A Kubernetes Node must run the following components:
Docker; the version installed here is docker-1.12.6
kubelet
kube-proxy, deployed as a DaemonSet
Install the rpm packages
yum localinstall -y kubelet-1.8.0-1.x86_64.rpm kubernetes-cni-0.5.1-1.x86_64.rpm
Create the ClusterRoleBinding on any master node
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
rsync -avSH rsync://master_ip/k8s/pki /etc/kubernetes/
rsync -avSH rsync://master_ip/k8s/bootstrap.kubeconfig /etc/kubernetes/
/etc/systemd/system/kubelet.service.d/kubelet.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.12 --cluster-domain=cluster.local"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.pem"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
Environment="KUBELET_EXTRA_ARGS=--v=2 --pod-infra-container-image=foxchan/pause-amd64:3.0 --fail-swap-on=false"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CGROUP_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
After editing, start kubelet
systemctl daemon-reload
systemctl start kubelet
Because TLS Bootstrapping is used, kubelet does not join the cluster immediately after starting; it first submits a certificate request.
Check the log
Oct 24 16:45:43 kubelet[240975]: I1024 16:45:43.566069 240975 bootstrap.go:57] Using bootstrap kubeconfig to generate TLS client cert, key and kubeconfig file
Check the CSR; it is still in the Pending state
[root@kvm-master manifests]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-VJFRWBpJqhe3lpLKPULmJ9wfYeF0xoMQF8VzfcvYyqw   2h        kubelet-bootstrap   Approved,Issued
node-csr-yCn3MIUz-luhqwEVva1haugCmoz48ykxU7x4er3pfQs   44s       kubelet-bootstrap   Pending
The certificate request has to be approved on the master
kubectl get csr | grep Pending | awk '{print $1}' | xargs kubectl certificate approve
Now the node has joined the cluster
[root@kvm-master manifests]# kubectl get nodes
NAME      STATUS     ROLES     AGE       VERSION
node2     NotReady   <none>    5m        v1.8.0
node1     Ready      <none>    1h        v1.8.0
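The approve one-liner above signs every pending CSR no matter who requested it or what the certificate is for. The following is an added example (not from the original post) of a triage step before approving: only CSRs submitted by the kubelet-bootstrap user that request the usages of a kubelet client certificate are selected, the same conditions the bootstrap flow is meant to cover. The input is a constructed sample shaped like `kubectl get csr -o json` for certificates.k8s.io/v1beta1; the example does not decode `spec.request` to check the certificate subject.

```python
import json

# Constructed sample in the shape of `kubectl get csr -o json` (v1beta1, as in k8s 1.8).
# CSR names and the non-bootstrap username are made up for this example.
SAMPLE_CSR_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": [
    {"metadata": {"name": "node-csr-EXAMPLE-ok"},
     "spec": {"username": "kubelet-bootstrap", "groups": ["system:bootstrappers"],
              "usages": ["digital signature", "key encipherment", "client auth"]},
     "status": {}},
    {"metadata": {"name": "node-csr-EXAMPLE-serverauth"},   # asks for a serving cert
     "spec": {"username": "kubelet-bootstrap", "groups": ["system:bootstrappers"],
              "usages": ["digital signature", "key encipherment", "server auth"]},
     "status": {}},
    {"metadata": {"name": "csr-EXAMPLE-other-user"},        # not the bootstrap identity
     "spec": {"username": "system:serviceaccount:default:example", "groups": [],
              "usages": ["digital signature", "key encipherment", "client auth"]},
     "status": {}},
    {"metadata": {"name": "node-csr-EXAMPLE-done"},          # already approved, ignored
     "spec": {"username": "kubelet-bootstrap", "groups": ["system:bootstrappers"],
              "usages": ["digital signature", "key encipherment", "client auth"]},
     "status": {"conditions": [{"type": "Approved"}]}},
]})

BOOTSTRAP_USER = "kubelet-bootstrap"
# Exactly the usages a kubelet requests for its client certificate during bootstrap.
CLIENT_USAGES = {"digital signature", "key encipherment", "client auth"}


def is_pending(csr):
    """A CSR is pending when no Approved or Denied condition has been recorded."""
    conditions = csr.get("status", {}).get("conditions", [])
    return not any(c.get("type") in ("Approved", "Denied") for c in conditions)


def triage_csrs(csr_list_json):
    """Return (approve, skip): CSR names that match the bootstrap profile, and
    (name, reason) pairs for pending CSRs that should be reviewed by a human."""
    approve, skip = [], []
    for csr in json.loads(csr_list_json)["items"]:
        if not is_pending(csr):
            continue
        name, spec = csr["metadata"]["name"], csr["spec"]
        if spec.get("username") != BOOTSTRAP_USER:
            skip.append((name, "requester is not the bootstrap user"))
        elif set(spec.get("usages", [])) != CLIENT_USAGES:
            skip.append((name, "usages differ from a kubelet client certificate"))
        else:
            approve.append(name)
    return approve, skip
```

Against a live cluster, feed `triage_csrs` the output of `kubectl get csr -o json` and pass only the returned approve list to `kubectl certificate approve`.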
Because kubelet is configured with network-plugin=cni but no CNI plugin has been installed yet, the node status is NotReady. If you do not want to see this error, or do not need networking, edit the kubelet configuration file and remove network-plugin=cni.
Oct 25 15:48:15 localhost kubelet: W1025 15:48:15.584765 240975 cni.go:196] Unable to update cni config: No networks found in /etc/cni/net.d
Oct 25 15:48:15 localhost kubelet: E1025 15:48:15.585057 240975 kubelet.go:2095] Container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized
Create the kube-proxy related files
Run on the master
kubectl apply -f kube-proxy-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-proxy
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: system:kube-proxy
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: system:node-proxier
  apiGroup: rbac.authorization.k8s.io
kubectl apply -f kubeproxy-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    k8s-app: kube-proxy
  name: kube-proxy
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kube-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-proxy
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - /usr/local/bin/kube-proxy --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig --cluster-cidr=10.96.0.0/12 --conntrack-max-per-core=655360 --conntrack-min=655360 --conntrack-tcp-timeout-established=1h --conntrack-tcp-timeout-close-wait=60s --v=2 1>>/var/log/kube-proxy.log 2>&1
        name: kube-proxy
        image: foxchan/kube-proxy-amd64:v1.8.1
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
        volumeMounts:
        - mountPath: /etc/kubernetes/
          name: k8s
        - mountPath: /var/log/kube-proxy.log
          name: logfile
        - mountPath: /run/xtables.lock
          name: xtables-lock
        - mountPath: /lib/modules
          name: modprobe
      hostNetwork: true
      serviceAccountName: kube-proxy
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
      - hostPath:
          path: /etc/kubernetes
        name: k8s
      - hostPath:
          path: /var/log/kube-proxy.log
        name: logfile
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: xtables-lock
      - hostPath:
          path: /lib/modules
          type: ""
        name: modprobe
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
Check that kube-proxy is running normally
[root@kvm-master kubeproxy]# kubectl get pods -n kube-system
NAME               READY     STATUS    RESTARTS   AGE
kube-proxy-rw2bt   1/1       Running   0          1m
kube-proxy-sct84   1/1       Running   0          1m