11. Deploy kubelet
The next two chapters deploy the Kube-Node related services: kubelet and kube-proxy.
1. TLS bootstrap user authorization
# kubelet uses the TLS bootstrapping mechanism to register itself with the kube-apiserver automatically, which is very useful when there are many nodes or when capacity is scaled out later.
# Before the kubelet sends its TLS bootstrapping request to the kube-apiserver, the kubelet-bootstrap user from the bootstrap token file must first be bound to the ClusterRole system:node-bootstrapper (list the roles with kubectl get clusterroles); only then does the kubelet have permission to create certificate signing requests. This is done by creating a ClusterRoleBinding.
# --user=kubelet-bootstrap is the username specified in /etc/kubernetes/bootstrap/token.csv (created earlier); the same username also has to be written into the kubeconfig file /etc/kubernetes/bootstrap/bootstrap.kubeconfig.
[root@kubenode1 ~]# kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap

# The ClusterRoleBinding kubelet-bootstrap was created successfully
[root@kubenode1 ~]# kubectl get clusterrolebinding
2. Create the kubelet bootstrap kubeconfig file
[root@kubenode1 ~]# cd /etc/kubernetes/bootstrap/

# Configure the cluster parameters;
# --embed-certs=true writes the certificate-authority certificate itself into the generated bootstrap.kubeconfig file instead of a path to it
[root@kubenode1 bootstrap]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://172.30.200.10:6443 \
  --kubeconfig=bootstrap.kubeconfig

# Configure the client authentication parameters;
# the user is "kubelet-bootstrap" from the token.csv file above;
# only the token is specified (the BOOTSTRAP_TOKEN environment variable set in the previous article); the client certificate and private key are generated automatically by the kube-apiserver when the kubelet registers for the first time
[root@kubenode1 bootstrap]# kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# Configure the context parameters
[root@kubenode1 bootstrap]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Set the default context
[root@kubenode1 bootstrap]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

# Distribute bootstrap.kubeconfig to all Node hosts
[root@kubenode1 bootstrap]# scp bootstrap.kubeconfig [email protected]:/etc/kubernetes/bootstrap/
[root@kubenode1 bootstrap]# scp bootstrap.kubeconfig [email protected]:/etc/kubernetes/bootstrap/
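Before the file is copied to the Node hosts it is worth checking that the steps above produced what the kubelet expects. The following shell check is an added example, not part of the original article; it assumes the names used on this page (cluster "kubernetes", user "kubelet-bootstrap", context "default") and the YAML layout that kubectl config writes, and the sample kubeconfig it creates is constructed with placeholder CA data and token.

```shell
# Checks a generated bootstrap.kubeconfig before it is copied to the nodes.
# Cluster "kubernetes", user "kubelet-bootstrap" and context "default" are the
# names used on this page; the check relies on kubectl's YAML layout.
check_bootstrap_kubeconfig() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # --embed-certs=true must yield certificate-authority-data, not a
    # certificate-authority path that does not exist on the node hosts
    grep -q '^ *certificate-authority-data: ' "$f" || { echo "CA not embedded"; return 1; }
    grep -q '^ *certificate-authority: ' "$f" && { echo "CA given as a path"; return 1; }
    grep -q '^ *server: https://' "$f" || { echo "server is not https"; return 1; }
    # the bootstrap identity is a bearer token only; there is no client cert yet
    grep -q '^- name: kubelet-bootstrap$' "$f" || { echo "user kubelet-bootstrap missing"; return 1; }
    grep -q '^ *token: ' "$f" || { echo "no bootstrap token"; return 1; }
    grep -q '^current-context: default$' "$f" || { echo "context default not selected"; return 1; }
    # the file carries the bootstrap token: group/other must have no access
    perms=$(ls -l "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "mode too open (group/other: $perms)"; return 1; }
    return 0
}

# Constructed sample in the layout kubectl config writes (placeholder CA and token).
write_sample_bootstrap_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: LS0tQ09OU1RSVUNURUQtQ0EtUExBQ0VIT0xERVItLS0=
    server: https://172.30.200.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
users:
- name: kubelet-bootstrap
  user:
    token: 0123456789abcdef0123456789abcdef
EOF
    chmod 600 "$1"
}

tmp=$(mktemp -d)
write_sample_bootstrap_kubeconfig "$tmp/bootstrap.kubeconfig"
check_bootstrap_kubeconfig "$tmp/bootstrap.kubeconfig" && echo "bootstrap.kubeconfig looks sane"
```

On a real host run check_bootstrap_kubeconfig against /etc/kubernetes/bootstrap/bootstrap.kubeconfig; a non-zero exit and the printed reason tell you which of the set-cluster, set-credentials or use-context steps to redo.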
3. Configure the kubelet systemd unit file
The relevant executables were already deployed when kubectl was deployed.
# kubelet depends on the docker.service service and starts after it;
# an ExecStartPost can be used to open tcp port 4194 in iptables in preparation for cAdvisor
[root@kubenode1 ~]# touch /usr/lib/systemd/system/kubelet.service
[root@kubenode1 ~]# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/usr/local/kubernetes/kubelet.conf
ExecStart=/usr/local/kubernetes/bin/kubelet $KUBELET_ARGS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

# Create the working directory
[root@kubenode1 ~]# mkdir -p /var/lib/kubelet

# Configure the startup parameter file;
# --address: the host IP address to bind to; the default "0.0.0.0" means all network interfaces;
# --hostname-override: the name of the node in the cluster; the system hostname is used by default. If this parameter is set, the kube-proxy service must be given the same parameter;
# --pod-infra-container-image: the pause image used for namespace sharing within a Pod; the default is "gcr.io/google_containers/pause-amd64:3.0". It is recommended to pull the related images on the node in advance to speed up deployment;
# --bootstrap-kubeconfig: when the kubelet starts for the first time and has no client certificate yet, it uses the specified kubeconfig to request a client certificate from the kube-apiserver through a csr request; once the request is approved, a kubeconfig file is written to the path given by --kubeconfig, and the certificate and private key are saved to the directory given by --cert-dir;
# --cluster-dns: the cluster DNS servers, comma-separated; the kubelet writes them as nameserver and search entries into the /etc/resolv.conf of every newly created Pod;
# --cluster-domain: the DNS domain of the cluster;
# --allow-privileged: whether containers may be started in privileged mode; the default is false;
# --serialize-image-pulls: pull images one at a time; the default is true;
# --fail-swap-on=false: with the default (true) the kubelet refuses to start if swap is enabled on the node; pay attention to this in v1.8.x and v1.9.x
[root@kubenode1 ~]# touch /usr/local/kubernetes/kubelet.conf
[root@kubenode1 ~]# vim /usr/local/kubernetes/kubelet.conf
KUBELET_ARGS="--address=172.30.200.21 \
  --hostname-override=172.30.200.21 \
  --pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.0 \
  --bootstrap-kubeconfig=/etc/kubernetes/bootstrap/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/bootstrap/kubelet.kubeconfig \
  --cert-dir=/etc/kubernetes/bootstrap \
  --cluster-dns=169.169.0.11 \
  --cluster-domain=cluster.local. \
  --allow-privileged=true \
  --serialize-image-pulls=false \
  --fail-swap-on=false \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes/kubelet \
  --v=2"

# Create the log directory
[root@kubenode1 ~]# mkdir -p /var/log/kubernetes/kubelet
4. Start and verify
1) Verify the kubelet status
[root@kubenode1 ~]# systemctl daemon-reload
[root@kubenode1 ~]# systemctl enable kubelet
[root@kubenode1 ~]# systemctl start kubelet
[root@kubenode1 ~]# systemctl status kubelet
2) TLS certificate request by the kubelet
When the kubelet starts for the first time it sends a certificate signing request to the kube-apiserver; the request must be approved in Kubernetes before the node is added to the cluster.
Take kubenode1 as an example; the other nodes are similar.
# View the unapproved csr requests; they are in the "Pending" state
[root@kubenode1 ~]# kubectl get csr

# Approve the csr request; its status changes to "Approved,Issued";
# the cluster node becomes "Ready"
[root@kubenode1 ~]# kubectl certificate approve node-csr-Gl5zdgp6IZYQBAV1S59vXDZzHbirH9qDMb0xHaDnDIA
[root@kubenode1 ~]# kubectl get nodes
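Approving a csr by name issues a client certificate for whatever identity the request asks for, so a quick look at the request before approving is worthwhile. The shell functions below are an added example, not part of the original article: they assume a node bootstrapping through the ClusterRoleBinding above submits the csr as kubelet-bootstrap and asks for O=system:nodes with CN=system:node:<hostname>, and review_pending_csr additionally assumes kubectl and openssl are on the path.

```shell
# Reviews a node csr before "kubectl certificate approve".
# $1: the username that submitted the csr, $2: the csr in PEM form.
# A kubelet bootstrapping with the ClusterRoleBinding on this page submits as
# kubelet-bootstrap and requests O=system:nodes, CN=system:node:<hostname>.
review_node_csr() {
    requester="$1"; csr_pem="$2"
    [ "$requester" = "kubelet-bootstrap" ] || { echo "unexpected requester: $requester"; return 1; }
    subject=$(openssl req -in "$csr_pem" -noout -subject 2>/dev/null) \
        || { echo "not a parseable csr"; return 1; }
    # openssl prints "subject=O = system:nodes, CN = system:node:172.30.200.21"
    # (older releases: "subject=/O=system:nodes/CN=system:node:..."); normalise both
    subject=$(printf '%s' "$subject" | sed 's/^subject= *//; s#^/##; s#/#, #g; s/ = /=/g')
    case "$subject" in
        *'O=system:nodes'*) ;;
        *) echo "organisation is not system:nodes: $subject"; return 1 ;;
    esac
    case "$subject" in
        *'CN=system:node:'*) ;;
        *) echo "CN is not a system:node: identity: $subject"; return 1 ;;
    esac
    echo "csr looks like a node bootstrap request: $subject"
    return 0
}

# Pulls a pending csr out of the cluster and reviews it (needs kubectl and openssl).
# $1: csr name as shown by "kubectl get csr"
review_pending_csr() {
    name="$1"; tmp=$(mktemp)
    kubectl get csr "$name" -o jsonpath='{.spec.request}' | base64 -d > "$tmp"
    user=$(kubectl get csr "$name" -o jsonpath='{.spec.username}')
    review_node_csr "$user" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Only approve the csr when review_pending_csr exits 0; a request from another username or for a subject outside system:nodes deserves a closer look before it is signed.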
3) kubelet certificate and private key
# In the specified directory you can see the automatically generated kubelet certificate, private key, kubeconfig file, etc.
[root@kubenode1 ~]# ll /etc/kubernetes/bootstrap/