Etcd Repair

Symptom: etcd on one node of the cluster fails to start while the other nodes are healthy.

    systemctl status etcd
    ● etcd.service - etcd
       Loaded: loaded (/etc/systemd/system/etcd.service; enabled; vendor preset: disabled)
       Active: activating (auto-restart) (Result: exit-code) since Thu 2025-09-18 09:59:47 CST; 7s ago
      Process: 7427 ExecStart=/usr/local/bin/etcd (code=exited, status=2)
     Main PID: 7427 (code=exited, status=2)

    Sep 18 09:59:47 k8s-master1 systemd[1]: etcd.service: main process exited, code=exited, status=2/INVALIDARGUMENT
    Sep 18 09:59:47 k8s-master1 systemd[1]: Failed to start etcd.
    Sep 18 09:59:47 k8s-master1 systemd[1]: Unit etcd.service entered failed state.
    Sep 18 09:59:47 k8s-master1 systemd[1]: etcd....

September 18, 2025 · 4 min · Sulan

K8s Cert-Manager Certificate Requests

Requesting a certificate manually

    namespace=<project name>
    domain=<domain the certificate is requested for>
    domain_name=$(echo ${domain} | sed 's/\./-/g')

    # Create the Certificate in the project (namespace) that will use it; kubesphere-system is used here as the example
    cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: cert-${domain_name}
      namespace: ${namespace}
    spec:
      secretName: tls-${domain_name}
      commonName:
      dnsNames:
        - "*.${domain}"
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
    EOF

    # Wait a few minutes, then check the certificate's READY status
    watch -n 1 "kubectl get certificate -n ${namespace}"

A wildcard name such as *.${domain} can only be validated through the DNS-01 challenge, so the letsencrypt-prod ClusterIssuer must carry a DNS-01 solver; with an HTTP-01-only issuer the Certificate stays at READY=False.

Automatic certificates via Ingress

    kind: Ingress
    apiVersion: networking.k8s.io/v1
    metadata:
      name: docs-jsecode-com
      namespace: docs
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
        kubesphere....

June 20, 2025 · 1 min · Sulan

Ingress ModSecurity Protection

Ingress Controller global configuration

    # Edit the cluster gateway and add the following options
    data:
      enable-modsecurity: "true"
      enable-owasp-modsecurity-crs: "true"
      modsecurity-snippet: |
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        SecAuditEngine RelevantOnly
        SecAuditLogParts ABIJDEFHZ

Per-route (single Ingress) configuration

    kind: Ingress
    apiVersion: networking.k8s.io/v1
    metadata:
      name: xxxxx
      namespace: tools
      annotations:
        nginx.ingress.kubernetes.io/enable-modsecurity: 'false'   # disable for this route
        nginx.ingress.kubernetes.io/modsecurity-snippet: |
          # block malicious requests
          SecRuleEngine On
          # log only, do not block:
          #SecRuleEngine DetectionOnly
        nginx.ingress.kubernetes.io/whitelist-source-range: 'x.x.x.x'

Recent ingress-nginx releases reject the modsecurity-snippet annotation unless allow-snippet-annotations is enabled in the controller ConfigMap, so per-route snippets need that switch on before they take effect.

Handling false positives

    kind: Ingress
    apiVersion: networking.k8s.io/v1
    metadata:
      namespace: xxxx
      annotations:
        nginx.ingress.kubernetes.io/modsecurity-snippet: |
          # Remove the rule with the given ID for requests matching this path
          SecRule REQUEST_URI "@rx ^/(js|cdn)/.*\.(js|css)$" "id:1000001,phase:1,nolog,pass,ctl:ruleRemoveById=959100"

Debugging aids...

June 11, 2025 · 1 min · Sulan

Creating a Private Helm Repository

Using Bitnami as the example

    git clone https://github.com/bitnami/charts.git
    cd charts/bitnami
    helm dep build redis
    helm package redis --destination ../repo
    cd ../repo/
    helm repo index . --url https://charts.xxxx.com/charts
    cp *.tgz /usr/share/nginx/html/charts/
    cp *.yaml /usr/share/nginx/html/charts/

helm repo index rebuilds index.yaml from the .tgz files in the current directory only; when adding a chart to a repository that already has an index, pass --merge <existing index.yaml> so the earlier entries survive.

Full script

    #!/bin/sh
    # Exit as soon as any command fails
    set -e

    # Argument check and usage message
    if [ $# -ne 2 ]; then
      echo "Usage: $0 <module> <version>"
      echo "Example: $0 mysql 8.13.4"
      exit 1
    fi

    module=$1
    version=$2

    echo "Starting to build Helm chart for module: ${module}, version: ${version}"

    # Switch to the Helm charts directory; exit the script if that fails
    cd /helm/charts || exit

    # Fetch the latest remote branches and tags
    git fetch --tags origin

    # Check whether the requested module and version exist
    if !...

February 20, 2025 · 1 min · Sulan

Adding an Access Password to a K8s Ingress

Run the following on a k8s node.

Generate the password file

    htpasswd -c auth <username>   # enter the password when prompted

-c creates the file and overwrites an existing one; drop it when adding further users to the same file.

Create the Secret

    namespace=<K8s project name>
    kubectl create secret generic basic-auth --from-file=auth -n ${namespace}

The Secret's key must be auth (the file name given to --from-file); that is the key ingress-nginx reads for basic auth.

Reference the Secret from the Ingress

Add the annotations:

    nginx.ingress.kubernetes.io/auth-type: basic
    # the Secret created above
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message shown when authentication fails
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required!'
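The three steps above can be reproduced offline to check the exact shape of what lands in the cluster. The following is an added example, not code from the original post: it builds an htpasswd line in the {SSHA} scheme that nginx's auth_basic documents (htpasswd's default apr1-MD5 works just as well; {SSHA} is used here only because it needs no extra helper), verifies a password against it the way the server does, and emits the same Secret and Ingress objects that kubectl create secret ... --from-file=auth and the annotated Ingress would produce. The namespace tools, user alice, host app.example.com, service app and ingressClassName nginx are constructed placeholders.

```python
"""Basic auth for ingress-nginx, built offline.

Added example (not from the original post): reproduces what `htpasswd` and
`kubectl create secret generic basic-auth --from-file=auth` produce, so the
Secret and the annotations can be checked before touching a cluster.
Namespace, user, host and service names are constructed placeholders.
"""
import base64
import hashlib
import json
import secrets
from typing import List, Optional

SECRET_NAME = "basic-auth"   # value of nginx.ingress.kubernetes.io/auth-secret
AUTH_FILE_KEY = "auth"       # key the controller reads; same as --from-file=auth


def ssha_entry(user: str, password: str, salt: Optional[bytes] = None) -> str:
    """One htpasswd line in the {SSHA} scheme: base64(sha1(password + salt) + salt).

    The salt is random unless supplied (a fixed salt is only for reproducible tests).
    """
    if not user or ":" in user:
        raise ValueError("user must be non-empty and must not contain ':'")
    salt = secrets.token_bytes(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode('ascii')}"


def verify_entry(entry: str, user: str, password: str) -> bool:
    """Check a password against a {SSHA} line the way the server does (constant-time compare)."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(digest, candidate)


def secret_manifest(namespace: str, entries: List[str]) -> dict:
    """Same object as `kubectl create secret generic basic-auth --from-file=auth -n <ns>`."""
    auth_file = "\n".join(entries) + "\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": SECRET_NAME, "namespace": namespace},
        "type": "Opaque",
        "data": {AUTH_FILE_KEY: base64.b64encode(auth_file.encode("utf-8")).decode("ascii")},
    }


def auth_file_from_secret(manifest: dict) -> str:
    """Decode the htpasswd file back out of the Secret (what the controller mounts)."""
    return base64.b64decode(manifest["data"][AUTH_FILE_KEY]).decode("utf-8")


def ingress_manifest(namespace: str, name: str, host: str, service: str, port: int) -> dict:
    """Ingress carrying the three annotations from the post; Secret and Ingress share a namespace."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "nginx.ingress.kubernetes.io/auth-type": "basic",
                "nginx.ingress.kubernetes.io/auth-secret": SECRET_NAME,
                "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required!",
            },
        },
        "spec": {
            "ingressClassName": "nginx",   # assumed class name
            "rules": [{
                "host": host,
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": service, "port": {"number": port}}},
                }]},
            }],
        },
    }


if __name__ == "__main__":
    # Constructed sample: one user in namespace "tools"; pipe the output to `kubectl apply -f -`.
    entry = ssha_entry("alice", "correct horse battery staple")
    assert verify_entry(entry, "alice", "correct horse battery staple")
    print(json.dumps(secret_manifest("tools", [entry]), indent=2))
    print(json.dumps(ingress_manifest("tools", "app", "app.example.com", "app", 80), indent=2))
```

The password never appears in the Secret, only the salted digest does; the Secret is still worth protecting with RBAC, since anyone who can read it can run an offline guess against the entries.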

February 12, 2025 · 1 min · Sulan