十二.部署kube-proxy
1. 創建kube-proxy證書
1)創建kube-proxy證書簽名請求
# kube-proxy提取CN作為客戶端的用戶名,即system:kube-proxy。 kube-apiserver預定義的 RBAC使用的ClusterRoleBindings system:node-proxier將用戶system:kube-proxy與ClusterRole system:node-proxier綁定,該Role授予節點調用kube-apiserver proxy相關api的權限;
# hosts列表為空
[root@kubenode1 ~]# mkdir -p /etc/kubernetes/proxy
[root@kubenode1 ~]# cd /etc/kubernetes/proxy
[root@kubenode1 proxy]# touch proxy-csr.json
[root@kubenode1 proxy]# vim proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "system:kube-proxy",
      "OU": "cloudteam"
    }
  ]
}
2)生成kube-proxy證書與私鑰
[root@kubenode1 proxy]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/etc/kubernetes/ssl/ca-config.json \
  -profile=kubernetes proxy-csr.json | cfssljson -bare proxy

# 分發proxy.pem,proxy-key.pem;
# proxy-key.pem為客戶端私鑰,分發後應確保該文件僅root可讀
[root@kubenode1 proxy]# scp proxy*.pem root@172.30.200.22:/etc/kubernetes/proxy/
[root@kubenode1 proxy]# scp proxy*.pem root@172.30.200.23:/etc/kubernetes/proxy/
2. 創建kube-proxy kubeconfig文件
# 配置集群參數;
# --server:指定api-server,采用ha之後的vip;
# cluster名自定義,設定之後需保持一致;
# --kubeconfig:指定kubeconfig文件路徑與文件名;如果不設置,默認生成在~/.kube/config文件
[root@kubenode1 proxy]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://172.30.200.10:6443 \
  --kubeconfig=proxy.kubeconfig

# 配置客戶端認證參數;
# 認證用戶為前文簽名中的“system:kube-proxy”;
# 指定對應的公鑰證書/私鑰等
[root@kubenode1 proxy]# kubectl config set-credentials system:kube-proxy \
  --client-certificate=/etc/kubernetes/proxy/proxy.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/proxy/proxy-key.pem \
  --kubeconfig=proxy.kubeconfig

# 配置上下文參數
[root@kubenode1 proxy]# kubectl config set-context system:kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=system:kube-proxy \
  --kubeconfig=proxy.kubeconfig

# 配置默認上下文
[root@kubenode1 proxy]# kubectl config use-context system:kube-proxy@kubernetes --kubeconfig=proxy.kubeconfig

# 分發proxy.kubeconfig文件到所有node節點;
# 由於使用了--embed-certs=true,proxy.kubeconfig內嵌了客戶端證書與私鑰,分發後同樣應限制文件權限,避免被其他用戶讀取
[root@kubenode1 proxy]# scp proxy.kubeconfig root@172.30.200.22:/etc/kubernetes/proxy/
[root@kubenode1 proxy]# scp proxy.kubeconfig root@172.30.200.23:/etc/kubernetes/proxy/
3. 配置kube-proxy的systemd unit文件
相關可執行文件在部署kubectl時已部署完成。
# 可通過ExecStartPost設置iptables開放tcp 4194端口,為cAdvisor做準備(若開放,建議僅對集群內網開放)
[root@kubenode1 ~]# touch /usr/lib/systemd/system/kube-proxy.service
[root@kubenode1 ~]# vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
EnvironmentFile=/usr/local/kubernetes/kube-proxy.conf
ExecStart=/usr/local/kubernetes/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

# 創建工作區目錄
[root@kubenode1 ~]# mkdir -p /var/lib/kube-proxy

# 配置啟動參數文件;
# --bind-address:綁定主機ip地址,默認值”0.0.0.0”表示使用全部網絡接口;各node應填寫自身ip
# --hostname-override:設置node在集群中的主機名,默認使用主機hostname; kubelet設置了此項參數,則kube-proxy也需要設置此項參數
[root@kubenode1 ~]# touch /usr/local/kubernetes/kube-proxy.conf
[root@kubenode1 ~]# vim /usr/local/kubernetes/kube-proxy.conf
KUBE_PROXY_ARGS="--bind-address=172.30.200.21 \
  --hostname-override=172.30.200.21 \
  --cluster-cidr=169.169.0.0/16 \
  --kubeconfig=/etc/kubernetes/proxy/proxy.kubeconfig \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes/proxy \
  --v=2"

# 創建日志目錄
[root@kubenode1 ~]# mkdir -p /var/log/kubernetes/proxy
4. 啟動並驗證
[root@kubenode1 ~]# systemctl daemon-reload
[root@kubenode1 ~]# systemctl enable kube-proxy
[root@kubenode1 ~]# systemctl start kube-proxy
[root@kubenode1 ~]# systemctl status kube-proxy

