kube-proxy 部署
kube-proxy 负责管理节点上的网络规则,实现 Service 的负载均衡。它监听 API Server 中 Service 和 Endpoints 的变化,并实时更新转发规则。
工作模式
| 模式 | 性能 | 说明 |
|---|---|---|
| iptables | 中 | 默认模式,使用 iptables 规则 |
| IPVS | 高 | 内核级负载均衡,推荐用于生产环境 |
证书生成
在 Master 节点上为 kube-proxy 签发证书:
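# Write the CSR for kube-proxy. The quoted 'EOF' delimiter keeps the JSON
# literal (no parameter expansion can silently alter it).
# CN must be "system:kube-proxy": the built-in ClusterRoleBinding
# system:node-proxier grants exactly that user the permissions kube-proxy needs.
cat > kube-proxy-csr.json << 'EOF'
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-proxy",
      "OU": "system"
    }
  ]
}
EOF

# Sign the certificate with the cluster CA. cfssl's output is piped into
# cfssljson, which writes kube-proxy.pem and kube-proxy-key.pem under
# /etc/kubernetes/pki. pipefail makes a cfssl failure visible instead of
# being masked by a successful (but empty) cfssljson run.
set -o pipefail
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare /etc/kubernetes/pki/kube-proxy

# The private key must not be readable by other users on the node.
chmod 0600 /etc/kubernetes/pki/kube-proxy-key.pem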
创建 kubeconfig
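# All four kubectl calls write the same kubeconfig; name it once so the
# path cannot drift between steps.
KUBE_PROXY_KUBECONFIG=/etc/kubernetes/kube-proxy.kubeconfig
# API server endpoint. If the control plane sits behind a load balancer,
# point this at the VIP instead of a single master.
KUBE_APISERVER=https://192.168.4.213:6443

# Cluster entry: the CA is embedded so the file is self-contained.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig="${KUBE_PROXY_KUBECONFIG}"

# User entry: --embed-certs=true copies the client certificate AND the
# private key into the kubeconfig, so the file itself is a secret.
kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/kubernetes/pki/kube-proxy.pem \
  --client-key=/etc/kubernetes/pki/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig="${KUBE_PROXY_KUBECONFIG}"

# Context that binds the cluster entry to the kube-proxy user.
kubectl config set-context kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig="${KUBE_PROXY_KUBECONFIG}"

# Make it the active context.
kubectl config use-context kube-proxy@kubernetes \
  --kubeconfig="${KUBE_PROXY_KUBECONFIG}"

# Keep the kubeconfig owner-readable only: it carries the embedded key.
chmod 0600 "${KUBE_PROXY_KUBECONFIG}"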
kube-proxy 配置文件
# /etc/kubernetes/kube-proxy.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# Address kube-proxy binds its own listeners to.
bindAddress: 0.0.0.0
# How kube-proxy reaches the API server.
clientConnection:
  acceptContentTypes: ""
  burst: 10
  contentType: application/vnd.kubernetes.protobuf
  # Credentials are taken from the kubeconfig generated in the previous step.
  kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
  qps: 5
# Pod network CIDR. It should match the pod CIDR configured for the
# controller-manager / CNI; kube-proxy uses it to decide which traffic
# originates outside the cluster and must be masqueraded.
clusterCIDR: 10.244.0.0/16
configSyncPeriod: 15m0s
# Connection-tracking table sizing and timeouts.
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
# Keep the pprof endpoints disabled in production.
enableProfiling: false
# Health endpoint; 0.0.0.0 exposes it on every interface of the node.
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
ipvs:
  masqueradeAll: true
  minSyncPeriod: 5s
  # Round-robin scheduling.
  scheduler: "rr"
  syncPeriod: 30s
# IPVS mode requires the ip_vs kernel modules (ip_vs, ip_vs_rr, ...,
# nf_conntrack) to be loaded on the node; kube-proxy falls back to
# iptables when IPVS is unavailable, so check the logs after startup.
mode: "ipvs"
# Metrics are only reachable from localhost.
metricsBindAddress: 127.0.0.1:10249
oomScoreAdj: -999
systemd 服务文件
# /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
# Start once basic networking is up.
After=network.target

[Service]
# This directory must exist on the node before the unit starts.
WorkingDirectory=/var/lib/kube-proxy
# All runtime settings come from the YAML config; --v=2 sets log verbosity.
ExecStart=/usr/local/bin/kube-proxy \
  --config=/etc/kubernetes/kube-proxy.yaml \
  --v=2
# Restart on abnormal exit only, with a 10 s back-off.
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
同步文件到 Worker 节点
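# Worker nodes that will run kube-proxy.
WORKER_NODES=(node1 node2 node3)

# Local working directory (kept from the original steps, for a master that
# also runs kube-proxy).
mkdir -p /var/lib/kube-proxy

# Distribute the kubeconfig, the configuration file and the systemd unit.
# The client certificate and key are already embedded in the kubeconfig
# (--embed-certs=true), so no separate .pem files need to be copied.
# The kube-proxy binary is assumed to be present at /usr/local/bin/kube-proxy
# on every worker already.
for node in "${WORKER_NODES[@]}"; do
  # The unit's WorkingDirectory must exist on the worker itself, otherwise
  # systemd refuses to start kube-proxy there.
  ssh "${node}" 'mkdir -p /etc/kubernetes /var/lib/kube-proxy'
  scp /etc/kubernetes/kube-proxy.kubeconfig "${node}:/etc/kubernetes/"
  scp /etc/kubernetes/kube-proxy.yaml "${node}:/etc/kubernetes/"
  scp /usr/lib/systemd/system/kube-proxy.service "${node}:/usr/lib/systemd/system/"
  # The kubeconfig carries the private key: keep it owner-readable only.
  ssh "${node}" 'chmod 0600 /etc/kubernetes/kube-proxy.kubeconfig'
done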
启动和验证
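# Reload unit definitions, then enable at boot and start immediately.
systemctl daemon-reload
systemctl enable --now kube-proxy

# Show the unit state without a pager (so this can run non-interactively).
# If the unit is not active, the last log lines usually name the cause
# (e.g. missing kubeconfig or IPVS modules not loaded).
systemctl status kube-proxy --no-pager
if ! systemctl is-active --quiet kube-proxy; then
  journalctl -u kube-proxy -n 50 --no-pager >&2
fi

# Verify the IPVS rules: each Service ClusterIP:port should appear as a
# virtual server with its endpoints listed beneath it.
ipvsadm -Ln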