12. Deploy kube-proxy
1. Create a kube-proxy certificate
1) Create a kube-proxy certificate signing request
# kube-proxy extracts the CN as the client's user name, i.e. system:kube-proxy. The ClusterRoleBinding system:node-proxier predefined by kube-apiserver's RBAC binds the user system:kube-proxy to the ClusterRole system:node-proxier, which grants the node permission to call the proxy-related kube-apiserver APIs. # The hosts list is empty: this is a client certificate, so no server names or IPs need to be listed. [root@kubenode1 ~]# mkdir -p /etc/kubernetes/proxy [root@kubenode1 ~]# cd /etc/kubernetes/proxy/ [root@kubenode1 proxy]# touch proxy-csr.json [root@kubenode1 proxy]# vim proxy-csr.json { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "ChengDu", "L": "ChengDu", "O": "system:kube-proxy", "OU": "cloudteam" } ] }
2) Generate kube-proxy certificate and private key
[root@kubenode1 proxy]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/etc/kubernetes/ssl/ca-config.json \
  -profile=kubernetes proxy-csr.json | cfssljson -bare proxy
# Distribute proxy.pem and proxy-key.pem to the other nodes; proxy-key.pem is the client's private key, so keep it readable by root only (chmod 600) on every node. [root@kubenode1 proxy]# scp proxy*.pem [email protected]:/etc/kubernetes/proxy/ [root@kubenode1 proxy]# scp proxy*.pem [email protected]:/etc/kubernetes/proxy/
2. Create the kube-proxy kubeconfig file
# Configure cluster parameters; # --server: specify the api-server; after HA is set up, use the VIP; # the cluster name is user-defined and must be used consistently once chosen; # --kubeconfig: specify the kubeconfig file path and name; if not set, it is generated in ~/.kube/config by default. # Note: --embed-certs=true copies the certificates and the client private key into proxy.kubeconfig itself, so that file must be protected like the key. [root@kubenode1 proxy]# kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://172.30.200.10:6443 \ --kubeconfig=proxy.kubeconfig # Configure client authentication parameters; # the authenticated user is "system:kube-proxy", the CN signed in the previous step; # specify the matching client certificate and private key. [root@kubenode1 proxy]# kubectl config set-credentials system:kube-proxy \ --client-certificate=/etc/kubernetes/proxy/proxy.pem \ --embed-certs=true \ --client-key=/etc/kubernetes/proxy/proxy-key.pem \ --kubeconfig=proxy.kubeconfig # Configure context parameters [root@kubenode1 proxy]# kubectl config set-context system:kube-proxy@kubernetes \ --cluster=kubernetes \ --user=system:kube-proxy \ --kubeconfig=proxy.kubeconfig # Configure the default context [root@kubenode1 proxy]# kubectl config use-context system:kube-proxy@kubernetes --kubeconfig=proxy.kubeconfig
# Distribute the proxy.kubeconfig file to all nodes (it embeds the client private key, so keep it readable by root only on each node). [root@kubenode1 proxy]# scp proxy.kubeconfig [email protected]:/etc/kubernetes/proxy/ [root@kubenode1 proxy]# scp proxy.kubeconfig [email protected].200.23:/etc/kubernetes/proxy/
3. Configure the systemd unit file of kube-proxy
The required executables were already installed when kubectl was deployed.
# Optionally, an ExecStartPost line can add an iptables rule opening TCP port 4194 in preparation for cAdvisor; if you do, restrict the rule to trusted source addresses rather than opening the port to everyone. [root@kubenode1 ~]# touch /usr/lib/systemd/system/kube-proxy.service [root@kubenode1 ~]# vim /usr/lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Kube-Proxy Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] WorkingDirectory=/var/lib/kube-proxy EnvironmentFile=/usr/local/kubernetes/kube-proxy.conf ExecStart=/usr/local/kubernetes/bin/kube-proxy $KUBE_PROXY_ARGS Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target # Create the working directory [root@kubenode1 ~]# mkdir -p /var/lib/kube-proxy # Configure the startup parameter file; # --bind-address: the host IP address to bind; the default "0.0.0.0" means all network interfaces; # --hostname-override: the name of this node within the cluster; the host's hostname is used by default. If kubelet sets this parameter, kube-proxy must set it to the same value. [root@kubenode1 ~]# touch /usr/local/kubernetes/kube-proxy.conf [root@kubenode1 ~]# vim /usr/local/kubernetes/kube-proxy.conf KUBE_PROXY_ARGS="--bind-address=172.30.200.21 \ --hostname-override=172.30.200.21 \ --cluster-cidr=169.169.0.0/16 \ --kubeconfig=/etc/kubernetes/proxy/proxy.kubeconfig \ --logtostderr=false \ --log-dir=/var/log/kubernetes/proxy \ --v=2" # Create the log directory [root@kubenode1 ~]# mkdir -p /var/log/kubernetes/proxy
4. Start and verify
[root@kubenode1 ~]# systemctl daemon-reload [root@kubenode1 ~]# systemctl enable kube-proxy [root@kubenode1 ~]# systemctl start kube-proxy [root@kubenode1 ~]# systemctl status kube-proxy # If the service is not "active (running)", check the log files under /var/log/kubernetes/proxy (set by --log-dir above).