[BIN] kube-proxy #

ARCH=amd64
if [ "$(uname -i)" = "aarch64" ]; then ARCH=arm64; fi

VERSION=v1.29.1
wget https://cdn.dl.k8s.io/release/${VERSION}/bin/linux/${ARCH}/kube-proxy -O /usr/bin/kube-proxy
chmod +x /usr/bin/kube-proxy

source ~/.k8s.env

# 创建kube-proxy访问kube-apiserver的证书
openssl genrsa -out ${CERTDIR}/kube-proxy.key 2048
openssl req -new -key ${CERTDIR}/kube-proxy.key \
    -out ${CERTDIR}/kube-proxy.csr \
    -subj "/CN=system:kube-proxy"
openssl x509 -req -days 36500 \
    -in ${CERTDIR}/kube-proxy.csr \
    -CA ${CERTDIR}/ca.crt \
    -CAkey ${CERTDIR}/ca.key \
    -CAcreateserial \
    -out ${CERTDIR}/kube-proxy.crt
rm -fr ${CERTDIR}/kube-proxy.csr

source ~/.k8s.env
KUBECONFIG=${K8SDIR}/kube-proxy.conf

## 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=${CERTDIR}/ca.crt \
  --embed-certs=true \
  --server=https://${NODEIP}:6443 \
  --kubeconfig=${KUBECONFIG}

## 设置客户端认证参数
kubectl config set-credentials kube-proxy \
  --client-certificate=${CERTDIR}/kube-proxy.crt \
  --client-key=${CERTDIR}/kube-proxy.key \
  --embed-certs=true \
  --kubeconfig=${KUBECONFIG}

## 设置上下文参数
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=${KUBECONFIG}

## 设置默认上下文
kubectl config use-context kubernetes --kubeconfig=${KUBECONFIG}

cat > /etc/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy Service
After=network.target

[Service]
ExecStart=/usr/bin/kube-proxy --kubeconfig=/etc/kubernetes/kube-proxy.conf \
    --proxy-mode=ipvs

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload && systemctl start kube-proxy