Configuring the Kubernetes Deployment Environment
- The SELinux security mechanism enabled by default on Linux prevents some ports on the container network from being enabled. As a result, services for virtualization scenarios cannot be deployed. This is the behavior of Linux itself, and Kunpeng BoostKit for Virtualization does not provide a solution to this issue. If you want to use SELinux in your own system, please find a solution by yourself.
- We provide a method for quickly disabling SELinux. The SELinux configuration method provided in Kunpeng BoostKit for Virtualization is for reference only. You need to evaluate the method and bear related risks.
- Disabling SELinux may cause security issues. If you do not plan to enable SELinux, it is recommended that an end-to-end solution be used to eliminate the risks caused by disabling SELinux. You shall bear the security risks by yourself. If you need to enable SELinux, configure fine-grained security rules based on actual SELinux issues to ensure system security.
Configure the Kubernetes deployment environment on the management and compute nodes.
Procedure
- Disable the firewall.
systemctl stop firewalld && systemctl disable firewalld
- Disable SELinux.
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
- Disable the swap partition.
- Disable the swap partition temporarily.
swapoff -a
- Comment out swap in /etc/fstab.
vi /etc/fstab
#/dev/mapper/centos-swap swap swap defaults 0 0
- Check whether the swap partition is disabled.
cat /proc/swaps
If the following information is displayed, the swap partition is disabled:

- Load the kernel module.
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
- Set and apply the sysctl parameters. Because they are written to configuration files, these parameters persist across OS restarts.
- If the OS is CentOS 8.1, run the following commands:
cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sudo sysctl --system

- If the OS is openEuler 20.03, run the following commands:
cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
cat <<EOF | sudo tee /etc/sysctl.conf
net.ipv4.ip_forward = 1
EOF
sudo sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf
sudo sysctl -p /etc/sysctl.conf

- If the OS is CentOS 8.1, run the following commands:
- Enable iptables to check bridged traffic.
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system

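After running the steps above on every management and compute node, it is worth verifying the result rather than trusting that each command succeeded. The following script is an added example and is not part of the Kunpeng BoostKit for Virtualization documentation; it checks the state this procedure is meant to leave behind (swap off and commented out in /etc/fstab, the overlay and br_netfilter modules listed for loading, the three sysctl keys set to 1, and the SELINUX= mode recorded in /etc/selinux/config). Each check takes file content as an argument, so the script runs offline against the constructed sample content embedded below; with `--live` it reads the real files at the paths this page uses (for openEuler 20.03 it concatenates /etc/sysctl.d/99-kubernetes-cri.conf and /etc/sysctl.conf, since the procedure splits the keys across them). The function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the Kubernetes node prerequisites set by this procedure.
# Every check takes file CONTENT (not a path) so it can run against constructed
# samples offline; the --live branch at the bottom feeds it the real files.

# Return 0 if the sysctl content sets all three required keys to 1.
# Accepts "key = 1" or "key=1" and ignores comment lines; the last setting wins.
k8s_sysctl_ok() {
  conf="$1"
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
    val=$(printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' \
          | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" | tail -n1)
    [ "$val" = "1" ] || return 1
  done
  return 0
}

# Return 0 if /proc/swaps content has no device lines (only the header remains).
swap_disabled() {
  n=$(printf '%s\n' "$1" | sed '1d' | grep -c '[^[:space:]]' || true)
  [ "$n" -eq 0 ]
}

# Return 0 if no uncommented fstab line has "swap" in the mount-point column,
# i.e. swap will stay off after a reboot.
fstab_swap_commented() {
  ! printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | awk '$3 == "swap" { found = 1 } END { exit !found }'
}

# Return 0 if the modules-load.d content names both modules the procedure loads.
modules_listed() {
  for m in overlay br_netfilter; do
    printf '%s\n' "$1" | grep -qx "$m" || return 1
  done
  return 0
}

# Print the SELINUX= mode from /etc/selinux/config content (enforcing, permissive or disabled).
selinux_config_mode() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n1
}

# Run every check, report each one, and return 0 only if all pass.
# Args: sysctl content, /proc/swaps content, fstab content, modules-load content, selinux config content
node_ready() {
  rc=0
  k8s_sysctl_ok "$1"       && echo "sysctl:  ok" || { echo "sysctl:  a required key is missing or not 1"; rc=1; }
  swap_disabled "$2"       && echo "swap:    off" || { echo "swap:    still active"; rc=1; }
  fstab_swap_commented "$3" && echo "fstab:   no swap entry" || { echo "fstab:   swap entry still active"; rc=1; }
  modules_listed "$4"      && echo "modules: listed" || { echo "modules: overlay/br_netfilter not listed"; rc=1; }
  echo "selinux: config mode is '$(selinux_config_mode "$5")'"
  return $rc
}

# Constructed sample content (not captured from a real node).
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1'
SAMPLE_SYSCTL_BAD='net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1'
SAMPLE_SWAPS_OFF='Filename				Type		Size	Used	Priority'
SAMPLE_SWAPS_ON='Filename				Type		Size	Used	Priority
/dev/dm-1                               partition	4194300	0	-2'
SAMPLE_FSTAB='/dev/mapper/centos-root /       xfs     defaults        0 0
#/dev/mapper/centos-swap swap swap defaults 0 0'
SAMPLE_FSTAB_ACTIVE='/dev/mapper/centos-root /       xfs     defaults        0 0
/dev/mapper/centos-swap swap swap defaults 0 0'
SAMPLE_MODULES='overlay
br_netfilter'
SAMPLE_SELINUX='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'

# Live mode: read the real files at the paths used in this procedure.
if [ "${1:-}" = "--live" ]; then
  node_ready "$(cat /etc/sysctl.d/99-kubernetes-cri.conf /etc/sysctl.conf 2>/dev/null)" \
             "$(cat /proc/swaps)" "$(cat /etc/fstab)" \
             "$(cat /etc/modules-load.d/containerd.conf /etc/modules-load.d/k8s.conf 2>/dev/null)" \
             "$(cat /etc/selinux/config 2>/dev/null)"
fi
```

Run it as `sh check-node.sh --live` on each node after the procedure; a non-zero exit means at least one prerequisite is not in the expected state, and the printed lines say which. Because the checks read the persisted configuration files as well as /proc/swaps, they catch the common case where `swapoff -a` was run but the /etc/fstab entry was never commented out, which only surfaces after the next reboot.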
Parent topic: Deploying the Kubernetes Cluster