## Kubelet Configuration

The kubelet is the component installed on every Kubernetes node that starts and destroys containers. I have always passed its startup parameters as command-line flags through the systemd unit, but according to the documentation and the kubelet's own `--help` output, many of those flags are now marked DEPRECATED.

For example:

```text
--fail-swap-on   Makes the Kubelet fail to start if swap is enabled on the node. (default true) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
```

These flags are no longer meant to be passed directly on the command line; instead they move into a KubeletConfiguration file (see the official documentation). Here is an example:
```yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
port: 10250
# 10255 is the unauthenticated read-only API; set it to 0 when nothing needs it
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 192.168.0.2
clusterDomain: k8s.local
failSwapOn: true
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/kubelet-ca.pem
staticPodPath: /etc/kubernetes/staticPods
# the v1beta1 field names are imageGCHighThresholdPercent / imageGCLowThresholdPercent;
# the keys imageGcHighThreshold / imageGcLowThreshold are not part of the schema
# and are ignored or rejected depending on the kubelet version
imageGCHighThresholdPercent: 70
imageGCLowThresholdPercent: 50
featureGates:
  RotateKubeletClientCertificate: true
  RotateKubeletServerCertificate: true
rotateCertificates: true
```
Point the kubelet at this file with the `--config` flag, and the original command-line arguments shrink to:

```bash
KUBELET_ARGS="--bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--cert-dir=/etc/kubernetes/pki \
--network-plugin=cni \
--node-labels=node.kubernetes.io/role=k8s-node \
--pod-infra-container-image=ccr.ccs.tencentyun.com/google_container/pause-amd64:3.1 \
--config=/etc/kubernetes/kubeletConfig \
--logtostderr=false --log-dir=/var/log/kubernetes --v=2"
```

The change is substantial and the result is much cleaner. A KubeletConfiguration can also be stored in a ConfigMap, which makes it reusable across nodes.
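Migrating from flags to the config file is mostly mechanical: each deprecated flag has a field in KubeletConfiguration, and the flags that have no field (kubeconfig, cert-dir, network plugin, node labels, logging) stay on the command line. The following script is an added example, not code from the original post or from Kubernetes: its `FLAG_TO_FIELD` table is a hand-written subset covering the fields used in the config file above, not the kubelet's own mapping, and `SAMPLE_ARGS` is a constructed pre-migration argument line.

```python
"""Move deprecated kubelet flags into a KubeletConfiguration document.

Added example, not code from the original post or from Kubernetes.
FLAG_TO_FIELD is a hand-written subset of the flag-to-field correspondence
covering the fields the post's config file uses, not the kubelet's own table.
"""
import shlex


def _bool(value):
    """Parse the true/false strings kubelet boolean flags accept."""
    if value.lower() in ("true", "1", "t"):
        return True
    if value.lower() in ("false", "0", "f"):
        return False
    raise ValueError(f"not a boolean flag value: {value!r}")


# deprecated flag -> (dotted field path in KubeletConfiguration v1beta1, converter)
FLAG_TO_FIELD = {
    "--port": ("port", int),
    "--read-only-port": ("readOnlyPort", int),
    "--cgroup-driver": ("cgroupDriver", str),
    "--cluster-dns": ("clusterDNS", lambda v: v.split(",")),
    "--cluster-domain": ("clusterDomain", str),
    "--fail-swap-on": ("failSwapOn", _bool),
    "--anonymous-auth": ("authentication.anonymous.enabled", _bool),
    "--client-ca-file": ("authentication.x509.clientCAFile", str),
    "--pod-manifest-path": ("staticPodPath", str),
    "--image-gc-high-threshold": ("imageGCHighThresholdPercent", int),
    "--image-gc-low-threshold": ("imageGCLowThresholdPercent", int),
    "--rotate-certificates": ("rotateCertificates", _bool),
    # "A=true,B=false" -> {"A": True, "B": False}
    "--feature-gates": ("featureGates", lambda v: {
        g.split("=", 1)[0]: _bool(g.split("=", 1)[1]) for g in v.split(",")}),
}


def _set_path(tree, dotted, value):
    """Assign value at a dotted path, creating intermediate mappings."""
    *parents, leaf = dotted.split(".")
    for key in parents:
        tree = tree.setdefault(key, {})
    tree[leaf] = value


def split_kubelet_args(arg_string):
    """Return (config_dict, remaining_flags).

    Flags in FLAG_TO_FIELD go into the config document; all others are kept
    verbatim. Handles --flag=value, --flag value and bare booleans
    (--fail-swap-on alone means true).
    """
    tokens = shlex.split(arg_string)
    config = {"kind": "KubeletConfiguration",
              "apiVersion": "kubelet.config.k8s.io/v1beta1"}
    remaining, i = [], 0
    while i < len(tokens):
        flag, has_eq, value = tokens[i].partition("=")
        if flag not in FLAG_TO_FIELD:
            remaining.append(tokens[i])
            i += 1
            continue
        path, convert = FLAG_TO_FIELD[flag]
        if not has_eq:
            next_is_flag = i + 1 >= len(tokens) or tokens[i + 1].startswith("--")
            if convert is _bool and next_is_flag:
                value = "true"       # bare boolean flag
            else:
                i += 1
                value = tokens[i]    # "--flag value" form
        _set_path(config, path, convert(value))
        i += 1
    return config, remaining


def to_yaml(obj, indent=0):
    """Emit the nested dict / list-of-scalars shapes used here as YAML lines."""
    pad, lines = "  " * indent, []
    items = obj.items() if isinstance(obj, dict) else [(None, v) for v in obj]
    for key, val in items:
        scalar = str(val).lower() if isinstance(val, bool) else str(val)
        if key is None:
            lines.append(f"{pad}- {scalar}")
        elif isinstance(val, (dict, list)):
            lines.append(f"{pad}{key}:")
            lines.extend(to_yaml(val, indent + 1))
        else:
            lines.append(f"{pad}{key}: {scalar}")
    return lines


# constructed sample: a pre-migration argument line mixing both kinds of flag
SAMPLE_ARGS = (
    "--kubeconfig=/etc/kubernetes/kubelet.kubeconfig "
    "--anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/kubelet-ca.pem "
    "--cluster-dns=192.168.0.2 --cluster-domain=k8s.local --fail-swap-on "
    "--pod-manifest-path=/etc/kubernetes/staticPods --read-only-port 10255 "
    "--feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true"
)

if __name__ == "__main__":
    cfg, rest = split_kubelet_args(SAMPLE_ARGS)
    print("\n".join(to_yaml(cfg)))
    print("remaining flags:", " ".join(rest))
```

Running it prints the generated KubeletConfiguration followed by the flags that still belong on the command line. Keeping the two outputs separate is the point: a setting present both as a flag and in the file is confusing to audit, so after the migration the systemd unit should carry only the flags the script leaves in `remaining`.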
## kubelet authentication

After switching to the kubelet configuration file as above, one big change concerns `authentication.anonymous`: this parameter defaults to true, i.e. anonymous access is allowed. With the old command-line flags this caused no problems, but now running `kubectl logs` or `kubectl exec` on the Kubernetes master fails with:

```text
Error from server (Forbidden): Forbidden (user=system:anonymous, verb=get, resource=nodes,subresource=proxy)
```

This is clearly an anonymous-permission problem. Some solutions found online simply grant permissions to `system:anonymous`, but doing that in a production environment is risky; the proper fix is to disable anonymous authentication and set up x509 client-certificate authentication. I won't cover how to create the certificates here. The key points of the x509 setup are: configure the CA certificate on the kubelet, configure the client certificate on the apiserver, and then grant RBAC permissions to the certificate's user (see the official documentation).

kubelet configuration:
```yaml
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/kubelet-ca.pem
```

apiserver configuration:

```text
--kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.pem
--kubelet-client-key=/etc/kubernetes/pki/kubelet-client-key.pem
```

The certificate's user is `kubeletadmin`; grant it permissions with RBAC:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-admin
rules:
- apiGroups: [""]
  resources: ["nodes/proxy","nodes/stats","nodes/log","nodes/spec","nodes/metrics"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubeletadmin
```

That completes kubelet authentication. Authorization is a separate setting; its default is AlwaysAllow, and I leave it unchanged here.
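To see why the Forbidden error above appears and what the x509-plus-RBAC setup changes, here is an added example in Python that is not part of the original post or of Kubernetes: it models the kubelet's decision in miniature rather than reproducing its code. x509 authentication maps the client certificate's CN to a user name; a request without a certificate becomes `system:anonymous` only while anonymous auth is enabled, and in Webhook authorization mode (where the kubelet asks the apiserver whether the user may act, and answers with exactly the Forbidden line seen above) the user is checked against the ClusterRole and ClusterRoleBinding from the manifest above. The `Request` type, the `decide` function and the `someone-else` subject are constructed for this example.

```python
"""Model the kubelet's authn/authz decision for an apiserver-originated request.

Added example, not from the original post or from Kubernetes: it reproduces the
decision logic in miniature, not the kubelet's code. The ClusterRole and
ClusterRoleBinding mirror the post's manifest; request and certificate subjects
are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    verb: str
    resource: str
    subresource: str = ""
    client_cert_cn: Optional[str] = None  # CN of the presented TLS client cert


# the post's RBAC objects, reduced to the fields the check needs
CLUSTER_ROLES = {
    "kubelet-admin": [{
        "apiGroups": [""],
        "resources": ["nodes/proxy", "nodes/stats", "nodes/log",
                      "nodes/spec", "nodes/metrics"],
        "verbs": ["*"],
    }],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "kubelet-admin",
     "subjects": [{"kind": "User", "name": "kubeletadmin"}]},
]


def authenticate(req, anonymous_enabled):
    """x509 authn: the cert CN is the user name. With no cert the user is
    system:anonymous if anonymous auth is enabled, otherwise None (rejected)."""
    if req.client_cert_cn:
        return req.client_cert_cn
    return "system:anonymous" if anonymous_enabled else None


def _rule_allows(rule, req):
    target = f"{req.resource}/{req.subresource}" if req.subresource else req.resource
    verb_ok = "*" in rule["verbs"] or req.verb in rule["verbs"]
    resource_ok = "*" in rule["resources"] or target in rule["resources"]
    return verb_ok and resource_ok


def authorize(user, req):
    """RBAC: allow if any rule of any role bound to the user matches."""
    for binding in CLUSTER_ROLE_BINDINGS:
        bound = any(s["kind"] == "User" and s["name"] == user
                    for s in binding["subjects"])
        if bound and any(_rule_allows(r, req)
                         for r in CLUSTER_ROLES[binding["roleRef"]]):
            return True
    return False


def decide(req, anonymous_enabled, authorization_mode="Webhook"):
    """Return the status the caller of the kubelet API would see."""
    user = authenticate(req, anonymous_enabled)
    if user is None:
        return "401 Unauthorized"
    if authorization_mode == "AlwaysAllow" or authorize(user, req):
        return f"200 OK (user={user})"
    return (f"Error from server (Forbidden): Forbidden (user={user}, verb={req.verb}, "
            f"resource={req.resource},subresource={req.subresource})")


# what `kubectl logs` makes the apiserver request from the kubelet
LOGS = Request(verb="get", resource="nodes", subresource="proxy")

if __name__ == "__main__":
    # anonymous allowed, apiserver presents no client cert -> the post's error
    print(decide(LOGS, anonymous_enabled=True))
    # anonymous disabled, still no client cert -> rejected at authentication
    print(decide(LOGS, anonymous_enabled=False))
    # apiserver presents the kubeletadmin cert and the binding grants nodes/proxy
    print(decide(Request("get", "nodes", "proxy", client_cert_cn="kubeletadmin"), False))
    # a cert whose CN has no binding is authenticated but not authorized
    print(decide(Request("get", "nodes", "proxy", client_cert_cn="someone-else"), False))
```

The second scenario is the one worth noticing: disabling anonymous auth on its own only turns the Forbidden into a 401, so the apiserver's `--kubelet-client-certificate` and the ClusterRoleBinding are both required before `kubectl logs` works again. On a live cluster the binding half can be confirmed with `kubectl auth can-i get nodes/proxy --as kubeletadmin`, and the certificate half with `openssl x509 -noout -subject -in /etc/kubernetes/pki/kubelet-client.pem`, whose CN must match the subject name in the binding.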