08、cilium使用vxlan部署的参数优化

#如有必要，删除历史cilium组件
kubectl delete ds/cilium -n kube-system ; kubectl delete deploy/hubble-relay -n kube-system ; kubectl delete deploy/hubble-ui -n kube-system ; kubectl delete deploy/cilium-operator -n kube-system ;kubectl delete cm cilium-config ; kubectl delete secret cilium-operator-token* ; kubectl delete secret cilium-token ; kubectl delete crds ciliumclusterwidenetworkpolicies.cilium.io ciliumendpoints.cilium.io ciliumexternalworkloads.cilium.io ciliumidentities.cilium.io ciliumnetworkpolicies.cilium.io ciliumnodes.cilium.io ;kubectl delete clusterrolebinding cilium cilium-operator  ;  kubectl delete clusterrole cilium cilium-operator;  kubectl delete cm cilium cilium-operator;kubectl delete sa cilium cilium-operator -n kube-system;kubectl delete cm/cilium-config -n kube-system
#如有必要，更新cilium证书
kubectl delete secret generic -n kube-system cilium-etcd-secrets
kubectl create secret generic -n kube-system cilium-etcd-secrets \
    --from-file=etcd-client-ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
    --from-file=etcd-client.key=/etc/kubernetes/pki/etcd/healthcheck-client.key \
    --from-file=etcd-client.crt=/etc/kubernetes/pki/etcd/healthcheck-client.crt
#更新cilium
helm upgrade cilium ./cilium --namespace kube-system \
--set identityAllocationMode=kvstore \
--set etcd.enabled=true \
--set etcd.ssl=true \
--set "etcd.endpoints[0]=https://10.8.119.11:2379" \
--set "etcd.endpoints[1]=https://10.8.119.12:2379" \
--set "etcd.endpoints[2]=https://10.8.119.13:2379" \
--set operator.prometheus.enabled=false \
--set kubeProxyReplacement=strict \
--set hubble.enabled=false \
--set hubble.relay.enabled=false \
--set hubble.ui.enabled=false \
--set operator.replicas=3 \
--set ipam.operator.clusterPoolIPv4PodCIDR=10.126.0.0/16 \
--set ipam.mode=kubernetes \
--set k8sServiceHost=10.8.119.168 \
--set k8sServicePort=6443 \
--set hostFirewall.enabled=true \
--set nodePort.enabled=true \
--set hostServices.enable=true \
--set bpf.clockProbe=true \
--set bpf.waitForMount=true \
--set bpf.preallocateMaps=true \
--set bpf.lbMapMax=262144 \
--set cni.chainingMode=portmap \
--set hostServices.enabled=true \
--set hostPort.enabled=false \
--set cluster.name="zl-pro-cluster" \
--set tunnel="vxlan" \
--set cluster.id="2" \
--set l7Proxy=false \
--set installIptablesRules=false \
--set bpf.masquerade=true
ssh-agent /bin/bash
ssh-add 
#备份kube-proxy
kubectl get ds/kube-proxy -n kube-system -o yaml >kube-proxy.yaml
kubectl get cm/kube-proxy -n kube-system -o yaml >kube-proxy-cm.yaml
#删除kube-proxy
kubectl delete ds/kube-proxy -n kube-system
kubectl delete cm/kube-proxy -n kube-system
#删除ipvs规则
ansible 'k8snode' -e 'ansible_python_interpreter=/usr/bin/python3' -m shell  -a "apt -o Acquire::http::proxy="http://10.5.15.22:3128/" update'
ansible 'k8snode' -e 'ansible_python_interpreter=/usr/bin/python3' -m shell -a "apt-get -o Acquire::http::proxy="http://10.5.15.22:3128/" install ipvsadm -y "
ansible 'k8snode' -e 'ansible_python_interpreter=/usr/bin/python3' -m shell -a "ipvsadm --clear"
ansible 'k8snode' -e 'ansible_python_interpreter=/usr/bin/python3' -m shell -a "ip link delete kube-ipvs0"
#终止iptables规则
ansible 'k8snode' -e 'ansible_python_interpreter=/usr/bin/python3' -m shell -a "iptables -F && systemctl restart kubelet"
更新失败回滚方案：
kubectl apply -f kube-proxy-cm.yaml
kubectl apply -f kube-proxy.yaml
helm rollout cilium 1
文档更新时间: 2023-12-25 13:42 作者：张尚