1. 给kubelet赋予权限(仅在master执行)
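$cd /etc/kubernetes
# Bind the user "kubelet-bootstrap" to the built-in ClusterRole
# system:node-bootstrapper, the role used for kubelet TLS bootstrapping
# (submitting certificate signing requests).
# Anyone holding that user's credentials can request a node certificate,
# so treat the bootstrap credentials as a secret.
# The trailing backslashes keep the three lines together as one command.
$kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap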
2.确认两个节点kubelet和kube-proxy二进制文件存在
$ll /usr/bin/kube*
-rwxr-xr-x 1 root root 148146512 Dec 28 13:34 /usr/bin/kubelet
-rwxr-xr-x 1 root root 64388925 Dec 28 13:34 /usr/bin/kube-proxy
3.配置/usr/lib/systemd/system/kubelet.service
$mkdir /var/lib/kubelet #两个节点分别创建工作目录
注:下面 --address 和 --hostname-override 的值(原文标红)写入本机地址。
node132:
$vim /usr/lib/systemd/system/kubelet.service
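[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# kubelet unit for node132. --address and --hostname-override carry this
# node's own IP. Review notes are kept above ExecStart so they do not sit
# inside the continued command line:
# - --allow-privileged=true lets pods run privileged containers, which is
#   close to root on the node. Keep it only if a workload needs it, and
#   restrict who may create such pods.
# - No kubelet API authentication/authorization flags are set
#   (--anonymous-auth, --authorization-mode, --client-ca-file). The flag
#   defaults are --anonymous-auth=true and --authorization-mode=AlwaysAllow;
#   verify them for the kubelet version in use so the API on --address does
#   not serve unauthenticated requests.
# - --pod-infra-container-image has no tag or digest, so the image content
#   can change between pulls; pinning it makes the node reproducible.
# Every ExecStart line except the last ends with a backslash so that systemd
# reads the flags as one command.
ExecStart=/usr/bin/kubelet \
  --address=192.168.7.132 \
  --hostname-override=192.168.7.132 \
  --pod-infra-container-image=docker.io/kubernetes/pause \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/ssl/kubelet.kubeconfig \
  --cert-dir=/etc/kubernetes/ssl \
  --hairpin-mode promiscuous-bridge \
  --allow-privileged=true \
  --serialize-image-pulls=false \
  --logtostderr=true \
  --cgroup-driver=systemd \
  --cluster_dns=10.254.10.20 \
  --cluster_domain=cluster.local \
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target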
node133:
$vim /usr/lib/systemd/system/kubelet.service
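[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# kubelet unit for node133. Only --address and --hostname-override differ
# from the node132 unit; they carry this node's own IP.
# - --allow-privileged=true permits privileged containers on this node;
#   keep it only if a workload requires it.
# - The kubelet API has no explicit authentication/authorization flags here
#   (--anonymous-auth, --authorization-mode, --client-ca-file); confirm the
#   defaults of the kubelet version in use before exposing --address.
# - The pause image is referenced without a tag or digest; pin it so the
#   pulled content cannot change silently.
# Every ExecStart line except the last ends with a backslash so that systemd
# reads the flags as one command.
ExecStart=/usr/bin/kubelet \
  --address=192.168.7.133 \
  --hostname-override=192.168.7.133 \
  --pod-infra-container-image=docker.io/kubernetes/pause \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/ssl/kubelet.kubeconfig \
  --cert-dir=/etc/kubernetes/ssl \
  --hairpin-mode promiscuous-bridge \
  --allow-privileged=true \
  --serialize-image-pulls=false \
  --logtostderr=true \
  --cgroup-driver=systemd \
  --cluster_dns=10.254.10.20 \
  --cluster_domain=cluster.local \
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target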
4.启动kubelet
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
5.通过 kubelet 的 TLS 证书请求 (仅在master执行)
kubelet 首次启动时向 kube-apiserver 发送证书签名请求,必须通过后 kubernetes 系统才会将该 Node 加入到集群。
1、查看未授权的请求:
$kubectl get csr
2、通过csr请求(下面的命令会批准所有处于 Pending 状态的请求;批准前先用 kubectl describe csr <名称> 核对请求者和节点名,只批准预期节点的请求):
$kubectl get csr | awk '/Pending/ {print $1}' | xargs kubectl certificate approve
$kubectl get csr
6.配置kube-proxy
安装conntrack
$yum install -y conntrack-tools
7.配置 /usr/lib/systemd/system/kube-proxy.service
--bind-address 和 --hostname-override 的值(原文标红)写入本机地址
node132:
vim /usr/lib/systemd/system/kube-proxy.service
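[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
# kube-proxy unit for node132. --bind-address and --hostname-override carry
# this node's own IP.
# The leading "-" makes each EnvironmentFile optional: a missing file is
# ignored instead of failing the unit. ExecStart below does not reference any
# variable from these files.
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
# Every ExecStart line except the last ends with a backslash so that systemd
# reads the flags as one command.
# NOTE(review): kube-proxy.kubeconfig presumably holds the client credentials
# for the API server -- keep it readable by root only.
ExecStart=/usr/bin/kube-proxy \
  --bind-address=192.168.7.132 \
  --hostname-override=192.168.7.132 \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
  --cluster-cidr=10.254.0.0/16
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target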
node133:
vim /usr/lib/systemd/system/kube-proxy.service
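[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
# kube-proxy unit for node133. Only --bind-address and --hostname-override
# differ from the node132 unit; they carry this node's own IP.
# The "-" prefix lets the unit start even when an EnvironmentFile is absent.
# No variable from these files is used in ExecStart.
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
# Backslashes join the flag lines into the single ExecStart command.
# NOTE(review): the kubeconfig presumably contains API client credentials --
# confirm that its permissions are restricted to root.
ExecStart=/usr/bin/kube-proxy \
  --bind-address=192.168.7.133 \
  --hostname-override=192.168.7.133 \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
  --cluster-cidr=10.254.0.0/16
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target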
8.启动kube-proxy
systemctl daemon-reload
systemctl enable kube-proxy
systemctl start kube-proxy
systemctl status kube-proxy
9.在master上获取节点
$kubectl get nodes #看到节点都是ready状态。