创建配置文件---两个node节点一起操作
[root@k8s-node1 ~]#
# Write the environment file that kube-proxy.service loads through EnvironmentFile=.
# The heredoc delimiter is unquoted, so each "\\" below is written to the file as a
# single "\" line continuation inside the KUBE_PROXY_OPTS value.
# --logtostderr=false together with --log-dir sends kube-proxy logs to files under
# /opt/kubernetes/logs instead of stderr.
cat << EOF > /opt/kubernetes/cfg/kube-proxy.conf
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
配置参数文件——在node2节点上操作时,注意把hostnameOverride修改为该节点对应的主机名
[root@k8s-node1 ~]#
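# Write the KubeProxyConfiguration file referenced by --config in kube-proxy.conf.
#
# kubeconfig is a field of clientConnection, so it must be indented under it; at
# column 0 it is parsed as a top-level key and the client connection settings are lost.
#
# hostnameOverride has to be changed per node (k8s-node1 here).
# clusterCIDR should be the cluster's pod network range; 10.0.0.0/24 is the value
# used on this page. NOTE(review): confirm it matches the CNI / controller-manager setting.
#
# NOTE(security): metricsBindAddress 0.0.0.0:10249 serves the kube-proxy metrics
# endpoint on every interface with no authentication. The upstream default is
# 127.0.0.1:10249; if remote scraping is needed, restrict port 10249 to the
# monitoring hosts with a host firewall rather than leaving it open to the network.
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node1
clusterCIDR: 10.0.0.0/24
EOF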
生成kube-proxy.kubeconfig文件
生成kube-proxy证书:
[root@k8s-master1 k8s]# cd /root/TLS/k8s
# Write the cfssl certificate signing request for the kube-proxy client certificate.
# The CN (system:kube-proxy) is the user name the API server sees when kube-proxy
# authenticates with this certificate, so it must not be changed casually.
# "hosts" is left empty because this is a client certificate, not a server certificate.
# The body contains nothing the shell would expand, so quoting the delimiter
# produces exactly the same file.
cat << 'EOF' > kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成证书
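# Run on k8s-master1 (transcript prompt: [root@k8s-master1 k8s-cert]#).
# Sign the kube-proxy client certificate with the cluster CA. cfssljson -bare writes
# kube-proxy.pem (certificate) and kube-proxy-key.pem (private key) into the
# current directory. The command needs ca-key.pem, so run it only where the CA
# private key is kept, and keep kube-proxy-key.pem readable by root only.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

# Output recorded in the original transcript:
#   2020/09/12 10:52:38 [INFO] generate received request
#   2020/09/12 10:52:38 [INFO] received CSR
#   2020/09/12 10:52:38 [INFO] generating key: rsa-2048
#   2020/09/12 10:52:38 [INFO] encoded CSR
#   2020/09/12 10:52:38 [INFO] signed certificate with serial number 723955282015572391940188006880295334346862480961
#   2020/09/12 10:52:38 [WARNING] This certificate lacks a "hosts" field. This makes it
#   unsuitable for websites. For more information see the Baseline Requirements for the
#   Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the
#   CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3
#   ("Information Requirements").
#
# The [WARNING] is expected here: the CSR deliberately has an empty "hosts" list
# because the certificate is used for client authentication, not to serve TLS.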
生成kubeconfig文件:
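# Run on k8s-master1 (transcript prompt: [root@k8s-master1 k8s-cert]#), in the
# directory that holds kube-proxy.pem and kube-proxy-key.pem.
# The assignment must be on its own line: written as a prefix on the same line as
# kubectl, ${KUBE_APISERVER} would be expanded before the variable is set.
KUBE_APISERVER="https://10.10.1.37:6443"

# Cluster entry: API server address and the CA certificate used to verify it.
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig

# Client credentials for the kube-proxy user.
# NOTE(security): with --embed-certs=true the private key is stored base64-encoded
# inside kube-proxy.kubeconfig, so the kubeconfig itself must be handled as a secret
# (root-owned, not group/world readable, not committed or pasted anywhere).
kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

# Context tying the cluster entry to the kube-proxy user.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

# Make that context the active one in this kubeconfig.
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig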
将kubeconfig中内嵌的证书数据替换成证书文件路径(这些文件必须存在于每个节点的对应路径下)
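# Edited on k8s-master1 with: vim kube-proxy.kubeconfig
# (transcript prompt: [root@k8s-master1 k8s-cert]#)
#
# This version references the CA, client certificate and client key by file path
# instead of embedding them. Every node that uses this kubeconfig therefore needs
# those files at exactly these paths, and kube-proxy-key.pem must stay readable
# by root only, since it is the private key for the kube-proxy credential.
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://10.10.1.37:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    client-certificate: /opt/kubernetes/ssl/kube-proxy.pem
    client-key: /opt/kubernetes/ssl/kube-proxy-key.pem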
拷贝到配置文件指定路径
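# Run on k8s-master1 (transcript prompt: [root@k8s-master1 k8s-cert]#).
# Copy the kube-proxy certificate and private key to the ssl directory of both
# nodes, then the kubeconfig to their cfg directory. The lines starting with
# "#   " are the scp output recorded in the original transcript.
#
# NOTE(security): kube-proxy-key.pem is a private key. After copying, check on each
# node that it and kube-proxy.kubeconfig are owned by root and are not
# group/world readable, and that /opt/kubernetes/ssl is not writable by other users.
scp -r kube-proxy.pem kube-proxy-key.pem 10.10.1.39:/opt/kubernetes/ssl/
#   kube-proxy.pem        100% 1403 3.6MB/s 00:00
#   kube-proxy-key.pem    100% 1675 5.5MB/s 00:00

scp -r kube-proxy.pem kube-proxy-key.pem 10.10.1.40:/opt/kubernetes/ssl/
#   kube-proxy.pem        100% 1403 3.8MB/s 00:00
#   kube-proxy-key.pem    100% 1675 4.6MB/s 00:00

scp -r kube-proxy.kubeconfig 10.10.1.39:/opt/kubernetes/cfg/
#   kube-proxy.kubeconfig 100% 429 1.3MB/s 00:00

scp -r kube-proxy.kubeconfig 10.10.1.40:/opt/kubernetes/cfg/
#   kube-proxy.kubeconfig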
systemd管理kube-proxy
# Install the systemd unit for kube-proxy.
# The heredoc delimiter is unquoted, so "\$KUBE_PROXY_OPTS" is escaped to reach the
# unit file as the literal text $KUBE_PROXY_OPTS; systemd substitutes it at service
# start from the EnvironmentFile (/opt/kubernetes/cfg/kube-proxy.conf).
cat << EOF > /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
启动并设置开机启动
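# Run on the node (transcript prompt: [root@k8s-node1 ~]#).
# Reload unit files so systemd picks up the new kube-proxy.service,
# start the service now, and enable it at boot.
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy

# Output recorded in the original transcript:
#   Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service
#   to /usr/lib/systemd/system/kube-proxy.service.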