1. Deploying the Kubernetes API server
- The apiserver exposes the cluster-management REST API, including authentication and authorization, data validation, and cluster state changes.
- Only the API server operates on etcd directly;
- all other components query or modify data through the API server;
- it is therefore the hub for data exchange and communication between the other components.
Three apiservers:
master01 10.1.1.100
master02 10.1.1.101
master03 10.1.1.102
VIP: 10.1.1.200 (fronts the three masters)
(1) Prepare the packages
# 1. Download the package on the manager node, then copy it to every node, so that all nodes have it ready and it does not need to be fetched again later
cd /usr/local/src
wget --no-check-certificate https://dl.k8s.io/v1.18.8/kubernetes-server-linux-amd64.tar.gz

#!/bin/bash
for i in 'master01' 'master02' 'master03' 'node01' 'node02' 'node03' 'manager'
do
    scp /usr/local/src/kubernetes-server-linux-amd64.tar.gz root@$i:/usr/local/src
done

# 2. Run the following on every node
cd /usr/local/src/
tar xf kubernetes-server-linux-amd64.tar.gz
# ====================》Note: a few unrelated files can be removed
rm -rf /usr/local/src/kubernetes/kubernetes-src.tar.gz   # the Go source tarball
rm -rf /usr/local/src/kubernetes/server/bin/*.tar        # the .tar files are Docker images; we are not deploying with kubeadm, so they are not needed
rm -rf /usr/local/src/kubernetes/server/bin/*_tag
#=====================》Only the executable binaries remain
[root@master01 src]# ll /usr/local/src/kubernetes/server/bin/
总用量 546000
-rwxr-xr-x 1 root root  48140288 8月 14 2020 apiextensions-apiserver
-rwxr-xr-x 1 root root  39821312 8月 14 2020 kubeadm
-rwxr-xr-x 1 root root 120684544 8月 14 2020 kube-apiserver
-rwxr-xr-x 1 root root 110080000 8月 14 2020 kube-controller-manager
-rwxr-xr-x 1 root root  44040192 8月 14 2020 kubectl
-rwxr-xr-x 1 root root 113300248 8月 14 2020 kubelet
-rwxr-xr-x 1 root root  38383616 8月 14 2020 kube-proxy
-rwxr-xr-x 1 root root  42962944 8月 14 2020 kube-scheduler
-rwxr-xr-x 1 root root   1687552 8月 14 2020 mounter

# 3. Run the following on master01, master02 and master03
cd /usr/local/src/kubernetes
cp server/bin/kube-apiserver /opt/kubernetes/bin/
cp server/bin/kube-controller-manager /opt/kubernetes/bin/
cp server/bin/kube-scheduler /opt/kubernetes/bin/
(2) On master01, create the JSON config file used to generate the CSR
# The apiserver acts as a client of etcd, so a server certificate and a client certificate are needed. The server certificate was already generated when etcd was deployed; here we only need to create the client certificate the apiserver uses to access etcd
cd /usr/local/src/ssl
cat > kubernetes-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.1.1.200",
    "10.1.1.100",
    "10.1.1.101",
    "10.1.1.102",
    "10.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "ops"
    }
  ]
}
EOF
# Note: 10.1.1.200 is the VIP that fronts the three nodes 10.1.1.100, 10.1.1.101 and 10.1.1.102
# 10.0.0.1 is the first IP of the service network (normally the first IP of the service-cluster-ip-range passed to kube-apiserver, e.g. 10.0.0.1)
(3) On master01, generate the kubernetes certificate and private key
This certificate is used by the apiserver as a client certificate for accessing etcd, and also as the apiserver's own server certificate.
First, master02 and master03 run apiserver just like master01, so each of them needs a copy.
Second, apart from the manager node, all worker nodes (node01, node02 and node03) also need to access the apiserver, so they should have a copy as well.
cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
cp kubernetes*.pem /opt/kubernetes/ssl/
scp kubernetes*.pem master02:/opt/kubernetes/ssl/
scp kubernetes*.pem master03:/opt/kubernetes/ssl/
scp kubernetes*.pem node01:/opt/kubernetes/ssl/
scp kubernetes*.pem node02:/opt/kubernetes/ssl/
scp kubernetes*.pem node03:/opt/kubernetes/ssl/
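An added check, not part of the original guide: once cfssl has written kubernetes.pem, confirm that it chains to ca.pem and carries every host from kubernetes-csr.json before the scp fan-out above. It assumes openssl 1.1.1 or later is installed; make_sample is a constructed stand-in for the cfssl output so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a generated apiserver
# certificate against the host list in kubernetes-csr.json and the cluster CA.
set -eu

# Hosts from kubernetes-csr.json: loopback, VIP, the three masters, first service IP, DNS names
EXPECTED_SANS="127.0.0.1 10.1.1.200 10.1.1.100 10.1.1.101 10.1.1.102 10.0.0.1
kubernetes kubernetes.default kubernetes.default.svc
kubernetes.default.svc.cluster kubernetes.default.svc.cluster.local"

# cert_sans CERT: print one SAN per line, without the "IP Address:" / "DNS:" prefixes
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tail -n 1 | tr ',' '\n' | sed 's/^ *//; s/^IP Address://; s/^DNS://'
}

# check_cert CERT CA: returns 0 only if CERT is signed by CA and lists every expected SAN
check_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "$1: not signed by $2" >&2; return 1; }
  sans=$(cert_sans "$1"); rc=0
  for want in $EXPECTED_SANS; do
    printf '%s\n' "$sans" | grep -qxF "$want" || { echo "$1: missing SAN $want" >&2; rc=1; }
  done
  return $rc
}

# make_sample "host ...": constructed CA plus a leaf cert with the given SANs (stand-in
# for cfssl output); prints the directory holding ca.pem and kubernetes.pem
make_sample() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -extensions ca -newkey rsa:2048 -nodes -days 1 \
    -subj /CN=kubernetes-ca -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -subj /CN=kubernetes/O=k8s -keyout "$d/kubernetes-key.pem" -out "$d/kubernetes.csr" 2>/dev/null
  san=$(for h in $1; do case $h in *[a-z]*) echo "DNS:$h";; *) echo "IP:$h";; esac; done | paste -sd, -)
  printf 'subjectAltName=%s\n' "$san" > "$d/ext.cnf"
  openssl x509 -req -in "$d/kubernetes.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -days 1 -extfile "$d/ext.cnf" -out "$d/kubernetes.pem" 2>/dev/null
  echo "$d"
}
```

Run `check_cert /opt/kubernetes/ssl/kubernetes.pem /opt/kubernetes/ssl/ca.pem` on master01 before the scp step; a host only needs ca.pem to verify this certificate, so kubernetes-key.pem belongs only where a process actually presents it.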
(4) On master01, create the client token file used by kube-apiserver, then send it to master02 and master03
# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
d149190dacf50968d58b069745dda2a2
# vim /opt/kubernetes/ssl/bootstrap-token.csv
d149190dacf50968d58b069745dda2a2,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
# send it to /opt/kubernetes/ssl/ on master02 and master03
scp /opt/kubernetes/ssl/bootstrap-token.csv master02:/opt/kubernetes/ssl/
scp /opt/kubernetes/ssl/bootstrap-token.csv master03:/opt/kubernetes/ssl/
(5) On master01, create the basic username/password authentication config, then send it to master02 and master03
# vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2
scp /opt/kubernetes/ssl/basic-auth.csv master02:/opt/kubernetes/ssl/
scp /opt/kubernetes/ssl/basic-auth.csv master03:/opt/kubernetes/ssl/
(6) Deploy the Kubernetes API Server on master01, then scp the unit file to master02 and master03; on master02 and master03 just change --bind-address to the host's own IP
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=10.1.1.100 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
  --service-cluster-ip-range=10.0.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://10.1.1.100:2379,https://10.1.1.101:2379,https://10.1.1.102:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/log/api-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
# master02: the same unit, with --bind-address set to its own IP (10.1.1.101); master03 uses 10.1.1.102 in the same way
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=10.1.1.101 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
  --service-cluster-ip-range=10.0.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://10.1.1.100:2379,https://10.1.1.101:2379,https://10.1.1.102:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/log/api-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
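As an added check that is not part of the original guide, the script below lints the ExecStart flags of a kube-apiserver unit file written in the format above for the settings a reviewer looks at before go-live: anonymous access, RBAC, the static-password file, the insecure port, which key signs service-account tokens, and audit logging. The flag names are the real kube-apiserver flags used in the unit above; write_sample is a constructed copy of the relevant lines.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a kube-apiserver unit file.
# Works on the file as the guide writes it (one flag per line, joined by "\").
set -eu

# flag_value FILE FLAG: print FLAG's value (empty if the flag is absent)
flag_value() {
  tr -d '\\' < "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# lint_unit FILE: print one finding per line (no output means nothing to report)
lint_unit() {
  f=$1
  [ "$(flag_value "$f" --anonymous-auth)" = "false" ] || echo "anonymous requests are accepted (--anonymous-auth)"
  case "$(flag_value "$f" --authorization-mode)" in
    *RBAC*) ;; *) echo "RBAC is not enabled (--authorization-mode)";;
  esac
  [ -z "$(flag_value "$f" --basic-auth-file)" ] || echo "static passwords via --basic-auth-file (flag removed in v1.19)"
  [ -z "$(flag_value "$f" --insecure-bind-address)" ] || echo "insecure port enabled (--insecure-bind-address serves without authn/authz)"
  # the guide points this flag at ca-key.pem; a dedicated key pair keeps the CA key off the apiserver
  case "$(flag_value "$f" --service-account-key-file)" in
    *ca-key.pem) echo "--service-account-key-file reuses the cluster CA private key";;
  esac
  [ -n "$(flag_value "$f" --audit-log-path)" ] || echo "audit logging is off (--audit-log-path)"
}

# finding_count FILE: number of findings, usable as a gate before systemctl start
finding_count() { lint_unit "$1" | wc -l | tr -d ' '; }

# Constructed sample: the relevant lines of the master01 unit from the guide
write_sample() {
  cat > "$1" <<'EOF'
[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --bind-address=10.1.1.100 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --anonymous-auth=false \
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --audit-log-path=/opt/kubernetes/log/api-audit.log
EOF
}

# Usage: lint_unit /usr/lib/systemd/system/kube-apiserver.service
```

On the sample above it reports three findings: the insecure port, the static-password file and the CA key reused for service-account tokens.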