kube-proxy 部署 ¶
创建 kube-proxy 证书请求文件 ¶
说明:
- hosts 列表包含所有 kube-proxy 节点 IP;
- CN 为 system:kube-proxy、O 为 system:kube-proxy,kubernetes 内置的 ClusterRoleBindings system:kube-proxy 赋予 kube-proxy 工作所需的权限
1. 创建证书目录
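# Step 1: directory that will hold the kube-proxy CSR, certificate, private key
# and kubeconfig. -p makes the step idempotent (re-running the guide no longer
# aborts here); -- stops option parsing so the name can never be read as a flag.
mkdir -p -- kube-proxy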
2. 创建请求证书文件
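#######################################
# Write the cfssl CSR for the kube-proxy client certificate.
# Arguments: $1 - output directory (step 1 normally created it already)
# Outputs:   <dir>/kube-proxy.json
# Returns:   non-zero if the directory or file cannot be written
# Notes:
# - CN=system:kube-proxy and O=system:kube-proxy are the identity the built-in
#   RBAC binding matches on; changing them leaves kube-proxy without permissions.
# - kube-proxy presents this certificate only as a *client* certificate to the
#   API server, so the IP SANs in "hosts" are not needed for it to work; they are
#   kept exactly as the author listed them.
#######################################
write_kube_proxy_csr() {
  local out_dir=$1
  mkdir -p -- "${out_dir}" || return
  # Quoted delimiter: the JSON body is written verbatim, nothing is expanded.
  cat > "${out_dir}/kube-proxy.json" <<'EOF'
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.3.50",
"192.168.3.51",
"192.168.3.52"
],
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-proxy",
"OU": "system"
}
]
}
EOF
}

write_kube_proxy_csr kube-proxy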
创建 kube-proxy 证书文件 ¶
创建 kube-proxy 的 kube-proxy.kubeconfig 文件 ¶
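#!/bin/bash
# Generate the kube-proxy client certificate with cfssl and build
# kube-proxy/kube-proxy.kubeconfig around it.
#
# Run from the directory that holds ca/ and kube-proxy/ (the "ca" node).
# Inputs:  ca/ca.pem, ca/ca-key.pem, ca/ca-config.json  (cluster CA)
#          kube-proxy/kube-proxy.json                   (CSR from the previous step)
# Outputs: kube-proxy/kube-proxy.pem, kube-proxy/kube-proxy-key.pem,
#          kube-proxy/kube-proxy.csr and kube-proxy/kube-proxy.kubeconfig.
#          Because of --embed-certs=true the kubeconfig contains the private
#          key, so it is handled like the key itself (mode 0600).
# The script stops at the first failed step (set -e / pipefail) instead of
# writing a kubeconfig that refers to a certificate that was never created.
set -euo pipefail

# 定义变量
readonly MODULE_NAME="kube-proxy"
readonly KUBERNETES_SERVER="https://192.168.3.200:6443"
readonly CA_DIR="ca"
readonly FILE_EXT=".kubeconfig"
readonly CLUSTER_NAME="kubernetes"
readonly USER_NAME="system:${MODULE_NAME}"

# CA 文件路径
readonly CA_CERT="${CA_DIR}/ca.pem"
readonly CA_KEY="${CA_DIR}/ca-key.pem"
readonly CA_CONFIG="${CA_DIR}/ca-config.json"

# 模块相关文件路径
readonly MODULE_DIR="${MODULE_NAME}"
readonly MODULE_CONFIG="${MODULE_DIR}/${MODULE_NAME}${FILE_EXT}"
readonly MODULE_CERT="${MODULE_DIR}/${MODULE_NAME}.pem"
readonly MODULE_KEY="${MODULE_DIR}/${MODULE_NAME}-key.pem"
readonly MODULE_JSON="${MODULE_DIR}/${MODULE_NAME}.json"

# Fail early when a required tool is missing; a missing cfssljson would
# otherwise only show up as an empty certificate file further down.
for tool in cfssl cfssljson kubectl; do
  command -v "${tool}" >/dev/null 2>&1 \
    || { printf 'required tool not found in PATH: %s\n' "${tool}" >&2; exit 1; }
done

# 检查目录是否存在,不存在则退出
if [[ ! -d "${MODULE_DIR}" ]]; then
  echo "目录 ${MODULE_DIR} 不存在,脚本退出。" >&2
  exit 1
fi

# Every input must be readable before cfssl is invoked.
for input in "${CA_CERT}" "${CA_KEY}" "${CA_CONFIG}" "${MODULE_JSON}"; do
  [[ -r "${input}" ]] \
    || { printf 'missing input file: %s\n' "${input}" >&2; exit 1; }
done

# 生成组件证书文件
# pipefail makes a cfssl error fatal even though cfssljson is the last stage.
cfssl gencert \
  -ca="${CA_CERT}" \
  -ca-key="${CA_KEY}" \
  -config="${CA_CONFIG}" \
  -profile=kubernetes \
  "${MODULE_JSON}" \
  | cfssljson -bare "${MODULE_DIR}/${MODULE_NAME}"
[[ -s "${MODULE_CERT}" && -s "${MODULE_KEY}" ]] \
  || { printf 'certificate or key was not written: %s %s\n' "${MODULE_CERT}" "${MODULE_KEY}" >&2; exit 1; }
# Private key: owner-only, independent of umask or the cfssljson version in use.
chmod 0600 -- "${MODULE_KEY}"

# 设置集群
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority="${CA_CERT}" \
  --embed-certs=true \
  --server="${KUBERNETES_SERVER}" \
  --kubeconfig="${MODULE_CONFIG}"

# 设置凭证
kubectl config set-credentials "${USER_NAME}" \
  --client-certificate="${MODULE_CERT}" \
  --client-key="${MODULE_KEY}" \
  --embed-certs=true \
  --kubeconfig="${MODULE_CONFIG}"

# 设置上下文
kubectl config set-context "${USER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"

# 使用上下文
kubectl config use-context "${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"

# The kubeconfig embeds the private key. kubectl normally creates it 0600
# already (as far as I know); making it explicit removes that dependency.
chmod 0600 -- "${MODULE_CONFIG}"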
创建 kube-proxy 服务配置文件 ¶
1. 在 ca 节点执行
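#######################################
# Write one KubeProxyConfiguration file for a node.
# Arguments: $1 - output directory
#            $2 - host name (file becomes <dir>/<host>-kube-proxy.conf)
#            $3 - node IP used for bindAddress / healthz / metrics
# Outputs:   <dir>/<host>-kube-proxy.conf
# Returns:   non-zero if the file cannot be written
# Notes:
# - `kubeconfig` is a field of `clientConnection` and must be indented under
#   it; written at top level it is not the same setting.
# - healthzBindAddress (10256) and metricsBindAddress (10249) are bound to the
#   node IP, so both endpoints are reachable from the node network (the
#   metrics default is 127.0.0.1:10249, as far as I recall). Keep the node IP
#   only if something scrapes these remotely, and restrict access at the
#   network level.
#######################################
write_kube_proxy_conf() {
  local out_dir=$1 host=$2 ip=$3
  mkdir -p -- "${out_dir}" || return
  # Unquoted delimiter on purpose: ${ip} is expanded; nothing else in the
  # body contains $ or backticks.
  cat > "${out_dir}/${host}-kube-proxy.conf" <<EOF
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: ${ip}
clientConnection:
  kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
clusterCIDR: 10.244.0.0/16
healthzBindAddress: ${ip}:10256
kind: KubeProxyConfiguration
metricsBindAddress: ${ip}:10249
mode: "ipvs"
EOF
}

# "host ip" pairs, the same five nodes the hand-written files covered.
kube_proxy_nodes=(
  "k8s-master01 192.168.3.50"
  "k8s-master02 192.168.3.51"
  "k8s-master03 192.168.3.52"
  "k8s-worker01 192.168.3.60"
  "k8s-worker02 192.168.3.61"
)

for entry in "${kube_proxy_nodes[@]}"; do
  read -r node_host node_ip <<<"${entry}"
  write_kube_proxy_conf kube-proxy "${node_host}" "${node_ip}"
done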
创建 kube-proxy 服务启动配置文件 ¶
1. ca 节点执行
# systemd unit for kube-proxy, staged in kube-proxy/ and copied to every node
# by the sync script below. It reads /etc/kubernetes/kube-proxy.yaml, which is
# the per-host config file renamed on copy. Quoted delimiter: body is literal.
cat <<'EOF' >kube-proxy/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/usr/local/bin/kube-proxy \
--config=/etc/kubernetes/kube-proxy.yaml \
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
同步 kube-proxy 证书文件到集群 master 节点 ¶
1. ca 节点执行
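#!/bin/bash
# Push the kube-proxy certificate, kubeconfig, per-host config and systemd unit
# to every node, then enable and start the service there.
#
# Run from the directory that holds kube-proxy/ (the "ca" node). The SSH login
# user must be able to write /etc/kubernetes, /etc/kubernetes/ssl and
# /usr/lib/systemd/system on each node; as in the original, sudo is used only
# for systemctl.
# A host whose kube-proxy/<host>-kube-proxy.conf does not exist is skipped
# entirely, so no node is left with certificates but no configuration.
set -euo pipefail

readonly TARGET_HOSTS=("k8s-master01" "k8s-master02" "k8s-master03" "k8s-worker01" "k8s-worker02")
readonly DIRECTORY=kube-proxy/

# Hosts that actually received the files; only these get systemctl commands.
deployed_hosts=()

# 通过循环执行 scp 命令
for host in "${TARGET_HOSTS[@]}"; do
  # Per-host config is <host>-kube-proxy.conf; the former case statement only
  # spelled out that rule for each host.
  conf="${DIRECTORY}${host}-kube-proxy.conf"
  if [[ ! -f "${conf}" ]]; then
    printf '未识别的主机名: %s\n' "${host}" >&2
    continue
  fi
  echo "正在复制文件到 ${host}..."
  # Working directory of kube-proxy on the node (WorkingDirectory= in the unit).
  ssh -t "${host}" 'mkdir -p /var/lib/kube-proxy'
  # Certificate and private key -> /etc/kubernetes/ssl/
  scp -- "${DIRECTORY}"kube-proxy*.pem "${host}:/etc/kubernetes/ssl/"
  # kubeconfig (embeds the private key) -> /etc/kubernetes/
  scp -- "${DIRECTORY}kube-proxy.kubeconfig" "${host}:/etc/kubernetes/"
  # systemd unit -> /usr/lib/systemd/system/
  scp -- "${DIRECTORY}kube-proxy.service" "${host}:/usr/lib/systemd/system/"
  # Per-host config, renamed to the path the unit's --config points at.
  scp -- "${conf}" "${host}:/etc/kubernetes/kube-proxy.yaml"
  # scp carries the source file's mode; make the key material owner-only on
  # the node regardless of what it was locally.
  ssh -t "${host}" 'chmod 0600 /etc/kubernetes/ssl/kube-proxy-key.pem /etc/kubernetes/kube-proxy.kubeconfig'
  deployed_hosts+=("${host}")
done

# 在目标主机上执行 systemctl 命令
for host in "${deployed_hosts[@]}"; do
  echo "在 ${host} 上执行 systemctl 命令..."
  ssh -t "${host}" 'sudo systemctl daemon-reload'
  ssh -t "${host}" 'sudo systemctl enable --now kube-proxy'
  # status exits non-zero when the unit is not active; report and carry on so
  # the remaining hosts are still handled (set -e would otherwise stop here).
  ssh -t "${host}" 'sudo systemctl status kube-proxy --no-pager' \
    || printf 'warning: kube-proxy is not active on %s\n' "${host}" >&2
done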
查看证书
# Inspect the deployed client certificate on a node: subject (CN/O), SANs,
# issuer and validity. Option order does not matter to openssl.
openssl x509 -noout -text -in /etc/kubernetes/ssl/kube-proxy.pem
启动 kube-proxy 服务 ¶
1. k8s-master 节点执行
可以去每个主节点查看服务是否启动
# Same unit as before; the explicit .service suffix is what systemctl appends
# when none is given.
systemctl status kube-proxy.service
2. k8s-master 节点查看状态
[root@k8s-master03 ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy ok