node节点的部署

master点赋予用户权限

?

1 2 3 4

[root@mast-1 k8s]# kubectl create clusterrolebinding kubelet-bootstrap \ > --clusterrole=system:node-bootstrapper \ > --user=kubelet-bootstrap clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

　　生成配置文件脚本

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

[root@mast-1 k8s]# cat kubeconfig.sh # 创建 TLS Bootstrapping Token #BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ') BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008   #cat > token.csv <<EOF #${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" #EOF   #----------------------   APISERVER=$1 SSL_DIR=$2   # 创建kubelet bootstrapping kubeconfig export KUBE_APISERVER="https://$APISERVER:6443"   # 设置集群参数 kubectl config set-cluster kubernetes \   --certificate-authority=$SSL_DIR/ca.pem \   --embed-certs=true \   --server=${KUBE_APISERVER} \   --kubeconfig=bootstrap.kubeconfig   # 设置客户端认证参数 kubectl config set-credentials kubelet-bootstrap \   --token=${BOOTSTRAP_TOKEN} \   --kubeconfig=bootstrap.kubeconfig   # 设置上下文参数 kubectl config set-context default \   --cluster=kubernetes \   --user=kubelet-bootstrap \   --kubeconfig=bootstrap.kubeconfig   # 设置默认上下文 kubectl config use-context default --kubeconfig=bootstrap.kubeconfig   #----------------------   # 创建kube-proxy kubeconfig文件   kubectl config set-cluster kubernetes \   --certificate-authority=$SSL_DIR/ca.pem \   --embed-certs=true \   --server=${KUBE_APISERVER} \   --kubeconfig=kube-proxy.kubeconfig   kubectl config set-credentials kube-proxy \   --client-certificate=$SSL_DIR/kube-proxy.pem \   --client-key=$SSL_DIR/kube-proxy-key.pem \   --embed-certs=true \   --kubeconfig=kube-proxy.kubeconfig   kubectl config set-context default \   --cluster=kubernetes \   --user=kube-proxy \   --kubeconfig=kube-proxy.kubeconfig   kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig   [root@mast-1 k8s]# bash kubeconfig.sh 192.168.10.11 /root/k8s/ [root@mast-1 k8s]# cat bootstrap.kubeconfig apiVersion: v1 clusters: - cluster:     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVYnBqMkFDaS8zeDE2NDdqMXBHSlhxS2QxR3M0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RUR BT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbAphV3BwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEU1TURReU1qRXdNREF3TUZvWERUSTBNRFF5TURFd01EQXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFXcHBibWN4RURBT0JnTlZCQWNUQjBKbGFXcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBNUJaRFR5cFpDam1tUTE2VFRsSlMKVityVzZ4OUUrVGV5c3JiZ0FPNE1iMmNlVW1DaG56MU9SUXlvT0V3MnlJVFd5SkQyVmJZQUJKUEVMLzRQWk1QNApwblRXRVdXMGhYSXYvN0pNOTJid1hGWSsrWVFYVE42c2FzTXF1cGViL1ZwR0x4NFZiYjFNUUJPcDBtSHV3Q1ZxCk1PUEE2Z0ZMQ2lORmIrZHUvd1FDNjgzc2p1VnFEbWFNYXBEMmVMQmJXeFRaOFgxei9zUGtCTC9GcTRJM2JIbCsKUlBVWmVHakU3YmgwaXJ2S25KSWpKbmdnbStDdTAyc0NPZWNIN3JsUDhyNm5ONFY2L1JrMjN4NmlndHFMMWllawpYdncxNFpoUGM1MFE4Mk9HQW9SSGJjdlBiQUc3NTh0cjdkaXZ5WFZ6NjYzdlJYMC9jN1RHWW9yeDV0WmJiQVJOCkpRSURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVZnlWQlE4YlJFZTJ6UzVTTXVCSGlPRGNGWExRd0h3WURWUjBqQkJnd0ZvQVVmeVZCUThiUgpFZTJ6UzVTTXVCSGlPRGNGWExRd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFIeXhxL2VDdVF6cU83bm8rdGlVCmRmNTZOcDY0Tit2OFdFYXc0S1lrZlZsZ0VReXNBR1RGNlBPV2RlSnJNRkw2WCtnRlpZSU41VVMyV0tiK1ErOHAKc1Y5bmdPUUNraGJwWjYwYWJXMUNCTFJ6eGJHdGE4Ymo4TnRZdU84TGZReWF4NnZOd3cwakpsTmpjejlBYS9tVQpWSGljMFZzVHphUFZ5NEhqN09MdVdGNS9NRjY2aVJySFl0aTV4WFpkZ3VMSWV3TDREemxuU042WTNOcDFHc1NTCmtwcmk2elprME1PSTRtbVBIMXdsR2xKOGhFU2dkZ3RrZVZIbUpUTjVid29hc0JSMWlZdXgyKzgwYXFkZUFFQXoKeFdYYU9wRXlKc3ZGbURZcWJBR3pSN2N3VUJqdEU5TjdIKzIrRjJ0VlBGaDlCbk45cXVjdmcxZTlSSCt2YlNHaAp2NjQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K    server: https://192.168.10.11:6443   name: kubernetes contexts: - context:     cluster: kubernetes     user: kubelet-bootstrap   name: default current-context: default kind: Config preferences: {} users: - name: kubelet-bootstrap   user:     token: 0fb61c46f8991b718eb38d27b605b008   token一定一致

　　 将node上的配置文件复制到node节点上

?

1 2 3 4 5 6 7 8 9 10 11 12 13

[root@mast-1 k8s]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.10.13:/opt/kubernetes/cfg/ root@192.168.10.13's password: bootstrap.kubeconfig                                                                                                                                         100% 2167   187.8KB/s   00:00    kube-proxy.kubeconfig                                                                                                                                        100% 6273   272.0KB/s   00:00    [root@mast-1 k8s]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.10.14:/opt/kubernetes/cfg/ The authenticity of host '192.168.10.14 (192.168.10.14)' can't be established. ECDSA key fingerprint is SHA256:49eEsjLcmpvTYF6ELlDwwvvpnG9ikMvLKdITIjxW1PU. ECDSA key fingerprint is MD5:c8:58:8a:28:65:88:de:dd:08:7d:4f:69:a3:3e:2b:25. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.10.14' (ECDSA) to the list of known hosts. root@192.168.10.14's password: bootstrap.kubeconfig                                                                                                                                         100% 2167   231.8KB/s   00:00    kube-proxy.kubeconfig                                                                                                                                        100% 6273    86.1KB/s   00:00

　　将kubelet,kube-proxy，拷贝node节点

?

1 2 3 4 5 6 7 8

[root@mast-1 k8s]# scp kubernetes/server/bin/{kubelet,kube-proxy} 192.168.10.13:/opt/kubernetes/bin/ root@192.168.10.13's password: kubelet                                                                                                                                                      100%  169MB   2.7MB/s   01:02    kube-proxy                                                                                                                                                   100%   48MB   2.6MB/s   00:18    [root@mast-1 k8s]# scp kubernetes/server/bin/{kubelet,kube-proxy} 192.168.10.14:/opt/kubernetes/bin/ root@192.168.10.14's password: kubelet                                                                                                                                                      100%  169MB  11.2MB/s   00:15    kube-proxy                                                                                                                                                   100%   48MB   8.0MB/s   00:06

　　运行kubelet.sh，脚本生成配置文件并启动kubelet

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76

[root@node-1 ~]# cat kubelet.sh #!/bin/bash   NODE_ADDRESS=$1 DNS_SERVER_IP=${2:-"10.0.0.2"}   cat <<EOF >/opt/kubernetes/cfg/kubelet   KUBELET_OPTS="--logtostderr=true \\ --v=4 \\ --address=${NODE_ADDRESS} \\ --hostname-override=${NODE_ADDRESS} \\ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\ --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\ --config=/opt/kubernetes/cfg/kubelet.config \\ --cert-dir=/opt/kubernetes/ssl \\ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"   EOF   cat <<EOF >/opt/kubernetes/cfg/kubelet.config   kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: ${NODE_ADDRESS} port: 10250 cgroupDriver: cgroupfs clusterDNS: - ${DNS_SERVER_IP} clusterDomain: cluster.local. failSwapOn: false   EOF   cat <<EOF >/usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service   [Service] EnvironmentFile=/opt/kubernetes/cfg/kubelet ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS Restart=on-failure KillMode=process   [Install] WantedBy=multi-user.target EOF   systemctl daemon-reload systemctl enable kubelet systemctl restart kubelet [root@node-1 ~]#  bash  kubelet.sh 192.168.10.13 Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service. [root@node-1 ~]# systemctl start kubelet [root@node-1 ~]# systemctl status kubelet ● kubelet.service - Kubernetes Kubelet    Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)    Active: active (running) since 二 2019-04-23 15:51:21 CST; 1min 2s ago  Main PID: 98249 (kubelet)     Tasks: 9    Memory: 15.2M    CGroup: /system.slice/kubelet.service            └─98249 /opt/kubernetes/bin/kubelet --logtostderr=true --v=4 --address=192.168.10.13 --hostname-override=192.168.10.13 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig --expe...   4月 23 15:51:22 node-1 kubelet[98249]: I0423 15:51:22.662290   98249 feature_gate.go:206] feature gates: &{map[]} 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.018824   98249 server.go:826] Using self-signed cert (/opt/kubernetes/ssl/kubelet.crt, /opt/kubernetes/ssl/kubelet.key) 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089220   98249 mount_linux.go:179] Detected OS with systemd 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089336   98249 server.go:408] Version: v1.12.1 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089505   98249 feature_gate.go:206] feature gates: &{map[]} 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089662   98249 feature_gate.go:206] feature gates: &{map[]} 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089869   98249 plugins.go:99] No cloud provider specified. 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089904   98249 server.go:524] No cloud provider specified: "" from the config file: "" 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.089979   98249 bootstrap.go:61] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file 4月 23 15:51:24 node-1 kubelet[98249]: I0423 15:51:24.107032   98249 bootstrap.go:92] No valid private key and/or certificate found, reusing existing private key or creating a new one

查看生成的配置文件

?

1 2 3 4 5 6 7 8 9 10 11

[root@node-1 ~]# vim /opt/kubernetes/cfg/kubelet KUBELET_OPTS="--logtostderr=false \   日志写到 --log-dir=/opt/kubernetes/logs \ --v=4 \ --address=192.168.10.13 \   节点IP --hostname-override=192.168.10.13 \   主机名 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \  自动生成配置文件 --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \  考过的配置文件 --config=/opt/kubernetes/cfg/kubelet.config \ 本身信息 --cert-dir=/opt/kubernetes/ssl \   证书存放目录 --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"   第一个容器引用镜像地址

　　查看进程

?

1 2 3

[root@node-1 ~]# ps -ef | grep kubelet root     102230      1  9 16:44 ?        00:00:57 /opt/kubernetes/bin/kubelet --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --address=192.168.10.13 --hostname-override=192.168.10.1 3 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfg/kubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0

　　在master查看请求

?

1 2 3

[root@mast-1 k8s]# kubectl get csr NAME                                                   AGE   REQUESTOR           CONDITION node-csr-ZONNGVKhERtGrVy4_N5uQFlnt-JlvnAVazkN19No8M8   66m   kubelet-bootstrap   Pending

　　在master同意此请求

?

1 2 3 4 5

[root@mast-1 k8s]# kubectl certificate approve node-csr-ZONNGVKhERtGrVy4_N5uQFlnt-JlvnAVazkN19No8M8 certificatesigningrequest.certificates.k8s.io/node-csr-ZONNGVKhERtGrVy4_N5uQFlnt-JlvnAVazkN19No8M8 approved [root@mast-1 k8s]# kubectl get node NAME            STATUS   ROLES    AGE   VERSION 192.168.10.13   Ready（准备完成状态）    <none>   62s   v1.12.1

　　node的proxy的部署

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38

[root@node-1 ~]# cat proxy.sh #!/bin/bash   NODE_ADDRESS=$1   cat <<EOF >/opt/kubernetes/cfg/kube-proxy   KUBE_PROXY_OPTS="--logtostderr=true \\ --v=4 \\ --hostname-override=${NODE_ADDRESS} \\ --cluster-cidr=10.0.0.0/24 \\ --proxy-mode=ipvs \\ --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"   EOF   cat <<EOF >/usr/lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Proxy After=network.target   [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS Restart=on-failure   [Install] WantedBy=multi-user.target EOF   systemctl daemon-reload systemctl enable kube-proxy systemctl restart kube-proxy [root@node-1 ~]# bash proxy.sh 192.168.10.13 Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service. [root@node-1 ~]# ps -ef | grep proxy root     103894      1  4 17:06 ?        00:00:01 /opt/kubernetes/bin/kube-proxy --logtostderr=true --v=4 --hostname-override=192.168.10.13 --cluster-cidr=10.0.0.0/24 --proxy-mode=ipvs --kubeconfig=/opt/k ubernetes/cfg/kube-proxy.kubeconfigroot     104091   1436  0 17:06 pts/0    00:00:00 grep --color=auto proxy

　　部署第二个节点的两个程序

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

[root@node-2 ~]# cd /opt/kubernetes/ssl/ [root@node-2 ssl]# ls kubelet-client-2019-04-23-17-01-51.pem  kubelet-client-current.pem  kubelet.crt  kubelet.key [root@node-2 ssl]# rm -rf * [root@node-2 ssl]# cd ../cfg/ [root@node-2 cfg]# grep 192.168.10.13 * flanneld:FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/serv er.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"kubelet:--address=192.168.10.13 \ kubelet:--hostname-override=192.168.10.13 \ kubelet.config:address: 192.168.10.13 [root@node-2 cfg]# vim kubelet KUBELET_OPTS="--logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --v=4 \ --address=192.168.10.14 \ --hostname-override=192.168.10.14 \ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \ --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \ --config=/opt/kubernetes/cfg/kubelet.config \ --cert-dir=/opt/kubernetes/ssl \ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0" [root@node-2 cfg]# vim kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: 192.168.10.14 port: 10250  监控端口 cgroupDriver: cgroupfs clusterDNS: - 10.0.0.2 clusterDomain: cluster.local. failSwapOn: false [root@node-2 cfg]# vim kube-proxy KUBE_PROXY_OPTS="--logtostderr=true \ --v=4 \ --hostname-override=192.168.10.14 \ --cluster-cidr=10.0.0.0/24 \ --proxy-mode=ipvs \ --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig" [root@node-2 cfg]# systemctl start kubelet.service  启动kube [root@node-2 cfg]# systemctl start kube-proxy.service 启动kube-proxy [root@mast-1 k8s]#  kubectl certificate approve node-csr-wBzPhquG-6WwQgPANF53GZn1KAL8zgKOglbfZEncLdk certificatesigningrequest.certificates.k8s.io/node-csr-wBzPhquG-6WwQgPANF53GZn1KAL8zgKOglbfZEncLdk approved [root@mast-1 k8s]# kubectl get node NAME            STATUS     ROLES    AGE   VERSION 192.168.10.13   Ready      <none>   29m   v1.12.1 192.168.10.14   NotReady   <none>   6s    v1.12.1 [root@mast-1 k8s]# kubectl get node NAME            STATUS     ROLES    AGE   VERSION 192.168.10.13   Ready      <none>   29m   v1.12.1 192.168.10.14   NotReady   <none>   9s    v1.12.1 [root@mast-1 k8s]# kubectl get node NAME            STATUS   ROLES    AGE   VERSION 192.168.10.13   Ready    <none>   29m   v1.12.1 192.168.10.14   Ready    <none>   11s   v1.12.1