这部分我们部署kubernetes的工作节点worker。实例中我们有两个工作节点node-2和node-3,node-3一个是独立的工作节点,node-2是一个跟master在一起的节点。
在每个节点上我们会部署kubelet、kube-proxy、container runtime、cni、nginx-proxy。
Container Runtime - Containerd
----1.1 软件包下载
设定containerd的版本号
[root@node-2/3 ~]# VERSION=1.4.3
下载压缩包
[root@node-2/3 ~]# wget https://github.com/containerd/containerd/releases/download/v${VERSION}/cri-containerd-cni-${VERSION}-linux-amd64.tar.gz
----1.2 整理压缩文件
下载后的文件是一个tar.gz,是一个allinone的包,包括了runc、circtl、ctr、containerd等容器运行时以及cni相关的文件,解压缩到一个独立的目录中
[root@node-2/3 ~]# mkdir -p /root/containerd
[root@node-2/3 ~]# cd /root/containerd
[root@node-2/3 containerd]# ll cri-containerd-cni-1.4.3-linux-amd64.tar.gz
-rw-r--r-- 1 root root 99176835 Dec 1 2020 cri-containerd-cni-1.4.3-linux-amd64.tar.gz
# 解压缩
[root@node-2/3 containerd]# tar -zxvf cri-containerd-cni-1.4.3-linux-amd64.tar.gz
[root@node-2/3 containerd]# ll
total 96868
-rw-r--r-- 1 root root 99176835 Nov 5 14:47 cri-containerd-cni-1.4.3-linux-amd64.tar.gz
drwxr-xr-x 4 root root 4096 Dec 1 2020 etc
drwxr-xr-x 4 root root 4096 Dec 1 2020 opt
drwxr-xr-x 3 root root 4096 Dec 1 2020 usr
# 复制需要的文件
[root@node-2/3 containerd]# cp etc/crictl.yaml /etc/
[root@node-2/3 containerd]# ll /etc/crictl.yaml
-rw-r--r-- 1 root root 57 Nov 5 14:54 /etc/crictl.yaml
[root@node-2/3 containerd]# cp etc/systemd/system/containerd.service /etc/systemd/system/
[root@node-2/3 containerd]# ll /etc/systemd/system/containerd.service
-rw-r--r-- 1 root root 1269 Nov 5 14:54 /etc/systemd/system/containerd.service
[root@node-2/3 containerd]# cp -r usr /
[root@node-2/3 containerd]# ll /usr/local/bin/containerd*
-rwxr-xr-x 1 root root 49254048 Nov 5 14:54 /usr/local/bin/containerd
-rwxr-xr-x 1 root root 6742016 Nov 5 14:54 /usr/local/bin/containerd-shim
-rwxr-xr-x 1 root root 9097216 Nov 5 14:54 /usr/local/bin/containerd-shim-runc-v1
-rwxr-xr-x 1 root root 9113600 Nov 5 14:54 /usr/local/bin/containerd-shim-runc-v2
[root@node-2/3 containerd]# ll /usr/local/bin/cri*
-rwxr-xr-x 1 root root 27513491 Nov 5 14:54 /usr/local/bin/crictl
-rwxr-xr-x 1 root root 30870619 Nov 5 14:54 /usr/local/bin/critest
[root@node-2/3 containerd]# ll /usr/local/bin/ctr
-rwxr-xr-x 1 root root 26042464 Nov 5 14:54 /usr/local/bin/ctr
[root@node-2/3 containerd]# ll /usr/local/sbin/runc
-rwxr-xr-x 1 root root 14794440 Nov 5 14:54 /usr/local/sbin/runc
----1.3 containerd配置文件
[root@node-2-3 containerd]# which containerd
/usr/local/bin/containerd
[root@node-2-3 containerd]# mkdir -p /etc/containerd
# 默认配置生成配置文件
[root@node-2-3 containerd]# containerd config default > /etc/containerd/config.toml
[root@node-2/3 containerd]# ll /etc/containerd/config.toml
-rw-r--r-- 1 root root 4071 Nov 5 15:06 /etc/containerd/config.toml
[root@node-2-3 containerd]# cat /etc/containerd/config.toml
# 定制化配置(可选)
[root@node-2-3 containerd]# vim /etc/containerd/config.toml
#这里的属性看Word文档。可对应第四章的配置看看!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[root@node-2-3 ~]# vim /etc/containerd/config.toml
#如果是docker,那么是/var/lib/docker。这个目录修改为磁盘空间比较充足的位置,软链接也可以。
root = "/var/lib/containerd"
#这里从0改为比较小的值,系统内存不足的时候更不容易被杀掉,毕竟是守护进程,更不应该容易被杀掉。
#这一章作者没改动,自己根据第四章改动了。
oom_score = -999
#其他配置暂不关注,一下学习太多细节的东西,学习没好处,不好消化。
----1.4 启动containerd
[root@node-2-3 containerd]# systemctl enable containerd
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /etc/systemd/system/containerd.service.
[root@node-2-3 containerd]# systemctl restart containerd
[root@node-2-3 containerd]# systemctl status containerd
[root@node-2-3 containerd]# systemctl is-enabled containerd
enabled
配置kubelet
#准备kubelet配置(kubelet依赖了K8S的证书目录)
[root@node-2/3 ~]# pwd
/root
[root@node-2 ~]# echo $HOSTNAME
node-2
[root@node-3 ~]# echo $HOSTNAME
node-3
[root@node-2/3 ~]# mkdir -p /etc/kubernetes/ssl/
[root@node-2/3 ~]# cp ${HOSTNAME}-key.pem ${HOSTNAME}.pem ca.pem ca-key.pem /etc/kubernetes/ssl/
cp: overwrite ¡®/etc/kubernetes/ssl/node-2-key.pem¡¯? y
cp: overwrite ¡®/etc/kubernetes/ssl/node-2.pem¡¯? y
cp: overwrite ¡®/etc/kubernetes/ssl/ca.pem¡¯? y
cp: overwrite ¡®/etc/kubernetes/ssl/ca-key.pem¡¯? y
[root@node-2 ~]# ll /etc/kubernetes/ssl/
total 40
-rw------- 1 root root 1679 Nov 5 15:33 ca-key.pem
-rw-r--r-- 1 root root 1367 Nov 5 15:33 ca.pem
-rw------- 1 root root 1679 Nov 4 22:34 kubernetes-key.pem
-rw-r--r-- 1 root root 1647 Nov 4 22:34 kubernetes.pem
-rw------- 1 root root 1679 Nov 5 15:33 node-2-key.pem
-rw-r--r-- 1 root root 1456 Nov 5 15:33 node-2.pem
-rw------- 1 root root 1675 Nov 4 22:34 proxy-client-key.pem
-rw-r--r-- 1 root root 1399 Nov 4 22:34 proxy-client.pem
-rw------- 1 root root 1675 Nov 4 22:34 service-account-key.pem
-rw-r--r-- 1 root root 1407 Nov 4 22:34 service-account.pem
[root@node-3 ~]# ll /etc/kubernetes/ssl/
total 16
-rw------- 1 root root 1679 Nov 5 15:34 ca-key.pem
-rw-r--r-- 1 root root 1367 Nov 5 15:34 ca.pem
-rw------- 1 root root 1675 Nov 5 15:34 node-3-key.pem
-rw-r--r-- 1 root root 1456 Nov 5 15:34 node-3.pem
[root@node-2/3 ~]# cp ${HOSTNAME}.kubeconfig /etc/kubernetes/kubeconfig
[root@node-2/3 ~]# ll /etc/kubernetes/kubeconfig
-rw------- 1 root root 6369 Nov 5 15:35 /etc/kubernetes/kubeconfig
[root@node-2 ~]# IP=172.16.1.22
[root@node-2 ~]# echo $IP
172.16.1.22
[root@node-3 ~]# IP=172.16.1.23
[root@node-3 ~]# echo $IP
172.16.1.23
# 写入kubelet配置文件
[root@node-2/3 ~]# mkdir -pv /etc/kubernetes/manifests/
[root@node-2/3 ~]# ll -ld /etc/kubernetes/manifests/
[root@node-2/3 ~]# cat <<EOF > /etc/kubernetes/kubelet-config.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/etc/kubernetes/ssl/ca.pem"
authorization:
mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
- "169.254.25.10"
#对应5-5的kube-controller-manager.service
podCIDR: "10.200.0.0/16"
address: ${IP}
readOnlyPort: 0
staticPodPath: /etc/kubernetes/manifests
healthzPort: 10248
healthzBindAddress: 127.0.0.1
kubeletCgroups: /systemd/system.slice
resolvConf: "/etc/resolv.conf"
runtimeRequestTimeout: "15m"
kubeReserved:
cpu: 200m
memory: 512M
tlsCertFile: "/etc/kubernetes/ssl/${HOSTNAME}.pem"
tlsPrivateKeyFile: "/etc/kubernetes/ssl/${HOSTNAME}-key.pem"
EOF
[root@node-2/3 ~]# ll /etc/kubernetes/kubelet-config.yaml
-rw-r--r-- 1 root root 688 Nov 5 15:37 /etc/kubernetes/kubelet-config.yaml
[root@node-2/3 ~]# cat /etc/kubernetes/kubelet-config.yaml
#配置kubelet服务
[root@node-2/3 ~]# cat <<EOF > /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service
[Service]
ExecStart=/usr/local/bin/kubelet \\
--config=/etc/kubernetes/kubelet-config.yaml \\
--container-runtime=remote \\
--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
--image-pull-progress-deadline=2m \\
#这里是个文件
--kubeconfig=/etc/kubernetes/kubeconfig \\
--network-plugin=cni \\
--node-ip=${IP} \\
--register-node=true \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
[root@node-2-3 ~]# ll /etc/systemd/system/kubelet.service
-rw-r--r-- 1 root root 584 Jan 4 00:51 /etc/systemd/system/kubelet.service
[root@node-2-3 ~]# cat /etc/systemd/system/kubelet.service
配置nginx-proxy
nginx-proxy是一个用于worker节点访问apiserver的一个代理,本质上是一个nginx,本质是apiserver一个优雅的高可用方案。
它使用kubelet的static(静态)pod方式启动,让每个节点都可以均衡的访问到每个apiserver服务,优雅的替代了通过虚拟ip(传统的使用hadproxy+keepalive)访问apiserver的方式。
Tips: nginx-proxy 只需要在没有 apiserver 的节点部署哦~
因为对外提供了6443的代理,是专门给worker节点用的,因为master节点已经有了API SERVER,就不需要代理了,直接访问API SERVER就OK了。
这里node-2由于master和worker在一起,所以node-2并不是配置下述文件,但如果要分开,提出来的worker切记也要配置。
这里只在node-3配置,因为node-3是一个纯的worker节点,没有API SERVER,需要配置上的一个代理。
----3.1 nginx配置文件
#只在nginx3节点配置
[root@node-3 ~]# mkdir -p /etc/nginx
# 指定master ip列表。这里master的IP列表,就决定了nginx去访问API SERVER的地址。
[root@node-3 ~]# MASTER_IPS=(172.16.1.21 172.16.1.22)
[root@node-1/2 ~]# netstat -lntup|grep 6443
tcp6 0 0 :::6443 :::* LISTEN 1808/kube-apiserver
# 执行前请先copy一份,这里并不能直接使用,并修改好 upstream 的 'server' 部分配置 注意这里启动的是6443端口。
[root@node-3 ~]# cat <<EOF > /etc/nginx/nginx.conf
error_log stderr notice;
worker_processes 2;
worker_rlimit_nofile 130048;
worker_shutdown_timeout 10s;
events {
multi_accept on;
use epoll;
worker_connections 16384;
}
stream {
upstream kube_apiserver {
least_conn;
#这里只保留两个地址信息即可
server ${MASTER_IPS[0]}:6443;
server ${MASTER_IPS[1]}:6443;
...
server ${MASTER_IPS[N]}:6443;
}
server {
#本地监听的是本机的IP+PORT,其实访问的就是nginx。
listen 127.0.0.1:6443;
proxy_pass kube_apiserver;
proxy_timeout 10m;
proxy_connect_timeout 1s;
}
}
http {
aio threads;
aio_write on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 5m;
keepalive_requests 100;
reset_timedout_connection on;
server_tokens off;
autoindex off;
server {
listen 8081;
location /healthz {
access_log off;
return 200;
}
location /stub_status {
stub_status on;
access_log off;
}
}
}
EOF
[root@node-3 ~]# cat /etc/nginx/nginx.conf
----3.2 nginx manifest(nginx启动文件)
#只在node-3节点配置。
#nginx的启动配置文件就是一个yaml文件,让K8S把这个nginx作为一个POD调度起来,一个POD的配置文件。
#使用的就是一个标准的nginx镜像。
#这个目录在工作节点的node-2和node-3都建立
[root@node-3 ~]# mkdir -pv /etc/kubernetes/manifests/
#使用的其实是一个标准的nginx镜像
[root@node-3 ~]# cat <<EOF > /etc/kubernetes/manifests/nginx-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
name: nginx-proxy
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: Reconcile
k8s-app: kube-nginx
spec:
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-node-critical
containers:
- name: nginx-proxy
#这里有个镜像,执行时会自己下载。可以自己手工先下载。
image: docker.io/library/nginx:1.19
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 25m
memory: 32M
securityContext:
privileged: true
livenessProbe:
httpGet:
path: /healthz
port: 8081
readinessProbe:
httpGet:
path: /healthz
port: 8081
volumeMounts:
#这里肯定要挂载一下刚才指定的nginx的配置。
- mountPath: /etc/nginx
name: etc-nginx
readOnly: true
volumes:
- name: etc-nginx
hostPath:
#这里肯定要挂载一下刚才指定的nginx的配置。
path: /etc/nginx
EOF
[root@node-3 ~]# cat /etc/kubernetes/manifests/nginx-proxy.yaml
配置kube-proxy
#需要在每一个worker节点配置
# 准备K8S需要用到的配置文件
----4.1 配置文件
[root@node-2/3 ~]# cd ~
[root@node-2/3 ~]# mkdir -p /etc/kubernetes/
[root@node-2/3 ~]# cp kube-proxy.kubeconfig /etc/kubernetes/
[root@node-2/3 ~]# cat /etc/kubernetes/kube-proxy.kubeconfig
# 创建 kube-proxy-config.yaml(kube-proxy启动要用到的配置文件)
[root@node-2/3 ~]# cat <<EOF > /etc/kubernetes/kube-proxy-config.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
bindAddress: 0.0.0.0
clientConnection:
kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
clusterCIDR: "10.200.0.0/16"
mode: ipvs
EOF
[root@node-2/3 ~]# cat /etc/kubernetes/kube-proxy-config.yaml
----4.2 kube-proxy 服务文件
[root@node-2/3 ~]# cat <<EOF > /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-proxy \\
--config=/etc/kubernetes/kube-proxy-config.yaml
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
[root@node-2/3 ~]# cat /etc/systemd/system/kube-proxy.service
手工下载镜像
#否则启动服务时下载镜像太慢
#建议在每个worker工作节点都下载一下,避免访问Google仓库失败的问题。
[root@node-2/3 ~]# crictl pull registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause:3.2
Image is up to date for sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c
[root@node-2/3 ~]# ctr -n k8s.io i tag registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause:3.2 k8s.gcr.io/pause:3.2
k8s.gcr.io/pause:3.2
[root@node-2/3 ~]# crictl pull docker.io/library/nginx:1.19
Image is up to date for sha256:f0b8a9a541369db503ff3b9d4fa6de561b300f7363920c2bff4577c6c24c5cf6
[root@node-3 ~]# crictl images
IMAGE TAG IMAGE ID SIZE
docker.io/library/nginx 1.19 f0b8a9a541369 53.7MB
registry.cn-hangzhou.aliyuncs.com/kubernetes-kubespray/pause 3.2 80d28bedfe5de 298kB
k8s.gcr.io/pause 3.2 80d28bedfe5de 298kB
启动服务
[root@node-2/3 ~]# swapoff -a && free -h
[root@node-2-3 ~]# systemctl daemon-reload
[root@node-2-3 ~]# systemctl enable kubelet kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /etc/systemd/system/kubelet.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /etc/systemd/system/kube-proxy.service.
[root@node-2-3 ~]# systemctl restart kubelet kube-proxy
[root@node-2-3 ~]# systemctl status kubelet kube-proxy
[root@node-2-3 ~]# journalctl -f -u kubelet
[root@node-2-3 ~]# journalctl -f -u kube-proxy
或者
systemctl daemon-reload && systemctl enable kubelet kube-proxy && systemctl restart kubelet kube-proxy
检查服务
#这个只能在这个worker工作节点node-3节点查看
[root@node-3 ~]# crictl ps
#启动完暂时可能没进程,查询日志
CONTAINER IMAGE CREATED STATE NAME ATTEMPT POD ID
4bfd0cfae63a9 f0b8a9a541369 59 minutes ago Running nginx-proxy 0 8f46c27d7f09d
[root@node-3 ~]# netstat -lntup|grep 6443
tcp 0 0 127.0.0.1:6443 0.0.0.0:* LISTEN 6019/nginx: master
#有问题看日志
[root@node-2-3 ~]# journalctl -f -u kubelet
[root@node-2-3 ~]# journalctl -f -u kube-proxy
#重新核实配置文件
[root@node-3 ~]# cat /etc/nginx/nginx.conf
[root@node-3 ~]# cat /etc/kubernetes/manifests/nginx-proxy.yaml
标题:Kubernetes(五)kubernetes-the-hard-way方式(5.6)部署kubernetes工作节点
作者:yazong
地址:https://blog.llyweb.com/articles/2022/11/05/1667649714739.html