Kubernetes/Kubelet

From Ever changing code
Revision as of 00:13, 29 August 2019 by Pio2pio (talk | contribs)

The kubelet is the primary “node agent” that runs on each node. The kubelet takes a set of PodSpecs that are provided through various mechanisms (primarily through the apiserver) and ensures that the containers described in those PodSpecs are running and healthy.


A few interesting options:

  • --port int32 :- the port for the Kubelet to serve on. (default 10250)
  • --read-only-port int32 :- the read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable) (default 10255)
  • --healthz-port int32 :- the port of the localhost healthz endpoint (set to 0 to disable) (default 10248)
  • --max-pods int32 :- number of Pods that can run on this Kubelet. (default 110)


To check which options are applied, SSH to one of the nodes and inspect the kubelet process:

kubectl get nodes -owide
NAME       STATUS   ROLES    AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE              KERNEL-VERSION   CONTAINER-RUNTIME
minikube   Ready    master   45m   v1.15.2   10.0.2.15     <none>        Buildroot 2018.05.3   4.15.0           docker://18.9.8

ps -aux | grep kubelet
root      3409  8.3  4.8 1353596 96020 ?       Ssl  20:54   2:40 /usr/bin/kubelet --authorization-mode=Webhook --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --cgroup-driver=cgroupfs --client-ca-file=/var/lib/minikube/certs/ca.crt --cluster-dns=10.96.0.10 --cluster-domain=cluster.local --container-runtime=docker --fail-swap-on=false --hostname-override=minikube --kubeconfig=/etc/kubernetes/kubelet.conf --pod-manifest-path=/etc/kubernetes/manifests
root      3819  8.5 14.2 471736 284396 ?       Ssl  20:54   2:43 kube-apiserver --advertise-address=192.168.99.104 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/var/lib/minikube/certs/ca.crt --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --enable-bootstrap-token-auth=true --etcd-cafile=/var/lib/minikube/certs/etcd/ca.crt --etcd-certfile=/var/lib/minikube/certs/apiserver-etcd-client.crt --etcd-keyfile=/var/lib/minikube/certs/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/var/lib/minikube/certs/apiserver-kubelet-client.crt --kubelet-client-key=/var/lib/minikube/certs/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/var/lib/minikube/certs/front-proxy-client.crt --proxy-client-key-file=/var/lib/minikube/certs/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/var/lib/minikube/certs/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=8443 --service-account-key-file=/var/lib/minikube/certs/sa.pub --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/var/lib/minikube/certs/apiserver.crt --tls-private-key-file=/var/lib/minikube/certs/apiserver.key
docker   18542  0.0  0.0   9240   476 pts/0    S+   21:26   0:00 grep kubelet
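
The same check as a script, added here as an example (not part of the original page): it resolves the kubelet's listener ports from a command line using the defaults listed above and reports whether the unauthenticated read-only port is enabled. The function names and sample command lines are constructed for illustration, and only command-line flags are read (settings from a --config file are not).

```shell
#!/bin/sh
# Added example: resolve kubelet listener ports from its command line.
# Defaults are the ones listed on this page; a --config file is not read.

# kubelet_flag CMDLINE NAME DEFAULT -> value of --NAME, or DEFAULT if absent.
# Handles "--name=value" and "--name value"; the last occurrence wins.
kubelet_flag() (
  set -f                                   # no globbing while word-splitting
  value=$3 want_value=0
  for arg in $1; do
    if [ "$want_value" = 1 ]; then value=$arg; want_value=0; continue; fi
    case $arg in
      "--$2="*) value=${arg#*=} ;;
      "--$2")   want_value=1 ;;
    esac
  done
  printf '%s\n' "$value"
)

# kubelet_listeners CMDLINE -> one line per listener: "<flag> <port> <note>".
kubelet_listeners() (
  for spec in "port:10250:https" \
              "read-only-port:10255:no-authn-authz" \
              "healthz-port:10248:localhost-healthz"; do
    name=${spec%%:*}; rest=${spec#*:}
    port=$(kubelet_flag "$1" "$name" "${rest%%:*}")
    note=${rest#*:}
    # 0 disables the read-only and healthz listeners (per the option help text).
    if [ "$port" = 0 ] && [ "$name" != port ]; then note=disabled; fi
    printf '%s %s %s\n' "$name" "$port" "$note"
  done
)

# readonly_port_exposed CMDLINE -> exit 0 when the unauthenticated port is on.
readonly_port_exposed() {
  [ "$(kubelet_flag "$1" read-only-port 10255)" != 0 ]
}

# Constructed samples: a shortened form of the minikube command line above,
# and a variant that disables the read-only port.
SAMPLE_DEFAULT='/usr/bin/kubelet --authorization-mode=Webhook --client-ca-file=/var/lib/minikube/certs/ca.crt --kubeconfig=/etc/kubernetes/kubelet.conf'
SAMPLE_HARDENED="$SAMPLE_DEFAULT --read-only-port 0 --healthz-port=10248"

kubelet_listeners "$SAMPLE_DEFAULT"
if readonly_port_exposed "$SAMPLE_HARDENED"; then echo "read-only port: open"
else echo "read-only port: disabled"; fi
```

On a node, pass the live command line instead of a sample, for instance the output of tr '\0' ' ' < /proc/$(pgrep -x kubelet)/cmdline.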


Check the ports:

# HTTP: the read-only port, served with no authentication/authorization
curl http://localhost:10255/stats/summary
{
  "node": {
   "nodeName": "minikube",
   "systemContainers": [
    {
     "name": "runtime",
     "startTime": "2019-08-28T21:14:07Z",
     "cpu": {
      "time": "2019-08-28T21:32:41Z",
      "usageNanoCores": 80916024,
      "usageCoreNanoSeconds": 383367236057
     },
      ...

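# HTTPS: calling the kubelet on minikube with the apiserver's kubelet client certificate
# (-k skips verification of the kubelet's serving certificate)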
sudo curl https://localhost:10250/stats/summary -k \
  --cert /var/lib/minikube/certs/apiserver-kubelet-client.crt \
  --key  /var/lib/minikube/certs/apiserver-kubelet-client.key

sudo curl https://${HOSTNAME}:10250/stats/summary \
  --cert /var/lib/minikube/certs/apiserver-kubelet-client.crt \
  --key  /var/lib/minikube/certs/apiserver-kubelet-client.key
