!TIP 二进制部署 k8s - 部署 kube-apiserver
转载请注明出处:https://janrs.com/dchk 有任何问题欢迎在底部评论区发言。
!NOTE 每台 master 服务器都要创建。
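# Certificate directories, one per trust domain (apiserver CA, kubelet CA, etcd CA, ...).
# Private keys (*-key.pem) are copied into this tree later, so restrict it to root
# instead of leaving it at whatever the default umask yields.
# (service-account/ stays empty on this page: apiserver.conf signs tokens with the CA key.)
mkdir -p /etc/kubernetes/pki/{apiserver,kubelet,aggregator,service-account,sign,etcd} && \
chmod 700 /etc/kubernetes/pki
# Flag files, kubeconfigs and the cluster-initialisation config files.
mkdir -p /etc/kubernetes/{config,kubeconfig,init_k8s_config}
# Default location kubectl reads its config from.
mkdir -p /root/.kube/
# Component log directories (kube-apiserver's --log-dir and --audit-log-path point here).
mkdir -p /var/log/kubernetes/{apiserver,controller,scheduler}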
!NOTE ca 根证书使用 4096 位 RSA 密钥。创建证书可以在其他地方生成后再上传,设置好对应的 ip 就行。
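# Self-signed root CA for kube-apiserver (4096-bit RSA key, per the note above).
# NOTE(review): no "CN" is given, so the CA subject ends up with an empty common
# name — confirm that is intended before this CA is added to any trust store.
# The delimiter is quoted only to make explicit that nothing here is expanded.
cat > /ssl/apiserver-ca-csr.json <<'EOF'
{
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# cfssljson writes apiserver-ca.pem, apiserver-ca-key.pem and apiserver-ca.csr.
# Without `set -o pipefail` a cfssl failure is hidden behind cfssljson's exit
# status, so the listing is the real success check; -l also shows the mode of
# the -key.pem file, which must not be group/world readable (cfssljson is
# expected to write it 0600 — verify).
cd /ssl/ && \
cfssl gencert -initca apiserver-ca-csr.json | \
cfssljson -bare apiserver-ca - && \
ls -l -- apiserver-ca*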
!NOTE hosts 参数的 ip 需要把 master 节点、HA 节点以及 vip 地址都写进去。
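# Serving certificate for kube-apiserver (--tls-cert-file / --tls-private-key-file).
# "hosts" becomes the SAN list: every name or address a client may use to reach
# the API has to be here — the three masters, the two HA nodes, the VIP, the
# first IP of --service-cluster-ip-range (10.68.0.1, the in-cluster kubernetes
# service) and the cluster DNS names. An address missing here fails TLS
# verification for clients using it. The delimiter is quoted only to make
# explicit that nothing in the JSON is expanded.
cat > /ssl/apiserver-server-csr.json <<'EOF'
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"172.16.222.121",
"172.16.222.122",
"172.16.222.123",
"172.16.222.201",
"172.16.222.202",
"172.16.222.110",
"10.68.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"O": "k8s",
"OU": "System",
"ST": "Beijing"
}
]
}
EOF
# Signed by the apiserver CA created above. ca-config.json is not shown on this
# page (presumably created in an earlier step); its "server" profile must carry
# the serverAuth usage. Without `set -o pipefail` a cfssl failure is masked by
# cfssljson's exit status, so the -l listing is the success check and also
# shows the mode of apiserver-server-key.pem.
cd /ssl/ && \
cfssl gencert -ca=apiserver-ca.pem \
-ca-key=apiserver-ca-key.pem \
-config=ca-config.json \
-profile=server apiserver-server-csr.json | \
cfssljson -bare apiserver-server && \
ls -l -- apiserver-server*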
!NOTE 由于是访问 etcd 的服务,所以要使用 etcd 的 ca 机构签发证书。
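# Client certificate kube-apiserver presents to etcd (--etcd-certfile /
# --etcd-keyfile). A client cert needs no "hosts" entry. The delimiter is quoted
# only to make explicit that nothing in the JSON is expanded.
# NOTE: "OU" is "system" here but "System" in the CA CSRs — harmless unless a
# policy elsewhere matches on the OU string.
cat > /ssl/etcd-apiserver-client-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
# Must be signed by the etcd CA (etcd-ca.pem / etcd-ca-key.pem from the etcd
# section, not shown here), since etcd validates clients against its own CA.
# Without `set -o pipefail` a cfssl failure is masked by cfssljson's exit
# status, so the -l listing is the success check and shows the key file mode.
cd /ssl/ && \
cfssl gencert -ca=etcd-ca.pem \
-ca-key=etcd-ca-key.pem \
-config=ca-config.json \
-profile=client etcd-apiserver-client-csr.json | \
cfssljson -bare etcd-apiserver-client && \
ls -l -- etcd-apiserver-client*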
!NOTE ca 根证书使用 4096 位 RSA 密钥。
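# Separate root CA for the kubelet trust domain (4096-bit RSA key). The file
# name says "scr" rather than "csr"; it is referenced consistently below, so it
# is left as is. NOTE(review): no "CN" is given, so the CA subject has an empty
# common name — confirm that is intended. The delimiter is quoted only to make
# explicit that nothing here is expanded.
cat > /ssl/kubelet-ca-scr.json <<'EOF'
{
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# cfssljson writes kubelet-ca.pem, kubelet-ca-key.pem and kubelet-ca.csr.
# Without `set -o pipefail` a cfssl failure is masked by cfssljson's exit
# status, so the -l listing is the success check; it also shows the mode of
# kubelet-ca-key.pem, which must not be group/world readable.
cd /ssl/ && \
cfssl gencert -initca kubelet-ca-scr.json | \
cfssljson -bare kubelet-ca - && \
ls -l -- kubelet-ca*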
该证书由 kubelet 的 ca 签发机构创建。客户端 client 证书不需要设置 hosts 参数。
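# Client certificate (CN=kubernetes) for kube-apiserver to present to kubelets.
# A client cert needs no "hosts" entry. NOTE(review): the apiserver.conf on this
# page sets no --kubelet-client-certificate/--kubelet-client-key, so this cert
# is presumably wired up in a later section — confirm it is actually used.
# The delimiter is quoted only to make explicit that nothing here is expanded.
cat > /ssl/kubelet-apiserver-client-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
# Signed by the kubelet CA created above (kubelets verify it against
# kubelet-ca.pem). Without `set -o pipefail` a cfssl failure is masked by
# cfssljson's exit status, so the -l listing is the success check and shows
# the key file mode.
cd /ssl/ && \
cfssl gencert -ca=kubelet-ca.pem \
-ca-key=kubelet-ca-key.pem \
-config=ca-config.json \
-profile=client kubelet-apiserver-client-csr.json | \
cfssljson -bare kubelet-apiserver-client && \
ls -l -- kubelet-apiserver-client*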
分发 etcd-ca.pem 证书给 kube-apiserver,分发到 master 节点
# Push the etcd CA certificate to every master; kube-apiserver reads it via
# --etcd-cafile to verify the etcd servers. Only the certificate is copied here,
# never the etcd CA key. Stops at the first failed copy, like an && chain.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /ssl/etcd-ca.pem "root@${master}:/etc/kubernetes/pki/etcd/" || break
done
分发 kube-apiserver 的 ca 根证书,分发到 master 节点
# apiserver-ca*.pem matches apiserver-ca-key.pem as well as apiserver-ca.pem, so
# the CA PRIVATE key lands on every master. This layout needs it there only
# because apiserver.conf signs service-account tokens with the CA key
# (--service-account-signing-key-file); with a dedicated SA key pair the CA key
# could stay off the masters and only the certificate would be copied.
# Stops at the first failed copy, like an && chain.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /ssl/apiserver-ca*.pem "root@${master}:/etc/kubernetes/pki/apiserver/" || break
done
分发 etcd 颁发给 kube-apiserver 的 client 证书,分发到 master 节点
# etcd client certificate and key for kube-apiserver (--etcd-certfile /
# --etcd-keyfile), copied to every master. Stops at the first failed copy.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /ssl/etcd-apiserver-client*.pem "root@${master}:/etc/kubernetes/pki/etcd/" || break
done
分发所有 kube-apiserver 的 server 证书,分发到 master 节点
# Serving certificate and key for kube-apiserver (--tls-cert-file /
# --tls-private-key-file), copied to every master. Stops at the first failed copy.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /ssl/apiserver-server*.pem "root@${master}:/etc/kubernetes/pki/apiserver/" || break
done
分发 kubelet 的 ca 证书,分发到 node 节点
scp /ssl/kubelet-ca*.pem root@172.16.222.231:/etc/kubernetes/pki/kubelet/
分发 kubelet 颁发给 kube-apiserver 的 client 证书,分发到 master 节点
# Client certificate and key that kube-apiserver presents to kubelets, copied to
# every master. The apiserver.conf on this page does not reference these files
# (no --kubelet-client-certificate/--kubelet-client-key); presumably a later
# section does. Stops at the first failed copy.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /ssl/kubelet-apiserver-client*.pem "root@${master}:/etc/kubernetes/pki/kubelet/" || break
done
!NOTE 每台 master 服务器都要下载。
下载
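# Fetch the v1.23.9 server tarball and verify it before anything is unpacked:
# a binary pulled over the network onto a control-plane host needs an integrity
# check against a hash taken from the release notes (CHANGELOG-1.23.md lists the
# sha512 of kubernetes-server-linux-amd64.tar.gz), not just a working TLS link.
# Fill in the placeholder with that published value before running.
expected_sha512='<sha512-of-v1.23.9-kubernetes-server-linux-amd64.tar.gz-from-CHANGELOG-1.23.md>'  # placeholder
cd /tmp && \
wget https://dl.k8s.io/v1.23.9/kubernetes-server-linux-amd64.tar.gz && \
printf '%s  %s\n' "${expected_sha512}" kubernetes-server-linux-amd64.tar.gz | sha512sum -c -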
分发到每台 master 服务器
# Copy the downloaded tarball to /home/ on every master. Stops at the first
# failed copy, like an && chain.
for master in 172.16.222.121 172.16.222.122 172.16.222.123; do
  scp /tmp/kubernetes-server-linux-amd64.tar.gz "root@${master}:/home/" || break
done
解压
在每台 master 服务器上解压
# Unpack on every master; the archive expands to ./kubernetes/server/bin/.
# (GNU tar long options; same as -zxvf.)
cd /home/ && \
tar --extract --gzip --verbose --file=kubernetes-server-linux-amd64.tar.gz
复制二进制执行文件到 /usr/local/bin/
在每台 master 服务器上复制
# Install the control-plane binaries plus kubectl into /usr/local/bin/ on every
# master. GNU cp: -t names the target directory so the sources follow "--".
cd /home/kubernetes/server/bin/ && \
cp -t /usr/local/bin/ -- kube-apiserver kube-controller-manager kubectl kube-scheduler
!NOTE 以下操作需要登录到对应的 master 服务器操作,只需要修改配置参数中的 ip 地址即可。注意:以下配置中,日志等级设置为 6,产生日志的速度会非常快。学习部署后可以修改为 2。
# kube-apiserver flags for master 172.16.222.121 (its bind/advertise address).
# All three per-master variants write the same path, so run this one only on
# that host; on a single host they would simply overwrite one another.
# Trust material, all under /etc/kubernetes/pki (copied in above):
#   --client-ca-file                    apiserver CA that client certs are checked against
#   --service-account-key-file and --service-account-signing-key-file point at
#     the SAME apiserver CA cert/key, so the key that issues every client cert
#     also signs every service-account token. A dedicated SA key pair (the
#     service-account/ directory was created for one) would keep a CA-key
#     compromise and a token-signing compromise separate and let the CA key
#     stay off the masters.
#   --etcd-cafile/-certfile/-keyfile    client identity signed by the etcd CA
# Worth knowing before reusing this verbatim:
#   --audit-log-* are set but no --audit-policy-file is given; kube-apiserver
#     records no audit events without a policy — TODO confirm on v1.23.9 and add one
#   --runtime-config=api/all=true and --allow-privileged=true enable every API
#     group (alpha included) and privileged pods: fine for a lab, a broader
#     attack surface than a hardened control plane wants
#   --enable-swagger-ui and --insecure-port are deprecated no-ops in this
#     release (presumably carried over from older guides) — verify against the
#     v1.23.9 flag list and drop them
#   --v=6 is very verbose; the author suggests 2 after the learning phase
#   no --kubelet-client-certificate/--kubelet-certificate-authority here, so the
#     kubelet-apiserver-client cert copied to the masters is not used by this
#     file — presumably wired up in a later section
# The delimiter is quoted: nothing in the value needs shell expansion.
cat <<'EOF' >/etc/kubernetes/config/apiserver.conf
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.121
--secure-port=6443
--advertise-address=172.16.222.121
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
# kube-apiserver flags for master 172.16.222.122 (its bind/advertise address).
# All three per-master variants write the same path, so run this one only on
# that host; on a single host they would simply overwrite one another.
# Trust material, all under /etc/kubernetes/pki (copied in above):
#   --client-ca-file                    apiserver CA that client certs are checked against
#   --service-account-key-file and --service-account-signing-key-file point at
#     the SAME apiserver CA cert/key, so the key that issues every client cert
#     also signs every service-account token. A dedicated SA key pair (the
#     service-account/ directory was created for one) would keep a CA-key
#     compromise and a token-signing compromise separate and let the CA key
#     stay off the masters.
#   --etcd-cafile/-certfile/-keyfile    client identity signed by the etcd CA
# Worth knowing before reusing this verbatim:
#   --audit-log-* are set but no --audit-policy-file is given; kube-apiserver
#     records no audit events without a policy — TODO confirm on v1.23.9 and add one
#   --runtime-config=api/all=true and --allow-privileged=true enable every API
#     group (alpha included) and privileged pods: fine for a lab, a broader
#     attack surface than a hardened control plane wants
#   --enable-swagger-ui and --insecure-port are deprecated no-ops in this
#     release (presumably carried over from older guides) — verify against the
#     v1.23.9 flag list and drop them
#   --v=6 is very verbose; the author suggests 2 after the learning phase
#   no --kubelet-client-certificate/--kubelet-certificate-authority here, so the
#     kubelet-apiserver-client cert copied to the masters is not used by this
#     file — presumably wired up in a later section
# The delimiter is quoted: nothing in the value needs shell expansion.
cat <<'EOF' >/etc/kubernetes/config/apiserver.conf
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.122
--secure-port=6443
--advertise-address=172.16.222.122
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
# kube-apiserver flags for master 172.16.222.123 (its bind/advertise address).
# All three per-master variants write the same path, so run this one only on
# that host; on a single host they would simply overwrite one another.
# Trust material, all under /etc/kubernetes/pki (copied in above):
#   --client-ca-file                    apiserver CA that client certs are checked against
#   --service-account-key-file and --service-account-signing-key-file point at
#     the SAME apiserver CA cert/key, so the key that issues every client cert
#     also signs every service-account token. A dedicated SA key pair (the
#     service-account/ directory was created for one) would keep a CA-key
#     compromise and a token-signing compromise separate and let the CA key
#     stay off the masters.
#   --etcd-cafile/-certfile/-keyfile    client identity signed by the etcd CA
# Worth knowing before reusing this verbatim:
#   --audit-log-* are set but no --audit-policy-file is given; kube-apiserver
#     records no audit events without a policy — TODO confirm on v1.23.9 and add one
#   --runtime-config=api/all=true and --allow-privileged=true enable every API
#     group (alpha included) and privileged pods: fine for a lab, a broader
#     attack surface than a hardened control plane wants
#   --enable-swagger-ui and --insecure-port are deprecated no-ops in this
#     release (presumably carried over from older guides) — verify against the
#     v1.23.9 flag list and drop them
#   --v=6 is very verbose; the author suggests 2 after the learning phase
#   no --kubelet-client-certificate/--kubelet-certificate-authority here, so the
#     kubelet-apiserver-client cert copied to the masters is not used by this
#     file — presumably wired up in a later section
# The delimiter is quoted: nothing in the value needs shell expansion.
cat <<'EOF' >/etc/kubernetes/config/apiserver.conf
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.123
--secure-port=6443
--advertise-address=172.16.222.123
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
!NOTE 使用 cat 命令创建文件时,环境变量参数会丢失,需要在开头的 EOF 加上单引号即可。在每台 master 服务器都要创建,每个启动文件都一样。
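# systemd unit for kube-apiserver; identical on every master. The delimiter is
# quoted so $KUBE_APISERVER_OPTS stays literal and systemd expands it at start.
# EnvironmentFile= is given WITHOUT the leading "-": a missing or mis-pathed
# apiserver.conf then fails the unit with a clear error instead of launching
# kube-apiserver with an empty option list. Blank lines between sections are
# cosmetic; systemd ignores them.
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server Service
Documentation=https://github.com/kubernetes/kubernetes
#Requires=etcd.service
#After=etcd.service
Before=kube-controller-manager.service kube-scheduler.service

[Service]
EnvironmentFile=/etc/kubernetes/config/apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF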
启动服务
# The unit file was just written, so reload systemd before the first start.
systemctl daemon-reload && systemctl start kube-apiserver.service
没有错误后,设置开机启动
systemctl enable kube-apiserver
停止服务
systemctl stop kube-apiserver
查看状态
systemctl status kube-apiserver
查看错误
journalctl -l --no-pager -u kube-apiserver
删除进程日志
rm -rvf /var/log/journal/*