Unless otherwise noted, the following steps are still performed on the master node; the master node also serves as a worker node.
The following 2 commands are run on the master node:

```bash
[root@master01 ~]# cp kubernetes/server/bin/{kubelet,kube-proxy} /k8s/k8s/bin/
```

### Deploy kubelet

Parameter description:

- `--hostname-override`: display name (must be unique). This is the local machine's hostname; if it is set to anything else, the node will not be found at startup.
- `--network-plugin`: enables CNI.
- `--kubeconfig`: a path that does not exist yet; the file is generated automatically and is later used to connect to the apiserver.
- `--bootstrap-kubeconfig`: used on first start to request a certificate from the apiserver.
- `--config`: configuration parameter file.
- `--cert-dir`: directory in which the kubelet certificates are generated.
- `--pod-infra-container-image`: image of the container that manages the Pod network.

Note: pay attention to the `hostname-override` option in the next command.

```bash
[root@master01 ~]# cat > /k8s/k8s/cfg/kubelet.cfg << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/k8s/k8s/logs \\
--hostname-override=master01 \\
--network-plugin=cni \\
--kubeconfig=/k8s/k8s/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/k8s/k8s/cfg/bootstrap.kubeconfig \\
--config=/k8s/k8s/cfg/kubelet-config.yml \\
--cert-dir=/k8s/k8s/ssl \\
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF
# registry.access.redhat.com/rhel7/pod-infrastructure:latest
```

Configuration parameter file:

```bash
[root@master01 ~]# cat > /k8s/k8s/cfg/kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /k8s/k8s/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
```

Generate the bootstrap.kubeconfig file:

```bash
[root@master01 ~]# KUBE_APISERVER="https://192.168.1.21:6443"   # apiserver IP:PORT
[root@master01 ~]# TOKEN="12c940e938c533cf294ac01370cde146"     # must match token.csv
```

Note: if you have switched to a new terminal window, redefine the KUBE_APISERVER and TOKEN variables and then regenerate the kubelet bootstrap kubeconfig file.

### Generate the kubelet bootstrap kubeconfig file
Note: bootstrap.kubeconfig must be generated in the directory that the `--bootstrap-kubeconfig` option in /k8s/k8s/cfg/kubelet.cfg points to. Otherwise the file has to be moved (`mv`) to the location given by `--bootstrap-kubeconfig` afterwards.

```bash
[root@master01 ~]# cd /k8s/k8s/cfg/
[root@master01 cfg]# kubectl config set-cluster kubernetes \
  --certificate-authority=/k8s/k8s/ssl/ca.pem \
  --embed-certs=true --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
[root@master01 cfg]# kubectl config set-credentials "kubelet-bootstrap" \
  --token=${TOKEN} --kubeconfig=bootstrap.kubeconfig
# Set the context
[root@master01 cfg]# kubectl config set-context default --cluster=kubernetes \
  --user="kubelet-bootstrap" --kubeconfig=bootstrap.kubeconfig
# Switch to the context
[root@master01 cfg]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
```

Manage kubelet with systemd:

```bash
[root@master01 cfg]# cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service

[Service]
EnvironmentFile=/k8s/k8s/cfg/kubelet.cfg
ExecStart=/k8s/k8s/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Start the service and enable it at boot:

```bash
[root@master01 cfg]# systemctl daemon-reload
[root@master01 cfg]# systemctl enable kubelet
[root@master01 cfg]# systemctl start kubelet
[root@master01 cfg]# systemctl status kubelet
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2021-07-07 23:45:49 EDT; 3min 24s ago
 Main PID: 17793 (kubelet)
    Tasks: 9
   Memory: 19.9M
   CGroup: /system.slice/kubelet.service
           └─17793 /k8s/k8s/bin/kubelet --logtostderr=false --v=2 --log-dir=/k8s/k8s/logs --hostname-override=master01 --n...

7月 07 23:45:49 master01 systemd[1]: Started Kubernetes Kubelet.
```
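The kubelet-config.yml used for this kubelet disables anonymous access and delegates authorization to the apiserver, but it also sets `readOnlyPort: 10255`. The check below is an added example, not part of the original article: it audits those settings with a small indentation-based key tracker. The function names and the abbreviated sample file are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the article): audit the API-exposure settings of a
# KubeletConfiguration file. Prints one finding per line, nothing on a clean file.
audit_kubelet_config() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
    {
      line = $0; sub(/^ */, "", line)
      depth = (length($0) - length(line)) / 2  # assumes 2-space indentation
      sub(/[ \t]+$/, "", line)
      key = line; sub(/:.*/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val)
      path[depth] = key; full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      seen[full] = val
    }
    END {
      if (seen["authentication.anonymous.enabled"] != "false")
        print "FAIL authentication.anonymous.enabled is not explicitly false"
      if (seen["authorization.mode"] != "Webhook")
        print "FAIL authorization.mode is not Webhook"
      if (seen["authentication.x509.clientCAFile"] == "")
        print "FAIL authentication.x509.clientCAFile is not set"
      if (("readOnlyPort" in seen) && seen["readOnlyPort"] != "0")
        print "WARN readOnlyPort " seen["readOnlyPort"] " is served without authentication"
    }' "$1"
}

# Constructed sample: the security-relevant keys of the page's kubelet-config.yml.
sample_kubelet_config() {
  cat <<'EOF'
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /k8s/k8s/ssl/ca.pem
authorization:
  mode: Webhook
EOF
}

tmp=$(mktemp) && sample_kubelet_config > "$tmp"
audit_kubelet_config "$tmp"
rm -f "$tmp"
```

On a node, run `audit_kubelet_config /k8s/k8s/cfg/kubelet-config.yml`; setting `readOnlyPort: 0` clears the warning.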
### Approve the kubelet certificate request and join the cluster

1. View the kubelet certificate requests:

```bash
[root@master01 k8s]# kubectl get csr
NAME                             AGE    SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-ELAp2OgRZbZc2pXjrzaRh   4m2s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending
```

Note: the NAME column of this request is too long and was shortened for layout. The full name is: node-csr-ELAp2OgRZbZc2pXjrzaRh4LZQt9n_eCVMVGB3sTYB6Q

Approve the request:

```bash
[root@master01 k8s]# kubectl certificate approve node-csr-ELAp2OgRZbZc2pXjrzaRh4LZQt9n_eCVMVGB3sTYB6Q
```

View the kubelet certificate requests again. The condition has changed from Pending to Approved,Issued:

```bash
[root@master01 k8s]# kubectl get csr
NAME                             AGE     SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-ELAp2OgRZbZc2pXjrzaRh   4m59s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued

[root@master01 k8s]# kubectl get nodes
NAME       STATUS     ROLES    AGE    VERSION
master01   NotReady   <none>   108s   v1.18.19
```

Note: because the network plugin has not been deployed yet, the STATUS column above shows NotReady.

### Deploy kube-proxy

```bash
[root@master01 cfg]# cat > /k8s/k8s/cfg/kube-proxy.cfg << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/k8s/k8s/logs \\
--config=/k8s/k8s/cfg/kube-proxy-config.yml"
EOF
```

Create the kube-proxy-config.yml parameter file referenced above:

```bash
[root@master01 cfg]# cat > /k8s/k8s/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /k8s/k8s/cfg/kube-proxy.kubeconfig
hostnameOverride: master01
clusterCIDR: 10.0.0.0/24
EOF
```

Generate the kube-proxy.kubeconfig file:

```bash
[root@master01 cfg]# cd /k8s/k8s/ssl/
```

Create the certificate signing request file:

```bash
[root@master01 ssl]# cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guangzhou",
      "ST": "Guangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

Generate the kube-proxy certificate:

```bash
[root@master01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# View the certificates
[root@master01 ssl]# ll kube-proxy*pem
-rw------- 1 root root 1679 7月 3 03:01 kube-proxy-key.pem
-rw-r--r-- 1 root root 1395 7月 3 03:01 kube-proxy.pem
```

Generate the kubeconfig file:

```bash
[root@master01 ssl]# KUBE_APISERVER="https://172.16.186.111:6443"
```

Note: this variable was already defined when bootstrap.kubeconfig was generated, so it is not run again here. Before continuing, confirm that the variable is set: `echo $KUBE_APISERVER`

```bash
[root@master01 ssl]# kubectl config set-cluster kubernetes \
  --certificate-authority=/k8s/k8s/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
```

Note: this command creates a file named kube-proxy.kubeconfig in the current directory; keep this in mind for the later steps.

```bash
[root@master01 ssl]# kubectl config set-credentials kube-proxy \
  --client-certificate=/k8s/k8s/ssl/kube-proxy.pem \
  --client-key=/k8s/k8s/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
[root@master01 ssl]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
[root@master01 ssl]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```

Move the kube-proxy.kubeconfig file to its target path:

```bash
[root@master01 ssl]# mv kube-proxy.kubeconfig /k8s/k8s/cfg/
[root@master01 ssl]# cd ..
```
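For the kubelet CSR approval step earlier on this page: the bootstrap token lets any holder submit a request, so it is worth vetting a request before approving it. The following is an added example, not part of the original article. It filters `kubectl get csr --no-headers` rows (assuming the five-column v1.18 layout shown on this page) and checks a decoded request subject; the function names and the two extra rows are constructed.

```bash
#!/bin/sh
# Added example: vet pending CSRs before running `kubectl certificate approve`.
# approvable_csrs reads `kubectl get csr --no-headers` rows on stdin, in the
# v1.18 column order shown on this page: NAME AGE SIGNERNAME REQUESTOR CONDITION.
approvable_csrs() {
  awk -v signer="kubernetes.io/kube-apiserver-client-kubelet" \
      -v requestor="kubelet-bootstrap" '
    NF != 5 || $5 != "Pending" { next }          # only undecided requests
    $3 == signer && $4 == requestor && $1 ~ /^node-csr-/ { print $1; next }
    { print "skip " $1 " (signer=" $3 ", requestor=" $4 ")" > "/dev/stderr" }
  '
}

# subject_is_node SUBJECT NODE: true when the request subject, as printed by
#   kubectl get csr NAME -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
# is exactly O=system:nodes, CN=system:node:NODE (either openssl output style).
subject_is_node() {
  s=$(printf '%s' "$1" | tr -d ' ')
  case "$s" in
    "subject=O=system:nodes,CN=system:node:$2") return 0 ;;
    "subject=/O=system:nodes/CN=system:node:$2") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed rows: the page's request plus two that must not be approved.
sample_csr_rows() {
  cat <<'EOF'
node-csr-ELAp2OgRZbZc2pXjrzaRh4LZQt9n_eCVMVGB3sTYB6Q 4m2s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
node-csr-constructed-0002 1m kubernetes.io/kube-apiserver-client system:serviceaccount:default:demo Pending
node-csr-constructed-0003 9m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
EOF
}

sample_csr_rows | approvable_csrs
```

Only names printed on stdout are candidates for approval; skipped requests are reported on stderr for manual review.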
Manage kube-proxy with systemd:

```bash
[root@master01 ~]# cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=/k8s/k8s/cfg/kube-proxy.cfg
ExecStart=/k8s/k8s/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Start the service and enable it at boot:

```bash
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl enable kube-proxy
[root@master01 ~]# systemctl start kube-proxy
[root@master01 k8s]# systemctl status kube-proxy
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since 三 2021-07-07 23:55:45 EDT; 4s ago
 Main PID: 19058 (kube-proxy)
    Tasks: 8
   Memory: 11.5M
   CGroup: /system.slice/kube-proxy.service
           └─19058 /k8s/k8s/bin/kube-proxy --logtostderr=false --v=2 --log-dir=/k8s/k8s/logs --config=/k8s/k8s/cfg/kube-pr...

7月 07 23:55:45 master01 systemd[1]: Started Kubernetes Proxy.
```

### Deploy the CNI network