Node Requirements
Operating System
Ubuntu 16.04 (64-bit)
Red Hat Enterprise Linux 7.5 (64-bit)
RancherOS 1.4 (64-bit)
Windows Server version 1803 (64-bit)
Hardware
Hardware requirements scale with the size of your Rancher deployment. Provision each individual node according to the requirements below.
Deployment Size | Clusters | Nodes | CPU Cores | RAM |
---|---|---|---|---|
Small | Up to 5 | Up to 50 | 4 | 16GB |
Medium | Up to 100 | Up to 500 | 8 | 32GB |
Large | Over 100 | Over 500 | Contact Rancher | Contact Rancher |
Docker Version
One of the following Docker versions is required:
1.12.6
1.13.1
17.03.2
17.06 (Windows)
Network Configuration
Node IP
Each node must have a static IP. In a DHCP environment, configure a DHCP reservation so that the node is assigned the same IP address every time.
Port Requirements
When Rancher is deployed in HA mode, certain ports must be open. Which ports depends on the type of server hosting the cluster nodes. For example, when nodes are provisioned on an infrastructure provider, the SSH port of those servers must be open. The exact mappings are given in the tables below:
Rancher nodes: the nodes running the rancher/rancher container
Rancher nodes - Inbound rules
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 80 | Load balancer/proxy that does external SSL termination | Rancher UI/API when external SSL termination is used |
TCP | 443 | etcd nodes, controlplane nodes, worker nodes, Hosted/Imported Kubernetes, any client that needs to use the UI/API | Rancher agent, Rancher UI/API, kubectl |
Rancher nodes - Outbound rules
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 22 | Any node IP from a node created using Node Driver | SSH provisioning of nodes using Node Driver |
TCP | 443 | 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 | git.rancher.io (catalogs) |
TCP | 2376 | Any node IP from a node created using Node Driver | Docker daemon TLS port used by Docker Machine |
TCP | 6443 | Hosted/Imported Kubernetes API | Kubernetes apiserver |
etcd nodes
etcd nodes - Inbound rules
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
TCP | 2379 | etcd nodes, controlplane nodes | etcd client requests |
TCP | 2380 | etcd nodes, controlplane nodes | etcd peer communication |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | etcd node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | controlplane nodes | kubelet |
etcd nodes - Outbound rules
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | Rancher nodes | Rancher agent |
TCP | 2379 | etcd nodes | etcd client requests |
TCP | 2380 | etcd nodes | etcd peer communication |
TCP | 6443 | controlplane nodes | Kubernetes apiserver |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | etcd node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
Controlplane nodes
Controlplane nodes - Inbound rules
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 80 | Any that consumes Ingress services | Ingress controller (HTTP) |
TCP | 443 | Any that consumes Ingress services | Ingress controller (HTTPS) |
TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
TCP | 6443 | etcd nodes, controlplane nodes, worker nodes | Kubernetes apiserver |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | controlplane node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | controlplane nodes | kubelet |
TCP | 10254 | controlplane node itself (local traffic, not across nodes); see Local node traffic | Ingress controller livenessProbe/readinessProbe |
TCP/UDP | 30000-32767 | Any source that consumes NodePort services | NodePort port range |
Controlplane nodes - Outbound rules
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | Rancher nodes | Rancher agent |
TCP | 2379 | etcd nodes | etcd client requests |
TCP | 2380 | etcd nodes | etcd peer communication |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | controlplane node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | etcd nodes, controlplane nodes, worker nodes | kubelet |
TCP | 10254 | controlplane node itself (local traffic, not across nodes); see Local node traffic | Ingress controller livenessProbe/readinessProbe |
Worker nodes
Worker nodes - Inbound rules
Protocol | Port | Source | Description |
---|---|---|---|
TCP | 80 | Any that consumes Ingress services | Ingress controller (HTTP) |
TCP | 443 | Any that consumes Ingress services | Ingress controller (HTTPS) |
TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | worker node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | controlplane nodes | kubelet |
TCP | 10254 | worker node itself (local traffic, not across nodes); see Local node traffic | Ingress controller livenessProbe/readinessProbe |
TCP/UDP | 30000-32767 | Any source that consumes NodePort services | NodePort port range |
Worker nodes - Outbound rules
Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | Rancher nodes | Rancher agent |
TCP | 6443 | controlplane nodes | Kubernetes apiserver |
UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | worker node itself (local traffic, not across nodes); see Local node traffic | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10254 | worker node itself (local traffic, not across nodes); see Local node traffic | Ingress controller livenessProbe/readinessProbe |
Local node traffic
The Kubernetes health checks (livenessProbe and readinessProbe) run on the node itself, and in most cases this local traffic is allowed by default. However, a strict host firewall policy (for example iptables) or a node with multiple interfaces (multihomed) can block it. In that case, configure the host firewall or the security group (on cloud hosts such as AWS or OpenStack) to allow this traffic. Note that when a security group rule references another security group as its source, the rule applies only to the private interface of that node/instance.
Amazon EC2 security group when using Node Driver
If you are [Creating an Amazon EC2 Cluster](/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/), you can choose to let Rancher create a Security Group called `rancher-nodes`. The following rules are automatically added to this Security Group.
rancher-nodes security group
Inbound rules
Type | Protocol | Port Range | Source |
---|---|---|---|
SSH | TCP | 22 | 0.0.0.0/0 |
HTTP | TCP | 80 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 443 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 |
Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) |
Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) |
Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 |
Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) |
Custom TCP Rule | TCP | 10250-10252 | sg-xxx (rancher-nodes) |
Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) |
Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 |
Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 |
Outbound rules
Type | Protocol | Port Range | Destination |
---|---|---|---|
All traffic | All | All | 0.0.0.0/0 |
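As an added check (not Rancher's own tooling) that ties the Local node traffic note and the rancher-nodes security group together: the script below encodes the narrowest inbound source each port needs according to the per-role tables above, then audits a security group's inbound rules for sources wider than that and for required non-local ports that no rule opens. The `sg-xxx` ids and the assumption that any specific CIDR stands for the Rancher nodes' addresses are constructed for this example.

```python
"""Audit an EC2 security group against the per-role inbound port tables.
Added example, not Rancher's code; REQUIRED is the union of the inbound tables,
RANCHER_NODES_SG is the rancher-nodes group as listed (constructed sample)."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto port_from port_to source")

# Narrowest source each port needs: "local" = same host only (see Local node
# traffic), "cluster" = other cluster nodes (the SG itself), "rancher" = the
# Rancher nodes, "any" = arbitrary clients (ingress, NodePort, kubectl).
REQUIRED = {
    ("tcp", 22): "rancher", ("tcp", 2376): "rancher",   # Node Driver SSH, Docker TLS
    ("tcp", 80): "any", ("tcp", 443): "any",            # ingress controller
    ("tcp", 2379): "cluster", ("tcp", 2380): "cluster", # etcd client/peer
    ("tcp", 6443): "cluster", ("udp", 8472): "cluster", # apiserver, VXLAN overlay
    ("tcp", 10250): "cluster",                          # kubelet
    ("tcp", 9099): "local", ("tcp", 10254): "local",    # Canal/ingress probes
}
RANK = {"local": 0, "cluster": 1, "rancher": 2, "any": 3}

def source_class(source):
    """Map an SG source to the classes above. An sg- reference is the cluster
    itself; a specific CIDR is assumed (here) to be the Rancher nodes."""
    if source.startswith("sg-"):
        return "cluster"
    return "any" if ipaddress.ip_network(source).prefixlen == 0 else "rancher"

def audit(sg_rules):
    """Return (too_broad, missing): rules whose source is wider than the table
    needs, and required non-local ports that no rule opens at all."""
    too_broad, covered = [], set()
    for r in sg_rules:
        for (proto, port), need in REQUIRED.items():
            if proto == r.proto and r.port_from <= port <= r.port_to:
                covered.add((proto, port))
                if RANK[source_class(r.source)] > RANK[need]:
                    too_broad.append((proto, port, r.source, need))
    missing = sorted(k for k, need in REQUIRED.items()
                     if need != "local" and k not in covered)
    return too_broad, missing

# The rancher-nodes inbound rules from the table above (sample input).
RANCHER_NODES_SG = [
    Rule("tcp", 22, 22, "0.0.0.0/0"), Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 2376, 2376, "0.0.0.0/0"),
    Rule("tcp", 2379, 2380, "sg-xxx"), Rule("udp", 4789, 4789, "sg-xxx"),
    Rule("tcp", 6443, 6443, "0.0.0.0/0"), Rule("udp", 8472, 8472, "sg-xxx"),
    Rule("tcp", 10250, 10252, "sg-xxx"), Rule("tcp", 10256, 10256, "sg-xxx"),
    Rule("tcp", 30000, 32767, "0.0.0.0/0"), Rule("udp", 30000, 32767, "0.0.0.0/0"),
]
```

Running `audit(RANCHER_NODES_SG)` reports 22, 2376 and 6443 as open to 0.0.0.0/0 although the tables only need the Rancher nodes or the cluster itself as source, and no required port missing; probe ports 9099 and 10254 are local traffic and are deliberately not expected in the group.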