(Part 2) Kubernetes cluster deployment (node): building a single cluster, v1.1
Deploying the components on the Node
Once TLS authentication is enabled on the Master's apiserver, a Node's kubelet has to present a valid certificate issued by the cluster CA before it can talk to the apiserver. Signing one certificate per Node by hand becomes tedious as the number of Nodes grows, which is what the TLS Bootstrapping mechanism solves: the kubelet first authenticates as a low-privilege bootstrap user (a bearer token listed in the apiserver's static token file), uses that identity only to submit a CertificateSigningRequest for its own client certificate, and the certificate is signed on the master side once the request has been approved. From then on the kubelet authenticates with the certificate and the bootstrap token is no longer needed.
The authentication flow is roughly as shown in the figure:
1. Bind the kubelet-bootstrap user to the built-in cluster role
Run on the master node (192.168.1.13). kubelet-bootstrap is the user name that token.csv assigns to the bootstrap token; the system:node-bootstrapper ClusterRole lets that user create and read CertificateSigningRequests and nothing else, which is all the bootstrap identity should ever be able to do:
[[email protected] kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
Result:
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
2. Copy the binaries (copy kubelet and kube-proxy from the server binary package downloaded earlier into /opt/kubernetes/bin/ on each node)
[[email protected] bin]# pwd
/data/tools/k8s/kubernetes/server/bin
[[email protected] bin]# scp kubelet kube-proxy 192.168.1.23:/opt/kubernetes/bin/
Run the script below to generate the two files kube-proxy.kubeconfig and bootstrap.kubeconfig:
[[email protected] kubeconfig]# cat /data/k8s/kubeconfig/kubeconfig.sh
#-----------------start-----------------------------------------------------------------------------------------
#!/bin/bash
# Usage: bash kubeconfig.sh <apiserver-ip> <ssl-dir>
# Writes bootstrap.kubeconfig (token auth for the kubelet) and kube-proxy.kubeconfig (client cert) in the current directory.
set -euo pipefail
[ $# -eq 2 ] || { echo "usage: $0 APISERVER_IP SSL_DIR" >&2; exit 1; }
# Create the TLS Bootstrapping token. If /opt/kubernetes/cfg/token.csv was already created when the
# master was deployed, do not create another one: BOOTSTRAP_TOKEN below must be exactly the token
# in that file, because the apiserver only accepts tokens listed in its --token-auth-file.
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
#cat > token.csv << EOF
#${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
#EOF
BOOTSTRAP_TOKEN=674c457d4dcf2eefe4920d7dbb6b0ddcc
APISERVER=$1
SSL_DIR=$2
export KUBE_APISERVER="https://$APISERVER:6443"
# Create the kubelet bootstrapping kubeconfig
# Cluster parameters (--embed-certs=true copies ca.pem into the file, so it still works after being copied to a node)
kubectl config set-cluster kubernetes \
  --certificate-authority="$SSL_DIR/ca.pem" \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig
# Client credentials: the bootstrap token, which the apiserver maps to the user kubelet-bootstrap
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig
# Context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
# Default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# Create the kube-proxy kubeconfig (kube-proxy authenticates with the client certificate signed earlier, not with the token)
kubectl config set-cluster kubernetes \
  --certificate-authority="$SSL_DIR/ca.pem" \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate="$SSL_DIR/kube-proxy.pem" \
  --client-key="$SSL_DIR/kube-proxy-key.pem" \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
# Both files now contain secrets (a bearer token, a private key): do not leave them world-readable
chmod 600 bootstrap.kubeconfig kube-proxy.kubeconfig
#-----------------end-----------------------------------------------------------------------------------------
Argument 1: the apiserver address (the master's own IP, since the script is run there); argument 2: the directory holding ca.pem, kube-proxy.pem and kube-proxy-key.pem
[[email protected] kubeconfig]# bash kubeconfig.sh 192.168.1.13 /data/k8s/master-ca
3. Copy the files to the nodes. Both files carry credentials (the bootstrap bearer token and the kube-proxy private key), so keep them readable by root only on the destination.
[[email protected] kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.1.23:/opt/kubernetes/cfg/
[[email protected] kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.1.24:/opt/kubernetes/cfg/
Deploying the kubelet component
1. Create the kubelet configuration files
[[email protected] cfg]# cd /opt/kubernetes/cfg
[[email protected] cfg]# cat kubelet.sh
#--------------------start-------------------------------------------------------------
#!/bin/bash
# Usage: bash kubelet.sh <node-ip> [cluster-dns-ip]
# Writes the kubelet option file, the KubeletConfiguration file and the systemd unit, then starts the kubelet.
set -euo pipefail
NODE_ADDRESS=${1:?usage: $0 NODE_ADDRESS [DNS_SERVER_IP]}
DNS_SERVER_IP=${2:-"10.0.0.2"}
cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=${NODE_ADDRESS} \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
cat <<EOF >/opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255          # unauthenticated read-only API; lab setting, use 0 in production
cgroupDriver: cgroupfs       # must match the cgroup driver reported by "docker info"
clusterDNS:
  - ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true            # lab setting: requests with no credentials are accepted, use false in production
EOF
cat << EOF > /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
#--------------------end-------------------------------------------------------------
Run the script (it generates the kubelet and kubelet.config files and starts the service):
bash kubelet.sh 192.168.1.23
Parameter description:
--hostname-override the name this node registers with in the cluster (here its IP); it is also the name in the CSR the kubelet submits
--kubeconfig where the kubelet writes its own kubeconfig once bootstrapping has succeeded; the file does not exist on first start
--bootstrap-kubeconfig the bootstrap.kubeconfig generated above, used only until a certificate has been issued
--cert-dir where the issued certificate and key are stored
--pod-infra-container-image the pause image; each Pod's infrastructure container, the one that holds the Pod's network namespace, is created from it
Two settings in kubelet.config are lab shortcuts and not acceptable on a production node: authentication.anonymous.enabled: true accepts requests that carry no credentials at all on port 10250, and readOnlyPort: 10255 serves pod specs (environment variables included) and metrics with no authentication. Set anonymous to false and readOnlyPort to 0, point authentication.x509.clientCAFile at ca.pem and leave authorization.mode at its default of Webhook; the apiserver then needs its own client certificate for the kubelet (--kubelet-client-certificate / --kubelet-client-key, signed by the same CA), otherwise kubectl logs and kubectl exec stop working.
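The following is an added example, not code from the original tutorial: a small POSIX shell linter for the KubeletConfiguration that kubelet.sh writes, next to a function that writes the hardened form of the same file. It assumes, which the page does not state, that ca.pem is at /opt/kubernetes/ssl/ca.pem on the node and that the apiserver presents a client certificate signed by that CA when it calls the kubelet; the webhook modes also need the kubelet's own credentials to be allowed to create tokenreviews and subjectaccessreviews, which the system:node ClusterRole grants.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint the KubeletConfiguration that kubelet.sh
# writes and emit the hardened form. Assumed, not from the page: ca.pem is at
# /opt/kubernetes/ssl/ca.pem on the node and the apiserver presents a client certificate
# signed by it when it calls the kubelet.

# Value of the first "key: value" line in the file, indentation and trailing comments ignored.
yaml_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# Usage: audit_kubelet_config kubelet.config
# Prints one finding per line; returns the number of findings (0 = clean).
audit_kubelet_config() {
    cfg=$1 findings=0
    # The "enabled:" that follows "anonymous:" is authentication.anonymous.enabled.
    anon=$(awk '$1 == "anonymous:" { in_anon = 1; next } in_anon && $1 == "enabled:" { print $2; exit }' "$cfg")
    if [ "$anon" = "true" ]; then
        echo "authentication.anonymous.enabled is true: requests with no credentials reach the kubelet API on port 10250"
        findings=$((findings + 1))
    fi
    ro=$(yaml_value "$cfg" readOnlyPort:)
    if [ -n "$ro" ] && [ "$ro" != "0" ]; then
        echo "readOnlyPort $ro: pod specs, environment variables and metrics are served with no authentication"
        findings=$((findings + 1))
    fi
    if [ "$(yaml_value "$cfg" mode:)" = "AlwaysAllow" ]; then
        echo "authorization.mode AlwaysAllow: every authenticated (or anonymous) caller may exec into any pod on the node"
        findings=$((findings + 1))
    fi
    if [ -z "$(yaml_value "$cfg" clientCAFile:)" ]; then
        echo "authentication.x509.clientCAFile unset: the apiserver's client certificate cannot be verified"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# kubelet.config as kubelet.sh writes it, reproduced here as a constructed fixture.
write_page_kubelet_config() {   # $1 output path, $2 node address, $3 cluster DNS IP
    cat > "$1" <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: $2
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- $3
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
}

# The same file with the weak settings corrected; usable as a drop-in for the heredoc in kubelet.sh.
write_hardened_kubelet_config() {   # $1 output path, $2 node address, $3 cluster DNS IP
    cat > "$1" <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: $2
port: 10250
readOnlyPort: 0                 # no unauthenticated listener on 10255
cgroupDriver: cgroupfs          # must match the cgroup driver reported by "docker info"
clusterDNS:
- $3
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: false              # reject requests that carry no credentials
  webhook:
    enabled: true               # bearer tokens are verified with a TokenReview at the apiserver
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem   # the apiserver's kubelet client cert must chain to this
authorization:
  mode: Webhook                 # each request is checked with a SubjectAccessReview (nodes/proxy, nodes/log ...)
EOF
}

if [ "${1:-}" = "demo" ]; then   # sh kubelet-audit.sh demo
    d=$(mktemp -d)
    write_page_kubelet_config "$d/page.config" 192.168.1.23 10.0.0.2
    write_hardened_kubelet_config "$d/hardened.config" 192.168.1.23 10.0.0.2
    for f in page hardened; do
        echo "== $f.config"; audit_kubelet_config "$d/$f.config" && echo "clean"
    done; rm -rf "$d"
fi
```

Run it with `demo` to see the page's file produce three findings and the hardened file none; pointed at a real /opt/kubernetes/cfg/kubelet.config it returns the finding count, so it can gate a node bootstrap script with a plain `|| exit 1`.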
systemd manages the kubelet component (this is the unit kubelet.sh wrote):
[[email protected] cfg]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
Start (kubelet.sh already did this; repeat it after any change to the unit or the option file):
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
Error log: /var/log/messages (or journalctl -u kubelet, since the kubelet logs to stderr).
A very common cause of a failed start is a problem in the configuration files generated on the master (bootstrap.kubeconfig, kube-proxy.kubeconfig); check those again.
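When the failure is in bootstrap.kubeconfig, it is usually one of a few mistakes: the token in the file is not the one in token.csv, the CA was referenced by path instead of being embedded (so the node looks for a master-side file it does not have), or the server URL is wrong. The following is an added example, not part of the original tutorial: a POSIX shell check to run on the master before the files are copied, comparing bootstrap.kubeconfig with token.csv and ca.pem. The fixtures it writes are constructed for the demonstration; the certificate in them is not a real CA.

```shell
#!/bin/sh
# Added example (not from the original tutorial): check a bootstrap.kubeconfig written by
# kubeconfig.sh against the apiserver's token.csv and ca.pem before it is copied to a node.
# Assumes kubectl's own kubeconfig layout ("key: value" lines) and the static token file
# format "token,user,uid,groups" used by --token-auth-file.

# Value of the first "key: value" line in a kubectl-written kubeconfig, indentation ignored.
yaml_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Usage: check_bootstrap_kubeconfig bootstrap.kubeconfig token.csv ca.pem
# Prints one line per problem; returns the number of problems (0 = consistent).
check_bootstrap_kubeconfig() {
    kubeconfig=$1 tokencsv=$2 capem=$3 problems=0
    kc_token=$(yaml_value "$kubeconfig" token:)
    kc_ca=$(yaml_value "$kubeconfig" certificate-authority-data:)
    kc_server=$(yaml_value "$kubeconfig" server:)
    kc_user=$(yaml_value "$kubeconfig" user:)   # first hit is the context's user
    csv_token=$(awk -F, '$2 == "kubelet-bootstrap" { print $1; exit }' "$tokencsv")
    # 1. The bearer token must be the one the apiserver loaded from its token file.
    if [ -z "$kc_token" ]; then
        echo "no bearer token in $kubeconfig"; problems=$((problems + 1))
    elif [ "$kc_token" != "$csv_token" ]; then
        echo "token in $kubeconfig differs from the kubelet-bootstrap row of $tokencsv"; problems=$((problems + 1))
    fi
    # 2. ca.pem must be embedded; a certificate-authority *path* points at a file the node does not have.
    if [ -z "$kc_ca" ]; then
        echo "CA not embedded in $kubeconfig (use set-cluster --embed-certs=true)"; problems=$((problems + 1))
    elif [ "$kc_ca" != "$(base64 "$capem" | tr -d '\n')" ]; then
        echo "embedded CA in $kubeconfig is not $capem"; problems=$((problems + 1))
    fi
    # 3. TLS bootstrapping only makes sense against the apiserver's secure (https) port.
    case "$kc_server" in
        https://*) ;;
        *) echo "server must be an https:// URL, got '$kc_server'"; problems=$((problems + 1)) ;;
    esac
    # 4. The context must use kubelet-bootstrap, or the system:node-bootstrapper binding never applies.
    if [ "$kc_user" != "kubelet-bootstrap" ]; then
        echo "context user is '$kc_user', expected kubelet-bootstrap"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed fixtures for a stand-alone run (not real cluster material): a fake ca.pem, the
# token.csv row, a correct kubeconfig and one with three classic mistakes.
write_fixtures() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIENB' '-----END CERTIFICATE-----' > "$dir/ca.pem"
    echo '674c457d4dcf2eefe4920d7dbb6b0ddcc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"' > "$dir/token.csv"
    ca_b64=$(base64 "$dir/ca.pem" | tr -d '\n')
    cat > "$dir/good.kubeconfig" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $ca_b64
    server: https://192.168.1.13:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
users:
- name: kubelet-bootstrap
  user:
    token: 674c457d4dcf2eefe4920d7dbb6b0ddcc
EOF
    # stale token, CA given as a master-side path, plain-http server
    cat > "$dir/bad.kubeconfig" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /data/k8s/master-ca/ca.pem
    server: http://192.168.1.13:8080
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
users:
- name: kubelet-bootstrap
  user:
    token: 0fb61c46f8991b718eb38d27b605b008
EOF
}

if [ "${1:-}" = "demo" ]; then   # sh check-bootstrap.sh demo
    d=$(mktemp -d); write_fixtures "$d"
    for f in good bad; do
        echo "== $f"; check_bootstrap_kubeconfig "$d/$f.kubeconfig" "$d/token.csv" "$d/ca.pem" && echo "consistent"
    done; rm -rf "$d"
fi
```

On the master the real call is `check_bootstrap_kubeconfig bootstrap.kubeconfig /opt/kubernetes/cfg/token.csv /data/k8s/master-ca/ca.pem`; a non-zero return means the file should not be shipped to the node yet.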
Approving the Node's join request on the Master:
After the kubelet starts, the node is not yet part of the cluster; its certificate request has to be approved manually. On the Master, list the Nodes that have requested a signature:
On the master node: