K8S從入門到放棄系列-(10)kubernetes集羣之kube-proxy部署

摘要:
  kube-proxy的做用主要是負責service的實現,具體來講,就是實現了內部從pod到service和外部的從node port向service的訪問

新版本目前 kube-proxy 組件所有采用 ipvs 方式負載,因此爲了 kube-proxy 能正常工做須要預先處理一下 ipvs 配置以及相關依賴(每臺 node 都要處理)
## 開啓ipvs
[root@k8s-master01 ~]# ansible k8s-node -m shell -a "yum install -y ipvsadm ipset conntrack"
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'modprobe -- ip_vs'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'modprobe -- ip_vs_rr'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'modprobe -- ip_vs_wrr'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'modprobe -- ip_vs_sh'
[root@k8s-master01 ~]# ansible k8s-node -m shell -a 'modprobe -- nf_conntrack_ipv4'
1)建立kube-proxy證書請求

[root@k8s-master01 ~]# vim /opt/k8s/certs/kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "system:kube-proxy",
            "OU": "System"
        }
    ]
}
2)生成kube-proxy證書與私鑰

[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
 -ca-key=/etc/kubernetes/ssl/ca-key.pem \
 -config=/opt/k8s/certs/ca-config.json \
 -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/04/25 17:39:22 [INFO] generate received request
2019/04/25 17:39:22 [INFO] received CSR
2019/04/25 17:39:22 [INFO] generating key: rsa-2048
2019/04/25 17:39:22 [INFO] encoded CSR
2019/04/25 17:39:22 [INFO] signed certificate with serial number 265052874363255358468035370835573343349230196562
2019/04/25 17:39:22 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
3)查看證書生成

[root@k8s-master01 certs]# ll kube-proxy*
-rw-r--r-- 1 root root 1029 Apr 25 17:39 kube-proxy.csr
-rw-r--r-- 1 root root  302 Apr 25 17:37 kube-proxy-csr.json
-rw------- 1 root root 1675 Apr 25 17:39 kube-proxy-key.pem
-rw-r--r-- 1 root root 1428 Apr 25 17:39 kube-proxy.pem
4)證書分發

[root@k8s-master01 certs]# ansible k8s-node -m copy -a 'src=/opt/k8s/certs/kube-proxy-key.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-node -m copy -a 'src=/opt/k8s/certs/kube-proxy.pem dest=/etc/kubernetes/ssl/'
5)建立kube-proxy kubeconfig文件
kube-proxy組件鏈接 apiserver 所需配置文件
## 配置集羣參數
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
 --certificate-authority=/etc/kubernetes/ssl/ca.pem \
 --embed-certs=true \
 --server=https://127.0.0.1:6443 \
 --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
## 配置客戶端認證參數
[root@k8s-master01 ~]# kubectl config set-credentials system:kube-proxy \
 --client-certificate=/opt/k8s/certs/kube-proxy.pem \
 --embed-certs=true \
 --client-key=/opt/k8s/certs/kube-proxy-key.pem \
 --kubeconfig=kube-proxy.kubeconfig
User "system:kube-proxy" set.
## 配置集羣上下文
[root@k8s-master01 ~]# kubectl config set-context system:kube-proxy@kubernetes \
 --cluster=kubernetes \
 --user=system:kube-proxy \
 --kubeconfig=kube-proxy.kubeconfig
Context "system:kube-proxy@kubernetes" created.
## 配置集羣默認上下文
[root@k8s-master01 ~]# kubectl config use-context system:kube-proxy@kubernetes --kubeconfig=kube-proxy.kubeconfig
Switched to context "system:kube-proxy@kubernetes".

##配置文件分發至node節點
[root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/root/kube-proxy.kubeconfig dest=/etc/kubernetes/config/'
6)配置kube-proxy參數

[root@k8s-master01 ~]# vim /opt/k8s/cfg/kube-proxy.conf
###
# kubernetes proxy config
# default config should be adequate
# Add your own!
KUBE_PROXY_ARGS="   --bind-address=0.0.0.0 \
                    --cleanup-ipvs=true \
                    --cluster-cidr=10.254.0.0/16 \
                    --hostname-override=k8s-node01 \
                    --healthz-bind-address=0.0.0.0 \
                    --healthz-port=10256 \
                    --masquerade-all=true \
                    --proxy-mode=ipvs \
                    --ipvs-min-sync-period=5s \
                    --ipvs-sync-period=5s \
                    --ipvs-scheduler=wrr \
                    --kubeconfig=/etc/kubernetes/config/kube-proxy.kubeconfig \
                    --logtostderr=true \
                    --v=2"
## 分發參數配置文件
### 修改hostname-override字段所屬主機名
[root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/opt/k8s/cfg/kube-proxy.conf dest=/etc/kubernetes/config/'
7)kube-proxy系統服務腳本

[root@k8s-master01 ~]# vim /opt/k8s/unit/kube-proxy.service
[Unit] Description=Kubernetes Kube-Proxy Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] EnvironmentFile=-/etc/kubernetes/config/kube-proxy.conf ExecStart=/usr/local/bin/kube-proxy $KUBE_PROXY_ARGS Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target ## 分發至node節點 [root@k8s-master01 ~]# ansible k8s-node -m copy -a 'src=/opt/k8s/unit/kube-proxy.service dest=/usr/lib/systemd/system/' ## 啓動服務 [root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl daemon-reload' [root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl enable kube-proxy' [root@k8s-master01 ~]# ansible k8s-node -m shell -a 'systemctl start kube-proxy'
8)查看ipvs路由規則

檢查LVS狀態,能夠看到已經建立了一個LVS集羣,未來自10.254.0.1:443的請求轉到三臺master的6443端口,而6443就是api-server的端口
[root@k8s-node01 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.254.0.1:443 wrr
  -> 10.10.0.18:6443              Masq    1      0          0         
  -> 10.10.0.19:6443              Masq    1      0          0         
  -> 10.10.0.20:6443              Masq    1      0          0
相關文章
相關標籤/搜索