This article describes the binary (non-containerized) deployment of a Kubernetes node: kubelet and kube-proxy.

1. Package download location

Node package: https://dl.k8s.io/v1.9.6/kubernetes-node-linux-amd64.tar.gz

```
# tar -zxvpf kubernetes-node-linux-amd64.tar.gz
# mv kubernetes/node/bin/kube* /usr/local/sbin/
```

2. On the master, create the kubelet-bootstrap user and bind it to the system:node-bootstrapper role

When kubelet starts it sends a TLS bootstrapping request to kube-apiserver. The kubelet-bootstrap user from the bootstrap token file must first be granted the system:node-bootstrapper role; only then does kubelet have permission to create certificate signing requests (certificatesigningrequests). `--user=kubelet-bootstrap` is the username specified in the file /etc/kubernetes/token.csv on the master node in the earlier article.

Run on the master node:

```
# kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
clusterrolebinding "kubelet-bootstrap" created
```

3. Set up kubelet on the node

1) Set the cluster parameters

```
# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/ssl/etcd/ca.pem \
  --embed-certs=true \
  --server=https://192.168.115.5:6443 \
  --kubeconfig=bootstrap.kubeconfig
```

2) Set the client authentication parameters; the token likewise comes from /etc/kubernetes/token.csv on the master node

```
# kubectl config set-credentials kubelet-bootstrap \
  --token=3e6916ba861192f279c67d827952ea30 \
  --kubeconfig=bootstrap.kubeconfig
```

3) Set the context parameters

```
# kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
```

4) Set the default context

```
# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# mv bootstrap.kubeconfig /etc/kubernetes/
```

![](https://s4.51cto.com/images/blog/201804/18/eb3838cb3de3ba914bc9fc4bd42e9485.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

5) Create the working directory

```
# mkdir /var/lib/kubelet
```

6) Configure the kubelet systemd unit

```
# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/sbin/kubelet \
  --address=192.168.115.6 \
  --hostname-override=192.168.115.6 \
  --pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.0 \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --cert-dir=/etc/ssl/kubernetes \
  --cluster-dns=10.254.0.2 \
  --cluster-domain=cluster.local. \
  --hairpin-mode promiscuous-bridge \
  --allow-privileged=true \
  --serialize-image-pulls=false \
  --logtostderr=true \
  --v=2
ExecStartPost=/sbin/iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 4194 -j ACCEPT
ExecStartPost=/sbin/iptables -A INPUT -p tcp --dport 4194 -j DROP
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Note the space before the line-continuation backslash after `--cluster-dns=10.254.0.2`; without it the next flag is glued onto the DNS address.

7) Start and test

```
# systemctl daemon-reload
# systemctl start kubelet
# systemctl status kubelet
```

![](https://s4.51cto.com/images/blog/201804/18/369362a5ea05bfdbf62b6f2c5871713a.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

8) On the master, approve the node's CSR

```
# kubectl get nodes
# kubectl get csr
# kubectl certificate approve node-csr-s6NbHbQp8M3fxKbRTO9AW6_L6KNi89gQdGByxm6sGn8
```

![](https://s4.51cto.com/images/blog/201804/18/85f4fce824f2a5b4a5d9f232b8db2fe5.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

9) On the master, bind the node role

```
# kubectl get nodes
# kubectl describe clusterrolebindings system:node
# kubectl create clusterrolebinding kubelet-node-clusterbinding \
  --clusterrole=system:node --user=system:node:192.168.115.6
```

![](https://s4.51cto.com/images/blog/201804/18/87d15f71df518afaedbc8eae551db9cc.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

```
# kubectl describe clusterrolebindings kubelet-node-clusterbinding
```

![](https://s4.51cto.com/images/blog/201804/18/bbb1d0a21f9d75e9964e6991a442bc08.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Alternatively, the system:node ClusterRole can be granted cluster-wide to the group "system:nodes":

```
# kubectl create clusterrolebinding kubelet-node-clusterbinding \
> --clusterrole=system:node --group=system:nodes
clusterrolebinding "kubelet-node-clusterbinding" created
```

Common error:

```
error: failed to run Kubelet: Running with swap on is not supported, please disable swap! or set --fail-swap-on flag to false. /proc/swaps contained:
```

Solution:

```
# swapoff -a
```

4. Set up kube-proxy on the node

1) Create the kube-proxy certificate signing request

```
# cat kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "FuZhou",
      "L": "FuZhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
# cfssl gencert -ca=/etc/ssl/etcd/ca.pem \
  -ca-key=/etc/ssl/etcd/ca-key.pem \
  -config=/etc/ssl/etcd/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# mv kube-proxy*.pem /etc/ssl/kubernetes/
# rsync /etc/ssl/kubernetes/* vm2:/etc/ssl/kubernetes/
# rsync /etc/ssl/kubernetes/* vm3:/etc/ssl/kubernetes/
```

2) Create the kube-proxy kubeconfig file on the node

Set the cluster parameters

```
# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/ssl/etcd/ca.pem \
  --embed-certs=true \
  --server=https://192.168.115.5:6443 \
  --kubeconfig=kube-proxy.kubeconfig
```

Set the client parameters

```
# kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/ssl/kubernetes/kube-proxy.pem \
  --client-key=/etc/ssl/kubernetes/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
```

Set the context parameters

```
# kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
```

Set the default context

```
# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
# mv kube-proxy.kubeconfig /etc/kubernetes/
```
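A consistency check for the bootstrap.kubeconfig built in step 4 of section 3 and the kube-proxy.kubeconfig built in this step, added here as an example and not part of the original post. It assumes the kubeconfig has been loaded as the JSON that `kubectl config view --raw -o json --kubeconfig=<file>` prints; the token.csv row is constructed (token and username are the post's values, the uid and group column are made up) and the embedded certificate data are placeholders.

```python
import csv
import io

# Constructed sample row of /etc/kubernetes/token.csv (format: token,user,uid,"groups");
# token and user are the post's values, uid and group are made up.
TOKEN_CSV = '3e6916ba861192f279c67d827952ea30,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
APISERVER = "https://192.168.115.5:6443"

def sample_kubeconfig(user_name, user_entry):
    """Constructed stand-in for the dict that
    `kubectl config view --raw -o json --kubeconfig=<file>` prints for the post's files."""
    return {"apiVersion": "v1", "kind": "Config", "current-context": "default",
            "clusters": [{"name": "kubernetes", "cluster": {
                "server": APISERVER, "certificate-authority-data": "PLACEHOLDER_BASE64_CA"}}],
            "contexts": [{"name": "default", "context": {"cluster": "kubernetes", "user": user_name}}],
            "users": [{"name": user_name, "user": user_entry}]}

def load_token_users(token_csv_text):
    """Map each bootstrap token to the username kube-apiserver assigns it."""
    return {row[0]: row[1] for row in csv.reader(io.StringIO(token_csv_text)) if len(row) >= 2}

def check_kubeconfig(cfg, expected_server, token_csv_text="", expected_user=None):
    """Return a list of problems; empty means the file matches the cluster setup.
    For a token user, expected_user is the name the clusterrolebinding references."""
    problems = []
    by_name = lambda key: {e["name"]: e for e in cfg.get(key, [])}
    ctx = by_name("contexts").get(cfg.get("current-context"), {}).get("context", {})
    cluster = by_name("clusters").get(ctx.get("cluster"), {}).get("cluster")
    user = by_name("users").get(ctx.get("user"), {}).get("user")
    if cluster is None or user is None:
        return ["current-context does not resolve to a defined cluster and user"]
    server = cluster.get("server", "")
    if server != expected_server or not server.startswith("https://"):
        problems.append("server is not the expected https apiserver endpoint")
    if cluster.get("insecure-skip-tls-verify"):
        problems.append("insecure-skip-tls-verify is set: apiserver identity is not checked")
    if not (cluster.get("certificate-authority-data") or cluster.get("certificate-authority")):
        problems.append("no CA for the cluster; rerun set-cluster with --embed-certs=true")
    if "token" in user:  # kubelet bootstrap path: token must resolve to the bound username
        token_user = load_token_users(token_csv_text).get(user["token"])
        if token_user is None:
            problems.append("token is not present in token.csv")
        elif expected_user and token_user != expected_user:
            problems.append(f"token maps to {token_user!r}, clusterrolebinding expects {expected_user!r}")
    elif not (user.get("client-certificate-data") and user.get("client-key-data")):
        problems.append("client cert/key not embedded; rerun set-credentials with --embed-certs=true")
    return problems
```

Run it against the real token.csv and kubeconfig before starting kubelet: a token missing from token.csv, or one mapping to a username other than the one in the kubelet-bootstrap clusterrolebinding, surfaces later only as an authentication or forbidden error in the kubelet journal and no CSR ever appears in `kubectl get csr`.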
![](https://s4.51cto.com/images/blog/201804/18/545953af7c78bb6899bfceb7556357e5.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

3) Create the kube-proxy working directory

```
# mkdir -p /var/lib/kube-proxy
```

4) Configure the kube-proxy systemd unit

```
# cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/usr/local/sbin/kube-proxy \
  --bind-address=192.168.115.6 \
  --hostname-override=192.168.115.6 \
  --cluster-cidr=172.30.0.0/16 \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
  --logtostderr=true \
  --v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

As with the kubelet unit, keep a space before the continuation backslash after `--hostname-override=192.168.115.6`.

5) Start and test

```
# systemctl daemon-reload
# systemctl start kube-proxy
# netstat -ntpl | grep kube
```

![](https://s4.51cto.com/images/blog/201804/18/e4daed97fcc2b8a81f830d7ac660989d.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Deploy the other node host, vm3, the same way.

![](https://s4.51cto.com/images/blog/201804/18/3c297fff7ad0ceeb5d38d292945142e0.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

![](https://s4.51cto.com/images/blog/201804/18/84f4cd678aa7d8af788fc1f3b80b098b.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

5. Create a pod to test

```
# cat nginx-rc.yaml
apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  replicas: 2
  selector:
    name: nginx
  template:
    metadata:
      labels:
        name: nginx
    spec:
      containers:
      - name: nginx-test
        image: docker.io/nginx
        ports:
        - containerPort: 80
# cat nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    name: nginx
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    name: http
    nodePort: 8401
  selector:
    name: nginx
```

![](https://s4.51cto.com/images/blog/201804/18/98bbf8132a71b9d537345d0ed091d974.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

Access test

![](https://s4.51cto.com/images/blog/201804/18/a3b51408ec481b86089c028391444748.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)

![](https://s4.51cto.com/images/blog/201804/18/92be0d1925b852c30ccacd26d6162f6a.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)