3-2 Deploying kube-proxy
2.1 Cluster plan

| Hostname | Role | IP address |
|---|---|---|
| pg60-31.k8s.host.com | kube-proxy | 10.20.60.31 |
| pg60-32.k8s.host.com | kube-proxy | 10.20.60.32 |
| pg60-33.k8s.host.com | kube-proxy | 10.20.60.33 |
2.2 Sign the kube-proxy certificate

Run the following on the pg60-200.k8s.host.com VM instance.

```shell
shell> cat > /root/certs/kube-proxy-csr.json << EOF
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "91donkey",
            "OU": "ops"
        }
    ]
}
EOF
```
2.3 Generate the kube-proxy certificate and private key

```shell
shell> cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json | cfssl-json -bare kube-proxy-client
2020/05/15 14:18:47 [INFO] generate received request
2020/05/15 14:18:47 [INFO] received CSR
2020/05/15 14:18:47 [INFO] generating key: rsa-2048
2020/05/15 14:18:47 [INFO] encoded CSR
2020/05/15 14:18:47 [INFO] signed certificate with serial number 190461294488270208078365053921752069419692185569
2020/05/15 14:18:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
```

The warning is expected: this is a client certificate (profile `client`), so it has no `hosts` field and is never presented as a server certificate.
2.4 Check the generated certificate and private key
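The post does not show how the certificate is checked, so here is an added example (not from the original post) of the checks worth running before the files leave the CA host: the CN must be exactly `system:kube-proxy` (kube-apiserver uses the CN as the username that the built-in `system:node-proxier` RBAC binding expects), the certificate must chain to the cluster CA, the private key must belong to the certificate, and the EKU must be `clientAuth`. It assumes OpenSSL is installed and that the PEM files are passed as paths (`ca.pem kube-proxy-client.pem kube-proxy-client-key.pem` from the steps above).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: sanity checks for the kube-proxy
# client certificate cfssl just produced, before it is copied to the nodes.
# Assumes OpenSSL is installed; all arguments are paths to PEM files.

# Print the certificate subject on one line in RFC 2253 form,
# e.g. CN=system:kube-proxy,OU=ops,O=91donkey,L=BeiJing,ST=BeiJing,C=CN
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Return 0 when the CN is exactly the expected identity. kube-apiserver uses
# the CN as the username, so a typo here silently breaks RBAC for the proxy.
check_cn() {
  local cert="$1" want="${2:-system:kube-proxy}" cn
  cn=$(cert_subject "$cert" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$want" ]
}

# Return 0 when the certificate chains to the cluster CA.
check_chain() {
  local ca="$1" cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Return 0 when the private key belongs to the certificate: the SHA-256 of
# the DER public key extracted from each must be identical.
check_key_match() {
  local cert="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the cert carries the clientAuth EKU, i.e. it really was
# signed with the "client" profile and not a server profile.
check_client_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# Run every check; exit status 0 means the pair is ready to distribute.
check_kube_proxy_cert() {
  local ca="$1" cert="$2" key="$3"
  check_cn "$cert" && check_chain "$ca" "$cert" &&
  check_key_match "$cert" "$key" && check_client_auth "$cert"
}
```

Usage on the CA host: `check_kube_proxy_cert ca.pem kube-proxy-client.pem kube-proxy-client-key.pem && echo OK`. A non-zero exit status from `check_cn` is the one to look at first, since cfssl will happily sign whatever CN the CSR JSON contains.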
2.5 Copy the certificate to each worker node and create the kubeconfig

Run the following on the pg60-21.k8s.host.com VM instance.

```shell
shell> cat > kubelet-proxy.sh << "EOF"
#!/bin/bash -
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.20.60.10:6443 \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
    --client-certificate=/etc/kubernetes/pki/kube-proxy-client.pem \
    --client-key=/etc/kubernetes/pki/kube-proxy-client-key.pem \
    --embed-certs=true \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
    --cluster=kubernetes \
    --user=kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
EOF
```

- Distribute

```shell
shell> scp kube-proxy.kubeconfig root@${node_ip}:/etc/kubernetes/
```
2.6 Create the kube-proxy configuration file

```shell
shell> cat > kube-proxy-config.yaml.template << "EOF"
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  burst: 200
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
  qps: 100
bindAddress: 10.20.60.31
healthzBindAddress: 10.20.60.31:10256
metricsBindAddress: 10.20.60.31:10249
enableProfiling: true
clusterCIDR: 172.60.0.0/16
hostnameOverride: pg60-31
mode: "ipvs"
portRange: ""
iptables:
  masqueradeAll: false
ipvs:
  scheduler: rr
  excludeCIDRs: []
EOF
shell> scp kube-proxy-config.yaml.template root@${node_ip}:/etc/kubernetes/kube-proxy-config.yaml
```

Note: adjust the host-specific values (`bindAddress`, `healthzBindAddress`, `metricsBindAddress`, `hostnameOverride`) for each server. The destination path must match the `--config=` path used in the systemd unit below.
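Editing the template by hand for each of the three nodes invites the classic mistake of one node announcing another node's address. The following is an added example (not part of the original post) that renders the shared template for each node in the cluster plan by rewriting only the four host-specific keys, then verifies the result before it is copied out. The template content is a constructed copy of the one above; the node IPs and names come from the cluster plan in section 2.1.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render kube-proxy-config.yaml
# per node from the shared template and verify it before distribution.
# Node IPs/names are the post's cluster plan; the template is a constructed
# copy of the post's kube-proxy-config.yaml.template.

# Write a copy of the post's template to PATH (constructed sample input).
write_sample_template() {
  cat > "$1" <<'EOF'
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  burst: 200
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
  qps: 100
bindAddress: 10.20.60.31
healthzBindAddress: 10.20.60.31:10256
metricsBindAddress: 10.20.60.31:10249
enableProfiling: true
clusterCIDR: 172.60.0.0/16
hostnameOverride: pg60-31
mode: "ipvs"
portRange: ""
iptables:
  masqueradeAll: false
ipvs:
  scheduler: rr
  excludeCIDRs: []
EOF
}

# Rewrite only the per-node keys so each node listens on its own address.
# Usage: render_kube_proxy_config TEMPLATE NODE_IP NODE_NAME > out.yaml
render_kube_proxy_config() {
  local template="$1" ip="$2" name="$3"
  sed -E \
    -e "s/^(bindAddress:).*/\1 ${ip}/" \
    -e "s/^(healthzBindAddress:).*/\1 ${ip}:10256/" \
    -e "s/^(metricsBindAddress:).*/\1 ${ip}:10249/" \
    -e "s/^(hostnameOverride:).*/\1 ${name}/" \
    "$template"
}

# Return 0 when FILE is consistent for NODE_IP/NODE_NAME: all three listen
# addresses use the node IP, hostnameOverride matches, and mode is ipvs.
check_kube_proxy_config() {
  local file="$1" ip="$2" name="$3"
  grep -qx "bindAddress: ${ip}" "$file" &&
  grep -qx "healthzBindAddress: ${ip}:10256" "$file" &&
  grep -qx "metricsBindAddress: ${ip}:10249" "$file" &&
  grep -qx "hostnameOverride: ${name}" "$file" &&
  grep -qx 'mode: "ipvs"' "$file"
}

# Render and verify one file per node in the cluster plan, written to OUTDIR
# as kube-proxy-config-<node>.yaml. Returns non-zero on the first bad render.
render_all() {
  local template="$1" outdir="$2" entry ip name out
  for entry in 10.20.60.31:pg60-31 10.20.60.32:pg60-32 10.20.60.33:pg60-33; do
    ip="${entry%%:*}"; name="${entry##*:}"
    out="${outdir}/kube-proxy-config-${name}.yaml"
    render_kube_proxy_config "$template" "$ip" "$name" > "$out"
    check_kube_proxy_config "$out" "$ip" "$name" || return 1
  done
}
```

One caveat the template carries forward: with `enableProfiling: true` and `metricsBindAddress` on the node IP, the pprof and metrics endpoints on port 10249 are reachable from anything that can reach that address. If nothing scrapes them remotely, bind them to `127.0.0.1` or restrict the port at the host firewall.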
2.7 Create the kube-proxy systemd unit

```shell
shell> cat > kube-proxy.service.template << "EOF"
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/server/bin/kube-proxy \
    --config=/etc/kubernetes/kube-proxy-config.yaml \
    --cluster-cidr=172.60.0.0/16 \
    --logtostderr=true \
    --v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
shell> scp kube-proxy.service.template root@${node_ip}:/etc/systemd/system/kube-proxy.service
```

Note: the startup files differ slightly between the kube-proxy hosts; adjust them when deploying the other nodes.
2.8 Start the kube-proxy service

```shell
shell> yum install ipvsadm -y
shell> modprobe ip_vs_rr
shell> systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy
```
2.9 Check the result

The IPVS rules show that every HTTPS request to the `kubernetes` Service is forwarded to port 6443 on the kube-apiserver nodes.
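The post's `ipvsadm -Ln` output did not survive, so the check it describes is shown here as an added example (not from the original post): parse the listing, pick out the real servers behind the `kubernetes` Service VIP, and confirm that each one is an apiserver on port 6443. The sample output is constructed; the real Service IP depends on the apiserver's `--service-cluster-ip-range`, which the post does not show, so `10.60.0.1` and the `10.20.60.2x` apiserver addresses are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify from `ipvsadm -Ln`
# output that the kubernetes Service VIP only forwards to kube-apiserver:6443.
# SAMPLE_IPVSADM is constructed; 10.60.0.1 and the 10.20.60.2x backends are
# placeholders, since the post does not show the service CIDR or apiservers.

SAMPLE_IPVSADM='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.60.0.1:443 rr
  -> 10.20.60.21:6443             Masq    1      0          0
  -> 10.20.60.22:6443             Masq    1      0          0
  -> 10.20.60.23:6443             Masq    1      0          0
TCP  10.60.0.10:53 rr
  -> 172.60.1.2:53                Masq    1      0          0'

# Print the RemoteAddress:Port of every real server behind VIP.
# Reads `ipvsadm -Ln` output on stdin; VIP is given as ADDRESS:PORT.
backends_for_vip() {
  awk -v vip="$1" '
    $1 == "TCP" || $1 == "UDP" { inblock = ($2 == vip); next }
    inblock && $1 == "->"      { print $2 }
  '
}

# Return 0 when stdin lists at least one backend and every one uses PORT.
# An empty list is a failure: a VIP with no real servers blackholes traffic.
all_backends_on_port() {
  local port="$1" n=0 backend
  while read -r backend; do
    n=$((n + 1))
    [ "${backend##*:}" = "$port" ] || return 1
  done
  [ "$n" -gt 0 ]
}

# Combined check for live use:  ipvsadm -Ln | check_apiserver_vip 10.60.0.1:443
check_apiserver_vip() {
  backends_for_vip "$1" | all_backends_on_port "${2:-6443}"
}

# Same check run against the constructed sample; returns 0 when healthy.
check_sample() {
  printf '%s\n' "$SAMPLE_IPVSADM" | check_apiserver_vip 10.60.0.1:443
}
```

Run it on a node after `systemctl restart kube-proxy`; a non-zero exit means either the Service has no backends yet (kube-proxy not synced, or it cannot reach the apiserver with its kubeconfig) or a backend is listening on an unexpected port.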