下载二进制文件
下载地址:kubernetes.io/zh-cn/relea…
将文件下载到 /usr/local/bin 目录下并赋予执行权限(执行前建议先用官方发布的 SHA-256 校验和核对下载的文件)
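# kubelet.service sets no User=, so this binary runs as root. Make it
# root-owned and set an explicit mode instead of `chmod +x`, which keeps
# whatever write bits the download left on the file.
sudo chown root:root /usr/local/bin/kubelet
sudo chmod 0755 /usr/local/bin/kubelet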
签发 kubelet 证书
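在 cfssl 签发配置 config.json 的 profiles 中新增 kubelet 配置(同时包含 server auth 和 client auth,因为同一张证书既用作 kubelet 的服务端证书,也用作访问 kube-apiserver 的客户端证书)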
cat config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign"
],
"expiry": "43800h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0
}
},
"etcd": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-apiserver": {
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"kube-controller-manager": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-scheduler": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"admin": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kubelet": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
创建证书请求文件 kubelet-csr.json(CN 必须为 system:node:<节点名>,O 必须为 system:nodes,kube-apiserver 的 Node 鉴权器才会把该证书识别为节点身份)
cat kubelet-csr.json
{
"CN": "system:node:srv-k8s-node-01",
"hosts": [
"127.0.0.1",
"10.0.30.26"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:nodes",
"OU": "Kubernetes"
}
]
}
生成证书
# Sign kubelet-csr.json with the cluster CA using the "kubelet" profile from
# config.json (server auth + client auth, expiry 8760h, so renewal has to be
# planned before that period ends). cfssljson writes kubelet.pem, kubelet.csr
# and kubelet-key.pem; kubelet-key.pem is the node's private key.
# kubernetes-ca-key.pem can sign any cluster identity, so keep it on the
# signing host only.
cfssl gencert \
  -ca=kubernetes-ca.pem \
  -ca-key=kubernetes-ca-key.pem \
  -config=config.json \
  -profile=kubelet \
  kubelet-csr.json \
  | cfssljson -bare kubelet
2024/12/10 23:34:12 [INFO] generate received request
2024/12/10 23:34:12 [INFO] received CSR
2024/12/10 23:34:12 [INFO] generating key: rsa-2048
2024/12/10 23:34:12 [INFO] encoded CSR
2024/12/10 23:34:12 [INFO] signed certificate with serial number 535257814764988464083544682884456342075269674830
# List the generated artifacts: kubelet.pem (certificate), kubelet.csr and
# kubelet-key.pem (private key; check that it is not group/world readable).
ls kubelet*
kubelet.csr kubelet-csr.json kubelet-key.pem kubelet.pem
创建 kubelet 配置文件 /opt/kubernetes/cfg/kubelet-config.yml
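# KubeletConfiguration for this node; kubelet.service passes it via --config.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
# Listens on every interface, so the kubelet API is reachable from any network
# that can route to the node; restrict it with a firewall or bind the node IP.
address: 0.0.0.0
# cgroupDriver appeared twice in the original listing. Duplicate keys are
# rejected or silently overridden depending on the parser, so it is kept once.
cgroupDriver: systemd
clusterDNS:
- 172.16.0.101
clusterDomain: cluster.local
# Pinned explicitly so the kubelet API never serves anonymous requests and
# every request is authorized through kube-apiserver. Client certificates are
# verified against the CA given by --client-ca-file in kubelet.service.
# NOTE(review): Webhook authorization requires kube-apiserver to reach the
# kubelet with a client certificate authorized for the kubelet API; confirm.
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
# Serving certificate and key for the kubelet HTTPS endpoint (the same pair is
# used as the client credential in the kubeconfig).
# NOTE(review): the key sits under a user's home directory but is read by a
# root process; prefer a root-owned directory with the key at mode 0600.
tlsCertFile: /home/we8/k8s/cfssl/kubelet.pem
tlsPrivateKeyFile: /home/we8/k8s/cfssl/kubelet-key.pem
containerRuntimeEndpoint: "unix:///var/run/cri-dockerd.sock"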
创建 kubelet kubeconfig 文件
设置集群参数
# Cluster entry: the API server endpoint plus the CA chain used to verify it.
# --embed-certs=true copies the CA data into the kubeconfig, so the file does
# not depend on kubernetes-chain.pem staying in place.
kubectl config set-cluster kubernetes \
  --kubeconfig=/home/we8/k8s/kubeconfig/kubelet \
  --server=https://10.0.30.47:6443 \
  --certificate-authority=/home/we8/k8s/cfssl/kubernetes-chain.pem \
  --embed-certs=true
设置客户端认证参数
# User entry for the node identity system:node:srv-k8s-node-01.
# With --embed-certs=true the client private key is written into the
# kubeconfig itself, so that file is as sensitive as kubelet-key.pem and
# should be readable by root only.
kubectl config set-credentials system:node:srv-k8s-node-01 \
  --kubeconfig=/home/we8/k8s/kubeconfig/kubelet \
  --client-certificate=/home/we8/k8s/cfssl/kubelet.pem \
  --client-key=/home/we8/k8s/cfssl/kubelet-key.pem \
  --embed-certs=true
设置上下文参数
# Context "default" ties the "kubernetes" cluster entry to the node user entry
# inside the same kubeconfig file.
kubectl config set-context default \
  --kubeconfig=/home/we8/k8s/kubeconfig/kubelet \
  --user=system:node:srv-k8s-node-01 \
  --cluster=kubernetes
设置默认上下文
# Select "default" as the current context of the kubelet kubeconfig.
kubectl config use-context default \
  --kubeconfig=/home/we8/k8s/kubeconfig/kubelet
创建 systemd 服务文件
cat /etc/systemd/system/kubelet.service
# kubelet.service: runs /usr/local/bin/kubelet as a system service.
# No User= is set, so the process runs as root.
[Unit]
Description=Kubernetes Kubelet
# NOTE(review): only docker.service is ordered/required here, while
# kubelet-config.yml points at the cri-dockerd socket; confirm the cri-dockerd
# unit is started before the kubelet.
After=docker.service
Requires=docker.service
[Service]
# --kubeconfig: credentials the kubelet presents to kube-apiserver.
# --config: KubeletConfiguration file with the listener and TLS settings.
# --client-ca-file: CA used to verify client certificates presented to the
#   kubelet API.
# NOTE(review): the kubeconfig and CA file live under /home/we8 but are read by
#   a root process; they should be root-owned and not writable by that account.
ExecStart=/usr/local/bin/kubelet \
--v=2 \
--kubeconfig=/home/we8/k8s/kubeconfig/kubelet \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--client-ca-file=/home/we8/k8s/cfssl/kubernetes-chain.pem
# Restart only after a failure exit; KillMode=process stops just the main
# kubelet process and leaves its other child processes running.
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
禁用服务器 swap
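# Turn swap off for the running system; by default the kubelet refuses to
# start while swap is enabled.
sudo swapoff -a
# Keep swap off after a reboot by commenting out the swap entries in
# /etc/fstab. Only lines that are not already comments and that contain "swap"
# as a whitespace-delimited field are changed (the original pattern matched
# any line containing the substring and re-commented existing comments).
# The previous file is kept as /etc/fstab.bak so a bad edit can be rolled back.
sudo sed -E -i.bak '/^[[:space:]]*#/! s/^(.*[[:space:]]swap[[:space:]].*)$/#\1/' /etc/fstab
# Verify that no swap is active: the Swap row should show 0 and
# /proc/swaps should list no devices.
free -m
cat /proc/swaps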
启动 kubelet
# Make systemd re-read unit files so the new kubelet.service is known.
sudo systemctl daemon-reload
# Start the kubelet at boot, then start it now.
sudo systemctl enable kubelet.service
sudo systemctl start kubelet.service
# Confirm the unit is active; TLS, kubeconfig or swap problems show up in the
# log lines printed here.
sudo systemctl status kubelet.service