CKA [Installation] – Ubuntu from scratch, setting up the WorkerNode

With the MasterNode set up, the next step is the WorkerNode. The steps below switch back and forth between MasterNode and WorkerNode, so each one is tagged with the machine it runs on. On the WorkerNode we need to install kubelet, kube-proxy and a container runtime.

✅ Install the required dependencies and prerequisites on the WorkerNode

1. 【WorkerNode】Configure the container runtime

{
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter

cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl --system
}

2. 【WorkerNode】Install containerd

apt update && apt upgrade
apt-get install -y containerd
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
# containerd must use the same cgroup driver as the kubelet (cgroupDriver: systemd in the kubelet config below)
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
systemctl restart containerd
systemctl status containerd
# these two keys were already set in step 1 (99-kubernetes-cri.conf); the extra file is redundant but harmless
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system

3. 【WorkerNode】Install the dependencies and copy kube-proxy, kubectl and kubelet to /usr/local/bin
If you have not downloaded the Kubernetes binaries yet, follow this article first: https://www.pangzai.win/cka-installation-ubuntu-%e4%bb%8e0%e6%9e%b6%e8%ae%be%ef%bc%8c%e4%b8%8b%e8%bd%bdkubernetes-binary-files/

apt install -y socat conntrack ipset
sysctl -w net.ipv4.conf.all.forwarding=1
cd  /root/binaries/kubernetes/node/bin/
cp kube-proxy kubectl kubelet /usr/local/bin

✅ On the MasterNode, use the CA to create the WorkerNode certificate

1. 【MasterNode】Generate the WorkerNode certificate

In openssl-worker.cnf, change

  • DNS.1 to your WorkerNode's hostname
  • IP.1 to your WorkerNode's IP (on Digital Ocean the Public IP, on AWS EC2 the Private IP)

(Screenshot in the original: the hostname as queried on the WorkerNode.)

cd /root/certificates
cat > openssl-worker.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = worker
IP.1 = 64.227.162.102
EOF
【Replace worker with your WorkerNode hostname and 64.227.162.102 with its IP, either before pasting the heredoc or afterwards in the editor; explanatory notes must not end up inside the file.】
nano openssl-worker.cnf

Note: change system:node:worker below to your own WorkerNode hostname, exactly as the WorkerNode reports it. The kubelet registers under that hostname, and the API server identifies the node by this CN together with the O=system:nodes group, so a mismatch leaves the node authenticated but unauthorized.

【Example】

【original】
/CN=system:node:worker/O=system:nodes

【change to】
/CN=system:node:ip-52-0-13-59/O=system:nodes
{
openssl genrsa -out worker.key 2048

openssl req -new -key worker.key -subj "/CN=system:node:worker/O=system:nodes" -out worker.csr -config openssl-worker.cnf

openssl x509 -req -in worker.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -out worker.crt -extensions v3_req -extfile openssl-worker.cnf -days 1000
}

✅ On the MasterNode, use the CA to create the kube-proxy certificate

{
openssl genrsa -out kube-proxy.key 2048

openssl req -new -key kube-proxy.key -subj "/CN=system:kube-proxy" -out kube-proxy.csr

openssl x509 -req -in kube-proxy.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -out kube-proxy.crt -days 1000
}
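Before anything is copied to the WorkerNode it is worth checking what was just issued. The script below is an added example, not part of the original tutorial: it repeats the worker and kube-proxy certificate steps above against a throwaway CA (an assumption standing in for /root/certificates/ca.crt and ca.key on the MasterNode; the CA name KUBERNETES-CA and the temporary directory are also assumptions) and then verifies the fields the API server relies on: the chain to the CA, that the key belongs to the certificate, CN=system:node:<hostname> with O=system:nodes, and the hostname and IP in the SAN. The hostname worker, the IP 64.227.162.102 and the alternative name ip-52-0-13-59 are the tutorial's own example values.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: issue the worker and
# kube-proxy client certificates the same way as above, then verify the
# fields the API server uses before the files leave the MasterNode. The API
# server takes a kubelet's identity from CN=system:node:<hostname> and
# O=system:nodes in its client certificate, so a hostname typo here yields
# a node that authenticates but is denied by the Node authorizer.
set -euo pipefail

# Throwaway CA standing in for the MasterNode's ca.crt / ca.key (assumption;
# on the real master use the files in /root/certificates instead).
make_test_ca() {
  local dir=$1
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/openssl-ca.cnf"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=KUBERNETES-CA" -days 30 \
    -config "$dir/openssl-ca.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# gen_client_cert DIR NAME SUBJECT [HOST IP]: the tutorial's openssl sequence.
# With HOST and IP the SAN extension is added (worker cert); without them a
# plain client certificate is issued (kube-proxy cert).
gen_client_cert() {
  local dir=$1 name=$2 subject=$3 host=${4:-} ip=${5:-} cnf
  cnf=$dir/openssl-$name.cnf
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  if [ -n "$host" ]; then
    cat > "$cnf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${host}
IP.1 = ${ip}
EOF
    openssl req -new -key "$dir/$name.key" -subj "$subject" -out "$dir/$name.csr" \
      -config "$cnf" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/$name.crt" -extensions v3_req -extfile "$cnf" -days 1000 2>/dev/null
  else
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$cnf"
    openssl req -new -key "$dir/$name.key" -subj "$subject" -out "$dir/$name.csr" \
      -config "$cnf" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/$name.crt" -days 1000 2>/dev/null
  fi
}

# subject_has CERT RDN: true if the subject contains exactly this RDN.
# RFC2253 output is comma separated, so CN=system:node:worker does not
# match a certificate issued for system:node:worker2.
subject_has() {
  local rdns
  rdns=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject=//' | tr ',' '\n')
  grep -qxF -- "$2" <<<"$rdns"
}

# check_node_cert CERT KEY CA HOST IP: 0 only if the cert chains to CA, KEY
# belongs to it, CN/O are what the API server expects for node HOST, and the
# SAN lists HOST and IP. Prints the first failing check otherwise.
check_node_cert() {
  local cert=$1 key=$2 ca=$3 host=$4 ip=$5 san
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: does not chain to $ca"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "$cert: public key does not match $key"; return 1; }
  subject_has "$cert" "CN=system:node:${host}" \
    || { echo "$cert: CN is not system:node:${host}"; return 1; }
  subject_has "$cert" "O=system:nodes" \
    || { echo "$cert: missing O=system:nodes"; return 1; }
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' || true)
  case "$san" in *"DNS:${host}"*) ;; *) echo "$cert: SAN lacks DNS:${host}"; return 1 ;; esac
  case "$san" in *"IP Address:${ip}"*) ;; *) echo "$cert: SAN lacks IP:${ip}"; return 1 ;; esac
}

# Demo with the tutorial's example hostname and IP (constructed values, temp dir).
demo() {
  local dir; dir=$(mktemp -d)
  make_test_ca "$dir"
  gen_client_cert "$dir" worker "/CN=system:node:worker/O=system:nodes" worker 64.227.162.102
  gen_client_cert "$dir" kube-proxy "/CN=system:kube-proxy"
  check_node_cert "$dir/worker.crt" "$dir/worker.key" "$dir/ca.crt" worker 64.227.162.102 \
    && echo "worker.crt OK for node worker"
  check_node_cert "$dir/worker.crt" "$dir/worker.key" "$dir/ca.crt" ip-52-0-13-59 64.227.162.102 \
    || echo "(expected) the same certificate is useless for a node named ip-52-0-13-59"
  subject_has "$dir/kube-proxy.crt" "CN=system:kube-proxy" && echo "kube-proxy.crt OK"
}
demo
```

Run check_node_cert with the hostname the WorkerNode will actually register under: the second call in the demo shows that a certificate issued for system:node:worker is rejected for a node named ip-52-0-13-59, which is exactly the mismatch that leaves a node unauthorized after the kubelet starts.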

✅ Copy the certificates generated on the MasterNode to the WorkerNode

1. 【WorkerNode】Enable SSH password login on the WorkerNode and create an account for the copy

grep -r PasswordAuthentication /etc/ssh -l | xargs -n 1 sed -i 's/#\s*PasswordAuthentication\s.*$/PasswordAuthentication yes/; s/^PasswordAuthentication\s*no$/PasswordAuthentication yes/'
systemctl restart ssh
useradd zeal
passwd zeal
【the password for the zeal account; the tutorial's example is】
zeal5872#

Password authentication on a host with a public IP is a standing brute-force target, so treat this as a temporary convenience for the copy step: use a strong password, and once the certificates are across set PasswordAuthentication back to no (or use an SSH key for the scp instead).

2. 【MasterNode】Copy the certificates from the MasterNode to the WorkerNode; replace 64.227.162.102 with the WorkerNode's Public IP

scp kube-proxy.crt kube-proxy.key worker.crt worker.key ca.crt zeal@64.227.162.102:/tmp

3.【WorkerNode】Move the certificates you just copied to /root/certificates

mkdir /root/certificates
cd /tmp
mv kube-proxy.crt kube-proxy.key worker.crt worker.key ca.crt /root/certificates

4. 【WorkerNode】Move the certificates into the directories the kubelet and kube-proxy will read them from

mkdir /var/lib/kubernetes
cd /root/certificates
cp ca.crt /var/lib/kubernetes
mkdir /var/lib/kubelet
mv worker.crt  worker.key kube-proxy.crt kube-proxy.key /var/lib/kubelet/

The files were written by the zeal account over scp and mv keeps that ownership, so after this step make them root-owned and keep the .key files readable by root only (mode 0600): the kubelet and kube-proxy run as root, and these keys are the node's credentials to the API server.

✅ Configure the kubelet on the WorkerNode

1. 【WorkerNode】Create the kubelet configuration yaml

cat <<EOF | sudo tee /var/lib/kubelet/kubelet-config.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubernetes/ca.crt"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "10.32.0.10"
runtimeRequestTimeout: "15m"
cgroupDriver: systemd
EOF

With anonymous access off, webhook authentication on and Webhook authorization, every request to the kubelet API (port 10250) must carry a certificate signed by ca.crt or a token the API server accepts, and is then authorized by the API server, so the kubelet is not open to unauthenticated callers. cgroupDriver: systemd has to match the SystemdCgroup = true set in containerd above. No tlsCertFile/tlsPrivateKeyFile is configured, so the kubelet serves its own self-signed certificate; the API server can still reach it for logs and exec, but cannot validate that certificate against the cluster CA.

2.【WorkerNode】Create the kubelet systemd service file

cat <<EOF | sudo tee /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
  --config=/var/lib/kubelet/kubelet-config.yaml \\
  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
  --kubeconfig=/var/lib/kubelet/kubeconfig \\
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

The continuations are written as \\ because the EOF delimiter is unquoted: the shell turns \\ into a single \ in the file, whereas a bare \ at the end of a line is consumed as a line continuation and ExecStart ends up on one line (systemd accepts that, but it is hard to read and differs from the kube-proxy unit below). No --hostname-override is given, so the kubelet registers under the machine's hostname, which is the name that must appear in the certificate's CN (system:node:<hostname>).

3. 【WorkerNode】Create the kubeconfig the kubelet uses to reach the API server

cd /var/lib/kubelet
cp /var/lib/kubernetes/ca.crt .
【SERVER_IP is the API server's IP: on Digital Ocean the Public IP, on AWS EC2 the Private IP. The same variable is reused in the kube-proxy step below, so run both from this shell. The name given to --user (system:node:worker) is only a label inside the file; the API server identifies the kubelet by the CN/O of the embedded worker.crt.】
SERVER_IP=<IP-OF-API-SERVER>
{
  kubectl config set-cluster kubernetes-from-scratch \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://${SERVER_IP}:6443 \
    --kubeconfig=worker.kubeconfig

  kubectl config set-credentials system:node:worker \
    --client-certificate=worker.crt \
    --client-key=worker.key \
    --embed-certs=true \
    --kubeconfig=worker.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-from-scratch \
    --user=system:node:worker \
    --kubeconfig=worker.kubeconfig

  kubectl config use-context default --kubeconfig=worker.kubeconfig
}
mv worker.kubeconfig kubeconfig

✅ Configure kube-proxy on the WorkerNode

1. 【WorkerNode】Create the kubeconfig kube-proxy uses to reach the API server

Still in /var/lib/kubelet (where kube-proxy.crt, kube-proxy.key and ca.crt now are) and with SERVER_IP still set:
mkdir /var/lib/kube-proxy
{
  kubectl config set-cluster kubernetes-from-scratch \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://${SERVER_IP}:6443 \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-credentials system:kube-proxy \
    --client-certificate=kube-proxy.crt \
    --client-key=kube-proxy.key \
    --embed-certs=true \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-from-scratch \
    --user=system:kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
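The two kubeconfig files built above (the kubelet's and kube-proxy's) have the same shape, and it helps to see what kubectl config actually writes and to check the identity that ends up embedded in the file. The script below is an added example, not part of the original tutorial: it writes the same kubeconfig that the four kubectl config commands with --embed-certs=true produce, without needing kubectl on the WorkerNode, and then decodes client-certificate-data to confirm that the certificate's CN/O match the node the file is meant for. The demo uses self-signed stand-in certificates and the address 10.0.0.10 in place of SERVER_IP (both assumptions); the cluster name kubernetes-from-scratch, the user names and the hostnames worker and ip-52-0-13-59 are the tutorial's own values.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: produce the same kubeconfig
# that the four kubectl config commands above write (--embed-certs=true), but
# without kubectl, and then inspect the identity embedded in it. The "user"
# name inside a kubeconfig (system:node:worker, system:kube-proxy) is only a
# local label; the API server authenticates the CN/O of client-certificate-data,
# so that certificate must name the node's real hostname or the kubelet is rejected.
set -euo pipefail

b64() { base64 < "$1" | tr -d '\n'; }   # one-line base64, portable across GNU/BSD

# write_kubeconfig OUT SERVER_URL CA_CRT USER CLIENT_CRT CLIENT_KEY
# Equivalent of set-cluster / set-credentials / set-context / use-context
# with --embed-certs=true and cluster name kubernetes-from-scratch.
write_kubeconfig() {
  local out=$1 server=$2 ca=$3 user=$4 crt=$5 key=$6
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes-from-scratch
  cluster:
    certificate-authority-data: $(b64 "$ca")
    server: ${server}
users:
- name: ${user}
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: default
  context:
    cluster: kubernetes-from-scratch
    user: ${user}
current-context: default
EOF
  chmod 0600 "$out"   # the file carries the private key
}

# kubeconfig_server FILE: the API server URL the file points at
kubeconfig_server() { awk '/^ *server:/ { print $2; exit }' "$1"; }

# kubeconfig_has_rdn FILE RDN: 0 if the embedded client certificate's subject
# contains exactly RDN (e.g. "CN=system:node:worker" or "O=system:nodes").
kubeconfig_has_rdn() {
  local rdns
  rdns=$(awk '/client-certificate-data:/ { print $2; exit }' "$1" | base64 -d \
         | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//' | tr ',' '\n')
  grep -qxF -- "$2" <<<"$rdns"
}

# check_node_kubeconfig FILE HOST: the kubelet on node HOST must present
# CN=system:node:HOST in group system:nodes; anything else is not a node identity.
check_node_kubeconfig() {
  kubeconfig_has_rdn "$1" "CN=system:node:$2" && kubeconfig_has_rdn "$1" "O=system:nodes"
}

# Demo with constructed stand-ins: self-signed certs replace the CA-issued
# worker.crt, and 10.0.0.10 stands in for SERVER_IP.
demo() {
  local d; d=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/min.cnf"   # lets req run without a system openssl.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=KUBERNETES-CA" -days 1 -config "$d/min.cnf" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/worker.key" -out "$d/worker.crt" \
    -subj "/CN=system:node:worker/O=system:nodes" -days 1 -config "$d/min.cnf" 2>/dev/null
  write_kubeconfig "$d/kubeconfig" "https://10.0.0.10:6443" "$d/ca.crt" \
    system:node:worker "$d/worker.crt" "$d/worker.key"
  echo "server: $(kubeconfig_server "$d/kubeconfig")"
  check_node_kubeconfig "$d/kubeconfig" worker && echo "identity OK for node worker"
  check_node_kubeconfig "$d/kubeconfig" ip-52-0-13-59 || echo "(expected) not a valid identity for node ip-52-0-13-59"
}
demo
```

The same check is useful on a real worker: run kubeconfig_has_rdn against /var/lib/kubelet/kubeconfig with CN=system:node:$(hostname) before starting the kubelet, and against /var/lib/kube-proxy/kubeconfig with CN=system:kube-proxy; a file that carries the wrong certificate fails here rather than as a forbidden error in the kubelet log.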

2. 【WorkerNode】Create the kube-proxy configuration yaml

cat <<EOF | sudo tee /var/lib/kube-proxy/kube-proxy-config.yaml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  kubeconfig: "/var/lib/kube-proxy/kubeconfig"
mode: "iptables"
clusterCIDR: "10.200.0.0/16"
EOF

clusterCIDR must be the cluster's pod network range (the --cluster-cidr the controller manager on the MasterNode was started with); kube-proxy uses it to tell pod-originated traffic from external traffic when deciding what to masquerade.

3. 【WorkerNode】Create the kube-proxy systemd service file

cat <<EOF | sudo tee /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-proxy \\
  --config=/var/lib/kube-proxy/kube-proxy-config.yaml
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

✅ Start all configured services on the WorkerNode

systemctl daemon-reload
systemctl start kubelet
systemctl start kube-proxy
systemctl status kubelet
systemctl status kube-proxy
systemctl enable kubelet
systemctl enable kube-proxy

daemon-reload makes systemd pick up the two unit files written above. If either service fails, journalctl -u kubelet or journalctl -u kube-proxy shows why; a wrong SERVER_IP or a certificate CN that does not match the hostname shows up there first.

✅ On the MasterNode, verify that the WorkerNode has joined

1. Before the WorkerNode joins, kubectl get nodes on the MasterNode looks like this (screenshot in the original):

kubectl get nodes

2. Once the WorkerNode has joined it appears in the list, but its status stays NotReady because no CNI network plugin has been installed yet (screenshot in the original).