kubernetes master节点包含的组件:
- etcd
- flannel
- docker
- kube-apiserver
- kube-scheduler
- kube-controller-manager
目前这三个组件需要部署在同一台机器上:
- kube-scheduler、kube-controller-manager和kube-apiserver三者的功能紧密相关;
- 同时只能有一个kube-scheduler、kube-controller-manager进程处于工作状态,如果运行多个,则需要通过选举产生一个leader;
- 本文档介绍部署单kubernetes master节点的步骤,没有实现高可用master集群。
导入环境变量
$ source /root/local/bin/environment.sh下载二进制文件
从CHANGELOG页面下载server tarball文件
$ wget https://dl.k8s.io/v1.10.0/kubernetes-server-linux-amd64.tar.gz
$ tar -xzvf kubernetes-server-linux-amd64.tar.gz
$ sudo cp -r kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl} /root/local/bin/创建 admin 证书
kubectl 与 kube-apiserver 的安全端口通信,需要为安全通信提供 TLS 证书和秘钥。
创建 admin 证书签名请求
$ cat admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}- 后续 kube-apiserver 使用 RBAC 对客户端(如 kubelet、kube-proxy、Pod)请求进行授权;
- kube-apiserver 预定义了一些 RBAC 使用的 RoleBindings,如 cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 所有 API的权限;
- O 指定该证书的 Group 为 system:masters,kubelet 使用该证书访问 kube-apiserver 时 ,由于证书被 CA 签名,所以认证通过,同时由于证书用户组为经过预授权的 system:masters,所以被授予访问所有 API 的权限;
- hosts 属性值为空列表;
生成 admin 证书和私钥:
cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
$ ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
$ sudo mv admin*.pem /etc/kubernetes/ssl/
$ rm admin.csr admin-csr.json创建 kubectl kubeconfig 文件
$ # 设置集群参数
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER}
$ # 设置客户端认证参数
$ kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/ssl/admin-key.pem
$ # 设置上下文参数
$ kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin
$ # 设置默认上下文
$ kubectl config use-context kubernetes- admin.pem 证书 O 字段值为 system:masters,kube-apiserver 预定义的 RoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 相关 API 的权限;
- 生成的 kubeconfig 被保存到 ~/.kube/config 文件;
分发 kubeconfig 文件
将 ~/.kube/config 文件拷贝到运行 kubelet 命令的机器的 ~/.kube/ 目录下。
创建kubernetes证书
创建kubernetes证书签名请求
$ cat > kubernetes-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"${MASTER_IP}",
"${CLUSTER_KUBERNETES_SVC_IP}",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF- 如果hosts字段不为空则需要指定授权使用该证书的IP或域名列表,所以上面分别指定了当前部署的master节点主机IP和域名;
- 还需要添加kube-apiserver注册的名为kubernetes的服务IP (Service Cluster IP),一般是kube-apiserver –service-cluster-ip-range选项值指定的网段的第一个IP,如10.254.0.1;
生成kubernetes证书和私钥
$ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
$ ls kubernetes*
# kubernetes.csr kubernetes-csr.json kubernetes-key.pem kubernetes.pem
$ sudo mkdir -p /etc/kubernetes/ssl/
$ sudo mv kubernetes*.pem /etc/kubernetes/ssl/
$ sudo rm -rf kubernetes.csr kubernetes-csr.json配置和启动kube-apiserver
创建kube-apiserver使用的客户端token文件
kubelet首次启动时会向kube-apiserver发送TLS Bootstrapping请求,kube-apiserver验证kubelet请求中的token是否与它配置的token.csv一致,如果一致则自动为kubelet生成证书和秘钥。
# 导入的environment.sh文件定义的BOOTSTRAP_TOKEN变量
$ cat > token.csv << EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
$ mv token.csv /etc/kubernetes/创建kube-apiserver的systemd unit文件
$ cat > kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/root/local/bin/kube-apiserver \\
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
--advertise-address=${MASTER_IP} \\
--bind-address=${MASTER_IP} \\
--insecure-bind-address=${MASTER_IP} \\
--authorization-mode=Node,RBAC \\
--runtime-config=rbac.authorization.k8s.io/v1 \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/etc/kubernetes/token.csv \\
--service-cluster-ip-range=${SERVICE_CIDR} \\
--service-node-port-range=${NODE_PORT_RANGE} \\
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \\
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \\
--client-ca-file=/etc/kubernetes/ssl/ca.pem \\
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \\
--etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \\
--etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \\
--etcd-servers=${ETCD_ENDPOINTS} \\
--enable-swagger-ui=true \\
--allow-privileged=true \\
--apiserver-count=3 \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/var/lib/audit.log \\
--event-ttl=1h \\
--v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF- kube-apiserver 1.6版本开始使用etcd v3 API和存储格式;
- –authorization-mode=RBAC指定在安全端口使用RBAC授权模式,拒绝未通过授权的请求;
- kube-scheduler、kube-controller-manager一般和kube-apiserver部署在同一台Master机器上,它们使用非安全端口和kube-apiserver通信;
- kubelet、kube-proxy部署在其它Node节点上,如果通过安全端口访问kube-apiserver,则必须先通过TLS证书认证,再通过RBAC授权;
- kube-proxy、kubectl通过在使用的证书里指定相关的User、Group来达到通过RBAC 授权的目的;
- 如果使用了kubelet TLS Boostrap机制,则不能再指定–kubelet-certificate-authority、–kubelet-client-certificate和–kubelet-client-key选项,否则后续kube-apiserver校验kubelet证书时出现x509: certificate signed by unknown authority错误;
- –admission-control值必须包含ServiceAccount,否则部署集群插件时会失败;
- –bind-address不能为127.0.0.1;
- –service-cluster-ip-range指定Service Cluster IP地址段,该地址段不能路由可达;
- –service-node-port-range=${NODE_PORT_RANGE}指定NodePort的端口范围;
- 缺省情况下kubernetes对象保存在etcd /registry 路径下,可以通过–etcd-prefix参数进行调整;
启动kube-apiserver
$ sudo cp kube-apiserver.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo systemctl enable kube-apiserver
$ sudo systemctl start kube-apiserver
$ sudo systemctl status kube-apiserver配置和启动kube-controller-manager
创建kube-controller-manager的systemd unit文件
$ cat > kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/root/local/bin/kube-controller-manager \\
--address=127.0.0.1 \\
--master=http://${MASTER_IP}:8080 \\
--allocate-node-cidrs=true \\
--service-cluster-ip-range=${SERVICE_CIDR} \\
--cluster-cidr=${CLUSTER_CIDR} \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \\
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/etc/kubernetes/ssl/ca.pem \\
--leader-elect=true \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF–address值必须为127.0.0.1,因为当前kube-apiserver期望scheduler和controller-manager在同一台机器,否则:
$ kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
controller-manager Unhealthy Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: getsockopt: connection refused
scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: getsockopt: connection refused参考:https://github.com/kubernetes-incubator/bootkube/issues/64
- –master=http://{MASTER_IP}:8080:使用非安全8080端口与kube-apiserver通信;
- –cluster-cidr指定Cluster中Pod的CIDR范围,该网段在各Node间必须路由可达(flannel保证);
- –service-cluster-ip-range参数指定Cluster中Service的CIDR范围,该网络在各Node间必须路由不可达,必须和kube-apiserver中的参数一致;
- –cluster-signing-*指定的证书和私钥文件用来签名为TLS BootStrap创建的证书和私钥;
- –root-ca-file用来对kube-apiserver证书进行校验,指定该参数后,才会在Pod容器的ServiceAccount中放置该CA证书文件;
- –leader-elect=true部署多台机器组成的master集群时选举产生一处于工作状态的kube-controller-manager进程;
启动kube-controller-manager
$ sudo cp kube-controller-manager.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo systemctl enable kube-controller-manager
$ sudo systemctl start kube-controller-manager配置和启动kube-scheduler
创建kube-scheduler的systemd unit文件
$ cat > kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/root/local/bin/kube-scheduler \\
--address=127.0.0.1 \\
--master=http://${MASTER_IP}:8080 \\
--leader-elect=true \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF- –address值必须为127.0.0.1,因为当前kube-apiserver期望scheduler和controller-manager在同一台机器;
- –master=http://{MASTER_IP}:8080:使用非安全8080端口与kube-apiserver通信;
- –leader-elect=true部署多台机器组成的master集群时选举产生一处于工作状态的kube-controller-manager进程;
启动kube-scheduler
$ sudo cp kube-scheduler.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo systemctl enable kube-scheduler
$ sudo systemctl start kube-scheduler验证master节点功能
$ kubectl get componentstatuses
# NAME STATUS MESSAGE ERROR
# controller-manager Healthy ok
# scheduler Healthy ok
# etcd-0 Healthy {"health": "true"}
# etcd-1 Healthy {"health": "true"}
# etcd-2 Healthy {"health": "true"}
1663
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
