你正在查看的文档所针对的是 Kubernetes 版本: v1.33

Kubernetes v1.33 版本的文档已不再维护。你现在看到的版本来自于一份静态的快照。如需查阅最新文档,请点击 最新版本。

设置 Konnectivity 服务

Konnectivity 服务为控制平面提供集群通信的 TCP 级别代理。

准备开始

你需要有一个 Kubernetes 集群,并且 kubectl 命令可以与集群通信。 建议在至少有两个不充当控制平面主机的节点的集群上运行本教程。 如果你还没有集群,可以使用 minikube 创建一个集群。

配置 Konnectivity 服务

接下来的步骤需要出口配置,比如:

admin/konnectivity/egress-selector-configuration.yaml 
apiVersion: apiserver.k8s.io/v1beta1 kind: EgressSelectorConfiguration egressSelections: # Since we want to control the egress traffic to the cluster, we use the # "cluster" as the name. Other supported values are "etcd", and "controlplane". - name: cluster  connection:  # This controls the protocol between the API Server and the Konnectivity  # server. Supported values are "GRPC" and "HTTPConnect". There is no  # end user visible difference between the two modes. You need to set the  # Konnectivity server to work in the same mode.  proxyProtocol: GRPC  transport:  # This controls what transport the API Server uses to communicate with the  # Konnectivity server. UDS is recommended if the Konnectivity server  # locates on the same machine as the API Server. You need to configure the  # Konnectivity server to listen on the same UDS socket.  # The other supported transport is "tcp". You will need to set up TLS   # config to secure the TCP transport.  uds:  udsName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket

你需要配置 API 服务器来使用 Konnectivity 服务,并将网络流量定向到集群节点:

  1. 确保服务账号令牌卷投射特性被启用。 该特性自 Kubernetes v1.20 起默认已被启用。

  2. 创建一个出站流量配置文件,比如 admin/konnectivity/egress-selector-configuration.yaml

  3. 将 API 服务器的 --egress-selector-config-file 参数设置为你的 API 服务器的离站流量配置文件路径。

  4. 如果你在使用 UDS 连接,须将卷配置添加到 kube-apiserver:

    spec:  containers:  volumeMounts:  - name: konnectivity-uds  mountPath: /etc/kubernetes/konnectivity-server  readOnly: false  volumes:  - name: konnectivity-uds  hostPath:  path: /etc/kubernetes/konnectivity-server  type: DirectoryOrCreate

为 konnectivity-server 生成或者取得证书和 kubeconfig 文件。 例如,你可以使用 OpenSSL 命令行工具,基于存放在某控制面主机上 /etc/kubernetes/pki/ca.crt 文件中的集群 CA 证书来发放一个 X.509 证书。

openssl req -subj "/CN=system:konnectivity-server" -new -newkey rsa:2048 -nodes -out konnectivity.csr -keyout konnectivity.key openssl x509 -req -in konnectivity.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out konnectivity.crt -days 375 -sha256 SERVER=$(kubectl config view -o jsonpath='{.clusters..server}') kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-credentials system:konnectivity-server --client-certificate konnectivity.crt --client-key konnectivity.key --embed-certs=true kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-cluster kubernetes --server "$SERVER" --certificate-authority /etc/kubernetes/pki/ca.crt --embed-certs=true kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config set-context system:konnectivity-server@kubernetes --cluster kubernetes --user system:konnectivity-server kubectl --kubeconfig /etc/kubernetes/konnectivity-server.conf config use-context system:konnectivity-server@kubernetes rm -f konnectivity.crt konnectivity.key konnectivity.csr

接下来,你需要部署 Konnectivity 服务器和代理。 kubernetes-sigs/apiserver-network-proxy 是一个参考实现。

在控制面节点上部署 Konnectivity 服务。 下面提供的 konnectivity-server.yaml 配置清单假定在你的集群中 Kubernetes 组件都是部署为静态 Pod 的。 如果不是,你可以将 Konnectivity 服务部署为 DaemonSet。

admin/konnectivity/konnectivity-server.yaml 
apiVersion: v1 kind: Pod metadata:  name: konnectivity-server  namespace: kube-system spec:  priorityClassName: system-cluster-critical  hostNetwork: true  containers:  - name: konnectivity-server-container  image: registry.k8s.io/kas-network-proxy/proxy-server:v0.0.37  command: ["/proxy-server"]  args: [  "--logtostderr=true",  # This needs to be consistent with the value set in egressSelectorConfiguration.  "--uds-name=/etc/kubernetes/konnectivity-server/konnectivity-server.socket",  "--delete-existing-uds-file",  # The following two lines assume the Konnectivity server is  # deployed on the same machine as the apiserver, and the certs and  # key of the API Server are at the specified location.  "--cluster-cert=/etc/kubernetes/pki/apiserver.crt",  "--cluster-key=/etc/kubernetes/pki/apiserver.key",  # This needs to be consistent with the value set in egressSelectorConfiguration.  "--mode=grpc",  "--server-port=0",  "--agent-port=8132",  "--admin-port=8133",  "--health-port=8134",  "--agent-namespace=kube-system",  "--agent-service-account=konnectivity-agent",  "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",  "--authentication-audience=system:konnectivity-server"  ]  livenessProbe:  httpGet:  scheme: HTTP  host: 127.0.0.1  port: 8134  path: /healthz  initialDelaySeconds: 30  timeoutSeconds: 60  ports:  - name: agentport  containerPort: 8132  hostPort: 8132  - name: adminport  containerPort: 8133  hostPort: 8133  - name: healthport  containerPort: 8134  hostPort: 8134  volumeMounts:  - name: k8s-certs  mountPath: /etc/kubernetes/pki  readOnly: true  - name: kubeconfig  mountPath: /etc/kubernetes/konnectivity-server.conf  readOnly: true  - name: konnectivity-uds  mountPath: /etc/kubernetes/konnectivity-server  readOnly: false  volumes:  - name: k8s-certs  hostPath:  path: /etc/kubernetes/pki  - name: kubeconfig  hostPath:  path: /etc/kubernetes/konnectivity-server.conf  type: FileOrCreate  - name: konnectivity-uds  hostPath:  path: /etc/kubernetes/konnectivity-server  type: DirectoryOrCreate

在你的集群中部署 Konnectivity 代理:

admin/konnectivity/konnectivity-agent.yaml 
apiVersion: apps/v1 # Alternatively, you can deploy the agents as Deployments. It is not necessary # to have an agent on each node. kind: DaemonSet metadata:  labels:  addonmanager.kubernetes.io/mode: Reconcile  k8s-app: konnectivity-agent  namespace: kube-system  name: konnectivity-agent spec:  selector:  matchLabels:  k8s-app: konnectivity-agent  template:  metadata:  labels:  k8s-app: konnectivity-agent  spec:  priorityClassName: system-cluster-critical  tolerations:  - key: "CriticalAddonsOnly"  operator: "Exists"  containers:  - image: us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.37  name: konnectivity-agent  command: ["/proxy-agent"]  args: [  "--logtostderr=true",  "--ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",  # Since the konnectivity server runs with hostNetwork=true,  # this is the IP address of the master machine.  "--proxy-server-host=35.225.206.7",  "--proxy-server-port=8132",  "--admin-server-port=8133",  "--health-server-port=8134",  "--service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token"  ]  volumeMounts:  - mountPath: /var/run/secrets/tokens  name: konnectivity-agent-token  livenessProbe:  httpGet:  port: 8134  path: /healthz  initialDelaySeconds: 15  timeoutSeconds: 15  serviceAccountName: konnectivity-agent  volumes:  - name: konnectivity-agent-token  projected:  sources:  - serviceAccountToken:  path: konnectivity-agent-token  audience: system:konnectivity-server

最后,如果你的集群启用了 RBAC,请创建相关的 RBAC 规则:

admin/konnectivity/konnectivity-rbac.yaml 
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:  name: system:konnectivity-server  labels:  kubernetes.io/cluster-service: "true"  addonmanager.kubernetes.io/mode: Reconcile roleRef:  apiGroup: rbac.authorization.k8s.io  kind: ClusterRole  name: system:auth-delegator subjects:  - apiGroup: rbac.authorization.k8s.io  kind: User  name: system:konnectivity-server --- apiVersion: v1 kind: ServiceAccount metadata:  name: konnectivity-agent  namespace: kube-system  labels:  kubernetes.io/cluster-service: "true"  addonmanager.kubernetes.io/mode: Reconcile
最后修改 December 28, 2023 at 8:22 PM PST: [zh-cn] sync service-accounts.md and serviceaccount link (552e53582d)