kubelet 授权 kube-apiserver 的一些操作 exec run logs 等
RBAC 只需创建一次就可以
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
创建 bootstrap kubeconfig 文件
注意: token 生效时间为 1day , 超过时间未创建自动失效,需要重新创建 token
kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:kubernetes-clientgroup --kubeconfig ~/.kube/config
查看生成的 token
kubeadm token list --kubeconfig ~/.kube/config
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
2kcmsb.hyl5s4g0l1mkff9z 23h 2018-11-16T11:08:00+08:00 authentication,signing kubelet-bootstrap-token system:bootstrappers:kubernetes-clientgroup
配置集群参数,生成kubernetes-clientgroup-bootstrap.kubeconfig
kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://192.168.1.7:6443 \ #master节点ip --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig
配置客户端认证
kubectl config set-credentials kubelet-bootstrap \ --token= 2kcmsb.hyl5s4g0l1mkff9z \ #上面生成的token --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig
配置关联
kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig
配置默认关联
kubectl config use-context default --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig
拷贝生成的 kubernetes-clientgroup-bootstrap.kubeconfig 文件到其它所有的node节点,并重命名
scp kubernetes-clientgroup-bootstrap.kubeconfig 192.168.1.8:/etc/kubernetes/bootstrap.kubeconfig
配置 bootstrap RBAC 权限
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
否则报如下错误
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:1jezb7" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
创建自动批准相关 CSR 请求的 ClusterRole
vi /etc/kubernetes/tls-instructs-csr.yaml
kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver rules: - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests/selfnodeserver"] verbs: ["create"]
导入 yaml 文件
kubectl apply -f /etc/kubernetes/tls-instructs-csr.yaml
clusterrole.rbac.authorization.k8s.io "system:certificates.k8s.io:certificatesigningrequests:selfnodeserver" created
查看创建的ClusterRole
kubectl describe ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
# 自动批准 system:bootstrappers 组用户 TLS bootstrapping 首次申请证书的 CSR 请求 kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers
# 自动批准 system:nodes 组用户更新 kubelet 自身与 apiserver 通讯证书的 CSR 请求 kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
# 自动批准 system:nodes 组用户更新 kubelet 10250 api 端口证书的 CSR 请求 kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver --group=system:nodes
查看已有绑定 kubectl get clusterrolebindings
动态 kubelet 配置
创建kubelet服务文件
mkdir -p /var/lib/kubelet
vim /etc/systemd/system/kubelet.service
[Unit] Description=Kubernetes Kubelet Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=docker.service Requires=docker.service [Service] WorkingDirectory=/var/lib/kubelet ExecStart=/usr/local/bin/kubelet \ --hostname-override=k8s-wjoyxt \ #本地node节点的hostname --pod-infra-container-image=jicki/pause-amd64:3.1 \ #pod的基础镜像,即gcr的gcr.io/google_containers/pause-amd64:3.1镜像 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \ --config=/etc/kubernetes/kubelet.config.json \ --cert-dir=/etc/kubernetes/ssl \ --logtostderr=true \ --v=2 [Install] WantedBy=multi-user.target
创建 kubelet config 配置文件
vim /etc/kubernetes/kubelet.config.json { "kind": "KubeletConfiguration", "apiVersion": "kubelet.config.k8s.io/v1beta1", "authentication": { "x509": { "clientCAFile": "/etc/kubernetes/ssl/ca.pem" }, "webhook": { "enabled": true, "cacheTTL": "2m0s" }, "anonymous": { "enabled": false } }, "authorization": { "mode": "Webhook", "webhook": { "cacheAuthorizedTTL": "5m0s", "cacheUnauthorizedTTL": "30s" } }, "address": "172.16.6.66", #本地node节点的IP "port": 10250, "readOnlyPort": 0, "cgroupDriver": "cgroupfs", "hairpinMode": "promiscuous-bridge", "serializeImagePulls": false, "RotateCertificates": true, "featureGates": { "RotateKubeletClientCertificate": true, "RotateKubeletServerCertificate": true }, "MaxPods": "512", "failSwapOn": false, "containerLogMaxSize": "10Mi", "containerLogMaxFiles": 5, "clusterDomain": "cluster.local.", "clusterDNS": ["10.254.0.2"] }
以上配置中:
cluster.local. 为 kubernetes 集群的 domain
10.254.0.2 预分配的 dns 地址
"clusterDNS": ["10.254.0.2"] 可配置多个 dns地址,逗号可开, 可配置宿主机dns
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
验证nodes
注意:这里的 ROLES 是节点标签
关于 kubectl get node 中的 ROLES 的标签
单 Master 打标签 kubectl label node es-60 node-role.kubernetes.io/master="",当标签为 NoSchedule,表示不进行资源调度
更新标签命令为 kubectl taint nodes es-60 node-role.kubernetes.io/master=:NoSchedule
单 Node 打标签 kubectl label node es-61 node-role.kubernetes.io/node=""
关于删除 label 可使用 - 号相连 如: kubectl label nodes es-61 node-role.kubernetes.io/node-
查看自动生成的证书配置文件
ls -lt /etc/kubernetes/ssl/kubelet-*
