k8s集羣部署v1.15實踐12:work節點部署kube-proxy

原創 am2012 2020-05-31 00:39
work節點部署kube-proxy

注:二進制文件前面已經下載分發好

1.創建kube-proxy證書和密鑰

創建簽名請求

[root@k8s-node1 kube-proxy]# cat kube-proxy-csr.json 
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "SZ",
"L": "SZ",
"O": "k8s",
"OU": "4Paradigm"
}
]
}
[root@k8s-node1 kube-proxy]#

CN:指定該證書的 User 爲 system:kube-proxy .預定義的 RoleBinding system:node-proxier 將User system:kube-proxy 與Role system:node-proxier 綁定,該 Role 授予了調用 kube-apiserverProxy 相關 API 的權限.該證書只會被 kube-proxy 當做 client 證書使用,所以 hosts 字段爲空.

生成證書和密鑰

[root@k8s-node1 kube-proxy]#  cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/11/05 21:03:03 [INFO] generate received request
2019/11/05 21:03:03 [INFO] received CSR
2019/11/05 21:03:03 [INFO] generating key: rsa-2048
2019/11/05 21:03:04 [INFO] encoded CSR
2019/11/05 21:03:04 [INFO] signed certificate with serial number 257083627823849004077905552203274968448941860993
2019/11/05 21:03:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-node1 kube-proxy]# ls
kube-proxy.csr  kube-proxy-csr.json  kube-proxy-key.pem  kube-proxy.pem
[root@k8s-node1 kube-proxy]#

2.創建和分發kubeconfig文件

創建kubeconfig文件

[root@k8s-node1 kube-proxy]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.174.127:8443 --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@k8s-node1 kube-proxy]# kubectl config set-credentials kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.
[root@k8s-node1 kube-proxy]# kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@k8s-node1 kube-proxy]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".
[root@k8s-node1 kube-proxy]# ls |grep config
kube-proxy.kubeconfig
[root@k8s-node1 kube-proxy]#

分發kubeconfig文件

[root@k8s-node1 kube-proxy]# cp kube-proxy.kubeconfig /etc/kubernetes/
[root@k8s-node1 kube-proxy]# scp kube-proxy.kubeconfig root@k8s-node2:/etc/kubernetes/
kube-proxy.kubeconfig                                                                                        100% 6219     5.4MB/s   00:00    
[root@k8s-node1 kube-proxy]# scp kube-proxy.kubeconfig root@k8s-node3:/etc/kubernetes/
kube-proxy.kubeconfig

3.創建kube-proxy config文件

模板

[root@k8s-node1 kube-proxy]# cat kube-proxy.config.yaml.template 
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: ##NODE_IP##
clientConnection:
kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
clusterCIDR: ${CLUSTER_CIDR}
healthzBindAddress: ##NODE_IP##:10256
hostnameOverride: ##NODE_NAME##
kind: KubeProxyConfiguration
metricsBindAddress: ##NODE_IP##:10249
mode: "ipvs"
[root@k8s-node1 kube-proxy]#

bindAddress:監聽地址.

clientConnection.kubeconfig:連接 apiserver 的 kubeconfig 文件.

clusterCIDR:kube-proxy 根據 --cluster-cidr 判斷集羣內部和外部流量,指定 --cluster-cidr 或 --masquerade-all 選項後 kube-proxy 纔會對訪問Service IP 的請求做 SNAT.

hostnameOverride : 參數值必須與 kubelet 的值一致,否則 kube-proxy 啓動後會找不到該 Node,從而不會創建任何 ipvs 規則.

mode:使用 ipvs 模式.

修改變量

[root@k8s-node1 kube-proxy]# echo ${CLUSTER_CIDR}
172.30.0.0/16
[root@k8s-node1 kube-proxy]# cat kube-proxy.config.yaml.template 
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: ##NODE_IP##
clientConnection:
kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
clusterCIDR: 172.30.0.0/16
healthzBindAddress: ##NODE_IP##:10256
hostnameOverride: ##NODE_NAME##
kind: KubeProxyConfiguration
metricsBindAddress: ##NODE_IP##:10249
mode: "ipvs"
[root@k8s-node1 kube-proxy]#

分發

[root@k8s-node1 kube-proxy]# cp kube-proxy.config.yaml.template /etc/kubernetes/kube-proxy.config.yaml
[root@k8s-node1 kube-proxy]# scp kube-proxy.config.yaml.template root@k8s-node2:/etc/kubernetes/kube-proxy.config.yaml
kube-proxy.config.yaml.template                                                                              100%  315   283.0KB/s   00:00    
[root@k8s-node1 kube-proxy]# scp kube-proxy.config.yaml.template root@k8s-node3:/etc/kubernetes/kube-proxy.config.yaml
kube-proxy.config.yaml.template                                                                              100%  315   326.6KB/s   00:00    
[root@k8s-node1 kube-proxy]#

修改NODE_IP和NODE_NAME,所有節點的都根據節點的ip和hostname修改.

sed -i -e 's/##NODE_IP##/192\.168\.174\.128/g'  -e 's/##NODE_NAME##/k8s\-node1/g' /etc/kubernetes/kube-proxy.config.yaml

創建和分發kube-proxy systemd unit 文件

[root@k8s-node1 kube-proxy]# cat kube-proxy.service 
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/opt/k8s/bin/kube-proxy \
  --config=/etc/kubernetes/kube-proxy.config.yaml \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes \
  --v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

手動創建目錄WorkingDirectory=/var/lib/kube-proxy

[root@k8s-node1 kube-proxy]# mkdir -p /var/lib/kube-proxy
[root@k8s-node1 kube-proxy]# ssh root@k8s-node2 "mkdir -p /var/lib/kube-proxy"
[root@k8s-node1 kube-proxy]# ssh root@k8s-node3 "mkdir -p /var/lib/kube-proxy"

分發文件

[root@k8s-node1 kube-proxy]# cp kube-proxy.service /etc/systemd/system
[root@k8s-node1 kube-proxy]# scp kube-proxy.service root@k8s-node2:/etc/systemd/system
kube-proxy.service                                                                                           100%  450   525.1KB/s   00:00    
[root@k8s-node1 kube-proxy]# scp kube-proxy.service root@k8s-node3:/etc/systemd/system
kube-proxy.service

加上執行權限

chmod +x -R /etc/systemd/system

4.啓動服務

systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy

啓動報錯

[root@k8s-node1 kubernetes]# cat kube-proxy.ERROR 
Log file created at: 2019/11/05 21:56:48
Running on machine: k8s-node1
Binary: Built with gc go1.12.10 for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
F1105 21:56:48.913044   30996 server.go:449] unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined

文件格式問題,注意參考格式見下

[root@k8s-master1 kubernetes]# cat /etc/kubernetes/kube-proxy.config.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.211.128
clientConnection:
  kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig  
clusterCIDR: 172.30.0.0/16
healthzBindAddress: 192.168.211.128:10256
hostnameOverride: k8s-master1
kind: KubeProxyConfiguration
metricsBindAddress: 192.168.211.128:10249
mode: "ipvs"
[root@k8s-master1 kubernetes]#
kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig

注意這個前面的空格,沒有就會報上面的錯誤

再啓動,服務起來了

[root@k8s-node1 kubernetes]# systemctl status kube-proxy
● kube-proxy.service - Kubernetes Kube-Proxy Server
   Loaded: loaded (/etc/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-11-05 21:59:54 EST; 8s ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 32608 (kube-proxy)
    Tasks: 0
   Memory: 10.6M
   CGroup: /system.slice/kube-proxy.service
           ‣ 32608 /opt/k8s/bin/kube-proxy --config=/etc/kubernetes/kube-proxy.config.yaml --alsologtostderr=true --logtostderr=false --log-...

Nov 05 21:59:54 k8s-node1 kube-proxy[32608]: I1105 21:59:54.931228   32608 config.go:187] Starting service config controller
Nov 05 21:59:54 k8s-node1 kube-proxy[32608]: I1105 21:59:54.931248   32608 controller_utils.go:1029] Waiting for caches to sync for s...troller
Nov 05 21:59:54 k8s-node1 kube-proxy[32608]: I1105 21:59:54.931422   32608 config.go:96] Starting endpoints config controller
Nov 05 21:59:54 k8s-node1 kube-proxy[32608]: I1105 21:59:54.931431   32608 controller_utils.go:1029] Waiting for caches to sync for e...troller
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.032212   32608 controller_utils.go:1036] Caches are synced for endpoints ...troller
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.032320   32608 proxier.go:748] Not syncing ipvs rules until Services and ... master
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.032338   32608 controller_utils.go:1036] Caches are synced for service co...troller
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.032376   32608 service.go:332] Adding new service port "default/httpd-svc...:80/TCP
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.032393   32608 service.go:332] Adding new service port "default/kubernete...443/TCP
Nov 05 21:59:55 k8s-node1 kube-proxy[32608]: I1105 21:59:55.075261   32608 proxier.go:1797] Opened local port "nodePort for default/h...36/tcp)
Hint: Some lines were ellipsized, use -l to show in full.
[root@k8s-node1 kubernetes]#
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

電腦宕機後恢復K8s Pod啓動

1. 先開機看看集羣狀態是不是正常的 kubectl get cs 2. 看看pod狀態: kubectl -n xxx get pod 3. 進到nfs目錄內modeling mariab的文件夾 /dockerdata-nfs 4

liuskyter 2020-07-08 11:16:26

k8s(二)

佔位

6moji6 2020-07-08 10:26:30

利用 kubeadm 簡單搭建k8s(已更新爲V1.13.0版本)

1. 基本系統環境 1.1 系統內核 查看當前系統內核(我這裏是5.0.5-1.el7.elrepo.x86_64): uname -a 版本必須大於等於3.10,否則需要升級內核: # ELRepo 倉庫(可以先看一下 /et

jacksonary 2020-07-08 10:04:33

3.2 控制器——副本控制器(ReplicationController)

3.2 副本控制器(ReplicationController)  ReplicationController(在kubectl命令中經常縮寫爲rc或rcs)是實際確保特定數量的Pod副本在任意時刻的運行。如果Pod副本超過指定數

jacksonary 2020-07-08 10:04:33

3.5 控制器——DaemonSet(守護線程集)

3.5 控制器——DaemonSet(守護線程集)  每個DaemonSet可以確保某些甚至全部節點運行一個Pod的副本,當node加入集羣時,Pod就會加入這些節點,同樣的,當節點從集羣中移除時,這些pods被垃圾回收。刪除一個

jacksonary 2020-07-08 10:04:33

3.3 控制器——Deployments(部署)

3.3 Deployments(部署)  Deployments控制器(Deployment controller,Deployment應該也是控制器的一種吧)提供了Pod和ReplicaSets的聲明式更新。在Deploymen

jacksonary 2020-07-08 10:04:33

3.1 控制器——ReplicaSet

3. 控制器(Controller) 3.1 副本集(ReplicaSet) 定義:副本集(ReplicaSet)的目的是爲了保證一組穩定的Pod副本在任意給定時刻都在運行。因此,它通常用於保證特定數量的相同Pod的可用性。  副

jacksonary 2020-07-08 10:04:33

centos7搭建kubernetes v1.17.1集羣

機器 hostname 10.211.55.64 k8sMaster 10.211.55.65 k8sNode1 10.211.55.66 k8sNode2 所有機器執行以下操作 (1-13) 配置y

夜幕.思年华 2020-07-08 06:16:44

雲原生Tekton之觸發器Trigger

背景 前面的文章講了tekton中pipeline的教程和使用案例,大家有沒有想過,每次都要運行taskrun或者pipelineRun才能真正運行流水線。那怎麼做到自動化執行taskrun和pipelineRun呢?我想了下有

云原生手记 2020-07-08 03:27:17

kubernetes -- 結點調度控制的幾種方式

簡介 調度器通過 kubernetes 的 watch 機制來發現集羣中新創建且尚未被調度到 Node上的 Pod。調度器會將發現的每一個未調度的 Pod 調度到一個合適的 Node 上來運行。 kube-scheduler 是

生命热力٩( 'ω' )و 2020-07-08 02:17:36

k8s創建資源的兩種方式、訪問pod

創建資源 1.用kubectl命令直接創建,   #kubectl run httpd-app --image=reg.yunwei.edu/learn/httpd:latest --replicas=2 在命令行中通過參數指定資源的

PpikachuP 2020-07-08 01:52:27

O-RAN notes(3)---Bronze SMO deployment (2)

(continued) Most of the problems are related to 'docker pull'. Before you execute the install script(./dep/smo/bin/inst

zhenggao2 2020-07-07 23:48:07

centos安裝k8s集羣

一、集羣方式 機器配置:centos 4.4內核以上,cpu大於1核 1.主機配置 配置 規格 內存配置 2G CPU配置 2核 系統版本 Centos7.7 kubelet版本 1.5.1 do

意林飞笑 2020-07-07 18:12:18

kubernetes存儲 -- Volumes管理(三)StatefulSet控制器、StatefulSet部署mysql主從集羣

StatefulSet控制器 StatefulSet可以通過Headless Service維持Pod的拓撲狀態. StatefulSet將應用狀態抽象成了兩種情況: 拓撲狀態:應用實例必須按照某種順序啓動。新創建的Pod必須

生命热力٩( 'ω' )و 2020-07-07 02:59:20

使用kubeadm安裝kubenetes1.17.3

我們使用centos7的系統,內核升級到5.5.4,爲什麼使用升級後的內核,這是因爲centos7.4的內核是3.10,在docker運行時,有內核bug,導致運行緩慢,出現一堆錯誤異常,可以查閱我另外一個博客文章。 一、安裝前的準備工作

Blue_Tear 2020-07-07 01:26:46