Kubernetes

7. Detailed procedure for deploying a Kubernetes worker node:

Linux · 7 March 2020

I. Deploy the worker Node

  • Install Docker

Binary download address (the planned download directory is /service/scripts):

wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.6.tgz

1. Extract the Docker archive

[root@k8s-node3 scripts]# tar zxvf docker-19.03.6.tgz 
[root@k8s-node2 scripts]# cd docker
[root@k8s-node2 docker]# ls
containerd  containerd-shim  ctr  docker  dockerd  docker-init  docker-proxy  runc

2. Move the files from the docker directory to /usr/local/bin:

[root@k8s-node3 docker]# mv * /usr/local/bin/

3. Configure the registry mirror in /etc/docker/daemon.json

{
 "registry-mirrors": ["https://ujaxb028.mirror.aliyuncs.com"]
}

4. Create the docker.service unit file (placed in /usr/lib/systemd/system, like the kubelet and kube-proxy units below). The unit orders Docker after containerd.service, but this page installs no separate containerd unit; dockerd starts its own containerd when none is running, so the ordering entry is harmless.

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/local/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

5. Enable start on boot

[root@k8s-node1 docker]# systemctl enable docker
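The five Docker steps above as a single script. This is an added example, not part of the original post: it refuses to install a bundle whose SHA-256 does not match the value the operator supplies (the page itself does not verify the download), installs the binaries with an explicit mode instead of `mv *`, and writes daemon.json. The checksum argument, the `--run` entry point and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): install the static Docker bundle
# with an integrity check and explicit file modes.
# Assumptions: the operator supplies the bundle's SHA-256 (taken from the
# vendor's published checksum) and the archive contains a docker/ directory
# with the binaries listed above.

sha256_of() {
    # Print the SHA-256 hex digest of a file (coreutils or BSD tooling).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    # verify_sha256 FILE EXPECTED_HEX: succeed only if the digest matches.
    [ "$(sha256_of "$1")" = "$2" ]
}

install_docker_bundle() {
    # install_docker_bundle TGZ BINDIR: unpack the archive into a scratch
    # directory and copy each binary into BINDIR with mode 0755, owned by the
    # invoking user (root), rather than `mv *`, which keeps whatever owner and
    # mode the archive happened to carry.
    tgz=$1; bindir=$2
    scratch=$(mktemp -d) || return 1
    if ! tar xzf "$tgz" -C "$scratch"; then rm -rf "$scratch"; return 1; fi
    mkdir -p "$bindir" || { rm -rf "$scratch"; return 1; }
    for f in "$scratch"/docker/*; do
        install -m 0755 "$f" "$bindir/$(basename "$f")" || { rm -rf "$scratch"; return 1; }
    done
    rm -rf "$scratch"
}

write_daemon_json() {
    # write_daemon_json DIR MIRROR_URL: write the registry-mirror setting shown
    # above into DIR/daemon.json.
    mkdir -p "$1" || return 1
    printf '{\n  "registry-mirrors": ["%s"]\n}\n' "$2" > "$1/daemon.json"
}

main() {
    # Usage: sh install-docker.sh --run /service/scripts/docker-19.03.6.tgz <sha256>
    tgz=$2; expected=$3
    if ! verify_sha256 "$tgz" "$expected"; then
        echo "checksum mismatch for $tgz, refusing to install" >&2
        exit 1
    fi
    install_docker_bundle "$tgz" /usr/local/bin || exit 1
    write_daemon_json /etc/docker https://ujaxb028.mirror.aliyuncs.com || exit 1
    # docker.service is the unit from step 4, placed in /usr/lib/systemd/system
    systemctl daemon-reload && systemctl enable --now docker
}

if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

Run it on the node as root with the archive path and the published checksum; the functions can also be sourced and used one at a time.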

II. Deploy the node component kubelet in detail

Configuration file formats:

Name                    Format        Notes
kubelet.conf            .conf         basic configuration (command-line flags)
kube-proxy.conf         .conf         basic configuration (command-line flags)
kubelet-config.yml      .yml          main configuration
kube-proxy-config.yml   .yml          main configuration
bootstrap.kubeconfig    .kubeconfig   credentials for connecting to the apiserver
kube-proxy.kubeconfig   .kubeconfig   credentials for connecting to the apiserver

0. Copy the kubelet and kube-proxy binaries to /opt/etcd/bin, create the logs directory, and copy the certificates ca.pem, kube-proxy.pem and kube-proxy-key.pem to /opt/etcd/ssl

[root@k8s-master bin]# cp -a kubelet kube-proxy /opt/etcd/bin/
[root@k8s-master script]# cp -a ca.pem kube-proxy.pem kube-proxy-key.pem /opt/etcd/ssl/
[root@k8s-master]# mkdir -p /opt/etcd/logs

Note: the kubeconfig files below refer to the certificates under /opt/etcd/ssl/kubernetes/; whichever directory you choose, the paths in the configuration files must match where the files actually are. kube-proxy-key.pem is a private key and should be readable by root only (chmod 600).

1. kubelet workflow diagram: (image not reproduced here)

2. kubelet.conf configuration file

KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/etcd/logs \
--hostname-override=k8s-node1 \
--network-plugin=cni \
--kubeconfig=/opt/etcd/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/etcd/cfg/bootstrap.kubeconfig \
--config=/opt/etcd/cfg/kubelet-config.yml \
--cert-dir=/opt/etcd/ssl/kubernetes \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"

 

Explanation:

KUBELET_OPTS=                  environment variable the systemd unit passes to the kubelet; --logtostderr=false writes logs to files instead of stderr.
--v=                           log verbosity level.
--log-dir=                     log directory.
--hostname-override            name under which this node registers with the Master.
--network-plugin               network plugin to use (cni).
--kubeconfig=                  kubeconfig the kubelet uses to talk to the apiserver; it is generated automatically once the bootstrap CSR has been approved.
--bootstrap-kubeconfig         kubeconfig used for TLS bootstrapping: the node authenticates with the bootstrap token and requests its own client certificate from the Master.
--config=                      path to the YAML configuration file.
--cert-dir=                    directory where the certificates issued to the node are stored.
--pod-infra-container-image=   image of the "pause" infrastructure container that holds each Pod's network namespace.

3. bootstrap.kubeconfig

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/etcd/ssl/kubernetes/ca.pem
    server: https://192.168.3.63:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    token: 4d3cafa7f12185628436cab57aaf77c7

Explanation (the node's certificate itself is issued automatically once the CSR is approved):

apiVersion: v1                        API version
clusters / certificate-authority      CA certificate used to verify the apiserver
clusters / server                     address of the Master (apiserver)
contexts / user: kubelet-bootstrap    the user this node bootstraps as
users / token                         bootstrap token that authenticates the node to the Master. It must be the token listed for the kubelet-bootstrap user in /opt/etcd/cfg/token.csv on the Master; otherwise the apiserver rejects the kubelet's requests as unauthenticated and no CSR ever appears. Anyone holding the token can request node certificates as kubelet-bootstrap, so keep this file readable only by root (chmod 600).
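To avoid the token mismatch described above, generate bootstrap.kubeconfig from the Master's token.csv instead of typing the token by hand, and verify an existing copy against it. This is an added example, not code from the original post: the token values in it are constructed, and the function names and the `--run` entry point are assumptions. token.csv is read in the apiserver static token file layout (token,user,uid,"groups").

```shell
#!/bin/sh
# Added example (not from the original post): build bootstrap.kubeconfig from
# the Master's token.csv and check that the token in an existing
# bootstrap.kubeconfig matches it. token.csv uses the apiserver static token
# file layout: token,user,uid,"group1,group2". Token values used with this
# script in tests are constructed for illustration.

token_for_user() {
    # token_for_user CSV USER: print the token whose second column is USER.
    awk -F, -v u="$2" '$2 == u { print $1; exit }' "$1"
}

write_bootstrap_kubeconfig() {
    # write_bootstrap_kubeconfig OUT CA_PEM SERVER TOKEN: emit the same layout
    # as the bootstrap.kubeconfig shown above, then restrict it to root because
    # the token is a bearer credential.
    out=$1; ca=$2; server=$3; tok=$4
    cat > "$out" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: $ca
    server: $server
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    token: $tok
EOF
    chmod 600 "$out"
}

kubeconfig_token() {
    # kubeconfig_token FILE: print the first "token:" value in a kubeconfig.
    awk '$1 == "token:" { print $2; exit }' "$1"
}

check_bootstrap_token() {
    # check_bootstrap_token CSV KUBECONFIG [USER]: succeed only when the
    # kubeconfig token equals USER's token in token.csv. A mismatch is the
    # usual reason a node's CSR never shows up on the Master: the apiserver
    # rejects the kubelet's bootstrap request as unauthenticated.
    user=${3:-kubelet-bootstrap}
    want=$(token_for_user "$1" "$user")
    have=$(kubeconfig_token "$2")
    if [ -z "$want" ]; then
        echo "no token for user $user in $1" >&2; return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "token in $2 does not match the token.csv entry for $user" >&2; return 1
    fi
    echo "bootstrap token for $user matches"
}

main() {
    # Usage on the Master:
    #   sh bootstrap-token.sh --run /opt/etcd/cfg/token.csv /tmp/bootstrap.kubeconfig
    csv=$2; out=$3
    tok=$(token_for_user "$csv" kubelet-bootstrap)
    [ -n "$tok" ] || { echo "kubelet-bootstrap not found in $csv" >&2; exit 1; }
    write_bootstrap_kubeconfig "$out" /opt/etcd/ssl/kubernetes/ca.pem https://192.168.3.63:6443 "$tok"
    check_bootstrap_token "$csv" "$out"
}

if [ "${1:-}" = "--run" ]; then main "$@"; fi
```

The same file can be produced with kubectl config set-cluster / set-credentials / set-context on the Master; the check function is the useful part when a node's CSR never appears: run it on the Master against the node's copy of bootstrap.kubeconfig.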

4. kubelet-config.yml

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local 
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/etcd/ssl/kubernetes/ca.pem 
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110

 

Explanation

kind: KubeletConfiguration                   object type
apiVersion: kubelet.config.k8s.io/v1beta1    API version
address: 0.0.0.0                             address the kubelet listens on
port: 10250                                  authenticated HTTPS API port
readOnlyPort: 10255                          unauthenticated read-only HTTP port; it exposes /pods, /spec and /metrics to anyone who can reach the node, so set it to 0 outside a lab
cgroupDriver: cgroupfs                       cgroup driver; must match the one Docker uses (cgroupfs is Docker's default when daemon.json sets no native.cgroupdriver)
clusterDNS: 10.0.0.2                         DNS server address written into each Pod's resolv.conf
clusterDomain: cluster.local                 cluster domain
failSwapOn: false                            do not refuse to start when swap is enabled (the default is true)
authentication.anonymous.enabled: false      reject unauthenticated requests to the kubelet API
authentication.webhook.enabled: true         verify bearer tokens through the apiserver (TokenReview); cacheTTL caches a result for 2 minutes
authentication.x509.clientCAFile             CA used to verify client certificates presented to the kubelet
authorization.mode: Webhook                  ask the apiserver (SubjectAccessReview) whether the caller may perform the request; do not use AlwaysAllow
evictionHard                                 thresholds at which the kubelet starts evicting Pods (image filesystem, memory, node filesystem space and inodes)
maxOpenFiles: 1000000                        maximum number of open files
maxPods: 110                                 maximum number of Pods per node
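A small audit of kubelet-config.yml for the settings discussed above. This is an added example, not from the original post: run against the file shown on this page it reports only readOnlyPort; with readOnlyPort: 0 it reports nothing; anonymous authentication, AlwaysAllow authorization or a missing client CA are reported as well. It assumes the two-space indentation used in the file above; the probe function assumes curl on a host that can reach the node; the `--run` entry point and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kubelet-config.yml for
# settings that expose the kubelet API, and probe a running kubelet.
# Assumes the two-space indentation used in the file above; the checks cover
# readOnlyPort, anonymous authentication, authorization mode and the x509
# client CA.

audit_kubelet_config() {
    # audit_kubelet_config FILE: print one line per finding; the exit status is
    # the number of findings (0 means nothing to fix).
    awk '
        # Track the top-level and second-level YAML keys by indentation.
        /^[^ #]/   { top = $1; sub(":", "", top); second = "" }
        /^  [^ ]/  { second = $1; sub(":", "", second) }

        $1 == "readOnlyPort:" && $2 != "0" {
            print "readOnlyPort " $2 ": unauthenticated HTTP API (/pods, /spec, /metrics) is enabled; set readOnlyPort: 0"; n++
        }
        top == "authentication" && second == "anonymous" && $1 == "enabled:" && $2 == "true" {
            print "authentication.anonymous.enabled: true lets unauthenticated callers reach the kubelet; set it to false"; n++
        }
        top == "authentication" && second == "x509" && $1 == "clientCAFile:" && $2 != "" { ca = 1 }
        top == "authorization" && $1 == "mode:" && $2 == "AlwaysAllow" {
            print "authorization.mode: AlwaysAllow skips SubjectAccessReview; use Webhook"; n++
        }
        END {
            if (!ca) { print "authentication.x509.clientCAFile is missing: client certificates cannot be verified"; n++ }
            exit n
        }
    ' "$1"
}

probe_kubelet() {
    # probe_kubelet HOST: live check against a node (needs network access).
    # Expect the read-only port to refuse connections and the secure port to
    # answer 401 to an unauthenticated request once anonymous auth is off.
    host=$1
    ro=$(curl -s -o /dev/null -w '%{http_code}' "http://$host:10255/pods") || ro=refused
    sec=$(curl -sk -o /dev/null -w '%{http_code}' "https://$host:10250/pods") || sec=refused
    echo "$host read-only port: $ro (want refused), secure port: $sec (want 401)"
}

if [ "${1:-}" = "--run" ]; then
    # Usage: sh kubelet-audit.sh --run /opt/etcd/cfg/kubelet-config.yml [NODE_HOST]
    audit_kubelet_config "$2"
    [ -n "${3:-}" ] && probe_kubelet "$3"
fi
```

The audit only reads the file; the probe talks to the node, so run it from the Master or another host that can reach port 10250.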

5. Unit file, placed in /usr/lib/systemd/system

[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/etcd/cfg/kubelet.conf
ExecStart=/opt/etcd/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

 

III. Deploy kube-proxy on the node: the three files in detail:

1. kube-proxy.conf

KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/etcd/logs \
--config=/opt/etcd/cfg/kube-proxy-config.yml"

Explanation:

KUBE_PROXY_OPTS=   environment variable the systemd unit passes to kube-proxy; --logtostderr=false writes logs to files instead of stderr
--v=2              log verbosity level
--log-dir=         log directory
--config=          path to the YAML configuration file (kube-proxy-config.yml)

2. kube-proxy.kubeconfig

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/etcd/ssl/kubernetes/ca.pem
    server: https://192.168.3.63:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    client-certificate: /opt/etcd/ssl/kubernetes/kube-proxy.pem
    client-key: /opt/etcd/ssl/kubernetes/kube-proxy-key.pem

Explanation:

clusters / certificate-authority   CA certificate used to verify the apiserver
clusters / server                  address of the Master (apiserver)
users / kube-proxy                 kube-proxy authenticates with a client certificate instead of a token; the identity the apiserver sees is the certificate's subject
client-certificate                 kube-proxy's certificate
client-key                         kube-proxy's private key; keep it readable by root only

The certificate paths must point at the directory the files were actually copied to in step 0.

3. kube-proxy-config.yml

kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/etcd/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node1
clusterCIDR: 10.0.0.0/24
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true

Explanation:

kind: KubeProxyConfiguration                   object type
apiVersion: kubeproxy.config.k8s.io/v1alpha1   API version (the field for the listen address in this version is bindAddress)
bindAddress: 0.0.0.0                           address kube-proxy binds to (all interfaces)
metricsBindAddress: 0.0.0.0:10249              address and port on which metrics are exposed; 0.0.0.0 makes them reachable from the network, use 127.0.0.1:10249 unless a remote scraper needs them
clientConnection.kubeconfig                    kubeconfig used to reach the apiserver
hostnameOverride: k8s-node1                    node name reported to the Master; must match the name the kubelet registered with
clusterCIDR: 10.0.0.0/24                       Pod network CIDR (the value given to kube-controller-manager's --cluster-cidr); kube-proxy uses it to decide which traffic needs SNAT, although with masqueradeAll: true all Service traffic is masqueraded anyway
mode: ipvs                                     proxy mode; requires the ip_vs, ip_vs_rr, ip_vs_wrr, ip_vs_sh and nf_conntrack kernel modules (check with lsmod), otherwise kube-proxy falls back to iptables
ipvs.scheduler: "rr"                           IPVS scheduling algorithm (round robin)
iptables.masqueradeAll: true                   SNAT all traffic sent through Service IPs

4. Unit file, placed in /usr/lib/systemd/system

[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=/opt/etcd/cfg/kube-proxy.conf
ExecStart=/opt/etcd/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

 

IV. Finishing the node deployment

1. Verify from the Master that the nodes have registered

[root@k8s-master system]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-kDsA-Pi7xxHdvAay1pEVlLT3SO6ttNjkALJI4n8PaLo   50m     kubelet-bootstrap   Pending
node-csr-p3jrJROmC_msLl_23rfa6cwRQlJuzdFLhQkKQEATHcE   21s     kubelet-bootstrap   Pending
node-csr-vNjMX4y25tdnaw5KRsfb8Nlp6YPDkQXcZpNXCs_cXyE   2m24s   kubelet-bootstrap   Pending

Note: each Pending CSR was submitted by a kubelet authenticating with the token in its bootstrap.kubeconfig (REQUESTOR kubelet-bootstrap); approving it is what issues the node its client certificate, which then identifies the node to the apiserver. kube-proxy does not go through this flow, since kube-proxy.kubeconfig already carries a certificate. Before approving, confirm that every pending request comes from a node you actually provisioned.

2. Approve the certificate requests for the nodes:

[root@k8s-master system]# kubectl  certificate approve node-csr-kDsA-Pi7xxHdvAay1pEVlLT3SO6ttNjkALJI4n8PaLo
certificatesigningrequest.certificates.k8s.io/node-csr-kDsA-Pi7xxHdvAay1pEVlLT3SO6ttNjkALJI4n8PaLo approved
[root@k8s-master system]# kubectl  certificate approve node-csr-p3jrJROmC_msLl_23rfa6cwRQlJuzdFLhQkKQEATHcE
certificatesigningrequest.certificates.k8s.io/node-csr-p3jrJROmC_msLl_23rfa6cwRQlJuzdFLhQkKQEATHcE approved
[root@k8s-master system]# kubectl  certificate approve node-csr-vNjMX4y25tdnaw5KRsfb8Nlp6YPDkQXcZpNXCs_cXyE
certificatesigningrequest.certificates.k8s.io/node-csr-vNjMX4y25tdnaw5KRsfb8Nlp6YPDkQXcZpNXCs_cXyE approved
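Rather than approving every node-csr-* as above, decode each pending request and approve it only if it was submitted by kubelet-bootstrap and asks for a node identity (CN=system:node:<hostname>, O=system:nodes) for a host you provisioned. This is an added example, not part of the original post: it assumes kubectl, openssl and base64 on the Master, and the optional hostname allow-list, the `--run` entry point and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): approve only the pending CSRs
# that the kubelet bootstrap flow is expected to produce, instead of approving
# every node-csr-* blindly. A kubelet bootstrapping with bootstrap.kubeconfig
# submits a CSR as user kubelet-bootstrap with subject
# CN=system:node:<hostname>, O=system:nodes. Assumes kubectl and openssl on
# the Master and a kubeconfig allowed to approve CSRs.

csr_policy_ok() {
    # csr_policy_ok REQUESTOR SUBJECT [ALLOWED_NODES]
    # SUBJECT is the output of `openssl req -noout -subject`, in either the
    # "subject=/CN=.../O=..." or the "subject=CN = ..., O = ..." layout.
    # ALLOWED_NODES is an optional space-separated list of hostnames that
    # were actually provisioned; when given, the CN must name one of them.
    requestor=$1; subject=$2; allowed=${3:-}
    [ "$requestor" = "kubelet-bootstrap" ] || return 1
    printf '%s\n' "$subject" | grep -Eq '(^|[=/, ])CN *= *system:node:[A-Za-z0-9.-]+' || return 1
    printf '%s\n' "$subject" | grep -Eq '(^|[=/, ])O *= *system:nodes($|[/,])' || return 1
    if [ -n "$allowed" ]; then
        node=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *system:node:\([A-Za-z0-9.-]*\).*/\1/p')
        case " $allowed " in
            *" $node "*) ;;
            *) return 1 ;;
        esac
    fi
    return 0
}

approve_pending_node_csrs() {
    # approve_pending_node_csrs [ALLOWED_NODES]: decode each pending CSR,
    # check it against the policy above and approve only those that pass.
    allowed=${1:-}
    kubectl get csr --no-headers \
        -o custom-columns=NAME:.metadata.name,USER:.spec.username,COND:.status.conditions[*].type |
    awk '$3 == "<none>" { print $1, $2 }' |
    while read -r name requestor; do
        subject=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject)
        if csr_policy_ok "$requestor" "$subject" "$allowed"; then
            kubectl certificate approve "$name"
        else
            echo "NOT approving $name: requestor=$requestor $subject" >&2
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    # Usage on the Master: sh approve-node-csrs.sh --run "k8s-node1 k8s-node2 k8s-node3"
    approve_pending_node_csrs "${2:-}"
fi
```

Pass the list of hostnames you just set up as the allow-list; a request for any other node name, or one carrying a group other than system:nodes, is left Pending and printed for review.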

3. Check that the nodes have joined

[root@k8s-master system]# kubectl get node
NAME        STATUS     ROLES    AGE   VERSION
k8s-node1   NotReady   <none>   32s   v1.17.3
k8s-node2   NotReady   <none>   5s    v1.17.3
k8s-node3   NotReady   <none>   16s   v1.17.3

The nodes are registered but show NotReady because no CNI network plugin has been installed yet (the kubelet runs with --network-plugin=cni); they become Ready once the network plugin is deployed.
