Kubernetes binary installation (v1.20.15), part 7: squeezing in a worker node

2022-06-11 11:31:40

Contents
  • Joining k8s-node1 to the cluster
    • Distribute the files
    • Verify the files
    • Start kubelet
    • Approve the new node's certificate request
    • Start kube-proxy

Joining k8s-node1 to the cluster

Distribute the files

# Run these commands on the master (k8s-master)

# Distribute the kubernetes working directory
scp -r /opt/kubernetes k8s-node1:/opt/

# Distribute the systemd unit files for kubelet and kube-proxy
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service k8s-node1:/usr/lib/systemd/system

# Distribute the CA certificate
scp /opt/kubernetes/ssl/ca.pem k8s-node1:/opt/kubernetes/ssl

# Replace kubelet.conf
scp /opt/TLS/k8s/cfg/kubelet02.conf k8s-node1:/opt/kubernetes/cfg/kubelet.conf

# Replace kube-proxy-config.yml
scp /opt/TLS/k8s/cfg/kube-proxy-config02.yml k8s-node1:/opt/kubernetes/cfg/kube-proxy-config.yml


# Delete the kubelet certificates and the kubeconfig file
ssh k8s-node1 "rm -f /opt/kubernetes/cfg/kubelet.kubeconfig"
ssh k8s-node1 "rm -f /opt/kubernetes/ssl/kubelet*"

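I was going to explain TLS Bootstrapping once more here, but never mind, that can wait for the next article. The reason for deleting these two files is that they have to be regenerated through the apiserver on the master. If the old ones are left in place, you get some baffling results, for example kubelet starts but the node cannot be seen from the master.

If you ever want to reinstall kubelet, remember to clean up those two locations first, otherwise things get very interesting…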

Verify the files

# Run these commands on k8s-node1

[root@k8s-node1 ~]# ll /opt/kubernetes
total 12
drwxr-xr-x 2 root root  114 Apr  3 15:47 bin
drwxr-xr-x 2 root root 4096 Apr  3 15:48 cfg
drwxr-xr-x 2 root root 4096 Apr  3 15:47 logs
drwxr-xr-x 2 root root 4096 Apr  3 15:48 ssl

[root@k8s-node1 ~]# ll /usr/lib/systemd/system/{kubelet,kube-proxy}.service
-rw-r--r-- 1 root root 246 Apr  3 15:47 /usr/lib/systemd/system/kubelet.service
-rw-r--r-- 1 root root 253 Apr  3 15:47 /usr/lib/systemd/system/kube-proxy.service

[root@k8s-node1 ~]# ll /opt/kubernetes/ssl/ca.pem
-rw-r--r-- 1 root root 1310 Apr  3 15:47 /opt/kubernetes/ssl/ca.pem

[root@k8s-node1 ~]# ll /opt/kubernetes/cfg/kubelet.conf
-rw-r--r-- 1 root root 382 Apr  3 15:48 /opt/kubernetes/cfg/kubelet.conf

[root@k8s-node1 ~]# cat /opt/kubernetes/cfg/kubelet.conf
KUBELET_OPTS="--logtostderr=false 
--v=2 
--log-dir=/opt/kubernetes/logs 
--hostname-override=k8s-node1 
--network-plugin=cni 
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig 
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig 
--config=/opt/kubernetes/cfg/kubelet-config.yml 
--cert-dir=/opt/kubernetes/ssl 
--pod-infra-container-image=ibmcom/pause-amd64:3.1"

[root@k8s-node1 ~]# ll /opt/kubernetes/cfg/kube-proxy-config.yml
-rw-r--r-- 1 root root 320 Apr  3 15:48 /opt/kubernetes/cfg/kube-proxy-config.yml

[root@k8s-node1 ~]# cat /opt/kubernetes/cfg/kube-proxy-config.yml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node1
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true

[root@k8s-node1 ~]# ll /opt/kubernetes/cfg/kubelet.kubeconfig
ls: cannot access /opt/kubernetes/cfg/kubelet.kubeconfig: No such file or directory

[root@k8s-node1 ~]# ll /opt/kubernetes/ssl/kubelet*
ls: cannot access /opt/kubernetes/ssl/kubelet*: No such file or directory

Note: bootstrap.kubeconfig contains the master's address.
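The manual checks above can be collected into one pre-start check that fails when credentials copied from the master are still present or when the two config files do not name this node. This is an added example, not part of the original article; the function name `node_preflight` and its two arguments are hypothetical.

```shell
#!/bin/sh
# Added example: pre-start check for a worker node whose /opt/kubernetes
# tree was copied from the master. ROOT and NODE are supplied by the caller.

# node_preflight ROOT NODE: prints one line per problem, returns their count.
node_preflight() {
    root="$1"; node="$2"; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Credentials issued to another host must not survive the copy,
    # otherwise kubelet reuses them instead of bootstrapping its own.
    [ -e "$root/cfg/kubelet.kubeconfig" ] &&
        fail "stale $root/cfg/kubelet.kubeconfig"
    for f in "$root"/ssl/kubelet*; do
        [ -e "$f" ] && fail "stale kubelet certificate or key: $f"
    done

    # Material needed for TLS bootstrapping must be present and non-empty.
    for f in cfg/bootstrap.kubeconfig ssl/ca.pem; do
        [ -s "$root/$f" ] || fail "missing $root/$f"
    done

    # Both components must announce this node's name, not the master's.
    k=$(sed -n 's/.*--hostname-override=\([^ "\\]*\).*/\1/p' \
        "$root/cfg/kubelet.conf" 2>/dev/null)
    p=$(sed -n 's/^hostnameOverride:[ ]*\([^ ]*\).*/\1/p' \
        "$root/cfg/kube-proxy-config.yml" 2>/dev/null)
    [ "$k" = "$node" ] || fail "kubelet.conf hostname-override is '$k', want '$node'"
    [ "$p" = "$node" ] || fail "kube-proxy hostnameOverride is '$p', want '$node'"

    return "$problems"
}
```

On the node it would be called as `node_preflight /opt/kubernetes k8s-node1` before `systemctl start kubelet`.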

Start kubelet

# Run this command on k8s-node1
[root@k8s-node1 ~]# systemctl daemon-reload && systemctl start kubelet && systemctl enable kubelet && systemctl status kubelet
....

Approve the new node's certificate request

# Run these commands on the master (k8s-master)

# List the certificate requests; the new one is in state Pending
[root@k8s-master cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   31m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   56s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending

# Approve the new request so the node joins the cluster
[root@k8s-master cfg]# kubectl certificate approve node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc
certificatesigningrequest.certificates.k8s.io/node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc approved

# Check the approval status of the certificate
[root@k8s-master cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   31m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   75s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued

# List the cluster nodes
[root@k8s-master cfg]# kubectl get nodes
NAME        STATUS     ROLES    AGE   VERSION
k8s-master  NotReady   <none>   30m   v1.23.4
k8s-node1   NotReady   <none>   14s   v1.23.4

# The network plugin has not been deployed yet, so the nodes stay NotReady
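
Before `kubectl certificate approve` is run, the pending request can be checked against what a kubelet bootstrap CSR is expected to carry: the signer shown in the listing above and a subject of exactly O=system:nodes, CN=system:node:<node name>. This is an added example, not the author's script; the function names `check_node_csr` and `approve_node_csr` are hypothetical, and it assumes `openssl`, `base64` and `kubectl` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original article): inspect a kubelet
# bootstrap CSR before approving it. Function names are hypothetical.

# check_node_csr PEM_FILE NODE: succeed only if the subject is exactly
# O=system:nodes, CN=system:node:<NODE>, with no other attributes.
check_node_csr() {
    pem="$1"; node="$2"; cn=""; org=""; other=""
    subject=$(openssl req -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null) ||
        { echo "REJECT: $pem is not a readable PKCS#10 request" >&2; return 1; }
    subject=${subject#subject=}
    # Collect every CN, O and other attribute; duplicates must not pass.
    while IFS= read -r rdn; do
        case "$rdn" in
            CN=*) cn="$cn|${rdn#CN=}" ;;
            O=*)  org="$org|${rdn#O=}" ;;
            *)    other="$other|$rdn" ;;
        esac
    done <<EOF
$(printf '%s\n' "$subject" | tr ',' '\n')
EOF
    if [ "$cn" = "|system:node:$node" ] && [ "$org" = "|system:nodes" ] &&
       [ -z "$other" ]; then
        echo "OK: $subject"
        return 0
    fi
    echo "REJECT: unexpected subject '$subject'" >&2
    return 1
}

# approve_node_csr CSR_NAME NODE: fetch the request from the API server,
# check signer and subject, and approve only if both match.
approve_node_csr() {
    name="$1"; node="$2"
    signer=$(kubectl get csr "$name" -o jsonpath='{.spec.signerName}') || return 1
    [ "$signer" = "kubernetes.io/kube-apiserver-client-kubelet" ] ||
        { echo "REJECT: signer is '$signer'" >&2; return 1; }
    tmp=$(mktemp) || return 1
    kubectl get csr "$name" -o jsonpath='{.spec.request}' | base64 -d > "$tmp" &&
        check_node_csr "$tmp" "$node" &&
        kubectl certificate approve "$name"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

On the master it would be called as `approve_node_csr <csr-name> k8s-node1`, with the name taken from the `kubectl get csr` listing.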

Start kube-proxy

[root@k8s-node1 ~]# systemctl daemon-reload && systemctl start kube-proxy && systemctl enable kube-proxy && systemctl status kube-proxy
