4.1. kubelet 部署
4.1.1. 签发证书
证书签发在 hdss7-200 操作
[root@hdss7-200 ~]# cd /opt/certs/
[root@hdss7-200 certs]# vim kubelet-csr.json # 将所有可能的kubelet机器IP添加到hosts中
{
"CN": "k8s-kubelet",
"hosts": [
"127.0.0.1",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23",
"10.4.7.24",
"10.4.7.25",
"10.4.7.26",
"10.4.7.27",
"10.4.7.28"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet
2020/01/06 23:10:56 [INFO] generate received request
2020/01/06 23:10:56 [INFO] received CSR
2020/01/06 23:10:56 [INFO] generating key: rsa-2048
2020/01/06 23:10:56 [INFO] encoded CSR
2020/01/06 23:10:56 [INFO] signed certificate with serial number 61221942784856969738771370531559555767101820379
2020/01/06 23:10:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@hdss7-200 certs]# ls kubelet* -l
-rw-r--r-- 1 root root 1115 Jan 6 23:10 kubelet.csr
-rw-r--r-- 1 root root 452 Jan 6 23:10 kubelet-csr.json
-rw------- 1 root root 1675 Jan 6 23:10 kubelet-key.pem
-rw-r--r-- 1 root root 1468 Jan 6 23:10 kubelet.pem
[root@hdss7-200 certs]# scp kubelet.pem kubelet-key.pem hdss7-21:/opt/kubernetes/server/bin/certs/
[root@hdss7-200 certs]# scp kubelet.pem kubelet-key.pem hdss7-22:/opt/kubernetes/server/bin/certs/
4.1.2. 创建kubelet配置
kubelet配置在 hdss7-21 hdss7-22 操作
set-cluster # 创建需要连接的集群信息,可以创建多个k8s集群信息
[root@hdss7-21 ~]# kubectl config set-cluster myk8s \
  --certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
  --embed-certs=true \
  --server=https://10.4.7.10:7443 \
  --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
set-credentials # 创建用户账号,即用户登录使用的客户端私钥和证书,可以创建多个证书
[root@hdss7-21 ~]# kubectl config set-credentials k8s-node \
  --client-certificate=/opt/kubernetes/server/bin/certs/client.pem \
  --client-key=/opt/kubernetes/server/bin/certs/client-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
set-context # 设置context,即确定账号和集群对应关系
[root@hdss7-21 ~]# kubectl config set-context myk8s-context \
  --cluster=myk8s \
  --user=k8s-node \
  --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
use-context # 设置当前使用哪个context
[root@hdss7-21 ~]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
4.1.3. 授权k8s-node用户
此步骤只需要在一台master节点执行
授权 k8s-node 用户绑定集群角色 system:node ,让 k8s-node 具备运算节点的权限。
```
[root@hdss7-21 ~]# vim k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node
```
[root@hdss7-21 ~]# kubectl create -f k8s-node.yaml
clusterrolebinding.rbac.authorization.k8s.io/k8s-node created
[root@hdss7-21 ~]# kubectl get clusterrolebinding k8s-node
NAME AGE
k8s-node 36s
<a name="RChx7"></a>
#### 4.1.4. 装备pause镜像
将pause镜像放入到harbor私有仓库中,仅在 hdss7-200 操作:
[root@hdss7-200 ~]# docker pull kubernetes/pause
[root@hdss7-200 ~]# docker login -u admin harbor.od.com
[root@hdss7-200 ~]# docker image tag kubernetes/pause:latest harbor.od.com/public/pause:latest
[root@hdss7-200 ~]# docker image push harbor.od.com/public/pause:latest
<a name="DkJ3g"></a>
#### 4.1.5. 创建启动脚本
在node节点创建脚本并启动kubelet,涉及服务器: hdss7-21 hdss7-22
[root@hdss7-21 ~]# vim /opt/kubernetes/server/bin/kubelet-startup.sh
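#!/bin/sh
# kubelet-startup.sh: start the kubelet on a worker node (hdss7-21 / hdss7-22).
# Launched by supervisord (kube-kubelet.ini). The certificate and kubeconfig
# paths below are relative to this script's directory, so resolve that
# directory first and cd into it; abort if either step fails.
WORK_DIR=$(dirname "$(readlink -f "$0")") || exit 1
cd "$WORK_DIR" || exit 1

# --anonymous-auth=false   rejects unauthenticated requests to the kubelet API.
# --client-ca-file         clients must present a certificate signed by ca.pem.
# --tls-cert-file/-key     serving certificate issued in 4.1.1 (kubelet.pem).
# --kubeconfig             credentials created in 4.1.2 (client.pem as k8s-node).
# NOTE(review): --hostname-override is hard-coded to hdss7-21; presumably it
# must be changed to hdss7-22.host.com when this script is installed on hdss7-22.
/opt/kubernetes/server/bin/kubelet \
  --anonymous-auth=false \
  --cgroup-driver systemd \
  --cluster-dns 192.168.0.2 \
  --cluster-domain cluster.local \
  --runtime-cgroups=/systemd/system.slice \
  --kubelet-cgroups=/systemd/system.slice \
  --fail-swap-on="false" \
  --client-ca-file ./certs/ca.pem \
  --tls-cert-file ./certs/kubelet.pem \
  --tls-private-key-file ./certs/kubelet-key.pem \
  --hostname-override hdss7-21.host.com \
  --image-gc-high-threshold 20 \
  --image-gc-low-threshold 10 \
  --kubeconfig ../../conf/kubelet.kubeconfig \
  --log-dir /data/logs/kubernetes/kube-kubelet \
  --pod-infra-container-image harbor.od.com/public/pause:latest \
  --root-dir /data/kubelet
[root@hdss7-21 ~]# chmod u+x /opt/kubernetes/server/bin/kubelet-startup.sh
[root@hdss7-21 ~]# mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet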
[root@hdss7-21 ~]# vim /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-7-21]
command=/opt/kubernetes/server/bin/kubelet-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@hdss7-21 ~]# supervisorctl update
[root@hdss7-21 ~]# supervisorctl status
etcd-server-7-21 RUNNING pid 23637, uptime 1 day, 14:56:25
kube-apiserver-7-21 RUNNING pid 32591, uptime 16:35:54
kube-controller-manager-7-21 RUNNING pid 33357, uptime 14:40:09
kube-kubelet-7-21 RUNNING pid 37232, uptime 0:01:08
kube-scheduler-7-21 RUNNING pid 33450, uptime 14:30:50
[root@hdss7-21 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
hdss7-21.host.com Ready
<a name="uzNPY"></a>
#### 4.1.6. 修改节点角色
使用 kubectl get nodes 获取的Node节点角色为空,可以按照以下方式修改
[root@hdss7-21 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
hdss7-21.host.com Ready