5.7 启用 Kubelet 代理

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: virtual-kubelet-issuer
spec:
  selfSigned: {}

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: virtual-kubelet-cert
spec:
  secretName: virtual-kubelet-tls # 证书存储的 Secret 名称，后续我们将会在 ModuleController 中使用
  duration: 2160h # 90天
  renewBefore: 360h # 15天前续期
  issuerRef:
    name: virtual-kubelet-issuer # 上一步创建的 Issuer
    kind: ClusterIssuer
  commonName: koupleless-virtual-kubelet # 公共名称
  usages:
  - server auth 
  - digital signature
  - key encipherment

kubectl get secret virtual-kubelet-tls

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: virtual-kubelet-role
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods" , "pods/status", "pods/spec","nodes", "nodes/status", "events", "pods/log"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
  - apiGroups: [ "apps" ]
    resources: [ "deployments", "deployments/status", "deployments/spec", "daemonSets", "daemonSets/status", "daemonSets/spec" ]
    verbs: [ "get", "watch", "list" ]
  - apiGroups: [""] # "" indicates the core API group
    resources: ["configmaps", "secrets", "services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["coordination.k8s.io"] # "" indicates the core API group
    resources: ["leases"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]

apiVersion: v1
kind: Service
metadata:
    name: module-controller
    namespace: default
    labels:
        app: module-controller
        virtual-kubelet.koupleless.io/kubelet-proxy-service: "true" # 必须，用于标识这是 Kubelet 的代理 Service
spec:
    selector:
        app: module-controller
    ports:
        - name: httptunnel # 运维 HTTP 管道端口，如果启用了 MQTT 管道，请将此端口删除
          port: 7777
          targetPort: 7777
        - name: kubelet-proxy # Kubelet 代理端口，与 ModuleController ENV 中的 KUBELET_PROXY_PORT 保持一致
          port: 10250
    type: ClusterIP

apiVersion: apps/v1
kind: Deployment
metadata:
  name: module-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: module-controller
  template:
    metadata:
      labels:
        app: module-controller
    spec:
      serviceAccountName: virtual-kubelet
      volumes:
        - name: tls-certs
          secret:
            secretName: virtual-kubelet-tls # 必须，挂载前面创建的 TLS 证书
      containers:
        - name: module-controller
          image: serverless-registry.cn-shanghai.cr.aliyuncs.com/opensource/release/module-controller-v2:<版本号>
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "1000m"
              memory: "400Mi"
          ports:
            - name: httptunnel # 如果未启用 HTTP 管道，请将此端口删除
              containerPort: 7777
            - name: kubelet-proxy # Kubelet 代理端口
              containerPort: 10250
          env:
            - name: ENABLE_HTTP_TUNNEL
              value: "true"
            - name: NAMESPACE # 必须，用于标识 ModuleController Pod 所在的命名空间
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KUBELET_PROXY_ENABLED # 必须，启用 Kubelet 代理
              value: "true"
          volumeMounts: # 必须，挂载 TLS 证书
            - name: tls-certs
              mountPath: /etc/virtual-kubelet/tls
              readOnly: true

kubectl logs --tail=50 biz1-web-single-host-786dfc476f-qsp7q