部署kubelet
1、准备二进制包
[root@k8smaster ~]# cd /usr/local/src/kubernetes/server/bin/

[root@k8smaster bin]# scp kubelet kube-proxy k8snode1:/opt/kubernetes/bin/
[root@k8smaster bin]# scp kubelet kube-proxy k8snode2:/opt/kubernetes/bin/

2.创建角色绑定(把 kubelet-bootstrap 用户绑定到 system:node-bootstrapper 角色,使其可以提交节点证书签名请求 CSR)
[root@k8smaster bin]# cd /usr/local/src/ssl/
[root@k8smaster ssl]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io "kubelet-bootstrap" created

3.创建 kubelet bootstrapping kubeconfig 文件
设置集群参数
[root@k8smaster ssl]# kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.137.171:6443 \
--kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.

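设置客户端认证参数(--token 必须与 kube-apiserver 已配置的 bootstrap token 一致;请勿照搬下面的值,应为自己的集群单独生成随机 token。该 token 会以明文写入 bootstrap.kubeconfig,分发到各节点后应限制该文件的读取权限)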
[root@k8smaster ssl]# kubectl config set-credentials kubelet-bootstrap \
--token=ad6d5bb607a186796d8861557df0d17f \
--kubeconfig=bootstrap.kubeconfig
User "kubelet-bootstrap" set.

设置上下文参数
[root@k8smaster ssl]# kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
Context "default" created.

选择默认上下文
[root@k8smaster ~]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".

[root@k8smaster ssl]# cp bootstrap.kubeconfig /opt/kubernetes/cfg/
[root@k8smaster ssl]# scp bootstrap.kubeconfig k8snode1:/opt/kubernetes/cfg/bootstrap.kubeconfig
[root@k8smaster ssl]# scp bootstrap.kubeconfig k8snode2:/opt/kubernetes/cfg/bootstrap.kubeconfig

node节点部署kubelet
1.设置CNI支持(master节点可不配置)
[root@k8smaster ssl]# mkdir -p /etc/cni/net.d
[root@k8smaster ssl]# vim /etc/cni/net.d/10-default.conf

{
"name": "flannel",
"type": "flannel",
"delegate": {
"bridge": "docker0",
"isDefaultGateway": true,
"mtu": 1400
}
}

[root@k8smaster ssl]# scp /etc/cni/net.d/10-default.conf k8snode1:/etc/cni/net.d
[root@k8smaster ssl]# scp /etc/cni/net.d/10-default.conf k8snode2:/etc/cni/net.d

[root@k8smaster ssl]#

2、创建kubelet目录并编写 systemd 服务文件(在其他节点上部署时,--address 和 --hostname-override 需改为该节点自己的 IP)
[root@k8snode1 ~]# mkdir /var/lib/kubelet
[root@k8snode1 ~]# vim /usr/lib/systemd/system/kubelet.service

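[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# Review notes on the kubelet flags below. They are kept above ExecStart because
# a comment inside the backslash-continued command line is not portable across
# systemd versions.
# - --address and --hostname-override are specific to this node; change both
#   when the unit is copied to another node.
# - The file passed to --experimental-bootstrap-kubeconfig stores the bootstrap
#   token in clear text; keep it readable by root only.
# - --allow-privileged=true lets pods on this node run privileged containers;
#   limit who may create such pods through admission policy on the API server.
# - NOTE(review): no --anonymous-auth, --authorization-mode or --client-ca-file
#   is set, so the kubelet API listening on --address runs with its defaults.
#   On kubelet releases of this age those defaults accept unauthenticated
#   requests and authorize everything; confirm for your version and consider
#   --anonymous-auth=false, --authorization-mode=Webhook and
#   --client-ca-file=/opt/kubernetes/ssl/ca.pem once the API server presents a
#   kubelet client certificate.
# - --logtostderr was previously passed twice (=true, then =false). The last
#   occurrence wins, so only =false is kept and logs go to --log-dir.
ExecStart=/opt/kubernetes/bin/kubelet \
--address=192.168.137.201 \
--hostname-override=192.168.137.201 \
--pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--cert-dir=/opt/kubernetes/ssl \
--network-plugin=cni \
--cni-conf-dir=/etc/cni/net.d \
--cni-bin-dir=/opt/kubernetes/bin/cni \
--cluster-dns=10.1.0.2 \
--cluster-domain=cluster.local. \
--hairpin-mode hairpin-veth \
--allow-privileged=true \
--fail-swap-on=false \
--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5

# "systemctl enable kubelet" only takes effect when the unit has an [Install]
# section naming the target that should pull it in at boot.
[Install]
WantedBy=multi-user.target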

[root@k8snode1 ~]# systemctl daemon-reload
[root@k8snode1 ~]# systemctl enable kubelet
[root@k8snode1 ~]# systemctl start kubelet
[root@k8snode1 ~]# systemctl status kubelet

查看csr请求(注意:在 k8smaster 上执行)
[root@k8smaster bin]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr--H3IeaAXhDIlgw3nvfJZxfbJdURjjzNBBng4GthssxE 6m kubelet-bootstrap Pending
node-csr-s32pz33uIKZWEkXwIDHR09pxZKXwy1R6lug6KbXBBvE 6m kubelet-bootstrap Pending

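批准kubelet 的 TLS 证书请求(下面的命令会一次性批准所有处于 Pending 状态的请求;批准即为请求方签发节点客户端证书,执行前应先核对上一步输出中的请求确实来自刚启动的节点,也可以用 kubectl certificate approve <请求名> 逐个批准)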
[root@k8smaster bin]# kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs kubectl certificate approve
certificatesigningrequest.certificates.k8s.io "node-csr--H3IeaAXhDIlgw3nvfJZxfbJdURjjzNBBng4GthssxE" approved
certificatesigningrequest.certificates.k8s.io "node-csr-s32pz33uIKZWEkXwIDHR09pxZKXwy1R6lug6KbXBBvE" approved

查看node节点状态
[root@k8smaster ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8snode1 Ready 38s v1.10.1
k8snode2 Ready 38s v1.10.1