(1). Node节点需要部署以下组件
- kubelet
- kube-proxy
(2). 准备工作
# 部署node节点,需要的组件(从master拷贝)
[root@master ~]# scp kubernetes/server/bin/{kubelet,kube-proxy} root@10.211.55.101:/opt/kubernetes/bin/
# 为node-1节点创建日志目录
[root@node-1 ~]# mkdir -p /opt/kubernetes/logs
(3). 创建kubelet环境变量配置文件(/opt/kubernetes/config/kubelet)
说明: /opt/kubernetes/config/kubelet.kubeconfig 无需手动创建, 节点加入集群(CSR被批准)后, kubelet会自动生成该文件.
# Flags handed to the kubelet via the systemd EnvironmentFile (one variable, one quoted string).
# - --address and --hostname-override carry this node's IP (10.211.55.101); both must be edited on every other node.
# - --kubeconfig names a file that does not exist before the node joins; the surrounding text says it is generated on join.
# - bootstrap.kubeconfig is the credential used for the first CSR (requestor kubelet-bootstrap in the CSR listing);
#   NOTE(review): keep it and /opt/kubernetes/ssl readable by root only.
# - NOTE(review): --experimental-bootstrap-kubeconfig is, to my knowledge, the deprecated spelling of
#   --bootstrap-kubeconfig; confirm with `kubelet --help` on the version in use.
# - NOTE(review): the pause image is pulled by a mutable tag from a registry mirror; pinning it by digest
#   removes the dependency on whatever that tag points to later.
KUBELET_OPTS=" --logtostderr=false \
--log-dir=/opt/kubernetes/logs \
--v=4 \
--address=10.211.55.101 \
--hostname-override=10.211.55.101 \
--kubeconfig=/opt/kubernetes/config/kubelet.kubeconfig \
--experimental-bootstrap-kubeconfig=/opt/kubernetes/config/bootstrap.kubeconfig \
--config=/opt/kubernetes/config/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 "
(4). 创建:/opt/kubernetes/config/kubelet.config
[root@node-1 ~]# vi /opt/kubernetes/config/kubelet.config
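# Kubelet configuration file referenced by --config in KUBELET_OPTS.
# The nesting under `authentication:` is restored here; with all keys at column 0 the
# anonymous/enabled settings are not part of the authentication block.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
# Listen address and port of the kubelet API (exec, logs, pod listing are served here).
# The address is this node's IP and must be changed per node.
address: 10.211.55.101
port: 10250
# Must match the cgroup driver of the container runtime on this node.
cgroupDriver: cgroupfs
clusterDNS:
  - 10.0.0.2
clusterDomain: cluster.local.
# Lets the kubelet start on a host that still has swap enabled.
failSwapOn: false
# SECURITY: anonymous requests to the kubelet API on port 10250 are accepted with this setting.
# It is kept as the guide wrote it so the later steps still behave as described, but it should
# not leave an isolated lab. The hardened form is shown below; it additionally requires the
# kube-apiserver to present a client certificate to the kubelet
# (--kubelet-client-certificate / --kubelet-client-key), which this page does not configure.
#
# authentication:
#   anonymous:
#     enabled: false
#   webhook:
#     enabled: true
#   x509:
#     clientCAFile: <PLACEHOLDER: path to the cluster CA certificate>
# authorization:
#   mode: Webhook
authentication:
  anonymous:
    enabled: true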
(5). 通过systemd来管理kubelet(/usr/lib/systemd/system/kubelet.service)
# systemd unit that runs the kubelet with the flags from /opt/kubernetes/config/kubelet.
[Unit]
Description=Kubernetes Kubelet
# Start after Docker and stop with it: Requires= ties the kubelet's lifetime to docker.service.
After=docker.service
Requires=docker.service
[Service]
# No leading "-" on the path: the unit fails to start if this file is missing.
EnvironmentFile=/opt/kubernetes/config/kubelet
# Unbraced $KUBELET_OPTS is split on whitespace by systemd, so each flag becomes its own argument.
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
# Only the main kubelet process is killed on stop; other processes in the unit's cgroup are left running.
KillMode=process
[Install]
WantedBy=multi-user.target
(6). 创建kube-proxy环境变量配置文件(/opt/kubernetes/config/kube-proxy)
# 注意两台node的ip不一样
# Flags handed to kube-proxy via the systemd EnvironmentFile.
# - --hostname-override is this node's IP and has to be edited on every node
#   (the guide uses the same value as the kubelet's --hostname-override).
# - NOTE(review): --cluster-cidr is normally the pod network range; 10.0.0.0/24 also contains the
#   clusterDNS address 10.0.0.2 from kubelet.config, so confirm it is not the service range.
# - --proxy-mode=ipvs presumably needs the IPVS kernel modules on the node; the page does not show
#   that step — confirm before relying on it.
# - kube-proxy.kubeconfig is not created on this page; it holds kube-proxy's API credentials,
#   NOTE(review): keep it readable by root only.
KUBE_PROXY_OPTS=" --logtostderr=false \
--log-dir=/opt/kubernetes/logs \
--v=4 \
--hostname-override=10.211.55.101 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/config/kube-proxy.kubeconfig "
(7). 通过systemd来管理kube-proxy(/usr/lib/systemd/system/kube-proxy.service)
# systemd unit that runs kube-proxy with the flags from /opt/kubernetes/config/kube-proxy.
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
# The leading "-" makes a missing file non-fatal: kube-proxy would then start with an empty
# $KUBE_PROXY_OPTS (no kubeconfig, default proxy mode). NOTE(review): the kubelet unit in this
# guide omits the "-" and fails loudly instead; consider doing the same here.
EnvironmentFile=-/opt/kubernetes/config/kube-proxy
# Unbraced $KUBE_PROXY_OPTS is split on whitespace by systemd, so each flag becomes its own argument.
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
(8). 启动kubelet
[root@node-1 ~]# systemctl daemon-reload
[root@node-1 ~]# systemctl restart kubelet
[root@node-1 ~]# systemctl enable kubelet
(9). Master允许node-1节点加入集群
# 查看node-1节点发起的:csr请求
[root@master ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM 9m27s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
# 允许这个节点加入K8S集群
# 批准前先用 kubectl describe csr <CSR名称> 核对该请求确实来自预期的节点; 证书一旦签发, 持有者即可以该节点身份访问apiserver, 不要批准来历不明的CSR.
[root@master ~]# kubectl certificate approve node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM
certificatesigningrequest.certificates.k8s.io/node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM approved
# 再次查看信息,由:Pending -> Approved,Issued
[root@master ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM 11m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
# 查看node状态
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.211.55.101 Ready <none> 102s v1.19.7
(10). 启动kube-proxy
[root@node-1 ~]# systemctl daemon-reload
[root@node-1 ~]# systemctl enable kube-proxy
# 在执行:systemctl enable kube-proxy时,有可能报错(Failed to execute operation: Invalid argument),解决方案如下
# 创建软链接即可
# [root@node-1 ~]# ln -s /usr/lib/systemd/system/kube-proxy.service /etc/systemd/system/multi-user.target.wants/kube-proxy.service
[root@node-1 ~]# systemctl restart kube-proxy
### (11). 部署node-2节点(拷贝node-1节点数据到node-2)
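# 拷贝node-1节点数据到:node-2
# 注意: /opt/kubernetes 整目录拷贝会把node-1已签发的证书和私钥(/opt/kubernetes/ssl)一并带到node-2, 所以下一步必须先清理; 更稳妥的做法是只拷贝bin目录和需要的配置文件, 不拷贝ssl目录.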
[root@node-1 ~]# scp -r /opt/kubernetes root@10.211.55.102:/opt/
[root@node-1 ~]# scp -r /usr/lib/systemd/system/kubelet.service root@10.211.55.102:/usr/lib/systemd/system/kubelet.service
[root@node-1 ~]# scp -r /usr/lib/systemd/system/kube-proxy.service root@10.211.55.102:/usr/lib/systemd/system/kube-proxy.service
(12). 部署node-2节点
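# 1. 删除从node-1拷贝过来的证书(master批准node-1加入集群时签发的), 让node-2重新向master申请属于自己的证书
#    建议同时确认从node-1带过来的 /opt/kubernetes/config/kubelet.kubeconfig 不会被node-2继续使用(必要时一并删除, 加入集群时会重新生成)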
[root@node-2 ~]# rm -rf /opt/kubernetes/ssl/*
# 2. 删除日志目录
[root@node-2 ~]# rm -rf /opt/kubernetes/logs/*
# 3. 修改配置(node-2:10.211.55.102)
# 将这三个文件里的IP(10.211.55.101)改成:10.211.55.102
[root@node-2 ~]# vi /opt/kubernetes/config/kubelet
[root@node-2 ~]# vi /opt/kubernetes/config/kubelet.config
[root@node-2 ~]# vi /opt/kubernetes/config/kube-proxy
# 4. 启动kubelet/kube-proxy
[root@node-2 ~]# systemctl daemon-reload
[root@node-2 ~]# systemctl restart kubelet
[root@node-2 ~]# systemctl enable kubelet
[root@node-2 ~]# systemctl daemon-reload
[root@node-2 ~]# systemctl enable kube-proxy
# 在执行:systemctl enable kube-proxy时,有可能报错(Failed to execute operation: Invalid argument),解决方案如下
# 创建软链接即可
# [root@node-2 ~]# ln -s /usr/lib/systemd/system/kube-proxy.service /etc/systemd/system/multi-user.target.wants/kube-proxy.service
[root@node-2 ~]# systemctl restart kube-proxy
(13). Master允许node-2节点加入K8S集群
[root@master ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-IWVRVfEf2aZ_y_QVaqrxGos_1_pMkkjhUCpbrwShWmI 2m23s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM 48m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
[root@master ~]# kubectl certificate approve node-csr-IWVRVfEf2aZ_y_QVaqrxGos_1_pMkkjhUCpbrwShWmI
certificatesigningrequest.certificates.k8s.io/node-csr-IWVRVfEf2aZ_y_QVaqrxGos_1_pMkkjhUCpbrwShWmI approved
[root@master ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-IWVRVfEf2aZ_y_QVaqrxGos_1_pMkkjhUCpbrwShWmI 2m36s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
node-csr-NMZhSNEKprZdRpkShO84T0TJGglShZp2IxM_jXjMIVM 48m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
10.211.55.101 Ready <none> 37m v1.19.7
10.211.55.102 Ready <none> 11s v1.19.7
(14). 在Master节点添加认证的用户
# exec进不了容器
[root@master ~]# kubectl exec -it dig -- nslookup kubernetes
error: unable to upgrade connection: Unauthorized
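# 在master节点上,添加认证用户
# 安全警告: 下面的命令把 cluster-admin 绑定给 system:anonymous. 在apiserver允许匿名请求(默认开启)的情况下, 任何未经认证、能访问到apiserver的请求都将拥有整个集群的全部权限, 只能用于隔离的实验环境.
# 更合理的做法(本文未展示, 需另行配置): 为kube-apiserver配置访问kubelet所用的客户端证书(--kubelet-client-certificate / --kubelet-client-key), 并在kubelet.config中关闭匿名访问、启用webhook/x509认证, 这样exec可以正常使用, 也无需给匿名用户授权.
# 如果已经执行过该命令, 可用 kubectl delete clusterrolebinding system:anonymous 撤销.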
[root@master ~]# kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
clusterrolebinding.rbac.authorization.k8s.io/system:anonymous created