[{"data":1,"prerenderedAt":344},["ShallowReactive",2],{"navigation":3,"post-\u002Fposts\u002F2019\u002Faliyun-k8s-setup":20,"surroundPosts-\u002Fposts\u002F2019\u002Faliyun-k8s-setup":331},[4,8,12,16],{"title":5,"path":6,"stem":7},"首页","\u002F","00.index",{"title":9,"path":10,"stem":11},"文章","\u002Fposts","01.posts",{"title":13,"path":14,"stem":15},"动态","\u002Fmoments","02.moments",{"title":17,"path":18,"stem":19},"关于","\u002Fabout","09.about",{"id":21,"title":22,"body":23,"class":310,"cover":310,"coverSize":310,"date":311,"description":55,"draft":312,"extension":313,"hideComments":312,"location":310,"meta":314,"navigation":315,"path":316,"readingTime":317,"seo":322,"sitemap":323,"stem":324,"tags":325,"time":310,"weather":310,"__hash__":330},"posts\u002Fposts\u002F2019\u002F20191229.aliyun-k8s-setup.md","阿里云 k8s 集群搭建",{"type":24,"value":25,"toc":306},"minimark",[26,31,38,44,49,131,140,145,149,152,224,227,230,287,302],[27,28,30],"h3",{"id":29},"为-vpc-配置-snat","为 VPC 配置 SNAT",[32,33,34],"p",{},[35,36,37],"strong",{},"注：SNAT 已关闭，看起来两个 ECS 节点都有公网 IP，不需要了。（2024-06-04）",[32,39,40],{},[41,42,43],"del",{},"阿里云的 NAT 网关太贵，考虑自行搭建 SNAT。",[32,45,46],{},[41,47,48],{},"购买最廉价 ECS，配置如下设置",[50,51,56],"pre",{"className":52,"code":53,"language":54,"meta":55,"style":55},"language-bash shiki shiki-themes material-theme-lighter github-light github-dark","sysctl net.ipv4.ip_forward # 查看当前 IP 转发配置，0 为关闭，1 为打开\nsysctl -w net.ipv4.ip_forward=1 # 打开 IP 转发\niptables -t nat -I POSTROUTING -s 172.16.0.0\u002F16 -j SNAT --to-source 172.16.117.66\n","bash","",[57,58,59,76,95],"code",{"__ignoreMap":55},[60,61,64,68,72],"span",{"class":62,"line":63},"line",1,[60,65,67],{"class":66},"sbgvK","sysctl",[60,69,71],{"class":70},"s_sjI"," net.ipv4.ip_forward",[60,73,75],{"class":74},"sutJx"," # 查看当前 IP 转发配置，0 为关闭，1 为打开\n",[60,77,79,81,85,88,92],{"class":62,"line":78},2,[60,80,67],{"class":66},[60,82,84],{"class":83},"stzsN"," -w",[60,86,87],{"class":70}," 
net.ipv4.ip_forward=",[60,89,91],{"class":90},"srdBf","1",[60,93,94],{"class":74}," # 打开 IP 转发\n",[60,96,98,101,104,107,110,113,116,119,122,125,128],{"class":62,"line":97},3,[60,99,100],{"class":66},"iptables",[60,102,103],{"class":83}," -t",[60,105,106],{"class":70}," nat",[60,108,109],{"class":83}," -I",[60,111,112],{"class":70}," POSTROUTING",[60,114,115],{"class":83}," -s",[60,117,118],{"class":70}," 172.16.0.0\u002F16",[60,120,121],{"class":83}," -j",[60,123,124],{"class":70}," SNAT",[60,126,127],{"class":83}," --to-source",[60,129,130],{"class":90}," 172.16.117.66\n",[32,132,133],{},[41,134,135,136,139],{},"去 VPC 路由表中添加 ",[57,137,138],{},"0.0.0.0\u002F0"," 下一跳为上述 ECS",[32,141,142],{},[41,143,144],{},"设置 iptables 开机启动：",[27,146,148],{"id":147},"dnat","DNAT",[32,150,151],{},"通过公网 IP 访问集群管理 API。注意：第二条 MASQUERADE 规则会把客户端源地址改写为 NAT 节点自身的内网地址，kube-apiserver 审计日志中看到的将是 NAT 节点 IP 而不是真实客户端 IP。",[50,153,155],{"className":52,"code":154,"language":54,"meta":55,"style":55},"iptables -t nat -I PREROUTING -p tcp --dport 6443 -j DNAT --to 172.16.117.67:6443\niptables -t nat -I POSTROUTING -d 172.16.117.67\u002F32 -p tcp --dport 6443 -j MASQUERADE\n",[57,156,157,193],{"__ignoreMap":55},[60,158,159,161,163,165,167,170,173,176,179,182,184,187,190],{"class":62,"line":63},[60,160,100],{"class":66},[60,162,103],{"class":83},[60,164,106],{"class":70},[60,166,109],{"class":83},[60,168,169],{"class":70}," PREROUTING",[60,171,172],{"class":83}," -p",[60,174,175],{"class":70}," tcp",[60,177,178],{"class":83}," --dport",[60,180,181],{"class":90}," 6443",[60,183,121],{"class":83},[60,185,186],{"class":70}," DNAT",[60,188,189],{"class":83}," --to",[60,191,192],{"class":70}," 172.16.117.67:6443\n",[60,194,195,197,199,201,203,205,208,211,213,215,217,219,221],{"class":62,"line":78},[60,196,100],{"class":66},[60,198,103],{"class":83},[60,200,106],{"class":70},[60,202,109],{"class":83},[60,204,112],{"class":70},[60,206,207],{"class":83}," -d",[60,209,210],{"class":70}," 
172.16.117.67\u002F32",[60,212,172],{"class":83},[60,214,175],{"class":70},[60,216,178],{"class":83},[60,218,181],{"class":90},[60,220,121],{"class":83},[60,222,223],{"class":70}," MASQUERADE\n",[32,225,226],{},"记得开启安全组规则允许 6443 端口",[32,228,229],{},"在 k8s 集群信息中设置 自定义证书 SAN 为 47.111.247.217 配置证书，解决以下证书问题：",[50,231,233],{"className":52,"code":232,"language":54,"meta":55,"style":55},"Unable to connect to the server: x509: certificate is valid for 172.21.0.1, 127.0.0.1, 7.20.49.48, 172.16.117.67, not 47.111.247.217\n",[57,234,235],{"__ignoreMap":55},[60,236,237,240,243,246,248,251,254,257,260,263,266,269,272,275,278,281,284],{"class":62,"line":63},[60,238,239],{"class":66},"Unable",[60,241,242],{"class":70}," to",[60,244,245],{"class":70}," connect",[60,247,242],{"class":70},[60,249,250],{"class":70}," the",[60,252,253],{"class":70}," server:",[60,255,256],{"class":70}," x509:",[60,258,259],{"class":70}," certificate",[60,261,262],{"class":70}," is",[60,264,265],{"class":70}," valid",[60,267,268],{"class":70}," for",[60,270,271],{"class":70}," 172.21.0.1,",[60,273,274],{"class":70}," 127.0.0.1,",[60,276,277],{"class":70}," 7.20.49.48,",[60,279,280],{"class":70}," 172.16.117.67,",[60,282,283],{"class":70}," not",[60,285,286],{"class":90}," 47.111.247.217\n",[288,289,290,293],"blockquote",{},[32,291,292],{},"参考链接：",[32,294,295],{},[296,297,301],"a",{"href":298,"rel":299},"https:\u002F\u002Fyq.aliyun.com\u002Farticles\u002F112497",[300],"nofollow","如何通过 EIP 实现 VPC 下的 SNAT 以及 DNAT",[303,304,305],"style",{},"html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sutJx, html code.shiki .sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html pre.shiki code 
.stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .srdBf, html code.shiki .srdBf{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":55,"searchDepth":78,"depth":78,"links":307},[308,309],{"id":29,"depth":97,"text":30},{"id":147,"depth":97,"text":148},null,"2019-12-29",false,"md",{},true,"\u002Fposts\u002F2019\u002Faliyun-k8s-setup",{"text":318,"minutes":319,"time":320,"words":321},"2 min 
read",1.17,70200,234,{"title":22,"description":55},{"loc":316},"posts\u002F2019\u002F20191229.aliyun-k8s-setup",[326,327,328,329],"技术","阿里云","k8s","DevOps","nx96pApv8oyqcXahwKsOs9Y-8UfgHxl4bCTvPo9djqQ",[332,338],{"title":333,"path":334,"stem":335,"date":336,"description":337,"children":-1},"2019 年总结暨 2020 年展望","\u002Fposts\u002F2020\u002Ffighting-2020","posts\u002F2020\u002F20200102.fighting-2020","2020-01-02","不知不觉，又独自在电脑前工作到深夜。",{"title":339,"path":340,"stem":341,"date":342,"description":343,"children":-1},"Docker 同一域名下多个 Registry 保存凭证的方式","\u002Fposts\u002F2019\u002Fdocker-registry-auth-with-same-domain","posts\u002F2019\u002F20191201.docker-registry-auth-with-same-domain","2019-12-01","阿里云的容器镜像服务是个好东西，配合在阿里云上容器服务，速度非常快。",1777579140777]