14. Part 13: Installing kube-proxy from binaries

This article is reprinted from: https://mp.weixin.qq.com/s?__biz=MzI1MDgwNzQ1MQ==&mid=2247484231&idx=1&sn=9e722beeea3e73df52ecdf700928c7f6&chksm=e9fdd6b3de8a5fa5f6faf6c77c1974b463e2e2238129a8a346b570cb63c2c683e03c1645840d&cur_album_id=1341273083637989377&scene=189#wechat_redirect

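This article covers kube-proxy as part of the binary installation of Kubernetes v1.17.0. To explain what kube-proxy is, we first have to talk about Services. A Service is an abstraction over a set of Pods; it acts as a load balancer for that set and distributes requests to the matching Pods. kube-proxy is the component that implements Services: when a request reaches a Service, it is matched to the backends through labels and forwarded to one of the Pods. kube-proxy offers three load-balancing modes: userspace, iptables and ipvs. Much has been written elsewhere about the differences between the three, so they are not covered in detail here; this article uses ipvs.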

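kube-proxy has to run on every node (our master nodes also run Pods; if yours do not, you can deploy it on the non-master nodes only). It actively watches kube-apiserver for changes to Services and Endpoints, then creates routing rules according to the configured mode and provides the Service IP (headless Services have no IP) and load balancing. Note: the ipvsadm and ipset commands must be installed on all nodes and the ip_vs kernel module loaded; this was already done in the preparation chapter.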

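Download https://dl.k8s.io/v1.17.0/kubernetes-node-linux-amd64.tar.gz and extract it. This article uses the kube-proxy binary from it: copy kube-proxy to the /data/k8s/bin/ directory on the control machine, then distribute it to the /data/k8s/bin/ directory on all nodes.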

Create the kubeconfig file and distribute it

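kube-proxy acts as a client of kube-apiserver. Because we have enabled TLS, access must be authenticated, so we need the certificates generated earlier (see Part 3: PKI basics, the cfssl tool, and certificates in Kubernetes). Below we create the kubeconfig file: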

#!/bin/bash

cd /data/k8s/work
source /data/k8s/bin/env.sh

kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/work/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=kube-proxy.pem \
  --client-key=kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig


for node_name in ${NODE_NAMES[@]}
do
    echo ">>> ${node_name}"
    scp kube-proxy.kubeconfig root@${node_name}:/etc/kubernetes/
done

Create the kube-proxy configuration file and distribute it

#!/bin/bash

cd /data/k8s/work
source /data/k8s/bin/env.sh

cat > kube-proxy-config.yaml.template <<EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  burst: 200
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
  qps: 100
bindAddress: ##NODE_IP##
healthzBindAddress: ##NODE_IP##:10256
metricsBindAddress: ##NODE_IP##:10249
enableProfiling: true
clusterCIDR: ${CLUSTER_CIDR}
hostnameOverride: ##NODE_NAME##
mode: "ipvs"
portRange: ""
kubeProxyIPTablesConfiguration:
  masqueradeAll: false
kubeProxyIPVSConfiguration:
  scheduler: rr
  excludeCIDRs: []
EOF

for (( i=0; i < 4; i++ ))
do 
    echo ">>> ${NODE_NAMES[i]}"
    sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" kube-proxy-config.yaml.template > kube-proxy-config-${NODE_NAMES[i]}.yaml.template
    scp kube-proxy-config-${NODE_NAMES[i]}.yaml.template root@${NODE_NAMES[i]}:/etc/kubernetes/kube-proxy-config.yaml
done
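
A pre-distribution check for the rendered files, added here as an example and not part of the original article: it flags `##...##` markers left unsubstituted, values that render empty, listener addresses without a host part, and `enableProfiling: true` combined with a non-loopback `metricsBindAddress` (kube-proxy serves `/debug/pprof` on the metrics listener when profiling is enabled). The function names, finding labels and the `clusterCIDR` value in the sample are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not from the original article: lint one rendered
# kube-proxy-config.yaml. Prints one finding per line, nothing if clean.

# Print the value of a top-level "key: value" line, quotes stripped.
cfg_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

lint_kube_proxy_config() {
    lint_file=$1
    # Markers the sed step left behind (marker typo, wrong template file).
    if grep -q '##[A-Z_]*##' "$lint_file"; then
        echo "FAIL unrendered-placeholder"
    fi
    # Values that render empty when env.sh did not define the variable.
    for lint_key in bindAddress clusterCIDR hostnameOverride; do
        [ -n "$(cfg_value "$lint_key" "$lint_file")" ] || echo "FAIL empty-$lint_key"
    done
    # An empty NODE_IP renders "IP:10249" as ":10249", with no host part.
    for lint_key in healthzBindAddress metricsBindAddress; do
        case "$(cfg_value "$lint_key" "$lint_file")" in
            :*) echo "FAIL no-host-$lint_key" ;;
            0.0.0.0:*|"[::]":*) echo "WARN wildcard-$lint_key" ;;
        esac
    done
    # With profiling on, /debug/pprof is served on the metrics listener.
    if [ "$(cfg_value enableProfiling "$lint_file")" = "true" ]; then
        case "$(cfg_value metricsBindAddress "$lint_file")" in
            127.*|"[::1]":*|"") ;;   # loopback, or unset (loopback default)
            *) echo "WARN pprof-on-non-loopback-metrics-port" ;;
        esac
    fi
    return 0
}

# Constructed sample: the article's template fields after substitution.
# The clusterCIDR value is made up for the example.
render_sample() {
    printf '%s\n' "kind: KubeProxyConfiguration" "bindAddress: $2" \
        "healthzBindAddress: $2:10256" "metricsBindAddress: $2:10249" \
        "enableProfiling: true" "clusterCIDR: 172.30.0.0/16" \
        "hostnameOverride: $1" 'mode: "ipvs"'
}

sample=$(mktemp)
render_sample node-a "" > "$sample"    # simulates an unset NODE_IPS[i]
lint_kube_proxy_config "$sample"
rm -f "$sample"
```

Run the function against each kube-proxy-config-<node>.yaml.template file in /data/k8s/work before the scp step and stop the loop on any FAIL line.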

Configuration explained

Create the startup (systemd unit) file and distribute it

#!/bin/bash

cd /data/k8s/work
source /data/k8s/bin/env.sh

cat > kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
WorkingDirectory=${K8S_DIR}/kube-proxy
ExecStart=/data/k8s/bin/kube-proxy \\
  --config=/etc/kubernetes/kube-proxy-config.yaml \\
  --master=https://api.k8s.vip:8443 \\
  --logtostderr=true \\
  --v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF


for node_name in ${NODE_NAMES[@]}
do 
    echo ">>> ${node_name}"
    scp kube-proxy.service root@${node_name}:/etc/systemd/system/
done

Start the service

#!/bin/bash

cd /data/k8s/work
source /data/k8s/bin/env.sh

for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "mkdir -p ${K8S_DIR}/kube-proxy"
    ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy"
done

Check the service

#!/bin/bash

cd /data/k8s/work
source /data/k8s/bin/env.sh

for node_ip in ${NODE_IPS[@]}
do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "systemctl status kube-proxy|grep -i active"
done

Check results:
>>> 192.168.16.104
   Active: active (running) since Sun 2019-12-29 23:00:26 CST; 1 months 5 days ago
>>> 192.168.16.105
   Active: active (running) since Sun 2019-12-29 23:00:27 CST; 1 months 5 days ago
>>> 192.168.16.106
   Active: active (running) since Sun 2019-12-29 23:00:27 CST; 1 months 5 days ago
>>> 192.168.16.107
   Active: active (running) since Sun 2019-12-29 23:00:28 CST; 1 months 5 days ago

Summary

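Installing the kube-proxy component is relatively simple. What matters here is knowing what kube-proxy is and understanding how it works: which load-balancing modes it has, how it provides Services, and how it maps to the backend Pods. This setup exposes the non-secure port 10249 and the secure port 10256.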