1.集群规划
主机名 | 角色 | ip |
h134 | kube-apiserver | 192.168.146.134 |
h135 | kube-apiserver | 192.168.146.135 |
h132 | 4层负载 | 192.168.146.132 |
h133 | 4层负载 | 192.168.146.133 |
PS:在h132、h133上用nginx进行4层代理,并用keepalived启动一个vip:192.168.146.130,用以
代理两个kube-apiserver
2.部署
对象主机:h134,h135(以h134为例)
软件:github的k8s项目下下载,版本1.18.20
server binary下的
kubernetes-server-linux-amd64.tar.gz
2.1
cd /opt/src
tar xf kubernetes-server-linux-amd64 -C /opt
mv kubernetes kubernetes-v1.18.20
ln -s kubernetes-v1.18.20 kubernetes
####删去多余项
rm -rf /opt/kubernets/kubernetes-src.tar.gz
cd /opt/kubernetes/server/bin
rm -rf *_tag
rm -rf *.tar
2.2 签发证书
2.2.1 client证书
对象主机:在h136上生成
PS: 该证书是apiserver与etcd集群通信时所用的证书,该场景下api-server为客户端,etcd集群为服务端
vim /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
签发
cd /opt/certs
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssl-json -bare client
生成如下4个文件
2.2.2 kube-apiserver证书签发
对象主机:在h136上生成
PS:该证书用于其他程序向apiserver发起的连接 进行证书认证时用
vim /opt/certs/apiserver-csr.json
PS:192.168.146.2-为网关
192.168.146.130-为vip(h132、h133)
192.168.146.150-为有可能连入apiserver的预留ip
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.146.2",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"192.168.146.130",
"192.168.146.134",
"192.168.146.135",
"192.168.146.150"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
cd /opt/certs
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssl-json -bare apiserver
2.2.3 拉取证书
主机:h134,h135
mkdir /opt/kubernetes/server/bin/cert
cd /opt/kubernetes/server/bin/cert
scp h136:/opt/certs/apiserver-key.pem .
scp h136:/opt/certs/apiserver.pem .
scp h136:/opt/certs/ca-key.pem .
scp h136:/opt/certs/ca.pem .
scp h136:/opt/certs/client-key.pem .
scp h136:/opt/certs/client.pem .
2.3 k8s
2.3.1 kubernetes配置文件
主机:h134 (h135省略展示)
审计配置文件,给k8s做日志审计用,api-server启动时必带的配置
vim /opt/kubernetes.server/bin/conf/audit.yaml
apiVersion: audit.k8s.io/v1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
2.3.2 配置一个apiserver的启动脚本
vim /opt/kubernetes/server/bin/kube-apiserver.sh
#! /bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://192.168.146.133:2379,https://192.168.146.134:2379,https://192.168.146.135:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
创建上面脚本中的一些目录
mkdir -p /data/logs/kubernetes/kube-apiserver/
chmod u+x kube-apiserver.sh
2.3.3 创建apiserver的后端服务
vim /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-h134]
command=/opt/kubernetes/server/bin/kube-apiserver.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/kube-apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false