kubernetes集群之部署kubelet

下载coredns与pause的镜像（拉取后可将输出中的 Digest 与可信来源公布的摘要核对，确认镜像未被替换）

[root@master-1 .kube]# docker pull k8s.gcr.io/pause:3.2
3.2: Pulling from pause
c74f8866df09: Pull complete 
Digest: sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f
Status: Downloaded newer image for k8s.gcr.io/pause:3.2
k8s.gcr.io/pause:3.2
您在 /var/spool/mail/root 中有新邮件
[root@master-1 .kube]# docker pull k8s.gcr.io/coredns:1.7.0
1.7.0: Pulling from coredns
c6568d217a00: Pull complete 
6937ebe10f02: Pull complete 
Digest: sha256:73ca82b4ce829766d4f1f10947c3a338888f876fbed0540dc849c89ff256e90c
Status: Downloaded newer image for k8s.gcr.io/coredns:1.7.0
k8s.gcr.io/coredns:1.7.0
[root@master-1 .kube]# docker images ls
REPOSITORY   TAG       IMAGE ID   CREATED   SIZE
[root@master-2 .kube]# docker image ls
REPOSITORY           TAG       IMAGE ID       CREATED       SIZE
k8s.gcr.io/coredns   1.7.0     bfe3a36ebd25   2 years ago   45.2MB
k8s.gcr.io/pause     3.2       80d28bedfe5d   2 years ago   683kB

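  创建 kubelet-bootstrap.kubeconfig 并绑定授权（该 kubeconfig 内含 bootstrap token 明文，应限制文件权限，例如 chmod 600，并且只分发到需要加入集群的节点）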

[root@master-1 work]#  BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/token.csv)
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.10.29:6443 --kubeconfig=kubelet-bootstrap.kubeconfig
Cluster "kubernetes" set.
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]#  kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig
User "kubelet-bootstrap" set.
[root@master-1 work]# kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig
Context "default" created.
[root@master-1 work]# kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig
Switched to context "default".
[root@master-1 work]#  kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
您在 /var/spool/mail/root 中有新邮件

  #创建配置文件kubelet.json（注意：address 应填写该节点自身的 IP；readOnlyPort 10255 是无需认证的只读端口，会暴露节点和 Pod 信息，如果没有组件依赖它，建议设为 0 关闭）

[root@master-1 work]#  vim kubelet.json

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "192.168.10.32",
  "port": 10250,
  "readOnlyPort": 10255,
  "cgroupDriver": "systemd",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.255.0.2"]
}

  

  创建启动文件

vim kubelet.service
# systemd unit that runs the kubelet on a node, using Docker as the container runtime.
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
# Start only after docker.service and treat it as a hard dependency.
After=docker.service
Requires=docker.service
[Service]
# This directory must exist before the unit is started.
WorkingDirectory=/var/lib/kubelet
# --bootstrap-kubeconfig carries the bootstrap token and is used to request a client
# certificate; the kubelet then generates the file named by --kubeconfig itself.
# --cert-dir receives the issued certificate and the kubelet's private key.
# NOTE(review): keep --cert-dir and both kubeconfig files readable by root only - confirm
# the modes on the node after copying.
# NOTE(review): --network-plugin and --pod-infra-container-image belong to the
# dockershim-era kubelet (the log on this page shows v1.20.7); verify they are still
# accepted before reusing this unit with a newer release.
# NOTE(review): the pause image is referenced by tag; pinning it by digest would tie the
# node to the exact image that was pulled and checked.
ExecStart=/usr/local/bin/kubelet \
  --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
  --cert-dir=/etc/kubernetes/ssl \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --config=/etc/kubernetes/kubelet.json \
  --network-plugin=cni \
  --pod-infra-container-image=k8s.gcr.io/pause:3.2 \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes \
  --v=2
# Restart the kubelet five seconds after an unclean exit.
Restart=on-failure
RestartSec=5
 
[Install]
# Enabling the unit starts the kubelet at boot as part of multi-user.target.
WantedBy=multi-user.target

  拷贝文件

[root@master-1 work]# scp kubelet-bootstrap.kubeconfig kubelet.json node-1:/etc/kubernetes/
kubelet-bootstrap.kubeconfig                                                                                                                                                   100% 2151     2.3MB/s   00:00    
kubelet.json                                                                                                                                                                   100%  802   985.9KB/s   00:00    
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]# scp  ca.pem node-1:/etc/kubernetes/ssl
ca.pem                                                                                                                                                                         100% 1346     2.0MB/s   00:00    
[root@master-1 work]#  scp  kubelet.service node-1:/usr/lib/systemd/system/
kubelet.service                                                            

 创建目录

[root@node-1 modules]# mkdir /var/lib/kubelet
[root@node-1 modules]# mkdir /var/log/kubernetes

  

 

设置开机自启并启动kubelet

[root@node-1 modules]#  systemctl daemon-reload
[root@node-1 modules]# systemctl enable kubelet
[root@node-1 modules]# systemctl start kubelet.service 
[root@node-1 modules]# systemctl status kubelet.service 
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since 四 2022-08-11 23:00:36 CST; 10s ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 19743 (kubelet)
    Tasks: 7
   Memory: 25.3M
   CGroup: /system.slice/kubelet.service
           └─19743 /usr/local/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig --cert-dir=/etc/kubernetes/ssl --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --config=/etc/kub...

8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.767526   19743 mount_linux.go:202] Detected OS with systemd
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.767805   19743 server.go:416] Version: v1.20.7
8月 11 23:00:36 node-1 kubelet[19743]: W0811 23:00:36.767852   19743 feature_gate.go:235] Setting GA feature gate RotateKubeletClientCertificate=true. It will be removed in a future release.
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.767859   19743 feature_gate.go:243] feature gates: &{map[RotateKubeletClientCertificate:true RotateKubeletServerCertificate:true]}
8月 11 23:00:36 node-1 kubelet[19743]: W0811 23:00:36.767906   19743 feature_gate.go:235] Setting GA feature gate RotateKubeletClientCertificate=true. It will be removed in a future release.
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.767910   19743 feature_gate.go:243] feature gates: &{map[RotateKubeletClientCertificate:true RotateKubeletServerCertificate:true]}
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.768000   19743 bootstrap.go:119] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.769118   19743 bootstrap.go:150] No valid private key and/or certificate found, reusing existing private key or creating a new one
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.796222   19743 bootstrap.go:355] Waiting for client certificate to be issued
8月 11 23:00:36 node-1 kubelet[19743]: I0811 23:00:36.801327   19743 reflector.go:219] Starting reflector *v1.CertificateSigningRequest (0s) from k8s.io/client-go/tools/watch/informerwatcher.go:146

  

 master 查看客户端csr 请求

[root@master-1 work]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-8MjbNrohP0Mk8iNeEW6_idHh8oTtooHpr50o1_AcSjg   29s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending

  master 批准客户端申请证书请求（批准前先核对该 CSR 的 REQUESTOR、SIGNERNAME 以及请求的节点名确实来自预期的节点，可用 kubectl describe csr 查看；不要批准来源不明的请求）

[root@master-1 work]#  kubectl certificate approve node-csr-8MjbNrohP0Mk8iNeEW6_idHh8oTtooHpr50o1_AcSjg 
certificatesigningrequest.certificates.k8s.io/node-csr-8MjbNrohP0Mk8iNeEW6_idHh8oTtooHpr50o1_AcSjg approved

  master 批准后重新查看状态

[root@master-1 work]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-8MjbNrohP0Mk8iNeEW6_idHh8oTtooHpr50o1_AcSjg   53s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued

  查看集群节点  注意:此时STATUS为NotReady,是因为还没有安装网络插件(CNI)

[root@master-1 work]# kubectl get nodes
NAME     STATUS     ROLES    AGE   VERSION
node-1   NotReady   <none>   8s    v1.20.7

  

 

  

 
