Ставим воркер руками

У меня есть кластер, например, на k0s, и я хочу подцепить к нему какой-нибудь воркер, где угодно. Наброски команд. По мотивам https://github.com/kelseyhightower/kubernetes-the-hard-way

###
root@kube-ctrl:~/add-manually-worker# cat ca.conf
[req]
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = ca_x509_extensions

[ca_x509_extensions]
basicConstraints = CA:TRUE
keyUsage = cRLSign, keyCertSign

[req_distinguished_name]
C = US
ST = Washington
L = Seattle
CN = CA

# Worker Nodes
#
# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)
# called Node Authorizer, that specifically authorizes API requests made
# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).
# In order to be authorized by the Node Authorizer, Kubelets must use a credential
# that identifies them as being in the `system:nodes` group, with a username
# of `system:node:<nodeName>`.

[kube-work-4]
distinguished_name = kube-work-4_distinguished_name
prompt = no
req_extensions = kube-work-4_req_extensions

[kube-work-4_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "kube-work-4 Certificate"
subjectAltName = DNS:kube-work-4, IP:10.138.117.7 # IP воркера
subjectKeyIdentifier = hash

[kube-work-4_distinguished_name]
CN = system:node:kube-work-4
O = system:nodes
C = US
ST = Washington
L = Seattle

[default_req_extensions]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Admin Client Certificate"
subjectKeyIdentifier = hash

###
for host in kube-work-4; do
  openssl genrsa -out "${host}.key" 4096

  openssl req -new -key "${host}.key" -sha256 \
    -config "ca.conf" -section ${host} \
    -out "${host}.csr"

  openssl x509 -req -days 3653 -in "${host}.csr" \
    -copy_extensions copyall \
    -sha256 -CA "ca.crt" \
    -CAkey "ca.key" \
    -CAcreateserial \
    -out "${host}.crt"

  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://10.138.117.204:6443 \
    --kubeconfig=${host}.kubeconfig
done

Примечание: ca.crt и ca.key здесь должны быть CA самого кластера, иначе API-сервер такой клиентский сертификат не примет. Отзыва клиентских сертификатов в Kubernetes нет, поэтому при -days 3653 утёкший ключ ноды остаётся рабочим до конца срока; для постоянного воркера срок лучше брать короче. -copy_extensions copyall переносит в сертификат все расширения из CSR, так что подписывать так стоит только CSR, который сгенерировал сам.

###
root@kube-ctrl:~/add-manually-worker# cat kube-work-4.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: `cat ca.crt | base64 -w0`
    server: https://10.138.117.204:6443
  name: kubernetes-the-hard-way
contexts:
- context:
    cluster: kubernetes-the-hard-way
    namespace: default
    user: system:node:kube-work-4
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: system:node:kube-work-4
  user:
    client-certificate-data: `cat crt | base64 -w0`
    client-key-data: `cat key | base64 -w0`

###
root@kube-ctrl:~/add-manually-worker# kubectl --kubeconfig kube-work-4.kubeconfig get no
NAME          STATUS   ROLES    AGE   VERSION
kube-work-1   Ready    <none>   85d   v1.30.3+k0s
kube-work-2   Ready    shits    15h   v1.30.6+k0s
kube-work-3   Ready    <none>   14h   v1.30.5+k0s

###
root@kube-work-4:~# cat down
https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz
https://storage.googleapis.com/kubernetes-release/release/v1.30.1/bin/linux/amd64/kube-proxy
https://storage.googleapis.com/kubernetes-release/release/v1.30.1/bin/linux/amd64/kubelet

root@kube-work-4:~# wget -q --show-progress --https-only --timestamping -P downloads -i down
cni-plugins-linux-amd64-v1.3.0.tgz 100%[====================================================================================================>] 43.24M 21.5MB/s in 2.0s
kube-proxy 100%[====================================================================================================>] 54.91M 17.3MB/s in 3.2s
kubelet 100%[====================================================================================================>] 95.46M 22.5MB/s in 5.0s

apt install containerd -y

Примечание: --https-only защищает только транспорт; перед установкой скачанные бинарники стоит сверить с контрольными суммами SHA-256, опубликованными для этих релизов.

###
root@kube-work-4:~# systemctl cat kube.service
# /etc/systemd/system/kube.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service

[Service]
ExecStart=/usr/local/bin/kubelet \
  --config=/var/lib/kubelet/kubelet-config.yaml \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  --register-node=true \
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

###
root@kube-work-4:~# cat /var/lib/kubelet/kubelet-config.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubelet/ca.crt"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "10.32.0.10"
cgroupDriver: systemd
containerRuntimeEndpoint: "unix:///var/run/containerd/containerd.sock"
podCIDR: "100.64.32.0/24"
resolvConf: "/etc/resolv.conf"
runtimeRequestTimeout: "15m"
tlsCertFile: "/var/lib/kubelet/kubelet.crt"
tlsPrivateKeyFile: "/var/lib/kubelet/kubelet.key"

###
kube-work-4.{crt,key} -> /var/lib/kubelet/kubelet.{crt,key}

Примечание: ca.crt тоже нужно положить в /var/lib/kubelet/ca.crt — на него ссылается clientCAFile. kubelet.key и kubeconfig содержат приватный ключ ноды: права 0600, владелец root, переносить на воркер только по защищённому каналу.

###
root@kube-work-4:~# cat /var/lib/kubelet/kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: # ca base64
    server: https://10.138.117.204:6443
  name: kubernetes-the-hard-way
contexts:
- context:
    cluster: kubernetes-the-hard-way
    namespace: default
    user: system:node:kube-work-4
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: system:node:kube-work-4
  user:
    client-certificate-data: # base64
    client-key-data: # base64

###
systemctl start kube.service

root@kube-ctrl:~# kubectl get no -o wide
NAME          STATUS   ROLES    AGE   VERSION       INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                         KERNEL-VERSION                 CONTAINER-RUNTIME
kube-work-1   Ready    <none>   85d   v1.30.3+k0s   10.138.117.150   <none>        Debian GNU/Linux 12 (bookworm)   6.1.0-23-amd64                 containerd://1.7.20
kube-work-2   Ready    shits    16h   v1.30.6+k0s   10.13.37.3       <none>        Rocky Linux 9.4 (Blue Onyx)      5.14.0-427.42.1.el9_4.x86_64   containerd://1.7.22
kube-work-3   Ready    <none>   14h   v1.30.5+k0s   10.138.117.79    <none>        AlmaLinux 9.4 (Seafoam Ocelot)   5.14.0-427.42.1.el9_4.x86_64   containerd://1.7.22
kube-work-4   Ready    <none>   35s   v1.30.1       10.138.117.7     <none>        Ubuntu 20.04.6 LTS               5.4.0-200-generic              containerd://1.7.12