This article follows on from "Kubernetes 1.9 Production Environment High-Availability Practice – 004 – Installing the flannel network plugin on the node".
It covers installing the Kubernetes 1.9 kubelet and kube-proxy on the server yds-dev-svc02-node01.
While configuring, I copy the complete output of every command I run, both for reference and so that it is clear which server each command was executed on.
01 Preparing the files
01.01 Download the files we need
In "Kubernetes 1.9 Production Environment High-Availability Practice – 002" we already downloaded all the binaries needed to install the cluster. Download address: https://pan.baidu.com/s/1wyhV_kBpIqZ_MdS2Ghb8sg
The files used in this part are kubelet and kube-proxy.
Next we start the configuration.
02 Configuring the kubelet
02.01 Prepare the kubelet
Copy the kubelet binary into the directory /usr/bin/.
[root@yds-dev-svc02-node01 ~]# cp kubelet /usr/bin/
[root@yds-dev-svc02-node01 ~]# chmod +x /usr/bin/kubelet
02.02 Pull the pod-infrastructure image
[root@yds-dev-svc02-node01 ssl]# yum install *rhsm*
[root@yds-dev-svc02-node01 ssl]# docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest
02.03 Prepare the certificate files
We also need to create the certificate files for kube-proxy.
As before, this is done back on the server yds-dev-svc01-etcd01.
Create kube-proxy-csr.json:
[root@yds-dev-svc01-etcd01 key]# cat kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size":
  },
  "names": [
    {
      "C": "CN",
      "ST": "chengdu",
      "L": "chengdu",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Create the certificate with the cfssl command.
Check the generated certificate files:
[root@yds-dev-svc01-etcd01 key]# ls kube-proxy*
kube-proxy.csr  kube-proxy-csr.json  kube-proxy-key.pem  kube-proxy.pem
[root@yds-dev-svc01-etcd01 key]# pwd
/tmp/key
02.04 Create the kube-proxy kubeconfig file
* Configure the cluster *
kubectl config set-cluster kubernetes \
  --certificate-authority=/tmp/key/ca.pem \
  --embed-certs=true \
  --server=https://192.168.3.55:6443 \
  --kubeconfig=kube-proxy.kubeconfig
* Configure the client credentials *
kubectl config set-credentials kube-proxy \
  --client-certificate=/tmp/key/kube-proxy.pem \
  --client-key=/tmp/key/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
* Configure the context *
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
* Set the default context *
After this, the file kube-proxy.kubeconfig is generated. Next, copy it to the /etc/kubernetes directory on the node.
02.05 Create the bootstrap configuration
This step is executed on yds-dev-svc01-master01, where kubectl is installed.
When the kubelet starts it sends a TLS bootstrapping request to kube-apiserver. The kubelet-bootstrap user from the bootstrap token file must first be bound to the system:node-bootstrapper cluster role; only then does the kubelet have permission to create certificate signing requests:
[root@yds-dev-svc01-master01 ~]# cd /etc/kubernetes/
[root@yds-dev-svc01-master01 kubernetes]# ls
apiserver  config  controller-manager  scheduler  ssl  token.csv
[root@yds-dev-svc01-master01 kubernetes]# kubectl create clusterrolebinding kubelet-bootstrap \
> --clusterrole=system:node-bootstrapper \
> --user=kubelet-bootstrap
clusterrolebinding "kubelet-bootstrap" created
Check the result:
[root@yds-dev-svc01-master01 kubernetes]# kubectl get clusterrolebinding
NAME AGE
cluster-admin 8d
kubelet-bootstrap 3m
system:aws-cloud-provider 8d
system:basic-user 8d
system:controller:attachdetach-controller 8d
system:controller:certificate-controller 8d
system:controller:clusterrole-aggregation-controller 8d
system:controller:cronjob-controller 8d
system:controller:daemon-set-controller 8d
system:controller:deployment-controller 8d
system:controller:disruption-controller 8d
system:controller:endpoint-controller 8d
system:controller:generic-garbage-collector 8d
system:controller:horizontal-pod-autoscaler 8d
system:controller:job-controller 8d
system:controller:namespace-controller 8d
system:controller:node-controller 8d
system:controller:persistent-volume-binder 8d
system:controller:pod-garbage-collector 8d
system:controller:replicaset-controller 8d
system:controller:replication-controller 8d
system:controller:resourcequota-controller 8d
system:controller:route-controller 8d
system:controller:service-account-controller 8d
system:controller:service-controller 8d
system:controller:statefulset-controller 8d
system:controller:ttl-controller 8d
system:discovery 8d
system:kube-controller-manager 8d
system:kube-dns 8d
system:kube-scheduler 8d
system:node 8d
system:node-proxier 8d
View the description:
[root@yds-dev-svc01-master01 kubernetes]# kubectl describe clusterrolebinding kubelet-bootstrap
Name:         kubelet-bootstrap
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:node-bootstrapper
Subjects:
  Kind  Name               Namespace
  ----  ----               ---------
  User  kubelet-bootstrap
View the object itself:
[root@yds-dev-svc01-master01 kubernetes]# kubectl edit clusterrolebinding kubelet-bootstrap
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: --T08::Z
  name: kubelet-bootstrap
  resourceVersion: "528680"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/kubelet-bootstrap
  uid: fc---b786-c2948d8a8
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubelet-bootstrap
02.06 Create the kubelet configuration file
The configuration file is /etc/kubernetes/kubelet:
[root@yds-dev-svc02-node01 ~]# cat /etc/kubernetes/kubelet
###
## kubernetes kubelet (minion) config
#
## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=192.168.3.56"
#
## The port for the info server to serve on
#KUBELET_PORT="--port=10250"
#
## You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=yds-dev-svc02-node01"
#
## pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
#
## Add your own!
KUBELET_ARGS="--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice --cgroup-driver=systemd --fail-swap-on=false --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cluster-dns=10.254.0.2 --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"
KUBELET_ADDRESS: the IP address of this node.
KUBELET_HOSTNAME: the hostname of this node; the most visible effect of this setting is in the output of 'kubectl get nodes'.
KUBELET_API_SERVER: the apiserver address we configured earlier.
cert-dir: the directory where the automatically generated certificates are stored.
tls-cert-file: points to the apiserver certificate.
tls-private-key-file: points to the apiserver key.
02.07 Create the config file
[root@yds-dev-svc02-node01 ~]# cat /etc/kubernetes/config
###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
# kube-apiserver.service
# kube-controller-manager.service
# kube-scheduler.service
# kubelet.service
# kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"
# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"
# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=true"
02.08 Create the service file
Create the file /usr/lib/systemd/system/kubelet.service:
[root@yds-dev-svc02-node01 ~]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBELET_API_SERVER \
        $KUBELET_ADDRESS \
        $KUBELET_PORT \
        $KUBELET_HOSTNAME \
        $KUBE_ALLOW_PRIV \
        $KUBELET_POD_INFRA_CONTAINER \
        $KUBELET_ARGS
Restart=on-failure
[Install]
WantedBy=multi-user.target
03 Configuring kube-proxy
03.01 Create the proxy configuration file
[root@yds-dev-svc02-node01 kubernetes]# cat proxy
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig"
03.02 Create the service file
[root@yds-dev-svc02-node01 kubernetes]# cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/bin/kube-proxy \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_MASTER \
        $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
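Both unit files above reference variables that neither /etc/kubernetes/config nor the unit's own environment file defines: $KUBELET_API_SERVER and $KUBELET_PORT in kubelet.service (the latter is commented out), and $KUBE_MASTER in kube-proxy.service. systemd expands an undefined variable to an empty string, so the flag silently disappears from the command line instead of failing the start. The script below is an added example, not part of this post, that lints a unit against its EnvironmentFile= entries. The helper make_sample_tree writes a constructed copy of the post's files (trimmed to the lines that matter) under a temporary root, and check_unit_env takes that root as an optional prefix; on the node itself the prefix is left empty.

```shell
#!/bin/sh
# Added example: report every $VARIABLE used in ExecStart= that no
# EnvironmentFile= of the unit defines (commented-out lines do not count).

# Usage: check_unit_env UNIT_FILE [ROOT]
# ROOT is prefixed to the EnvironmentFile= paths so a copy of the tree can be
# checked; pass nothing on a real node.
check_unit_env() {
    unit=$1
    root=${2:-}
    # Variable names referenced in the (possibly multi-line) ExecStart= block.
    refs=$(sed -n '/^ExecStart=/,/[^\\]$/p' "$unit" \
        | grep -o '\$[{]*[A-Za-z_][A-Za-z0-9_]*' | tr -d '${}' | sort -u)
    # Variable names defined in the environment files; the leading "-" on
    # EnvironmentFile=- only tells systemd to ignore a missing file.
    defs=$(grep '^EnvironmentFile=' "$unit" | sed 's/^EnvironmentFile=-*//' \
        | while read -r f; do
            [ -r "$root$f" ] && grep -o '^[A-Za-z_][A-Za-z0-9_]*=' "$root$f"
          done | tr -d '=' | sort -u)
    for v in $refs; do
        printf '%s\n' "$defs" | grep -qx "$v" || printf '%s\n' "$v"
    done
}

# Constructed sample tree mirroring the files from this post (trimmed).
# Prints the temporary root directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/kubernetes"
    cat > "$d/etc/kubernetes/config" <<'EOF'
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=0"
KUBE_ALLOW_PRIV="--allow-privileged=true"
EOF
    cat > "$d/etc/kubernetes/kubelet" <<'EOF'
KUBELET_ADDRESS="--address=192.168.3.56"
#KUBELET_PORT="--port=10250"
KUBELET_HOSTNAME="--hostname-override=yds-dev-svc02-node01"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl"
EOF
    cat > "$d/etc/kubernetes/proxy" <<'EOF'
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig"
EOF
    cat > "$d/kubelet.service" <<'EOF'
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBELET_API_SERVER \
        $KUBELET_ADDRESS \
        $KUBELET_PORT \
        $KUBELET_HOSTNAME \
        $KUBE_ALLOW_PRIV \
        $KUBELET_POD_INFRA_CONTAINER \
        $KUBELET_ARGS
Restart=on-failure
EOF
    cat > "$d/kube-proxy.service" <<'EOF'
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/bin/kube-proxy \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_MASTER \
        $KUBE_PROXY_ARGS
Restart=on-failure
EOF
    printf '%s\n' "$d"
}
```

Running check_unit_env against the constructed kubelet.service lists KUBELET_API_SERVER and KUBELET_PORT; against kube-proxy.service it lists KUBE_MASTER. Whether a listed variable is a real omission or an intentionally unused placeholder is a decision for whoever maintains the files, but at least the silent expansion is no longer silent.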
04 Starting the services
04.01 Send the certificate signing request
When the kubelet starts for the first time it sends a certificate signing request to the apiserver; only after the apiserver approves it is the Node added to the cluster.
The command to list the signing requests sent by the nodes is:
kubectl get certificatesigningrequests, or
kubectl get csr; the two commands are equivalent.
[root@yds-dev-svc01-master01 ~]# kubectl get certificatesigningrequests
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo   11s       kubelet-bootstrap   Pending
[root@yds-dev-svc01-master01 ~]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo   3m        kubelet-bootstrap   Pending
node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo is the name of the request that was sent.
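Before approving anything, it is worth narrowing the list to requests that are still Pending and that were submitted by the identity we bound to system:node-bootstrapper; anything else is left for a human to inspect rather than approved in bulk. The shell functions below are an added example and not part of the original post. The sample output is constructed from the kubectl get csr output above plus two made-up rows (an already issued request and one from an unexpected requestor), and approve_commands prints the kubectl certificate approve commands instead of executing them, so the list can be reviewed against the nodes you actually expect before it is piped into sh.

```shell
#!/bin/sh
# Added example: filter "kubectl get csr" output down to the requests that
# match the bootstrap identity, and emit approve commands for review.

# Constructed sample: the CSR from this post plus two made-up rows.
SAMPLE_CSR_OUTPUT='NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo   3m        kubelet-bootstrap   Pending
node-csr-EXAMPLE-already-issued-00000000000000000000   8d        kubelet-bootstrap   Approved,Issued
csr-EXAMPLE-unexpected-requestor-0000000000000000      1m        some-other-user     Pending'

# pending_bootstrap_csrs OUTPUT [REQUESTOR]
# Prints the names of CSRs whose CONDITION is Pending and whose REQUESTOR is
# the given identity (default: kubelet-bootstrap, as bound in this post).
pending_bootstrap_csrs() {
    printf '%s\n' "$1" | awk -v who="${2:-kubelet-bootstrap}" '
        NR == 1 { next }                            # skip the header row
        $3 == who && $4 == "Pending" { print $1 }   # name is column 1
    '
}

# approve_commands OUTPUT [REQUESTOR]
# Prints one "kubectl certificate approve <name>" line per matching CSR.
# Nothing is executed here; pipe the reviewed list into sh yourself.
approve_commands() {
    pending_bootstrap_csrs "$1" "$2" | while read -r name; do
        printf 'kubectl certificate approve %s\n' "$name"
    done
}
```

On a live cluster the OUTPUT argument is simply "$(kubectl get csr)". The requestor filter matters because the bootstrap token identity is the only one that should be creating node CSRs at this stage; a Pending request from any other user is a reason to look closer, not a reason to approve.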
04.02 Approve the signing request
Because the apiserver has to approve the request, we do it through kubectl, here on the server yds-dev-svc01-master01.
[root@yds-dev-svc01-master01 ~]# kubectl certificate approve node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo
certificatesigningrequest "node-csr-KHdclgQlIa0kaTz-f5vjijMx_G2vzLUjuQZc8UIc7Oo" approved
04.03 Check that the certificates were generated
Once the signing request is approved, the node generates the certificate files automatically, in the directory /etc/kubernetes/ssl that we set in the configuration file earlier. Let us look at the files generated in that directory.
[root@yds-dev-svc02-node01 ssl]# ls kubelet*
kubelet-client.crt kubelet-client.key kubelet.crt kubelet.key
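Two quick checks on that directory, as an added example that is not part of the post: the private keys must not be readable by anyone other than their owner (the kubelet-client.key file is what authenticates this node to the apiserver), and every certificate should have its matching key and vice versa, so a half-finished or half-rotated set is noticed. make_sample_ssl_dir builds a constructed copy of the four files listed above, with one key deliberately left world-readable.

```shell
#!/bin/sh
# Added example: sanity checks on the kubelet certificate directory.

# find_loose_keys DIR
# Prints private keys under DIR whose mode is not exactly 0600.
find_loose_keys() {
    find "$1" -type f -name '*.key' ! -perm 600 | sort
}

# unpaired_cert_files DIR
# Prints every .crt without a .key of the same base name, and every .key
# without a .crt.
unpaired_cert_files() {
    for f in "$1"/*.crt "$1"/*.key; do
        [ -e "$f" ] || continue          # unmatched glob, nothing to do
        case $f in
            *.crt) [ -e "${f%.crt}.key" ] || printf '%s\n' "$f" ;;
            *.key) [ -e "${f%.key}.crt" ] || printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed sample: the four files from this post, empty, with
# kubelet.key deliberately left world-readable. Prints the directory.
make_sample_ssl_dir() {
    d=$(mktemp -d)
    for f in kubelet-client.crt kubelet-client.key kubelet.crt kubelet.key; do
        : > "$d/$f"
    done
    chmod 600 "$d/kubelet-client.key"
    chmod 644 "$d/kubelet.key"
    printf '%s\n' "$d"
}
```

On the node itself the calls are find_loose_keys /etc/kubernetes/ssl and unpaired_cert_files /etc/kubernetes/ssl; both print nothing when the directory is in order, which makes them easy to drop into a post-join checklist.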
04.04 Check the node information
Remember the server yds-dev-svc01-master01 where we configured kubectl? We now run the command there.
[root@yds-dev-svc01-master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
yds-dev-svc02-node01 Ready <none> 5d v1.9.0
As we can see, the node we created is now listed.
With this the node configuration is complete; to add more nodes, repeat the same steps for each one.