部署kube-apiserver集群
集群规划
主机名 角色 ip
HDSS7-21.host.com kube-apiserver 10.4.7.21
HDSS7-22.host.com kube-apiserver 10.4.7.22
HDSS7-11.host.com 4层负载均衡 10.4.7.11
HDSS7-12.host.com 4层负载均衡 10.4.7.12
注意:这里10.4.7.11和10.4.7.12使用nginx做4层负载均衡器,用keepalive跑一个vip:10.4.7.10,代理两个kube-apiserver,实现高可用。
这里部署文档以HDSS7-14.host.com主机为例,另外一台运算节点部署方法类似
下载k8s二进制源码
下载软件,解压,做软连接,安装1.15.2
https://github.com/kubernetes/kubernetes/tags?after=v1.13.11-beta.0
[root@hdss7-21 ~]# cd /opt/src/
[root@localhost certs]# rz
[root@hdss7-21 src]# ls
kubernetes-server-linux-amd64-v1.15.2.tar.gz
查看文件大小并解压
[root@localhost src]# du -sh kubernetes-server-linux-amd64-v1.15.2.tar.gz
424M kubernetes-server-linux-amd64-v1.15.2.tar.gz
[root@localhost src]# tar -zxvf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss7-21 src]# cd ..
[root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2
做软连接,方便以后更新
[root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss7-21 opt]# ll
总用量 0
drwx--x--x 4 root root 28 12月 10 14:28 containerd
lrwxrwxrwx 1 root root 17 12月 10 16:45 etcd -> /opt/etcd-v3.1.20
drwxr-xr-x 4 etcd etcd 166 12月 10 17:43 etcd-v3.1.20
lrwxrwxrwx 1 root root 24 12月 10 18:33 kubernetes -> /opt/kubernetes-v1.15.2/
drwxr-xr-x 4 root root 79 8月 5 18:01 kubernetes-v1.15.2
drwxr-xr-x 2 root root 97 12月 10 18:29 src
[root@hdss7-21 opt]# cd kubernetes
[root@hdss7-21 kubernetes]# ls
addons kubernetes-src.tar.gz LICENSES server
删除源码包
[root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz
[root@hdss7-21 kubernetes]# cd server/bin/
删除没用的文件docker镜像等
[root@localhost bin]# rm -f *.tar && rm -f *_tag
# 剩余一些可执行文件
[root@localhost bin]# ll
总用量 884636
-rwxr-xr-x 1 root root 43534816 8月 5 2019 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 8月 5 2019 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 8月 5 2019 hyperkube
-rwxr-xr-x 1 root root 40182208 8月 5 2019 kubeadm
-rwxr-xr-x 1 root root 164501920 8月 5 2019 kube-apiserver
-rwxr-xr-x 1 root root 116397088 8月 5 2019 kube-controller-manager
-rwxr-xr-x 1 root root 42985504 8月 5 2019 kubectl
-rwxr-xr-x 1 root root 119616640 8月 5 2019 kubelet
-rwxr-xr-x 1 root root 36987488 8月 5 2019 kube-proxy
-rwxr-xr-x 1 root root 38786144 8月 5 2019 kube-scheduler
-rwxr-xr-x 1 root root 1648224 8月 5 2019 mounter
签发证书
签发apiserver-client证书:apiserver与etc通信用的证书。
apiserver是客户端,etcd是服务端
在运维主机HDSS-200.host.com上完成签发
创建生成证书签名请求(csr)的JSON配置文件 – 此目录下有,直接上传修改,不要粘贴复制
[root@hdss7-200 ~]# cd /opt/certs/
[root@hdss7-200 ~]# vi /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shengzhen",
"L": "shengzhen",
"O": "od",
"OU": "ops"
}
]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
创建签名请求(csr)的JSON配置文件,apiserver,server端证书 – 直接上传
[root@hdss7-200 certs]# vi apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "shengzhen",
"L": "shengzhen",
"O": "od",
"OU": "ops"
}
]
}
[root@hdss7-12 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
[root@hdss7-200 certs]# ll
总用量 80
total 24
-rw-r--r-- 1 root root 1257 6月 26 17:29 apiserver.csr
-rw-r--r-- 1 root root 570 6月 26 17:29 apiserver-csr.json
-rw------- 1 root root 1679 6月 26 17:29 apiserver-key.pem
-rw-r--r-- 1 root root 1602 6月 26 17:29 apiserver.pem
-rw-r--r-- 1 root root 997 6月 26 17:24 client.csr
-rw-r--r-- 1 root root 284 6月 26 17:23 client-csr.json
-rw------- 1 root root 1675 6月 26 17:24 client-key.pem
-rw-r--r-- 1 root root 1371 6月 26 17:24 client.pem
拷贝证书
[root@hdss7-14 ~]# cd /opt/kubernetes/server/bin/
[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
# 最后有个点,表示拷贝到当前目录
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/ca.pem .
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/ca-key.pem .
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/client.pem .
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/client-key.pem .
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/apiserver.pem .
[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/apiserver-key.pem .
# 全部复制到另外一台apiserver主机上
[root@localhost cert]# scp ./*.pem 10.4.7.200:/opt/kubernetes/server/bin/cert/
root@10.4.7.200's password:
scp: /opt/kubernetes/server/bin/cert/: No such file or directory
[root@localhost cert]# scp ./*.pem 10.4.7.22:/opt/kubernetes/server/bin/cert/
The authenticity of host '10.4.7.22 (10.4.7.22)' can't be established.
ECDSA key fingerprint is SHA256:FuzW+BCs20gMQ9jse/bm88jvdMwwAcn274ukbLlVCSU.
ECDSA key fingerprint is MD5:66:c8:11:5e:0b:41:fa:69:56:b7:b5:70:7d:33:9e:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.4.7.22' (ECDSA) to the list of known hosts.
root@10.4.7.22's password:
apiserver-key.pem 100% 1679 737.7KB/s 00:00
apiserver.pem 100% 1602 472.4KB/s 00:00
ca-key.pem 100% 1675 673.3KB/s 00:00
ca.pem 100% 1346 811.5KB/s 00:00
client-key.pem 100% 1675 804.3KB/s 00:00
client.pem
创建启动配置脚本 apiserver的资源清单
[root@hdss7-22 cert]# cd /opt/kubernetes/server/bin
[root@hdss7-21 bin]# mkdir conf
[root@hdss7-21 bin]# cd conf/
[root@hdss7-21 conf]# vi audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
编写启动脚本 – 直接上传
注:脚本不能包含多余的空格,且需要对照格式,否则报错
[root@hdss7-21 config]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
查看帮助命令,查看每行的意思
[root@hdss7-21 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb
添加执行权限
[root@localhost bin]# cd /opt/kubernetes/server/bin/
[root@hdss7-21 bin]# chmod +x kube-apiserver.sh
创建后台启动
# 21根据实际IP地址更改
# [program:kube-apiserver-7-21]
[root@hdss7-21 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@hdss7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
[root@hdss7-21 bin]# supervisorctl update
[root@hdss7-21 bin]# supervisorctl status
# 注:报错请直接查看日志,然后删除掉kube-apiserver.ini文件再 supervisorctl update来清除缓存,
之后重新编写ini文件,再 supervisorctl update即可
# 检查是否启动成功
[root@hdss7-21 bin]# netstat -luntp | grep kube-api
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 27303/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 27303/./kube-apiser
3243
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
