K8s

K8s Cert-Manager 证书申请 手动申请证书 namespace=<项目名称> domain=<申请证书的域名> domain_name=$(echo ${domain} | sed 's/\./-/g') # 在需要使用证书的项目（namespace）下创建Certificate 这里以 kubesphere-system 为例 cat <<EOF | kubectl apply -f - apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: cert-${domain_name} namespace: ${namespace} spec: secretName: tls-${domain_name} commonName: dnsNames: - "*.${domain}" issuerRef: name: letsencrypt-prod kind: ClusterIssuer EOF # 等待几分钟后查看证书 READY 状态 watch -n 1 "kubectl get certificate -n ${namespace}" Ingress自动证书 kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: docs-jsecode-com namespace: docs annotations: cert-manager.io/cluster-issuer: letsencrypt-prod kubesphere....

Ingress ModSecurity防护 Ingress Controller 全局配置 # 编辑集群网关 添加如下配置选项 data: enable-modsecurity: "true" enable-owasp-modsecurity-crs: "true" modsecurity-snippet: | SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On SecAuditEngine RelevantOnly SecAuditLogParts ABIJDEFHZ # Ingress 单路由配置 kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: xxxxx namespace: tools annotations: nginx.ingress.kubernetes.io/enable-modsecurity: 'false' # 关闭 nginx.ingress.kubernetes.io/modsecurity-snippet: | SecRuleEngine On #拦截恶意请求 #SecRuleEngine DetectionOnly #仅记录，不拦截 nginx.ingress.kubernetes.io/whitelist-source-range: 'x.x.x.x' 误判处理 kind: Ingress apiVersion: networking.k8s.io/v1 metadata: namespace: xxxx annotations: nginx.ingress.kubernetes.io/modsecurity-snippet: | # 移除指定ID的规则 SecRule REQUEST_URI "@rx ^/(js|cdn)/.*\.(js|css)$" "id:1000001,phase:1,nolog,pass,ctl:ruleRemoveById=959100" 辅助调试...

以Bitnami为例 git clone https://github.com/bitnami/charts.git cd charts/bitnami helm dep build redis helm package redis --destination ../repo cd ../repo/ helm repo index . --url https://charts.xxxx.com/charts cp *.tgz /usr/share/nginx/html/charts/ cp *.yaml /usr/share/nginx/html/charts/ 完整脚本 #!/bin/sh # 设置当任意一行命令执行失败时退出脚本 set -e # 参数校验和使用提示 if [ $# -ne 2 ]; then echo "Usage: $0 <module> <version>" echo "Example: $0 mysql 8.13.4" exit 1 fi module=$1 version=$2 echo "Starting to build Helm chart for module: ${module}, version: ${version}" # 切换到Helm charts目录，如果失败则退出脚本 cd /helm/charts || exit # 获取最新的远程分支和标签信息 git fetch --tags origin # 检查指定的模块和版本是否存在 if !...

在k8s节点上执行 密码生成 htpasswd -c auth <用户名> # 输入密码 创建保密字典 namespace=<K8s项目名称> kubectl create secret generic basic-auth --from-file=auth -n ${namespace} Ingress配置密钥 添加注解 nginx.ingress.kubernetes.io/auth-type: basic # 对应保密字典 nginx.ingress.kubernetes.io/auth-secret: basic-auth # 错误提示 nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required!'

1 软硬件资源准备 1.1 服务器资源 主机名 IP 类型 配置 备注 k8s-lb1 172.20.1.81 虚机 4C/8GB/50GB 负载均衡器 HAProxy+Keepalived k8s-lb2 172.20.1.82 虚机 4C/8GB/50GB 负载均衡器 HAProxy+Keepalived k8s-master1 172.20.1.78 虚机 6C/48GB/50GB+100GB k8s控制平面节点 k8s-master2 172.20.1.79 虚机 6C/48GB/50GB+100GB k8s控制平面节点 k8s-master3 172.20.1.80 虚机 6C/48GB/50GB+100GB k8s控制平面节点 k8s-node1 172.20.1.71 物理机 48C/384GB/480GBx2 RAID1+480GBx4/Tesla P4 k8s工作节点 + Ceph OSD + GPU k8s-node2 172.20.1.72 物理机 48C/384GB/480GBx2 RAID1+480GBx4/Tesla P4 k8s工作节点 + Ceph OSD + GPU k8s-node3 172.20.1.73 物理机 48C/384GB/480GBx2 RAID1+480GBx4/Tesla P4 k8s工作节点 + Ceph OSD + GPU k8s-node4 172....