创建kube-proxy-csr.json 证书申请文件
# Certificate request for the kube-proxy client certificate.
# The CN "system:kube-proxy" becomes the user name the API server sees; the
# built-in ClusterRoleBinding system:node-proxier grants that user what
# kube-proxy needs. "hosts" is empty because this is a client certificate,
# not a serving certificate. The delimiter is quoted: nothing in the body is
# meant to be expanded by the shell, and the file is written byte-for-byte.
cat > /etc/kubernetes/ssl/kube-proxy-csr.json <<'EOF'
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成证书和私钥
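# Issue the kube-proxy client certificate and key from the cluster CA.
# All paths are absolute so the step no longer depends on the current
# directory: the request was written to /etc/kubernetes/ssl above, and the
# later steps read kube-proxy.pem / kube-proxy-key.pem from that same
# directory — the original only worked when run from inside it.
ssl_dir=/etc/kubernetes/ssl
cfssl gencert \
  -ca="$ssl_dir/ca.pem" \
  -ca-key="$ssl_dir/ca-key.pem" \
  -config=/opt/ssl/ca-config.json \
  -profile=kubernetes \
  "$ssl_dir/kube-proxy-csr.json" \
  | cfssljson -bare "$ssl_dir/kube-proxy"
# cfssljson writes kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr next
# to the request; make sure the private key is not world-readable.
chmod 0600 -- "$ssl_dir/kube-proxy-key.pem"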
创建kube-proxy.kubeconfig 文件
# Build kube-proxy.kubeconfig in the current directory, one entry at a time.
kubeconfig=kube-proxy.kubeconfig
ssl_dir=/etc/kubernetes/ssl
apiserver=https://10.39.7.51:6443

# Cluster entry. The CA is embedded so the file is self-contained.
kubectl config set-cluster kubernetes \
  --certificate-authority="$ssl_dir/ca.pem" \
  --embed-certs=true \
  --server="$apiserver" \
  --kubeconfig="$kubeconfig"

# User entry. Client certificate AND private key are embedded as well, so
# the resulting file must be handled like a private key.
kubectl config set-credentials kube-proxy \
  --client-certificate="$ssl_dir/kube-proxy.pem" \
  --client-key="$ssl_dir/kube-proxy-key.pem" \
  --embed-certs=true \
  --kubeconfig="$kubeconfig"

# Context tying the cluster and the user together.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig="$kubeconfig"

# Make that context the current one.
kubectl config use-context default --kubeconfig="$kubeconfig"
分发文件
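# kube-proxy.yaml mounts /etc/kubernetes/pki/ because every node already has
# that directory. The kubeconfig, however, is mounted from the hostPath
# /etc/kubernetes/kube-proxy.kubeconfig (see the volumes section of the
# manifest below), so it has to land there rather than in pki/ — copying
# kube-proxy* into pki/ left that path unsatisfied. Only the certificate, the
# key and the kubeconfig are shipped; the CSR and its request JSON are not
# needed on the nodes. The kubeconfig was created with --embed-certs, so it
# already contains the private key and is protected like one (0600, root).
ssl_dir=/etc/kubernetes/ssl

# Local node (the one the files were generated on).
install -m 0600 -- "$ssl_dir/kube-proxy.kubeconfig" /etc/kubernetes/kube-proxy.kubeconfig
install -m 0644 -- "$ssl_dir/kube-proxy.pem" /etc/kubernetes/pki/
install -m 0600 -- "$ssl_dir/kube-proxy-key.pem" /etc/kubernetes/pki/

# Remaining nodes; -p keeps the file modes set above.
for node in 10.39.7.52 10.39.7.57; do
  scp -p "$ssl_dir/kube-proxy.kubeconfig" "root@$node:/etc/kubernetes/kube-proxy.kubeconfig"
  scp -p "$ssl_dir/kube-proxy.pem" "$ssl_dir/kube-proxy-key.pem" "root@$node:/etc/kubernetes/pki/"
done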
创建kube-proxy
# Create (or update) the kube-proxy DaemonSet; pods and DaemonSet status are
# inspected in the two verification steps that follow.
kubectl apply --filename=kube-proxy.yaml
验证
[root@k8s-master-51 ~]# kubectl get po -nkube-system| grep proxy
kube-proxy-ddqvb 1/1 Running 1 17s
kube-proxy-hm2w6 1/1 Running 0 17s
kube-proxy-rwnp5 1/1 Running 0 17s
查看daemon
# 注意 nodeSelector：下面 kube-proxy 一行 DESIRED/CURRENT/READY 均为 0，是因为 DaemonSet 带有 NODE SELECTOR kube-proxy=proxy，而没有任何节点打了该标签，所以不会调度到任何节点；需要的节点数与标签匹配的节点数一致
[root@k8s-master-51 ~]# kubectl get daemonset -nkube-system
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
calico-node 3 3 3 3 3 beta.kubernetes.io/os=linux 1d
kube-proxy 0 0 0 0 0 kube-proxy=proxy 25s
proxy.yaml
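# kube-proxy DaemonSet (the file applied above as kube-proxy.yaml; this listing
# is titled proxy.yaml on the page).
# extensions/v1beta1 is the deprecated API group for DaemonSet; apps/v1 is the
# supported one on 1.9+ clusters — switch once the server version is confirmed.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    component: kube-proxy
    k8s-app: kube-proxy
    kubernetes.io/cluster-service: "true"
    name: kube-proxy
    tier: node
  name: kube-proxy
  namespace: kube-system
spec:
  selector:
    matchLabels:
      component: kube-proxy
      k8s-app: kube-proxy
      kubernetes.io/cluster-service: "true"
      name: kube-proxy
      tier: node
  template:
    metadata:
      labels:
        component: kube-proxy
        k8s-app: kube-proxy
        kubernetes.io/cluster-service: "true"
        name: kube-proxy
        tier: node
    spec:
      # Scheduling constraints as first-class fields. The original expressed
      # them through the scheduler.alpha.kubernetes.io/affinity and
      # scheduler.alpha.kubernetes.io/tolerations annotations, which are
      # deprecated and — as far as I can tell — no longer read by the scheduler
      # in the 1.11 line this image targets, so the master toleration did not
      # take effect. The fields below carry the same constraints.
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
      tolerations:
      - key: dedicated
        value: master
        effect: NoSchedule
      containers:
      - name: kube-proxy
        image: reg.enncloud.cn/enncloud/hyperkube-amd64:v1.11.2
        imagePullPolicy: IfNotPresent
        command:
        - /proxy
        - --cluster-cidr=10.254.64.0/18
        - --kubeconfig=/run/kubeconfig
        - --logtostderr=true
        - --proxy-mode=iptables
        - --v=2
        securityContext:
          # kube-proxy rewrites the host's iptables rules, which needs at least
          # CAP_NET_ADMIN on the host network namespace; upstream kubeadm runs
          # it privileged as well.
          privileged: true
        volumeMounts:
        - mountPath: /var/run/dbus
          name: dbus
        # kube-proxy only reads its credentials; mount them read-only.
        - mountPath: /run/kubeconfig
          name: kubeconfig
          readOnly: true
        - mountPath: /etc/kubernetes/pki
          name: pki
          readOnly: true
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      volumes:
      - name: kubeconfig
        hostPath:
          # The distribution step must place the kubeconfig at exactly this
          # path on every node. type: File makes a missing file fail the pod
          # instead of letting the kubelet silently create an empty directory.
          path: /etc/kubernetes/kube-proxy.kubeconfig
          type: File
      - name: dbus
        hostPath:
          path: /var/run/dbus
      - name: pki
        hostPath:
          # Exists on every node (see the distribution step), so require it.
          path: /etc/kubernetes/pki
          type: Directory
  updateStrategy:
    # Pods are only replaced when deleted by hand; kubectl rollout status does
    # not apply to this strategy, check with kubectl get daemonset instead.
    type: OnDelete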