kubelet 部署 ¶
在 ca 节点执行
创建 kubelet-bootstrap 的 kubeconfig ¶
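# Create the TLS-bootstrap kubeconfig every kubelet uses to request its node
# certificate, then grant the bootstrap identity only what that flow needs.
# Run on the ca node, where the default kubeconfig is the admin one (the
# kubectl calls below that carry no --kubeconfig use it).
mkdir -p kubelet

# The bootstrap token is the first field of token.csv on k8s-master01.
# NOTE(review): assumes token.csv holds a single row; a multi-row file would
# yield a multi-line value here — confirm before relying on it.
BOOTSTRAP_TOKEN=$(ssh root@k8s-master01 "awk -F ',' '{print \$1}' /etc/kubernetes/token.csv")
: "${BOOTSTRAP_TOKEN:?could not read the bootstrap token from k8s-master01:/etc/kubernetes/token.csv}"
BOOTSTRAP_KUBECONFIG=kubelet/kubelet-bootstrap.kubeconfig

kubectl config set-cluster kubernetes \
  --certificate-authority=ca/ca.pem \
  --embed-certs=true \
  --server=https://192.168.3.200:6443 \
  --kubeconfig="$BOOTSTRAP_KUBECONFIG"
# The token is passed on the command line (visible in `ps` while kubectl
# runs) and stored in the kubeconfig; treat that file as a secret when it is
# copied to the nodes.
kubectl config set-credentials kubelet-bootstrap \
  --token="$BOOTSTRAP_TOKEN" \
  --kubeconfig="$BOOTSTRAP_KUBECONFIG"
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig="$BOOTSTRAP_KUBECONFIG"
kubectl config use-context default --kubeconfig="$BOOTSTRAP_KUBECONFIG"

# RBAC for the bootstrap flow, all created with the admin credentials:
#  - system:node-bootstrapper lets kubelet-bootstrap submit CSRs;
#  - the two certificatesigningrequests roles let the controller-manager
#    auto-approve the initial node client CSR and later rotations
#    (kubelet.service starts the kubelet with --rotate-certificates).
# The bootstrap identity is deliberately NOT bound to cluster-admin: the
# token is distributed to every node, so that binding would turn it into a
# cluster-wide admin credential.
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
kubectl create clusterrolebinding node-autoapprove-bootstrap \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient \
  --user=kubelet-bootstrap
kubectl create clusterrolebinding node-autoapprove-certificate-rotation \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient \
  --group=system:nodes
kubectl describe clusterrolebinding kubelet-bootstrap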
创建 kubelet 服务配置文件 ¶
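# Generate one KubeletConfiguration per node. The five configs differ only in
# the address the kubelet listens on, so a single template is filled in per
# host. Run on the ca node; the files land in kubelet/ and are copied to
# /etc/kubernetes/kubelet.json on the matching host by the distribution script.

#######################################
# Write kubelet/<node>-kubelet.json for one node.
# Arguments: $1 - node hostname (used only in the output file name)
#            $2 - IP address the kubelet binds to on that node
# Outputs:   the JSON file under kubelet/
# Returns:   the exit status of the write (non-zero if kubelet/ is missing)
#######################################
write_kubelet_config() {
  local node=$1
  local address=$2
  # Unquoted EOF so ${address} expands; the template contains no other $ or
  # backquote characters, so nothing else is substituted.
  # readOnlyPort is 0 (disabled): port 10255 would answer node and pod
  # details with no authentication at all, which defeats the anonymous=false
  # and webhook settings in the same file.
  cat > "kubelet/${node}-kubelet.json" << EOF
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "${address}",
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "systemd",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.96.0.2"]
}
EOF
}

write_kubelet_config k8s-master01 192.168.3.50
write_kubelet_config k8s-master02 192.168.3.51
write_kubelet_config k8s-master03 192.168.3.52
write_kubelet_config k8s-worker01 192.168.3.60
write_kubelet_config k8s-worker02 192.168.3.61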
创建 kubelet 服务管理配置文件 ¶
两个 worker 节点均执行
# systemd unit for the kubelet. It is written locally under kubelet/ and
# copied to /usr/lib/systemd/system/kubelet.service on every node by the
# distribution script; the flags reference the files that script places
# under /etc/kubernetes/ (bootstrap kubeconfig, kubelet.json, ssl/).
# NOTE(review): the unit orders itself after docker.service while the runtime
# endpoint is cri-dockerd's socket — confirm that matches how the container
# runtime was installed on the nodes.
# Quoted delimiter: the unit text is copied verbatim, no expansion.
cat <<'EOF' > kubelet/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/bin/kubelet \
--bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
--cert-dir=/etc/kubernetes/ssl \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--config=/etc/kubernetes/kubelet.json \
--rotate-certificates \
--container-runtime-endpoint=unix:///run/cri-dockerd.sock \
--pod-infra-container-image=registry.k8s.io/pause:3.9 \
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
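#!/bin/bash
# Distribute the kubelet bootstrap kubeconfig, the CA certificate, the systemd
# unit and each node's KubeletConfiguration, then enable the kubelet on every
# node. Run from the ca node after the files above have been generated into
# kubelet/ and ca/. Remote commands run as the SSH login user; the systemctl
# calls use sudo as in the original procedure.
set -euo pipefail

readonly TARGET_HOSTS=("k8s-master01" "k8s-master02" "k8s-master03" "k8s-worker01" "k8s-worker02")
readonly DIRECTORY=kubelet/
readonly CA_DIRECTORY=ca/

# Fail before touching any node if a host has no generated config, instead of
# shipping a node without kubelet.json and then enabling the service on it.
for host in "${TARGET_HOSTS[@]}"; do
  if [[ ! -f "${DIRECTORY}${host}-kubelet.json" ]]; then
    printf '%s\n' "未识别的主机名: $host" >&2
    exit 1
  fi
done

# Copy the files to every node.
for host in "${TARGET_HOSTS[@]}"; do
  printf '%s\n' "正在复制文件到 $host..."
  # kubelet working directory (WorkingDirectory= in kubelet.service)
  ssh -t "$host" 'mkdir -p /var/lib/kubelet'
  # The bootstrap kubeconfig embeds the bootstrap token: keep it owner-only on
  # the node (-p preserves the source mode, the chmod pins it regardless).
  scp -p "${DIRECTORY}kubelet-bootstrap.kubeconfig" "$host:/etc/kubernetes/"
  ssh -t "$host" 'chmod 600 /etc/kubernetes/kubelet-bootstrap.kubeconfig'
  # The kubelet only needs the CA certificate (clientCAFile in kubelet.json).
  # Copy ca.pem by name: a ca*.pem glob would also ship any CA private key
  # stored alongside it to every node.
  scp "${CA_DIRECTORY}ca.pem" "$host:/etc/kubernetes/ssl/"
  # systemd unit
  scp "${DIRECTORY}kubelet.service" "$host:/usr/lib/systemd/system/kubelet.service"
  # Per-host config, named after the host by the generation step above.
  scp "${DIRECTORY}${host}-kubelet.json" "$host:/etc/kubernetes/kubelet.json"
done

# Reload systemd and start the kubelet on every node.
for host in "${TARGET_HOSTS[@]}"; do
  printf '%s\n' "在 $host 上执行 systemctl 命令..."
  ssh -t "$host" 'sudo systemctl daemon-reload'
  ssh -t "$host" 'sudo systemctl enable --now kubelet'
  # status exits non-zero when the unit is not active; report it instead of
  # aborting under set -e, so the remaining nodes are still started.
  ssh -t "$host" 'sudo systemctl status --no-pager kubelet' \
    || printf '%s\n' "kubelet is not active on $host" >&2
done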
查看服务是否正常
# Check the rollout from the ca node: every node should appear in `get nodes`
# and each node's bootstrap CSR should be listed by `get csr`. A CSR that stays
# Pending has to be approved before that node can join (kubectl certificate
# approve <name>).
kubectl get nodes
kubectl get csr
# Show the container runtime each node reports (fixed-string match).
kubectl describe node | grep -F -- Runtime