Kubernetes cluster setup (binary method), part 2: deploying kube-apiserver on the master
Components on the master
- etcd: storage (already installed)
- kube-apiserver: entry point of the k8s cluster (installed in this part)
- kube-controller-manager: controller component
- kube-scheduler: scheduling component
Now install kube-apiserver. All of the following commands run on the master. The server tarball also contains the node components, so once they are prepared they can simply be copied to the node machines.
1. Generate the kube-apiserver certificate
Every node exchanges information with the cluster through kube-apiserver, so the apiserver certificate is what the nodes authenticate against; certificates are issued and distributed when node machines are added.
(1) Self-signed certificate authority (CA)
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "L": "Beijing",
    "ST": "Beijing",
    "O": "k8s",
    "OU": "System"
  }]
}
EOF
(2) Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
(3) Issue the kube-apiserver HTTPS certificate with the self-signed CA
Create the certificate signing request file:
cat > server-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "172.21.32.17",
    "172.21.32.15",
    "172.21.32.16",
    "172.21.32.18",
    "172.21.32.19",
    "172.21.32.11",
    "172.21.32.12",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "L": "BeiJing",
    "ST": "BeiJing",
    "O": "k8s",
    "OU": "System"
  }]
}
EOF
Note: a few spare IPs can be added to hosts in advance, reserved for nodes that will be added later.
(4) Generate the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2. Download the binaries
Download page: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1183
There are many packages on that page; the server package is the one needed.
cd /data/src
wget https://dl.k8s.io/v1.19.8/kubernetes-server-linux-amd64.tar.gz
3. Unpack the tarball and copy the binaries into place
# Create the k8s working directories
mkdir -p /data/kubernetes/{bin,cfg,ssl,logs}
# Unpack the tarball
tar xf kubernetes-server-linux-amd64.tar.gz
# Copy the binaries into the corresponding directories
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /data/kubernetes/bin
cp kubectl /usr/bin
4. Create the kube-apiserver configuration file
cat > /data/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/data/kubernetes/logs \\
--etcd-servers=https://172.21.32.17:2379,https://172.21.32.15:2379 \\
--bind-address=172.21.32.17 \\
--secure-port=6443 \\
--advertise-address=172.21.32.17 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/data/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/data/kubernetes/ssl/server.pem \\
--kubelet-client-key=/data/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/data/kubernetes/ssl/server.pem \\
--tls-private-key-file=/data/kubernetes/ssl/server-key.pem \\
--client-ca-file=/data/kubernetes/ssl/ca.pem \\
--service-account-key-file=/data/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/data/etcd/ssl/ca.pem \\
--etcd-certfile=/data/etcd/ssl/server.pem \\
--etcd-keyfile=/data/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/data/kubernetes/logs/k8s-audit.log"
EOF
Note: in the `\\` above, the first backslash is an escape character and the second is the line-continuation backslash; the escape is needed so that the unquoted EOF heredoc preserves the continuation backslash in the written file.
--logtostderr: enable logging
--v: log level
--log-dir: log directory
--etcd-servers: etcd cluster addresses
--bind-address: listen address; note that this is a specific node IP, not 0.0.0.0
--secure-port: HTTPS secure port
--advertise-address: address announced to the cluster
--allow-privileged: allow privileged containers
--service-cluster-ip-range: virtual IP range for Services
--enable-admission-plugins: admission control modules
--authorization-mode: authentication and authorization; enables RBAC authorization and node self-management
--enable-bootstrap-token-auth: enable the TLS bootstrap mechanism
--token-auth-file: bootstrap token file
--service-node-port-range: default port range allocated to NodePort Services
--kubelet-client-xxx: client certificate used by the apiserver to access the kubelet
--tls-xxx-file: apiserver HTTPS certificate
--etcd-xxxfile: certificates for connecting to the etcd cluster
--audit-log-xxx: audit log
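The options above and the CSR hosts list from step 1 have to agree: the bind and advertise addresses and the first IP of the service range (the address of the kubernetes service) must all be SANs of server.pem, and the RBAC/Node authorization modes together with the NodeRestriction admission plugin are what keep a kubelet from acting beyond its own node. The script below is an added example, not code from the original post: it parses a kube-apiserver.conf in the layout above together with server-csr.json, reports each inconsistency, and runs against constructed copies of the two files whose values mirror the post. The helper names and the set of checks are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a kube-apiserver.conf in the
# layout used above (KUBE_APISERVER_OPTS="...", one --flag=value per line) and
# cross-check it against the "hosts" list of server-csr.json from step 1.
# The sample files written by write_samples are constructed to mirror the post.

# Print the value of --$2 from options file $1 (first occurrence; empty if absent).
# A value ends at a space, the continuation backslash or the closing quote.
get_opt() {
  grep -o -- "--$2=[^ \\\"]*" "$1" | head -n 1 | cut -d= -f2-
}

# Print the entries of the "hosts" array of a cfssl CSR file, one per line.
# Assumes the multi-line layout used in the post (one entry per line).
csr_hosts() {
  sed -n '/"hosts"/,/]/p' "$1" | grep -o '"[^"]*"' | tr -d '"' | grep -v '^hosts$'
}

# First usable IP of the service range, taken by the "kubernetes" service
# (10.0.0.0/24 -> 10.0.0.1). Assumes an IPv4 range not ending in .255.
first_service_ip() {
  net=${1%/*}
  echo "${net%.*}.$(( ${net##*.} + 1 ))"
}

# Return 0 if newline-separated list $1 contains the exact line $2.
list_has() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

report_fail() {
  echo "FAIL: $1"
  problems=$((problems + 1))
}

# Lint options file $1 against CSR file $2. Prints one FAIL line per finding and
# returns 1 if there is any, 0 when the two files are consistent and sane.
check_apiserver() {
  conf=$1; csr=$2; problems=0

  bind=$(get_opt "$conf" bind-address)
  case "$bind" in
    ""|0.0.0.0) report_fail "--bind-address must be the node's own IP, not '${bind:-unset}'" ;;
  esac

  authz=$(get_opt "$conf" authorization-mode)
  case ",$authz," in *,RBAC,*) ;; *) report_fail "--authorization-mode lacks RBAC (got '$authz')" ;; esac
  case ",$authz," in *,Node,*) ;; *) report_fail "--authorization-mode lacks Node (got '$authz')" ;; esac

  plugins=$(get_opt "$conf" enable-admission-plugins)
  case ",$plugins," in *,NodeRestriction,*) ;; *) report_fail "NodeRestriction admission plugin not enabled" ;; esac

  [ -n "$(get_opt "$conf" audit-log-path)" ] || report_fail "--audit-log-path not set, API audit log is off"

  # Every address the apiserver is reached at must be in the cert's hosts list,
  # otherwise kubelets and kubectl fail TLS verification against server.pem.
  range=$(get_opt "$conf" service-cluster-ip-range)
  svc_ip=""
  if [ -n "$range" ]; then svc_ip=$(first_service_ip "$range"); else report_fail "--service-cluster-ip-range not set"; fi
  hosts=$(csr_hosts "$csr")
  for want in "$bind" "$(get_opt "$conf" advertise-address)" "$svc_ip" kubernetes.default.svc.cluster.local; do
    if [ -n "$want" ] && ! list_has "$hosts" "$want"; then
      report_fail "'$want' is missing from the CSR hosts list"
    fi
  done

  [ "$problems" -eq 0 ]
}

# Constructed sample files (values mirror the post) written into directory $1.
write_samples() {
  cat > "$1/kube-apiserver.conf" <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--bind-address=172.21.32.17 \
--secure-port=6443 \
--advertise-address=172.21.32.17 \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--audit-log-path=/data/kubernetes/logs/k8s-audit.log"
EOF
  cat > "$1/server-csr.json" <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "172.21.32.17",
    "kubernetes",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": { "algo": "rsa", "size": 2048 }
}
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_apiserver "$tmp/kube-apiserver.conf" "$tmp/server-csr.json" && echo "OK: options and CSR are consistent"
rm -rf "$tmp"
```

To use it on a real master, call `check_apiserver /data/kubernetes/cfg/kube-apiserver.conf /path/to/server-csr.json` before `systemctl start kube-apiserver`; a missing SAN found here costs one cfssl run now rather than a certificate reissue after the nodes are joined.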
5. Copy the certificates generated earlier
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /data/kubernetes/ssl/
6. Enable the TLS Bootstrapping mechanism
TLS Bootstrapping: once TLS authentication is enabled on the master apiserver, the kubelet and kube-proxy on the nodes must present a valid certificate issued by the CA to communicate with kube-apiserver. With many nodes, issuing these client certificates by hand is a lot of work and also makes scaling the cluster more complex. To simplify the process, Kubernetes introduced the TLS bootstrapping mechanism, which issues client certificates automatically: the kubelet requests a certificate from the apiserver as a low-privilege user, and the kubelet's certificate is signed dynamically by the apiserver.
Create the token file referenced in the configuration above:
cat > /data/kubernetes/cfg/token.csv << EOF
a2349e2c0e7fe38090b402038b47ddff,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
Format: token,username,UID,group
7. Manage apiserver with systemd
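The token in token.csv is a static bearer credential: whoever presents it is authenticated as kubelet-bootstrap and, after step 9, may request node certificates, so the value must be unique to this cluster and the file readable only by root. The script below is an added example, not from the original post: it generates a fresh token, writes the file in the token,username,UID,group format described above (user name, UID, group and file layout taken from the post), and verifies the result. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: create token.csv with a freshly
# generated token instead of one copied from a tutorial. The token is a static
# bearer credential, so it comes from /dev/urandom and the file is written 0600.
# User name, UID and group are the post's; the helper names are assumptions.

# 16 random bytes rendered as 32 lowercase hex characters (same shape as above).
gen_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 if $1 is a well-formed token for this file: exactly 32 hex characters.
valid_token() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Write token.csv at $1 as "token,user,uid,\"group\"" for user $2, uid $3, group $4,
# and print the token so it can be handed to the node-side bootstrap config.
write_token_csv() {
  tok=$(gen_token)
  valid_token "$tok" || return 1
  # umask in a subshell: only this file gets 0600, the caller's umask is untouched
  ( umask 077; printf '%s,%s,%s,"%s"\n' "$tok" "$2" "$3" "$4" > "$1" ) || return 1
  echo "$tok"
}

# Return 0 if token.csv at $1 has one 4-field line, a well-formed token, and no
# group/other permission bits (columns 5-10 of ls -l must all be '-').
token_csv_ok() {
  [ "$(grep -c . "$1")" -eq 1 ] || { echo "token.csv must contain exactly one line"; return 1; }
  line=$(head -n 1 "$1")
  [ "$(printf '%s\n' "$line" | awk -F, '{print NF}')" -eq 4 ] || { echo "expected 4 comma-separated fields"; return 1; }
  valid_token "${line%%,*}" || { echo "token is not 32 hex characters"; return 1; }
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ] || { echo "token.csv is readable by group/others"; return 1; }
}

tmp=$(mktemp -d)
tok=$(write_token_csv "$tmp/token.csv" kubelet-bootstrap 10001 system:node-bootstrapper)
token_csv_ok "$tmp/token.csv" && echo "wrote token.csv, token=$tok"
rm -rf "$tmp"
```

On the master the call is `write_token_csv /data/kubernetes/cfg/token.csv kubelet-bootstrap 10001 system:node-bootstrapper`; the printed token is the value the node-side bootstrap kubeconfig must carry, and changing it later requires restarting kube-apiserver, since the file is read at startup.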
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/data/kubernetes/cfg/kube-apiserver.conf
ExecStart=/data/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
8. Start apiserver
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
systemctl status kube-apiserver
9. Authorize the kubelet-bootstrap user to request certificates
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
Verify that it was created; if the following command returns a line, the binding exists:
kubectl get clusterrolebinding | grep kubelet-bootstrap