
Kubernetes 集群部署(三)(master、node 部分)

程序员文章站 2022-07-13 22:24:34


本文承接: Kubernetes 集群部署(二)(flannel 网络配置)


Kubernetes 集群部署(三)(部署 master/node 组件)

1.部署 master(组件)

①创建 K8S 工作目录及证书目录

[[email protected] ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p		'//创建k8s工作目录'
[[email protected] ~]# cd k8s/
[[email protected] k8s]# mkdir k8s-cert		'//创建K8S存储证书的目录'
[[email protected] k8s]# cd k8s-cert/

②撰写创建证书脚本并执行

[[email protected] k8s-cert]# vim k8s-cert.sh		'//撰写创建证书的脚本'

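# k8s-cert.sh — generate the control-plane PKI with cfssl.
# Sourced from the directory that will hold the *.pem output (the page uses
# /root/k8s/k8s-cert). Produces four key pairs:
#   ca.pem / ca-key.pem                  cluster CA (root of trust)
#   server.pem / server-key.pem          kube-apiserver serving cert
#   admin.pem / admin-key.pem            cluster-admin client cert
#   kube-proxy.pem / kube-proxy-key.pem  kube-proxy client cert
# Requires cfssl and cfssljson on PATH. Errors use "return" when the file is
# sourced (as on the page) and "exit" when it is executed.

if ! command -v cfssl >/dev/null 2>&1 || ! command -v cfssljson >/dev/null 2>&1; then
  printf 'k8s-cert.sh: cfssl and cfssljson must be on PATH\n' >&2
  return 1 2>/dev/null || exit 1
fi

# CA signing policy, passed to cfssl with -config. The default and the
# "kubernetes" profile both use an 87600h (10 year) validity; the profile marks
# the issued certs usable for both server auth and client auth. JSON has no
# comment syntax, so nothing may be appended inside the heredocs below — the
# original listing's inline annotations made every request file unparseable.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

# CA certificate request. For client certificates Kubernetes maps "O" to the
# group and "CN" to the user name, which is why the admin and kube-proxy
# requests below set those fields deliberately.
cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

# Self-sign the CA. ca-key.pem signs every cert below and, later, the node
# CSRs approved through the controller-manager; only ca.pem has to leave this
# host (the kubeconfig script embeds it for the nodes).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - \
  || { printf 'k8s-cert.sh: CA generation failed\n' >&2; return 1 2>/dev/null || exit 1; }
#-----------------------

# kube-apiserver serving cert. "hosts" is the SAN list: every address or name a
# client may use to reach the API — the ClusterIP 10.0.0.1 (first address of
# --service-cluster-ip-range), loopback, both planned masters, both nginx
# load balancers and the floating VIP, plus the in-cluster service names.
# An address missing here fails TLS verification, and adding one later means
# re-issuing server.pem. (The original listing was missing the commas after
# the two nginx entries, which is invalid JSON.)
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.126.11",
      "192.168.126.12",
      "192.168.126.15",
      "192.168.126.16",
      "192.168.126.100",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server \
  || { printf 'k8s-cert.sh: server certificate generation failed\n' >&2; return 1 2>/dev/null || exit 1; }

#-----------------------
# Admin client cert. "O": "system:masters" places the holder in the
# system:masters group, which the apiserver treats as an unrestricted
# superuser regardless of RBAC rules — guard admin-key.pem like the CA key.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin \
  || { printf 'k8s-cert.sh: admin certificate generation failed\n' >&2; return 1 2>/dev/null || exit 1; }

#-----------------------
# kube-proxy client cert. CN "system:kube-proxy" is the user the built-in
# system:node-proxier ClusterRoleBinding already grants to, so kube-proxy
# needs no extra RBAC binding.
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy \
  || { printf 'k8s-cert.sh: kube-proxy certificate generation failed\n' >&2; return 1 2>/dev/null || exit 1; }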


[[email protected] k8s-cert]# . k8s-cert.sh 
...
...
[[email protected] k8s-cert]# ls *.pem		'//最终制作出这8张证书'
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem

③完善 K8S 工作目录

[[email protected] k8s-cert]# cp ca*.pem server*.pem /opt/kubernetes/ssl/
'//这里master只需要ca与server,admin与proxy给node'

[[email protected] k8s-cert]# cd ..
[[email protected] k8s]# rz -E
rz waiting to receive.		'//将下载好的K8S软件包传至目录下'
[[email protected] k8s]# ls kuber*
kubernetes-server-linux-amd64.tar.gz		'//包含server与node的所有组件包/执行脚本,非常庞大'
[[email protected] k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz 
...
...
[[email protected] k8s]# cd kubernetes/
[[email protected] kubernetes]# ls
addons  kubernetes-src.tar.gz  LICENSES  server
[[email protected] kubernetes]# cd server/
[[email protected] server]# ls
bin
[[email protected] server]# cd bin/
[[email protected] bin]# ls		'//接下来将我们需要的脚本文件拷贝至K8S工作目录下'
apiextensions-apiserver             kubectl-convert
kubeadm                             kubelet
kube-aggregator                     kube-proxy
kube-apiserver                      kube-proxy.docker_tag
kube-apiserver.docker_tag           kube-proxy.tar
kube-apiserver.tar                  kube-scheduler
kube-controller-manager             kube-scheduler.docker_tag
kube-controller-manager.docker_tag  kube-scheduler.tar
kube-controller-manager.tar         mounter
kubectl
[[email protected] bin]# cp kube-apiserver kubectl kube-scheduler kube-controller-manager /opt/kubernetes/bin/
[[email protected] bin]# tree /opt/kubernetes/
/opt/kubernetes/
├── bin
│   ├── kube-apiserver
│   ├── kube-controller-manager
│   ├── kubectl
│   └── kube-scheduler
├── cfg		'//还缺配置文件和启动脚本'
└── ssl
    ├── ca-key.pem
    ├── ca.pem
    ├── server-key.pem
    └── server.pem

3 directories, 8 files

④建立 token 令牌并撰写一个启动 apiserver 的脚本

[[email protected] bin]# cd /root/k8s/
[[email protected] k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
46f66211f8331155527e36e3a4d59a31
'//随机生成16位***,后续有用'
[[email protected] k8s]# vim /opt/kubernetes/cfg/token.csv
'//建立token令牌,K8S的管理需要令牌服务(系统-角色-操作权限)'

46f66211f8331155527e36e3a4d59a31,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
'//***,用户名(kubelet),id,角色身份'
'//kubelet是一个组件,但是我们需要创建一个角色来控制其'


[[email protected] k8s]# vim apiserver.sh 
'//撰写一个启动apiserver的脚本'
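#!/bin/bash
# apiserver.sh — write the kube-apiserver options file and systemd unit, then
# (re)start the service.
#
# Arguments:
#   $1  MASTER_ADDRESS  IP this apiserver binds to and advertises
#   $2  ETCD_SERVERS    comma-separated etcd endpoints (https://IP:2379,...)
# Reads:  /opt/kubernetes/ssl/{server,server-key,ca,ca-key}.pem,
#         /opt/etcd/ssl/{ca,server,server-key}.pem,
#         /opt/kubernetes/cfg/token.csv
# Writes: /opt/kubernetes/cfg/kube-apiserver,
#         /usr/lib/systemd/system/kube-apiserver.service
# The page sources this file (". apiserver.sh ..."), so the usage check uses
# "return" when sourced and "exit" when executed.

if [[ $# -lt 2 || -z $1 || -z $2 ]]; then
  printf 'usage: apiserver.sh MASTER_ADDRESS ETCD_SERVERS\n' >&2
  return 1 2>/dev/null || exit 1
fi

MASTER_ADDRESS=$1
ETCD_SERVERS=$2

# Option notes (values unchanged from the page):
#   --bind-address / --advertise-address  the master IP; 6443 is the only
#       TLS-protected, authenticated port. --insecure-bind-address is not set,
#       so the unauthenticated HTTP port 8080 keeps its default loopback bind;
#       the scheduler and controller-manager scripts on this page rely on it
#       there. It must never be bound to a non-loopback address.
#   --authorization-mode=RBAC,Node  RBAC for users, the Node authorizer for
#       kubelets; NodeRestriction in the admission list limits a kubelet to its
#       own Node and Pod objects.
#   --enable-bootstrap-token-auth / --token-auth-file  the static token in
#       token.csv is the credential kubelets present to submit their CSR;
#       treat the file as a secret (root:root, mode 0600).
#   --service-account-key-file=.../ca-key.pem  the CA private key doubles as
#       the service-account token key (the controller-manager signs with the
#       same file). A dedicated key pair is the usual practice, so that the
#       SA-token signing key and the cluster CA key are not the same secret.
#   no --kubelet-client-certificate/--kubelet-client-key  apiserver->kubelet
#       calls carry no client identity; presumably this is why the kubelet
#       config later on this page enables anonymous authentication.
#   --etcd-*  client credentials from the earlier etcd deployment.
#
# The heredoc is unquoted so ${...} expands here, and "\\" leaves the single
# "\" systemd needs to join the continuation lines. Keep every "\" as the
# last character of its line — the original listing's trailing annotations
# broke the continuation and left the options file unusable.
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

# systemd unit. "\$" keeps the variable literal so systemd, not this shell,
# expands it from the EnvironmentFile at start time.
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver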

⑤启动 apiserver

[[email protected] k8s]# . apiserver.sh 192.168.126.11 https://192.168.126.11:2379,https://192.168.126.13:2379,https://192.168.126.14:2379
'//指定masterIP,ETCD群集IP,开启apiserver'
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
[[email protected] k8s]# systemctl status kube-apiserver.service 
[[email protected] k8s]# ps aux | grep kube		'//查看进程'
[[email protected] k8s]# cat /opt/kubernetes/cfg/kube-apiserver		'//查看生成的配置文件'
[[email protected] k8s]# netstat -ntap | grep 6443		'//查看可供安全访问的端口是否开启'
tcp        0      0 192.168.126.11:6443     0.0.0.0:*               LISTEN      23837/kube-apiserve 
tcp        0      0 192.168.126.11:6443     192.168.126.11:56606    ESTABLISHED 23837/kube-apiserve 
tcp        0      0 192.168.126.11:56606    192.168.126.11:6443     ESTABLISHED 23837/kube-apiserve 
[[email protected] k8s]# netstat -ntap | grep 8080
'//http协议端口,用于内部通讯'

⑥撰写 scheduler/controller-manager 脚本并启动

[[email protected] k8s]# vim scheduler.sh
'//撰写一个启动scheduler的脚本'
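#!/bin/bash
# scheduler.sh — write the kube-scheduler options file and systemd unit, then
# (re)start the service.
#
# Arguments:
#   $1  MASTER_ADDRESS  address of the apiserver's insecure HTTP port (8080).
#       The page passes 127.0.0.1: the apiserver script does not change the
#       default loopback bind of that port, and a loopback address lets the
#       same file be copied unchanged to a second master.
# Writes: /opt/kubernetes/cfg/kube-scheduler,
#         /usr/lib/systemd/system/kube-scheduler.service
# Sourced on the page (". scheduler.sh 127.0.0.1"), hence return-or-exit.

if [[ $# -lt 1 || -z $1 ]]; then
  printf 'usage: scheduler.sh MASTER_ADDRESS\n' >&2
  return 1 2>/dev/null || exit 1
fi

MASTER_ADDRESS=$1

# --master=...:8080 is plain HTTP with no authentication, so it must stay on
# loopback; --leader-elect allows several schedulers with one active.
# "\\" in the heredoc becomes the "\" systemd needs to join the lines; keep
# every "\" as the last character of its line (the original listing's
# trailing annotation after --master broke the continuation).
cat <<EOF >/opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler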

[[email protected] k8s]# . scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[[email protected] k8s]# systemctl status kube-scheduler.service 


[[email protected] k8s]# vim controller-manager.sh 

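#!/bin/bash
# controller-manager.sh — write the kube-controller-manager options file and
# systemd unit, then (re)start the service.
#
# Arguments:
#   $1  MASTER_ADDRESS  address of the apiserver's insecure HTTP port (8080);
#       the page passes 127.0.0.1 for the same reasons as scheduler.sh.
# Reads:  /opt/kubernetes/ssl/ca.pem, /opt/kubernetes/ssl/ca-key.pem
# Writes: /opt/kubernetes/cfg/kube-controller-manager,
#         /usr/lib/systemd/system/kube-controller-manager.service
# Sourced on the page (". controller-manager.sh 127.0.0.1"), hence
# return-or-exit. Without the check an empty $1 silently produced
# "--master=:8080".

if [[ $# -lt 1 || -z $1 ]]; then
  printf 'usage: controller-manager.sh MASTER_ADDRESS\n' >&2
  return 1 2>/dev/null || exit 1
fi

MASTER_ADDRESS=$1

# Option notes (values unchanged from the page):
#   --master=...:8080        unauthenticated HTTP to the apiserver; loopback only.
#   --address=127.0.0.1      the controller-manager's own health/metrics
#                            endpoint stays on loopback.
#   --cluster-signing-*      the CA key pair used to sign the node CSRs that
#                            the page approves with "kubectl certificate
#                            approve"; this is why ca-key.pem must be on the
#                            master.
#   --experimental-cluster-signing-duration=87600h0m0s
#                            node client certs are valid for 10 years, i.e.
#                            they are effectively never rotated; shorten this
#                            if kubelet certificate rotation is enabled.
#   --service-account-private-key-file=.../ca-key.pem
#                            service-account tokens are signed with the CA
#                            private key (the apiserver verifies with the same
#                            file); a dedicated key pair is the usual practice.
#   --root-ca-file           CA bundle placed into service-account secrets.
# Keep every "\" as the last character of its line inside the heredoc.
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager


KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager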


[[email protected] k8s]# . controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[[email protected] k8s]# systemctl status kube-controller-manager.service

[[email protected] k8s]# ps aux | grep kube		'//查看进程'

[[email protected] k8s]# /opt/kubernetes/bin/kubectl get cs
'//使用kubectl命令管理工具查看master节点状态(通过apiserver)'
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok                   
etcd-0               Healthy   {"health": "true"}   
etcd-1               Healthy   {"health": "true"}   
etcd-2               Healthy   {"health": "true"}   
controller-manager   Healthy   ok

2.部署 node (组件)

①在 master 节点将 kubelet、kube-proxy 传输至 node 节点

----master----
[[email protected] k8s]# cd kubernetes/server/bin/
[[email protected] bin]# ls
apiextensions-apiserver              kube-controller-manager.tar
cloud-controller-manager             kubectl
cloud-controller-manager.docker_tag  kubelet
cloud-controller-manager.tar         kube-proxy
hyperkube                            kube-proxy.docker_tag
kubeadm                              kube-proxy.tar
kube-apiserver                       kube-scheduler
kube-apiserver.docker_tag            kube-scheduler.docker_tag
kube-apiserver.tar                   kube-scheduler.tar
kube-controller-manager              mounter
kube-controller-manager.docker_tag
'//node组件需要kubelet与kube-proxy'
[[email protected] bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
[email protected]'s password: 
kubelet                                   100%  168MB  84.0MB/s   00:02    
kube-proxy                                100%   48MB  70.9MB/s   00:00    
[[email protected] bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
[email protected]'s password: 
kubelet                                   100%  168MB  88.8MB/s   00:01    
kube-proxy                                100%   48MB  87.0MB/s   00:00 

②创建 kubeconfig 目录并完善

'//apiserver与kubelet通讯需要用到6443端口,内部通讯则可以用到8080端口'
'//需要建立TLS通讯安全加密'
'//kubelet需要先准备参数提交给apiserver,其确认完了颁发证书给kubelet(授权)'
'//即kubelet加入到K8S之前需要准备一些列参数、证书、凭证'

[[email protected] k8s]# mkdir kubeconfig
'//存放以上所需要参数的目录,以供apiserver与kubelet通讯'
'//kubelet启动后,其证书授权会颁发给node节点'
[[email protected] k8s]# cd kubeconfig/
[[email protected] kubeconfig]# vim kubeconfig		'//注意该脚本没有加.sh,因为内容中会有冲突'

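# kubeconfig — build bootstrap.kubeconfig (kubelet TLS bootstrap) and
# kube-proxy.kubeconfig in the current directory. Deliberately has no ".sh"
# suffix (see the page); it is sourced with two arguments.
#
# Arguments:
#   $1  APISERVER        master IP; clients use https://APISERVER:6443
#   $2  SSL_DIR          directory holding ca.pem, kube-proxy.pem and
#                        kube-proxy-key.pem
#   $3  BOOTSTRAP_TOKEN  optional. Defaults to the first field of
#                        /opt/kubernetes/cfg/token.csv — the file the apiserver
#                        was started with (--token-auth-file) — so the two
#                        cannot drift apart. The original hard-coded a token
#                        that differs from the one generated into token.csv
#                        earlier on this page; a mismatch makes every kubelet
#                        bootstrap fail with 401 Unauthorized.
# Both output files hold secrets (the bootstrap token; kube-proxy's private
# key, embedded by --embed-certs=true). Keep them mode 0600 and copy them to
# the nodes only over an authenticated channel (the page uses scp).
# Uses "return" when sourced and "exit" when executed.

if [[ $# -lt 2 || -z $1 || -z $2 ]]; then
  printf 'usage: kubeconfig APISERVER SSL_DIR [BOOTSTRAP_TOKEN]\n' >&2
  return 1 2>/dev/null || exit 1
fi

APISERVER=$1
SSL_DIR=$2
TOKEN_FILE=/opt/kubernetes/cfg/token.csv

# Fail early on a missing input instead of producing half-filled kubeconfigs.
for f in "$SSL_DIR/ca.pem" "$SSL_DIR/kube-proxy.pem" "$SSL_DIR/kube-proxy-key.pem"; do
  if [[ ! -r $f ]]; then
    printf 'kubeconfig: cannot read %s\n' "$f" >&2
    return 1 2>/dev/null || exit 1
  fi
done

if [[ -n ${3:-} ]]; then
  BOOTSTRAP_TOKEN=$3
elif [[ -r $TOKEN_FILE ]]; then
  # token.csv layout: token,user,uid,"group"
  BOOTSTRAP_TOKEN=$(head -n 1 -- "$TOKEN_FILE" | cut -d, -f1)
else
  BOOTSTRAP_TOKEN=
fi
if [[ -z $BOOTSTRAP_TOKEN ]]; then
  printf 'kubeconfig: no bootstrap token: pass it as the 3rd argument or create %s\n' "$TOKEN_FILE" >&2
  return 1 2>/dev/null || exit 1
fi

# Kubelet bootstrapping kubeconfig — always the secure port.
export KUBE_APISERVER="https://$APISERVER:6443"

# Cluster entry. --embed-certs=true copies ca.pem into the kubeconfig, so the
# nodes need no separate CA file; the kubelet verifies the apiserver with it
# before presenting the token. (Every "\" must be the last character of its
# line — the original listing's annotations after "\" split the command.)
kubectl config set-cluster kubernetes \
  --certificate-authority="$SSL_DIR/ca.pem" \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig

# Client credentials: the bootstrap token identifies the kubelet-bootstrap
# user from token.csv, which the page later binds to system:node-bootstrapper
# so that it may submit a CSR.
kubectl config set-credentials kubelet-bootstrap \
  --token="$BOOTSTRAP_TOKEN" \
  --kubeconfig=bootstrap.kubeconfig

# Context, then make it the default.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------

# kube-proxy kubeconfig: same cluster entry, but authenticated with the
# kube-proxy client certificate (CN system:kube-proxy) instead of a token.

kubectl config set-cluster kubernetes \
  --certificate-authority="$SSL_DIR/ca.pem" \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate="$SSL_DIR/kube-proxy.pem" \
  --client-key="$SSL_DIR/kube-proxy-key.pem" \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig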


[[email protected] kubeconfig]# vim /etc/profile
'//在末行插入以下全局变量,便于使用kubectl管理命令'
export PATH=$PATH:/opt/kubernetes/bin/
 
[[email protected] kubeconfig]# source /etc/profile		'//使其生效'
[[email protected] kubeconfig]# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok                   
scheduler            Healthy   ok                   
etcd-0               Healthy   {"health": "true"}   
etcd-2               Healthy   {"health": "true"}   
etcd-1               Healthy   {"health": "true"}
[[email protected] kubeconfig]# . kubeconfig 192.168.126.11 /root/k8s/k8s-cert/
'//执行该脚本,指定本机IP与存放证书目录'
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[[email protected] kubeconfig]# ls		'//生成2个新文件'
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig

③拷贝配置文件至 node 节点并创建 bootstrap 角色用于连接 apiserver

'//拷贝配置文件至node节点'
[[email protected] kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
[email protected]'s password: 
bootstrap.kubeconfig                      100% 2168     1.4MB/s   00:00    
kube-proxy.kubeconfig                     100% 6274     3.6MB/s   00:00    
[[email protected] kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
[email protected]'s password: 
bootstrap.kubeconfig                      100% 2168   509.3KB/s   00:00    
kube-proxy.kubeconfig                     100% 6274     5.4MB/s   00:00    

'//创建bootstrap角色赋予权限用于连接apiserver请求签名'
'clusterrole为集群角色,绑定至bootstrapper,kubelet以node身份连接K8S'
[[email protected] kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

④启动 kubelet

----node----
[[email protected] ~]# vim kubelet.sh		'//撰写一个kubelet启动脚本'

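#!/bin/bash
# kubelet.sh — write the kubelet options file, its KubeletConfiguration and
# systemd unit, then (re)start the service (node side).
#
# Arguments:
#   $1  NODE_ADDRESS   this node's IP; used as the node name
#                      (--hostname-override) and as the kubelet listen address
#   $2  DNS_SERVER_IP  cluster DNS address handed to pods; default 10.0.0.2
# Reads:  /opt/kubernetes/cfg/bootstrap.kubeconfig (copied from the master)
# Writes: /opt/kubernetes/cfg/kubelet, /opt/kubernetes/cfg/kubelet.config,
#         /usr/lib/systemd/system/kubelet.service
# Sourced on the page (". kubelet.sh 192.168.126.13"), hence return-or-exit.

if [[ $# -lt 1 || -z $1 ]]; then
  printf 'usage: kubelet.sh NODE_ADDRESS [DNS_SERVER_IP]\n' >&2
  return 1 2>/dev/null || exit 1
fi

NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}

# Options file. On the first start kubelet.kubeconfig does not exist yet: the
# kubelet uses --bootstrap-kubeconfig (the token) to submit a CSR, and once
# the master approves it writes its own client cert under --cert-dir and
# creates kubelet.kubeconfig. --pod-infra-container-image is the "pause"
# container every pod is built around, pulled from the registry named here.
# "\\" in the heredoc becomes the "\" systemd needs to join the lines; keep
# every "\" as the last character of its line. The original listing had an
# annotation line inside this heredoc, which ended up in the options file.
cat <<EOF >/opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

EOF

# KubeletConfiguration (YAML, loaded through --config). Two settings here are
# security-relevant and are left as the page has them:
#  - readOnlyPort: 10255 serves pod and node details with no authentication;
#    set it to 0, or firewall it, on any network that other hosts can reach.
#  - authentication.anonymous.enabled: true lets unauthenticated callers reach
#    port 10250 as system:anonymous, presumably because the apiserver on this
#    page presents no client certificate to the kubelet. What that user may
#    do is then decided by the kubelet's authorization mode, not set here.
# cgroupDriver must match the driver Docker uses on this node (cgroupfs here).
cat <<EOF >/opt/kubernetes/cfg/kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP} 
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF

# systemd unit; the kubelet needs Docker up first.
cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet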


[[email protected] ~]# . kubelet.sh 192.168.126.13		'//启动脚本,此时kubelet处于待授权状态'
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[[email protected] ~]# ps aux|grep kube
'//检查kubelet服务进程是否启动'

⑤master 节点同意 node01 节点请求

----master----
[[email protected] kubeconfig]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU   82s   kubelet-bootstrap   Pending
'//检测到node01节点请求,等待集群给该节点颁发证书'
[[email protected] kubeconfig]# kubectl certificate approve node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU
'//修改资源,同意一个自签证书请求'
[[email protected] kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU   4h58m   kubelet-bootstrap   Approved,Issued
'//Approved,Issued表示为已经被正式允许加入群集'
'//本人这里遇到过坑,全部服务正常启动,配置也没问题,但就是没Issued出来,后来重启主机再重新开启一遍服务就好了,坑的一笔'

[[email protected] kubeconfig]# kubectl get node
NAME             STATUS   ROLES    AGE   VERSION
192.168.126.13   Ready    <none>   10m   v1.12.3
'//查看集群节点,已成功加入node01节点'

⑥node01 启动 proxy

----node01----
'//再撰写一个启动proxy的脚本'
[[email protected] ~]# vim proxy.sh

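#!/bin/bash
# proxy.sh — write the kube-proxy options file and systemd unit, then
# (re)start the service (node side).
#
# Arguments:
#   $1  NODE_ADDRESS  this node's IP, used as --hostname-override; it must
#                     match the node name the kubelet registered with
# Reads:  /opt/kubernetes/cfg/kube-proxy.kubeconfig (copied from the master)
# Writes: /opt/kubernetes/cfg/kube-proxy,
#         /usr/lib/systemd/system/kube-proxy.service
# Sourced on the page (". proxy.sh 192.168.126.13"), hence return-or-exit.

if [[ $# -lt 1 || -z $1 ]]; then
  printf 'usage: proxy.sh NODE_ADDRESS\n' >&2
  return 1 2>/dev/null || exit 1
fi

NODE_ADDRESS=$1

# --proxy-mode=ipvs: L4 load balancing through the kernel's IPVS tables. It
# needs the ip_vs kernel modules and ipset available; nothing on this page
# loads them, and kube-proxy falls back to iptables mode when IPVS is not
# usable — check its log after the start.
# NOTE(review): --cluster-cidr is documented as the pod network CIDR, but
# 10.0.0.0/24 is the service range the apiserver on this page uses — confirm
# against the flannel subnet configured in part two.
# "\\" in the heredoc becomes the "\" systemd needs to join the lines; keep
# every "\" as the last character of its line (the original listing's
# annotation after --proxy-mode broke the continuation).
cat <<EOF >/opt/kubernetes/cfg/kube-proxy

KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy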


[[email protected] ~]# . proxy.sh 192.168.126.13		'//指定node(自身)IP'
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[[email protected] ~]# systemctl status kube-proxy.service 
'//kube-proxy已正常启动'

⑦node02

----node02----
'//node01直接将配置好的K8S工作目录复制到node02节点即可,后续再做修改'
[[email protected] ~]# scp -r /opt/kubernetes/ [email protected]:/opt/
The authenticity of host '192.168.126.14 (192.168.126.14)' can't be established.
ECDSA key fingerprint is SHA256:KYwbK4GjzV61NspNK1g9iQSSXL38RbX51ghM9FysXgA.
ECDSA key fingerprint is MD5:19:e6:2c:12:57:e4:0c:d2:68:c9:ad:21:4a:1a:c9:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.126.14' (ECDSA) to the list of known hosts.
[email protected]'s password: 
flanneld                                    100%  238   306.3KB/s   00:00    
kubelet                                     100%  378   157.2KB/s   00:00    
kubelet.config                              100%  268   493.5KB/s   00:00    
bootstrap.kubeconfig                        100% 2168     3.9MB/s   00:00    
kube-proxy.kubeconfig                       100% 6274    11.9MB/s   00:00    
kubelet.kubeconfig                          100% 2297     4.8MB/s   00:00    
kube-proxy                                  100%  190   327.9KB/s   00:00    
mk-docker-opts.sh                           100% 2139     2.4MB/s   00:00    
flanneld                                    100%   37MB  86.8MB/s   00:00    
kubelet                                     100%  168MB  98.3MB/s   00:01    
kube-proxy                                  100%   48MB 105.4MB/s   00:00    
kubelet.crt                                 100% 2193     2.8MB/s   00:00    
kubelet.key                                 100% 1679     1.4MB/s   00:00    
kubelet-client-2021-04-14-21-32-44.pem      100% 1277   959.9KB/s   00:00    
kubelet-client-current.pem                  100% 1277     1.2MB/s   00:00    

'//将kubelet、kube-proxy的service文件拷贝至node02'
[[email protected] ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service [email protected]:/usr/lib/systemd/system/
[email protected]'s password: 
kubelet.service                             100%  264   456.2KB/s   00:00    
kube-proxy.service                          100%  231   167.4KB/s   00:00   

'//开始进行修改'
'//首先修改复制过来的node01的证书,等会node02会自行申请证书'
[[email protected] cfg]# vim kubelet

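# /opt/kubernetes/cfg/kubelet on node02 — node01's file with only
# --hostname-override changed to this node's IP. Every "\" must be the last
# character of its line: the annotation the original listing placed after
# the changed line broke the continuation and truncated KUBELET_OPTS.
# NOTE(review): the scp above also brought node01's kubelet.kubeconfig and
# ssl/kubelet*.pem; each node should bootstrap its own identity, so those
# should be removed before the first start here — the separate CSR node02
# submits later on the page suggests that was done.
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.126.14 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"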

[[email protected] cfg]# vim kubelet.config 

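# /opt/kubernetes/cfg/kubelet.config on node02 — node01's file with
# "address" changed. Text appended after the address (as in the original
# listing) becomes part of the YAML scalar and the kubelet cannot bind it.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.126.14
port: 10250
# readOnlyPort serves pod and node details with no authentication; set it to
# 0, or firewall 10255, on any network that other hosts can reach.
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
# Anonymous access is enabled, presumably because the apiserver on this page
# presents no client certificate to the kubelet; with it on, any caller that
# reaches 10250 is the system:anonymous user, limited only by the kubelet's
# authorization mode (not set here, so the default applies).
authentication:
  anonymous:
    enabled: true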

[[email protected] cfg]# vim kube-proxy

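# /opt/kubernetes/cfg/kube-proxy on node02 — node01's file with only
# --hostname-override changed to this node's IP. Every "\" must be the last
# character of its line: the annotation the original listing placed after
# the changed line broke the continuation and truncated KUBE_PROXY_OPTS.
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.126.14 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"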

[[email protected] cfg]# systemctl daemon-reload
[[email protected] cfg]# systemctl start kubelet.service
[[email protected] cfg]# systemctl enable kubelet.service
[[email protected] cfg]# systemctl status kubelet.service 
[[email protected] cfg]# systemctl start kube-proxy.service && systemctl enable kube-proxy.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.


'//回到master,查看node02的kubelet请求'
[[email protected] kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU   5h36m   kubelet-bootstrap   Approved,Issued
node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU   82m     kubelet-bootstrap   Pending
[[email protected] k8s]# kubectl certificate approve node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU
'//授权许可加入群集'
[[email protected] kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU   5h37m   kubelet-bootstrap   Approved,Issued
node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU   83m     kubelet-bootstrap   Approved,Issued
[[email protected] kubeconfig]# kubectl get node
NAME             STATUS   ROLES    AGE   VERSION
192.168.126.13   Ready    <none>   47m   v1.12.3
192.168.126.14   Ready    <none>   47m   v1.12.3