制作apiserver证书(master操作)
cd ~/TLS/k8s
#添加证书配置
cat > ca-config.json<< EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
#ca-k8s证书文件
cat > ca-csr.json<< EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
#生成证书文件
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#添加api证书配置文件
cat > server-csr.json<< EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"172.22.213.49",
"172.22.213.52",
"172.22.213.53",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
#基于模板生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#查看生成的证书文件
[root@master]# ls server*.pem
server-key.pem server.pem
部署Master机器
#下载地址 https://dl.k8s.io/v1.18.3/kubernetes-server-linux-amd64.tar.gz
#创建工作目录
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
#解压
tar zxvf kubernetes-server-linux-amd64.tar.gz
#拷贝master节点所需组件的二进制文件
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
#拷贝kubectl管理工具
cp kubectl /usr/bin/
#拷贝证书文件
cp ~/TLS/k8s/*.pem /opt/kubernetes/ssl/
部署kube-apiserver
#部署kube-apiserver
#创建配置文件 IP地址要和前面创建的Etcd相对应
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://172.22.213.49:2379,https://172.22.213.52:2379,https://172.22.213.53:2379 \\
--bind-address=0.0.0.0 \\
--secure-port=6443 \\
--advertise-address=172.22.213.49 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
#参数说明
--logtostderr: #启用日志,支持日志输出
--v #日志等级
--log-dir #指定日志输出目录
--etcd-servers #etcd 集群地址
--bind-address #监听地址,当前地址
--secure-port #https 安全端口 (默认6443)
--advertise-address #集群通告地址
--allow-privileged #启用授权,运行docker使用特权模式
--service-cluster-ip-range #Service 虚拟 IP 地址段
--enable-admission-plugins #准入控制模块
--authorization-mode #认证授权,启用 RBAC 授权和节点自管理
--enable-bootstrap-token-auth #启用 TLS bootstrap 机制
#这里开启这个机制的作用,如果后续有新的节点加入,会自动帮忙授权,只要加入到对应的组中
--token-auth-file #bootstrap token 文件
--service-node-port-range #Service nodeport 类型默认分配端口范围
--kubelet-client-xxx #apiserver 访问 kubelet 客户端证书
--tls-xxx-file #apiserver https 证书
--etcd-xxxfile #连接 Etcd 集群证书
--audit-log-xxx #审计日志
#创建token文件(也可以自己生成,替换)
#格式:token,用户名,UID,用户组
head -c 16 /dev/urandom | od -An -t x | tr -d ' ' #用户名
cat > /opt/kubernetes/cfg/token.csv << EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:nodebootstrapper"
EOF
#将api添加到systemd
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#启动API服务
systemctl daemon-reload
systemctl start kube-scheduler && systemctl enable kube-scheduler#启动并开机自启
systemctl is-active kube-scheduler #检查服务状态
#授权 kubelet-bootstrap 用户允许请求证书
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
#Result
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
部署 kube-controller-manager
#部署 kube-controller-manager
#创建配置文件
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
#参数说明
--master #通过本地非安全本地端口 8080 连接 apiserver。
--leader-elect #当该组件启动多个时,自动选举(HA)
--cluster-signing-cert-file #ca证书文件
--cluster-signing-key-file #ca证书私钥
#自动为 kubelet 颁发证书的 CA,与 apiserver 保持一致
#添加到systemd管理
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#启动Controller服务
systemctl daemon-reload
#启动并开机自启
systemctl start kube-controller-manager && systemctl enable kube-controller-manager
systemctl is-active kube-controller-manager #检查服务状态
部署kube-scheduler
#部署kube-scheduler
#创建配置文件
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
EOF
#参数说明
--master #通过本地非安全本地端口 8080 连接 apiserver。
--leader-elect #当该组件启动多个时,自动选举(HA)
#添加到systemd管理
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#启动Scheduler服务
systemctl daemon-reload
systemctl start kube-scheduler && systemctl enable kube-scheduler#启动并开机自启
systemctl is-active kube-scheduler #检查服务状态
查看集群状态
#服务正常
[root@master cfg]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}