction, which can increase the grace
// period from what is set on the Pod. This bug will be fixed in a future release.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// lowering it decreases the amount of time Pods will have to gracefully clean
// up before being killed during a soft eviction.
// Default: 0
// +optional
EvictionMaxPodGracePeriod int32 `json:"evictionMaxPodGracePeriod,omitempty"`
#EvictionMinimumReclaim 用于指定驱逐触发时,最小的回收保证资源量,如:{"imagefs.available": "2Gi"},默认为空
// Map of signal names to quantities that defines minimum reclaims, which describe the minimum
// amount of a given resource the kubelet will reclaim when performing a pod eviction while
// that resource is under pressure. For example: {"imagefs.available": "2Gi"}
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may change how well eviction can manage resource pressure.
// Default: nil
// +optional
EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"`
#PodsPerCore 即设置每个cpu core能承载的最大pod数,与MaxPods配合使用,两者取其小,默认为0,即不做限制
// podsPerCore is the maximum number of pods per core. Cannot exceed MaxPods.
// If 0, this field is ignored.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// changes may cause Pods to fail admission on Kubelet restart, and may change
// the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting
// future scheduling decisions. Increasing this value may also decrease performance,
// as more Pods can be packed into a single node.
// Default: 0
// +optional
PodsPerCore int32 `json:"podsPerCore,omitempty"`
#EnableControllerAttachDetach 设置Attach/Detach controller管理调度到该node上volume的attachment/detachment操作开关,打开时,将允许通过controller做该操作,来取代kubelet 的attach/detach对volume操作管理
// enableControllerAttachDetach enables the Attach/Detach controller to
// manage attachment/detachment of volumes scheduled to this node, and
// disables kubelet from executing any attach/detach operations
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// changing which component is responsible for volume management on a live node
// may result in volumes refusing to detach if the node is not drained prior to
// the update, and if Pods are scheduled to the node before the
// volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the
// Kubelet. In general, it is safest to leave this value set the same as local config.
// Default: true
// +optional
EnableControllerAttachDetach *bool `json:"enableControllerAttachDetach,omitempty"`
#ProtectKernelDefaults 内核参数保护开关,开启时,如果内核参数异常,将导致kubelet错误,除非kubelet将内核参数修改到符合预期
// protectKernelDefaults, if true, causes the Kubelet to error if kernel
// flags are not as it expects. Otherwise the Kubelet will attempt to modify
// kernel flags to match its expectation.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as
// Kubelet expects.
// Default: false
// +optional
ProtectKernelDefaults bool `json:"protectKernelDefaults,omitempty"`
#MakeIPTablesUtilChains 即kubelet 是否将 iptables 规则在主机上生效,默认为true,即生效
// If true, Kubelet ensures a set of iptables rules are present on host.
// These rules will serve as utility rules for various components, e.g. KubeProxy.
// The rules will be created based on IPTablesMasqueradeBit and IPTablesDropBit.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// disabling it will prevent the Kubelet from healing locally misconfigured iptables rules.
// Default: true
// +optional
MakeIPTablesUtilChains *bool `json:"makeIPTablesUtilChains,omitempty"`
#IPTablesMasqueradeBit 用于标记 SNAT 数据包的 fwmark 掩码位,取值范围[0,31],默认14,请将此参数与 kube-proxy 中的相应参数匹配使用
// iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT
// Values must be within the range [0, 31]. Must be different from other mark bits.
// Warning: Please match the value of the corresponding parameter in kube-proxy.
// TODO: clean up IPTablesMasqueradeBit in kube-proxy
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it needs to be coordinated with other components, like kube-proxy, and the update
// will only be effective if MakeIPTablesUtilChains is enabled.
// Default: 14
// +optional
IPTablesMasqueradeBit *int32 `json:"iptablesMasqueradeBit,omitempty"`
#IPTablesDropBit 用于标记丢弃数据包的 fwmark 空间位,取值范围[0,31],默认 15
// iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets.
// Values must be within the range [0, 31]. Must be different from other mark bits.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it needs to be coordinated with other components, like kube-proxy, and the update
// will only be effective if MakeIPTablesUtilChains is enabled.
// Default: 15
// +optional
IPTablesDropBit *int32 `json:"iptablesDropBit,omitempty"`
#FeatureGates 即kubelet 使用到的feature 列表,这些feature 一般是beta版本的试用功能特性,尚未被推广纳入正式功能,可选使用
// featureGates is a map of feature names to bools that enable or disable alpha/experimental
// features. This field modifies piecemeal the built-in default values from
// "k8s.io/kubernetes/pkg/features/kube_features.go".
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider the
// documentation for the features you are enabling or disabling. While we
// encourage feature developers to make it possible to dynamically enable
// and disable features, some changes may require node reboots, and some
// features may require careful coordination to retroactively disable.
// Default: nil
// +optional
FeatureGates map[string]bool `json:"featureGates,omitempty"`
#FailSwapOn 即让kubelet检测是否使用了swap的开关,默认开启,开启后,一旦kubelet启动时检测到使用了swap,则启动失败
// failSwapOn tells the Kubelet to fail to start if swap is enabled on the node.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// setting it to true will cause the Kubelet to crash-loop if swap is enabled.
// Default: true
// +optional
FailSwapOn *bool `json:"failSwapOn,omitempty"`
#ContainerLogMaxSize 即自定义kubelet对容器日志采集文件最大空空间,默认为10Mi
// A quantity defines the maximum size of the container log file before it is rotated.
// For example: "5Mi" or "256Ki".
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may trigger log rotation.
// Default: "10Mi"
// +optional
ContainerLogMaxSize string `json:"containerLogMaxSize,omitempty"`
#ContainerLogMaxFiles 即自定义kubelet对容器日志采集文件最大数量,默认为5
// Maximum number of container log files that can be present for a container.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// lowering it may cause log files to be deleted.
// Default: 5
// +optional
ContainerLogMaxFiles *int32 `json:"containerLogMaxFiles,omitempty"`
#ConfigMapAndSecretChangeDetectionStrategy 即kubelet 对configmap和secret变动的检测机制,默认是Watch被动发现,也是configmap和secret managers的运行模式
// ConfigMapAndSecretChangeDetectionStrategy is a mode in which
// config map and secret managers are running.
// Default: "Watch"
// +optional
ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy `json:"configMapAndSecretChangeDetectionStrategy,omitempty"`
#SystemReserved 用于配置为System进程预留的资源量,比如—system-reserved=cpu=500m,memory=4Gi,ephemeral-storage=4Gi
/* the following fields are meant for Node Allocatable */
// systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G)
// pairs that describe resources reserved for non-kubernetes components.
// Currently only cpu and memory are supported.
// See http://kubernetes.io/docs/user-guide/compute-resources for more detail.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may not be possible to increase the reserved resources, because this
// requires resizing cgroups. Always look for a NodeAllocatableEnforced event
// after updating this field to ensure that the update was successful.
// Default: nil
// +optional
SystemReserved map[string]string `json:"systemReserved,omitempty"`
#KubeReserved 为Kubernetes组件保留的计算资源,例如docker daemon、kubelet、kube-proxy等,比如—kube-reserved=cpu=1000m,memory=8Gi,ephemeral-storage=16Gi
// A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs
// that describe resources reserved for kubernetes system components.
// Currently cpu, memory and local storage for root file system are supported.
// See http://kubernetes.io/docs/user-guide/compute-resources for more detail.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may not be possible to increase the reserved resources, because this
// requires resizing cgroups. Always look for a NodeAllocatableEnforced event
// after updating this field to ensure that the update was successful.
// Default: nil
// +optional
KubeReserved map[string]string `json:"kubeReserved,omitempty"`
#ReservedSystemCPUs 即给系统线程或k8s相关线程预留的cpu资源,此处配置将覆盖system-reserved和kube-reserved配置
// This ReservedSystemCPUs option specifies the cpu list reserved for the host level system threads and kubernetes related threads.
// This provide a "static" CPU list rather than the "dynamic" list by system-reserved and kube-reserved.
// This option overwrites CPUs provided by system-reserved and kube-reserved.
ReservedSystemCPUs string `json:"reservedSystemCPUs,omitempty"`
#ShowHiddenMetricsForVersion 即kubelet 显示已过期的指
// The previous version for which you want to show hidden metrics.
// Only the previous minor version is meaningful, other values will not be allowed.
// The format is <major>.<minor>, e.g.: '1.16'.
// The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics,
// rather than being surprised when they are permanently removed in the release after that.
// Default: ""
// +optional
ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion,omitempty"`
#SystemReservedCgroup 即kubelet指定系统资源预留的cgroup,如果你设置了–system-reserved,那么请一定要设置对应的cgroup,并且该cgroup目录要事先创建好(/sys/fs/cgroup/{subsystem}/system.slice),否则kubelet将不会自动创建导致kubelet启动失败。比如设置为system-reserved-cgroup=/system.slice,需要在每个subsystem的根目录下创建system.slice目录
// This flag helps kubelet identify absolute name of top level cgroup used to enforce `SystemReserved` compute resource reservation for OS system daemons.
// Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: ""
// +optional
SystemReservedCgroup string `json:"systemReservedCgroup,omitempty"`
#KubeReservedCgroup 即kubelet 指定system资源预留的 cgroup,如果你设置了–kube-reserved,那么请一定要设置对应的cgroup,并且该cgroup目录要事先创建好(/sys/fs/cgroup/{subsystem}/kubelet.slice),否则kubelet将不会自动创建导致kubelet启动失败。比如设置为kube-reserved-cgroup=/kubelet.slice,需要在每个subsystem的根目录下创建kubelet.slice目录
// This flag helps kubelet identify absolute name of top level cgroup used to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons.
// Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information.
// Dynamic Kubelet Config (beta): This field should not be updated without a full node
// reboot. It is safest to keep this value the same as the local config.
// Default: ""
// +optional
KubeReservedCgroup string `json:"kubeReservedCgroup,omitempty"`
#EnforceNodeAllocatable node需要展示的可分配配置列表,即通过获取node信息,看到的Allocatable 字段详细内容,可设置如:`none`, `pods`, `system-reserved` & `kube-reserved`等,默认是pods
// This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform.
// This flag accepts a list of options. Acceptable options are `none`, `pods`, `system-reserved` & `kube-reserved`.
// If `none` is specified, no other options may be specified.
// Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// removing enforcements may reduce the stability of the node. Alternatively, adding
// enforcements may reduce the stability of components which were using more than
// the reserved amount of resources; for example, enforcing kube-reserved may cause
// Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved
// may cause system daemons to OOM if they use more than the reserved resources.
// Default: ["pods"]
// +optional
EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"`
#AllowedUnsafeSysctls 即允许pod进行不安全的内核参数调整,给出指定的内核参数调整模块,如:kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*等,默认为空
// A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *).
// Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*.
// These sysctls are namespaced but not allowed by default. For example: "kernel.msg*,net.ipv4.route.min_pmtu"
// Default: []
// +optional
AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"`
#VolumePluginDir 即指定第三方卷操作插件的存放目录
// volumePluginDir is the full path of the directory in which to search
// for additional third party volume plugins.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing
// the volumePluginDir may disrupt workloads relying on third party volume plugins.
// Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
// +optional
VolumePluginDir string `json:"volumePluginDir,omitempty"`
#ProviderID 即第三方云厂商的全局唯一实例ID,用于标示指定的node节点
// providerID, if set, sets the unique id of the instance that an external provider (i.e. cloudprovider)
// can use to identify a specific node.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the ability of the Kubelet to interact with cloud providers.
// Default: ""
// +optional
ProviderID string `json:"providerID,omitempty"`
#KernelMemcgNotification 如果启用, kubelet 将可以通过接收内核 memcg 被动通知,以判定是否达到内存清理阈值,而不一定是kubelet主动轮询
// kernelMemcgNotification, if set, the kubelet will integrate with the kernel memcg notification
// to determine if memory eviction thresholds are crossed rather than polling.
// Dynamic Kubelet Config (beta): If dynamically updating this field, consider that
// it may impact the way Kubelet interacts with the kernel.
// Default: false
// +optional
KernelMemcgNotification bool `json:"kernelMemcgNotification,omitempty"`
#Logging 即kubelet进行日志记录的相关配置,默认设置记录格式为text
// Logging specifies the options of logging.
// Refer [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information.
// Defaults:
// Format: text
// + optional
Logging componentbaseconfigv1alpha1.LoggingConfiguration `json:"logging,omitempty"`
#EnableSystemLogHandler 即kubelet 是否允许通过host:port/logs/访问系统日志,默认为true
// enableSystemLogHandler enables system logs via web interface host:port/logs/
// Default: true
// +optional
EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"`
#ShutdownGracePeriod 即node应该延迟关闭的优雅等待时间,以等待pod终止,指定节点延迟关闭的总持续时间,这是 regular pod 和 critical pod 终止的总宽限期,默认30s
// ShutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown.
// Default: "30s"
// +optional
ShutdownGracePeriod metav1.Duration `json:"shutdownGracePeriod,omitempty"`
#ShutdownGracePeriodCriticalPods 即指定node应该延迟关闭的优雅等待时间,在节点关闭期间指定用于终止关键 Pod的持续时间,该值应小于上面 `ShutdownGracePeriod`
// ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than ShutdownGracePeriod.
// For example, if ShutdownGracePeriod=30s, and ShutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods.
// Default: "10s"
// +optional
ShutdownGracePeriodCriticalPods metav1.Duration `json:"shutdownGracePeriodCriticalPods,omitempty"`
}
4. kubelet参数加载
上面的流程是声明及构建参数结构体,接下来是对参数的配置定义及管理,其中具体的传入参数值解析、校验、加载是在Run函数中,由后续调用cobra的execute()触发主逻辑流程
#定义kubelet的flags参数(即KubeletConfiguration结构体内定义的相关参数,包括ContainerRuntime、os相关参数),并将对应变量添加到cleanFlagSet
kubeletFlags.AddFlags(cleanFlagSet)
#定义kubelet的config参数(即KubeletFlags结构体内定义的相关参数),并将对应变量添加到cleanFlagSet
options.AddKubeletConfigFlags(cleanFlagSet, kubeletConfig)
#定义kubelet的全局参数(包含Klog日志、Cadvisor、CredentialProvider、版本等全局信息参数),并将对应变量添加到cleanFlagSet
options.AddGlobalFlags(cleanFlagSet)
#通过cleanFlagSet设置帮助指引参数
cleanFlagSet.BoolP("help", "h", false, fmt.Sprintf("help for %s", cmd.Name()))
5. 总结
我们再回头对kubelet参数做个总结
- kubelet的参数录入主要通过flag和config的方式
- flag主要支持一些静态配置项,不能在集群中各个Nodes之间共享的配置集,config主要承载可动态修改的配置项,可以在各个node间共享使用
- config支持通过configmap做动态配置,并实现热加载的方式,保证kubelet的配置可动态变动调优
