Kubernetes部署（七）：Node节点部署

部署kubelet

1.二进制包准备
将软件包从复制到所有node中去。

[[email?protected] ~]# cd /usr/local/src/kubernetes/server/bin/
[[email?protected] bin]# for n in `seq 204 206`;do scp kubelet 10.31.90.$n:/data/kubernetes/bin/ ;done
[[email?protected] bin]# for n in `seq 201 206`;do scp  kube-proxy 10.31.90.$n:/data/kubernetes/bin/ ;done

2.创建角色绑定

[[email?protected] ~]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

3.创建 kubelet bootstrapping kubeconfig 文件
设置集群参数

[[email?protected] ~]# kubectl config set-cluster kubernetes    --certificate-authority=/data/kubernetes/ssl/ca.pem    --embed-certs=true    --server=https://10.31.90.200:6443    --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.

设置客户端认证参数,token要使用之前那个

[[email?protected] ~]# kubectl config set-credentials kubelet-bootstrap    --token=cf25becebf64e3fffd7f3890a60ac16d    --kubeconfig=bootstrap.kubeconfig   
User "kubelet-bootstrap" set.

设置上下文参数

[[email?protected] ~]# kubectl config set-context default    --cluster=kubernetes    --user=kubelet-bootstrap    --kubeconfig=bootstrap.kubeconfig
Context "default" created.

选择默认上下文

[[email?protected] ~]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".
#拷贝到3个node节点
for n in `seq 204 206`;do scp bootstrap.kubeconfig 10.31.90.$n:/data/kubernetes/cfg/;done

部署kubelet(node节点)

1. 设置CNI支持(所有节点)

   [[email?protected] ~]# mkdir -p /etc/cni/net.d
   [[email?protected] ~]# cat >>/etc/cni/net.d/10-default.conf<<EOF
   {
       "name": "flannel","type": "flannel","delegate": {
           "bridge": "docker0","isDefaultGateway": true,"mtu": 1400
       }
   }
   EOF

2.创建kubelet目录

[[email?protected] ~]# mkdir /var/lib/kubelet

3.创建kubelet服务配置

[[email?protected] ~]# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/data/kubernetes/bin/kubelet   --address=10.31.90.204   --hostname-override=10.31.90.204   --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0   --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig   --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig   --cert-dir=/opt/kubernetes/ssl   --network-plugin=cni   --cni-conf-dir=/etc/cni/net.d   --cni-bin-dir=/opt/kubernetes/bin/cni   --cluster-dns=10.1.0.2   --cluster-domain=cluster.local.   --hairpin-mode hairpin-veth   --allow-privileged=true   --fail-swap-on=false   --logtostderr=true   --v=2   --logtostderr=false   --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

4.启动Kubelet

[[email?protected] ~]# systemctl daemon-reload
[[email?protected] ~]# systemctl enable kubelet
[[email?protected] ~]# systemctl start kubelet

5.查看服务状态

[[email?protected] kubernetes]# systemctl status kubelet

6.查看csr请求
注意是在linux-node1上执行。

[[email?protected] ssl]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-NqH7J1OuDM_jGtQM_VuABiBcAqgDlT_MfJiVS_qWCbg   1m        kubelet-bootstrap   Pending
node-csr-jy10bYvow5hYQ2sKWfCuBlUNIPit54dhQfzRUd5E6dc   4m        kubelet-bootstrap   Pending
node-csr-zPPE5g4d1PtbKo-lQWNNC0bbngttC2bdZtwqBBvjrVM   1m        kubelet-bootstrap   Pending

7.批准kubelet 的 TLS 证书请求

[[email?protected] ~]# kubectl get csr|grep ‘Pending‘ | awk ‘NR>0{print $1}‘| xargs kubectl certificate approve

执行完毕后，查看节点状态已经是Ready的状态了

[[email?protected] ~]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-NqH7J1OuDM_jGtQM_VuABiBcAqgDlT_MfJiVS_qWCbg   1m        kubelet-bootstrap   Approved,Issued
node-csr-jy10bYvow5hYQ2sKWfCuBlUNIPit54dhQfzRUd5E6dc   5m        kubelet-bootstrap   Approved,Issued
node-csr-zPPE5g4d1PtbKo-lQWNNC0bbngttC2bdZtwqBBvjrVM   2m        kubelet-bootstrap   Approved,Issued

部署Kubernetes Proxy

kube-proxy master和node节点都安装
1.配置kube-proxy使用LVS

[[email?protected] ~]# yum install -y ipvsadm ipset conntrack

2.创建 kube-proxy 证书请求

[[email?protected] ssl]# cd /usr/local/src/ssl/
[[email?protected] ssl]# vim kube-proxy-csr.json
{
  "CN": "system:kube-proxy","hosts": [],"key": {
    "algo": "rsa","size": 2048
  },"names": [
    {
      "C": "CN","ST": "BeiJing","L": "BeiJing","O": "k8s","OU": "System"
    }
  ]
}

3.生成证书

[[email?protected] ssl]# cfssl gencert -ca=/data/kubernetes/ssl/ca.pem    -ca-key=/data/kubernetes/ssl/ca-key.pem    -config=/data/kubernetes/ssl/ca-config.json    -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

4.分发证书到所有node节点

[[email?protected] ssl]# for n in `seq 201 206`;do scp kube-proxy*.pem [email?protected]$n:/data/kubernetes/ssl;done

5.创建kube-proxy配置文件

[[email?protected] ~]# kubectl config set-cluster kubernetes    --certificate-authority=/data/kubernetes/ssl/ca.pem    --embed-certs=true    --server=https://10.31.90.200:6443    --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.

[[email?protected] ~]# kubectl config set-credentials kube-proxy    --client-certificate=/data/kubernetes/ssl/kube-proxy.pem    --client-key=/data/kubernetes/ssl/kube-proxy-key.pem    --embed-certs=true    --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.

[[email?protected] ~]# kubectl config set-context default    --cluster=kubernetes    --user=kube-proxy    --kubeconfig=kube-proxy.kubeconfig
Context "default" created.

[[email?protected] ~]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

6.分发kubeconfig配置文件

[[email?protected] ssl]# for n in `seq 201 206 `;do scp kube-proxy.kubeconfig 10.31.90.$n:/data/kubernetes/cfg/;done

7.创建kube-proxy服务配置

[[email?protected] ~]# mkdir /var/lib/kube-proxy

[[email?protected] ~]# vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/data/kubernetes/bin/kube-proxy   --bind-address=10.31.90.204   --hostname-override=10.31.90.204   --kubeconfig=/data/kubernetes/cfg/kube-proxy.kubeconfig   --masquerade-all   --feature-gates=SupportIPVSProxyMode=true   --proxy-mode=ipvs   --ipvs-min-sync-period=5s   --ipvs-sync-period=5s   --ipvs-scheduler=rr   --logtostderr=true   --v=2   --logtostderr=false   --log-dir=/data/kubernetes/log

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

8.启动Kubernetes Proxy
[[email?protected] ~]# systemctl daemon-reload
[[email?protected] ~]# systemctl enable kube-proxy
[[email?protected] ~]# systemctl start kube-proxy

9.查看服务状态
查看kube-proxy服务状态

[[email?protected] scripts]# systemctl status kube-proxy

检查LVS状态
[[email?protected] ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr
  -> 10.31.90.201:6443            Masq    1      0          0

如果都安装了kubelet和proxy服务，使用下面的命令可以检查状态：

[[email?protected] ~]# kubectl get node
NAME           STATUS    ROLES     AGE       VERSION
10.31.90.204   Ready     <none>    40m       v1.11.5
10.31.90.205   Ready     <none>    40m       v1.11.5
10.31.90.206   Ready     <none>    40m       v1.11.5

node-05,node-06节点请自行部署。
后续会陆续更新所有的安装文档，如果你觉得我写的不错，希望大家多多关注点赞，非常感谢！