Summary:
The kubelet component runs on each Node host. It keeps the Pods assigned to it running and provides the Kubernetes runtime environment; its main duties are:
1. Watch the pods that have been assigned to this Node
2. Mount the volumes the pods need
3. Download the pods' secrets
4. Run the pods' containers through docker/rkt
5. Periodically execute the liveness probes defined for the containers in a pod
6. Report pod status to the other components of the system
7. Report the Node's status
1. The steps below deploy components on the node hosts; on the master we only prepare the configuration files and then push them out to each node.
2. If the master should also join the cluster as a node, docker, kubelet and kube-proxy must be deployed on the master as well.
1) Create the role binding
When kubelet starts it sends a TLS bootstrapping request to kube-apiserver. The kubelet-bootstrap user from the bootstrap token file must first be bound to the system:node-bootstrapper cluster role so that kubelet has permission to create certificate signing requests:
[root@k8s-master01 ~]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
--user=kubelet-bootstrap is the user specified in the bootstrap-token.csv file created when deploying kube-apiserver; the same user must also be written into the bootstrap.kubeconfig file.
2) Create the kubelet kubeconfig file and set the cluster parameters
## Set the cluster parameters
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
## Set the client authentication parameters
### The token is the token value from the bootstrap-token.csv file mentioned earlier
[root@k8s-master01 ~]# kubectl config set-credentials kubelet-bootstrap \
  --token=fb8f04963e38858eab0867e8d2296d6b \
  --kubeconfig=bootstrap.kubeconfig
User "kubelet-bootstrap" set.
## Set the context parameters
[root@k8s-master01 ~]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
Context "default" created.
## Set the default context
[root@k8s-master01 ~]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".
## Distribute the generated cluster config file to each node
[root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/root/bootstrap.kubeconfig dest=/etc/kubernetes/config/'
3) Create the core configuration file for the service
We first configure it on the master, then distribute it to the 2 node hosts with ansible, and then modify the corresponding hostname and IP on each.
[root@k8s-master01 ~]# vim /opt/k8s/cfg/kubelet.conf
###
# kubernetes kubelet (minion) config
# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--node-ip=10.10.0.17"
# The port for the info server to serve on
# KUBELET_PORT="--port=10250"
# You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=k8s-node01"
# location of the api-server
# KUBELET_API_SERVER=""
# Add your own!
KUBELET_ARGS=" --address=0.0.0.0 \
--allow-privileged \
--anonymous-auth=false \
--authentication-token-webhook=true \
--authorization-mode=Webhook \
--bootstrap-kubeconfig=/etc/kubernetes/config/bootstrap.kubeconfig \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--network-plugin=cni \
--cgroup-driver=cgroupfs \
--cert-dir=/etc/kubernetes/ssl \
--cluster-dns=10.254.0.2 \
--cluster-domain=cluster.local \
--cni-conf-dir=/etc/cni/net.d \
--eviction-max-pod-grace-period=30 \
--image-gc-high-threshold=80 \
--image-gc-low-threshold=70 \
--image-pull-progress-deadline=30s \
--kubeconfig=/etc/kubernetes/config/kubelet.kubeconfig \
--max-pods=100 \
--minimum-image-ttl-duration=720h0m0s \
--node-labels=node.kubernetes.io/k8s-node=true \
--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause-amd64:3.1 \
--rotate-certificates \
--rotate-server-certificates \
--fail-swap-on=false \
--v=2"
## Distribute to the nodes (do not forget to change the hostname and IP address in the parameters for each node)
[root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/opt/k8s/cfg/kubelet.conf dest=/etc/kubernetes/config/'
Parameter explanation:
- authorization-mode: kubelet authorization mode
- network-plugin: name of the network plugin
- cert-dir: directory where the TLS certificates are located
- eviction-max-pod-grace-period: maximum grace period for terminating pods during eviction
- pod-infra-container-image: image used for the container that holds each pod's network/ipc namespaces
- rotate-certificates: when the certificate is about to expire, automatically rotate the kubelet client certificate by requesting a new one from kube-apiserver
- hostname-override: sets the node's name in the cluster, defaulting to the host's hostname; if this parameter is set, the kube-proxy service must be configured with the same parameter
4) Create the kubelet systemd unit
[root@k8s-master01 ~]# vim /opt/k8s/unit/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=-/etc/kubernetes/config/kubelet.conf
ExecStart=/usr/local/bin/kubelet $KUBELET_ARGS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
## Distribute the unit file
[root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/opt/k8s/unit/kubelet.service dest=/usr/lib/systemd/system/'
## Create the kubelet data directory
[root@k8s-master01 ~]# ansible k8s-node -m file -a 'path=/var/lib/kubelet state=directory'
5) Start the service
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl daemon-reload'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl enable kubelet'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl start kubelet'
6) View the CSR requests
View the not-yet-approved CSR requests, which are in the "Pending" state
[root@k8s-master01 ~]# kubectl get csr
NAME        AGE    REQUESTOR           CONDITION
csr-5m922   100s   kubelet-bootstrap   Pending
csr-k4v2g   99s    kubelet-bootstrap   Pending
7) Approve the kubelet TLS certificate requests
When kubelet starts for the first time it sends a certificate signing request to kube-apiserver; only after the Kubernetes system has approved it is the node added to the cluster.
## After approval the node joins the cluster
[root@k8s-master01 ~]# kubectl certificate approve csr-5m922
[root@k8s-master01 ~]# kubectl certificate approve csr-k4v2g
## Check the node readiness status
### Since we have not installed networking yet, the nodes are still NotReady
[root@k8s-master01 ~]# kubectl get nodes
NAME         STATUS     ROLES    AGE     VERSION
k8s-node01   NotReady   <none>   49m     v1.14.1
k8s-node02   NotReady   <none>   6m15s   v1.14.1
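As an added example (not part of the original post), the following POSIX shell script vets a bootstrap CSR before approving it instead of approving by name as above: it accepts a request only when the requestor is kubelet-bootstrap, the request is still Pending, and the CSR subject is exactly CN=system:node:<name>,O=system:nodes for a name listed in NODE_NAMES. It assumes kubectl and openssl are on the master's PATH; NODE_NAMES, csr_decision and vet_and_approve are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): vet a kubelet bootstrap CSR
# before approving it. Assumes kubectl and openssl are on PATH; NODE_NAMES
# is the constructed list of hostnames set via --hostname-override.
NODE_NAMES="${NODE_NAMES:-k8s-node01 k8s-node02}"

# Pure decision function: prints "approve: <node>" and returns 0 only when
#   $1 requestor  is the bootstrap user (REQUESTOR column of kubectl get csr),
#   $2 condition  is "Pending" (nothing in status.conditions yet), and
#   $3 subject    (RFC2253 form from openssl) is exactly
#                 CN=system:node:<name>,O=system:nodes for a known <name>.
# Anything else prints a reject reason and returns 1.
csr_decision() {
    requestor=$1; condition=$2; subject=$3
    [ "$requestor" = "kubelet-bootstrap" ] || { echo "reject: requestor $requestor"; return 1; }
    [ "$condition" = "Pending" ] || { echo "reject: condition $condition"; return 1; }
    case "$subject" in
        CN=system:node:*,O=system:nodes) ;;
        *) echo "reject: subject $subject"; return 1 ;;
    esac
    node=${subject#CN=system:node:}
    node=${node%,O=system:nodes}
    for n in $NODE_NAMES; do
        if [ "$n" = "$node" ]; then echo "approve: $node"; return 0; fi
    done
    echo "reject: unknown node $node"
    return 1
}

# Wrapper: read the fields of one CSR from the API, decode the PEM request
# to get its subject, and approve only when csr_decision agrees.
vet_and_approve() {
    name=$1
    requestor=$(kubectl get csr "$name" -o jsonpath='{.spec.username}')
    condition=$(kubectl get csr "$name" -o jsonpath='{.status.conditions[*].type}' 2>/dev/null)
    condition=${condition:-Pending}       # no conditions yet means Pending
    condition=${condition%% *}            # first condition type if several
    subject=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' | base64 -d \
        | openssl req -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if csr_decision "$requestor" "$condition" "$subject"; then
        kubectl certificate approve "$name"
    fi
}

# Usage (run on the master): vet every CSR currently listed.
# for c in $(kubectl get csr -o jsonpath='{.items[*].metadata.name}'); do vet_and_approve "$c"; done
```

Serving-certificate CSRs generated later by --rotate-server-certificates are submitted by the node's own system:node:<name> identity rather than kubelet-bootstrap, so this script leaves them untouched for separate review.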