部署Node节点(Master操作)
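#拷贝安装node所需的二进制文件
# Both binaries live in the unpacked server tarball. The original command named
# kube-proxy without a path, so it only worked when run from that directory;
# copy both from the same location explicitly.
cp -- ~/kubernetes/server/bin/kubelet ~/kubernetes/server/bin/kube-proxy /opt/kubernetes/bin/
#添加Kubelet配置
# This file is the EnvironmentFile read by kubelet.service, so the whole option
# list must stay one quoted value; the doubled backslashes become single
# backslash line continuations in the written file.
#   --hostname-override          node name in the cluster; must be unique
#   --bootstrap-kubeconfig       bootstrap token used on first start to request
#                                a certificate; --kubeconfig is an empty path
#                                that the kubelet fills in afterwards
#   --cert-dir                   where the issued kubelet certificate is stored
#   --pod-infra-container-image  pause image for the Pod network container; this
#                                one is pulled from a third-party Docker Hub
#                                namespace by tag, not by digest — mirror it into
#                                a registry you control and pin it if you can
cat > /opt/kubernetes/cfg/kubelet.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=172.22.213.49 \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF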
#参数说明
--hostname-override #显示名称,集群中唯一
--network-plugin #启用 CNI
--kubeconfig #空路径,会自动生成,后面用于连接 apiserver
--bootstrap-kubeconfig #首次启动向 apiserver 申请证书
--config #配置参数文件
--cert-dir #kubelet 证书生成目录
--pod-infra-container-image #管理 Pod 网络容器的镜像
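#添加Kubelet配置参数
# Nesting restored: authentication, authorization and evictionHard are maps.
# Flattened to top level the document had two "webhook:" keys and the
# sub-fields would not be applied as intended.
# Security notes on the values below:
#   - anonymous.enabled=false plus authorization.mode=Webhook are what gate
#     port 10250 (exec/logs/ports) behind the API server's auth; keep them.
#   - readOnlyPort 10255 is an unauthenticated read-only HTTP endpoint that
#     exposes pod and node details; set it to 0 unless something relies on it.
#   - cgroupDriver must match the container runtime's cgroup driver.
cat > /opt/kubernetes/cfg/kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF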
#生成 bootstrap.kubeconfig 文件
# Temporary variables consumed by the kubectl config commands that follow.
#   KUBE_APISERVER  apiserver IP:PORT
#   TOKEN           bootstrap token; must be the same value as in token.csv.
# TOKEN is a credential: it ends up in this shell's history and in the
# environment of every child process, so unset it once the kubeconfig exists.
KUBE_APISERVER="https://172.22.213.49:6443"
TOKEN="ac96145c56de94f42aa7ad553a09ccba"
export KUBE_APISERVER TOKEN
# 生成 kubelet bootstrap kubeconfig 配置文件
[root@master cfg]# kubectl config set-cluster kubernetes \
> --certificate-authority=/opt/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
[root@master cfg]#
[root@master cfg]# kubectl config set-credentials "kubelet-bootstrap" \
> --token=${TOKEN} \
> --kubeconfig=bootstrap.kubeconfig
User "kubelet-bootstrap" set.
[root@master cfg]# kubectl config set-context default \
> --cluster=kubernetes \
> --user="kubelet-bootstrap" \
> --kubeconfig=bootstrap.kubeconfig
Context "default" created.
[root@master cfg]#
[root@master cfg]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".
#添加kubeconfig到cfg目录
# bootstrap.kubeconfig embeds the CA and the bootstrap token, so treat it as a
# secret: it should remain readable only by root in /opt/kubernetes/cfg.
cp -- bootstrap.kubeconfig /opt/kubernetes/cfg/
#添加到systemd进行管理
# Quoted delimiter: the unit text is written literally, so $KUBELET_OPTS stays a
# variable reference for systemd to expand from the EnvironmentFile.
cat > /usr/lib/systemd/system/kubelet.service << 'EOF'
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#启动服务,设置开机自启
# Enable at boot only if the first start succeeded, then print the unit state.
systemctl daemon-reload
if systemctl start kubelet; then
  systemctl enable kubelet
fi
systemctl is-active kubelet
#查看证书请求
#此时证书请求处于 Pending 状态,需要对它进行批准
[root@master cfg]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-kvuLMX5Xuq1nBqdRlx2OCP5krkQ_NuVn7-B_mijrXyM 16s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
#批准证书请求
# The CSR name is taken from the `kubectl get csr` listing above and differs on
# every node. Approval issues a client certificate, so before approving check
# that REQUESTOR is kubelet-bootstrap and SIGNERNAME is
# kubernetes.io/kube-apiserver-client-kubelet, as in the listing.
csr_name=node-csr-kvuLMX5Xuq1nBqdRlx2OCP5krkQ_NuVn7-B_mijrXyM
kubectl certificate approve "$csr_name"
#再次查看证书请求(状态应为 Approved,Issued,表示正常)
[root@master cfg]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-kvuLMX5Xuq1nBqdRlx2OCP5krkQ_NuVn7-B_mijrXyM 53s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
#查看集群节点,此时应该有一个节点172.22.213.49
部署Kube-proxy
#创建Kube-proxy配置文件
# EnvironmentFile for kube-proxy.service. With the quoted delimiter the body is
# written verbatim, so single backslashes give the line continuations that keep
# KUBE_PROXY_OPTS one quoted value.
cat > /opt/kubernetes/cfg/kube-proxy.conf << 'EOF'
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
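#对Kube-proxy参数进行补充
# Nesting restored: kubeconfig belongs under clientConnection; as a top-level
# key it is not a documented field and would not be used as intended.
# Security notes:
#   - metricsBindAddress 0.0.0.0:10249 serves metrics on every interface with
#     no authentication; bind it to 127.0.0.1 unless a scraper needs it.
#   - NOTE(review): clusterCIDR should be the Pod CIDR, but 10.0.0.0/24 also
#     contains the clusterDNS service address 10.0.0.2 from kubelet-config.yml;
#     confirm it against the controller-manager's --cluster-cidr and the
#     apiserver's --service-cluster-ip-range.
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: 172.22.213.49 #ip地址改为当前主机ip
clusterCIDR: 10.0.0.0/24
EOF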
#生成 kube-proxy.kubeconfig 文件
#创建证书请求文件
pwd
/root/TLS/k8s
# Certificate signing request for kube-proxy's client certificate. "hosts" is
# empty because this is a client cert, not a serving cert; the CN becomes the
# user name the API server sees (presumably matched by the cluster's default
# proxy RBAC binding — verify). Quoted delimiter: the JSON is written literally.
cat > kube-proxy-csr.json << 'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
# Sign the request with the cluster CA using the "kubernetes" profile from
# ca-config.json; cfssljson writes kube-proxy.pem and kube-proxy-key.pem into
# the current directory. The key file is a credential — keep it root-only.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json \
  | cfssljson -bare kube-proxy
#添加环境变量(临时)
# Same apiserver endpoint that bootstrap.kubeconfig was generated against.
KUBE_APISERVER="https://172.22.213.49:6443"
export KUBE_APISERVER
#生成证书文件kubeconfig
[root@master k8s]# kubectl config set-cluster kubernetes \
> --certificate-authority=/opt/kubernetes/ssl/ca.pem \
> --embed-certs=true \
> --server=${KUBE_APISERVER} \
> --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@master k8s]# kubectl config set-credentials kube-proxy \
> --client-certificate=./kube-proxy.pem \
> --client-key=./kube-proxy-key.pem \
> --embed-certs=true \
> --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.
[root@master k8s]#
[root@master k8s]# kubectl config set-context default \
> --cluster=kubernetes \
> --user=kube-proxy \
> --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@master k8s]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".
#将生成文件拷贝到工作目录
# kube-proxy.kubeconfig embeds the client certificate and private key
# (--embed-certs=true above), so it is a credential: keep it root-only.
cp -- kube-proxy.kubeconfig /opt/kubernetes/cfg/
#添加到systemd进行管理(Kube-Proxy)
# Quoted delimiter: the unit text is written literally, so $KUBE_PROXY_OPTS
# stays a variable reference for systemd to expand from the EnvironmentFile.
cat > /usr/lib/systemd/system/kube-proxy.service << 'EOF'
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#启动服务,设置开机自启
# Enable at boot only if the first start succeeded, then print the unit state.
systemctl daemon-reload
if systemctl start kube-proxy; then
  systemctl enable kube-proxy
fi
systemctl is-active kube-proxy