node節(jié)點組件 (v1.17)
- docker https://download.docker.com/
- kubelet
- kube-proxy
kubernetes-server-linux-amd64.tar.gz(相關(guān)的這里都能找到二進制文件!)
1. 系統(tǒng)初始化
1.1 系統(tǒng)環(huán)境
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)
1.2 修改各個節(jié)點的對應(yīng)hostname, 并分別寫入/etc/hosts
hostnamectl set-hostname k8s-node01
# 寫入hosts--> 注意是 >> 表示不改變原有內(nèi)容追加!
cat>> /etc/hosts <<EOF
192.168.2.201 k8s-master01
192.168.2.202 k8s-master02
192.168.2.203 k8s-master03
192.168.2.11 k8s-node01
192.168.2.12 k8s-node02
EOF
1.3 安裝依賴包和常用工具
yum install wget vim yum-utils net-tools tar chrony curl jq ipvsadm ipset conntrack iptables sysstat libseccomp -y
1.4 所有節(jié)點關(guān)閉firewalld, selinux以及swap
# 關(guān)閉防火墻并清空防火墻規(guī)則
systemctl disable --now firewalld
iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
iptables -P FORWARD ACCEP
# 關(guān)閉selinux --->selinux=disabled 需重啟生效!
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# 關(guān)閉swap --->注釋掉swap那一行, 需重啟生效!
swapoff -a && sed -i '/ swap / s/^\(.*\)$/# \1/g' /etc/fstab
1.5 所有節(jié)點設(shè)置時間同步
timedatectl set-timezone Asia/Shanghai
timedatectl set-local-rtc 0
systemctl enable chronyd && systemctl restart chronyd
1.6 調(diào)整內(nèi)核參數(shù), k8s必備參數(shù)!
# 先加載模塊
modprobe br_netfilter
# 寫入配置文件
cat> /etc/sysctl.d/kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max = 6553500
net.nf_conntrack_max = 6553500
net.ipv4.tcp_max_tw_buckets = 4096
EOF
# 生效配置
sysctl -p /etc/sysctl.d/kubernetes.conf
1.6 kube-proxy開始ipvs的前置條件
# 寫入配置文件
cat> /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
# 引導(dǎo)和驗證!
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
1.7 在每臺node上預(yù)建目錄
# 預(yù)創(chuàng)建目錄
mkdir -p /opt/k8s/{bin,cert}
mkdir -p /opt/lib/{kubelet,kube-proxy}
# 在每臺node上添加環(huán)境變量:
sh -c "echo 'PATH=/opt/k8s/bin:$PATH:$HOME/bin:$JAVA_HOME/bin' >> /etc/profile.d/k8s.sh"
# 生效環(huán)境變量
source /etc/profile.d/k8s.sh
-
做完以上步驟, 最好重啟下機器并檢查下
2. 部署安裝 docker
- docker 是容器的運行環(huán)境,管理它的生命周期蔗衡。kubelet 通過 Container Runtime Interface (CRI) 與 docker 進行交互
- flanneld 啟動時將網(wǎng)絡(luò)配置寫入 /run/flannel/docker 文件中甘晤,dockerd 啟動前讀取該文件中的環(huán)境變量 DOCKER_NETWORK_OPTIONS ,然后設(shè)置 docker0 網(wǎng)橋網(wǎng)段淀歇;
2.1 yum 安裝 docker
- 截至目前,Red Hat已阻止docker-ce的安裝匈织,因此浪默,如果您嘗試運行命令yum install docker-ce牡直,將運行失敗。
# 添加 docker 源
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# 安裝配套 containerd.io (用得是 el7 得...)
yum install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
# yum 安裝docker-ce 19.03
yum install docker-ce
2.2 docker配置文件修改
2.3 設(shè)置開機啟動, 并啟動驗證 docker 服務(wù)
systemctl enable docker && systemctl daemon-reload && systemctl restart docker && systemctl status docker
3. 部署 kubelet 組件
- kublet 運行在每個 node 節(jié)點上纳决,接收 kube-apiserver 發(fā)送的請求碰逸,管理 Pod 容器,執(zhí)行交互式命令阔加,如 exec饵史、run、logs 等胜榔。
- kublet 啟動時自動向 kube-apiserver 注冊節(jié)點信息胳喷,內(nèi)置的 cadvisor 統(tǒng)計和監(jiān)控節(jié)點的資源使用情況。
- 為確保安全夭织,本文檔只開啟接收 https 請求的安全端口吭露,對請求進行認證和授權(quán),拒絕未授權(quán)的訪問
ps: kubelet 的機制不需要手動生成證書!
3.1 下載二進制kubelet文件
kubernetes-server-linux-amd64.tar.gz # 我在這里, 在這里! 里面有 kubectl 二進制單文件工具!
# 傳送過去, 順便也把 kube-proxy 也傳送過去!
[root@k8s-master01 ~]# scp /root/kubernetes/server/bin/{kubelet,kube-proxy} root@k8s-node01:/opt/k8s/bin/
3.2 在 master 節(jié)點上創(chuàng)建角色綁定
- kubelet 啟動時向 kube-apiserver 發(fā)送 TLS bootstrapping 請求尊惰,需要先將 bootstrap token 文件中的 kubelet-bootstrap 用戶賦予 system:node-bootstrapper cluster角色(role)讲竿, 然后 kubelet 才能有權(quán)限創(chuàng)建認證請求(certificate signing requests):
[root@k8s-master01 ~]# kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
--user=kubelet-bootstrap 是部署kube-apiserver時創(chuàng)建bootstrap-token.csv文件中指定的用戶,同時也需要寫入bootstrap.kubeconfig 文件
3.3 在 master 節(jié)點上為要加入的 node 創(chuàng)建 kubelet-bootstrap.kubeconfig 文件
# 設(shè)置集群參數(shù)
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/cert/ca.pem \
--embed-certs=true \
--server=https://192.168.2.210:8443 \
--kubeconfig=/opt/k8s/kubelet-bootstrap.kubeconfig
# 設(shè)置客戶端認證參數(shù)
### tocker是前文提到的bootstrap-token.csv文件中token值
[root@k8s-master01 ~]# kubectl config set-credentials kubelet-bootstrap \
--token=23f6d5b6ddb2779c048ef13197d4aa2b \
--kubeconfig=/opt/k8s/kubelet-bootstrap.kubeconfig
# 設(shè)置上下文參數(shù)
[root@k8s-master01 ~]# kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=/opt/k8s/kubelet-bootstrap.kubeconfig
# 設(shè)置默認上下文
[root@k8s-master01 ~]# kubectl config use-context default \
--kubeconfig=/opt/k8s/kubelet-bootstrap.kubeconfig
傳送相關(guān)所需文件
# 把 ca 證書和私鑰傳送給 node 節(jié)點
scp /opt/k8s/cert/ca*.pem root@k8s-node01:/opt/k8s/cert/
# 把生成的 kubelet-bootstrap.kubeconfig 傳送給 node 節(jié)點 (可復(fù)用!)
scp /opt/k8s/kubelet-bootstrap.kubeconfig root@k8s-node01:/opt/k8s/
3.4 在 node 節(jié)點上創(chuàng)建對應(yīng)的 kubelet 的 systemd unit 文件
- 注意參數(shù)的替換
" ##NODE_IP## " 替換對應(yīng)的nodeIP
" ##NODE_NAME## " 替換對應(yīng)node的hostname
[root@k8s-node01 ~]# vi /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/opt/lib/kubelet
ExecStart=/opt/k8s/bin/kubelet \
--bootstrap-kubeconfig=/opt/k8s/kubelet-bootstrap.kubeconfig \
--cert-dir=/opt/k8s/cert/ \
--kubeconfig=/opt/k8s/kubelet.kubeconfig \
--anonymous-auth=false \
--authorization-mode=Webhook \
--authentication-token-webhook=true \
--client-ca-file=/opt/k8s/cert/ca.pem \
--address=##NODE_IP## \
--cgroup-driver=cgroupfs \
--image-pull-progress-deadline=300s \
--node-labels=node.kubernetes.io/k8s-node=true \
--cluster-dns=10.96.0.2 \
--cluster-domain=cluster.local \
--node-ip=##NODE_IP## \
--port=10250 \
--hostname-override=##NODE_NAME## \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1 \
--network-plugin=cni \
--cni-conf-dir=/opt/cni/net.d \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/log/kubernetes \
--v=2
Restart=on-failure
RestartSec=5
KillMode=process
[Install]
WantedBy=multi-user.target
- --authorization-mode:kubelet認證模式
- --cert-dir:TLS證書所在的目錄
- --eviction-max-pod-grace-period:終止pod最大寬限時間
- --pod-infra-container-image:每個pod的network/ipc namespace容器使用的鏡像地址!
- --hostname-override:設(shè)置node在集群中的主機名弄屡,默認使用主機hostname题禀;如果設(shè)置了此項參數(shù),kube-proxy服務(wù)也需要設(shè)置此項參數(shù)
3.6 設(shè)置開機啟動. 并開啟檢查 kubelet 服務(wù)
systemctl daemon-reload && systemctl enable kubelet && systemctl restart kubelet && systemctl status kubelet
3.7 在 master 上批準kubelet 的 TLS 證書請求
- kubelet 首次啟動向 kube-apiserver 發(fā)送證書簽名請求膀捷,必須由 kubernetes 系統(tǒng)允許通過后投剥,才會將該 node 加入到集群。
手動 approve csr 請求
# 查看 CSR 列表:
[root@k8s-master01 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr--LyhqMsoBZHufxq_PNLzryNXUZGHhGy1sbdclP6pPoE 12m kubelet-bootstrap Pending
# 手動approve csr:
[root@k8s-master01 ~]# kubectl certificate approve node-csr--LyhqMsoBZHufxq_PNLzryNXUZGHhGy1sbdclP6pPoE
certificatesigningrequest.certificates.k8s.io/node-csr--LyhqMsoBZHufxq_PNLzryNXUZGHhGy1sbdclP6pPoE approved
# )查看 approve 結(jié)果:
[root@k8s-master01 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
csr-wzzm5 61s kubelet-bootstrap Approved
自動 approve csr 請求!
- 創(chuàng)建三個 ClusterRoleBinding担孔,分別用于自動 approve client江锨、renew client、renew server 證書:
[root@k8s-master01 ~]# cat > /opt/k8s/csr-crb.yaml <<EOF
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: auto-approve-csrs-for-group
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node-client-cert-renewal
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeserver"]
verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node-server-cert-renewal
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: approve-node-server-renewal-csr
apiGroup: rbac.authorization.k8s.io
EOF
- auto-approve-csrs-for-group:自動 approve node 的第一次 CSR糕篇; 注意第一次 CSR 時啄育,請求的 Group 為 system:bootstrappers;
- node-client-cert-renewal:自動 approve node 后續(xù)過期的 client 證書拌消,自動生成的證書 Group 為 system:nodes;
- node-server-cert-renewal:自動 approve node 后續(xù)過期的 server 證書挑豌,自動生成的證書 Group 為 system:nodes;
生效配置:
[root@k8s-master01 ~]# kubectl apply -f /opt/k8s/csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/auto-approve-csrs-for-group created
clusterrolebinding.rbac.authorization.k8s.io/node-client-cert-renewal created
clusterrole.rbac.authorization.k8s.io/approve-node-server-renewal-csr created
clusterrolebinding.rbac.authorization.k8s.io/node-server-cert-renewal created
4. 部署 kube-proxy 組件
- kube-proxy 運行在所有 node 節(jié)點上,它監(jiān)聽 apiserver 中 service 和 Endpoint 的變化情況墩崩,創(chuàng)建路由規(guī)則來進行服務(wù)負載均衡氓英。
- kube-proxy 使用 ipvs 模式。(ipvs 配置已在環(huán)境配置里設(shè)置!)
4.1 下載 kube-proxy 二進制文件
kubernetes-server-linux-amd64.tar.gz # 我在這里, 在這里! 里面有 kube-proxy 二進制單文件工具!
4.2 在 master 節(jié)點上創(chuàng)建 kube-proxy 證書
在 master 節(jié)點上創(chuàng)建證書請求文件
[root@k8s-master01 ~]# cat > /opt/k8s/cert/kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "steams"
}
]
}
EOF
- CN:指定該證書的 User 為 system:kube-proxy鹦筹;
- 該證書只會被 kube-proxy 當做 client 證書使用铝阐,所以 hosts 字段為空;
在 master 節(jié)點上生成證書和私鑰
[root@k8s-master01 ~]# cfssl gencert \
-ca=/opt/k8s/cert/ca.pem \
-ca-key=/opt/k8s/cert/ca-key.pem \
-config=/opt/k8s/cert/ca-config.json \
-profile=kubernetes /opt/k8s/cert/kube-proxy-csr.json | cfssljson -bare /opt/k8s/cert/kube-proxy
# 查看證書
[root@k8s-master01 ~]# ls /opt/k8s/cert/kube-proxy*
4.3 在 master 節(jié)點上創(chuàng)建kube-proxy.kubeconfig 文件
## 配置集群參數(shù)
[root@kube-master ~]# kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/cert/ca.pem \
--embed-certs=true \
--server=https://192.168.2.210:8443 \
--kubeconfig=/opt/k8s/kube-proxy.kubeconfig
## 配置客戶端認證參數(shù)
[root@kube-master ~]# kubectl config set-credentials kube-proxy \
--client-certificate=/opt/k8s/cert/kube-proxy.pem \
--client-key=/opt/k8s/cert/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=/opt/k8s/kube-proxy.kubeconfig
## 配置集群上下文
[root@kube-master ~]# kubectl config set-context kube-proxy@kubernetes \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=/opt/k8s/kube-proxy.kubeconfig
## 配置集群默認上下文
[root@kube-master ~]# kubectl config use-context kube-proxy@kubernetes \
--kubeconfig=/opt/k8s/kube-proxy.kubeconfig
- --embed-certs=true:將 ca.pem 和 admin.pem 證書內(nèi)容嵌入到生成的 kubectl-proxy.kubeconfig 文件中(不加時铐拐,寫入的是證書文件路徑)徘键;
傳送相關(guān)所需文件
# 傳送證書和私鑰至node節(jié)點
[root@k8s-master01 ~]# scp /opt/k8s/cert/kube-proxy*.pem root@k8s-node01:/opt/k8s/cert/
# 傳送kube-proxy.kubeconfig至node節(jié)點
[root@k8s-master01 ~]# scp /opt/k8s/kube-proxy.kubeconfig root@k8s-node01:/opt/k8s/
4.5 在 node 節(jié)點上創(chuàng)建對應(yīng)的 kube-proxy 的 kube-proxy 配置文件
- all flags other than --config, --write-config-to, and --cleanup are deprecated. Please begin using a config file ASAP
以后預(yù)測所有組件都在朝這個方向走!! - 注意參數(shù)的替換
" ##NODE_IP## " 替換對應(yīng) node 的 nodeIP
" ##NODE_NAME## " 替換對應(yīng) node 的 hostname
[root@k8s-node01 ~]# vi /opt/k8s/kube-proxy.config.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: ##NODE_IP##
clientConnection:
kubeconfig: /opt/k8s/kube-proxy.kubeconfig
clusterCIDR: 10.96.0.0/16
healthzBindAddress: ##NODE_IP##:10256
hostnameOverride: ##NODE_NAME##
kind: KubeProxyConfiguration
metricsBindAddress: ##NODE_IP##:10249
mode: "ipvs"
4.6 在 node 節(jié)點上創(chuàng)建 kube-proxy 得 systemd unit 文件
[root@k8s-node01 ~]# vi /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
WorkingDirectory=/opt/lib/kube-proxy
ExecStart=/opt/k8s/bin/kube-proxy \
--config=/opt/k8s/kube-proxy.config.yaml \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/log/kubernetes \
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
4.7 設(shè)置開機啟動, 并啟動并檢查 kube-proxy 服務(wù)
systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy && systemctl status kube-proxy
4.8 在node節(jié)點上-->查看 ipvs 路由規(guī)則
[root@k8s-node01 ~]# /usr/sbin/ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.96.0.1:443 rr
-> 192.168.2.201:6443 Masq 1 0 0
-> 192.168.2.202:6443 Masq 1 0 0
-> 192.168.2.203:6443 Masq 1 0 0
