K8S Series (2): Binary Deployment, Part 2: The Master Node
Previous: K8S Series (2): Binary Deployment, Part 1: The etcd Cluster
Next: K8S Series (2): Binary Deployment, Part 3: The Worker (Node) Nodes
I. Introduction
1. The Master node is the central entry point of a k8s cluster.
2. The apiserver component is the unified entry point: it exposes the API through which every operation on the cluster is performed, and it is the only component that talks to etcd.
3. The kube-scheduler component does resource scheduling: it assigns Pods to the nodes of the cluster.
4. The kube-controller-manager component runs the controllers that handle deployment, rollback, self-healing and upgrades of our workloads.
II. Deploying the API Server
2.1 Self-signed certificates for the ApiServer
1. cd ~/certs && mkdir kubeapiserver && cd kubeapiserver
2. cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
3. cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
4. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
   This produces ca.pem and ca-key.pem. The key is the root of trust for the whole cluster (it signs the apiserver certificate, every kubelet certificate and, as configured below, the service account tokens), so keep it off the nodes and readable by root only.
5. cat > server-csr.json << EOF
   The hosts list must contain every address at which the apiserver will be reached: all master IPs (and a VIP or load-balancer address if one is used), 127.0.0.1, the in-cluster DNS names of the kubernetes service, and 10.0.0.1, which is the first address of the Service range configured below (--service-cluster-ip-range=10.0.0.0/24) and therefore the ClusterIP of the kubernetes service. Any address missing here will fail TLS verification for clients.
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.3.10",
"192.168.3.11",
"192.168.3.12",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
6. cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
server-csr.json | cfssljson -bare server
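Added example (my code, not the original post's): a small POSIX shell helper that derives the kubernetes service ClusterIP from the Service CIDR (its first host address, 10.0.0.1 for 10.0.0.0/24), renders server-csr.json with that address, 127.0.0.1, the master addresses and the in-cluster DNS names, and, once cfssl has issued server.pem, checks that the certificate actually carries every required SAN. The function names, the master addresses passed as arguments and the use of openssl for the SAN check are my assumptions; the JSON fields mirror the file above.

```sh
#!/bin/sh
# Helpers for building and checking the apiserver server certificate.
# Added example; function names are assumptions, not part of the original guide.

# First host address of a CIDR: the ClusterIP of the "kubernetes" Service,
# which must be a SAN of the apiserver certificate (10.0.0.0/24 -> 10.0.0.1).
svc_api_ip() {
  net=${1%/*}
  bits=${1#*/}
  IFS=. read -r o1 o2 o3 o4 <<EOF
$net
EOF
  ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  first=$(( (ip & mask) + 1 ))
  printf '%d.%d.%d.%d\n' $(( (first >> 24) & 255 )) $(( (first >> 16) & 255 )) \
                         $(( (first >> 8) & 255 )) $(( first & 255 ))
}

# Render server-csr.json: $1 = service CIDR, remaining args = every address
# the apiserver will be reached at (master IPs, plus a VIP/LB address if any).
render_server_csr() {
  cidr=$1
  shift
  printf '{\n  "CN": "kubernetes",\n  "hosts": [\n'
  for h in "$(svc_api_ip "$cidr")" 127.0.0.1 "$@" \
           kubernetes kubernetes.default kubernetes.default.svc \
           kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local; do
    printf '    "%s",\n' "$h"
  done | sed '$s/,$//'           # drop the comma after the last host
  printf '  ],\n  "key": { "algo": "rsa", "size": 2048 },\n'
  printf '  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]\n}\n'
}

# After "cfssl gencert ... | cfssljson -bare server": verify that every name in
# $2.. appears in the certificate's subjectAltName (needs openssl). A missing
# SAN means clients using that address fail TLS verification, which is what
# tempts people into --insecure-skip-tls-verify.
check_cert_sans() {
  cert=$1
  shift
  san=$(openssl x509 -in "$cert" -noout -text | sed -n '/Subject Alternative Name/{n;p;}')
  san=$(printf '%s,' "$san" | tr -d ' ')   # "IPAddress:10.0.0.1,DNS:kubernetes,...,"
  rc=0
  for n in "$@"; do
    case "$san" in
      *":$n,"*) ;;
      *) echo "missing SAN: $n" >&2; rc=1 ;;
    esac
  done
  return $rc
}
```

Usage on the master from 2.1: `render_server_csr 10.0.0.0/24 192.168.3.10 192.168.3.11 192.168.3.12 > server-csr.json`, run the cfssl command above, then `check_cert_sans server.pem 10.0.0.1 192.168.3.10 kubernetes.default.svc.cluster.local` before copying the certificate anywhere.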
2.2 Creating the directories and downloading and unpacking the kubernetes package
1. cd /sw
2. wget https://dl.k8s.io/v1.18.20/kubernetes-server-linux-amd64.tar.gz
3. tar zvxf kubernetes-server-linux-amd64.tar.gz
4. mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
5. cp kubernetes/server/bin/{kube-apiserver,kube-scheduler,kube-controller-manager} \
/opt/kubernetes/bin
6. cp kubernetes/server/bin/{kubelet,kubectl} /usr/bin/
7. cp ~/certs/kubeapiserver/{ca*pem,server*pem} /opt/kubernetes/ssl/
8. cd /opt/kubernetes/cfg/ && head -c 16 /dev/urandom | od -An -t x | tr -d ' '
   This prints 16 random bytes as 32 hex characters; that string is the bootstrap token a kubelet presents when it first joins the cluster (TLS bootstrapping).
9. cat > token.csv <<EOF
<the token string generated above>,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
   The format is token,user name,user id,"groups". The file is a static credential: whoever holds the token can authenticate to the apiserver as kubelet-bootstrap, so keep it readable by root only (chmod 600 token.csv) and rotate it once the nodes have joined.
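Added example, not part of the original guide: the token generation of step 8 and the token.csv of step 9 wrapped in functions, plus a checker to run before the apiserver is pointed at the file. The checker validates the token,user,uid,"groups" layout that --token-auth-file expects, a 32-lowercase-hex-character token (what step 8 produces), a numeric uid, and a file mode of 0600, since the file is a long-lived static credential. The function names are my assumptions; the malformed sample file in the usage is constructed.

```sh
#!/bin/sh
# Bootstrap token helpers. Added example; function names are assumptions.

# Same generator as step 8: 16 random bytes rendered as 32 hex characters.
gen_bootstrap_token() {
  head -c 16 /dev/urandom | od -An -t x | tr -d ' \n'
}

# Write token.csv in the --token-auth-file format:  token,user,uid,"group1,group2"
# $1 = destination file, $2 = token (generated when omitted). Prints the token.
write_token_csv() {
  dest=$1
  tok=${2:-$(gen_bootstrap_token)}
  # create the file owner-only from the start (umask in a subshell so the
  # caller's umask is untouched); chmod covers a pre-existing, wider file
  ( umask 077; printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$tok" > "$dest" )
  chmod 600 "$dest"
  printf '%s\n' "$tok"
}

# Validate a token file: 0 if every line is well-formed and the file is not
# readable by group/others; the first problem found is printed to stderr.
check_token_csv() {
  f=$1
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "$f: mode $mode, expected 600 (static credential)" >&2; return 1 ;;
  esac
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    tok=${line%%,*}
    rest=${line#*,}
    user=${rest%%,*}
    rest=${rest#*,}
    uid=${rest%%,*}
    case "$tok" in
      ''|*[!0-9a-f]*) echo "$f:$n: token is not lowercase hex" >&2; return 1 ;;
    esac
    [ ${#tok} -eq 32 ] || { echo "$f:$n: token length ${#tok}, expected 32" >&2; return 1; }
    [ -n "$user" ] || { echo "$f:$n: empty user name" >&2; return 1; }
    case "$uid" in
      ''|*[!0-9]*) echo "$f:$n: uid '$uid' is not numeric" >&2; return 1 ;;
    esac
  done < "$f"
  [ "$n" -gt 0 ] || { echo "$f: no tokens" >&2; return 1; }
}
```

On the master: `write_token_csv /opt/kubernetes/cfg/token.csv` prints the token you will hand to the kubelets in the next part, and `check_token_csv /opt/kubernetes/cfg/token.csv` is worth adding to whatever script restarts kube-apiserver, since a mangled line is only reported when a kubelet fails to bootstrap.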
2.3 Creating the apiserver configuration file
The explanation of each flag is given after the file, not inside it. systemd reads this file as an EnvironmentFile and the option string is one double-quoted value: the unquoted heredoc removes each backslash-newline pair, which is harmless, but a "\ ##comment" after a flag is not a line continuation, and both the backslash and the comment text are handed to kube-apiserver as extra arguments, so the service refuses to start.
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.3.10:2379,https://192.168.3.11:2379,https://192.168.3.12:2379 \
--bind-address=192.168.3.10 \
--secure-port=6443 \
--advertise-address=192.168.3.10 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/etcd.pem \
--etcd-keyfile=/opt/etcd/ssl/etcd-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
What the flags do:
- --logtostderr=true, --v=4, --log-dir: log at verbosity 4 to stderr, i.e. into journald/syslog. While --logtostderr is true, --log-dir is ignored, which is why the troubleshooting step below greps /var/log/messages rather than /opt/kubernetes/logs.
- --etcd-servers: the etcd cluster endpoints; --etcd-cafile, --etcd-certfile and --etcd-keyfile are the client certificate from the etcd part of this series, used to authenticate to etcd over TLS.
- --bind-address and --secure-port=6443: the address and HTTPS port the API is served on; --advertise-address: the address announced to the rest of the cluster.
- --allow-privileged=true: allow privileged containers (kube-proxy and most network plugins need them). This is not an authorization setting.
- --service-cluster-ip-range: the virtual IP range for Services; --service-node-port-range: the port range allocated to NodePort Services.
- --enable-admission-plugins: NodeRestriction limits each kubelet to modifying its own Node object and the Pods bound to it, complementing the Node authorizer.
- --authorization-mode=RBAC,Node: enable RBAC authorization and the Node authorizer (kubelet self-management).
- --enable-bootstrap-token-auth=true and --token-auth-file: enable TLS bootstrapping for kubelets, using the token.csv from 2.2.
- --kubelet-client-certificate and --kubelet-client-key: the client certificate the apiserver presents to kubelets (for logs and exec). The server certificate is reused here; that works because its profile includes the "client auth" usage.
- --tls-cert-file and --tls-private-key-file: the HTTPS certificate of the apiserver; --client-ca-file: the CA against which client certificates are verified.
- --service-account-key-file: the key used to verify service account tokens. Here it is the cluster CA key, and kube-controller-manager signs tokens with the same key in 3.1; a dedicated key pair for service accounts means a leaked token-signing key is not also a CA key.
- --audit-log-*: path and rotation of the audit log. Without an --audit-policy-file no audit events are recorded at all, so as written the file stays empty; add a policy file to get an audit trail.
2.4 Creating the apiserver service unit file
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
2.5 Starting the service and enabling it at boot
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
systemctl status kube-apiserver   (check that it started successfully)
//If it does not start, run cat /var/log/messages|grep kube-apiserver|grep -i error (or journalctl -u kube-apiserver) to find the error
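Added example (my code, not the guide's): a lint for kube-apiserver.conf to run before systemctl start. It splits the quoted option string into one argument per line, the way systemd hands them to the binary, so a backslash followed by "##..." text inside the string (which is not a line continuation and becomes two extra arguments) shows up as a "non-flag argument" error. It then checks the settings this cluster's security rests on: RBAC and the Node authorizer enabled, NodeRestriction admitted, bootstrap-token authentication on, every certificate, key and token path readable, and an audit policy present whenever an audit log path is set. Function names are my assumptions; the sample files in the usage are constructed.

```sh
#!/bin/sh
# Lint for /opt/kubernetes/cfg/kube-apiserver.conf. Added example; names are assumptions.

# Print the option string of a KUBE_*_OPTS="..." file one argument per line,
# accepting both the multi-line form (trailing "\") and the single-line form
# an unquoted heredoc produces.
kube_opts_args() {
  sed -e 's/^[A-Z_]*="//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*\\$//' "$1" \
    | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Value of --name from an argument list on stdin (empty when absent).
flag_value() {
  sed -n "s/^--$1=//p"
}

# $1 = comma-separated list, $2 = item: true when the list contains the item.
list_has() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

lint_apiserver_conf() {
  f=$1
  rc=0
  args=$(kube_opts_args "$f")

  # Anything that is not a --flag is passed to the binary verbatim; a stray
  # "\" or "##comment" here is the usual reason the service will not start.
  stray=$(printf '%s\n' "$args" | grep -v '^--' || true)
  if [ -n "$stray" ]; then
    echo "ERROR: non-flag arguments in $f: $(printf '%s' "$stray" | tr '\n' ' ')" >&2
    rc=1
  fi

  authz=$(printf '%s\n' "$args" | flag_value authorization-mode)
  list_has "$authz" RBAC || { echo "ERROR: --authorization-mode lacks RBAC" >&2; rc=1; }
  list_has "$authz" Node || { echo "ERROR: --authorization-mode lacks Node" >&2; rc=1; }

  adm=$(printf '%s\n' "$args" | flag_value enable-admission-plugins)
  list_has "$adm" NodeRestriction \
    || { echo "ERROR: NodeRestriction missing from --enable-admission-plugins" >&2; rc=1; }

  [ "$(printf '%s\n' "$args" | flag_value enable-bootstrap-token-auth)" = true ] \
    || { echo "ERROR: --enable-bootstrap-token-auth is not true" >&2; rc=1; }

  # Every certificate, key, CA and token path must be readable, or the
  # apiserver exits at startup.
  for p in $(printf '%s\n' "$args" \
             | grep -E '^--[a-z-]*(cert|key|ca-file|cafile|auth-file)[a-z-]*=' \
             | sed 's/^[^=]*=//'); do
    [ -r "$p" ] || { echo "ERROR: $p is referenced but not readable" >&2; rc=1; }
  done

  # An audit log path without a policy file records nothing.
  if [ -n "$(printf '%s\n' "$args" | flag_value audit-log-path)" ] \
     && [ -z "$(printf '%s\n' "$args" | flag_value audit-policy-file)" ]; then
    echo "WARN: --audit-log-path set but no --audit-policy-file; no events will be written" >&2
  fi
  return $rc
}
```

Usage: `lint_apiserver_conf /opt/kubernetes/cfg/kube-apiserver.conf && systemctl restart kube-apiserver`. kube_opts_args works on the controller-manager and scheduler files too, since they use the same KUBE_*_OPTS layout.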
III. Deploying kube-controller-manager
3.1 Creating the configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager.conf<< EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"
EOF
Notes on the flags:
- --master=127.0.0.1:8080: the controller manager talks to the apiserver over its insecure localhost port, which kube-apiserver v1.18 still opens by default (--insecure-port=8080, bound to 127.0.0.1). Requests on that port are neither authenticated nor authorized, which is why no --kubeconfig is needed here and why the port must never be bound to a routable address. The insecure port has since been deprecated and removed; on newer releases the controller manager must present a kubeconfig over port 6443 instead.
- --leader-elect=true: needed when more than one controller manager runs; only the elected leader acts.
- --cluster-signing-cert-file and --cluster-signing-key-file: the CA used to sign the kubelet CSRs issued during TLS bootstrapping. --experimental-cluster-signing-duration=87600h gives every node certificate a ten-year lifetime; a short duration combined with kubelet certificate rotation limits what a stolen node key is worth.
- --root-ca-file: the CA placed into every service account token secret; --service-account-private-key-file: the key that signs service account tokens, which must be the private half of the --service-account-key-file given to the apiserver (both point at the CA key here).
3.2 Creating the service unit file
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
3.3 Starting the service and enabling it at boot
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
systemctl status kube-controller-manager
IV. Deploying kube-scheduler
4.1 Creating the configuration file
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--master=127.0.0.1:8080"
EOF
As with the controller manager, --master=127.0.0.1:8080 uses the apiserver's unauthenticated loopback port, so no kubeconfig is needed, and --leader-elect makes it safe to run the scheduler on several masters.
4.2 Creating the service unit file
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
4.3 Starting the service and enabling it at boot
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
systemctl status kube-scheduler   (check that it started successfully)
//If it does not start, run cat /var/log/messages|grep kube-scheduler|grep -i error to find the error
V. Summary
5.1 Checking component status
- kubectl get cs
- (kubectl needs no kubeconfig here: with none configured it defaults to http://localhost:8080, the apiserver's insecure port.)
- From the output (shown as a screenshot in the original post) we can see that the master's etcd, apiserver, controller manager and scheduler have all been deployed successfully.
- Next we deploy the worker (Node) nodes.
- Corrections are welcome; I hope this helps.
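Added example, not from the original post: two checks to run on the master after kubectl get cs. The first queries the API over TLS with the CA from 2.1, so a wrong SAN or a swapped certificate is caught now rather than worked around later with --insecure-skip-tls-verify (curl is assumed to be installed). The second parses ss -Hltn output and fails if the insecure port that kube-controller-manager and kube-scheduler rely on (8080, sections 3.1 and 4.1) is listening on anything but loopback: that port answers without authentication, so exposing it on a routable address hands out full cluster control. Function names are my assumptions; the sample ss lines in the usage are constructed.

```sh
#!/bin/sh
# Post-deployment checks for the master. Added example; names are assumptions.

# Health check over the authenticated, CA-verified port.
# $1 = apiserver address (e.g. 192.168.3.10), $2 = CA file (/opt/kubernetes/ssl/ca.pem)
apiserver_healthz() {
  curl -sS --cacert "$2" "https://$1:6443/healthz" && echo
}

# Read `ss -Hltn` output on stdin and print every listener on port $1 that is
# not bound to loopback; exit status 0 = exposed, 1 = loopback-only or absent.
# Handles "127.0.0.1:8080", "0.0.0.0:8080", "[::1]:8080" and the older "*:8080".
insecure_port_exposed() {
  awk -v port="$1" '
    {
      n = split($4, parts, ":")    # column 4 is Local Address:Port; port follows the last ":"
      lport = parts[n]
      addr = substr($4, 1, length($4) - length(lport) - 1)
    }
    lport == port && addr != "127.0.0.1" && addr != "[::1]" { exposed = 1; print $4 }
    END { exit (exposed ? 0 : 1) }'
}

# Live wrapper: fails loudly when 8080 is reachable beyond the host itself.
check_insecure_port() {
  if ss -Hltn | insecure_port_exposed 8080; then
    echo "port 8080 (unauthenticated API) is listening beyond loopback" >&2
    return 1
  fi
}
```

Usage on the master: `apiserver_healthz 192.168.3.10 /opt/kubernetes/ssl/ca.pem` should print ok, and `check_insecure_port` should print nothing and return 0.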