kubernetes1.8.4 安装指南 -- 6. 安装kubernetes master

接下来安装kubernetes master的3个核心组件,分别是apiserver, controller-manager, scheduler。


# Static-pod manifests for the control-plane components go here; the kubelet
# picks them up through --pod-manifest-path (set in the kubelet drop-in below).
mkdir -p /etc/kubernetes/manifests


定义 apiserver pod, 保存为 /etc/kubernetes/manifests/apiserver.yml (kubelet 会把该目录下的清单作为静态 pod 启动):

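---
# Static pod for kube-apiserver (v1.8.4), started by the kubelet from
# /etc/kubernetes/manifests. Certificates, the static-token file, the audit
# policy and the encryption config are all read from the host via hostPath.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  # hostNetwork: 6443 is bound directly on the master's interfaces.
  hostNetwork: true
  # (fixed: the original had a stray space before the colon, "containers :")
  containers:
  - name: kube-apiserver
    image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.8.4
    command:
      - kube-apiserver
      - --v=0
      - --logtostderr=true
      # Privileged containers are allowed cluster-wide and no PodSecurityPolicy
      # admission plugin is enabled below, so any principal allowed to create
      # pods can create privileged ones. Keep pod-creation rights tightly scoped.
      - --allow-privileged=true
      - --bind-address=0.0.0.0
      - --secure-port=6443
      # The unauthenticated HTTP listener is disabled; everything goes via TLS.
      # Anonymous requests are still accepted on 6443 (default --anonymous-auth=true)
      # and get only what RBAC grants system:unauthenticated; the liveness probe
      # below appears to rely on that for /healthz, so do not disable it blindly.
      - --insecure-port=0
      - --advertise-address=10.0.0.210
      - --service-cluster-ip-range=10.96.0.0/12
      - --service-node-port-range=30000-32767
      # SECURITY: etcd is reached over plain HTTP with no client authentication.
      # Anyone who can reach 10.0.0.210:2379 can read and write all cluster state
      # (Secrets are encrypted at rest per encryption.yml; everything else is
      # plaintext). Serve etcd over TLS with client-cert auth and switch this to
      # https:// plus --etcd-cafile/--etcd-certfile/--etcd-keyfile.
      - --etcd-servers=http://10.0.0.210:2379
      - --client-ca-file=/etc/kubernetes/pki/ca.pem
      - --tls-cert-file=/etc/kubernetes/pki/apiserver.pem
      - --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem
      # The serving cert doubles as the client cert towards kubelets. The kubelet
      # validates it against ca.pem (--client-ca-file in the kubelet drop-in), and
      # its CN is the User that the system:kube-apiserver-to-kubelet binding must
      # name (kube-apiserver) — verify against the certificate-generation step.
      - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem
      - --kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem
      # NOTE(review): no --kubelet-certificate-authority is set, so the apiserver
      # does not verify kubelet serving certificates for exec/logs/port-forward.
      # Only add it once kubelet serving certs are issued by a CA you control.
      - --service-account-key-file=/etc/kubernetes/pki/sa.pub
      # Static tokens never expire and can only be revoked by editing the file
      # and restarting the apiserver. Keep token.csv mode 0600 and prefer
      # certificates or bootstrap tokens for long-lived identities.
      - --token-auth-file=/etc/kubernetes/token.csv
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      # NodeRestriction confines each kubelet to its own Node/Pod objects; it
      # depends on kubelets authenticating as system:node:<name> (Node authorizer).
      - --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
      - --authorization-mode=Node,RBAC
      - --enable-bootstrap-token-auth=true
      # Aggregation layer: only a client cert issued by front-proxy-ca.pem whose
      # CN is listed in --requestheader-allowed-names may set the X-Remote-*
      # headers. That CA must therefore be separate from ca.pem and never used
      # to issue ordinary client certificates.
      - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem
      - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem
      - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem
      # NOTE(review): front-proxy-client.pem must carry CN=aggregator to match
      # this list (cert generation is not on this page) — verify.
      - --requestheader-allowed-names=aggregator
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-extra-headers-prefix=X-Remote-Extra-
      - --requestheader-username-headers=X-Remote-User
      # Audit log on the host (k8s-audit-log volume): rotate at 100 MiB, keep 3
      # backups for 30 days. Ship it off the master; a compromised master can
      # edit its own log.
      - --audit-log-maxage=30
      - --audit-log-maxbackup=3
      - --audit-log-maxsize=100
      - --audit-log-path=/var/log/kubernetes/audit.log
      - --audit-policy-file=/etc/kubernetes/audit-policy.yml
      # Secrets are encrypted at rest with the aescbc key in encryption.yml
      # (flag is experimental in 1.8 and renamed in later releases).
      - --experimental-encryption-provider-config=/etc/kubernetes/encryption.yml
      - --event-ttl=1h
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    # Only the audit-log directory is writable; all credential/config inputs
    # are mounted read-only.
    - mountPath: /var/log/kubernetes
      name: k8s-audit-log
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/kubernetes/encryption.yml
      name: encryption-config
      readOnly: true
    - mountPath: /etc/kubernetes/audit-policy.yml
      name: audit-config
      readOnly: true
    - mountPath: /etc/kubernetes/token.csv
      name: token-csv
      readOnly: true
  volumes:
  # The audit-log directory may be created on demand.
  - hostPath:
      path: /var/log/kubernetes
      type: DirectoryOrCreate
    name: k8s-audit-log
  # Credential and policy inputs must already exist (Directory/File rather than
  # *OrCreate): with *OrCreate a missing file is silently replaced by an empty
  # one, so the apiserver would start with no tokens or fail later on an empty
  # encryption/audit config. Now the kubelet reports a hostPath type-check
  # failure at pod start instead.
  - hostPath:
      path: /etc/kubernetes/pki
      type: Directory
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/encryption.yml
      type: File
    name: encryption-config
  - hostPath:
      path: /etc/kubernetes/audit-policy.yml
      type: File
    name: audit-config
  - hostPath:
      path: /etc/kubernetes/token.csv
      type: File
    name: token-csv
  # Host CA bundle, used for outbound TLS (webhooks, OIDC, ...).
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs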


定义 controller-manager pod, 保存为 /etc/kubernetes/manifests/manager.yml:

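---
# Static pod for kube-controller-manager (v1.8.4). It reads the cluster CA
# private key (to sign CSRs) and the service-account signing key, so this pod
# is as sensitive as the apiserver itself.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  labels:
    component: kube-controller-manager
    tier: control-plane
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.8.4
    command:
      - kube-controller-manager
      - --v=0
      - --logtostderr=true
      # 10252 (healthz/metrics) is unauthenticated: keep it on loopback only.
      - --address=127.0.0.1
      - --root-ca-file=/etc/kubernetes/pki/ca.pem
      # The cluster CA key signs CSRs (kubelet bootstrap and certificate rotation).
      - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem
      - --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem
      # Private half of the key pair whose public part the apiserver uses
      # (--service-account-key-file=sa.pub) to verify service-account tokens.
      - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
      - --kubeconfig=/etc/kubernetes/controller-manager.conf
      - --leader-elect=true
      # Each controller acts with its own service account instead of the
      # controller-manager's credentials (least privilege per controller).
      - --use-service-account-credentials=true
      - --node-monitor-grace-period=40s
      - --node-monitor-period=5s
      - --pod-eviction-timeout=2m0s
      # bootstrapsigner/tokencleaner support the bootstrap-token flow enabled on
      # the apiserver (--enable-bootstrap-token-auth).
      - --controllers=*,bootstrapsigner,tokencleaner
      - --allocate-node-cidrs=true
      - --cluster-cidr=10.244.0.0/16
      - --node-cidr-mask-size=24
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 200m
    volumeMounts:
    # Whole pki directory is visible (read-only); the controller-manager needs
    # ca.pem, ca-key.pem and sa.key from it.
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/kubernetes/controller-manager.conf
      name: kubeconfig
      readOnly: true
    # Writable on purpose: flexvolume driver plugin directory.
    - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      name: flexvolume-dir
  volumes:
  # pki and the kubeconfig must pre-exist (Directory/File rather than
  # *OrCreate): otherwise a missing controller-manager.conf is silently
  # replaced by an empty file and the failure surfaces only in the pod's log.
  - hostPath:
      path: /etc/kubernetes/pki
      type: Directory
    name: k8s-certs
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/kubernetes/controller-manager.conf
      type: File
    name: kubeconfig
  - hostPath:
      path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
      type: DirectoryOrCreate
    name: flexvolume-dir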


定义 scheduler pod, 保存为 /etc/kubernetes/manifests/scheduler.yml:

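---
# Static pod for kube-scheduler (v1.8.4). It reaches the apiserver only with
# the credentials in scheduler.conf and exposes healthz/metrics on
# 127.0.0.1:10251 (unauthenticated, hence loopback only).
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.8.4
    command:
      - kube-scheduler
      - --v=0
      - --logtostderr=true
      # Keep the unauthenticated 10251 listener on loopback.
      - --address=127.0.0.1
      - --leader-elect=true
      - --kubeconfig=/etc/kubernetes/scheduler.conf
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 100m
    volumeMounts:
    # NOTE(review): nothing in this command line reads /etc/kubernetes/pki
    # directly; the mount is only needed if scheduler.conf references
    # certificate files by path instead of embedding them (*-data fields).
    # If it embeds them, drop this mount so the scheduler cannot read the
    # apiserver and CA private keys.
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /etc/kubernetes/scheduler.conf
      name: kubeconfig
      readOnly: true
  volumes:
  # Both inputs must pre-exist (Directory/File rather than *OrCreate): with
  # FileOrCreate a missing scheduler.conf would be silently replaced by an
  # empty file instead of failing at pod start.
  - hostPath:
      path: /etc/kubernetes/pki
      type: Directory
    name: k8s-certs
  - hostPath:
      path: /etc/kubernetes/scheduler.conf
      type: File
    name: kubeconfig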

生成一个用于加密 etcd 中 Secret 数据(静态加密, encryption at rest)的密钥。输出是 32 字节随机数的 base64 编码, 属于敏感信息: 请自行生成, 不要使用本文示例里的值。

# 32 random bytes, base64-encoded: the AES-256 key for the aescbc provider
# in encryption.yml. Treat the output as a secret and never reuse a key that
# has been published (e.g. the one in an example file).
head -c 32 /dev/urandom | base64


在 /etc/kubernetes 下创建文件 encryption.yml, 并把上一步生成的密钥填入 secret 字段。该文件包含明文密钥, 创建后执行 chmod 600 /etc/kubernetes/encryption.yml, 且不要提交到版本库:

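---
# Encryption-at-rest configuration loaded by the apiserver through
# --experimental-encryption-provider-config. Only Secret objects are covered.
# The file holds the raw key: keep it root-only (chmod 600), out of version
# control, and never use a key that has been published.
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried
      # for reads. aescbc with a 32-byte key is AES-256-CBC.
      - aescbc:
          keys:
            - name: key1
              # Replace with your own output of: head -c 32 /dev/urandom | base64
              secret: REPLACE_WITH_YOUR_OWN_BASE64_32_BYTE_KEY
      # identity (no encryption) stays last so Secrets written before this
      # config was enabled remain readable; rewrite them to get them encrypted.
      - identity: {}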


在 /etc/kubernetes 下面创建审计策略文件 audit-policy.yml。下面的策略对所有请求记录 Metadata 级别 (记录请求者、动词、资源和响应状态, 不记录请求体和响应体, 因此 Secret 内容不会写入日志):

apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Rules are matched in order, first match wins. This single catch-all rule
# logs every request at Metadata level: user, verb, resource and response
# status, but never request or response bodies, so Secret contents do not
# end up in /var/log/kubernetes/audit.log.
rules:
- level: Metadata


在/lib/systemd/system/下面创建文件kubelet.service

[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=http://kubernetes.io/docs/

[Service]
# Bare command only; the real flags are assembled in
# /etc/systemd/system/kubelet.service.d/10-kubelet.conf, which resets ExecStart.
ExecStart=/usr/local/bin/kubelet
Restart=on-failure
# No start-rate limit: the kubelet is retried indefinitely, every 10 s.
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target

在/etc/systemd/system/kubelet.service.d/下面创建文件10-kubelet.conf

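[Service]
# The kubelet listens on 10250 on all interfaces; access is gated by
# --anonymous-auth=false plus the client-CA / Webhook settings below.
Environment="KUBELET_KUBECONFIG_ARGS=--address=0.0.0.0 --port=10250 --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBE_LOGTOSTDERR=--logtostderr=true --v=0"
# Control-plane static pods come from /etc/kubernetes/manifests. Unauthenticated
# requests to 10250 are rejected outright.
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true --anonymous-auth=false"
Environment="KUBELET_POD_CONTAINER=--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.0"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
# Client certificates are validated against ca.pem and every request is
# authorized through a SubjectAccessReview to the apiserver (Webhook), so the
# apiserver's --kubelet-client-certificate must be issued by that CA.
# --read-only-port=0 closes the kubelet's unauthenticated read-only listener
# (default 10255), which exposes pod specs and metrics; anything that scraped
# it must use 10250 with credentials instead.
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.pem --read-only-port=0"
# Disables cAdvisor's own unauthenticated web port (default 4194 in 1.8).
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
# Client-certificate rotation; rotated certs land in /var/lib/kubelet/pki.
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false --serialize-image-pulls=false"
Environment="KUBE_NODE_LABEL=--node-labels=node-role.kubernetes.io/master=true"
ExecStart=
# Fix: the original ExecStart never expanded $KUBELET_CADVISOR_ARGS or
# $KUBELET_CERTIFICATE_ARGS, so --cadvisor-port=0 and certificate rotation were
# defined above but silently not applied.
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBE_LOGTOSTDERR $KUBELET_POD_CONTAINER $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS $KUBE_NODE_LABEL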

创建容器卷的本地目录

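# /var/lib/kubelet holds kubelet state and, under pki/, its rotated client
# certificate; /var/log/kubernetes receives the apiserver audit log.
mkdir -p /var/lib/kubelet

mkdir -p /var/log/kubernetes
# The audit log records every caller's identity and request: root-only.
chmod 700 /var/log/kubernetes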


运行kubelet

# Enable at boot and start now; the kubelet then launches the static pods
# found in /etc/kubernetes/manifests.
systemctl enable kubelet

systemctl start kubelet


待服务启动完成后, 拷贝 kubeconfig 文件 admin.conf (它包含 cluster-admin 权限的凭据, 拷贝后要限制文件权限):

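# admin.conf carries cluster-admin credentials: make sure the target directory
# exists and keep the copy readable by its owner only.
mkdir -p ~/.kube
cp /etc/kubernetes/admin.conf ~/.kube/config
chmod 600 ~/.kube/config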


创建一个 apiserver-to-kubelet-rbac.yml, 授权 apiserver (以 kubelet 客户端证书的 CN, 即用户 kube-apiserver 的身份) 访问 kubelet API, 这样 kubectl logs、exec 等指令才能通过 kubelet 的 Webhook 鉴权。创建后执行 kubectl apply -f apiserver-to-kubelet-rbac.yml:

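---
# Grants the identity the apiserver presents to kubelets (the CN of
# apiserver.pem, used as --kubelet-client-certificate) the kubelet API
# sub-resources behind kubectl logs/exec/port-forward and metrics. The kubelet
# checks each call with a SubjectAccessReview (--authorization-mode=Webhook),
# which is evaluated against this ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  # nodes/proxy with every verb is full kubelet API access on every node
  # (exec into any pod), so this role must only ever be bound to the apiserver.
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBindings are cluster-scoped; the original's namespace: "" was
  # meaningless and has been dropped.
  name: system:kube-apiserver
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  # NOTE(review): this name must equal the CN of apiserver.pem (certificate
  # generation is not on this page); if it differs, the kubelet answers
  # exec/logs with 403.
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kube-apiserver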


