Add kubelet pod pid limit

apis/kubekey/v1alpha2/default.go

@@ -57,6 +57,7 @@ const (
 	DefaultRegistryVersion      = "2"
 	DefaultHarborVersion        = "v2.5.3"
 	DefaultMaxPods              = 110
+	DefaultPodPidsLimit         = 10000
 	DefaultNodeCidrMaskSize     = 24
 	DefaultIPIPMode             = "Always"
 	DefaultVXLANMode            = "Never"
@@ -124,6 +125,9 @@ func (cfg *ClusterSpec) SetDefaultClusterSpec(incluster bool) (*ClusterSpec, map
 	if cfg.Kubernetes.MaxPods == 0 {
 		clusterCfg.Kubernetes.MaxPods = DefaultMaxPods
 	}
+	if cfg.Kubernetes.PodPidsLimit == 0 {
+		clusterCfg.Kubernetes.PodPidsLimit = DefaultPodPidsLimit
+	}
 	if cfg.Kubernetes.NodeCidrMaskSize == 0 {
 		clusterCfg.Kubernetes.NodeCidrMaskSize = DefaultNodeCidrMaskSize
 	}

apis/kubekey/v1alpha2/kubernetes_types.go

@@ -27,6 +27,7 @@ type Kubernetes struct {
 	DisableKubeProxy       bool     `yaml:"disableKubeProxy" json:"disableKubeProxy,omitempty"`
 	MasqueradeAll          bool     `yaml:"masqueradeAll" json:"masqueradeAll,omitempty"`
 	MaxPods                int      `yaml:"maxPods" json:"maxPods,omitempty"`
+	PodPidsLimit           int      `yaml:"podPidsLimit" json:"podPidsLimit,omitempty"`
 	NodeCidrMaskSize       int      `yaml:"nodeCidrMaskSize" json:"nodeCidrMaskSize,omitempty"`
 	ApiserverCertExtraSans []string `yaml:"apiserverCertExtraSans" json:"apiserverCertExtraSans,omitempty"`
 	ProxyMode              string   `yaml:"proxyMode" json:"proxyMode,omitempty"`

docs/config-example.md

@@ -36,6 +36,7 @@ spec:
     autoRenewCerts: true # Whether to install a script which can automatically renew the Kubernetes control plane certificates. [Default: false]
     masqueradeAll: false  # masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. [Default: false].
     maxPods: 110  # maxPods is the number of Pods that can run on this Kubelet. [Default: 110]
+    podPidsLimit: 10000 # podPidsLimit is the maximum number of PIDs in any pod. [Default: 10000]
     nodeCidrMaskSize: 24  # The internal network node size allocation. This is the size allocated to each node on your network. [Default: 24]
     proxyMode: ipvs  # Specify which proxy mode to use. [Default: ipvs]
     featureGates: # enable featureGates, [Default: {"ExpandCSIVolumes":true,"RotateKubeletServerCertificate": true,"CSIStorageCapacity":true, "TTLAfterFinished":true}]

pkg/kubernetes/templates/v1beta2/kubeadm_config.go

@@ -157,12 +157,14 @@ var (
 		"TTLAfterFinished":               true, //k8s 1.12+
 		"ExpandCSIVolumes":               true, //k8s 1.14+
 		"CSIStorageCapacity":             true, //k8s 1.19+
+		"SupportPodPidsLimit":            true,
 	}
 	FeatureGatesSecurityDefaultConfiguration = map[string]bool{
 		"RotateKubeletServerCertificate": true, //k8s 1.7+
 		"TTLAfterFinished":               true, //k8s 1.12+
 		"ExpandCSIVolumes":               true, //k8s 1.14+
 		"CSIStorageCapacity":             true, //k8s 1.19+
+		"SupportPodPidsLimit":            true,
 		"SeccompDefault":                 true, //kubelet
 	}
 
@@ -263,6 +265,7 @@ func GetKubeletConfiguration(runtime connector.Runtime, kubeConf *common.KubeCon
 		"clusterDomain":      kubeConf.Cluster.Kubernetes.DNSDomain,
 		"clusterDNS":         []string{kubeConf.Cluster.ClusterDNS()},
 		"maxPods":            kubeConf.Cluster.Kubernetes.MaxPods,
+		"podPidsLimit":       kubeConf.Cluster.Kubernetes.PodPidsLimit,
 		"rotateCertificates": true,
 		"kubeReserved": map[string]string{
 			"cpu":    "200m",
@@ -274,7 +277,7 @@ func GetKubeletConfiguration(runtime connector.Runtime, kubeConf *common.KubeCon
 		},
 		"evictionHard": map[string]string{
 			"memory.available": "5%",
-			"pid.available":    "5%",
+			"pid.available":    "10%",
 		},
 		"evictionSoft": map[string]string{
 			"memory.available": "10%",