部署Node节点kube-proxy服务

部署主机

主机名 角色 ip
HDSS7-21.host.com kube-proxy 10.4.7.21
HDSS7-22.host.com kube-proxy 10.4.7.22

注意:这里部署文档以HDSS7-21.host.com主机为例,另外一台运算节点(HDSS7-22.host.com)安装部署方法类似,只需把启动脚本中的--hostname-override和supervisor配置中的program名称改成本机对应的值。

签发证书

[root@hdss7-200 certs]# vim kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json | cfssl-json -bare kube-proxy-client
2019/11/17 14:08:07 [INFO] generate received request
2019/11/17 14:08:07 [INFO] received CSR
2019/11/17 14:08:07 [INFO] generating key: rsa-2048
2019/11/17 14:08:08 [INFO] encoded CSR
2019/11/17 14:08:08 [INFO] signed certificate with serial number 279341187308665700948191655234490079643724706187
2019/11/17 14:08:08 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@hdss7-200 certs]# ll kube-proxy*
-rw------- 1 root root 1675 Nov 17 14:08 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1005 Nov 17 14:08 kube-proxy-client.csr
-rw-r--r-- 1 root root 1383 Nov 17 14:08 kube-proxy-client.pem
-rw-r--r-- 1 root root  267 Nov 17 14:07 kube-proxy-csr.json

分发证书

[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/kube-proxy-client.pem .
root@hdss7-200's password:
kube-proxy-client.pem               100% 1383   283.9KB/s   00:00    
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/kube-proxy-client-key.pem .
root@hdss7-200's password:
kube-proxy-client-key.pem           100% 1675   246.3KB/s   00:00  

创建集群用户

set-cluster

[root@hdss7-21 cert]# cd ../conf/
[root@hdss7-21 conf]# kubectl config set-cluster myk8s \
   --certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
   --embed-certs=true \
   --server=https://10.4.7.10:7443 \
   --kubeconfig=kube-proxy.kubeconfig
Cluster "myk8s" set.

set-credentials

[root@hdss7-21 conf]# kubectl config set-credentials kube-proxy \
   --client-certificate=/opt/kubernetes/server/bin/cert/kube-proxy-client.pem \
   --client-key=/opt/kubernetes/server/bin/cert/kube-proxy-client-key.pem \
   --embed-certs=true \
   --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.

set-context

[root@hdss7-21 conf]# kubectl config set-context myk8s-context \
   --cluster=myk8s \
   --user=kube-proxy \
   --kubeconfig=kube-proxy.kubeconfig
Context "myk8s-context" created.

use-context

[root@hdss7-21 conf]# kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig
Switched to context "myk8s-context".

分发配置

[root@hdss7-21 conf]# scp kube-proxy.kubeconfig root@hdss7-22:/opt/kubernetes/server/bin/conf/
root@hdss7-22's password:
kube-proxy.kubeconfig               100% 6235   236.7KB/s   00:00  

配置ipvs转发

[root@hdss7-21 conf]# vim ~/ipvs.sh
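#!/bin/bash
# Load every IPVS kernel module shipped with the running kernel so that
# kube-proxy can run with --proxy-mode=ipvs.
#
# Candidates are taken from the kernel's netfilter/ipvs module directory.
# Each name is checked with `modinfo` first so a stray non-module file does
# not trip `modprobe`. Loading stays best-effort: a module that fails to
# load is reported on stderr but does not stop the loop.
#
# The deployment doc runs this file with `sh ~/ipvs.sh`, so only POSIX sh
# syntax is used here (in particular no `&>`, which a non-bash sh would
# parse as "run in background").
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"

# Glob instead of parsing `ls` output; the [ -e ] guard covers the case
# where the directory is missing or empty (POSIX sh leaves an unmatched
# glob as the literal pattern).
for path in "$ipvs_mods_dir"/*; do
  [ -e "$path" ] || continue
  # Module name = basename with everything from the first '.' dropped
  # (ip_vs_rr.ko.xz -> ip_vs_rr), same result as the former grep -o "^[^.]*".
  mod=${path##*/}
  mod=${mod%%.*}
  if /sbin/modinfo -F filename "$mod" >/dev/null 2>&1; then
    /sbin/modprobe "$mod" || printf 'ipvs.sh: failed to load module %s\n' "$mod" >&2
  fi
done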
[root@hdss7-21 conf]# sh ~/ipvs.sh
[root@hdss7-21 conf]# lsmod|grep ip_vs
ip_vs_wrr              12697  0
ip_vs_wlc              12519  0
ip_vs_sh               12688  0
ip_vs_sed              12519  0
ip_vs_rr               12600  0
ip_vs_pe_sip           12740  0
nf_conntrack_sip       33860  1 ip_vs_pe_sip
ip_vs_nq               12516  0
ip_vs_lc               12516  0
ip_vs_lblcr            12922  0
ip_vs_lblc             12819  0
ip_vs_ftp              13079  0
ip_vs_dh               12688  0
ip_vs                 145497  24 ip_vs_dh,ip_vs_lc,ip_vs_nq,ip_vs_rr,ip_vs_sh,ip_vs_ftp,ip_vs_sed,ip_vs_wlc,ip_vs_wrr,ip_vs_pe_sip,ip_vs_lblcr,ip_vs_lblc
nf_nat                 26583  3 ip_vs_ftp,nf_nat_ipv4,nf_nat_masquerade_ipv4
nf_conntrack          137239  8 ip_vs,nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_sip,nf_conntrack_ipv4
libcrc32c              12644  4 xfs,ip_vs,nf_nat,nf_conntrack

创建启动脚本

[root@hdss7-21 bin]# vim kube-proxy.sh
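#!/bin/bash
# Start kube-proxy on this node.
#
# The binary and the kubeconfig are addressed relative to the directory this
# script lives in (/opt/kubernetes/server/bin in the doc), so cd there first
# instead of relying on the caller's cwd (supervisord sets directory=, but a
# manual run from elsewhere would otherwise fail).
#
# `exec` replaces the shell with kube-proxy, so the process supervisord
# tracks, signals (stopsignal) and reads the exit code from is kube-proxy
# itself rather than a wrapper shell.
#
# --hostname-override must match this node's name (hdss7-21 here; change it
# on the other node). The nq scheduler is provided by the ip_vs_nq module
# loaded by ipvs.sh.
cd "$(dirname "$0")" || exit 1

exec ./kube-proxy \
  --cluster-cidr 172.7.0.0/16 \
  --hostname-override hdss7-21.host.com \
  --proxy-mode=ipvs \
  --ipvs-scheduler=nq \
  --kubeconfig ./conf/kube-proxy.kubeconfig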
[root@hdss7-21 bin]# chmod +x kube-proxy.sh
[root@hdss7-21 bin]# mkdir -p /data/logs/kubernetes/kube-proxy

创建supervisor配置

[root@hdss7-21 bin]# vim /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-7-21]
command=/opt/kubernetes/server/bin/kube-proxy.sh                 ; the program (relative uses PATH, can take args)
numprocs=1                                                       ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                             ; directory to cwd to before exec (def no cwd)
autostart=true                                                   ; start at supervisord start (default: true)
autorestart=true                                                 ; restart at unexpected quit (default: true)
startsecs=22                                                     ; number of secs prog must stay running (def. 1)
startretries=3                                                   ; max # of serial start failures (default 3)
exitcodes=0,2                                                    ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                  ; signal used to kill process (default TERM)
stopwaitsecs=10                                                  ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                        ; setuid to this UNIX account to run the program
redirect_stderr=false                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log     ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                     ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                         ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                      ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                      ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-proxy/proxy.stderr.log     ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                     ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                         ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                      ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                      ; emit events on stderr writes (default false)
stopasgroup=true                                                 ;默认为false,进程被杀死时,是否向这个进程组发送stop信号,包括子进程
killasgroup=true                                                 ;默认为false,向进程组发送kill信号,包括子进程

启动kube-proxy

[root@hdss7-21 bin]# supervisorctl update
kube-proxy-7-21: added process group
[root@hdss7-21 bin]# supervisorctl status
etcd-server-7-21                 RUNNING   pid 13739, uptime 18:46:12
kube-apiserver-7-21              RUNNING   pid 13888, uptime 16:55:46
kube-controller-manager-7-21     RUNNING   pid 14810, uptime 2:29:31
kube-kubelet-7-21                RUNNING   pid 14992, uptime 1:17:20
kube-proxy-7-21                  RUNNING   pid 33712, uptime 0:01:41
kube-scheduler-7-21              RUNNING   pid 14840, uptime 2:15:55

查看是否ipvs调用

[root@hdss7-21 bin]# yum install -y ipvsadm
[root@hdss7-21 bin]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.1:443 nq
  -> 10.4.7.21:6443               Masq    1      0          0         
  -> 10.4.7.22:6443               Masq    1      0          0

 
