安装

创建kubelet-bootstrap.kubeconfig
[root@xianchaomaster1 work]# cd /data/work/
[root@xianchaomaster1 work]# BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/token.csv)

[root@xianchaomaster1 work]# rm -r kubelet-bootstrap.kubeconfig

[root@xianchaomaster1 work]#  kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.40.180:6443 --kubeconfig=kubelet-bootstrap.kubeconfig

[root@xianchaomaster1 work]# kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig

[root@xianchaomaster1 work]# kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig

[root@xianchaomaster1 work]# kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig

[root@xianchaomaster1 work]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

#创建配置文件kubelet.json
"cgroupDriver": "systemd"要和docker的驱动一致。
address替换为自己xianchaonode1的IP地址。

[root@xianchaomaster1 work]# vim kubelet.json 
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "192.168.40.183",
  "port": 10250,
  "readOnlyPort": 10255,
  "cgroupDriver": "systemd",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.255.0.2"]
}

[root@xianchaomaster1 work]# vim kubelet.service 
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/local/bin/kubelet \
  --bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
  --cert-dir=/etc/kubernetes/ssl \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --config=/etc/kubernetes/kubelet.json \
  --network-plugin=cni \
  --pod-infra-container-image=k8s.gcr.io/pause:3.2 \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes \
  --v=2
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-user.target


#注： –hostname-override：显示名称，集群中唯一 
–network-plugin：启用CNI 
–kubeconfig：空路径，会自动生成，后面用于连接apiserver 
–bootstrap-kubeconfig：首次启动向apiserver申请证书
–config：配置参数文件 
–cert-dir：kubelet证书生成目录 
–pod-infra-container-image：管理Pod网络容器的镜像

#注：kubelete.json配置文件address改为各个节点的ip地址，在各个work节点上启动服务

[root@xianchaonode1 ~]# mkdir /etc/kubernetes/ssl -p
[root@xianchaomaster1 work]# scp kubelet-bootstrap.kubeconfig kubelet.json xianchaonode1:/etc/kubernetes/
[root@xianchaomaster1 work]# scp  ca.pem xianchaonode1:/etc/kubernetes/ssl/
[root@xianchaomaster1 work]# scp  kubelet.service xianchaonode1:/usr/lib/systemd/system/

#启动kubelet服务
[root@xianchaonode1 ~]# mkdir /var/lib/kubelet
[root@xianchaonode1 ~]# mkdir /var/log/kubernetes
[root@xianchaonode1 ~]#  systemctl daemon-reload
[root@xianchaonode1 ~]# systemctl enable kubelet
[root@xianchaonode1 ~]# systemctl start kubelet
[root@xianchaonode1 ~]#  systemctl status kubelet
   Active: active (running) since 
确认kubelet服务启动成功后，接着到xianchaomaster1节点上Approve一下bootstrap请求。

[əˈpruːv]：批准

执行如下命令可以看到一个worker节点发送了一个 CSR 请求：
[root@xianchaomaster1 work]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-SY6gROGEmH0qVZhMVhJKKWN3UaWkKKQzV8dopoIO9Uc   87s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending

[root@xianchaomaster1 work]# kubectl certificate approve node-csr-SY6gROGEmH0qVZhMVhJKKWN3UaWkKKQzV8dopoIO9Uc
[root@xianchaomaster1 work]# kubectl get csr
NAME                                                   AGE     SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-SY6gROGEmH0qVZhMVhJKKWN3UaWkKKQzV8dopoIO9Uc   2m25s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued

[root@xianchaomaster1 work]# kubectl get nodes
NAME    STATUS     ROLES    AGE   VERSION
xianchaonode1   NotReady   <none>   30s   v1.20.7

#注意：STATUS是NotReady表示还没有安装网络插件