1.9、部署kubelet

  • kubelet运行在每个node节点上,接收kube-apiserver发送的请求,管理Pod容器,执行交互命令

  • kubelet启动时自动向kube-apiserver注册节点信息,内置的cAdivsor统计和监控节点的资源使用资源情况

  • 为确保安全,部署时关闭了kubelet的非安全http端口,对请求进行认证和授权,拒绝未授权的访问

1.9.0、创建kubelet bootstrap kubeconfig文件
#!/usr/bin/env bash

source /opt/k8s/bin/k8s-env.sh

for node_name in ${NODE_NAMES[@]}

do

    printf "\e[1;34m${node_name}\e[0m\n"

    # 创建 token

    export BOOTSTRAP_TOKEN=$(kubeadm token create \

    --description kubelet-bootstrap-token \

    --groups system:bootstrappers:${node_name} \

    --kubeconfig ~/.kube/config)

    # 设置集群参数

    kubectl config set-cluster kubernetes \

    --certificate-authority=/etc/kubernetes/cert/ca.pem \

    --embed-certs=true \

    --server=${KUBE_APISERVER} \

    --kubeconfig=/opt/k8s/ssl/kubelet-bootstrap-${node_name}.kubeconfig

    # 设置客户端认证参数

    kubectl config set-credentials kubelet-bootstrap \

    --token=${BOOTSTRAP_TOKEN} \

    --kubeconfig=/opt/k8s/ssl/kubelet-bootstrap-${node_name}.kubeconfig

    # 设置上下文参数

    kubectl config set-context default \

    --cluster=kubernetes \

    --user=kubelet-bootstrap \

    --kubeconfig=/opt/k8s/ssl/kubelet-bootstrap-${node_name}.kubeconfig

    # 设置默认上下文

    kubectl config use-context default --kubeconfig=/opt/k8s/ssl/kubelet-bootstrap-${node_name}.kubeconfig

done
  • 向kubeconfig写入的是token,bootstrap结束后kube-controller-manager为kubelet创建client和server证书
"查看kubeadm为各个节点创建的token"

k8s-01:~ # kubeadm token list --kubeconfig ~/.kube/config

TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS

5750z9.ycsk3jxiahgz1gkn   23h         2021-02-14T00:55:41+08:00   authentication,signing   kubelet-bootstrap-token                                    system:bootstrappers:k8s-05

f4scbn.lev5uqmokwai5k0e   23h         2021-02-14T00:55:40+08:00   authentication,signing   kubelet-bootstrap-token                                    system:bootstrappers:k8s-02

kjfsng.qmjesofryg97c80q   23h         2021-02-14T00:55:41+08:00   authentication,signing   kubelet-bootstrap-token                                    system:bootstrappers:k8s-04

nseipt.09jaep1j8qnoqn1a   23h         2021-02-14T00:55:40+08:00   authentication,signing   kubelet-bootstrap-token                                    system:bootstrappers:k8s-01

zlal1h.856gawjgom560fys   23h         2021-02-14T00:55:40+08:00   authentication,signing   kubelet-bootstrap-token                                    system:bootstrappers:k8s-03
  • token有效期为1天,超期后将不能被用来bootstrap kubelet,且会被kube-controller-manager的token cleaner清理
  • kube-apiserver接收kubelet的bootstrap token后,将请求的user设置为system:bootstrap; group设置为system:bootstrappers,后续将为这个group设置ClusterRoleBinding
1.9.1、创建kubelet配置文件
k8s-01:~ # cd /opt/k8s/conf/

k8s-01:/opt/k8s/conf # source /opt/k8s/bin/k8s-env.sh

k8s-01:/opt/k8s/conf # cat > kubelet-config.yaml.template <<EOF

kind: KubeletConfiguration

apiVersion: kubelet.config.k8s.io/v1beta1

address: "##NODE_IP##"

staticPodPath: ""

syncFrequency: 1m

fileCheckFrequency: 20s

httpCheckFrequency: 20s

staticPodURL: ""

port: 10250

readOnlyPort: 0

rotateCertificates: true

serverTLSBootstrap: true

authentication:

  anonymous:

    enabled: false

  webhook:

    enabled: true

  x509:

    clientCAFile: "/etc/kubernetes/cert/ca.pem"

authorization:

  mode: Webhook

registryPullQPS: 0

registryBurst: 20

eventRecordQPS: 0

eventBurst: 20

enableDebuggingHandlers: true

enableContentionProfiling: true

healthzPort: 10248

healthzBindAddress: "##NODE_IP##"

clusterDomain: "${CLUSTER_DNS_DOMAIN}"

clusterDNS:

  - "${CLUSTER_DNS_SVC_IP}"

nodeStatusUpdateFrequency: 10s

nodeStatusReportFrequency: 1m

imageMinimumGCAge: 2m

imageGCHighThresholdPercent: 85

imageGCLowThresholdPercent: 80

volumeStatsAggPeriod: 1m

kubeletCgroups: ""

systemCgroups: ""

cgroupRoot: ""

cgroupsPerQOS: true

cgroupDriver: systemd

runtimeRequestTimeout: 10m

hairpinMode: promiscuous-bridge

maxPods: 220

podCIDR: "${CLUSTER_CIDR}"

podPidsLimit: -1

resolvConf: /etc/resolv.conf

maxOpenFiles: 1000000

kubeAPIQPS: 1000

kubeAPIBurst: 2000

serializeImagePulls: false

evictionHard:

  memory.available:  "100Mi"

nodefs.available:  "10%"

nodefs.inodesFree: "5%"

imagefs.available: "15%"

evictionSoft: {}

enableControllerAttachDetach: true

failSwapOn: true

containerLogMaxSize: 20Mi

containerLogMaxFiles: 10

systemReserved: {}

kubeReserved: {}

systemReservedCgroup: ""

kubeReservedCgroup: ""

enforceNodeAllocatable: ["pods"]

EOF
1.9.2、配置kubelet为systemctl启动
k8s-01:~ # cd /opt/k8s/conf/

k8s-01:/opt/k8s/conf # source /opt/k8s/bin/k8s-env.sh

k8s-01:/opt/k8s/conf # cat > kubelet.service.template <<EOF

[Unit]

Description=Kubernetes Kubelet

Documentation=https://github.com/GoogleCloudPlatform/kubernetes

After=docker.service

Requires=docker.service

[Service]

WorkingDirectory=${K8S_DIR}/kubelet

ExecStart=/opt/k8s/bin/kubelet \\

  --v=2 \\

  --hostname-override=##NODE_IP## \\

  --bootstrap-kubeconfig=/etc/kubernetes/cert/kubelet-bootstrap.kubeconfig \\

  --cert-dir=/etc/kubernetes/cert \\

  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \\

  --config=/etc/kubernetes/kubelet-config.yaml \\

  --logtostderr=true \\

  --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 \\

  --image-pull-progress-deadline=15m \\

  --cni-conf-dir=/etc/cni/net.d \\

  --root-dir=${K8S_DIR}/kubelet

Restart=always

RestartSec=5

StartLimitInterval=0

[Install]

WantedBy=multi-user.target

EOF
  • –bootstrap-kubeconfig:指向 bootstrap kubeconfig 文件,kubelet 使用该文件中的用户名和 token 向 kube-apiserver 发送 TLS Bootstrapping 请求
  • K8S approve kubelet 的 csr 请求后,在 --cert-dir 目录创建证书和私钥文件,然后写入 --kubeconfig 文件
  • kubelet设置了 --hostname-override 选项,kube-proxy 也需要设置该选项,否则会出现 找不到 Node 的情况;
1.9.3、拉取kubelet依赖的pause镜像
k8s-01:~ # docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2

k8s-01:~ # cd /opt/k8s/packages/

k8s-01:/opt/k8s/packages # docker save $(docker images | grep -v REPOSITORY | awk 'BEGIN{OFS=":";ORS=" "}{print $1,$2}') -o pause.tar

"将镜像保存到本地,分发到其他节点"
1.9.4、分发kubelet证书和文件到其他节点
#!/usr/bin/env bash

source /opt/k8s/bin/k8s-env.sh

for (( i=0; i < 5; i++ ))

do

    sed -e "s/##NODE_IP##/${NODE_IPS[i]}/" /opt/k8s/conf/kubelet.service.template > \

           /opt/k8s/conf/kubelet-${NODE_IPS[i]}.service

    sed -e "s/##NODE_IP##/${NODE_IPS[i]}/" /opt/k8s/conf/kubelet-config.yaml.template > \

           /opt/k8s/conf/kubelet-config-${NODE_IPS[i]}.yaml.template

done

for node_name in ${NODE_NAMES[@]}

do

    printf "\e[1;34m${node_name}\e[0m\n"

    scp /opt/k8s/ssl/kubelet-bootstrap-${node_name}.kubeconfig \

        ${node_name}:/etc/kubernetes/cert/kubelet-bootstrap.kubeconfig

done

for host in ${NODE_IPS[@]}

do

    printf "\e[1;34m${host}\e[0m\n"

    scp /opt/k8s/conf/kubelet-${host}.service ${host}:/etc/systemd/system/kubelet.service

    scp /opt/k8s/conf/kubelet-config-${host}.yaml.template ${host}:/etc/kubernetes/kubelet-config.yaml

    scp /opt/k8s/packages/pause.tar ${host}:/opt/k8s/

    ssh root@${host} "docker load -i /opt/k8s/pause.tar"

done
1.9.5、授权kubelet-bootstrap用户组允许请求证书
k8s-01:~ # kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
  • 不创建的话,kubelet会启动失败
1.9.6、启动kubelet服务
#!/usr/bin/env bash

source /opt/k8s/bin/k8s-env.sh

for host in ${NODE_IPS[@]}

do

    printf "\e[1;34m${host}\e[0m\n"

    ssh root@${host} "mkdir -p ${K8S_DIR}/kubelet/kubelet-plugins/volume/exec/"

    ssh root@${host} "systemctl daemon-reload && \

                      systemctl enable kubelet --now && \

                      systemctl status kubelet | grep Active"

done
  • kubelet 启动后使用 --bootstrap-kubeconfigkube-apiserver 发送 CSR 请求,当这个CSR 被 approve 后,kube-controller-manager 为 kubelet 创建 TLS 客户端证书、私钥和 --kubeletconfig 文件
  • 注意:kube-controller-manager 需要配置 --cluster-signing-cert-file--cluster-signing-key-file 参数,才会为TLS Bootstrap 创建证书和私钥
1.9.7、自动approve CSR请求
  • 创建三个ClusterRoleBinding,分别用于自动approve clientrenew clientrenew server证书
k8s-01:~ # cd /opt/k8s/conf/

k8s-01:/opt/k8s/conf # cat > csr-crb.yaml <<EOF

 # Approve all CSRs for the group "system:bootstrappers"

 kind: ClusterRoleBinding

 apiVersion: rbac.authorization.k8s.io/v1

 metadata:

   name: auto-approve-csrs-for-group

 subjects:

 - kind: Group

   name: system:bootstrappers

   apiGroup: rbac.authorization.k8s.io

 roleRef:

   kind: ClusterRole

   name: system:certificates.k8s.io:certificatesigningrequests:nodeclient

   apiGroup: rbac.authorization.k8s.io

---

 # To let a node of the group "system:nodes" renew its own credentials

 kind: ClusterRoleBinding

 apiVersion: rbac.authorization.k8s.io/v1

 metadata:

   name: node-client-cert-renewal

 subjects:

 - kind: Group

   name: system:nodes

   apiGroup: rbac.authorization.k8s.io

 roleRef:

   kind: ClusterRole

   name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient

   apiGroup: rbac.authorization.k8s.io

---

# A ClusterRole which instructs the CSR approver to approve a node requesting a

# serving cert matching its client cert.

kind: ClusterRole

apiVersion: rbac.authorization.k8s.io/v1

metadata:

  name: approve-node-server-renewal-csr

rules:

- apiGroups: ["certificates.k8s.io"]

  resources: ["certificatesigningrequests/selfnodeserver"]

  verbs: ["create"]

---

 # To let a node of the group "system:nodes" renew its own server credentials

 kind: ClusterRoleBinding

 apiVersion: rbac.authorization.k8s.io/v1

 metadata:

   name: node-server-cert-renewal

 subjects:

 - kind: Group

   name: system:nodes

   apiGroup: rbac.authorization.k8s.io

 roleRef:

   kind: ClusterRole

   name: approve-node-server-renewal-csr

   apiGroup: rbac.authorization.k8s.io

EOF

k8s-01:/opt/k8s/conf # kubectl apply -f csr-crb.yaml
  • auto-approve-csrs-for-group 自动approve node的第一次CSR,注意第一次CSR时,请求的Group为system:bootstrappers
  • node-client-cert-renewal 自动approve node后续过期的client证书,自动生成的证书Group为system:nodes
  • node-server-cert-renewal 自动approve node后续过期的server证书,自动生成的证书Group
1.9.8、查看节点是否都为ready
k8s-01:~ # kubectl get node

NAME            STATUS   ROLES    AGE   VERSION

192.168.72.39   Ready    <none>   20s   v1.19.7

192.168.72.40   Ready    <none>   19s   v1.19.7

192.168.72.41   Ready    <none>   18s   v1.19.7

192.168.72.42   Ready    <none>   18s   v1.19.7

192.168.72.43   Ready    <none>   17s   v1.19.7
1.9.9、手动approve server cert csr
  • 基于安全考虑,CSR approving controllers不会自动approve kubelet server证书签名请求,需要手动approve
k8s-01:~ # kubectl get csr | grep Pending | awk '{print $1}' | xargs kubectl certificate approve
1.9.10、bear token认证和授权
  • 创建一个ServiceAccount,将它和ClusterRole system:kubelet-api-admin绑定,从而具有调用kubelet API的权限
k8s-01:~ # kubectl create sa kubelet-api-test

k8s-01:~ # kubectl create clusterrolebinding kubelet-api-test --clusterrole=system:kubelet-api-admin --serviceaccount=default:kubelet-api-test

suse 12 二进制部署 Kubernetets 1.19.7 - 第09章 - 部署kubelet组件的更多相关文章

  1. suse 12 二进制部署 Kubernetets 1.19.7 - 第13章 - 部署metrics-server插件

    文章目录 1.13.0.创建metrics-server证书和私钥 1.13.1.生成metrics-server证书和私钥 1.13.2.开启kube-apiserver聚合配置 1.13.3.分发 ...

  2. suse 12 二进制部署 Kubernetets 1.19.7 - 第02章 - 部署etcd集群

    文章目录 1.2.部署etcd集群 1.2.0.下载etcd二进制文件 1.2.1.创建etcd证书和私钥 1.2.2.生成etcd证书和私钥 1.2.3.配置etcd为systemctl管理 1.2 ...

  3. suse 12 二进制部署 Kubernetets 1.19.7 - 第03章 - 部署flannel插件

    文章目录 1.3.部署flannel网络 1.3.0.下载flannel二进制文件 1.3.1.创建flannel证书和私钥 1.3.2.生成flannel证书和私钥 1.3.3.将pod网段写入et ...

  4. suse 12 二进制部署 Kubernetets 1.19.7 - 第04章 - 部署docker服务

    文章目录 1.4.部署docker 1.4.0.下载docker二进制文件 1.4.1.配置docker镜像加速 1.4.2.配置docker为systemctl管理 1.4.3.启动docker服务 ...

  5. suse 12 二进制部署 Kubernetets 1.19.7 - 第05章 - 部署kube-nginx

    文章目录 1.5.部署kube-nginx 1.5.0.下载nginx二进制文件 1.5.1.编译部署nginx 1.5.2.配置nginx.conf 1.5.3.配置nginx为systemctl管 ...

  6. suse 12 二进制部署 Kubernetets 1.19.7 - 第06章 - 部署kube-apiserver组件

    文章目录 1.6.部署kube-apiserver 1.6.0.创建kubernetes证书和私钥 1.6.1.生成kubernetes证书和私钥 1.6.2.创建metrics-server证书和私 ...

  7. suse 12 二进制部署 Kubernetets 1.19.7 - 第07章 - 部署kube-controller-manager组件

    文章目录 1.7.部署kube-controller-manager 1.7.0.创建kube-controller-manager请求证书 1.7.1.生成kube-controller-manag ...

  8. suse 12 二进制部署 Kubernetets 1.19.7 - 第08章 - 部署kube-scheduler组件

    文章目录 1.8.部署kube-scheduler 1.8.0.创建kube-scheduler请求证书 1.8.1.生成kube-scheduler证书和私钥 1.8.2.创建kube-schedu ...

  9. suse 12 二进制部署 Kubernetets 1.19.7 - 第10章 - 部署kube-proxy组件

    文章目录 1.10.部署kube-proxy 1.10.0.创建kube-proxy证书 1.10.1.生成kube-proxy证书和秘钥 1.10.2.创建kube-proxy的kubeconfig ...

随机推荐

  1. IDEA开启热部署

    双击shift,查找Registry

  2. Android官方文档翻译 四 1.2Running Your App

    Running Your App If you followed the previous lesson to create an Android project, it includes a def ...

  3. SQLServer触发器调用JavaWeb接口

    这几天接到一个需求需要吧不同系统的数据库进行同步,需要我做一个中间平台进行连接,瞬间就想到了触发器调用接口然后通过API进行传递再写入另一个数据库. sqlServer触发器调用JavaWeb接口 1 ...

  4. ctfshow web2 web3

    ctfshow web2 1.手动注入题.先用万能密码admin' or 1=1%23,有回显 2.union select注入,2处有回显 3.依次查找数据库.表.字段 得到flag ctfshow ...

  5. Solon Web 开发,十一、国际化

    Solon Web 开发 一.开始 二.开发知识准备 三.打包与运行 四.请求上下文 五.数据访问.事务与缓存应用 六.过滤器.处理.拦截器 七.视图模板与Mvc注解 八.校验.及定制与扩展 九.跨域 ...

  6. Cesium中级教程8 - Introduction to Particle Systems 粒子系统入门

    Cesium中文网:http://cesiumcn.org/ | 国内快速访问:http://cesium.coinidea.com/ What is a particle system? 什么是粒子 ...

  7. dubbo系列十一、dubbo transport层记录

    前言 在dubbo接口方法重载且入参未显式指定序列化id导致ClassCastException分析时候用到了dubbo的通信层和编解码,dubbo有个transport层,默认使用netty4进行网 ...

  8. 返回值String表示视图

    第一种:处理器方法返回String--表示逻辑视图名称(需配置视图解析器) 视图解析器: MyController类中: index.jsp中: 第二种:处理器方法方慧String,表示完整视图路径, ...

  9. java-导入import

    1 package face_package; 2 3 import face_packagedemoA.DemoA; 4 import face_packagedemoB.DemoB; 5 //真正 ...

  10. IoC容器-Bean管理XML方式(注入外部bean)

    注入属性-外部bean (1)创建两个类service类和dao类 (2)在service调用dao里面的方法 (3)在spring配置文件中进行配置