kubernetes v1.18.2 二進制部署 ipv4 kube-proxy 部署

簽發 kube-proxy 證書

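# Uses the environment variables defined at the beginning of the guide.
# Fail early when the ones used for paths and cluster access are missing,
# instead of letting cfssl/kubectl run against "/cfssl/..." or an empty server.
: "${HOST_PATH:?HOST_PATH must be set}"
: "${CLUSTER_NAME:?CLUSTER_NAME must be set}"
: "${KUBE_APISERVER:?KUBE_APISERVER must be set}"
: "${CERT_PROFILE:?CERT_PROFILE must be set}"

# Create the kube-proxy certificate request.
# The CN "system:kube-proxy" is the user kube-proxy authenticates as; the
# built-in ClusterRoleBinding system:node-proxier grants that user exactly
# the permissions kube-proxy needs. "O" becomes the client's group, so it
# must NOT be "system:masters": that group bypasses RBAC entirely and would
# turn the kubeconfig copied to every node into a cluster-admin credential.
cat << EOF | tee "${HOST_PATH}/cfssl/k8s/kube-proxy.json"
{
  "CN": "system:kube-proxy",
  "hosts": [""],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "${CERT_ST}",
      "L": "${CERT_L}",
      "O": "system:node-proxier",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF

# Generate the kube-proxy certificate and private key.
cfssl gencert \
  -ca="${HOST_PATH}/cfssl/pki/k8s/k8s-ca.pem" \
  -ca-key="${HOST_PATH}/cfssl/pki/k8s/k8s-ca-key.pem" \
  -config="${HOST_PATH}/cfssl/ca-config.json" \
  -profile="${CERT_PROFILE}" \
  "${HOST_PATH}/cfssl/k8s/kube-proxy.json" \
  | cfssljson -bare "${HOST_PATH}/cfssl/pki/k8s/kube-proxy"

# Build kube-proxy.kubeconfig.
kube_proxy_kubeconfig="${HOST_PATH}/kubeconfig/kube-proxy.kubeconfig"
# Cluster parameters (CA embedded so the file is self-contained on the node).
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority="${HOST_PATH}/cfssl/pki/k8s/k8s-ca.pem" \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig="${kube_proxy_kubeconfig}"
# Client authentication parameters.
kubectl config set-credentials system:kube-proxy \
  --client-certificate="${HOST_PATH}/cfssl/pki/k8s/kube-proxy.pem" \
  --client-key="${HOST_PATH}/cfssl/pki/k8s/kube-proxy-key.pem" \
  --embed-certs=true \
  --kubeconfig="${kube_proxy_kubeconfig}"
# Context parameters.
kubectl config set-context default \
  --cluster="${CLUSTER_NAME}" \
  --user=system:kube-proxy \
  --kubeconfig="${kube_proxy_kubeconfig}"
# Default context.
kubectl config use-context default --kubeconfig="${kube_proxy_kubeconfig}"
# The kubeconfig embeds the private key: keep it readable by the owner only.
chmod 0600 "${kube_proxy_kubeconfig}"

# Distribute the kubeconfig to the remote servers. The absolute path is used
# so this step no longer depends on the current directory being ${HOST_PATH}.
for node in 192.168.2.175 192.168.2.176 192.168.2.177 192.168.2.187 192.168.2.185; do
  scp "${kube_proxy_kubeconfig}" "${node}:/apps/k8s/conf"
done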

kube-proxy 二進制文件準備

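# Enter the directory holding the kube-proxy binary. Stop if it does not
# exist: otherwise the scp below would push whatever "kube-proxy" happens to
# be in the current directory, or fail on every node one by one.
cd "${HOST_PATH}/kubernetes/server/bin" || exit 1
# Copy the binary to every node (same node order as the kubeconfig step).
for node in 192.168.2.175 192.168.2.176 192.168.2.177 192.168.2.187 192.168.2.185; do
  scp kube-proxy "${node}:/apps/k8s/bin"
done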

kube-proxy 配置文件

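cd "${HOST_PATH}" || exit 1
# Create the kube-proxy options file (this one is for node 192.168.2.175).
#
# --hostname-override must be changed on every node. The reminder is kept
# OUTSIDE the here-doc on purpose: a "# comment" after the trailing backslash
# is not a shell comment inside a here-doc — it would be written into the
# file, the backslash followed by a space would stop being a line
# continuation, and the comment text would end up inside KUBE_PROXY_OPTS.
#
# --metrics-bind-address=0.0.0.0 exposes kube-proxy's unauthenticated
# metrics/healthz endpoint on every interface (the default is 127.0.0.1);
# restrict it if the node network is not trusted.
cat << EOF | tee /apps/k8s/conf/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--feature-gates=ServiceTopology=true,EndpointSlice=true \\
--masquerade-all=true \\
--proxy-mode=ipvs \\
--ipvs-min-sync-period=5s \\
--ipvs-sync-period=5s \\
--ipvs-scheduler=rr \\
--cluster-cidr=10.80.0.0/12 \\
--log-dir=/apps/k8s/log \\
--metrics-bind-address=0.0.0.0 \\
--hostname-override=k8s-master-1 \\
--kubeconfig=/apps/k8s/conf/kube-proxy.kubeconfig"
EOF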

建立 kube-proxy systemd文件

# Write the kube-proxy systemd unit into the current directory and push it
# to every node. \$KUBE_PROXY_OPTS is escaped so it is expanded by systemd
# from the EnvironmentFile at start time, not by this shell.
unit_file=kube-proxy.service
tee "${unit_file}" << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
LimitNOFILE=65535
LimitNPROC=65535
LimitCORE=infinity
LimitMEMLOCK=infinity
EnvironmentFile=-/apps/k8s/conf/kube-proxy
ExecStart=/apps/k8s/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target

EOF
# Upload the unit file to the remote servers.
for remote in 192.168.2.175 192.168.2.176 192.168.2.177 192.168.2.185 192.168.2.187; do
  scp -r "${unit_file}" "${remote}:/usr/lib/systemd/system"
done

kube-proxy 啓動

# Run one command over ssh on every kube-proxy node, in the fixed node order.
# Arguments: the command and its arguments, passed through to ssh unchanged.
run_on_all_nodes() {
  local node
  for node in 192.168.2.175 192.168.2.176 192.168.2.177 192.168.2.185 192.168.2.187; do
    ssh "${node}" "$@"
  done
}
# Reload unit files so systemd sees the new kube-proxy.service.
run_on_all_nodes systemctl daemon-reload
# Enable start at boot.
run_on_all_nodes systemctl enable kube-proxy.service
# Start kube-proxy.
run_on_all_nodes systemctl start kube-proxy.service
# Show the service status on each node.
run_on_all_nodes systemctl status kube-proxy.service

驗證 kube-proxy

# ssh 任意節點
[root@k8s-master-1 conf]# ip a| grep  kube-ipvs0
3: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
    inet 10.66.0.1/32 brd 10.66.0.1 scope global kube-ipvs0
[root@k8s-master-1 conf]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.66.0.1:443 rr
  -> 192.168.2.175:5443           Masq    1      0          0
  -> 192.168.2.176:5443           Masq    1      1          1
  -> 192.168.2.177:5443           Masq    1      0          2
[root@k8s-master-1 conf]# ipvsadm -ln -c
IPVS connection entries
pro expire state       source             virtual            destination
TCP 01:33  TIME_WAIT   10.66.0.1:53808    10.66.0.1:443      192.168.2.177:5443
TCP 00:33  TIME_WAIT   10.66.0.1:53736    10.66.0.1:443      192.168.2.176:5443
TCP 14:33  ESTABLISHED 10.66.0.1:53838    10.66.0.1:443      192.168.2.176:5443
TCP 00:03  TIME_WAIT   10.66.0.1:53700    10.66.0.1:443      192.168.2.177:5443
[root@k8s-master-1 conf]# curl -k https://10.66.0.1:443
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}[root@k8s-master-1 conf]#
# 可以正常訪問返回