Kubernetes 1.6 Cluster in Practice (7)
Nodes
A node is a machine in the K8S cluster that runs the containers.
Every node must run: docker, flannel, kubelet, kube-proxy
Downloading the software
Download kubelet and kube-proxy from GitHub: fetch the prebuilt K8S server binary package
$ tar xf kubernetes-server-linux-amd64.tar.gz
$ cd kubernetes/server/bin
$ cp {kubelet,kube-proxy} /usr/bin/
$ chmod +x /usr/bin/kube*
Configuring and starting kubelet
The authentication file kubelet needs, /etc/kubernetes/bootstrap.kubeconfig, was already generated in Part 2 (k8s deployment - kubeconfig files).
Create the kubelet-specific configuration file
$ cat > /etc/kubernetes/kubelet <<EOF
###
## kubernetes kubelet (minion) config
#
## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
## (the IP the kubelet binds to; differs from node to node)
KUBELET_ADDRESS="--address=192.168.19.101"
#
## The port for the info server to serve on
#KUBELET_PORT="--port=10250"
#
## You may leave this blank to use the actual hostname
## (the node's name in the cluster; differs from node to node)
KUBELET_HOSTNAME="--hostname-override=192.168.19.101"
#
## location of the api-server
KUBELET_API_SERVER="--api-servers=https://192.168.19.101:6443"
#
## pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
#
## Add your own!
KUBELET_ARGS="--cgroup-driver=systemd --cluster-dns=10.254.0.2 --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --require-kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --hairpin-mode promiscuous-bridge --serialize-image-pulls=false --eviction-hard=memory.available<500Mi --system-reserved=memory=2Gi"
EOF
--system-reserved=memory=2Gi reserves 2G of memory for the system
--eviction-hard=memory.available<500Mi evicts pods once available memory drops below 500Mi
KUBELET_API_SERVER connects to the secure port (secure-port) served by the apiserver
The per-node comments are kept on their own lines on purpose: systemd's EnvironmentFile= only ignores lines that start with #, so a comment placed after a value would be read as part of that value.
Create the systemd unit file
$ cat >/usr/lib/systemd/system/kubelet.service <<EOF
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet \
\$KUBE_LOGTOSTDERR \
\$KUBE_LOG_LEVEL \
\$KUBELET_API_SERVER \
\$KUBELET_ADDRESS \
\$KUBELET_PORT \
\$KUBELET_HOSTNAME \
\$KUBE_ALLOW_PRIV \
\$KUBELET_POD_INFRA_CONTAINER \
\$KUBELET_ARGS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
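The env file above has to be written once per node with that node's own IP. As an added shell helper (not from the original post), here is a function that renders /etc/kubernetes/kubelet for a given node IP and a lint that checks the result before systemd loads it: no comment trailing a value, --address and --hostname-override naming the same node, and the apiserver reached over https. The apiserver address, cluster DNS and the rest of KUBELET_ARGS are the values used in this walkthrough; the function names and the lint rules are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render the per-node
# /etc/kubernetes/kubelet env file and lint it before systemd loads it.
# Only NODE_IP changes between nodes; everything else is the walkthrough's value.
set -eu

API_SERVER="https://192.168.19.101:6443"   # the apiserver's secure port (from the post)
CLUSTER_DNS="10.254.0.2"                   # cluster DNS address (from the post)

# render_kubelet_env NODE_IP -> prints the env file for that node on stdout.
# Comments stay on their own lines: EnvironmentFile= ignores only lines that
# start with '#', so a comment after a value would become part of the value.
render_kubelet_env() {
    node_ip="$1"
    cat <<EOF
###
## kubernetes kubelet (minion) config
## address the kubelet binds to (per node)
KUBELET_ADDRESS="--address=${node_ip}"
## node name in the cluster (per node)
KUBELET_HOSTNAME="--hostname-override=${node_ip}"
## location of the api-server (https = secure port)
KUBELET_API_SERVER="--api-servers=${API_SERVER}"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
KUBELET_ARGS="--cgroup-driver=systemd --cluster-dns=${CLUSTER_DNS} --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --require-kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --hairpin-mode promiscuous-bridge --serialize-image-pulls=false --eviction-hard=memory.available<500Mi --system-reserved=memory=2Gi"
EOF
}

# lint_kubelet_env FILE -> 0 if the file is safe to hand to systemd, else 1
lint_kubelet_env() {
    file="$1"
    # 1. a '#' after the closing quote would be read as part of the value
    if grep -Eq '^[A-Z_]+="[^"]*"[[:space:]]*#' "$file"; then
        echo "$file: trailing comment after a value" >&2
        return 1
    fi
    # 2. --address and --hostname-override must describe the same node
    addr=$(sed -n 's/^KUBELET_ADDRESS="--address=\([^"]*\)".*/\1/p' "$file")
    host=$(sed -n 's/^KUBELET_HOSTNAME="--hostname-override=\([^"]*\)".*/\1/p' "$file")
    if [ -z "$addr" ] || [ "$addr" != "$host" ]; then
        echo "$file: --address ($addr) and --hostname-override ($host) differ" >&2
        return 1
    fi
    # 3. the kubelet must talk to the apiserver's https secure port
    api=$(sed -n 's/^KUBELET_API_SERVER="--api-servers=\([^"]*\)".*/\1/p' "$file")
    case "$api" in
        https://*) return 0 ;;
        *) echo "$file: KUBELET_API_SERVER is not https: $api" >&2; return 1 ;;
    esac
}

# Usage on a node, as root:
#   render_kubelet_env 192.168.19.102 > /etc/kubernetes/kubelet && lint_kubelet_env /etc/kubernetes/kubelet
```

Run the lint after any hand edit to the file as well; a value that silently swallowed a comment shows up as an odd --address argument in the kubelet log, which is much harder to spot than a one-line lint failure.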
Granting the role
When kubelet starts it sends a TLS bootstrapping request to kube-apiserver, so the kubelet-bootstrap user from the bootstrap token file must first be bound to the system:node-bootstrapper cluster role; only then is kubelet allowed to create certificate signing requests:
Of the CSR states, Pending means not yet approved and Approved means approved.
Authorize the join request of a new node:
$ cd /etc/kubernetes
$ kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
Starting kubelet
$ mkdir /var/lib/kubelet
$ systemctl daemon-reload && systemctl enable kubelet && systemctl start kubelet
Because kubelet certificates are all issued by the apiserver, each node's certificate must be approved in the cluster:
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-CiUlm-x037PXyL5Fjee_Srhv9FlhM5Sv-8CApsJcffg 1h kubelet-bootstrap Approved,Issued
node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw 15s kubelet-bootstrap Pending
node-csr-z6sWICbRkv7yqQTHohNhq59-SzjPbK4irLj8Gdc5pO8 50m kubelet-bootstrap Approved,Issued
$ kubectl describe csr node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
Name: node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
Labels: <none>
Annotations: <none>
CreationTimestamp: Sun, 15 Oct 2017 05:17:04 -0400
Requesting User: kubelet-bootstrap
Status: Pending
Subject:
Common Name: system:node:192.168.19.103
Serial Number:
Organization: system:nodes
Events: <none>
$ kubectl certificate approve node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw
certificatesigningrequest "node-csr-tUOaGyNomAykxdk8tpPkPr1ZQvKkf1M_tYO5-cB3nkw" approved
$ kubectl get node
NAME STATUS AGE VERSION
192.168.0.101 NotReady 1h v1.7.1
192.168.0.102 NotReady 51m v1.7.1
192.168.0.103 Ready 3s v1.7.1
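Approving every Pending CSR by hand works for three nodes, but the approval step is where a request made with the shared bootstrap token is admitted as a node, so it is worth checking what is being signed. As an added example (not part of the original post), here is a shell check that reads the `kubectl describe csr` text shown above and accepts a request only if the requester is kubelet-bootstrap, the subject is system:node:<ip> in organization system:nodes, the status is still Pending, and the node is on a list you provisioned. EXPECTED_NODES, SAMPLE_CSR_DESC and the function names are this example's own; approve_pending_node_csrs is a hypothetical wrapper that needs a working kubectl and is not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: vet a node CSR before approving it.
# It parses the `kubectl describe csr` text the walkthrough shows and accepts
# only a bootstrap request for a node that was actually provisioned.
set -eu

# Nodes we provisioned (constructed allow-list; the walkthrough's nodes are .101-.103).
EXPECTED_NODES="192.168.19.101 192.168.19.102 192.168.19.103"

# Constructed sample, shaped like the describe output above.
SAMPLE_CSR_DESC='Name: node-csr-EXAMPLE
Labels: <none>
Annotations: <none>
Requesting User: kubelet-bootstrap
Status: Pending
Subject:
Common Name: system:node:192.168.19.103
Serial Number:
Organization: system:nodes
Events: <none>'

# field DESC LABEL -> the value of the first "LABEL: value" line in DESC
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# csr_is_node_bootstrap DESC -> 0 when the CSR may be approved, 1 (reason on stderr) otherwise
csr_is_node_bootstrap() {
    desc="$1"
    status=$(field "$desc" "Status")
    user=$(field "$desc" "Requesting User")
    cn=$(field "$desc" "Common Name")
    org=$(field "$desc" "Organization")

    [ "$status" = "Pending" ] || { echo "skip: status is $status" >&2; return 1; }
    # the request must come through the bootstrap token identity ...
    [ "$user" = "kubelet-bootstrap" ] || { echo "reject: requester $user" >&2; return 1; }
    # ... and ask for a node identity, never a user or a more privileged group
    [ "$org" = "system:nodes" ] || { echo "reject: organization $org" >&2; return 1; }
    case "$cn" in
        system:node:*) node="${cn#system:node:}" ;;
        *) echo "reject: CN $cn is not a node identity" >&2; return 1 ;;
    esac
    # ... for a node we know we provisioned
    for n in $EXPECTED_NODES; do
        [ "$n" = "$node" ] && return 0
    done
    echo "reject: node $node is not in EXPECTED_NODES" >&2
    return 1
}

# approve_pending_node_csrs -> hypothetical wrapper for a live cluster (needs kubectl)
approve_pending_node_csrs() {
    kubectl get csr -o name | while read -r csr; do
        name="${csr##*/}"
        if csr_is_node_bootstrap "$(kubectl describe csr "$name")"; then
            kubectl certificate approve "$name"
        fi
    done
}
```

The check keys on the subject, not on the CSR name: the name only tells you a kubelet generated the request, while the CN and Organization are what the apiserver will later trust when that node talks to it.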
Configuring and starting kube-proxy
Create the kube-proxy-specific configuration file
$ cat > /etc/kubernetes/proxy <<EOF
###
# kubernetes proxy config
# default config should be adequate
# Add your own!
KUBE_PROXY_ARGS="--bind-address=192.168.19.101 --hostname-override=192.168.19.101 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.250.0.0/16"
EOF
--bind-address is the local machine's IP address
--hostname-override is the node name
Create the systemd unit file
$ cat > /usr/lib/systemd/system/kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/bin/kube-proxy \
\$KUBE_LOGTOSTDERR \
\$KUBE_LOG_LEVEL \
\$KUBE_MASTER \
\$KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
Start kube-proxy
$ systemctl daemon-reload && systemctl enable kube-proxy && systemctl start kube-proxy