新乡网站推广公司,建立公司网站时什么是重要的,宜都网站制作,wordpress 短信验证码文章目录 1 生成kube-apiserver证书 #xff08;master节点操作#xff09;1.1 自签证书颁发机构#xff08;CA#xff09;1.2 使用自签CA签发kube-apiserver HTTPS证书 2 从Github下载二进制文件3 解压二进制包 #xff08;master节点操作#xff09;4 部署kube-apiserv… 文章目录 1 生成kube-apiserver证书 master节点操作1.1 自签证书颁发机构CA1.2 使用自签CA签发kube-apiserver HTTPS证书 2 从Github下载二进制文件3 解压二进制包 master节点操作4 部署kube-apiserver master节点操作4.1 创建配置文件4.2 拷贝刚才生成的证书4.3 创建上述配置文件中token文件4.4 systemd管理apiserver4.5 启动并设置开机启动4.6 授权kubelet-bootstrap用户允许请求证书 5 部署kube-controller-manager master节点操作5.1 创建配置文件5.2 systemd管理controller-manager5.3 启动并设置开机启动 6 部署kube-scheduler master节点操作6.1 创建配置文件6.2 systemd管理scheduler6.3 启动并设置开机启动6.4 查看集群状态 1 生成kube-apiserver证书 master节点操作
1.1 自签证书颁发机构CA
# cd /root/TLS/k8s/cat ca-config.json EOF
{signing: {default: {expiry: 87600h},profiles: {kubernetes: {expiry: 87600h,usages: [signing,key encipherment,server auth,client auth]}}}
}
EOFcat ca-csr.json EOF
{CN: kubernetes,key: {algo: rsa,size: 2048},names: [{C: CN,L: Beijing,ST: Beijing,O: k8s,OU: System}]
}
EOF生成证书
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -# ls *pem
ca-key.pem ca.pem1.2 使用自签CA签发kube-apiserver HTTPS证书
创建证书申请文件
# cd /root/TLS/k8s/cat server-csr.json EOF
{CN: kubernetes,hosts: [10.0.0.1,127.0.0.1,10.20.17.20,10.20.17.21,10.20.17.22,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local],key: {algo: rsa,size: 2048},names: [{C: CN,L: BeiJing,ST: BeiJing,O: k8s,OU: System}]
}
EOF注上述文件hosts字段中IP为所有Master/LB/VIP IP一个都不能少为了方便后期扩容可以多写几个预留的IP。 生成证书
# cfssl gencert -caca.pem -ca-keyca-key.pem -configca-config.json -profilekubernetes server-csr.json | cfssljson -bare server# ls server*pem
server-key.pem server.pem2 从Github下载二进制文件
下载地址 https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183 注打开链接你会发现里面有很多包下载一个server包就够了包含了Master和Worker Node二进制文件。 3 解压二进制包 master节点操作
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
cd /opt/tools/
tar zxvf kubernetes-server-linux-amd64.tar.gzcd kubernetes/server/bin/
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bi
cp kubectl /usr/bin/4 部署kube-apiserver master节点操作
4.1 创建配置文件
cat /opt/kubernetes/cfg/kube-apiserver.conf EOF
KUBE_APISERVER_OPTS--logtostderrfalse \\
--v2 \\
--log-dir/opt/kubernetes/logs \\
--etcd-servershttps://10.20.17.20:2379,https://10.20.17.21:2379,https://10.20.17.22:2379 \\
--bind-address10.20.17.20 \\
--secure-port6443 \\
--advertise-address10.20.17.20 \\
--allow-privilegedtrue \\
--service-cluster-ip-range10.0.0.0/24 \\
--enable-admission-pluginsNamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-modeRBAC,Node \\
--enable-bootstrap-token-authtrue \\
--token-auth-file/opt/kubernetes/cfg/token.csv \\
--service-node-port-range1000-65535 \\
--kubelet-client-certificate/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile/opt/etcd/ssl/ca.pem \\
--etcd-certfile/opt/etcd/ssl/server.pem \\
--etcd-keyfile/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage30 \\
--audit-log-maxbackup3 \\
--audit-log-maxsize100 \\
--audit-log-path/opt/kubernetes/logs/k8s-audit.log
EOF注上面两个\ \ 第一个是转义符第二个是换行符使用转义符是为了使用EOF保留换行符。
–logtostderr启用日志—v日志等级–log-dir日志目录–etcd-serversetcd集群地址–bind-address监听地址–secure-porthttps安全端口–advertise-address集群通告地址–allow-privileged启用授权–service-cluster-ip-rangeService虚拟IP地址段–enable-admission-plugins准入控制模块–authorization-mode认证授权启用RBAC授权和节点自管理–enable-bootstrap-token-auth启用TLS bootstrap机制–token-auth-filebootstrap token文件–service-node-port-rangeService nodeport类型默认分配端口范围–kubelet-client-xxxapiserver访问kubelet客户端证书–tls-xxx-fileapiserver https证书–etcd-xxxfile连接Etcd集群证书–audit-log-xxx审计日志
4.2 拷贝刚才生成的证书
把刚才生成的证书拷贝到配置文件中的路径
cp /root/TLS/k8s/ca*pem /root/TLS/k8s/server*pem /opt/kubernetes/ssl/4.3 创建上述配置文件中token文件
生成token
head -c 16 /dev/urandom | od -An -t x | tr -d 创建token文件
cat /opt/kubernetes/cfg/token.csv EOF
063e91e42837f2a2b36860457f515053,kubelet-bootstrap,10001,system:node-bootstrapper
EOF4.4 systemd管理apiserver
cat /usr/lib/systemd/system/kube-apiserver.service EOF
[Unit]
DescriptionKubernetes API Server
Documentationhttps://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restarton-failure
[Install]
WantedBymulti-user.target
EOF4.5 启动并设置开机启动
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver4.6 授权kubelet-bootstrap用户允许请求证书
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrolesystem:node-bootstrapper \
--userkubelet-bootstrap5 部署kube-controller-manager master节点操作
5.1 创建配置文件
cat /opt/kubernetes/cfg/kube-controller-manager.conf EOF
KUBE_CONTROLLER_MANAGER_OPTS--logtostderrfalse \\
--v2 \\
--log-dir/opt/kubernetes/logs \\
--leader-electtrue \\
--master127.0.0.1:8080 \\
--bind-address127.0.0.1 \\
--allocate-node-cidrstrue \\
--cluster-cidr10.244.0.0/16 \\
--service-cluster-ip-range10.0.0.0/24 \\
--cluster-signing-cert-file/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration87600h0m0s
EOF–master通过本地非安全本地端口8080连接apiserver。–leader-elect当该组件启动多个时自动选举HA–cluster-signing-cert-file/–cluster-signing-key-file自动为kubelet颁发证书的CA与apiserver保持一致
5.2 systemd管理controller-manager
cat /usr/lib/systemd/system/kube-controller-manager.service EOF
[Unit]
DescriptionKubernetes Controller Manager
Documentationhttps://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restarton-failure
[Install]
WantedBymulti-user.target
EOF5.3 启动并设置开机启动
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager6 部署kube-scheduler master节点操作
6.1 创建配置文件
cat /opt/kubernetes/cfg/kube-scheduler.conf EOF
KUBE_SCHEDULER_OPTS--logtostderrfalse \
--v2 \
--log-dir/opt/kubernetes/logs \
--leader-elect \
--master127.0.0.1:8080 \
--bind-address127.0.0.1
EOF–master通过本地非安全本地端口8080连接apiserver。–leader-elect当该组件启动多个时自动选举HA
6.2 systemd管理scheduler
cat /usr/lib/systemd/system/kube-scheduler.service EOF
[Unit]
DescriptionKubernetes Scheduler
Documentationhttps://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restarton-failure
[Install]
WantedBymulti-user.target
EOF6.3 启动并设置开机启动
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler6.4 查看集群状态
所有组件都已经启动成功通过kubectl工具查看当前集群组件状态
[rootk8s-master ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {health:true}
etcd-2 Healthy {health:true}
etcd-1 Healthy {health:true}
