zoukankan      html  css  js  c++  java
  • k8s1.13.0二进制部署-node节点(四)

    Master apiserver启用TLS认证后,Node节点kubelet组件想要加入集群,必须使用CA签发的有效证书才能与apiserver通信,当Node节点很多时,签署证书是一件很繁琐的事情,因此有了TLS Bootstrapping机制,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。
    认证大致工作流程如图所示:

    准备二进制文件

    scp kubelet kube-proxy 192.168.0.125:/opt/kubernetes/bin/
    scp kubelet kube-proxy 192.168.0.126:/opt/kubernetes/bin/

    部署kubelet

    创建角色绑定

    kubectl create clusterrolebinding kubelet-bootstrap 
      --clusterrole=system:node-bootstrapper 
      --user=kubelet-bootstrap
    创建 kubelet bootstrapping kubeconfig 文件
    # 设置集群参数
    kubectl config set-cluster kubernetes 
      --certificate-authority=/opt/kubernetes/ssl/ca.pem 
      --embed-certs=true 
      --server=https://192.168.0.130:6443 
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置客户端认证参数
    kubectl config set-credentials kubelet-bootstrap 
      --token=${BOOTSTRAP_TOKEN} 
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置上下文参数
    kubectl config set-context default 
      --cluster=kubernetes 
      --user=kubelet-bootstrap 
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置默认上下文
    kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
    将bootstrap.kubeconfig文件拷贝到node节点
    scp bootstrap.kubeconfig 192.168.0.125:/opt/kubernetes/cfg/
    scp bootstrap.kubeconfig 192.168.0.126:/opt/kubernetes/cfg/
    创建kubelet配置文件

    [root@k8s-node01 ~]# vim /opt/kubernetes/cfg/kubelet

    KUBELET_OPTS="--logtostderr=false
    --v=4
    --log-dir=/opt/kubernetes/log
    --hostname-override=192.168.0.125
    --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig
    --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig
    --config=/opt/kubernetes/cfg/kubelet.config
    --cert-dir=/opt/kubernetes/ssl
    --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

    参数说明: 

    --hostname-override 在集群中显示的主机名
    --kubeconfig 指定kubeconfig文件位置,会自动生成
    --bootstrap-kubeconfig 指定刚才生成的bootstrap.kubeconfig文件
    --cert-dir 颁发证书存放位置
    --pod-infra-container-image 管理Pod网络的镜像

    其中/opt/kubernetes/cfg/kubelet.config配置文件如下:
    [root@k8s-node01 ~]# vim /opt/kubernetes/cfg/kubelet.config
    kind: KubeletConfiguration
    apiVersion: kubelet.config.k8s.io/v1beta1
    address:
    port: 10250
    readOnlyPort: 10255
    cgroupDriver: cgroupfs
    clusterDNS:
    - 10.0.0.2
    clusterDomain: cluster.local.
    failSwapOn: false
    authentication:
      anonymous:
        enabled: true
    创建kubelet系统服务
    [root@k8s-node02 ~]# vim /usr/lib/systemd/system/kubelet.service
    [Unit]
    Description=Kubernetes Kubelet
    After=docker.service
    Requires=docker.service
    
    [Service]
    EnvironmentFile=/opt/kubernetes/cfg/kubelet
    ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
    Restart=on-failure
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target
    启动kubelet
    systemctl daemon-reload
    systemctl enable kubelet
    systemctl restart kubelet
    systemctl status kubelet

     查看csr请求

    [root@k8s-master1 ~]# kubectl get csr
    NAME                                                   AGE    REQUESTOR           CONDITION
    node-csr-h0XFLgAXsCQvIQdUN5_fHGJbwYJaekO3zzhEK_wDcNY   103s   kubelet-bootstrap   Pending
    node-csr-xECZ6WkPvlSzu9fE4CJQlMjPfCxJlUpidvSuKWOGpZE   90s    kubelet-bootstrap   Pending

    批准kubelet 的 TLS 证书请求

    [root@k8s-master1 ~]# kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs kubectl certificate approve
    certificatesigningrequest.certificates.k8s.io/node-csr-h0XFLgAXsCQvIQdUN5_fHGJbwYJaekO3zzhEK_wDcNY approved
    certificatesigningrequest.certificates.k8s.io/node-csr-xECZ6WkPvlSzu9fE4CJQlMjPfCxJlUpidvSuKWOGpZE approved

    查看node已经加入集群

    [root@k8s-master1 ~]# kubectl get node
    NAME            STATUS   ROLES    AGE   VERSION
    192.168.0.125   Ready    <none>   68s   v1.13.0
    192.168.0.126   Ready    <none>   69s   v1.13.0

    kube-proxy部署

    配置kube-proxy使用LVS
    yum install -y ipvsadm ipset conntrack

    创建 kube-proxy 证书请求

    [root@k8s-master1 ssl]# vim kube-proxy-csr.json
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }

    生成证书

    cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem 
       -ca-key=/opt/kubernetes/ssl/ca-key.pem 
       -config=/opt/kubernetes/ssl/ca-config.json 
       -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

    将证书分发到node节点

    scp kube-proxy*.pem 192.168.0.125:/opt/kubernetes/ssl/
    scp kube-proxy*.pem 192.168.0.126:/opt/kubernetes/ssl/
    创建kube-proxy kubeconfig文件
    kubectl config set-cluster kubernetes 
      --certificate-authority=/opt/kubernetes/ssl/ca.pem 
      --embed-certs=true 
      --server=https://192.168.0.130:6443 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-credentials kube-proxy 
      --client-certificate=kube-proxy.pem 
      --client-key=kube-proxy-key.pem 
      --embed-certs=true 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-context default 
      --cluster=kubernetes 
      --user=kube-proxy 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

    分发kubeconfig配置文件

    scp kube-proxy.kubeconfig 192.168.0.125:/opt/kubernetes/cfg/
    scp kube-proxy.kubeconfig 192.168.0.126:/opt/kubernetes/cfg/

    创建kube-proxy配置文件

    [root@k8s-node01 ~]# vim /opt/kubernetes/cfg/kube-proxy

    KUBE_PROXY_OPTS="--logtostderr=false
    --v=4
    --log-dir=/opt/kubernetes/log
    --hostname-override=192.168.0.125
    --cluster-cidr=10.0.0.0/24
    --proxy-mode=ipvs
    --ipvs-min-sync-period=5s
    --ipvs-sync-period=5s
    --ipvs-scheduler=rr
    --masquerade-all=true
    --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

    创建kube-proxy系统服务

    [root@k8s-node01 ~]# vim /usr/lib/systemd/system/kube-proxy.service
    [Unit]
    Description=Kubernetes Proxy
    After=network.target
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
    ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
    Restart=on-failure
    RestartSec=5
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target

    启动kube-proxy

    systemctl daemon-reload
    systemctl enable kube-proxy
    systemctl restart kube-proxy
    systemctl status kube-proxy
    运行一个测试示例
    kubectl run nginx --image=nginx --replicas=3
    kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort

    查看pod,service

    [root@k8s-master1 ~]# kubectl get pod,svc -o wide
    NAME                         READY   STATUS              RESTARTS   AGE   IP            NODE            NOMINATED NODE   READINESS GATES
    pod/nginx-7cdbd8cdc9-g9658   0/1     ImagePullBackOff    0          51s   172.17.84.2   192.168.0.125   <none>           <none>
    pod/nginx-7cdbd8cdc9-wmh46   0/1     ContainerCreating   0          51s   <none>        192.168.0.126   <none>           <none>
    pod/nginx-7cdbd8cdc9-zwmxd   0/1     ContainerCreating   0          51s   <none>        192.168.0.126   <none>           <none>
    
    NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE   SELECTOR
    service/kubernetes   ClusterIP   10.0.0.1     <none>        443/TCP        21h   <none>
    service/nginx        NodePort    10.0.0.171   <none>        88:48652/TCP   48s   run=nginx

    访问部署的nginx

    查看访问日志

    [root@k8s-master1 ~]# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
    [root@k8s-master1 ~]# kubectl logs nginx-7cdbd8cdc9-g9658
    172.17.84.1 - - [18/Dec/2018:01:59:43 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" "-"

    查看LVS状态

    [root@k8s-node02 ~]# ipvsadm -L -n
    IP Virtual Server version 1.2.1 (size=4096)
    Prot LocalAddress:Port Scheduler Flags
    -> RemoteAddress:Port Forward Weight ActiveConn InActConn
    TCP 127.0.0.1:48652 rr
    -> 172.17.34.2:80 Masq 1 0 0
    -> 172.17.34.3:80 Masq 1 0 0
    -> 172.17.84.2:80 Masq 1 0 0
    TCP 172.17.34.0:48652 rr
    -> 172.17.34.2:80 Masq 1 0 0
    -> 172.17.34.3:80 Masq 1 0 0
    -> 172.17.84.2:80 Masq 1 0 0
    TCP 172.17.34.1:48652 rr
    -> 172.17.34.2:80 Masq 1 0 0
    -> 172.17.34.3:80 Masq 1 0 0
    -> 172.17.84.2:80 Masq 1 0 0
    TCP 192.168.0.126:48652 rr
    -> 172.17.34.2:80 Masq 1 0 0
    -> 172.17.34.3:80 Masq 1 0 0
    -> 172.17.84.2:80 Masq 1 0 0
    TCP 10.0.0.1:443 rr
    -> 192.168.0.123:6443 Masq 1 0 0
    -> 192.168.0.124:6443 Masq 1 0 0
    TCP 10.0.0.171:88 rr
    -> 172.17.34.2:80 Masq 1 0 0
    -> 172.17.34.3:80 Masq 1 0 0
    -> 172.17.84.2:80 Masq 1 0 0

  • 相关阅读:
    布尔值数据类型
    数据类型
    while循环。for循环
    对于元素类型为集合的List进行排序
    进程和线程之由来
    ExecutorService的关闭
    Java并发编程:CountDownLatch、CyclicBarrier和Semaphore
    什么是设计模式
    java多线程的原子性
    OutputStream的flush()方法
  • 原文地址:https://www.cnblogs.com/yuezhimi/p/10133061.html
Copyright © 2011-2022 走看看