Copy the bootstrap.kubeconfig and kube-proxy.kubeconfig files to all node machines:

```shell
cp bootstrap.kubeconfig kube-proxy.kubeconfig /data/soft/kubernetes/cfg/
scp -P 12525 -r bootstrap.kubeconfig kube-proxy.kubeconfig www@192.168.0.7:/data/soft/kubernetes/cfg/
scp -P 12525 -r bootstrap.kubeconfig kube-proxy.kubeconfig www@192.168.0.8:/data/soft/kubernetes/cfg/
```

Configure kubelet on the nodes. Note: create the kubelet parameter configuration file and copy it to all nodes. Only one node's configuration is listed here; the other nodes can use it as a template, changing only the local IP address.
Create the kubelet parameter configuration template file with `vim /data/soft/kubernetes/cfg/kubelet.config`:

```yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.0.7
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS: ["10.0.0.2"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
```

Parameter description:

- address: the IP address the kubelet binds to (the node's local IP)
- authentication.anonymous.enabled: whether the kubelet accepts requests that carry no credentials (enabled here)
Create the kubelet configuration file with `vim /data/soft/kubernetes/cfg/kubelet`:

```shell
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.0.7 \
--kubeconfig=/data/soft/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/data/soft/kubernetes/cfg/bootstrap.kubeconfig \
--config=/data/soft/kubernetes/cfg/kubelet.config \
--cert-dir=/data/soft/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
```

Parameter description:

- --hostname-override: the host name shown in the cluster (the node's local IP)
- --kubeconfig: location of the kubeconfig file; it is generated automatically
- --bootstrap-kubeconfig: the bootstrap.kubeconfig file generated earlier
- --cert-dir: where the issued certificates are stored
- --pod-infra-container-image: the image that manages Pod networking

Create the kubelet.service file for kubelet:
Edit `/usr/lib/systemd/system/kubelet.service`:

```ini
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/data/soft/kubernetes/cfg/kubelet
ExecStart=/data/soft/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
```

Copy the kubelet.config and kubelet files to all node machines:
```shell
cd /data/soft/kubernetes/cfg/
\cp kubelet.config kubelet /data/soft/kubernetes/cfg/
scp -P 12525 -r kubelet.config kubelet www@192.168.0.7:/data/soft/kubernetes/cfg/
scp -P 12525 -r kubelet.config kubelet www@192.168.0.8:/data/soft/kubernetes/cfg/
scp -P 12525 -r /usr/lib/systemd/system/kubelet.service www@192.168.0.7:/usr/lib/systemd/system/kubelet.service
scp -P 12525 -r /usr/lib/systemd/system/kubelet.service www@192.168.0.8:/usr/lib/systemd/system/kubelet.service
```

Bind the kubelet-bootstrap user to the system cluster role (run on the master):
```shell
/data/soft/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
```

Start the kubelet service on the node:
```shell
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
```

On the master node, approve the kubelet CSR requests. CSRs can be approved manually or automatically; automatic approval is recommended because, starting with v1.8, the certificates issued after a CSR is approved can be rotated automatically.
Here the CSRs are approved manually. On the master node, look at the nodes requesting a signature by listing the CSRs:

```console
# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs   39m     kubelet-bootstrap   Pending
node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s   5m5s    kubelet-bootstrap   Pending
# kubectl certificate approve node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs
certificatesigningrequest.certificates.k8s.io/node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs approved
# kubectl certificate approve node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s
certificatesigningrequest.certificates.k8s.io/node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s approved
# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs   41m     kubelet-bootstrap   Approved,Issued
node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s   7m32s   kubelet-bootstrap   Approved,Issued
```

- Requesting User: the user that submitted the CSR; kube-apiserver authenticates and authorizes it.
- Subject: the certificate information being requested. The certificate's CN is system:node:kube-node2 and its Organization is system:nodes; kube-apiserver's Node authorization mode grants the permissions associated with that certificate.
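Because the Node authorizer grants permissions based on the subject described above, the subject is worth checking before a manual approval. The following script is an added example, not part of the original post: it lists Pending CSRs, keeps only those requested by kubelet-bootstrap, decodes each request with openssl, and approves only when the subject is exactly CN=system:node:<node>, O=system:nodes. It assumes kubectl and openssl are on PATH (the post runs kubectl from /data/soft/kubernetes/bin/).

```shell
#!/bin/sh
# Added example (not from the original post): approve only kubelet bootstrap CSRs
# whose subject is exactly CN=system:node:<node>, O=system:nodes.
# Assumes kubectl and openssl are on PATH.

# csr_subject_ok SUBJECT: SUBJECT is the line printed by `openssl req -noout -subject`,
# in either the "subject=CN = x, O = y" or the older "subject=/CN=x/O=y" format.
# Returns 0 only for CN=system:node:<node>,O=system:nodes with no extra RDNs.
csr_subject_ok() {
    s=$(printf '%s' "$1" | sed 's/^subject=//; s#^/##; s#/#,#g; s/ *= */=/g; s/ *, */,/g')
    case "$s" in
        CN=system:node:*) ;;
        *) return 1 ;;
    esac
    node=${s#CN=system:node:}
    node=${node%%,*}
    [ -n "$node" ] || return 1
    # Rebuild the only acceptable subject and require an exact match, so an extra
    # organisation such as system:masters added to the CSR is rejected.
    [ "$s" = "CN=system:node:$node,O=system:nodes" ]
}

# approve_pending_node_csrs: walk CSRs whose CONDITION column is Pending, skip anything
# not requested by kubelet-bootstrap, decode the PEM request and gate on its subject.
approve_pending_node_csrs() {
    kubectl get csr --no-headers | awk '$NF == "Pending" {print $1}' |
    while read -r name; do
        user=$(kubectl get csr "$name" -o jsonpath='{.spec.username}')
        if [ "$user" != kubelet-bootstrap ]; then
            echo "skip $name: requestor is $user" >&2
            continue
        fi
        subject=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' \
                  | base64 -d | openssl req -noout -subject)
        if csr_subject_ok "$subject"; then
            kubectl certificate approve "$name"
        else
            echo "NOT approving $name: unexpected subject '$subject'" >&2
        fi
    done
}

# Run the approval pass only when asked explicitly: sh approve-node-csrs.sh --approve
if [ "${1:-}" = --approve ]; then
    approve_pending_node_csrs
fi
```

CSRs that fail the check stay Pending and are reported on stderr so they can be inspected with `kubectl get csr <name> -o yaml` before any decision.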