1. Create the kube-proxy certificate
cat > /etc/ssl/kube-proxy/kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "ChengDu",
"L": "ChengDu",
"O": "k8s",
"OU": "dessler"
}
]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
-ca-key=/etc/ssl/ca-key.pem \
-config=/etc/ssl/ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
[root@host40 kube-proxy]
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
2. Distribute the certificates and binaries
3. Configure the kubeconfig file
[root@localhost kube-proxy]
> --certificate-authority=/etc/ssl/ca.pem \
> --embed-certs=true \
> --server=https://192.168.1.43:8443 \
> --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@localhost kube-proxy]
> --client-certificate=/etc/ssl/kube-proxy/kube-proxy.pem \
> --client-key=/etc/ssl/kube-proxy/kube-proxy-key.pem \
> --embed-certs=true \
> --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.
[root@localhost kube-proxy]
> --cluster=kubernetes \
> --user=kube-proxy \
> --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@localhost kube-proxy]
Switched to context "default".
4. Prepare the kube-proxy configuration file
cat > /opt/kubernetes/cfg/kube-proxy.config.yaml <<EOF
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.1.44
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
clusterCIDR: 172.30.0.0/16
healthzBindAddress: 192.168.1.44:10256
hostnameOverride: k8s-node01
kind: KubeProxyConfiguration
metricsBindAddress: 192.168.1.44:10249
mode: "ipvs"
EOF
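5. Configure the kube-proxy service
- Notes:
- bindAddress: the listen address
- kubeconfig: the kubeconfig file used to connect to the apiserver
- clusterCIDR: must match the value of kube-controller-manager's --cluster-cidr option; kube-proxy uses --cluster-cidr to tell in-cluster traffic from external traffic, and it only applies SNAT to requests for a Service IP once --cluster-cidr or --masquerade-all is specified
- hostnameOverride: the value must match the kubelet's value; otherwise kube-proxy cannot find the Node after it starts and will not create any ipvs rules
- mode: use ipvs mode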
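
The consistency requirements in the notes above can be checked before the service is started. The script below is an added example, not part of the original post: the function names `cfg_get` and `check_kube_proxy_cfg` and the sample file are constructed for illustration, and the expected values passed in are assumed to come from your kube-controller-manager and kubelet settings.

```bash
#!/usr/bin/env bash
# Added example: consistency check for kube-proxy.config.yaml.
# Function names and the sample file are constructed for illustration.

# Print the value of the first "key: value" line, with double quotes stripped.
cfg_get() {  # usage: cfg_get FILE KEY
  awk -v k="$2" '$1 == (k ":") { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Compare the file with the values the other components use.
# Prints one line per mismatch and returns the number of mismatches.
check_kube_proxy_cfg() {  # usage: check_kube_proxy_cfg FILE CLUSTER_CIDR KUBELET_HOSTNAME
  local file=$1 want_cidr=$2 want_host=$3 bad=0 v
  v=$(cfg_get "$file" clusterCIDR)
  if [ "$v" != "$want_cidr" ]; then
    echo "clusterCIDR '$v' != controller-manager --cluster-cidr '$want_cidr'"
    bad=$((bad + 1))
  fi
  v=$(cfg_get "$file" hostnameOverride)
  if [ "$v" != "$want_host" ]; then
    echo "hostnameOverride '$v' != kubelet value '$want_host'"
    bad=$((bad + 1))
  fi
  v=$(cfg_get "$file" mode)
  if [ "$v" != "ipvs" ]; then
    echo "mode '$v' is not ipvs"
    bad=$((bad + 1))
  fi
  return "$bad"
}

# Constructed sample input, modelled on the configuration file in step 4.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.1.44
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
clusterCIDR: 172.30.0.0/16
hostnameOverride: k8s-node01
kind: KubeProxyConfiguration
mode: "ipvs"
EOF

check_kube_proxy_cfg "$sample_cfg" 172.30.0.0/16 k8s-node01 && echo "config consistent"
check_kube_proxy_cfg "$sample_cfg" 10.244.0.0/16 k8s-node1 || echo "mismatches: $?"
```
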
6. Start the service
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
systemctl status kube-proxy