生成证书
在 cfssl 的签发配置文件 config.json（signing config，而非 CSR 文件）中新增 kube-proxy profile。注意：kube-proxy 只作为 API Server 的客户端，不对外提供 TLS 服务，因此该 profile 中的 server auth 用途并非必需；按最小权限原则可只保留 client auth（以及 digital signature / key encipherment）。
cat config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign"
],
"expiry": "43800h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0
}
},
"etcd": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-apiserver": {
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"kube-controller-manager": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-scheduler": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"admin": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kubelet": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-proxy": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
创建 kube-proxy-csr.json 证书请求配置文件。CN 即 API Server 认证出的用户名（system:kube-proxy），O 即所属组（system:node-proxier）；在启用默认 RBAC 引导策略的集群中，内置的 ClusterRoleBinding system:node-proxier 正是绑定到用户 system:kube-proxy，所以该证书身份无需额外授权即可满足 kube-proxy 的需要。
cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:node-proxier",
"OU": "Kubernetes"
}
]
}
生成证书
# Sign the kube-proxy client certificate with the cluster CA using the
# "kube-proxy" profile from config.json; cfssljson writes kube-proxy.pem,
# kube-proxy-key.pem and kube-proxy.csr. The "lacks a hosts field" warning
# printed below is expected for a client-only certificate (it is never used
# as a server cert) and can be ignored. Keep kube-proxy-key.pem at mode 0600:
# it is the identity kube-proxy presents to the API server.
cfssl gencert -ca=kubernetes-ca.pem -ca-key=kubernetes-ca-key.pem -config=config.json -profile=kube-proxy kube-proxy-csr.json | cfssljson -bare kube-proxy
2024/12/16 23:32:05 [INFO] generate received request
2024/12/16 23:32:05 [INFO] received CSR
2024/12/16 23:32:05 [INFO] generating key: rsa-2048
2024/12/16 23:32:05 [INFO] encoded CSR
2024/12/16 23:32:05 [INFO] signed certificate with serial number 571670035011395176778301365231663541127090134145
2024/12/16 23:32:05 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
ls kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
创建 kubeconfig 文件
设置集群
# Cluster entry: pins the API server endpoint and embeds the CA chain so the
# kubeconfig is self-contained and the server certificate is actually
# verified (no insecure-skip-tls-verify).
kubectl config set-cluster kubernetes \
--certificate-authority=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--server=https://10.0.30.47:6443 \
--embed-certs=true \
--kubeconfig=/home/we8/k8s/kubeconfig/kube-proxy
设置凭证
# Credentials: the client cert/key signed above. --embed-certs inlines the
# private key into the kubeconfig, so the resulting file is a secret and must
# be protected (mode 0600) wherever it is copied.
kubectl config set-credentials system:kube-proxy \
--client-certificate=/home/we8/k8s/cfssl/kube-proxy.pem \
--client-key=/home/we8/k8s/cfssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=/home/we8/k8s/kubeconfig/kube-proxy
设置上下文
# Context: ties the system:kube-proxy user to the "kubernetes" cluster entry.
kubectl config set-context system:kube-proxy@kubernetes \
--cluster=kubernetes \
--user=system:kube-proxy \
--kubeconfig=/home/we8/k8s/kubeconfig/kube-proxy
设置当前上下文
# Make the context the default so kube-proxy needs no --context flag.
kubectl config use-context system:kube-proxy@kubernetes \
--kubeconfig=/home/we8/k8s/kubeconfig/kube-proxy
将生成的 kubeconfig 文件拷贝到每个工作节点上 DaemonSet hostPath 所引用的路径（/home/we8/k8s/kubeconfig/kube-proxy）。该文件内嵌了客户端私钥（--embed-certs=true），拷贝后应将权限设为 0600，并仅由 root 拥有。
创建 kube-proxy.yml 部署配置文件
# kube-proxy.yml (the file name used by the heading above and by `kubectl apply` below)
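# ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kube-proxy
  namespace: kube-system
# kube-proxy itself authenticates with the client certificate embedded in the
# kubeconfig mounted into its pod (--kubeconfig), so pods using this account
# have no use for a projected token. Disabling automount keeps the token out
# of a privileged, host-network pod where it would only widen the blast
# radius of a container compromise.
automountServiceAccountToken: false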
---
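# ClusterRole
# Least-privilege rule set for kube-proxy, mirroring the upstream built-in
# "system:node-proxier" ClusterRole: it only needs to watch Services,
# Endpoints/EndpointSlices and Nodes, and to emit Events. The previous
# apiGroups/resources/verbs "*" wildcard was cluster-admin equivalent.
#
# NOTE(review): in a cluster with the default RBAC bootstrap policy, the
# built-in ClusterRoleBinding "system:node-proxier" already grants these
# permissions to the user system:kube-proxy presented by the client
# certificate, so this role is only relevant if kube-proxy ever falls back
# to ServiceAccount (in-cluster) authentication.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:kube-proxy
rules:
  # "" is the core API group.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["create", "patch", "update"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["list", "watch"]
  # Newer kube-proxy versions may also watch ServiceCIDRs; the rule is
  # harmless if the resource is not served by this API server.
  - apiGroups: ["networking.k8s.io"]
    resources: ["servicecidrs"]
    verbs: ["list", "watch"]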
---
# ClusterRoleBinding
# Grants the kube-proxy ServiceAccount in kube-system whatever the
# system:kube-proxy ClusterRole allows. Note this binds the ServiceAccount,
# not the system:kube-proxy certificate identity the process actually uses.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-proxy
subjects:
  - kind: ServiceAccount
    name: kube-proxy
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: system:kube-proxy
  apiGroup: rbac.authorization.k8s.io
---
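# DaemonSet
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-proxy
  namespace: kube-system
  labels:
    k8s-app: kube-proxy
spec:
  selector:
    matchLabels:
      k8s-app: kube-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-proxy
    spec:
      priorityClassName: system-node-critical
      hostNetwork: true
      serviceAccountName: kube-proxy
      # kube-proxy authenticates with the client certificate embedded in the
      # mounted kubeconfig (--kubeconfig below), so the ServiceAccount token is
      # never used by the process; do not mount it into a privileged,
      # host-network pod where it would only widen the blast radius.
      automountServiceAccountToken: false
      containers:
        - name: kube-proxy
          # k8s.gcr.io is frozen and only redirects to registry.k8s.io; pull
          # from the current registry directly. Adjust the tag to match your
          # control-plane version.
          image: registry.k8s.io/kube-proxy:v1.31.3
          imagePullPolicy: IfNotPresent
          command:
            - /usr/local/bin/kube-proxy
            - --master=https://10.0.30.47:6443
            - --cluster-cidr=172.16.0.0/16
            - --kubeconfig=/etc/kubernetes/kube-proxy
            # Use the API Node name rather than the container's hostname;
            # NODE_NAME is populated from the Downward API in env below
            # (previously defined but unused).
            - --hostname-override=$(NODE_NAME)
          securityContext:
            # kube-proxy programs iptables/ipvs in the host network namespace
            # and loads kernel modules, which needs NET_ADMIN/SYS_MODULE; this
            # matches the upstream kubeadm manifest.
            privileged: true
          volumeMounts:
            - name: xtables-lock
              mountPath: /run/xtables.lock
            - name: lib-modules
              mountPath: /lib/modules
              readOnly: true
            - name: kubeconfig
              mountPath: /etc/kubernetes/kube-proxy
              # The kubeconfig embeds the client private key and is only read
              # by the process; never expose it writable to the container.
              readOnly: true
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
      volumes:
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: kubeconfig
          hostPath:
            # Must be copied to every worker node with mode 0600 beforehand.
            # type: File turns a missing or mis-copied kubeconfig into a pod
            # start failure instead of silently mounting a new empty
            # directory under the same name.
            path: /home/we8/k8s/kubeconfig/kube-proxy
            type: File
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # kube-proxy must run on every node, including tainted control-plane
        # and not-ready nodes.
        - operator: Exists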
部署 kube-proxy.yml
# Apply from a host holding admin credentials; afterwards check that one pod
# per node is Running with: kubectl -n kube-system get ds kube-proxy
kubectl apply -f kube-proxy.yml