Highly available Kubernetes cluster-10. Deploy kube-proxy

 twelve. Deploy kube-proxy

1.  Create a kube-proxy certificate

1) Create a kube-proxy certificate signing request

# kube-proxy extracts the CN as the client user name, i.e. system:kube-proxy. The RBAC ClusterRoleBinding system:node-proxier predefined by kube-apiserver binds the user system:kube-proxy to the ClusterRole system:node-proxier, which grants permission to call the proxy-related kube-apiserver APIs; 
# The hosts list is empty: this is a client certificate (not a serving certificate), so no SANs are needed 
[root@kubenode1 ~] # mkdir -p /etc/kubernetes/proxy 
[root@kubenode1 ~] # cd /etc/kubernetes/proxy 
[root@kubenode1 proxy] # touch proxy-csr.json 
[root@kubenode1 proxy] # vim proxy-csr.json 
{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ChengDu",
            "L": "ChengDu",
            "O": "system:kube-proxy",
            "OU": "cloudteam"
        }
    ]
}

2) Generate kube-proxy certificate and private key

[root@kubenode1 proxy]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes proxy-csr.json | cfssljson -bare proxy

# Distribute proxy.pem and proxy-key.pem to the other nodes
[root@kubenode1 proxy]# scp proxy*.pem [email protected]:/etc/kubernetes/proxy/
[root@kubenode1 proxy]# scp proxy*.pem [email protected]:/etc/kubernetes/proxy/

2.  Create the kube-proxy kubeconfig file

# Configure cluster parameters; # --server: specify the api-server; once HA is in place, use the VIP; # the cluster name is user-defined and must be used consistently afterwards; 
# --kubeconfig: specify the kubeconfig file path and name; if not set, the file is generated by default at ~/.kube/config 
[root@kubenode1 proxy] # kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://172.30.200.10:6443 \
  --kubeconfig=proxy.kubeconfig


# Configure client authentication parameters; # the authentication user is the CN of the certificate created above, "system:kube-proxy"; # specify the corresponding client certificate and private key 
[root@kubenode1 proxy] # kubectl config set-credentials system:kube-proxy \
  --client-certificate=/etc/kubernetes/proxy/proxy.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/proxy/proxy-key.pem \
  --kubeconfig=proxy.kubeconfig

#Configure context parameters 
[root@kubenode1 proxy] # kubectl config set-context system:kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=system:kube-proxy \
  --kubeconfig=proxy.kubeconfig

#Configure default context 
[root@kubenode1 proxy] # kubectl config use-context system:kube-proxy@kubernetes --kubeconfig=proxy.kubeconfig

# Distribute the proxy.kubeconfig file to all nodes; because --embed-certs=true was used, the file contains the client private key, so treat it as a secret and keep its permissions restricted; 
[root@kubenode1 proxy] # scp proxy.kubeconfig [email protected]:/etc/kubernetes/proxy/ 
[root@kubenode1 proxy] # scp proxy.kubeconfig [email protected]. 200.23: /etc/kubernetes/proxy/

3.  Configure the systemd unit file of kube-proxy

The relevant executables are already deployed when kubectl is deployed.

# Optionally, an ExecStartPost line can open TCP port 4194 in iptables to prepare for cAdvisor 
[root@kubenode1 ~] # touch /usr/lib/systemd/system/kube-proxy.service 
[root@kubenode1 ~] # vim /usr/lib/systemd/system/kube-proxy.service 
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
EnvironmentFile=/usr/local/kubernetes/kube-proxy.conf
ExecStart=/usr/local/kubernetes/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target


#Create workspace directory 
[root@kubenode1 ~] # mkdir -p /var/lib/kube-proxy


# Configure the startup parameter file; # --bind-address: the host IP to bind to; the default "0.0.0.0" means all network interfaces; 
# --hostname-override: the name of this node in the cluster, defaulting to the host's hostname; if kubelet sets this parameter, kube-proxy must set it to the same value 
[root@kubenode1 ~] # touch /usr/local/kubernetes/kube-proxy.conf 
[root@kubenode1 ~] # vim /usr/local/kubernetes/kube-proxy.conf 
KUBE_PROXY_ARGS="--bind-address=172.30.200.21 \
  --hostname-override=172.30.200.21 \
  --cluster-cidr=169.169.0.0/16 \
  --kubeconfig=/etc/kubernetes/proxy/proxy.kubeconfig \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes/proxy \
  --v=2"

#Create log directory 
[root@kubenode1 ~] # mkdir -p /var/log/kubernetes/proxy

4.  Start and verify

[root@kubenode1 ~]# systemctl daemon-reload
[root@kubenode1 ~]# systemctl enable kube-proxy
[root@kubenode1 ~]# systemctl start kube-proxy
[root@kubenode1 ~]# systemctl status kube-proxy
