After starting etcd, start the API server with the following bash command:
sudo docker run --rm -it --name kube-apiserver \
--network host \
-v /etc/kubernetes/pki:/etc/kubernetes/pki \
registry.aliyuncs.com/google_containers/kube-apiserver:v1.28.2 \
kube-apiserver \
--advertise-address=100.64.158.0 \
--allow-privileged=true \
--authorization-mode=Node,RBAC \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--enable-admission-plugins=NodeRestriction \
--enable-bootstrap-token-auth=true \
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt \
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key \
--etcd-servers=https://127.0.0.1:2379 \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt \
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key \
--requestheader-allowed-names=front-proxy-client \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--runtime-config=api/all=true \
--secure-port=6443 \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-cluster-ip-range=10.96.0.0/12 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key
The following error appeared: kube-apiserver could not communicate with etcd and reported authentication handshake failed: EOF.
Checking the etcd port shows that etcd is listening on 127.0.0.1:2379, yet kube-apiserver still cannot reach it. This points to a certificate or configuration problem.
sudo netstat -tulnp | grep 2379
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 14343/etcd
The etcd log also shows it running normally:
sudo journalctl -u etcd -e
Running sudo ls -l /etc/kubernetes/pki/ shows that the directory is empty, which means no keys have been configured for either etcd or the apiserver.
Generating the certificates and keys
Four key pairs need to be generated in total:
- "ca.crt" and "ca.key": the CA certificate and key, used to sign the other certificates
- "server.crt" and "server.key": the etcd server certificate and key
- "peer.crt" and "peer.key": the certificate and key etcd members use to talk to each other
- "healthcheck-client.crt" and "healthcheck-client.key": the client certificate used for health checks
OpenSSL is an open-source cryptographic toolkit that provides command-line tools for generating and managing digital certificates.
Generating the CA certificate
sudo openssl genrsa -out /etc/kubernetes/pki/etcd/ca.key 2048
sudo openssl req -x509 -new -nodes -key /etc/kubernetes/pki/etcd/ca.key -subj "/CN=etcd-ca" -days 10000 -out /etc/kubernetes/pki/etcd/ca.crt
The remaining private key generation, CSR creation and certificate signing all follow the pattern below (shown here for the etcd server certificate):
sudo openssl genrsa -out /etc/kubernetes/pki/etcd/server.key 2048
sudo openssl req -new -key /etc/kubernetes/pki/etcd/server.key -subj "/CN=etcd" -out /etc/kubernetes/pki/etcd/server.csr
sudo openssl x509 -req -in /etc/kubernetes/pki/etcd/server.csr -CA /etc/kubernetes/pki/etcd/ca.crt -CAkey /etc/kubernetes/pki/etcd/ca.key -CAcreateserial -out /etc/kubernetes/pki/etcd/server.crt -days 10000 -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
Set permissions: every .key file in the directory gets mode 600. Mode 600 means the file owner can read and write it and no other user has access; private keys are the most sensitive files, so access to them must be tightly restricted. Use chown to set the owner and group of every .key file under /etc/kubernetes/pki/etcd to etcd, because the etcd service must be able to read these private keys.
Every .crt file in the directory gets mode 644. Mode 644 means the owner can read and write it and other users can read it; certificates are public and may be read by other programs.
sudo chmod 600 /etc/kubernetes/pki/etcd/*.key
sudo chown etcd:etcd /etc/kubernetes/pki/etcd/*.key
sudo chmod 644 /etc/kubernetes/pki/etcd/*.crt
sudo chown etcd:etcd /etc/kubernetes/pki/etcd/*.crt
Then, on running the command to restart etcd, the following error appeared:
"subjectAltName=DNS:localhost,IP:127.0.0.1")
error loading the config file '/dev/fd/63"
This error is most likely caused by passing an anonymous file descriptor (/dev/fd/63, created by the process substitution) on the command line. Write the extension configuration to a real file with the command below, then re-run the certificate and key generation above, pointing -extfile at that file instead.
echo "subjectAltName=DNS:localhost,IP:127.0.0.1" | sudo tee /etc/kubernetes/pki/etcd/ext.cnf > /dev/null
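Added example, not code from the original post: a POSIX sh script that carries the procedure above through all four key pairs the post lists (CA, server, peer, healthcheck-client), uses an on-disk ext.cnf for the SANs instead of the process substitution that produced the /dev/fd/63 error, applies the 600/644 modes, and checks the result. It writes into a directory passed as its argument rather than /etc/kubernetes/pki/etcd, so it needs no sudo and leaves the chown to the etcd user as a separate step; the CNs etcd-peer and etcd-healthcheck-client are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the four etcd key pairs
# into the directory given as $1 instead of /etc/kubernetes/pki/etcd, using an
# ext file for the SANs rather than the <(printf ...) substitution that fails
# under sudo with "error loading the config file '/dev/fd/63'".
set -eu

# Create a key and CSR for $2 with CN=$3 and sign it with the CA in $1;
# $4 is an optional extension file (SANs for the server and peer certs).
sign_cert() {
  dir=$1; name=$2; cn=$3; ext=$4
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr"
  if [ -n "$ext" ]; then extopt="-extfile $ext"; else extopt=""; fi
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 10000 $extopt -out "$dir/$name.crt" 2>/dev/null
  rm -f "$dir/$name.csr"
}

gen_etcd_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -subj "/CN=etcd-ca" \
    -days 10000 -out "$dir/ca.crt"
  # SAN list written to a real file: the fix the post applies for /dev/fd/63
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$dir/ext.cnf"
  sign_cert "$dir" server etcd "$dir/ext.cnf"
  sign_cert "$dir" peer etcd-peer "$dir/ext.cnf"              # CN assumed
  sign_cert "$dir" healthcheck-client etcd-healthcheck-client ""  # CN assumed
  chmod 600 "$dir"/*.key   # private keys: owner only
  chmod 644 "$dir"/*.crt   # certificates are public
}

# Return 0 when every cert chains to ca.crt, the server cert carries the
# 127.0.0.1 SAN that the apiserver's --etcd-servers URL needs, and every
# key is mode 600 (the ls column check works on both GNU and BSD ls).
verify_etcd_pki() {
  dir=$1
  for n in server peer healthcheck-client; do
    openssl verify -CAfile "$dir/ca.crt" "$dir/$n.crt" >/dev/null 2>&1 || return 1
  done
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'IP Address:127.0.0.1' || return 1
  for k in "$dir"/*.key; do
    [ "$(ls -l "$k" | cut -c1-10)" = "-rw-------" ] || return 1
  done
  return 0
}
```

Because the etcd.conf below sets ETCD_CLIENT_CERT_AUTH="true" with ETCD_TRUSTED_CA_FILE pointing at this ca.crt, every client, including the apiserver's --etcd-certfile/--etcd-keyfile pair, must present a certificate signed by this same CA, or the TLS handshake fails exactly as in the error above.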
Updating the etcd.conf file
The default etcd configuration file is /etc/etcd/etcd.conf, and most of its settings are commented out. Uncomment the relevant lines and set them as follows:
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
ETCD_LISTEN_PEER_URLS="https://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="https://localhost:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://localhost:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
ETCD_INITIAL_CLUSTER="default=https://localhost:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_STRICT_RECONFIG_CHECK="true"
ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
ETCD_CERT_FILE="/etc/kubernetes/pki/etcd/server.crt"
ETCD_KEY_FILE="/etc/kubernetes/pki/etcd/server.key"
ETCD_TRUSTED_CA_FILE="/etc/kubernetes/pki/etcd/ca.crt"
ETCD_PEER_CERT_FILE="/etc/kubernetes/pki/etcd/peer.crt"
ETCD_PEER_KEY_FILE="/etc/kubernetes/pki/etcd/peer.key"
ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/pki/etcd/ca.crt"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_AUTO_TLS="false"
ETCD_PEER_AUTO_TLS="false"
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"
Then restart etcd.