[BIN] Kubelet

[BIN] Kubelet #

kubeconfig for kubelet # 

source ~/.k8s.env
KUBECONFIG=${K8SDIR}/bootstrap-kubelet.conf

mkdir -p ${K8SDIR}/manifests

# 创建 token
export BOOTSTRAP_TOKEN=$(kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups system:bootstrappers:${NODENAME})

# 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=${CERTDIR}/ca.crt \
  --embed-certs=true \
  --server=https://${NODEIP}:6443 \
  --kubeconfig=${KUBECONFIG}

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=${KUBECONFIG}

# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=${KUBECONFIG}

# 设置默认上下文
kubectl config use-context default --kubeconfig=${KUBECONFIG}

config for kubelet # 

source ~/.k8s.env
mkdir -p /var/lib/kubelet/

cat > /var/lib/kubelet/config.yaml << EOF
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: ${CERTDIR}/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- ${DNSIP}
clusterDomain: ${CLUSTER_SUFFIX}
containerRuntimeEndpoint: ""
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 0
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: ${K8SDIR}/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

EOF

cat > /var/lib/kubelet/kubeadm-flags.env << EOF
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock" 
EOF

rolebinding for token # 

# kubelet可以使用token访问指定的资源
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers --user=kubelet-bootstrapper

# kube-apiserver可以访问kubelet获取容器信息
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

# 手动签发kubelet的证书
kubectl get csr
kubectl certificate approve ${csrid}