kubernetes-the-hard-way/docs/06-kubernetes-worker.md

308 lines
6.4 KiB
Markdown
Raw Normal View History

2016-07-07 19:55:01 +03:00
# Bootstrapping Kubernetes Workers
In this lab you will bootstrap 3 Kubernetes worker nodes. The following virtual machines will be used:
2016-07-07 19:55:01 +03:00
2016-09-11 09:15:57 +03:00
* worker0
* worker1
* worker2
2016-07-09 03:36:55 +03:00
2016-07-07 19:55:01 +03:00
## Why
Kubernetes worker nodes are responsible for running your containers. All Kubernetes clusters need one or more worker nodes. We are running the worker nodes on dedicated machines for the following reasons:
* Ease of deployment and configuration
* Avoid mixing arbitrary workloads with critical cluster components. We are building machines with just enough resources so we don't have to worry about wasting resources.
2016-07-07 19:55:01 +03:00
Some people would like to run workers and cluster services anywhere in the cluster. This is totally possible, and you'll have to decide what's best for your environment.
2017-03-25 21:41:26 +03:00
## Prerequisites
2016-07-07 19:55:01 +03:00
2017-03-26 23:02:03 +03:00
Each worker node will provision a unique TLS client certificate as defined in the [kubelet TLS bootstrapping guide](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/). The `kubelet-bootstrap` user must be granted permission to request a client TLS certificate.
2016-07-07 21:37:54 +03:00
```
gcloud compute ssh controller0
```
Enable TLS bootstrapping by binding the `kubelet-bootstrap` user to the `system:node-bootstrapper` cluster role:
2017-03-24 05:48:14 +03:00
```
2017-03-25 21:41:26 +03:00
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
2017-03-24 05:48:14 +03:00
```
2017-03-25 21:41:26 +03:00
## Provision the Kubernetes Worker Nodes
Run the following commands on `worker0`, `worker1`, `worker2`:
2017-03-24 05:48:14 +03:00
```
sudo mkdir -p /var/lib/{kubelet,kube-proxy,kubernetes}
2017-03-25 21:41:26 +03:00
```
2017-03-24 05:48:14 +03:00
```
2017-03-25 21:41:26 +03:00
sudo mkdir -p /var/run/kubernetes
2017-03-24 05:48:14 +03:00
```
2017-03-25 21:41:26 +03:00
```
sudo mv bootstrap.kubeconfig /var/lib/kubelet
```
2016-07-07 19:55:01 +03:00
```
2017-03-25 21:41:26 +03:00
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy
2016-07-07 19:55:01 +03:00
```
2017-03-25 21:41:26 +03:00
Move the TLS certificates in place
2016-07-07 19:55:01 +03:00
```
2017-03-24 05:48:14 +03:00
sudo mv ca.pem /var/lib/kubernetes/
2016-07-07 19:55:01 +03:00
```
2017-03-25 21:41:26 +03:00
### Install Docker
2016-07-07 19:55:01 +03:00
```
2017-03-24 05:48:14 +03:00
wget https://get.docker.com/builds/Linux/x86_64/docker-1.12.6.tgz
2016-07-07 19:55:01 +03:00
```
```
2017-03-24 05:48:14 +03:00
tar -xvf docker-1.12.6.tgz
2016-07-07 19:55:01 +03:00
```
```
2016-07-08 20:26:32 +03:00
sudo cp docker/docker* /usr/bin/
2016-07-07 19:55:01 +03:00
```
Create the Docker systemd unit file:
```
2017-03-24 05:48:14 +03:00
cat > docker.service <<EOF
[Unit]
2016-07-07 19:55:01 +03:00
Description=Docker Application Container Engine
2017-07-18 15:43:01 +03:00
Documentation=http://docs.docker.com
2016-07-07 19:55:01 +03:00
[Service]
2017-03-24 05:48:14 +03:00
ExecStart=/usr/bin/docker daemon \\
--iptables=false \\
--ip-masq=false \\
--host=unix:///var/run/docker.sock \\
--log-level=error \\
2016-07-07 19:55:01 +03:00
--storage-driver=overlay
Restart=on-failure
RestartSec=5
[Install]
2017-03-24 05:48:14 +03:00
WantedBy=multi-user.target
EOF
```
2017-03-24 14:24:53 +03:00
Start the docker service:
2017-03-24 05:48:14 +03:00
```
sudo mv docker.service /etc/systemd/system/docker.service
2016-07-07 19:55:01 +03:00
```
```
sudo systemctl daemon-reload
2017-03-25 21:41:26 +03:00
```
```
2016-07-07 19:55:01 +03:00
sudo systemctl enable docker
2017-03-25 21:41:26 +03:00
```
```
2016-07-07 19:55:01 +03:00
sudo systemctl start docker
```
```
sudo docker version
```
2017-03-25 21:41:26 +03:00
### Install the kubelet
2016-07-07 22:23:30 +03:00
2017-03-25 21:41:26 +03:00
The Kubelet can now use [CNI - the Container Network Interface](https://github.com/containernetworking/cni) to manage machine level networking requirements.
2016-07-07 20:59:14 +03:00
Download and install CNI plugins
```
sudo mkdir -p /opt/cni
```
```
2017-03-24 05:48:14 +03:00
wget https://storage.googleapis.com/kubernetes-release/network-plugins/cni-amd64-0799f5732f2a11b329d9e3d51b9c8f2e3759f2ff.tar.gz
2016-07-07 20:59:14 +03:00
```
```
2017-03-24 05:48:14 +03:00
sudo tar -xvf cni-amd64-0799f5732f2a11b329d9e3d51b9c8f2e3759f2ff.tar.gz -C /opt/cni
2016-07-07 20:59:14 +03:00
```
2016-07-07 19:55:01 +03:00
Download and install the Kubernetes worker binaries:
```
2017-04-12 17:09:55 +03:00
wget https://storage.googleapis.com/kubernetes-release/release/v1.6.1/bin/linux/amd64/kubectl
2016-09-27 15:23:35 +03:00
```
2017-03-25 21:41:26 +03:00
2016-09-27 15:23:35 +03:00
```
2017-04-12 17:09:55 +03:00
wget https://storage.googleapis.com/kubernetes-release/release/v1.6.1/bin/linux/amd64/kube-proxy
2016-09-27 15:23:35 +03:00
```
2017-03-25 21:41:26 +03:00
2016-09-27 15:23:35 +03:00
```
2017-04-12 17:09:55 +03:00
wget https://storage.googleapis.com/kubernetes-release/release/v1.6.1/bin/linux/amd64/kubelet
2016-07-07 19:55:01 +03:00
```
```
2016-07-08 14:37:03 +03:00
chmod +x kubectl kube-proxy kubelet
2016-07-07 19:55:01 +03:00
```
```
2016-07-08 14:37:03 +03:00
sudo mv kubectl kube-proxy kubelet /usr/bin/
2016-07-07 19:55:01 +03:00
```
Create the kubelet systemd unit file:
2017-03-25 21:41:26 +03:00
```
API_SERVERS=$(sudo cat /var/lib/kubelet/bootstrap.kubeconfig | \
grep server | cut -d ':' -f2,3,4 | tr -d '[:space:]')
```
2016-07-07 19:55:01 +03:00
```
2017-03-24 05:48:14 +03:00
cat > kubelet.service <<EOF
[Unit]
2016-07-07 19:55:01 +03:00
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
2017-03-24 05:48:14 +03:00
ExecStart=/usr/bin/kubelet \\
2017-03-25 21:41:26 +03:00
--api-servers=${API_SERVERS} \\
2017-03-24 05:48:14 +03:00
--allow-privileged=true \\
--cluster-dns=10.32.0.10 \\
--cluster-domain=cluster.local \\
--container-runtime=docker \\
--experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap.kubeconfig \\
--network-plugin=kubenet \\
--kubeconfig=/var/lib/kubelet/kubeconfig \\
--serialize-image-pulls=false \\
--register-node=true \\
--tls-cert-file=/var/lib/kubelet/kubelet-client.crt \\
--tls-private-key-file=/var/lib/kubelet/kubelet-client.key \\
--cert-dir=/var/lib/kubelet \\
2016-07-07 19:55:01 +03:00
--v=2
Restart=on-failure
RestartSec=5
[Install]
2017-03-24 05:48:14 +03:00
WantedBy=multi-user.target
EOF
```
```
sudo mv kubelet.service /etc/systemd/system/kubelet.service
2016-07-07 19:55:01 +03:00
```
2017-03-24 09:08:54 +03:00
```
2017-03-25 21:41:26 +03:00
sudo systemctl daemon-reload
2017-03-24 09:08:54 +03:00
```
2016-07-07 19:55:01 +03:00
```
sudo systemctl enable kubelet
2017-03-25 21:41:26 +03:00
```
```
2016-07-07 19:55:01 +03:00
sudo systemctl start kubelet
```
```
2016-07-08 20:26:32 +03:00
sudo systemctl status kubelet --no-pager
2016-07-07 19:55:01 +03:00
```
2016-07-07 21:37:54 +03:00
#### kube-proxy
```
2017-03-24 05:48:14 +03:00
cat > kube-proxy.service <<EOF
[Unit]
2016-07-07 21:37:54 +03:00
Description=Kubernetes Kube Proxy
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
2017-03-24 05:48:14 +03:00
ExecStart=/usr/bin/kube-proxy \\
2017-03-24 18:31:17 +03:00
--cluster-cidr=10.200.0.0/16 \\
--masquerade-all=true \\
2017-03-25 21:41:26 +03:00
--kubeconfig=/var/lib/kube-proxy/kube-proxy.kubeconfig \\
2017-03-24 05:48:14 +03:00
--proxy-mode=iptables \\
2016-07-07 21:37:54 +03:00
--v=2
Restart=on-failure
RestartSec=5
[Install]
2017-03-24 05:48:14 +03:00
WantedBy=multi-user.target
2017-03-24 09:08:54 +03:00
EOF
2017-03-24 05:48:14 +03:00
```
```
sudo mv kube-proxy.service /etc/systemd/system/kube-proxy.service
2016-07-07 21:37:54 +03:00
```
```
sudo systemctl daemon-reload
2017-03-25 21:41:26 +03:00
```
```
2016-07-07 21:37:54 +03:00
sudo systemctl enable kube-proxy
2017-03-25 21:41:26 +03:00
```
```
2016-07-07 21:37:54 +03:00
sudo systemctl start kube-proxy
```
```
2016-07-08 20:26:32 +03:00
sudo systemctl status kube-proxy --no-pager
2016-07-07 21:37:54 +03:00
```
2016-07-09 03:37:48 +03:00
> Remember to run these steps on `worker0`, `worker1`, and `worker2`
2017-03-24 14:24:53 +03:00
## Approve the TLS certificate requests
Each worker node will submit a certificate signing request which must be approved before the node is allowed to join the cluster.
Log into one of the controller nodes:
```
gcloud compute ssh controller0
```
List the pending certificate requests:
```
kubectl get csr
```
2017-03-25 21:41:26 +03:00
```
NAME AGE REQUESTOR CONDITION
csr-XXXXX 1m kubelet-bootstrap Pending
```
2017-03-24 14:24:53 +03:00
> Use the kubectl describe csr command to view the details of a specific signing request.
Approve each certificate signing request using the `kubectl certificate approve` command:
```
2017-03-25 21:41:26 +03:00
kubectl certificate approve csr-XXXXX
```
```
certificatesigningrequest "csr-XXXXX" approved
2017-03-24 14:24:53 +03:00
```
Once all certificate signing requests have been approved all nodes should be registered with the cluster:
```
kubectl get nodes
```
```
NAME STATUS AGE VERSION
2017-04-12 17:09:55 +03:00
worker0 Ready 7m v1.6.1
worker1 Ready 5m v1.6.1
worker2 Ready 2m v1.6.1
2017-03-24 14:24:53 +03:00
```