Adding a node to a binary-installed K8S cluster (calico mode)


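  1. Issue the certificate

    # ca.pem, ca-key.pem and ca-config.json are the originally issued CA root certificate (with its key) and the CA's JSON config
    # kubelet-csr.json: a single unified certificate is issued now, so it does not have to be re-issued later
    # cat kubelet-csr.json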
    {
      "CN": "system:node",
      "hosts": [
        "127.0.0.1",
        "192.168.2.3",
        "192.168.2.4",
        "192.168.2.5",
        ..... # the middle enumerates every IP address in the subnets; a subnet (CIDR) cannot be written here
        .....
        "192.168.3.249",
        "192.168.3.250",
        "192.168.3.251",
        "192.168.3.252",
        "192.168.3.253"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "HangZhou",
          "L": "XS",
          "O": "system:nodes",
          "OU": "System"
        }
      ]
    }
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubelet-csr.json |cfssljson -bare kubelet
    
  2. Generate the kubelet.kubeconfig credential

    # 1) set-cluster
    kubectl config set-cluster myk8s \
      --certificate-authority=/etc/kubernetes/ssl/ca.pem \
      --embed-certs=true \
      --server=https://127.0.0.1:6443 \
      --kubeconfig=kubelet.kubeconfig
      
    # Credentials used to connect to the apiserver
    # 2) set-credentials
    kubectl config set-credentials k8s-node \
     --client-certificate=/application/kubernetes/ssl/kubernetes.pem \
     --client-key=/application/kubernetes/ssl/kubernetes-key.pem \
     --embed-certs=true \
     --kubeconfig=kubelet.kubeconfig 
     
     
    # 3) set-context
     
    kubectl config set-context myk8s-context \
      --cluster=myk8s \
      --user=k8s-node \
      --kubeconfig=kubelet.kubeconfig
      
      
    # 4) use-context
    kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
    
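  3. Configure RBAC permissions for the kubelet

    # Both of the following must be applied: the earlier set used kubernetes, the newly created one is k8s-node, and k8s-node will be used uniformly from now on
    # Note: both manifests below set metadata.name to k8s-node; ClusterRoleBinding names are cluster-unique,
    # so the second one applied overwrites or conflicts with the first
    
    # cat kubernetes.yaml 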
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: k8s-node
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:node
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: kubernetes
    
    # cat k8s-node.yaml 
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: k8s-node
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: system:node
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: k8s-node
    
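  4. kube-proxy.kubeconfig does not need to be configured on every node; reuse the existing one

  5. Configure nginx to proxy the api-server

    cat /etc/nginx/nginx.conf  # 1.20 requires the stream module to be installed separately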
    ...
    stream {
        upstream apiserver_6443 {
            server 192.168.2.91:6443;
            server 192.168.2.92:6443;
            server 192.168.2.93:6443;
        }
    
        server {
            listen 6443;
            proxy_pass apiserver_6443;
        }
    }
    nginx -t 
    systemctl reload nginx 
    
  6. Set up SSH trust

    ssh-copy-id -i ~/.ssh/id_rsa.pub xxxx   #node8
    
  7. Copy the required files to the new node

    cd /etc/
    scp -r kubernetes/ node8:/etc/
    scp kubelet.kubeconfig node8:/etc/kubernetes/
    scp -r /etc/systemd/system/kubelet.service node8:/etc/systemd/system
    scp -r /etc/systemd/system/kube-proxy.service node8:/etc/systemd/system
    scp -r /var/lib/kubelet node8:/var/lib/
    scp -r /var/lib/kube-proxy/ node8:/var/lib/
    scp -r /etc/calico/ node8:/etc/
    scp -r /etc/cni/ node8:/etc/
    
    
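  8. Log in to node8 and edit the kubelet and kube-proxy configuration files

    # Change to the corresponding IP address
    (omitted)
    # The hostname must not contain special characters or _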
    
  9. Install docker

  10. Start kubelet and kube-proxy
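
For step 1, where the hosts list has to enumerate every address because a subnet cannot be written, the following added example (not part of the original post) generates kubelet-csr.json and checks that a node's IP is covered before the certificate is signed. It assumes the elided middle of the list is the contiguous range 192.168.2.3 to 192.168.3.253; the function names and the node IP 192.168.2.200 are constructed for illustration.

```python
import ipaddress
import json

# Subject fields copied from the kubelet-csr.json shown in step 1.
SUBJECT = {"C": "CN", "ST": "HangZhou", "L": "XS", "O": "system:nodes", "OU": "System"}


def expand_hosts(first, last):
    """Return every IPv4 address from first to last inclusive, as strings."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if start > end:
        raise ValueError("first address is after last address")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def build_csr(first, last):
    """Build the CSR document: 127.0.0.1 plus the enumerated range."""
    return {
        "CN": "system:node",
        "hosts": ["127.0.0.1"] + expand_hosts(first, last),
        "key": {"algo": "rsa", "size": 2048},
        "names": [SUBJECT],
    }


def check_csr(csr, node_ip):
    """Return the problems that would leave node_ip without a matching IP SAN."""
    problems = []
    for entry in csr["hosts"]:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            # A CIDR such as 192.168.2.0/24 lands here: it is not a single IP address.
            problems.append(f"not a literal IP address: {entry}")
    if node_ip not in csr["hosts"]:
        problems.append(f"node IP {node_ip} is not in hosts")
    return problems


if __name__ == "__main__":
    # Assumed contiguous range; 192.168.2.200 is a constructed node IP.
    csr = build_csr("192.168.2.3", "192.168.3.253")
    issues = check_csr(csr, "192.168.2.200")
    if issues:
        raise SystemExit("\n".join(issues))
    with open("kubelet-csr.json", "w") as fh:
        json.dump(csr, fh, indent=2)
    print(len(csr["hosts"]), "host entries written to kubelet-csr.json")
```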

