• 以 Daemonset 方式部署 kube-proxy

    以 Daemonset 方式部署 kube-proxy

    kube-proxy 可以用二进制部署,也可以用 kubelet 的静态 Pod 部署,但最简单使用 DaemonSet 部署。直接使用 ServiceAccount 的 token 认证,不需要签发证书,也就不用担心证书过期问题。

    先在终端设置下面的变量:

    1. APISERVER="https://10.200.16.79:6443"
    2. CLUSTER_CIDR="10.10.0.0/16"
    • APISERVER 替换为 apiserver 对外暴露的访问地址。有同学想问为什么不直接用集群内的访问地址(kubernetes.default 或对应的 CLUSTER IP),这是一个鸡生蛋还是蛋生鸡的问题,CLSUTER IP 本身就是由 kube-proxy 来生成 iptables 或 ipvs 规则转发 Service 对应 Endpoint 的 Pod IP,kube-proxy 刚启动还没有生成这些转发规则,生成规则的前提是 kube-proxy 需要访问 apiserver 获取 Service 与 Endpoint,而由于还没有转发规则,kube-proxy 访问 apiserver 的 CLUSTER IP 的请求无法被转发到 apiserver。
    • CLUSTER_CIDR 替换为集群 Pod IP 的 CIDR 范围,这个在部署 kube-controller-manager 时也设置过

    为 kube-proxy 创建 RBAC 权限和配置文件:

    1. cat <<EOF | kubectl apply -f -
    2. apiVersion: v1
    3. kind: ServiceAccount
    4. metadata:
    5.   name: kube-proxy
    6.   namespace: kube-system
    8. ---
    10. apiVersion: rbac.authorization.k8s.io/v1
    11. kind: ClusterRoleBinding
    12. metadata:
    13.   name: system:kube-proxy
    14. roleRef:
    15.   apiGroup: rbac.authorization.k8s.io
    16.   kind: ClusterRole
    17.   name: system:node-proxier
    18. subjects:
    19. - kind: ServiceAccount
    20.   name: kube-proxy
    21.   namespace: kube-system
    23. ---
    25. kind: ConfigMap
    26. apiVersion: v1
    27. metadata:
    28.   name: kube-proxy
    29.   namespace: kube-system
    30.   labels:
    31.     app: kube-proxy
    32. data:
    33.   kubeconfig.conf: |-
    34.     apiVersion: v1
    35.     kind: Config
    36.     clusters:
    37.     - cluster:
    38.         certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    39.         server: ${APISERVER}
    40.       name: default
    41.     contexts:
    42.     - context:
    43.         cluster: default
    44.         namespace: default
    45.         user: default
    46.       name: default
    47.     current-context: default
    48.     users:
    49.     - name: default
    50.       user:
    51.         tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    52.   config.conf: |-
    53.     apiVersion: kubeproxy.config.k8s.io/v1alpha1
    54.     kind: KubeProxyConfiguration
    55.     bindAddress: 0.0.0.0
    56.     clientConnection:
    57.       acceptContentTypes: ""
    58.       burst: 10
    59.       contentType: application/vnd.kubernetes.protobuf
    60.       kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
    61.       qps: 5
    62.     # 集群中 Pod IP 的 CIDR 范围
    63.     clusterCIDR: ${CLUSTER_CIDR}
    64.     configSyncPeriod: 15m0s
    65.     conntrack:
    66.       # 每个核心最大能跟踪的NAT连接数,默认32768
    67.       maxPerCore: 32768
    68.       min: 131072
    69.       tcpCloseWaitTimeout: 1h0m0s
    70.       tcpEstablishedTimeout: 24h0m0s
    71.     enableProfiling: false
    72.     healthzBindAddress: 0.0.0.0:10256
    73.     iptables:
    74.       # SNAT 所有 Service 的 CLUSTER IP
    75.       masqueradeAll: false
    76.       masqueradeBit: 14
    77.       minSyncPeriod: 0s
    78.       syncPeriod: 30s
    79.     ipvs:
    80.       minSyncPeriod: 0s
    81.       # ipvs 调度类型,默认是 rr,支持的所有类型:
    82.       # rr: round-robin
    83.       # lc: least connection
    84.       # dh: destination hashing
    85.       # sh: source hashing
    86.       # sed: shortest expected delay
    87.       # nq: never queue
    88.       scheduler: rr
    89.       syncPeriod: 30s
    90.     metricsBindAddress: 0.0.0.0:10249
    91.     # 使用 ipvs 模式转发 service
    92.     mode: ipvs
    93.     # 设置 kube-proxy 进程的 oom-score-adj 值,范围 [-1000,1000]
    94.     # 值越低越不容易被杀死,这里设置为 —999 防止发生系统OOM时将 kube-proxy 杀死
    95.     oomScoreAdj: -999
    96. EOF

    在终端设置下面的变量:

    1. ARCH="amd64"
    2. VERSION="v1.16.1"
    • VERSION 是 K8S 版本
    • ARCH 是节点的 cpu 架构,大多数用的 amd64,即 x86_64。其它常见的还有: arm64, arm, ppc64le, s390x,如果你的集群有不同 cpu 架构的节点,可以分别指定 ARCH 部署多个 daemonset (每个节点不会有多个 kube-proxy,nodeSelector 会根据 cpu 架构来选中节点)

    使用 hostNetwork 以 Daemonset 方式部署 kube-proxy 到每个节点:

    1. cat <<EOF | kubectl apply -f -
    2. apiVersion: apps/v1
    3. kind: DaemonSet
    4. metadata:
    5.   labels:
    6.     k8s-app: kube-proxy-ds-${ARCH}
    7.   name: kube-proxy-ds-${ARCH}
    8.   namespace: kube-system
    9. spec:
    10.   selector:
    11.     matchLabels:
    12.       k8s-app: kube-proxy-ds-${ARCH}
    13.   updateStrategy:
    14.     type: RollingUpdate
    15.   template:
    16.     metadata:
    17.       labels:
    18.         k8s-app: kube-proxy-ds-${ARCH}
    19.     spec:
    20.       priorityClassName: system-node-critical
    21.       containers:
    22.       - name: kube-proxy
    23.         image: k8s.gcr.io/kube-proxy-${ARCH}:${VERSION}
    24.         imagePullPolicy: IfNotPresent
    25.         command:
    26.         - /usr/local/bin/kube-proxy
    27.         - --config=/var/lib/kube-proxy/config.conf
    28.         - --hostname-override=\$(NODE_NAME)
    29.         securityContext:
    30.           privileged: true
    31.         volumeMounts:
    32.         - mountPath: /var/lib/kube-proxy
    33.           name: kube-proxy
    34.         - mountPath: /run/xtables.lock
    35.           name: xtables-lock
    36.           readOnly: false
    37.         - mountPath: /lib/modules
    38.           name: lib-modules
    39.           readOnly: true
    40.         env:
    41.           - name: NODE_NAME
    42.             valueFrom:
    43.               fieldRef:
    44.                 fieldPath: spec.nodeName
    45.       hostNetwork: true
    46.       serviceAccountName: kube-proxy
    47.       volumes:
    48.       - name: kube-proxy
    49.         configMap:
    50.           name: kube-proxy
    51.       - name: xtables-lock
    52.         hostPath:
    53.           path: /run/xtables.lock
    54.           type: FileOrCreate
    55.       - name: lib-modules
    56.         hostPath:
    57.           path: /lib/modules
    58.       tolerations:
    59.       - key: CriticalAddonsOnly
    60.         operator: Exists
    61.       - operator: Exists
    62.       nodeSelector:
    63.         beta.kubernetes.io/arch: ${ARCH}
    64. EOF