3-2 Deploying kube-proxy
2.1 Cluster plan
| Hostname | Role | IP address |
|---|---|---|
| pg60-31.k8s.host.com | kube-proxy | 10.20.60.31 |
| pg60-32.k8s.host.com | kube-proxy | 10.20.60.32 |
| pg60-33.k8s.host.com | kube-proxy | 10.20.60.33 |
2.2 Issue the kube-proxy certificate
Run on the pg60-200.k8s.host.com VM instance. The CN must be exactly system:kube-proxy: the built-in ClusterRoleBinding system:node-proxier grants the system:node-proxier ClusterRole to that user, which is what lets kube-proxy list and watch Services and Endpoints. The O field becomes the group name and is not used by that binding.
shell> cat > /root/certs/kube-proxy-csr.json << EOF
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "91donkey",
            "OU": "ops"
        }
    ]
}
EOF
2.3 Generate the kube-proxy certificate and private key
shell> cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json | cfssl-json -bare kube-proxy-client
2020/05/15 14:18:47 [INFO] generate received request
2020/05/15 14:18:47 [INFO] received CSR
2020/05/15 14:18:47 [INFO] generating key: rsa-2048
2020/05/15 14:18:47 [INFO] encoded CSR
2020/05/15 14:18:47 [INFO] signed certificate with serial number 190461294488270208078365053921752069419692185569
2020/05/15 14:18:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2.4 Check the generated certificate and private key
cfssl-json -bare kube-proxy-client writes kube-proxy-client.pem, kube-proxy-client-key.pem and kube-proxy-client.csr into the current directory. Before going further, confirm that all three exist and that the certificate's Subject CN is system:kube-proxy (cfssl-certinfo prints the subject); a certificate issued with any other CN still authenticates but is then denied by RBAC. The "hosts" warning above is expected: this is a client certificate and needs no SANs.
2.5 Copy the certificate to each worker node and create the configuration
Run on the pg60-21.k8s.host.com VM instance.
- Copy the certificate and private key into /etc/kubernetes/pki/ (the private key file must be mode 600). Because the kubeconfig below is built with --embed-certs=true, all three PEM files end up inside kube-proxy.kubeconfig, so the nodes only need that one file, and it has to be protected like the key itself.
- Create the kubeconfig file
shell> cat > kube-proxy.sh << "EOF"
#!/bin/bash -
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.20.60.10:6443 \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
    --client-certificate=/etc/kubernetes/pki/kube-proxy-client.pem \
    --client-key=/etc/kubernetes/pki/kube-proxy-client-key.pem \
    --embed-certs=true \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
    --cluster=kubernetes \
    --user=kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
EOF
- Distribute, with ${node_ip} set to 10.20.60.31, 10.20.60.32 and 10.20.60.33 in turn, and set mode 600 on the node because the file embeds the private key:
shell> scp kube-proxy.kubeconfig root@${node_ip}:/etc/kubernetes/ && ssh root@${node_ip} chmod 600 /etc/kubernetes/kube-proxy.kubeconfig
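What --embed-certs=true puts into kube-proxy.kubeconfig, and why that file needs the same protection as the key: an added example (not from this page or the Kubernetes project) that writes an equivalent kubeconfig by hand, decodes the key back out of it, and installs it with mode 0600. File paths are parameters; the PEM contents used in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds by hand the kind of
# kubeconfig that the four "kubectl config ... --embed-certs=true" commands
# above produce, so you can see that the file carries the client PRIVATE KEY
# inline, then installs it with mode 0600 and checks it.

# b64file FILE: one-line base64 of FILE, the encoding used by the *-data fields.
b64file() { base64 < "$1" | tr -d '\n'; }

# write_kubeconfig CA_PEM CLIENT_PEM CLIENT_KEY_PEM SERVER_URL OUT
write_kubeconfig() {
  ca=$1; cert=$2; key=$3; server=$4; out=$5
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $(b64file "$ca")
    server: $server
users:
- name: kube-proxy
  user:
    client-certificate-data: $(b64file "$cert")
    client-key-data: $(b64file "$key")
contexts:
- name: default
  context:
    cluster: kubernetes
    user: kube-proxy
current-context: default
EOF
}

# embedded_key KUBECONFIG: decode client-key-data back to PEM. Anyone who can
# read the kubeconfig has the key, which is why the file must be 0600.
embedded_key() { sed -n 's/^ *client-key-data: *//p' "$1" | base64 -d; }

# install_secret SRC DEST: copy with mode 0600 regardless of umask.
install_secret() { install -m 0600 "$1" "$2"; }

# file_mode FILE: permission bits in octal (GNU stat, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# kubeconfig_ok KUBECONFIG: 0 only if the file embeds a client key AND is 0600.
kubeconfig_ok() {
  grep -q '^ *client-key-data: ' "$1" && [ "$(file_mode "$1")" = "600" ]
}

# Demo on throwaway files (constructed placeholders, not real certificates).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CA' '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'DEMO-CLIENT' '-----END CERTIFICATE-----' > "$demo_dir/kube-proxy-client.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'DEMO-KEY' '-----END RSA PRIVATE KEY-----' > "$demo_dir/kube-proxy-client-key.pem"
write_kubeconfig "$demo_dir/ca.pem" "$demo_dir/kube-proxy-client.pem" \
  "$demo_dir/kube-proxy-client-key.pem" https://10.20.60.10:6443 "$demo_dir/kube-proxy.kubeconfig.tmp"
install_secret "$demo_dir/kube-proxy.kubeconfig.tmp" "$demo_dir/kube-proxy.kubeconfig"
kubeconfig_ok "$demo_dir/kube-proxy.kubeconfig" \
  && echo "kube-proxy.kubeconfig: key embedded, mode $(file_mode "$demo_dir/kube-proxy.kubeconfig")"
```

On a node, run kubeconfig_ok against /etc/kubernetes/kube-proxy.kubeconfig after distributing it; embedded_key shows what an attacker with read access to the file gets.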
2.6 Create the kube-proxy configuration file
shell> cat > kube-proxy-config.yaml.template << "EOF"
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  burst: 200
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
  qps: 100
bindAddress: 10.20.60.31
healthzBindAddress: 10.20.60.31:10256
metricsBindAddress: 10.20.60.31:10249
enableProfiling: true
clusterCIDR: 172.60.0.0/16
hostnameOverride: pg60-31
mode: "ipvs"
portRange: ""
iptables:
  masqueradeAll: false
ipvs:
  scheduler: rr
  excludeCIDRs: []
EOF
shell> scp kube-proxy-config.yaml.template root@${node_ip}:/etc/kubernetes/kube-proxy-config.yaml
Edit the per-node values before copying: bindAddress, healthzBindAddress and metricsBindAddress are the node's own IP, and hostnameOverride must match the name the kubelet registered for that node. Two settings deserve a second look. enableProfiling: true serves /debug/pprof on the metrics listener, and metricsBindAddress on the node IP makes that listener (and the unauthenticated /metrics endpoint) reachable from the whole network; set enableProfiling to false and bind metrics to 127.0.0.1:10249 unless port 10249 is firewalled. healthzBindAddress (port 10256) should stay reachable, because load balancers probe it.
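An added example, not from this page: a plain-shell audit of the template above for the two exposure settings just mentioned, plus a function that writes a hardened copy with the weak values replaced. It assumes the flat "key: value" layout of this template (no YAML parser); the config used in the demo is constructed from the template's own values.

```shell
#!/bin/sh
# Added example, not part of the original page. Flags enableProfiling: true and
# a non-loopback metricsBindAddress in a KubeProxyConfiguration and writes a
# hardened copy. Only understands top-level "key: value" lines.

# yaml_value FILE KEY: value of the top-level "KEY: value" line, quotes removed.
yaml_value() { sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -d '"'; }

# audit_kube_proxy_config FILE: print one finding per line; return 1 if any.
audit_kube_proxy_config() {
  f=$1; findings=0
  # /debug/pprof is served on the metrics listener when enableProfiling is true
  if [ "$(yaml_value "$f" enableProfiling)" = "true" ]; then
    echo "enableProfiling: true serves /debug/pprof on the metrics port; set it to false"
    findings=1
  fi
  # metrics (and pprof) are unauthenticated; keep them off the network
  m=$(yaml_value "$f" metricsBindAddress)
  case "$m" in
    ""|127.0.0.1:*|localhost:*|"[::1]:"*) ;;   # empty means the default 127.0.0.1:10249
    *) echo "metricsBindAddress $m listens on a non-loopback address; use 127.0.0.1:10249 or firewall it"
       findings=1 ;;
  esac
  return $findings
}

# harden_kube_proxy_config IN OUT: same config with profiling off and metrics on
# loopback (port kept). healthzBindAddress is left alone: load balancers and
# externalTrafficPolicy=Local health checks need to reach port 10256.
harden_kube_proxy_config() {
  sed -e 's/^enableProfiling:.*/enableProfiling: false/' \
      -e 's/^metricsBindAddress:.*:\([0-9][0-9]*\)$/metricsBindAddress: 127.0.0.1:\1/' \
      "$1" > "$2"
}

# Demo on a constructed copy of the template's relevant lines.
demo=$(mktemp)
cat > "$demo" <<'EOF'
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 10.20.60.31
healthzBindAddress: 10.20.60.31:10256
metricsBindAddress: 10.20.60.31:10249
enableProfiling: true
mode: "ipvs"
EOF
audit_kube_proxy_config "$demo" || harden_kube_proxy_config "$demo" "$demo.hardened"
```

Run audit_kube_proxy_config against /etc/kubernetes/kube-proxy-config.yaml on each node; it exits non-zero when either finding applies, so it can sit in a deployment check.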
2.7 Create the kube-proxy systemd unit
shell> cat > kube-proxy.service.template << "EOF"
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
ExecStart=/opt/kubernetes/server/bin/kube-proxy \
    --config=/etc/kubernetes/kube-proxy-config.yaml \
    --cluster-cidr=172.60.0.0/16 \
    --logtostderr=true \
    --v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
shell> scp kube-proxy.service.template root@${node_ip}:/etc/systemd/system/kube-proxy.service
Note: the unit is identical on every node; everything node-specific lives in kube-proxy-config.yaml. When --config is given, kube-proxy takes clusterCIDR from the file, so the --cluster-cidr flag only duplicates it and must agree with it.
2.8 Start the kube-proxy service
The IPVS proxier needs the ipset binary and the ip_vs kernel modules; ipvsadm is only used to inspect the rules in 2.9. modprobe resolves dependencies, so ip_vs_rr pulls in ip_vs and nf_conntrack. If the modules cannot be loaded, kube-proxy does not fail: it logs the error and falls back to the iptables proxier, so check the modules and the journal before trusting mode: ipvs. A modprobe at the shell is not persistent; list the modules in /etc/modules-load.d/ so they load at boot.
shell> yum install ipvsadm ipset -y
shell> modprobe ip_vs_rr
shell> systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy
2.9 Check the result
- Listening ports: kube-proxy should be listening on the addresses set in the config, 10.20.60.31:10249 (metrics) and 10.20.60.31:10256 (healthz); ss -lntp shows them with the kube-proxy process name. If a port is missing, journalctl -u kube-proxy tells you why.
- IPVS rules: ipvsadm -Ln lists one virtual server per Service ClusterIP and port, each followed by its "->" real servers. The journal should not contain "Can't use the IPVS proxier", which signals the fallback to iptables.
For the kubernetes Service in the default namespace, the virtual server on its ClusterIP port 443 has the kube-apiserver nodes on port 6443 as real servers: every https request to the Service is forwarded to port 6443 on a kube-apiserver node.
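An added example, not from this page or the Kubernetes project, covering both the pre-start module check of 2.8 and the rule check of 2.9. The functions take file paths so they can be run on captured output (on a node you pass /proc/modules and the output of ipvsadm -Ln); the Service VIP 10.60.0.1 and the apiserver addresses in the sample are assumptions, not values from this deployment.

```shell
#!/bin/sh
# Added example, not part of the original page. Checks that the IPVS proxier
# can actually be used (modules) and that the kubernetes Service is wired to
# the apiservers on :6443 in "ipvsadm -Ln" output. Sample data is constructed.

# Modules the IPVS proxier requires (kernels before 4.19 name the last one
# nf_conntrack_ipv4). kube-proxy modprobes these itself on start, but if they
# still cannot be loaded it logs the error and uses the iptables proxier.
IPVS_MODULES="ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack"

# missing_ipvs_modules PROC_MODULES: print each required module not listed in
# the first column of /proc/modules. Built-in (non-module) code does not show
# up there, so an empty result is proof only on kernels that build these as modules.
missing_ipvs_modules() {
  for m in $IPVS_MODULES; do
    awk -v m="$m" '$1 == m { found = 1 } END { exit (found ? 0 : 1) }' "$1" || echo "$m"
  done
}

# write_modules_load_conf DIR: persist the list for systemd-modules-load;
# on a node DIR is /etc/modules-load.d.
write_modules_load_conf() {
  for m in $IPVS_MODULES; do echo "$m"; done > "$1/ipvs.conf"
}

# ipvs_real_servers IPVSADM_OUTPUT VIP:PORT: the real servers (addr:port)
# listed under that virtual server in "ipvsadm -Ln" output.
ipvs_real_servers() {
  awk -v vip="$2" '
    $1 == "TCP" || $1 == "UDP" { cur = $2; next }
    $1 == "->" && cur == vip   { print $2 }
  ' "$1"
}

# kubernetes_svc_ok IPVSADM_OUTPUT CLUSTER_IP: 0 iff the kubernetes Service
# (CLUSTER_IP:443) has at least one real server and all of them are on :6443.
kubernetes_svc_ok() {
  rs=$(ipvs_real_servers "$1" "$2:443")
  [ -n "$rs" ] && ! printf '%s\n' "$rs" | grep -qv ':6443$'
}

# Demo on constructed /proc/modules and ipvsadm -Ln captures (VIP and
# apiserver IPs are assumptions, not values from this page).
d=$(mktemp -d)
printf '%s\n' 'ip_vs_rr 16384 1 - Live 0x0' 'ip_vs 155648 3 ip_vs_rr, Live 0x0' \
  'nf_conntrack 139264 2 ip_vs, Live 0x0' > "$d/modules"
echo "missing modules: $(missing_ipvs_modules "$d/modules" | tr '\n' ' ')"
cat > "$d/ipvsadm.txt" <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.60.0.1:443 rr
  -> 10.20.60.21:6443             Masq    1      0          0
  -> 10.20.60.22:6443             Masq    1      0          0
EOF
kubernetes_svc_ok "$d/ipvsadm.txt" 10.60.0.1 && echo "kubernetes svc -> apiserver:6443 ok"
```

On a node: `missing_ipvs_modules /proc/modules` before the restart, `write_modules_load_conf /etc/modules-load.d` to make the modules survive a reboot, and `ipvsadm -Ln > /tmp/ipvs.txt; kubernetes_svc_ok /tmp/ipvs.txt <cluster-ip>` after it, with the ClusterIP taken from kubectl get svc kubernetes.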
