Deploying the kubelet
The kubelet is the core agent that runs on every Worker node; it is responsible for the lifecycle of Pods and their containers.
How TLS Bootstrap works
Once TLS authentication is enabled on the Master's API Server, the kubelet on each Node must present a valid certificate issued by the cluster CA to talk to kube-apiserver. With many nodes, issuing those certificates by hand is a lot of work. The TLS Bootstrap mechanism lets the kubelet, acting as a low-privilege user, request its certificate from the API Server automatically, and the API Server signs it on demand.
This approach is recommended for the kubelet on Nodes; kube-proxy certificates are still issued centrally by the administrator.
Bootstrap Token configuration
Create the Bootstrap Token on the Master node:
```bash
# Extract the bootstrap token from token.csv (binary installation)
BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/token.csv)
# Or create one with kubeadm
kubeadm token create --print-join-command
```
Create the bootstrap kubeconfig file:
```bash
# Set the cluster entry (the CA is embedded into the file)
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://192.168.4.213:6443 \
  --kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig
# Set the user credentials (the bootstrap token)
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig
# Set the context
kubectl config set-context kubelet-bootstrap@kubernetes \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig
# Select the context
kubectl config use-context kubelet-bootstrap@kubernetes \
  --kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig
```
Permissions
Run on the Master node:
```bash
# Create the cluster role bindings
# Note: the first binding grants cluster-admin to the bootstrap identity, so anyone holding
# the bootstrap token has full cluster rights; the system:node-bootstrapper binding below is
# the one the CSR flow actually needs.
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=kubelet-bootstrap
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
```
kubelet configuration file
Create the directories on every Worker node:
```bash
mkdir -p /etc/kubernetes/manifests
mkdir -p /var/lib/kubelet
mkdir -p /etc/kubernetes/pki
```
Create the kubelet configuration file:
```yaml
# /etc/kubernetes/kubelet-conf.yml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
failSwapOn: true
rotateCertificates: true
staticPodPath: /etc/kubernetes/manifests
maxPods: 110
```
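The authentication and authorization settings above decide who may call the kubelet's own API on port 10250. The following check is an added example, not part of the original page: it reads a KubeletConfiguration file line by line and reports settings that weaken that boundary. It also flags readOnlyPort, which the configuration above leaves at 10255: that port answers without any authentication, and setting it to 0 (the config-file default when the key is absent) disables it. The three sample files are constructed inline, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: a line-oriented lint for a
# KubeletConfiguration file. It is not a YAML parser; it assumes the layout
# shown on the page (one key per line, two-space indentation) and flags the
# settings that leave the kubelet's API reachable without authentication.
set -eu

# First value for a key at any indentation, e.g. readOnlyPort
first_value() { # file key
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Value of a key on the lines that follow a section header, e.g. anonymous -> enabled.
# Uses the first occurrence of the section, which is what the page's layout needs.
nested_value() { # file section key
  awk -v s="$2:" -v k="$3:" '
    $1 == s { insec = 1; next }
    insec && $1 == k { print $2; exit }
  ' "$1"
}

# Prints each finding to stderr and the number of findings to stdout.
lint_kubelet_conf() { # file
  conf="$1"; findings=0
  v=$(nested_value "$conf" anonymous enabled)
  if [ "$v" != "false" ]; then
    echo "FINDING: authentication.anonymous.enabled is '${v:-unset}', should be false" >&2
    findings=$((findings + 1))
  fi
  v=$(nested_value "$conf" authorization mode)
  if [ "$v" != "Webhook" ]; then
    echo "FINDING: authorization.mode is '${v:-unset}', should be Webhook (AlwaysAllow bypasses RBAC)" >&2
    findings=$((findings + 1))
  fi
  v=$(first_value "$conf" readOnlyPort)   # absent key means 0 (disabled) in the config-file API
  if [ "${v:-0}" != "0" ]; then
    echo "FINDING: readOnlyPort is $v; it serves pod and node data with no authentication, set it to 0" >&2
    findings=$((findings + 1))
  fi
  v=$(nested_value "$conf" x509 clientCAFile)
  if [ -z "$v" ]; then
    echo "FINDING: authentication.x509.clientCAFile is unset, client certificates cannot be verified" >&2
    findings=$((findings + 1))
  fi
  v=$(first_value "$conf" rotateCertificates)
  if [ "$v" != "true" ]; then
    echo "FINDING: rotateCertificates is '${v:-unset}', should be true" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

PAGE_CONF=$(mktemp); HARDENED_CONF=$(mktemp); WEAK_CONF=$(mktemp)
trap 'rm -f "$PAGE_CONF" "$HARDENED_CONF" "$WEAK_CONF"' EXIT

# Constructed copy of the security-relevant keys from the page's kubelet-conf.yml
cat > "$PAGE_CONF" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
rotateCertificates: true
EOF

# The same file with the read-only port disabled
sed 's/^readOnlyPort: .*/readOnlyPort: 0/' "$PAGE_CONF" > "$HARDENED_CONF"

# A constructed weak file, to show every check firing
cat > "$WEAK_CONF" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
EOF

demo() {
  for f in "$PAGE_CONF" "$HARDENED_CONF" "$WEAK_CONF"; do
    echo "== $f: $(lint_kubelet_conf "$f") finding(s)"
  done
}

# Run with: sh kubelet-conf-lint.sh --demo   (file name is hypothetical)
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run against the page's own settings the lint reports one finding (readOnlyPort), the hardened copy reports none, and the weak sample reports all five. Because it is a layout-aware grep rather than a parser, a section name that appears twice (webhook under both authentication and authorization) resolves to its first occurrence, which is why the checks avoid that key and read `mode` under `authorization` directly.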
systemd service
```ini
# /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=cri-docker.service docker.service
Wants=network-online.target
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/bin/kubelet \
  --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --config=/etc/kubernetes/kubelet-conf.yml \
  --container-runtime-endpoint=unix:///run/cri-dockerd.sock \
  --pod-infra-container-image=registry.k8s.io/pause:3.9 \
  --cert-dir=/etc/kubernetes/pki \
  --rotate-certificates \
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```
Key parameters:
- `--bootstrap-kubeconfig`: the temporary kubeconfig used during the Bootstrap phase
- `--kubeconfig`: the permanent kubeconfig, generated automatically once the certificate has been issued
- `--rotate-certificates`: enable automatic certificate rotation
Sync the configuration files to the Worker nodes
```bash
# Sync the binaries
for i in node1 node2 node3; do scp kubelet kube-proxy $i:/usr/local/bin; done
# Sync the kubelet configuration file
for i in node1 node2 node3; do scp /etc/kubernetes/kubelet-conf.yml $i:/etc/kubernetes; done
# Sync the bootstrap kubeconfig
for i in node1 node2 node3; do scp /etc/kubernetes/kubelet-bootstrap.kubeconfig $i:/etc/kubernetes; done
# Sync the CA certificate
for i in node1 node2 node3; do scp /etc/kubernetes/pki/ca.pem $i:/etc/kubernetes/pki; done
```
Start and verify
```bash
systemctl daemon-reload
systemctl enable --now kubelet
systemctl status kubelet
# Check from the Master node
kubectl get nodes
```