部署环境
| IP地址 |
主机名 |
功能 |
|---|---|---|
| 10.1.32.230 | k8s-deploy-test | 部署节点,不承担实际作用 |
| 10.1.32.231 | k8s-master-test01 | master节点 |
| 10.1.32.232 | k8s-master-test02 | master节点 |
| 10.1.32.233 | k8s-master-test03 | master节点 |
| 10.1.32.240 | k8s-nginx-test | 负载均衡节点,实际生产中应为HA架构 |
| 10.1.32.234 | k8s-node01-test01 | node节点 |
| 10.1.32.235 | k8s-node02-test02 | node节点 |
| 10.1.32.236 | k8s-node03-test03 | node节点 |
部署kube-proxy
kube-proxy运行在worker节点上,负责为Pod创建代理服务。
kube-proxy从apiserver获取所有server信息,并根据server信息创建代理服务,实现server到Pod的请求路由和转发,从而实现K8s层级的虚拟转发网络。。
创建kube-proxy的配置文件并分发到各节点(k8s-deploy):
创建kube-proxy证书请求文件:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Shanghai",
"L": "Shanghai",
"O": "dominos",
"OU": "ops"
}
]
}
EOF- CN必须为system:kube-proxy。
- 该证书只会被 kube-proxy 当做 client 证书使用,所以 hosts 字段为空。
创建kube-proxy证书:
cfssl gencert -ca=/opt/k8s/work/ca.pem \
-ca-key=/opt/k8s/work/ca-key.pem \
-config=/opt/k8s/work/ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
创建kube-proxy的配置文件并分发到各节点(k8s-deploy):
设置kubeconfig文件的集群参数:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/work/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig设置kubeconfig文件的用户账户:
kubectl config set-credentials kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig设置kubeconfig文件的上线文参数:
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig设置kubeconfig文件的默认上下文:
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig将kube-proxy使用的kubeconfig配置文件分发到各node节点:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_name in ${NODE_NODE_NAMES[@]}
do
echo ">>> ${node_name}"
scp kube-proxy.kubeconfig root@${node_name}:/etc/kubernetes/
done创建kube-proxy的配置文件并分发到各节点(k8s-deploy):
创建kube-proxy的配置文件模版:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat > kube-proxy-config.yaml.template << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
burst: 200
kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
qps: 100
bindAddress: ##NODE_IP##
healthzBindAddress: ##NODE_IP##:10256
metricsBindAddress: ##NODE_IP##:10249
enableProfiling: true
clusterCIDR: ${CLUSTER_CIDR}
hostnameOverride: ##NODE_NAME##
mode: "ipvs"
portRange: ""
kubeProxyIPTablesConfiguration:
masqueradeAll: false
kubeProxyIPVSConfiguration:
scheduler: rr
excludeCIDRs: []
EOF- bindAddress,监听地址。
- clientConnection.kubeconfig,kube-proxy连接apiserver使用的kubeconfig文件。
- clusterCIDR,kube-proxy根据–cluster-cidr判断集群内部和外部流量,指定–cluster-cidr或–masquerade-all选项后kube-proxy才会对访问Service IP的请求做SNAT。
- hostnameOverride,参数值必须与kubelet的值一致,否则kube-proxy启动后会找不到该Node,从而不会创建任何ipvs规则。
- mode: 使用ipvs模式。
将kube-proxy的配置文件分到到各node节点:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for (( i=0; i < 3; i++ ))
do
echo ">>> ${NODE_NODE_NAMES[i]}"
sed -e "s/##NODE_NAME##/${NODE_NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_NODE_IPS[i]}/" kube-proxy-config.yaml.template > kube-proxy-config-${NODE_NODE_NAMES[i]}.yaml.template
scp kube-proxy-config-${NODE_NODE_NAMES[i]}.yaml.template root@${NODE_NODE_NAMES[i]}:/etc/kubernetes/kube-proxy-config.yaml
done创建kube-proxy的服务文件并分发到各节点(k8s-deploy):
创建kube-proxy的服务器文件模版:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat > kube-proxy.service << EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
WorkingDirectory=${K8S_DIR}/kube-proxy
ExecStart=/opt/k8s/bin/kube-proxy \\
--config=/etc/kubernetes/kube-proxy-config.yaml \\
--logtostderr=true \\
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF将kube-proxy的服务文件分到到各node节点:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_name in ${NODE_NODE_NAMES[@]}
do
echo ">>> ${node_name}"
scp kube-proxy.service root@${node_name}:/etc/systemd/system/
done启动各节点的kube-proxy服务并验证(k8s-deploy):
启动各节点的kube-proxy服务:
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p ${K8S_DIR}/kube-proxy"
ssh root@${node_ip} "modprobe ip_vs_rr"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy"
done验证各节点的kube-proxy服务是否成功启动:
for node_ip in ${NODE_NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status kube-proxy|grep Active"
done
查看各节点ipvs路由规则是否生成:
for node_ip in ${NODE_NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "/usr/sbin/ipvsadm -ln"
done
文档更新时间: 2021-09-02 17:22 作者:闻骏
