  • 七、安装node

    1、安装docker,在Node节点上面操作

    yum安装

    # Prerequisites for using the Docker CE repository; yum-utils supplies yum-config-manager.
    yum install -y yum-utils device-mapper-persistent-data lvm2
    # Register Docker's CentOS repository definition (fetched over HTTPS).
    yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    # List every docker-ce build the repository offers so an exact version can be chosen.
    yum list --showduplicates |grep docker-ce
    # Install one pinned build instead of whatever is newest.
    # NOTE(review): 17.12.1 differs from the 18.09.3 used by the binary install on this page;
    # confirm which release the nodes should run and that it still receives security fixes.
    yum install -y docker-ce-17.12.1.ce-1.el7.centos

    二进制安装

    二进制包下载地址:https://download.docker.com/linux/static/stable/x86_64/

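    # Fetch the static Docker release over HTTPS.
    wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz
    # Print the archive digest and compare it with a value recorded from a source you
    # trust before unpacking: these binaries will run as root on every node.
    sha256sum docker-18.09.3.tgz
    # --no-same-owner: when extracting as root, do not restore the UID/GID stored in
    # the archive, so the binaries end up owned by the extracting user (root).
    tar --no-same-owner -xf docker-18.09.3.tgz
    mv docker/* /usr/bin
    # -p: do not fail when the directory already exists (e.g. on a re-run).
    mkdir -p /etc/docker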
    cat /usr/lib/systemd/system/docker.service
    # systemd unit for a dockerd installed from the static binary archive.
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    # Ordering only: start after these units when they are part of the same transaction.
    After=network-online.target firewalld.service containerd.service
    Wants=network-online.target
    
    [Service]
    # dockerd tells systemd itself when it is ready (sd_notify).
    Type=notify
    # No flags are passed here; on this page daemon options are placed in /etc/docker/daemon.json.
    ExecStart=/usr/bin/dockerd
    # SIGHUP asks the running daemon to reload its configuration.
    ExecReload=/bin/kill -s HUP $MAINPID
    # 0 disables the start/stop timeout.
    TimeoutSec=0
    RestartSec=2
    Restart=always
    # Rate limit for restarts: at most 3 starts per 60 s window.
    StartLimitBurst=3
    StartLimitInterval=60s
    # File, process and core-dump limits are lifted for the daemon.
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TasksMax=infinity
    # Hand control of the service's cgroup subtree to dockerd.
    Delegate=yes
    # On stop, signal only the main dockerd process rather than every process in the cgroup.
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target

    配置国内docker镜像源

    sudo mkdir -p /etc/docker
    # Two options; the first is the Alibaba Cloud accelerator.
    # NOTE(review): the mirror hostname below looks account-specific; replace it with your own
    # endpoint. A registry mirror answers the tag lookups for image pulls, so it sits in the
    # trust path for every image the node runs.
    # The quoted 'EOF' delimiter keeps the JSON literal (no shell expansion inside it).
    sudo tee /etc/docker/daemon.json <<-'EOF'
    {
      "registry-mirrors": ["https://l2uj4chq.mirror.aliyuncs.com"]
    }
    EOF
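    #一种是daocloud的加速
    [root@k8s-node01 ~]# cat /etc/docker/daemon.json
    {
      "registry-mirrors": ["http://f1361db2.m.daocloud.io"],
      "insecure-registries": ["10.16.8.159"],
      "graph": "/max_data"
    }
    #insecure-registries:为私有仓库地址,目前还没安装私有仓库,预留
    #graph:docker默认的数据存储目录为/var/lib/docker,通过这个参数可以指定存储目录
    #注意:JSON文件本身不能包含注释,以上说明不要写入daemon.json;该镜像源使用http明文传输,insecure-registries会让docker对该仓库不校验TLS证书或直接使用HTTP,仅适合可信内网。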

    启动

    # Make systemd re-read unit files so the new docker.service is picked up.
    sudo systemctl daemon-reload
    # Start the daemon now, then register it to start at boot.
    sudo systemctl start docker
    sudo systemctl enable docker

    2、在所有node节点安装kubelet、kube-proxy

    目录结构

    [root@k8s-node01 opt]# tree kubernetes/
    kubernetes/
    ├── bin
    │   ├── kubelet
    │   └── kube-proxy
    ├── cfg
    │   ├── bootstrap.kubeconfig
    │   ├── kubelet.conf
    │   ├── kubelet-config.yml
    │   ├── kube-proxy.conf
    │   ├── kube-proxy-config.yml
    │   └── kube-proxy.kubeconfig
    ├── logs
    └── ssl
        ├── ca.pem
        ├── kube-proxy-key.pem
        └── kube-proxy.pem

    bin目录:可执行文件来自前面下载的kubernetes-server二进制包
    ssl目录:证书文件为前面部署master时生成的
    cfg配置文件:
        .conf为基本配置文件
        .kubeconfig为连接apiserver配置文件
        .yml为主要配置文件

    kubelet相关配置文件

    不同的Node需要分别修改配置文件中的主机名:kubelet.conf中的--hostname-override和kube-proxy-config.yml中的hostnameOverride(示例为k8s-node01)

    [root@k8s-node01 cfg]# cat bootstrap.kubeconfig
    # Kubeconfig the kubelet uses only for TLS bootstrapping: it authenticates with a
    # bearer token and requests its own client certificate from the API server.
    apiVersion: v1
    clusters:
    - cluster:
        # CA used to verify the API server's certificate.
        certificate-authority: /opt/kubernetes/ssl/ca.pem
        server: https://10.16.8.150:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubelet-bootstrap
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: kubelet-bootstrap
      user:
        # Bootstrap credential: whoever can read it can submit node CSRs as
        # kubelet-bootstrap (the REQUESTOR shown by `kubectl get csr` on this page).
        # Use your own cluster's token rather than this published value, and keep
        # the file readable by root only.
        token: c47ffb939f5ca36231d9e3121a252940
    [root@k8s-node01 cfg]# cat kubelet.conf 
    # Command-line flags handed to kubelet; the systemd unit loads this file via EnvironmentFile.
    # --kubeconfig names a file that does not exist yet: per the later cfg listing on this
    # page, kubelet.kubeconfig appears only after the bootstrap CSR has been approved.
    # --cert-dir is where the issued kubelet certificates and keys are written.
    # NOTE(review): the pause image is pulled from a personal Docker Hub namespace by tag.
    # It backs every pod sandbox on the node, so consider mirroring a vetted copy into a
    # registry you control and pinning it by digest.
    KUBELET_OPTS="--logtostderr=false 
    --v=2 
    --log-dir=/opt/kubernetes/logs 
    --hostname-override=k8s-node01 
    --network-plugin=cni 
    --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig 
    --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig 
    --config=/opt/kubernetes/cfg/kubelet-config.yml 
    --cert-dir=/opt/kubernetes/ssl 
    --pod-infra-container-image=lizhenliang/pause-amd64:3.0"
    [root@k8s-node01 cfg]# cat kubelet-config.yml 
    # Main kubelet configuration, referenced by --config in kubelet.conf.
    kind: KubeletConfiguration
    apiVersion: kubelet.config.k8s.io/v1beta1
    # The kubelet API listens on every interface, port 10250; requests to it go through
    # the authentication/authorization settings further down.
    address: 0.0.0.0
    port: 10250
    # NOTE(review): the read-only port serves node and pod information without
    # authentication, so the authn/authz settings below do not protect it. With
    # address 0.0.0.0 it is reachable from any network that can route to the node.
    # Set readOnlyPort: 0 to disable it unless a consumer still depends on it, or
    # firewall it to the hosts that scrape it.
    readOnlyPort: 10255
    # Must match the cgroup driver the container runtime uses.
    cgroupDriver: cgroupfs
    clusterDNS:
    - 10.0.0.2
    clusterDomain: cluster.local 
    # false lets kubelet start on a host that still has swap enabled.
    failSwapOn: false
    authentication:
      # Unauthenticated requests to port 10250 are rejected.
      anonymous:
        enabled: false
      # Bearer tokens are checked against the API server; results are cached for cacheTTL.
      webhook:
        cacheTTL: 2m0s
        enabled: true
      # Client certificates signed by this CA are accepted.
      x509:
        clientCAFile: /opt/kubernetes/ssl/ca.pem 
    authorization:
      # Each request is authorized by asking the API server instead of allowing everything.
      mode: Webhook
      webhook:
        cacheAuthorizedTTL: 5m0s
        cacheUnauthorizedTTL: 30s
    # Hard eviction thresholds: pods are evicted when a resource drops below these values.
    evictionHard:
      imagefs.available: 15%
      memory.available: 100Mi
      nodefs.available: 10%
      nodefs.inodesFree: 5%
    maxOpenFiles: 1000000
    maxPods: 110

    kube-proxy相关配置文件

    [root@k8s-node01 cfg]# cat kube-proxy.conf 
    # Command-line flags for kube-proxy, loaded by its systemd unit via EnvironmentFile.
    # Logs go to files under --log-dir instead of stderr; the remaining settings live in
    # the file named by --config.
    KUBE_PROXY_OPTS="--logtostderr=false 
    --v=2 
    --log-dir=/opt/kubernetes/logs 
    --config=/opt/kubernetes/cfg/kube-proxy-config.yml"
    
    [root@k8s-node01 cfg]# cat  kube-proxy-config.yml
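    # Main kube-proxy configuration, referenced by --config in kube-proxy.conf.
    kind: KubeProxyConfiguration
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    # KubeProxyConfiguration calls this field bindAddress; "address" is the
    # KubeletConfiguration spelling and is not a kube-proxy field.
    bindAddress: 0.0.0.0
    # NOTE(review): this serves kube-proxy metrics on every interface. Bind to
    # 127.0.0.1:10249 or firewall the port unless metrics are scraped from another host.
    metricsBindAddress: 0.0.0.0:10249
    clientConnection:
      kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
    # Must be changed per node, in step with --hostname-override in kubelet.conf.
    hostnameOverride: k8s-node01
    # NOTE(review): clusterCIDR is meant to be the pod network range. 10.0.0.0/24 contains
    # the clusterDNS address 10.0.0.2 from kubelet-config.yml, which suggests it may be
    # the service range instead - confirm against the master configuration.
    clusterCIDR: 10.0.0.0/24
    mode: ipvs
    ipvs:
      # "rr" = round-robin scheduling across backends.
      scheduler: "rr"
    iptables:
      masqueradeAll: true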
    [root@k8s-node01 cfg]# cat kube-proxy.kubeconfig
    # Kubeconfig kube-proxy uses to reach the API server; it authenticates with a
    # client certificate as user "kube-proxy".
    apiVersion: v1
    clusters:
    - cluster:
        # CA used to verify the API server's certificate.
        certificate-authority: /opt/kubernetes/ssl/ca.pem
        server: https://10.16.8.150:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kube-proxy
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: kube-proxy
      user:
        client-certificate: /opt/kubernetes/ssl/kube-proxy.pem
        # Private key for the kube-proxy identity; keep it readable by root only.
        client-key: /opt/kubernetes/ssl/kube-proxy-key.pem

    启动配置文件

    [root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kubelet.service 
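    # systemd unit that runs kubelet with the flags from kubelet.conf.
    [Unit]
    Description=Kubernetes Kubelet
    # Start kubelet after Docker and pull Docker in when kubelet is started.
    # The original listed docker.service under both After= and Before=, which asks
    # systemd for two opposite orderings of the same pair of units.
    After=docker.service
    Wants=docker.service
    
    [Service]
    # Defines KUBELET_OPTS, expanded on the ExecStart line below.
    EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
    ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
    Restart=on-failure
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target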
    [root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kube-proxy.service 
    # systemd unit that runs kube-proxy with the flags from kube-proxy.conf.
    [Unit]
    Description=Kubernetes Proxy
    After=network.target
    
    [Service]
    # Defines KUBE_PROXY_OPTS, expanded on the ExecStart line below.
    EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
    ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
    # Restart only after an unclean exit; a deliberate stop stays stopped.
    Restart=on-failure
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target

    3、启动

    # Bring both node services up now, then register them to start at boot.
    for svc in kubelet kube-proxy; do
      systemctl start "$svc"
    done
    for svc in kubelet kube-proxy; do
      systemctl enable "$svc"
    done

    4、允许给Node颁发证书,master上操作

    [root@k8s-master01 node]# kubectl get csr
    NAME                                                   AGE     REQUESTOR           CONDITION
    node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   2m10s   kubelet-bootstrap   Pending
    
    [root@k8s-master01 node]# kubectl certificate approve node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE
    certificatesigningrequest.certificates.k8s.io/node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE approved

    本次有3个node,所以颁发3次。批准前建议先用kubectl describe csr核对请求者和节点名,确认是预期的Node再批准。

    [root@k8s-master01 node]# kubectl get csr
    NAME                                                   AGE     REQUESTOR           CONDITION
    node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI   8s      kubelet-bootstrap   Pending
    node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA   52s     kubelet-bootstrap   Pending
    node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   7m25s   kubelet-bootstrap   Approved,Issued
    
    [root@k8s-master01 node]# kubectl certificate approve node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI
    certificatesigningrequest.certificates.k8s.io/node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI approved
    [root@k8s-master01 node]# kubectl certificate approve node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA
    certificatesigningrequest.certificates.k8s.io/node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA approved
    
    [root@k8s-master01 node]# kubectl get csr
    NAME                                                   AGE    REQUESTOR           CONDITION
    node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI   46s    kubelet-bootstrap   Approved,Issued
    node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA   90s    kubelet-bootstrap   Approved,Issued
    node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   8m3s   kubelet-bootstrap   Approved,Issued

    5、查看node

    [root@k8s-master01 node]# kubectl get node
    NAME         STATUS     ROLES    AGE     VERSION
    k8s-node01   NotReady   <none>   4m19s   v1.16.0
    k8s-node02   NotReady   <none>   52s     v1.16.0
    k8s-node03   NotReady   <none>   62s     v1.16.0

    6、node上面查看cfg和ssl目录

    [root@k8s-node01 kubernetes]# tree cfg
    cfg
    ├── bootstrap.kubeconfig
    ├── kubelet.conf
    ├── kubelet-config.yml
    ├── kubelet.kubeconfig
    ├── kube-proxy.conf
    ├── kube-proxy-config.yml
    └── kube-proxy.kubeconfig
    
    0 directories, 7 files
    
    [root@k8s-node01 kubernetes]# tree ssl
    ssl
    ├── ca.pem
    ├── kubelet-client-2019-11-05-11-41-51.pem
    ├── kubelet-client-current.pem -> /opt/kubernetes/ssl/kubelet-client-2019-11-05-11-41-51.pem
    ├── kubelet.crt
    ├── kubelet.key
    ├── kube-proxy-key.pem
    └── kube-proxy.pem

    可以发现多了 kubelet.kubeconfig、kubelet-client-2019-11-05-11-41-51.pem、kubelet-client-current.pem、kubelet.crt、kubelet.key 这些文件,它们都是颁发证书时自动生成的。其中kubelet.key和kubelet-client-*.pem含有私钥,应保持仅root可读。

  • 原文地址:https://www.cnblogs.com/xw115428/p/11956123.html