手动在kubernetes集群中添加minon

背景

去年年中我使用ansible给项目部署了一个小型的kubernetes集群，部署源码可以在这里找到:contrib。随着业务的发展，目前的集群规模很有可能在明年迎来瓶颈，因此需要 扩容.当然可以继续通过之前的contrib去部署，不过有几点担忧：

1. 目前的系统稳定地提供着服务，ansible脚本可能会对集群产生不可逆的影响
2. 对于contrib的代码不是特别熟悉，不清楚它具体做了哪些步骤，总体来说还是不放心

同时，作为一个system admin，对于集群必须了如指掌才行。因此，在这里做一次演练，手动为已有集群添加节点，增进了解，也为今年的扩容做好准备工作。

Let’s do it

0.已有环境

当前系统里有2台机器:

1. node-1-master
   master上运行着 apiserver, control-manager, scheduler, kubelet, kube-proxy
2. node-2-slave-1
   slave1上运行着 kubelet, kube-proxy

我们需要增加一台node-3-slave-2增加集群的运算能力。
备注: 目前我们所有的kubernetes机器全都是基于CentOS 7及以上，kubernetes的版本为1.3

1.申请新机器

编辑/etc/hosts，在其中增加master和本机的dns条目(集群中都是以hostname来标示每一台机器，比如https://node-1-master，这些dns条目在互联网上是无法解析的，必须在每台机器的 /etc/hosts 配置)。

xxx.xxx.xxx.xxx node-1-master
xxx.xxx.xxx.xxx node-3-slave-2

2.安装docker

yum install docker
systemctl enable docker # 开机自动启动

3.网络配置

3.1 安装firewalld

yum install firewalld

如果已经装好了，这步跳过，判断是否安装可以使用rpm -q firewalld检查。

3.2 配置kube-proxy网络环境

firewall-cmd --zone=public --add-port=8472/udp --permanent
firewall-cmd --zone=public --add-port=10250/tcp --permanent

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i flannel.1 -o docker0 -j ACCEPT -m comment --comment "flannel subnet"
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i docker0 -j ACCEPT -m comment --comment "kube-proxy redirects"

systemctl restart firewalld

3.2 安装配置flannel

安装flannel:

yum install flannel

装完之后配置flannel参数, 文件位置在/etc/sysconfig/flanneld:

# Flanneld configuration options

# etcd url location.  Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="http://node-1-master:2379"   # 已修改

# etcd config key.  This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/cluster.local/network"         # 已修改

# Any additional options that you want to pass
# By default, we just add a good guess for the network interface on Vbox.  Otherwise, Flannel will probably make the right guess.
FLANNEL_OPTIONS=""

以上环境变量根据自己集群的实际情况配置

重启相关服务：

systemctl enable flanneld
systemctl restart flanneld #自动会从etcd获取新的ip地址段
systemctl restart docker

4.安装kubelet和kube-proxy

在centos上两个服务只需要安装kubnernetes-node就可以了:

yum install kubernetes-node

4.1 修改公用配置

配置文件路径在/etc/kubernetes/config:

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=https://node-1-master"               # 已修改

一般情况下只需要修改KUBE_MASTER的配置就可以了，让它指向master机器的地址

4.2 修改kubelet配置

文件位置在/etc/kubernetes/kubelet:

###
# kubernetes kubelet (minion) config

# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=0.0.0.0"                        # 已修改

# The port for the info server to serve on
# KUBELET_PORT="--port=10250"

# You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=node-3-slave-2"      # 已修改

# location of the api-server
KUBELET_API_SERVER="--api-servers=https://node-1-master"   # 已修改

# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"

# Add your own!
# 这条配置是在第5步的时候加的!!!!!!!!!
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubelet.kubeconfig --config=/etc/kubernetes/manifests"

4.3 修改kube-proxy配置

文件位置在/etc/kubernetes/proxy:

###
# kubernetes proxy config

# default config should be adequate

# Add your own!
# 这条配置是在第5步的时候加的!!!!!!!!!
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/proxy.kubeconfig"

5.权限相关

5.1 生成kubelet和kube-proxy的token

在这个步骤中我们生成新机器的kubelet和kube-proxy的token并把它注册到master机器中，值得注意的是，以下所有子步骤中的脚本都要在master执行。

1. 执行以下脚本在控制台获得一个token:

   dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null

2. 将上一步生成的token复制到master机器的/etc/kubernetes/tokens/known_hosts.csv文件中:

   # 多加一行，表示该token代表slave2上的kubelet
   YOUR_KUBELET_TOKEN,system:kubelet-node-3-slave-2,system:kubelet-node-3-slave-2

3. 重复步骤1，2，生成kube-proxy的token

   YOUR_PROXY_TOKEN,system:proxy-node-3-slave-2,system:proxy-node-3-slave-2

4. 重启相关服务

   systemctl restart kube-apiserver
   systemctl restart kube-controller-manager
   systemctl restart kube-scheduler

5.2 服务的认证

1. 复制ca证书
   将master中的/etc/kubernetes/certs/ca.crt复制到新机器同样的位置

2. 在配置中多加一行(参照4.2,4.3的注释)，同时创建两个文件:
   2.1. /etc/kubernetes/kubelet.kubeconfig

   apiVersion: v1
   kind: Config
   current-context: kubelet-to-cluster.local
   preferences: {}
   clusters:
   - cluster:
       certificate-authority: /etc/kubernetes/certs/ca.crt
       server: https://node-1-master
     name: cluster.local
   contexts:
   - context:
       cluster: cluster.local
       user: kubelet
     name: kubelet-to-cluster.local
   users:
   - name: kubelet
     user:
       token: YOUR_KUBELET_TOKEN

   2.2. /etc/kubernetes/proxy.kubeconfig

   apiVersion: v1
   kind: Config
   current-context: proxy-to-cluster.local
   preferences: {}
   contexts:
   - context:
       cluster: cluster.local
       user: proxy
     name: proxy-to-cluster.local
   clusters:
   - cluster:
       certificate-authority: /etc/kubernetes/certs/ca.crt
       server: https://node-1-master
     name: cluster.local
   users:
   - name: proxy
     user:
       token: YOUR_PROXY_TOKEN

3. 重启并配置开机自动启动

   systemctl enable kubelet
   systemctl enable kube-proxy
   systemctl restart kubelet
   systemctl restart kube-proxy