kubernetes-minion installation

Installing kubelet

When kubelet starts, it sends a TLS bootstrapping request to kube-apiserver. The kubelet-bootstrap user from the bootstrap token file must first be bound to the system:node-bootstrapper cluster role; only then does kubelet have permission to create certificate signing requests (CSRs).

cd /etc/kubernetes
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
  • --user=kubelet-bootstrap is the user name specified in /etc/kubernetes/token.csv; the same name is also written into /etc/kubernetes/bootstrap.kubeconfig

  • Copy the kubelet and kube-proxy binaries from the master to each node with scp

scp server/bin/{kube-proxy,kubelet} root@x.x.x.x:/usr/local/bin/

  • Create the kubelet service unit file
  • File location: /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/local/bin/kubelet \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBELET_API_SERVER \
        $KUBELET_ADDRESS \
        $KUBELET_PORT \
        $KUBELET_HOSTNAME \
        $KUBE_ALLOW_PRIV \
        $KUBELET_POD_INFRA_CONTAINER \
        $KUBELET_ARGS
Restart=on-failure

[Install]
WantedBy=multi-user.target

The kubelet configuration file is /etc/kubernetes/kubelet. Change the IP addresses in it to the IP address of each node.

*Note*: before starting kubelet, the /var/lib/kubelet directory (the unit's WorkingDirectory) must be created by hand.

  • Create /etc/kubernetes/kubelet
###
## kubernetes kubelet (minion) config
#
## The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=120.27.70.6"
#
## The port for the info server to serve on
#KUBELET_PORT="--port=10250"
#
## You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=110.27.70.6"
#
## location of the api-server
## COMMENT THIS ON KUBERNETES 1.8+
# KUBELET_API_SERVER="--api-servers=http://110.168.157.198:8080"
#
## pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
#
## Add your own!
KUBELET_ARGS="--cgroup-driver=systemd --cluster-dns=10.254.0.2 --resolv-conf=/etc/resolv.conf --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"

As of version 1.8.7 the KUBELET_API_SERVER parameter is deprecated; use --kubeconfig instead.

  • Start kubelet
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
  • The /etc/kubernetes/config file from the master also has to be copied to the slave servers; in the slave's copy of config, the KUBE_SERVER setting must be commented out

  • Approve the kubelet's TLS certificate request

  • When kubelet starts for the first time it sends a certificate signing request to kube-apiserver; only after that request is approved will kubernetes add the Node to the cluster

kubectl get csr
kubectl certificate approve <csr-name>
kubectl get nodes
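Rather than approving whatever `kubectl get csr` lists, an operator can check who requested each CSR and which subject it asks for before approving it. The script below is an added example, not part of this guide; it assumes kubectl (configured for the master) and openssl are on PATH, that the bootstrap user name is the kubelet-bootstrap entry from token.csv, and that a kubelet client certificate carries CN=system:node:<name> in group O=system:nodes.

```shell
#!/bin/sh
# Added example, not part of the original guide: approve only the pending CSRs
# that look like a genuine kubelet bootstrap request, instead of approving
# every <csr-name> blindly. Assumes kubectl (pointed at the master) and
# openssl are on PATH; kubelet-bootstrap is the user name from token.csv.

# Policy: is this CSR an expected node bootstrap request?
# $1 = requester (spec.username), $2 = subject CN, $3 = subject O
# Returns 0 to approve, 1 to leave it pending for a human to review.
csr_should_approve() {
    requester=$1; cn=$2; org=$3
    # Only the bootstrap user bound to system:node-bootstrapper may request.
    [ "$requester" = "kubelet-bootstrap" ] || return 1
    # A kubelet client cert is CN=system:node:<name> in group O=system:nodes;
    # anything else (CN=admin, an empty CN, another group) is not a kubelet.
    [ "$org" = "system:nodes" ] || return 1
    case "$cn" in
        system:node:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decode the base64 PEM CSR from spec.request and print "<CN> <O>".
# Handles both "O = x, CN = y" and "/O=x/CN=y" openssl subject formats.
csr_subject_fields() {
    subj=$(printf '%s' "$1" | base64 -d 2>/dev/null | openssl req -noout -subject 2>/dev/null)
    cn=$(printf '%s' "$subj" | sed -n 's|.*[=/, ]CN *= *\([^,/]*\).*|\1|p')
    org=$(printf '%s' "$subj" | sed -n 's|.*[=/, ]O *= *\([^,/]*\).*|\1|p')
    printf '%s %s\n' "$cn" "$org"
}

# List every CSR as "name requester request conditions", skip the ones that
# already carry a condition, approve those that pass the policy, report the rest.
approve_node_csrs() {
    kubectl get csr -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.username}{" "}{.spec.request}{" "}{.status.conditions[*].type}{"\n"}{end}' |
    while read -r name user req cond; do
        [ -z "$cond" ] || continue            # already Approved or Denied
        set -- $(csr_subject_fields "$req")   # $1 = CN, $2 = O
        if csr_should_approve "$user" "${1:-}" "${2:-}"; then
            kubectl certificate approve "$name"
        else
            echo "skipping $name (requester=$user CN=${1:-} O=${2:-}): review by hand" >&2
        fi
    done
}

# Run the sweep only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then approve_node_csrs; fi
```

Anything the policy skips stays Pending and is printed on stderr, so an unexpected requester or subject is visible instead of silently becoming a node.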
  • kubelet startup problems
  • After kubelet had started successfully, I ran `kubectl get csr` on the master and approved the CSR, but listing the nodes in the cluster still returned no resources.
  • It later turned out that docker was using its default cgroup driver rather than systemd; because kubelet was configured with systemd, starting kubelet failed.

Configuring kube-proxy

  • Install conntrack

conntrack-tools is the software used to inspect the connection-tracking (stateful packet) data of iptables

yum install -y conntrack-tools

  • Create the kube-proxy service unit file

    File path: /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/local/bin/kube-proxy \
    $KUBE_LOGTOSTDERR \
    $KUBE_LOG_LEVEL \
    $KUBE_MASTER \
    $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
  • kube-proxy configuration file /etc/kubernetes/proxy
###
# kubernetes proxy config
# default config should be adequate
# Add your own!
KUBE_PROXY_ARGS="--bind-address=110.217.70.6 --hostname-override=10.227.70.6 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.254.0.0/16"
  • The value of --hostname-override must match the one used by kubelet; otherwise kube-proxy will not find the Node after it starts and will not create any iptables rules;

  • kube-proxy uses --cluster-cidr to tell cluster-internal traffic from external traffic; only when --cluster-cidr or --masquerade-all is specified does kube-proxy SNAT requests to Service IPs;

  • The file given by --kubeconfig embeds the kube-apiserver address, user name, certificate, private key and the other request and authentication information;

  • The predefined RoleBinding cluster-admin binds User system:kube-proxy to Role system:node-proxier; that Role grants permission to call the kube-apiserver Proxy-related APIs

  • Start kube-proxy

systemctl daemon-reload
systemctl enable kube-proxy
systemctl start kube-proxy
systemctl status kube-proxy
