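  • Kubernetes 1.6 Cluster Practice (7)

    Node

    A node is a machine in the K8S cluster that runs the containers.

    Every node must have these deployed: docker, flannel, kubelet, kube-proxy

    Software download

    Download kubelet and kube-proxy from GitHub; get the precompiled K8S binary package.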

    $ tar  xf  kubernetes-server-linux-amd64.tar.gz
    $ cd kubernetes/server/bin
    $ cp {kubelet,kube-proxy}  /usr/bin/
    $ chmod +x  /usr/bin/kube*
    

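    Configuring and starting kubelet

    The authentication file that kubelet uses, /etc/kubernetes/bootstrap.kubeconfig, was already generated in part (2), "k8s deployment - kubeconfig files".

    Create the kubelet-specific configuration file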

    $ cat > /etc/kubernetes/kubelet << EOF
    ###
    ## kubernetes kubelet (minion) config
    #
    ## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
    ## IP that kubelet binds to; differs on every node.
    ## (Comments get their own lines: systemd only ignores lines that start with # or ;)
    KUBELET_ADDRESS="--address=192.168.19.101"
    #
    ## The port for the info server to serve on
    #KUBELET_PORT="--port=10250"
    #
    ## You may leave this blank to use the actual hostname
    ## Name of the node inside the cluster; differs on every node
    KUBELET_HOSTNAME="--hostname-override=192.168.19.101"
    #
    ## location of the api-server
    KUBELET_API_SERVER="--api-servers=https://192.168.19.101:6443"
    #
    ## pod infrastructure container
    KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
    #
    ## Add your own!
    KUBELET_ARGS="--cgroup-driver=systemd --cluster-dns=10.254.0.2 --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --require-kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --hairpin-mode promiscuous-bridge --serialize-image-pulls=false --eviction-hard=memory.available<500Mi  --system-reserved=memory=2Gi"
    
    EOF
    

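    --system-reserved=memory=2Gi reserves 2G of memory for the system
    --eviction-hard=memory.available<500Mi allows pods to be evicted when available memory falls below 500Mi

    The port that KUBELET_API_SERVER connects to is the secure port (secure-port) provided by the apiserver.

    Create the systemd unit file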

    # 'EOF' is quoted so the shell leaves the $KUBE* variables for systemd to expand
    $ cat > /usr/lib/systemd/system/kubelet.service << 'EOF'
    [Unit]
    Description=Kubernetes Kubelet Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=docker.service
    Requires=docker.service

    [Service]
    WorkingDirectory=/var/lib/kubelet
    EnvironmentFile=-/etc/kubernetes/config
    EnvironmentFile=-/etc/kubernetes/kubelet
    ExecStart=/usr/bin/kubelet \
                $KUBE_LOGTOSTDERR \
                $KUBE_LOG_LEVEL \
                $KUBELET_API_SERVER \
                $KUBELET_ADDRESS \
                $KUBELET_PORT \
                $KUBELET_HOSTNAME \
                $KUBE_ALLOW_PRIV \
                $KUBELET_POD_INFRA_CONTAINER \
                $KUBELET_ARGS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    EOF
    

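    Granting permissions to the role

    When kubelet starts, it sends a TLS bootstrapping request to kube-apiserver. The kubelet-bootstrap user from the bootstrap token file must first be bound to the system:node-bootstrapper cluster role; only then does kubelet have permission to create certificate signing requests:
    A request in the Pending state has not been authorized yet; one in the Approved state has been authorized.
    Authorize join requests from new nodes:

    $ cd /etc/kubernetes
    $ kubectl create clusterrolebinding kubelet-bootstrap \
      --clusterrole=system:node-bootstrapper \
      --user=kubelet-bootstrap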
    

    Start kubelet

    $ mkdir /var/lib/kubelet
    $ systemctl daemon-reload  && systemctl enable kubelet  && systemctl start kubelet
    
    

    Because kubelet certificates are issued centrally by the apiserver, each node's certificate has to be approved in the cluster.

    $ kubectl get csr
    NAME                                                   AGE       REQUESTOR           CONDITION
    node-csr-CiUlm-x037PXyL5Fjee_Srhv9FlhM5Sv-8CApsJcffg   1h        kubelet-bootstrap   Approved,Issued
    node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw   15s       kubelet-bootstrap   Pending
    node-csr-z6sWICbRkv7yqQTHohNhq59-SzjPbK4irLj8Gdc5pO8   50m       kubelet-bootstrap   Approved,Issued
    
    
    $ kubectl describe csr node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
    Name:			node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
    Labels:			<none>
    Annotations:		<none>
    CreationTimestamp:	Sun, 15 Oct 2017 05:17:04 -0400
    Requesting User:	kubelet-bootstrap
    Status:			Pending
    Subject:
    	Common Name:	system:node:192.168.19.103
    	Serial Number:	
    	Organization:	system:nodes
    Events:	<none>
    
    $ kubectl certificate approve node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
    certificatesigningrequest "node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw" approved
    
    $ kubectl get node
    NAME            STATUS     AGE       VERSION
    192.168.0.101   NotReady   1h        v1.7.1
    192.168.0.102   NotReady   51m       v1.7.1
    192.168.0.103   Ready      3s        v1.7.1
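
    An added example, not part of the original post: a shell check that vets a pending CSR's requestor, status and subject against the nodes you expect before `kubectl certificate approve` is run. The allowlist arguments and the function names vet_csr, csr_field and sample_csr are assumptions made for illustration.

```shell
#!/bin/sh
# Vet one node CSR before approval. Reads `kubectl describe csr <name>` text on
# stdin; arguments are the node names you expect to join (an assumed allowlist).
# Typical use with the commands from this page:
#   kubectl describe csr "$name" | vet_csr 192.168.19.103 \
#     && kubectl certificate approve "$name"

csr_field() {  # csr_field <text> <label>: print the value after "<label>:"
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

vet_csr() {
    text=$(cat)
    user=$(csr_field "$text" 'Requesting User')
    status=$(csr_field "$text" 'Status')
    cn=$(csr_field "$text" 'Common Name')
    org=$(csr_field "$text" 'Organization')

    # The request must come from the bootstrap identity and still be undecided.
    [ "$user" = "kubelet-bootstrap" ] || { echo "reject: requestor '$user'"; return 1; }
    [ "$status" = "Pending" ] || { echo "reject: status '$status'"; return 1; }
    # Node client certificates carry O=system:nodes and CN=system:node:<name>.
    [ "$org" = "system:nodes" ] || { echo "reject: organization '$org'"; return 1; }
    for node in "$@"; do
        if [ "$cn" = "system:node:$node" ]; then
            echo "ok: $cn"
            return 0
        fi
    done
    echo "reject: unexpected common name '$cn'"
    return 1
}

# Constructed sample modelled on the describe output above; $1 is the subject CN.
sample_csr() {
    printf 'Name:\t\t\tnode-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw\n'
    printf 'Requesting User:\tkubelet-bootstrap\n'
    printf 'Status:\t\t\tPending\n'
    printf 'Subject:\n\tCommon Name:\t%s\n\tOrganization:\tsystem:nodes\n' "$1"
}

# Demo: the node from this page passes, an unexpected name is rejected.
sample_csr system:node:192.168.19.103 | vet_csr 192.168.19.101 192.168.19.103
sample_csr system:node:10.0.0.9 | vet_csr 192.168.19.101 192.168.19.103 || true
```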
    
    

    Configuring and starting kube-proxy

    Create the kube-proxy-specific configuration file

    $ cat > /etc/kubernetes/proxy <<EOF
    ###
    # kubernetes proxy config
    
    # default config should be adequate
    
    # Add your own!
    KUBE_PROXY_ARGS="--bind-address=192.168.19.101 --hostname-override=192.168.19.101 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.250.0.0/16"
    
    EOF
    

    --bind-address is this machine's IP address
    --hostname-override is the node name

    Create the systemd unit file

    # 'EOF' is quoted so the shell leaves the $KUBE* variables for systemd to expand
    $ cat > /usr/lib/systemd/system/kube-proxy.service << 'EOF'
    [Unit]
    Description=Kubernetes Kube-Proxy Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target

    [Service]
    EnvironmentFile=-/etc/kubernetes/config
    EnvironmentFile=-/etc/kubernetes/proxy
    ExecStart=/usr/bin/kube-proxy \
                $KUBE_LOGTOSTDERR \
                $KUBE_LOG_LEVEL \
                $KUBE_MASTER \
                $KUBE_PROXY_ARGS
    Restart=on-failure
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    
    EOF
    

    Start kube-proxy

    $ systemctl daemon-reload && systemctl enable kube-proxy && systemctl start kube-proxy
    
    
  • Original article: https://www.cnblogs.com/panjunbai/p/8372583.html