
Kubernetes(五)kubernetes-the-hard-way方式(5.6)部署kubernetes工作节点


这部分我们部署kubernetes的工作节点worker。实例中我们有两个工作节点node-2和node-3:node-3是一个独立的工作节点,node-2是一个跟master在一起的节点。

在每个节点上我们会部署kubelet、kube-proxy、container runtime、cni、nginx-proxy。

Container Runtime - Containerd


----1.1 软件包下载


设定containerd的版本号

[root@node-2/3 ~]# VERSION=1.4.3

下载压缩包(下载完成后建议先用 release 页面发布的 sha256 校验文件核对,确认压缩包完整且没有被篡改,再解压并把二进制复制到系统目录)

[root@node-2/3 ~]# wget https://github.com/containerd/containerd/releases/download/v${VERSION}/cri-containerd-cni-${VERSION}-linux-amd64.tar.gz
----1.2 整理压缩文件

下载后的文件是一个tar.gz,是一个allinone的包,包括了runc、circtl、ctr、containerd等容器运行时以及cni相关的文件,解压缩到一个独立的目录中

[root@node-2/3 ~]# mkdir -p /root/containerd
[root@node-2/3 ~]# cd /root/containerd
[root@node-2/3 containerd]# ll cri-containerd-cni-1.4.3-linux-amd64.tar.gz
-rw-r--r-- 1 root root 99176835 Dec  1  2020 cri-containerd-cni-1.4.3-linux-amd64.tar.gz

# 解压缩
[root@node-2/3 containerd]# tar -zxvf cri-containerd-cni-1.4.3-linux-amd64.tar.gz 
[root@node-2/3 containerd]# ll
total 96868
-rw-r--r-- 1 root root 99176835 Nov  5 14:47 cri-containerd-cni-1.4.3-linux-amd64.tar.gz
drwxr-xr-x 4 root root     4096 Dec  1  2020 etc
drwxr-xr-x 4 root root     4096 Dec  1  2020 opt
drwxr-xr-x 3 root root     4096 Dec  1  2020 usr

# 复制需要的文件
[root@node-2/3 containerd]# cp etc/crictl.yaml /etc/
[root@node-2/3 containerd]# ll /etc/crictl.yaml
-rw-r--r-- 1 root root 57 Nov  5 14:54 /etc/crictl.yaml
[root@node-2/3 containerd]# cp etc/systemd/system/containerd.service /etc/systemd/system/
[root@node-2/3 containerd]# ll /etc/systemd/system/containerd.service
-rw-r--r-- 1 root root 1269 Nov  5 14:54 /etc/systemd/system/containerd.service
[root@node-2/3 containerd]# cp -r usr /
[root@node-2/3 containerd]# ll /usr/local/bin/containerd*
-rwxr-xr-x 1 root root 49254048 Nov  5 14:54 /usr/local/bin/containerd
-rwxr-xr-x 1 root root  6742016 Nov  5 14:54 /usr/local/bin/containerd-shim
-rwxr-xr-x 1 root root  9097216 Nov  5 14:54 /usr/local/bin/containerd-shim-runc-v1
-rwxr-xr-x 1 root root  9113600 Nov  5 14:54 /usr/local/bin/containerd-shim-runc-v2
[root@node-2/3 containerd]# ll /usr/local/bin/cri*
-rwxr-xr-x 1 root root 27513491 Nov  5 14:54 /usr/local/bin/crictl
-rwxr-xr-x 1 root root 30870619 Nov  5 14:54 /usr/local/bin/critest
[root@node-2/3 containerd]# ll /usr/local/bin/ctr
-rwxr-xr-x 1 root root 26042464 Nov  5 14:54 /usr/local/bin/ctr
[root@node-2/3 containerd]# ll /usr/local/sbin/runc 
-rwxr-xr-x 1 root root 14794440 Nov  5 14:54 /usr/local/sbin/runc

----1.3 containerd配置文件

[root@node-2-3 containerd]# which containerd
/usr/local/bin/containerd
[root@node-2-3 containerd]# mkdir -p /etc/containerd
# 默认配置生成配置文件
[root@node-2-3 containerd]# containerd config default > /etc/containerd/config.toml
[root@node-2/3 containerd]# ll /etc/containerd/config.toml
-rw-r--r-- 1 root root 4071 Nov  5 15:06 /etc/containerd/config.toml
[root@node-2-3 containerd]# cat /etc/containerd/config.toml
# 定制化配置(可选)
[root@node-2-3 containerd]# vim /etc/containerd/config.toml
#这里的属性看Word文档。可对应第四章的配置看看!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[root@node-2-3 ~]# vim /etc/containerd/config.toml
#如果是docker,那么是/var/lib/docker。这个目录修改为磁盘空间比较充足的位置,软链接也可以。
root = "/var/lib/containerd"
#这里从0改为比较小的值,系统内存不足的时候更不容易被杀掉,毕竟是守护进程,更不应该容易被杀掉。
#这一章作者没改动,自己根据第四章改动了。
oom_score = -999
#其他配置暂不关注,一下学习太多细节的东西,学习没好处,不好消化。

----1.4 启动containerd

[root@node-2-3 containerd]# systemctl enable containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /etc/systemd/system/containerd.service.
[root@node-2-3 containerd]# systemctl restart containerd
[root@node-2-3 containerd]# systemctl status containerd
[root@node-2-3 containerd]# systemctl is-enabled containerd
enabled

配置kubelet


#准备kubelet配置(kubelet依赖了K8S的证书目录)。注意:下面的 kubelet-config.yaml 只用到 ca.pem 和本节点自己的证书/私钥,ca-key.pem(CA 私钥)worker 节点并不需要;把它复制到每个工作节点会扩大泄露面,节点一旦被攻破就能用它签发任意客户端证书。建议纯 worker 节点(如 node-3)不要复制 ca-key.pem;node-2 上同时跑着 master 组件,另当别论。

[root@node-2/3 ~]# pwd
/root

[root@node-2 ~]# echo $HOSTNAME
node-2
[root@node-3 ~]# echo $HOSTNAME
node-3

[root@node-2/3 ~]# mkdir -p /etc/kubernetes/ssl/

[root@node-2/3 ~]# cp ${HOSTNAME}-key.pem ${HOSTNAME}.pem ca.pem ca-key.pem /etc/kubernetes/ssl/
cp: overwrite ‘/etc/kubernetes/ssl/node-2-key.pem’? y
cp: overwrite ‘/etc/kubernetes/ssl/node-2.pem’? y
cp: overwrite ‘/etc/kubernetes/ssl/ca.pem’? y
cp: overwrite ‘/etc/kubernetes/ssl/ca-key.pem’? y

[root@node-2 ~]# ll /etc/kubernetes/ssl/
total 40
-rw------- 1 root root 1679 Nov  5 15:33 ca-key.pem
-rw-r--r-- 1 root root 1367 Nov  5 15:33 ca.pem
-rw------- 1 root root 1679 Nov  4 22:34 kubernetes-key.pem
-rw-r--r-- 1 root root 1647 Nov  4 22:34 kubernetes.pem
-rw------- 1 root root 1679 Nov  5 15:33 node-2-key.pem
-rw-r--r-- 1 root root 1456 Nov  5 15:33 node-2.pem
-rw------- 1 root root 1675 Nov  4 22:34 proxy-client-key.pem
-rw-r--r-- 1 root root 1399 Nov  4 22:34 proxy-client.pem
-rw------- 1 root root 1675 Nov  4 22:34 service-account-key.pem
-rw-r--r-- 1 root root 1407 Nov  4 22:34 service-account.pem
[root@node-3 ~]# ll /etc/kubernetes/ssl/
total 16
-rw------- 1 root root 1679 Nov  5 15:34 ca-key.pem
-rw-r--r-- 1 root root 1367 Nov  5 15:34 ca.pem
-rw------- 1 root root 1675 Nov  5 15:34 node-3-key.pem
-rw-r--r-- 1 root root 1456 Nov  5 15:34 node-3.pem

[root@node-2/3 ~]# cp ${HOSTNAME}.kubeconfig /etc/kubernetes/kubeconfig
[root@node-2/3 ~]# ll /etc/kubernetes/kubeconfig
-rw------- 1 root root 6369 Nov  5 15:35 /etc/kubernetes/kubeconfig

[root@node-2 ~]# IP=172.16.1.22
[root@node-2 ~]# echo $IP
172.16.1.22
[root@node-3 ~]# IP=172.16.1.23
[root@node-3 ~]# echo $IP
172.16.1.23

# 写入kubelet配置文件
[root@node-2/3 ~]# mkdir -pv /etc/kubernetes/manifests/
[root@node-2/3 ~]# ll -ld /etc/kubernetes/manifests/

[root@node-2/3 ~]# cat <<EOF > /etc/kubernetes/kubelet-config.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/etc/kubernetes/ssl/ca.pem"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "169.254.25.10"
#对应5-5的kube-controller-manager.service
podCIDR: "10.200.0.0/16"
address: ${IP}
readOnlyPort: 0
staticPodPath: /etc/kubernetes/manifests
healthzPort: 10248
healthzBindAddress: 127.0.0.1
kubeletCgroups: /systemd/system.slice
resolvConf: "/etc/resolv.conf"
runtimeRequestTimeout: "15m"
kubeReserved:
  cpu: 200m
  memory: 512M
tlsCertFile: "/etc/kubernetes/ssl/${HOSTNAME}.pem"
tlsPrivateKeyFile: "/etc/kubernetes/ssl/${HOSTNAME}-key.pem"
EOF

[root@node-2/3 ~]# ll /etc/kubernetes/kubelet-config.yaml
-rw-r--r-- 1 root root 688 Nov  5 15:37 /etc/kubernetes/kubelet-config.yaml
[root@node-2/3 ~]# cat /etc/kubernetes/kubelet-config.yaml

#配置kubelet服务

[root@node-2/3 ~]# cat <<EOF > /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service

[Service]
#注意:--kubeconfig 指向的是一个文件。注释行不要放在 ExecStart 的反斜杠续行中间,老版本 systemd 可能会把注释行当作参数拼进命令行,导致 kubelet 启动失败。
ExecStart=/usr/local/bin/kubelet \\
  --config=/etc/kubernetes/kubelet-config.yaml \\
  --container-runtime=remote \\
  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
  --image-pull-progress-deadline=2m \\
  --kubeconfig=/etc/kubernetes/kubeconfig \\
  --network-plugin=cni \\
  --node-ip=${IP} \\
  --register-node=true \\
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

[root@node-2-3 ~]# ll /etc/systemd/system/kubelet.service
-rw-r--r-- 1 root root 584 Jan  4 00:51 /etc/systemd/system/kubelet.service
[root@node-2-3 ~]# cat /etc/systemd/system/kubelet.service

配置nginx-proxy

nginx-proxy是一个用于worker节点访问apiserver的代理,本质上是一个nginx,是访问apiserver的一个优雅的高可用方案。
它使用kubelet的static(静态)pod方式启动,让每个节点都可以均衡地访问到每个apiserver服务,优雅地替代了通过虚拟ip(传统的haproxy+keepalived)访问apiserver的方式。
    Tips: nginx-proxy 只需要在没有 apiserver 的节点部署哦~		
	因为对外提供了6443的代理,是专门给worker节点用的,因为master节点已经有了API SERVER,就不需要代理了,直接访问API SERVER就OK了。
	这里node-2由于master和worker在一起,所以node-2并不是配置下述文件,但如果要分开,提出来的worker切记也要配置。
	这里只在node-3配置,因为node-3是一个纯的worker节点,没有API SERVER,需要配置上的一个代理。

----3.1 nginx配置文件

#只在node-3节点配置

[root@node-3 ~]# mkdir -p /etc/nginx
# 指定master ip列表。这里master的IP列表,就决定了nginx去访问API SERVER的地址。
[root@node-3 ~]# MASTER_IPS=(172.16.1.21 172.16.1.22)

[root@node-1/2 ~]# netstat -lntup|grep 6443
tcp6       0      0 :::6443                 :::*                    LISTEN      1808/kube-apiserver 

# 执行前请先复制一份,下面的模板并不能直接使用,需要先修改好 upstream 的 'server' 部分配置。注意这里代理的是 6443 端口。
[root@node-3 ~]# cat <<EOF > /etc/nginx/nginx.conf
error_log stderr notice;

worker_processes 2;
worker_rlimit_nofile 130048;
worker_shutdown_timeout 10s;

events {
  multi_accept on;
  use epoll;
  worker_connections 16384;
}

stream {
  upstream kube_apiserver {
    least_conn;
    #这里只保留两个 server 行即可:下面的 ... 那一行和 MASTER_IPS[N] 那一行只是示意,写入前要删掉,否则 nginx 会报配置语法错误(N 未定义时 bash 会把它当作下标 0 再展开一次)
    server ${MASTER_IPS[0]}:6443;
    server ${MASTER_IPS[1]}:6443;
    ...
    server ${MASTER_IPS[N]}:6443;
  }

  server {
    #本地监听的是本机的IP+PORT,其实访问的就是nginx。
    listen        127.0.0.1:6443;
    proxy_pass    kube_apiserver;
    proxy_timeout 10m;
    proxy_connect_timeout 1s;
  }
}

http {
  aio threads;
  aio_write on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout 5m;
  keepalive_requests 100;
  reset_timedout_connection on;
  server_tokens off;
  autoindex off;

  server {
    listen 8081;
    location /healthz {
      access_log off;
      return 200;
    }
    location /stub_status {
      stub_status on;
      access_log off;
    }
  }
}
EOF

[root@node-3 ~]# cat /etc/nginx/nginx.conf

----3.2 nginx manifest(nginx启动文件)

#只在node-3节点配置。
#nginx的启动配置文件就是一个yaml文件(一个POD的配置文件),让kubelet把这个nginx作为一个静态POD拉起来。
#使用的就是一个标准的nginx镜像。注意下面的 securityContext 设了 privileged: true,相当于给了容器宿主机级别的权限;这个 nginx 在 hostNetwork 下只监听 127.0.0.1:6443 和 8081,并不明显需要特权,可以考虑去掉(去掉后需自行验证能正常启动)。

#这个目录在工作节点的node-2和node-3都建立
[root@node-3 ~]# mkdir -pv /etc/kubernetes/manifests/
#使用的其实是一个标准的nginx镜像
[root@node-3 ~]# cat <<EOF > /etc/kubernetes/manifests/nginx-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-proxy
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    k8s-app: kube-nginx
spec:
  hostNetwork: true
  dnsPolicy: ClusterFirstWithHostNet
  nodeSelector:
    kubernetes.io/os: linux
  priorityClassName: system-node-critical
  containers:
  - name: nginx-proxy
	#这里有个镜像,执行时会自己下载。可以自己手工先下载。
    image: docker.io/library/nginx:1.19
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 25m
        memory: 32M
    securityContext:
      privileged: true
    livenessProbe:
      httpGet:
        path: /healthz
        port: 8081
    readinessProbe:
      httpGet:
        path: /healthz
        port: 8081
    volumeMounts:
	#这里肯定要挂载一下刚才指定的nginx的配置。
    - mountPath: /etc/nginx
      name: etc-nginx
      readOnly: true
  volumes:
  - name: etc-nginx
    hostPath:
	  #这里肯定要挂载一下刚才指定的nginx的配置。
      path: /etc/nginx
EOF

[root@node-3 ~]# cat /etc/kubernetes/manifests/nginx-proxy.yaml

配置kube-proxy

#需要在每一个worker节点配置
# 准备K8S需要用到的配置文件


----4.1 配置文件

[root@node-2/3 ~]# cd ~
[root@node-2/3 ~]# mkdir -p /etc/kubernetes/
[root@node-2/3 ~]# cp kube-proxy.kubeconfig /etc/kubernetes/
[root@node-2/3 ~]# cat /etc/kubernetes/kube-proxy.kubeconfig
# 创建 kube-proxy-config.yaml(kube-proxy启动要用到的配置文件)
[root@node-2/3 ~]# cat <<EOF > /etc/kubernetes/kube-proxy-config.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: 0.0.0.0
clientConnection:
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
clusterCIDR: "10.200.0.0/16"
mode: ipvs
EOF

[root@node-2/3 ~]# cat /etc/kubernetes/kube-proxy-config.yaml

----4.2 kube-proxy 服务文件

[root@node-2/3 ~]# cat <<EOF > /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-proxy \\
  --config=/etc/kubernetes/kube-proxy-config.yaml
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

[root@node-2/3 ~]# cat /etc/systemd/system/kube-proxy.service

手工下载镜像


#否则启动服务时下载镜像太慢
#建议在每个worker工作节点都下载一下,避免访问Google仓库失败的问题。注意 ctr i tag 只是给镜像改名,并不校验内容,从第三方仓库拉取时最好核对一下 digest(sha256)是否和官方镜像一致。

[root@node-2/3 ~]# crictl pull registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause:3.2
Image is up to date for sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c
[root@node-2/3 ~]# ctr -n k8s.io i tag  registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause:3.2 k8s.gcr.io/pause:3.2
k8s.gcr.io/pause:3.2
[root@node-2/3 ~]# crictl pull docker.io/library/nginx:1.19
Image is up to date for sha256:f0b8a9a541369db503ff3b9d4fa6de561b300f7363920c2bff4577c6c24c5cf6
[root@node-3 ~]# crictl images
IMAGE                                                          TAG                 IMAGE ID            SIZE
docker.io/library/nginx                                        1.19                f0b8a9a541369       53.7MB
registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause   3.2                 80d28bedfe5de       298kB
k8s.gcr.io/pause                                               3.2                 80d28bedfe5de       298kB

启动服务

[root@node-2/3 ~]# swapoff -a && free -h   # 只对本次开机生效,还要注释掉 /etc/fstab 里的 swap 行,否则重启后默认配置的 kubelet 会因为 swap 开启而拒绝启动

[root@node-2-3 ~]# systemctl daemon-reload
[root@node-2-3 ~]# systemctl enable kubelet kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /etc/systemd/system/kubelet.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /etc/systemd/system/kube-proxy.service.
[root@node-2-3 ~]# systemctl restart kubelet kube-proxy
[root@node-2-3 ~]# systemctl status kubelet kube-proxy
[root@node-2-3 ~]# journalctl -f -u kubelet
[root@node-2-3 ~]# journalctl -f -u kube-proxy
或者
systemctl daemon-reload && systemctl enable kubelet kube-proxy && systemctl restart kubelet kube-proxy

检查服务

#这个只能在这个worker工作节点node-3节点查看
[root@node-3 ~]# crictl ps
#启动完暂时可能没进程,查询日志
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
4bfd0cfae63a9       f0b8a9a541369       59 minutes ago      Running             nginx-proxy         0                   8f46c27d7f09d
[root@node-3 ~]# netstat -lntup|grep 6443
tcp        0      0 127.0.0.1:6443          0.0.0.0:*               LISTEN      6019/nginx: master  

#有问题看日志
[root@node-2-3 ~]# journalctl -f -u kubelet
[root@node-2-3 ~]# journalctl -f -u kube-proxy
#重新核实配置文件
[root@node-3 ~]# cat /etc/nginx/nginx.conf
[root@node-3 ~]# cat /etc/kubernetes/manifests/nginx-proxy.yaml

标题:Kubernetes(五)kubernetes-the-hard-way方式(5.6)部署kubernetes工作节点
作者:yazong
地址:https://blog.llyweb.com/articles/2022/11/05/1667649714739.html