kube-apiserver集群规划
| 主机名 | 角色 | IP地址 |
|---|---|---|
| mfyxw30.mfxyw.com | kube-apiserver主 | 192.168.80.30 |
| mfyxw40.mfyxw.com | kube-apiserver从 | 192.168.80.40 |
温馨提示:这里部署文档以mfyxw30.mfyxw.com主机为例,另外两台主机安装部署方法类似
1.下载kubernetes软件
kubernetes的github链接:https://github.com/kuberneteskubernetes-v1.15.10链接地址:https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz可以登录mfyxw30服务器下载 wget https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz#发现国内没有办法下载。只能自己想办法了。我下载好的kubernetes-v1.15.10上传到网盘k8s-v1.15.10网盘地址 链接:https://pan.baidu.com/s/1qL_su3YppyyBGz-loKSHfg 提取码:3kfx
2.把kubernetes上传服务器,解压,软连接
#mfyxw30和mfyxw40都需要执行此操作,以mfyxw30为例[root@mfyxw30 ~]#tar xf kubernetes-server-linux-amd64.tar.gz -C /opt[root@mfyxw30 ~]#cd /opt[root@mfyxw30 opt]#mv kubernetes kubernetes-v1.15.10[root@mfyxw30 opt]#ln -s kubernetes-v1.15.10 kubernetes
3.删除kuberneters包不需要的文件
在mfyxw30主机上删除kubernetes包不需要的文件
[root@mfyxw30 ~]#cd /opt/kubernetes/server/bin#tar后缀的是容器镜像包,不是采用kubeadm来安装,故可以删除[root@mfyxw30 bin]#rm -fr *.tar[root@mfyxw30 bin]#rm -fr *_tag#kubernetes-src.tar.gz是kubernetes的go语言写的源码包,在此用不到[root@mfyxw30 bin]#rm -fr /opt/kubernetes/kubernetes-src.tar.gz
在mfyxw40主机上删除kubernetes包不需要的文件
[root@mfyxw40 ~]#cd /opt/kubernetes/server/bin#tar后缀的是容器镜像包,不是采用kubeadm来安装,故可以删除[root@mfyxw40 bin]#rm -fr *.tar[root@mfyxw40 bin]#rm -fr *_tag#kubernetes-src.tar.gz是kubernetes的go语言写的源码包,在此用不到[root@mfyxw40 bin]#rm /opt/kubernetes/kubernetes-src.tar.gz
4.创建生成证书签名请求(csr)的JSON配置文件
签发Client证书:apiserver和etcd集群间通信用的证书,在这个通信过程中,etcd是服务端,apiserver是客户端
#生成client证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行[root@mfyxw50 ~]#cat > /opt/certs/client-csr.json << EOF{ "CN": "k8s-node", "hosts": [
], "key": { "algo": "rsa", "size": 2048
}, "names": [
{ "C": "CN", "ST": "GuangDong", "L": "GuangZhou", "O": "od", "OU": "ops"
}
]
}
EOF
5.生成client证书和私钥
#需要在签发证书主机mfyxw50上执行[root@mfyxw50 ~]#cd /opt/certs[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client
6.创建生成kube-apiserver证书签名请求(csr)的JSON配置文件
#生成kube-apiserver证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行[root@mfyxw50 ~]# cat > /opt/certs/apiserver-csr.json << EOF{ "CN": "apiserver", "hosts": [ "127.0.0.1", "172.16.0.1", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "192.168.80.100", "192.168.80.20", "192.168.80.30", "192.168.80.40"
], "key": { "algo": "rsa", "size": 2048
}, "names": [
{ "C": "CN", "ST": "GuangDong", "L": "GuangZhou", "O": "od", "OU": "ops"
}
]
}
EOF
7.生成kube-apiserver证书和私钥
#需要在签发证书主机mfyxw50上执行[root@mfyxw50 ~]#cd /opt/certs[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssljson -bare apiserver
8.将生成的证书复制至各运算节点
#在mfyxw30主机上创建certs目录[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/cert#在mfyxw40主机上创建cert目录[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/cert#在mfyxw50(证书签发主机)上把证书和私钥分别复制至mfyxw30和mfyxw40主机下/opt/kubernetes/server/bin/cert目录[root@mfyxw50 ~]#cd /opt/certs/[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw30:/opt/kubernetes/server/bin/cert/[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw40:/opt/kubernetes/server/bin/cert/
9.查看复制过去的私钥的权限
#分别需要在mfyxw30和mfyxw40主机上查看,在此以mfyxw30截图为例,如果权限不是600,请修改为600[root@mfyxw30 ~]#ls -l /opt/kubernetes/server/bin/cert/[root@mfyxw40 ~]#ls -l /opt/kubernetes/server/bin/cert/
10.创建审计日志记录和采集配置文件
分别在mfyxw30和mfyxw40的路径/opt/kubernetes/server/bin/下创建conf目录
[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/conf[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/conf
1.在mfyxw30主机上创建审计日志记录和采集配置文件
[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF apiVersion: audit.k8s.io/v1beta1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived"rules: # Log pod changes at RequestResponse level - level: RequestResponse resources: - group: "" # Resource "pods" doesn't match requests to any subresource of pods, # which is consistent with the RBAC policy. resources: ["pods"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] # Don't log requests to a configmap called "controller-leader" - level: None resources: - group: "" resources: ["configmaps"] resourceNames: ["controller-leader"] # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Log the request body of configmap changes in kube-system. - level: Request resources: - group: "" # core API group resources: ["configmaps"] # This rule only applies to resources in the "kube-system" namespace. # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] # Log configmap and secret changes in all other namespaces at the Metadata level. - level: Metadata resources: - group: "" # core API group resources: ["secrets", "configmaps"] # Log all other resources in core and extensions at the Request level. - level: Request resources: - group: "" # core API group - group: "extensions" # Version of group should NOT be included. # A catch-all rule to log all other requests at the Metadata level. - level: Metadata # Long-running requests like watches that fall under this rule will not # generate an audit event in RequestReceived. omitStages: - "RequestReceived"EOF
2.在mfyxw40主机上创建审计日志记录和采集配置文件
[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF apiVersion: audit.k8s.io/v1beta1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived"rules: # Log pod changes at RequestResponse level - level: RequestResponse resources: - group: "" # Resource "pods" doesn't match requests to any subresource of pods, # which is consistent with the RBAC policy. resources: ["pods"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] # Don't log requests to a configmap called "controller-leader" - level: None resources: - group: "" resources: ["configmaps"] resourceNames: ["controller-leader"] # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Log the request body of configmap changes in kube-system. - level: Request resources: - group: "" # core API group resources: ["configmaps"] # This rule only applies to resources in the "kube-system" namespace. # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] # Log configmap and secret changes in all other namespaces at the Metadata level. - level: Metadata resources: - group: "" # core API group resources: ["secrets", "configmaps"] # Log all other resources in core and extensions at the Request level. - level: Request resources: - group: "" # core API group - group: "extensions" # Version of group should NOT be included. # A catch-all rule to log all other requests at the Metadata level. - level: Metadata # Long-running requests like watches that fall under this rule will not # generate an audit event in RequestReceived. omitStages: - "RequestReceived"EOF
11.创建kube-apiserver启动脚本
在主机mfyxw30上创建kube-apiserver启动脚本
[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF#!/bin/bash./kube-apiserver \ --apiserver-count 2 \ --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \ --audit-policy-file ./conf/audit.yaml \ --authorization-mode RBAC \ --client-ca-file ./cert/ca.pem \ --requestheader-client-ca-file ./cert/ca.pem \ --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \ --etcd-cafile ./cert/ca.pem \ --etcd-certfile ./cert/client.pem \ --etcd-keyfile ./cert/client-key.pem \ --etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379 \ --service-account-key-file ./cert/ca-key.pem \ --service-cluster-ip-range 172.16.0.0/16 \ --service-node-port-range 3000-29999 \ --target-ram-mb=1024 \ --kubelet-client-certificate ./cert/client.pem \ --kubelet-client-key ./cert/client-key.pem \ --log-dir /data/logs/kubernetes/kube-apiserver \ --tls-cert-file ./cert/apiserver.pem \ --tls-private-key-file ./cert/apiserver-key.pem \ --v 2EOF
在主机mfyxw40上创建kube-apiserver启动脚本
[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF#!/bin/bash./kube-apiserver \ --apiserver-count 2 \ --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \ --audit-policy-file ./conf/audit.yaml \ --authorization-mode RBAC \ --client-ca-file ./cert/ca.pem \ --requestheader-client-ca-file ./cert/ca.pem \ --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \ --etcd-cafile ./cert/ca.pem \ --etcd-certfile ./cert/client.pem \ --etcd-keyfile ./cert/client-key.pem \ --etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379 \ --service-account-key-file ./cert/ca-key.pem \ --service-cluster-ip-range 172.16.0.0/16 \ --service-node-port-range 3000-29999 \ --target-ram-mb=1024 \ --kubelet-client-certificate ./cert/client.pem \ --kubelet-client-key ./cert/client-key.pem \ --log-dir /data/logs/kubernetes/kube-apiserver \ --tls-cert-file ./cert/apiserver.pem \ --tls-private-key-file ./cert/apiserver-key.pem \ --v 2EOF
12.调整权限和创建存放kupe-apiserver日志的目录
分别在mfyxw30和mfyxw40主机上对kube-apiserver.sh文件添加可执行权限,并创建存放kube-apiserver的日志文件的目录,以mfyxw30的截图为例
[root@mfyxw30 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh[root@mfyxw30 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver[root@mfyxw40 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh[root@mfyxw40 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver
13.创建supervisor配置文件
为mfyxw30主机创建supervisor配置文件
[root@mfyxw30 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF [program:kube-apiserver-80-30] command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args) numprocs=1 ; number of processes copies to start (def 1) directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd) autostart=true ; start at supervisord start (default: true) autorestart=true ; retstart at unexpected quit (default: true) startsecs=30 ; number of secs prog must stay running (def. 1) startretries=3 ; max # of serial start failures (default 3) exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) stopsignal=QUIT ; signal used to kill process (default TERM) stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) user=root ; setuid to this UNIX account to run the program redirect_stderr=false ; redirect proc stderr to stdout (default false) stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stdout_events_enabled=false ; emit events on stdout writes (default false) stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log ; stderr log path, NONE for none; default AUTO stderr_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stderr_logfile_backups=4 ; # of stderr logfile backups (default 10) stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stderr_events_enabled=false ; emit events on stderr writes (default false) EOF
为mfyxw40主机创建supervisor配置文件
[root@mfyxw40 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF [program:kube-apiserver-80-40] command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args) numprocs=1 ; number of processes copies to start (def 1) directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd) autostart=true ; start at supervisord start (default: true) autorestart=true ; retstart at unexpected quit (default: true) startsecs=30 ; number of secs prog must stay running (def. 1) startretries=3 ; max # of serial start failures (default 3) exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) stopsignal=QUIT ; signal used to kill process (default TERM) stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) user=root ; setuid to this UNIX account to run the program redirect_stderr=false ; redirect proc stderr to stdout (default false) stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stdout_events_enabled=false ; emit events on stdout writes (default false) stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log ; stderr log path, NONE for none; default AUTO stderr_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stderr_logfile_backups=4 ; # of stderr logfile backups (default 10) stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stderr_events_enabled=false ; emit events on stderr writes (default false) EOF
14.启动supervisor服务并检查
在mfyxw30主机上,启动supervisor服务并检查,以mfyxw30图片为例,另一台机器同样方法启动服务和查看
[root@mfyxw30 ~]#supervisorctl update[root@mfyxw30 ~]#supervisorctl status[root@mfyxw30 ~]# netstat -luntp | grep api
在mfyxw40主机上,启动supervisor服务并检查
[root@mfyxw40 ~]#supervisorctl update[root@mfyxw40 ~]#supervisorctl status[root@mfyxw40 ~]# netstat -luntp | grep api
