K8S single-master deployment, part four: kubelet + kube-proxy

Server Role Assignment

Role     Address            Installed components
master   192.168.142.220    kube-apiserver kube-controller-manager kube-scheduler etcd
node1    192.168.142.136    kubelet kube-proxy docker flannel etcd
node2    192.168.142.132    kubelet kube-proxy docker flannel etcd

I. Pre-deployment preparation of Kubelet and proxy

All operations before the "node side" divider are performed on the master; everything after it is performed on the nodes.

Copy the kubelet and kube-proxy binaries to the nodes

[root@master bin]# pwd
/k8s/kubernetes/server/bin
//node2 address
[root@master bin]# scp -p kubelet kube-proxy root@192.168.142.132:/opt/kubernetes/bin/
//node1 address
[root@master bin]# scp -p kubelet kube-proxy root@192.168.142.136:/opt/kubernetes/bin/

Build the bootstrap kubeconfig so that kubelet can request its certificate automatically

Create bootstrap.kubeconfig (required!!!)

//Set the apiserver endpoint; this is the master's own address (the apiserver must already be installed)
[root@master kubernetes]# export KUBE_APISERVER="https://192.168.142.220:6443"

//Setting up clusters
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=/k8s/kubeconfig/bootstrap.kubeconfig

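//Set up client authentication. BOOTSTRAP_TOKEN is not set anywhere on this page: it must already be exported in this shell and must match the bootstrap token configured on the apiserver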
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=/k8s/kubeconfig/bootstrap.kubeconfig

//Setting context parameters
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=/k8s/kubeconfig/bootstrap.kubeconfig

//Set Default Context
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config use-context default \
--kubeconfig=/k8s/kubeconfig/bootstrap.kubeconfig

Create a kube-proxy kubeconfig file

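//Set the cluster parameters (the CA file given here must be the one that signed the apiserver certificate; the bootstrap kubeconfig above uses /opt/kubernetes/ssl/ca.pem)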
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=/opt/etcd/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=/k8s/kubeconfig/kube-proxy.kubeconfig

//Set up client authentication
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
--client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=/k8s/kubeconfig/kube-proxy.kubeconfig

//Setting context parameters
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=/k8s/kubeconfig/kube-proxy.kubeconfig

//Set Default Context
[root@master kubernetes]# /opt/kubernetes/bin/kubectl config use-context default \
--kubeconfig=/k8s/kubeconfig/kube-proxy.kubeconfig

Push the kubeconfig files to the nodes (they carry the bootstrap token and the embedded kube-proxy private key)

[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.142.132:/opt/kubernetes/cfg/
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.142.136:/opt/kubernetes/cfg/

Add kubectl to the PATH environment variable

[root@master kubeconfig]# echo "export PATH=\$PATH:/opt/kubernetes/bin/" >> /etc/profile
[root@master kubeconfig]# source /etc/profile

Bind the bootstrap user to the system:node-bootstrapper role so that it can send certificate signing requests to the apiserver

(Most important!!! Not nearly finished)

[root@master kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap

Node side (only the address differs between nodes; all remaining steps are the same)

Install Kubelet

Export the node IP and the DNS server IP as shell variables (change the values for each node)

Alternatively, skip the variables and write the values directly into the configuration files.

[root@node1 bin]# export NODE_ADDRESS="192.168.142.136"
[root@node1 bin]# export DNS_SERVER_IP="192.168.142.2"

Create a kubelet configuration file

[root@node1 ~]# cat <<EOF >/opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

EOF

#This is the second file. There are two! Remember, both are needed!
[root@node1 ~]# cat <<EOF >/opt/kubernetes/cfg/kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP} 
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
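
The kubelet.config written above enables anonymous authentication and the read-only port, the two settings that decide who can reach the kubelet API. The following added example (not part of the original article) audits a constructed, reduced copy of that file and a hardened variant; the function name, the temporary paths and the clientCAFile location are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Flags explicit settings in a
# KubeletConfiguration file that open the kubelet API to unauthenticated callers.
# Assumes 2-space-indented YAML as in kubelet.config; omitted keys are not judged.
audit_kubelet_config() {
  awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
      indent = 0
      while (substr($0, indent + 1, 1) == " ") indent++
      line = substr($0, indent + 1)
      n = index(line, ":"); if (n == 0) next
      key = substr(line, 1, n - 1); val = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (indent == 0) { top = key; mid = "" } else if (indent == 2) mid = key
      if (indent == 0 && key == "readOnlyPort" && val != "0")
        print "FAIL readOnlyPort=" val ": unauthenticated read-only endpoint is served"
      if (indent == 4 && top == "authentication" && mid == "anonymous" && key == "enabled" && val == "true")
        print "FAIL authentication.anonymous.enabled=true: requests without credentials are accepted"
      if (indent == 2 && top == "authorization" && key == "mode" && val == "AlwaysAllow")
        print "FAIL authorization.mode=AlwaysAllow: every accepted request is authorized"
    }
  ' "$1"
}
# Constructed samples: the relevant keys of the article's kubelet.config, then a
# hardened variant (the clientCAFile path is an assumption for this layout).
workdir=$(mktemp -d)
cat > "$workdir/kubelet.config" <<'EOF'
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: true
EOF
cat > "$workdir/kubelet.hardened" <<'EOF'
kind: KubeletConfiguration
readOnlyPort: 0
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
EOF
audit_kubelet_config "$workdir/kubelet.config"      # two FAIL lines
audit_kubelet_config "$workdir/kubelet.hardened"    # no output
```

With anonymous access turned off, the apiserver has to authenticate to the kubelet itself, which it does through its --kubelet-client-certificate and --kubelet-client-key flags.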

Create the kubelet systemd unit file

[root@node1 ~]# cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

Start the service

[root@node1 ~]# chmod +x /usr/lib/systemd/system/kubelet.service
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl enable kubelet
[root@node1 ~]# systemctl restart kubelet

At this point, if the kubelet started successfully, the master receives a certificate signing request from the node asking to join the cluster. The next thing we need to do is approve it.

Return to the master to check the signing request

[root@master kubeconfig]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-rDZDbQ9_NzqUXKMn2Yn28LVkzEXuITrNqPZ9WrJD5qg   42s   kubelet-bootstrap   Pending
//"Pending" means the request is waiting for approval

Approve the request so that the node's certificate is issued and kubelet.kubeconfig is generated

[root@master kubeconfig]# kubectl certificate approve node-csr-rDZDbQ9_NzqUXKMn2Yn28LVkzEXuITrNqPZ9WrJD5qg

//The condition of the request changes at this point
[root@master kubeconfig]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-rDZDbQ9_NzqUXKMn2Yn28LVkzEXuITrNqPZ9WrJD5qg   42s   kubelet-bootstrap   Approved,Issued
//"Approved" means the request was accepted; "Issued" means the certificate has been issued

//View the cluster nodes
[root@master kubeconfig]# kubectl get nodes
NAME        STATUS    AGE       VERSION
192.168.142.136   Ready     49m       v1.6.2
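
Every node receives the same bootstrap.kubeconfig, so the requestor column alone does not show which identity a pending request asks for. The following added example (not part of the original article) checks the subject of a kubelet CSR before approving it; the function names are hypothetical, and it assumes the node name equals the --hostname-override value used above.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Approves a kubelet CSR only if
# it asks for the node identity and nothing else. Function names are hypothetical.

# csr_subject_ok SUBJECT NODE: SUBJECT is the RFC 2253 line printed by openssl,
# e.g. "subject=CN=system:node:192.168.142.136,O=system:nodes".
csr_subject_ok() {
  local subject="${1#subject=}" node="$2" cn="" orgs=0 rdn
  local IFS=','
  for rdn in $subject; do
    rdn=${rdn# }                                  # tolerate ", " separators
    case $rdn in
      CN=*) [ -z "$cn" ] || return 1; cn=${rdn#CN=} ;;
      O=system:nodes) orgs=$((orgs + 1)) ;;
      *) return 1 ;;   # any other O= would add group memberships to the cert
    esac
  done
  [ "$cn" = "system:node:$node" ] && [ "$orgs" -eq 1 ]
}

# review_csr CSR_NAME NODE: fetch the request from the apiserver, decode it and
# approve only if the subject matches. Needs kubectl, base64 and openssl.
review_csr() {
  local subject
  subject=$(kubectl get csr "$1" -o jsonpath='{.spec.request}' \
    | base64 -d | openssl req -noout -subject -nameopt RFC2253) || return 2
  if csr_subject_ok "$subject" "$2"; then
    kubectl certificate approve "$1"
  else
    echo "refusing $1: unexpected subject: $subject" >&2
    return 1
  fi
}

# Constructed subject line for node1, checked without contacting a cluster.
csr_subject_ok "subject=CN=system:node:192.168.142.136,O=system:nodes" \
  192.168.142.136 && echo "subject matches node1"
```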

The following steps are performed on the node

Install kube-proxy

Create a kube-proxy configuration file

[root@node1 ~]# cat <<EOF >/opt/kubernetes/cfg/kube-proxy

KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=192.168.142.136 \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

EOF

Create the kube-proxy systemd unit file

[root@node1 ~]# cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

Start the service

[root@node1 ~]# chmod +x /usr/lib/systemd/system/kube-proxy.service
[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl enable kube-proxy
[root@node1 ~]# systemctl restart kube-proxy

View service startup status

[root@node2 cfg]# netstat -atnp | grep proxy
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      50601/kube-proxy
tcp6       0      0 :::10256                :::*                    LISTEN      50601/kube-proxy

At this point, the entire single master cluster deployment is complete!!!!

Tags: Kubernetes kubelet SSL Docker

Posted on Tue, 04 Feb 2020 20:03:24 -0800 by ScratchyAnt