• 高可用Kubernetes集群-10. 部署kube-proxy


     十二.部署kube-proxy

    1. 创建kube-proxy证书

    1)创建kube-proxy证书签名请求

    # kube-proxy提取CN作为客户端的用户名,即system:kube-proxy。 kube-apiserver预定义的 RBAC使用的ClusterRoleBindings system:node-proxier将用户system:kube-proxy与ClusterRole system:node-proxier绑定,该Role授予节点调用kube-apiserver proxy相关api的权限;
    # hosts列表为空
    [root@kubenode1 ~]# mkdir -p /etc/kubernetes/proxy
    [root@kubenode1 ~]# cd /etc/kubernetes/proxy
    [root@kubenode1 proxy]# touch proxy-csr.json
    [root@kubenode1 proxy]# vim proxy-csr.json
    {
        "CN": "system:kube-proxy",
        "hosts": [],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "ChengDu",
                "L": "ChengDu",
                "O": "system:kube-proxy",
                "OU": "cloudteam"
            }
        ]
    }

    2)生成kube-proxy证书与私钥

    [root@kubenode1 proxy]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
    -ca-key=/etc/kubernetes/ssl/ca-key.pem \
    -config=/etc/kubernetes/ssl/ca-config.json \
    -profile=kubernetes proxy-csr.json | cfssljson -bare proxy

    # 分发proxy.pem,proxy-key.pem;其中proxy-key.pem为私钥,目标节点上应仅root可读(如chmod 600)
    [root@kubenode1 proxy]# scp proxy*.pem root@172.30.200.22:/etc/kubernetes/proxy/
    [root@kubenode1 proxy]# scp proxy*.pem root@172.30.200.23:/etc/kubernetes/proxy/

    2. 创建kube-proxy kubeconfig文件

    # 配置集群参数;
    # --server:指定api-server,采用ha之后的vip;
    # cluster名自定义,设定之后需保持一致;
    # --kubeconfig:指定kubeconfig文件路径与文件名;如果不设置,默认生成在~/.kube/config文件
    [root@kubenode1 proxy]# kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
    --embed-certs=true \
    --server=https://172.30.200.10:6443 \
    --kubeconfig=proxy.kubeconfig
    
    # 配置客户端认证参数;
    # 认证用户为前文证书签名请求中的CN,即“system:kube-proxy”;
    # 指定对应的公钥证书/私钥等
    [root@kubenode1 proxy]# kubectl config set-credentials system:kube-proxy \
    --client-certificate=/etc/kubernetes/proxy/proxy.pem \
    --embed-certs=true \
    --client-key=/etc/kubernetes/proxy/proxy-key.pem \
    --kubeconfig=proxy.kubeconfig
    
    # 配置上下文参数
    [root@kubenode1 proxy]# kubectl config set-context system:kube-proxy@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-proxy \
    --kubeconfig=proxy.kubeconfig
    
    # 配置默认上下文
    [root@kubenode1 proxy]# kubectl config use-context system:kube-proxy@kubernetes --kubeconfig=proxy.kubeconfig

    # 分发proxy.kubeconfig文件到所有node节点;由于使用了--embed-certs=true,该文件内嵌了客户端私钥,应与私钥同等保护(仅root可读);
    [root@kubenode1 proxy]# scp proxy.kubeconfig root@172.30.200.22:/etc/kubernetes/proxy/
    [root@kubenode1 proxy]# scp proxy.kubeconfig root@172.30.200.23:/etc/kubernetes/proxy/

    3. 配置kube-proxy的systemd unit文件

    相关可执行文件在部署kubectl时已部署完成。

    # 可通过ExecStartPost设置iptables开放tcp 4194端口,为cAdvisor做准备
    [root@kubenode1 ~]# touch /usr/lib/systemd/system/kube-proxy.service
    [root@kubenode1 ~]# vim /usr/lib/systemd/system/kube-proxy.service
    [Unit]
    Description=Kubernetes Kube-Proxy Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target
    
    [Service]
    WorkingDirectory=/var/lib/kube-proxy
    EnvironmentFile=/usr/local/kubernetes/kube-proxy.conf
    ExecStart=/usr/local/kubernetes/bin/kube-proxy $KUBE_PROXY_ARGS
    Restart=on-failure
    RestartSec=5
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    
    
    # 创建工作区目录
    [root@kubenode1 ~]# mkdir -p /var/lib/kube-proxy
    
    # 配置启动参数文件;
    # --bind-address:绑定主机ip地址,默认值”0.0.0.0”表示使用全部网络接口;
    # --hostname-override:设置node在集群中的主机名,默认使用主机hostname; kubelet设置了此项参数,则kube-proxy也需要设置此项参数
    [root@kubenode1 ~]# touch /usr/local/kubernetes/kube-proxy.conf
    [root@kubenode1 ~]# vim /usr/local/kubernetes/kube-proxy.conf
    KUBE_PROXY_ARGS="--bind-address=172.30.200.21 
      --hostname-override=172.30.200.21 
      --cluster-cidr=169.169.0.0/16 
      --kubeconfig=/etc/kubernetes/proxy/proxy.kubeconfig 
      --logtostderr=false 
      --log-dir=/var/log/kubernetes/proxy 
      --v=2"
    
    # 创建日志目录
    [root@kubenode1 ~]# mkdir -p /var/log/kubernetes/proxy

    4. 启动并验证

    [root@kubenode1 ~]# systemctl daemon-reload
    [root@kubenode1 ~]# systemctl enable kube-proxy
    [root@kubenode1 ~]# systemctl start kube-proxy
    [root@kubenode1 ~]# systemctl status kube-proxy

  • 原文地址:https://www.cnblogs.com/netonline/p/8809729.html