### 创建 Kube-Proxy 证书
```
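# Work in the directory that holds the kube-proxy CSR and the generated key pair.
cd /opt/k8s/ssl/ || exit 1

# Write the CSR definition for the kube-proxy client certificate.
# For X.509 client authentication Kubernetes takes the user name from CN and
# the group from O.
# NOTE(review): Kubernetes' built-in ClusterRoleBinding "system:node-proxier"
# grants that role to the user "system:kube-proxy". This CSR sets the user (CN)
# to "system:node-proxier" and the group (O) to "system:kube-proxy", so confirm
# that a role binding in the cluster actually matches this identity.
cat > /opt/k8s/ssl/k8s_proxy.json <<'EOF'
{
  "CN": "system:node-proxier",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangXi",
      "L": "Nanning",
      "O": "system:kube-proxy",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF

# Sign the CSR with the cluster CA. The CSR path is the file written above;
# cfssljson leaves k8s_proxy.pem, k8s_proxy-key.pem and k8s_proxy.csr in the
# current directory.
cfssl gencert -ca=/etc/pki/k8s/k8s-ca.pem -ca-key=/etc/pki/k8s/k8s-ca-key.pem \
  -config=/etc/cfssl/ca-config.json \
  -profile=kubernetes /opt/k8s/ssl/k8s_proxy.json | cfssljson -bare k8s_proxy

# Distribute the certificate and key. The private key is a credential, so it is
# installed owner-only.
# NOTE(review): the kubeconfig step on this page reads the pair from
# /etc/pki/k8s/, not /opt/ssl/k8s/ — confirm which directory is intended.
install -m 0644 k8s_proxy.pem /opt/ssl/k8s/
install -m 0600 k8s_proxy-key.pem /opt/ssl/k8s/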
```
*****
### 创建 Kube-Proxy 连接文件
```
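# Build a dedicated kubeconfig for kube-proxy: a cluster entry, a credentials
# entry, and a context that ties the two together.
# --embed-certs=true copies the CA certificate, the client certificate and the
# client private key into the file, so the kubeconfig must be protected like a
# private key.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/pki/k8s/k8s-ca.pem \
  --embed-certs=true \
  --server=https://172.16.0.51:6443 \
  --kubeconfig=k8s_proxy.kubeconfig

# The credentials entry name must equal the --user value of the context below;
# otherwise the context points at a user entry that has no client certificate.
# NOTE(review): the certificate step on this page copies the key pair to
# /opt/ssl/k8s/; confirm the pair also exists under /etc/pki/k8s/.
kubectl config set-credentials system:node-proxier \
  --client-certificate=/etc/pki/k8s/k8s_proxy.pem \
  --embed-certs=true \
  --client-key=/etc/pki/k8s/k8s_proxy-key.pem \
  --kubeconfig=k8s_proxy.kubeconfig

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=system:node-proxier \
  --kubeconfig=k8s_proxy.kubeconfig

kubectl config use-context kubernetes --kubeconfig=k8s_proxy.kubeconfig

# Install owner-only: the file carries the embedded client private key.
install -m 0600 k8s_proxy.kubeconfig /opt/k8s/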
```
*****
### 安装 Kube-Proxy
```
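# Run kube-proxy as a long-lived container on the node.
# - --network=host and --privileged: in iptables mode kube-proxy rewrites the
#   host's packet-filter rules, so it runs in the host network namespace with
#   full privileges. Treat this container as root-equivalent on the node.
# - The kubeconfig (which embeds the client private key) and /lib/modules are
#   mounted read-only; the process only needs to read them.
# - The /var/lib/lxcfs/proc/* mounts overlay the container's /proc files with
#   the lxcfs views and are kept as the original listing had them.
# - The image is referenced by tag, which is mutable; to pin the exact image,
#   reference it by digest instead (…/kube-proxy@sha256:<digest-placeholder>).
docker run -it --name kube-proxy -d --restart=always \
  --network=host \
  --privileged \
  -v /opt/k8s/k8s_proxy.kubeconfig:/opt/k8s/config:ro \
  -v /lib/modules/:/lib/modules/:ro \
  -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \
  -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
  -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
  -v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
  -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
  -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
  -m 2048m \
  -v /var/log/kubernetes/:/var/log/kubernetes/ \
  --entrypoint="/usr/local/bin/kube-proxy" \
  gcr.io/google_containers/kube-proxy:v1.12.1 \
  --kubeconfig="/opt/k8s/config" \
  --proxy-mode="iptables" \
  --hostname-override="10.10.10.231" \
  --cluster-cidr="10.253.0.0/16" \
  --logtostderr \
  --alsologtostderr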
```