Node组件为:kubelet 、Kube-proxy
一、在master节点下载二进制包
wget https://storage.googleapis.com/kubernetes-release/release/v1.16.6/kubernetes-server-linux-amd64.tar.gz
三、解压文件
tar -zxvf kubernetes-server-linux-amd64.tar.gz
or
mkdir a
tar -zxvf kubernetes-server-linux-amd64.tar.gz -C a
cp a/kubernetes/server/bin/kubectl kubernetes/bin/
cp a/kubernetes/server/bin/kube-proxy kubernetes/bin/
四、得到kubernetes目录
cd kubernetes
五、我们只需要kubernetes/server/bin以下文件
- kubectl
- kube-proxy
以上是为了获取最新的k8s,所以可以去官网下载k8s安装的二进制文件,我们还需要一些其他的辅助文件:
下面的文件实际上可以正常运行的,可以跳过一至五这个步骤
kubernetes.tar.gztree kubernetes/
输出以下内容:
kubernetes/
├── bin
│ ├── kubectl
│ └── kube-proxy
├── cfg
│ ├── bootstrap.kubeconfig #请求证书的配置文件
│ ├── kubelet.conf
│ ├── kubelet-config.yml#动态调整kubelet配置
│ ├── kube-proxy.conf
│ ├── kube-proxy-config.yml #动态调整proxy配置
│ └── kube-proxy.kubeconfig #是链接apiserver的组件
├── logs
└── ssl
kubernetes/
├── bin
│ ├── kubectl
│ └── kube-proxy
├── cfg
│ ├── bootstrap.kubeconfig #请求证书的配置文件
│ ├── kubelet.conf
│ ├── kubelet-config.yml#动态调整kubelet配置
│ ├── kube-proxy.conf
│ ├── kube-proxy-config.yml #动态调整proxy配置
│ └── kube-proxy.kubeconfig #是链接apiserver的组件
├── logs
└── ssl
#配置文件后缀含义
.cnf #基本配置文件
.kubeconfig #链接apiserver的配置文件
.yml #主要配置文件(动态更新配置文件)
六、配置文件含义解释
注意:
- bootstrap.kubeconfig 下的server要为master的IP
- kube-proxy.kubeconfig 下的server要为master的IP
- kubelet.conf 下的hostname-override 注册节点名称要唯一
- kube-proxy-config.yml 下的hostnameOverride 注册节点名称要唯一
cat kubelet.conf
输出以下内容:
KUBELET_OPTS="--logtostderr=false #日志
--v=2 #日志级别
--log-dir=/opt/kubernetes/logs #日志目录
--hostname-override=k8s-node1 #节点名称,名称必须唯一,每个节点都要改一下
--network-plugin=cni #启用网络插件
--v=2 #日志级别
--log-dir=/opt/kubernetes/logs #日志目录
--hostname-override=k8s-node1 #节点名称,名称必须唯一,每个节点都要改一下
--network-plugin=cni #启用网络插件
#指定配置文件路径
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig
--config=/opt/kubernetes/cfg/kubelet-config.yml
--cert-dir=/opt/kubernetes/ssl #指定为节点颁发的证书存放目录
--pod-infra-container-image=lizhenliang/pause-amd64:3.0" #启动pod的镜像,这个pod镜像主要是管理pod的命名空间
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig
--config=/opt/kubernetes/cfg/kubelet-config.yml
--cert-dir=/opt/kubernetes/ssl #指定为节点颁发的证书存放目录
--pod-infra-container-image=lizhenliang/pause-amd64:3.0" #启动pod的镜像,这个pod镜像主要是管理pod的命名空间
cat bootstrap.kubeconfig
输出以下内容:
apiVersion: v1
clusters:
- cluster:
certificate-authority: /opt/kubernetes/ssl/ca.pem
server: https://192.168.31.61:6443 #master1服务器IP(内网IP)
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet-bootstrap
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
user:
token: c47ffb939f5ca36231d9e3121a252940 #token要与/opt/kubernetes/cfg/token.csv 里面的token一致
apiVersion: v1
clusters:
- cluster:
certificate-authority: /opt/kubernetes/ssl/ca.pem
server: https://192.168.31.61:6443 #master1服务器IP(内网IP)
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubelet-bootstrap
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
user:
token: c47ffb939f5ca36231d9e3121a252940 #token要与/opt/kubernetes/cfg/token.csv 里面的token一致
k8s为了解决kubelet颁发证书的复杂性,所以引入了bootstrap机制,自动的为将要加入到集群的node颁发kubelet证书,所有链接apiserver的都需要证书。
bootstrap工作流程
cat kubelet-config.yml
输出以下内容:
kind: KubeletConfiguration #使用对象
apiVersion: kubelet.config.k8s.io/v1beta1 #api版本
address: 0.0.0.0 #监听地址
port: 10250 #当前kubelet的端口
readOnlyPort: 10255 #kubelet暴露的端口
cgroupDriver: cgroupfs #驱动,要于docker info显示的驱动一致
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local #集群域
failSwapOn: false #关闭swap
apiVersion: kubelet.config.k8s.io/v1beta1 #api版本
address: 0.0.0.0 #监听地址
port: 10250 #当前kubelet的端口
readOnlyPort: 10255 #kubelet暴露的端口
cgroupDriver: cgroupfs #驱动,要于docker info显示的驱动一致
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local #集群域
failSwapOn: false #关闭swap
#访问授权
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
cat kube-proxy.kubeconfig
输出以下内容:
apiVersion: v1
clusters:
- cluster:
certificate-authority: /opt/kubernetes/ssl/ca.pem #指定ca
server: https://192.168.31.61:6443 #masterIP地址(内网)
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kube-proxy
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
user:
client-certificate: /opt/kubernetes/ssl/kube-proxy.pem
client-key: /opt/kubernetes/ssl/kube-proxy-key.pem
clusters:
- cluster:
certificate-authority: /opt/kubernetes/ssl/ca.pem #指定ca
server: https://192.168.31.61:6443 #masterIP地址(内网)
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kube-proxy
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
user:
client-certificate: /opt/kubernetes/ssl/kube-proxy.pem
client-key: /opt/kubernetes/ssl/kube-proxy-key.pem
cat kube-proxy-config.yml
输出以下内容:
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
address: 0.0.0.0 #监听地址
metricsBindAddress: 0.0.0.0:10249 #监控指标地址
clientConnection:
kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig #读取配置文件
hostnameOverride: k8s-node1 #注册到k8s的节点名称
clusterCIDR: 10.0.0.0/24
mode: ipvs #模式,使用ipvs(性能比较好),默认是IPtables
ipvs:
scheduler: "rr"
iptables:
masqueradeAll: true
apiVersion: kubeproxy.config.k8s.io/v1alpha1
address: 0.0.0.0 #监听地址
metricsBindAddress: 0.0.0.0:10249 #监控指标地址
clientConnection:
kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig #读取配置文件
hostnameOverride: k8s-node1 #注册到k8s的节点名称
clusterCIDR: 10.0.0.0/24
mode: ipvs #模式,使用ipvs(性能比较好),默认是IPtables
ipvs:
scheduler: "rr"
iptables:
masqueradeAll: true
七、将文件移动到工作目录
mv kubernetes/ /opt/
八、将service移动到工作目录
mv *service /usr/lib/systemd/system/
九、去master1主机将证书下发到node节点
scp *pem root @172.19.***.***:/opt/kubernetes/ssl/
九、启动、加入开机启动、查看日志
systemctl start kubelet
systemctl enable kubelet
tail /opt/kubernetes/logs/kubelet.INFO
systemctl start kube-proxy
systemctl status kube-proxy
systemctl enable kube-proxy
十、去master1主机查看请求需要颁发证书的服务
kubectl get csr
输出以下内容
NAME AGE REQUESTOR CONDITION
node-csr-5n1O9r9fqSNXbii_Lo1cB4YVjLlImpKAXu89-a2rXe0 2m32s kubelet-bootstrap Pending
node-csr-5n1O9r9fqSNXbii_Lo1cB4YVjLlImpKAXu89-a2rXe0 2m32s kubelet-bootstrap Pending
十一、在master1主机给请求的节点颁发证书
kubectl certificate approve node-csr-5n1O9r9fqSNXbii_Lo1cB4YVjLlImpKAXu89-a2rXe0
十二、在master1主机查看已经颁发的节点
kubectl get node
输出以下内容
NAME STATUS ROLES AGE VERSION
k8s-node1 NotReady <none> 110s v1.16.6
k8s-node1 NotReady <none> 110s v1.16.6
十三、我们可以在node服务器看到颁发的证书
ls /opt/kubernetes/ssl
十四、在其他node机器按照以上方式同样的方式部署
node需要部署docker、kubelet、kube-proxy