k8s1.13.0二进制部署-node节点(四)

Master apiserver启用TLS认证后,Node节点kubelet组件想要加入集群,必须使用CA签发的有效证书才能与apiserver通信,当Node节点很多时,签署证书是一件很繁琐的事情,因此有了TLS Bootstrapping机制,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。
认证大致工作流程如图所示:

准备二进制文件

scp kubelet kube-proxy 192.168.0.125:/opt/kubernetes/bin/
scp kubelet kube-proxy 192.168.0.126:/opt/kubernetes/bin/

部署kubelet

创建角色绑定

kubectl create clusterrolebinding kubelet-bootstrap   --clusterrole=system:node-bootstrapper   --user=kubelet-bootstrap
创建 kubelet bootstrapping kubeconfig 文件
# 设置集群参数
kubectl config set-cluster kubernetes   --certificate-authority=/opt/kubernetes/ssl/ca.pem   --embed-certs=true   --server=https://192.168.0.130:6443 \
  --kubeconfig=bootstrap.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap   --token=${BOOTSTRAP_TOKEN}   --kubeconfig=bootstrap.kubeconfig

# 设置上下文参数
kubectl config set-context default   --cluster=kubernetes   --user=kubelet-bootstrap   --kubeconfig=bootstrap.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
将bootstrap.kubeconfig文件拷贝到node节点
scp bootstrap.kubeconfig 192.168.0.125:/opt/kubernetes/cfg/
scp bootstrap.kubeconfig 192.168.0.126:/opt/kubernetes/cfg/
创建kubelet配置文件

[[email protected] ~]# vim /opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=false \
--v=4 \
--log-dir=/opt/kubernetes/log \
--hostname-override=192.168.0.125 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

参数说明:

--hostname-override 在集群中显示的主机名
--kubeconfig 指定kubeconfig文件位置,会自动生成
--bootstrap-kubeconfig 指定刚才生成的bootstrap.kubeconfig文件
--cert-dir 颁发证书存放位置
--pod-infra-container-image 管理Pod网络的镜像

其中/opt/kubernetes/cfg/kubelet.config配置文件如下:
[[email protected] ~]# vim /opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address:
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
创建kubelet系统服务
[[email protected] ~]# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
启动kubelet
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
systemctl status kubelet

查看csr请求

[[email protected] ~]# kubectl get csr
NAME                                                   AGE    REQUESTOR           CONDITION
node-csr-h0XFLgAXsCQvIQdUN5_fHGJbwYJaekO3zzhEK_wDcNY   103s   kubelet-bootstrap   Pending
node-csr-xECZ6WkPvlSzu9fE4CJQlMjPfCxJlUpidvSuKWOGpZE   90s    kubelet-bootstrap   Pending

批准kubelet 的 TLS 证书请求

[[email protected] ~]# kubectl get csr|grep ‘Pending‘ | awk ‘NR>0{print $1}‘| xargs kubectl certificate approve
certificatesigningrequest.certificates.k8s.io/node-csr-h0XFLgAXsCQvIQdUN5_fHGJbwYJaekO3zzhEK_wDcNY approved
certificatesigningrequest.certificates.k8s.io/node-csr-xECZ6WkPvlSzu9fE4CJQlMjPfCxJlUpidvSuKWOGpZE approved

查看node已经加入集群

[[email protected] ~]# kubectl get node
NAME            STATUS   ROLES    AGE   VERSION
192.168.0.125   Ready    <none>   68s   v1.13.0
192.168.0.126   Ready    <none>   69s   v1.13.0

kube-proxy部署

配置kube-proxy使用LVS
yum install -y ipvsadm ipset conntrack

创建 kube-proxy 证书请求

[[email protected] ssl]# vim kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

生成证书

cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem    -ca-key=/opt/kubernetes/ssl/ca-key.pem    -config=/opt/kubernetes/ssl/ca-config.json    -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

将证书分发到node节点

scp kube-proxy*.pem 192.168.0.125:/opt/kubernetes/ssl/
scp kube-proxy*.pem 192.168.0.126:/opt/kubernetes/ssl/
创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes   --certificate-authority=/opt/kubernetes/ssl/ca.pem   --embed-certs=true   --server=https://192.168.0.130:6443 \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy   --client-certificate=kube-proxy.pem   --client-key=kube-proxy-key.pem   --embed-certs=true   --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default   --cluster=kubernetes   --user=kube-proxy   --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

分发kubeconfig配置文件

scp kube-proxy.kubeconfig 192.168.0.125:/opt/kubernetes/cfg/
scp kube-proxy.kubeconfig 192.168.0.126:/opt/kubernetes/cfg/

创建kube-proxy配置文件

[[email protected] ~]# vim /opt/kubernetes/cfg/kube-proxy

KUBE_PROXY_OPTS="--logtostderr=false \
--v=4 \
--log-dir=/opt/kubernetes/log \
--hostname-override=192.168.0.125 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--ipvs-min-sync-period=5s \
--ipvs-sync-period=5s \
--ipvs-scheduler=rr \
--masquerade-all=true \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

创建kube-proxy系统服务

[[email protected] ~]# vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

启动kube-proxy

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
systemctl status kube-proxy
运行一个测试示例
kubectl run nginx --image=nginx --replicas=3
kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort

查看pod,service

[[email protected] ~]# kubectl get pod,svc -o wide
NAME                         READY   STATUS              RESTARTS   AGE   IP            NODE            NOMINATED NODE   READINESS GATES
pod/nginx-7cdbd8cdc9-g9658   0/1     ImagePullBackOff    0          51s   172.17.84.2   192.168.0.125   <none>           <none>
pod/nginx-7cdbd8cdc9-wmh46   0/1     ContainerCreating   0          51s   <none>        192.168.0.126   <none>           <none>
pod/nginx-7cdbd8cdc9-zwmxd   0/1     ContainerCreating   0          51s   <none>        192.168.0.126   <none>           <none>

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE   SELECTOR
service/kubernetes   ClusterIP   10.0.0.1     <none>        443/TCP        21h   <none>
service/nginx        NodePort    10.0.0.171   <none>        88:48652/TCP   48s   run=nginx

访问部署的nginx

查看访问日志

[[email protected] ~]# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
[[email protected]-master1 ~]# kubectl logs nginx-7cdbd8cdc9-g9658
172.17.84.1 - - [18/Dec/2018:01:59:43 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" "-"

查看LVS状态

[[email protected] ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 127.0.0.1:48652 rr
-> 172.17.34.2:80 Masq 1 0 0
-> 172.17.34.3:80 Masq 1 0 0
-> 172.17.84.2:80 Masq 1 0 0
TCP 172.17.34.0:48652 rr
-> 172.17.34.2:80 Masq 1 0 0
-> 172.17.34.3:80 Masq 1 0 0
-> 172.17.84.2:80 Masq 1 0 0
TCP 172.17.34.1:48652 rr
-> 172.17.34.2:80 Masq 1 0 0
-> 172.17.34.3:80 Masq 1 0 0
-> 172.17.84.2:80 Masq 1 0 0
TCP 192.168.0.126:48652 rr
-> 172.17.34.2:80 Masq 1 0 0
-> 172.17.34.3:80 Masq 1 0 0
-> 172.17.84.2:80 Masq 1 0 0
TCP 10.0.0.1:443 rr
-> 192.168.0.123:6443 Masq 1 0 0
-> 192.168.0.124:6443 Masq 1 0 0
TCP 10.0.0.171:88 rr
-> 172.17.34.2:80 Masq 1 0 0
-> 172.17.34.3:80 Masq 1 0 0
-> 172.17.84.2:80 Masq 1 0 0

原文地址:https://www.cnblogs.com/yuezhimi/p/10133061.html

时间: 2024-10-08 04:22:08

k8s1.13.0二进制部署-node节点(四)的相关文章

k8s1.13.0二进制部署-master节点(三)

部署apiserver 创建生成CSR的JSON配置文件 [[email protected] ssl]# vim kubernetes-csr.json { "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.0.123", "192.168.0.124", "192.168.0.130", "10.0

k8s1.13.0二进制部署Dashboard(五)

部署UI 下载yaml文件https://github.com/kubernetes/kubernetes [[email protected] ~]# git clone https://github.com/kubernetes/kubernetes.git [[email protected] ~]# cd kubernetes/cluster/addons/dashboard/ [[email protected]-master1 dashboard]# ll total 32 -rw-

k8s部署---node节点组件部署(四)

kubelet组件简介 kubernetes 是一个分布式的集群管理系统,在每个节点(node)上都要运行一个 worker 对容器进行生命周期的管理,这个 worker 程序就是 kubelet kubelet 的主要功能就是定时从某个地方获取节点上 pod/container 的期望状态(运行什么容器.运行的副本数量.网络或者存储如何配置等等),并调用对应的容器平台接口达到这个状态. kubelet组件特性 定时汇报当前节点的状态给 apiserver,以供调度的时候使用 镜像和容器的清理工

部署node节点组件

部署node节点组件 mv kubelet kube-proxy /opt/kubernetes/bin chmod +x /opt/kubernetes/bin/* && chmod +x *.sh ./kubelet.sh 172.16.163.130 10.10.10.2 ./proxy.sh 172.16.163.130 kubelet.sh [[email protected] ~]# cat kubelet.sh #!/bin/bash NODE_ADDRESS=${1:-&q

5.K8S部署-------- 部署Node节点

没有特别其他说明一切按照文档执行 1.二进制包准备 将软件包从linux-node1复制到linux-node2 linux-node3中去. [[email protected]1 ~]# cd /usr/local/src/kubernetes/server/bin/ [[email protected] bin]# cp kubelet kube-proxy /opt/kubernetes/bin/ [[email protected] bin]# scp kubelet kube-pro

K8S二进制部署master节点

在完成前面的K8S基础组件配置之后,我们就可以正式开始K8S的部署工作.本文介绍在k8s master组件的二进制部署过程,由于环境为内网开发和测试环境,所以仅考虑etcd组件的高可用,api-server.controller-manager和scheduler的高可用暂不考虑,后续可以使用keepalive的方式实现. 一.软件包下载地址Server包: https://dl.k8s.io/v1.9.6/kubernetes-server-linux-amd64.tar.gz 二.部署mas

k8s二进制部署

k8s二进制部署 1.环境准备 主机名 ip地址 角色 k8s-master01 10.0.0.10 master k8s-master02 10.0.0.11 master k8s-node01 10.0.0.12 node k8s-node02 10.0.0.13 node 初始化操作 关闭防火墙 关闭selinux 关闭swap 安装ntp使时间同步 配置域名解析 配置免密 k8s-master01 到其他机器. 安装docker 2.生成配置CFSSL CFFSL能够构建本地CA,生成后

[转贴]CentOS7.5 Kubernetes V1.13(最新版)二进制部署集群

CentOS7.5 Kubernetes V1.13(最新版)二进制部署集群 http://blog.51cto.com/10880347/2326146 一.概述 kubernetes 1.13 已发布,这是 2018 年年内第四次也是最后一次发布新版本.Kubernetes 1.13 是迄今为止发布间隔最短的版本之一(与上一版本间隔十周),主要关注 Kubernetes 的稳定性与可扩展性,其中存储与集群生命周期相关的三项主要功能已逐步实现普遍可用性. Kubernetes 1.13 的核心

三 node节点部署k8s组件

接着第二篇,master上面部署完了三个角色,接着部署node节点主要部署:kubelet kube-proxy 一 环境准备(以下都是在master上操作) 1建立目录,拷贝两个组件 mkdir /home/yx/kubernetes/{bin,cfg,ssl} -p # 两个node节点都拷贝 scp -r /home/yx/src/kubernetes/server/bin/kubelet [email protected]:/home/yx/kubernetes/bin scp -r /