5.7 Enable Kubelet Proxy
Kubelet Proxy
Kubelet Proxy is an enhanced feature of Module Controller V2 on the K8s side. It allows users to interact directly with Module Controller V2 using the kubectl tool, providing an operational experience similar to the native K8s Kubelet.
For design details, please refer to the documentation.
Enable Kubelet Proxy
- Deploy cert-manager to manage certificate generation and rotation
cert-manager is a Kubernetes plugin for automating the management and rotation of TLS certificates. It helps generate and manage TLS certificates used for the Kubelet Proxy.
Please refer to the cert-manager documentation for installation instructions.
Here is a simple installation example (v1.18.2):
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.yaml
After successful deployment, deploy the corresponding Issuer and Certificate:
- To create Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: virtual-kubelet-issuer
spec:
  selfSigned: {}
- To create Cert
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: virtual-kubelet-cert
spec:
  secretName: virtual-kubelet-tls # The name of the Secret where the certificate is stored; it is referenced later in the ModuleController Deployment
  duration: 2160h # 90 days
  renewBefore: 360h # renew 15 days before expiration
  issuerRef:
    name: virtual-kubelet-issuer # Reference to the above Issuer
    kind: ClusterIssuer
  commonName: koupleless-virtual-kubelet # Common Name
  usages:
    - server auth
    - digital signature
    - key encipherment
After creation, you can use the following command to check whether the certificate secret was generated successfully:
kubectl get secret virtual-kubelet-tls
If the output is similar to the following, the certificate has been generated successfully:
NAME                  TYPE                DATA   AGE
virtual-kubelet-tls   kubernetes.io/tls   3      1m
- Add pods/log permission to the Role
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: virtual-kubelet-role
rules:
  - apiGroups: [""] # "" indicates the core API group
    resources: ["pods", "pods/status", "pods/spec", "nodes", "nodes/status", "events", "pods/log"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "deployments/status", "deployments/spec", "daemonSets", "daemonSets/status", "daemonSets/spec"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""] # "" indicates the core API group
    resources: ["configmaps", "secrets", "services"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["coordination.k8s.io"] # API group of the Lease resource
    resources: ["leases"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
- Create a Service for the ModuleController deployment
apiVersion: v1
kind: Service
metadata:
  name: module-controller
  namespace: default
  labels:
    app: module-controller
    virtual-kubelet.koupleless.io/kubelet-proxy-service: "true" # Necessary, indicates that this Service is used for Kubelet Proxy
spec:
  selector:
    app: module-controller
  ports:
    - name: httptunnel # If HTTP tunneling is not enabled, please remove this port
      port: 7777
      targetPort: 7777
    - name: kubelet-proxy # Kubelet Proxy port
      port: 10250
  type: ClusterIP
- Modify the ENV configuration of ModuleController
apiVersion: apps/v1
kind: Deployment
metadata:
  name: module-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      app: module-controller
  template:
    metadata:
      labels:
        app: module-controller
    spec:
      serviceAccountName: virtual-kubelet
      volumes:
        - name: tls-certs
          secret:
            secretName: virtual-kubelet-tls # Necessary, mount the TLS certificate generated by cert-manager
      containers:
        - name: module-controller
          image: serverless-registry.cn-shanghai.cr.aliyuncs.com/opensource/release/module-controller-v2:<VERSION> # Please replace <VERSION> with the actual version number, e.g., v2.1.4
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              cpu: "1000m"
              memory: "400Mi"
          ports:
            - name: httptunnel # If HTTP tunneling is not enabled, please remove this port
              containerPort: 7777
            - name: kubelet-proxy # Kubelet Proxy port
              containerPort: 10250
          env:
            - name: ENABLE_HTTP_TUNNEL
              value: "true"
            - name: NAMESPACE # Necessary, the namespace where ModuleController is deployed
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KUBELET_PROXY_ENABLED # Necessary, enable Kubelet Proxy
              value: "true"
          volumeMounts: # Necessary, mount the TLS certificate generated by cert-manager
            - name: tls-certs
              mountPath: /etc/virtual-kubelet/tls
              readOnly: true
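The five steps above must agree with each other: the Secret named in the Certificate has to be the one the Deployment mounts, the Service needs the marker label and port 10250, the container needs the KUBELET_PROXY_ENABLED and NAMESPACE variables, and the ClusterRole needs pods/log or kubectl logs will fail with a permission error. The pre-flight check below is an added example, not part of Koupleless or Module Controller; the manifests are embedded as Python dicts constructed to mirror the YAML on this page (with pyyaml you would feed it yaml.safe_load_all output instead).

```python
PROXY_LABEL = "virtual-kubelet.koupleless.io/kubelet-proxy-service"


def check_kubelet_proxy(cert, role, svc, deploy):
    """Cross-check the four manifests; returns a list of problems ([] = consistent)."""
    problems = []
    secret = cert["spec"]["secretName"]
    # kubectl logs is served via the pods/log subresource, so the ClusterRole must grant it
    core = [r for r in role["rules"] if "" in r.get("apiGroups", [])]
    if not any("pods/log" in r.get("resources", []) and "get" in r.get("verbs", []) for r in core):
        problems.append("ClusterRole lacks get on pods/log")
    # the Service is only treated as the proxy endpoint when it carries the marker label
    if svc["metadata"].get("labels", {}).get(PROXY_LABEL) != "true":
        problems.append(f'Service missing label {PROXY_LABEL}="true"')
    if not any(p.get("port") == 10250 for p in svc["spec"]["ports"]):
        problems.append("Service does not expose port 10250")
    pod = deploy["spec"]["template"]["spec"]
    if not svc["spec"]["selector"].items() <= deploy["spec"]["template"]["metadata"]["labels"].items():
        problems.append("Service selector does not match the Deployment pod labels")
    c = pod["containers"][0]
    env = {e["name"]: e for e in c.get("env", [])}
    if env.get("KUBELET_PROXY_ENABLED", {}).get("value") != "true":
        problems.append('KUBELET_PROXY_ENABLED is not "true"')
    if "NAMESPACE" not in env:
        problems.append("NAMESPACE env is missing")
    if not any(p.get("containerPort") == 10250 for p in c.get("ports", [])):
        problems.append("container does not expose port 10250")
    # the cert-manager Secret must be wired in as a read-only volume
    vols = [v["name"] for v in pod.get("volumes", []) if v.get("secret", {}).get("secretName") == secret]
    mounts = {m["name"]: m for m in c.get("volumeMounts", [])}
    if not vols:
        problems.append(f"no volume references Secret {secret}")
    elif vols[0] not in mounts or not mounts[vols[0]].get("readOnly"):
        problems.append(f"volume {vols[0]} is not mounted read-only")
    return problems


# Constructed inputs mirroring the page's manifests, trimmed to the fields checked
CERT = {"spec": {"secretName": "virtual-kubelet-tls"}}
ROLE = {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]}
SVC = {"metadata": {"labels": {"app": "module-controller", PROXY_LABEL: "true"}},
       "spec": {"selector": {"app": "module-controller"}, "ports": [{"name": "kubelet-proxy", "port": 10250}]}}
DEPLOY = {"spec": {"template": {"metadata": {"labels": {"app": "module-controller"}}, "spec": {
    "volumes": [{"name": "tls-certs", "secret": {"secretName": "virtual-kubelet-tls"}}],
    "containers": [{"name": "module-controller",
                    "ports": [{"name": "kubelet-proxy", "containerPort": 10250}],
                    "env": [{"name": "NAMESPACE", "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}},
                            {"name": "KUBELET_PROXY_ENABLED", "value": "true"}],
                    "volumeMounts": [{"name": "tls-certs", "mountPath": "/etc/virtual-kubelet/tls", "readOnly": True}]}]}}}}

if __name__ == "__main__":
    print(check_kubelet_proxy(CERT, ROLE, SVC, DEPLOY) or "kubelet proxy manifests look consistent")
```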
Verify Kubelet Proxy
Assume that a module named biz1-web-single-host has been deployed and the Module Controller has enabled the Kubelet Proxy. The pod list looks like this:
NAME                                    READY   STATUS    RESTARTS   AGE
base-76d79d8599-f64jt                   1/1     Running   0          13d
biz1-web-single-host-786dfc476f-qsp7q   1/1     Running   0          7m40s
module-controller-59f7bb765-8w84l       1/1     Running   0          13d
At this point, you can directly access the module’s logs using the kubectl command:
kubectl logs --tail=50 biz1-web-single-host-786dfc476f-qsp7q
It is expected to see normal log output. If an error occurs, it may indicate that the Kubelet Proxy is not properly configured or not enabled.