k8s开启汇聚器aggregator

安装证书

先拷贝一个模板文件

mkdir -p /work/deploy/kubernetes/security/aggregatorLayer_tls 
cd /work/deploy/kubernetes/security/aggregatorLayer_tls
cp /etc/pki/tls/openssl.cnf openssl-aggregator.cnf

修改模板文件，记得在v3_req 下添加：subjectAltName=@alt_names

[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 127.0.0.1  # kubernetes master server ip
IP.2 = 10.10.0.1
IP.3 = 10.10.0.200 
IP.4 = 192.168.0.97
IP.5 = 192.168.0.96
IP.6 = 192.168.0.95
IP.7 = 192.168.0.94

然后生成相关证书

openssl genrsa -out ca.key 2048 
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.pem -subj "/CN=aggregator/O=k8s-egg"
openssl genrsa -out aggregator.key 2048
openssl req -new -key aggregator.key -out aggregator.csr -subj "/O=k8s-egg/CN=aggregator" -config openssl-aggregator.cnf 
openssl x509 -req -in aggregator.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out aggregator.pem -days 10000 -extensions v3_req -extfile openssl-aggregator.cnf

修改apiserver的启动参数

vim /etc/kubernetes/apiserver 

在最后添加如下

KUBE_AGGREGATOR_ARGS="--requestheader-client-ca-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/ca.pem --requestheader-allowed-names=aggregator --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --proxy-client-cert-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.pem --proxy-client-key-file=/work/deploy/kubernetes/security/aggregatorLayer_tls/aggregator.key"

修改启动文件

vim /usr/lib/systemd/system/kube-apiserver.service

在ExecStart的后面添加： $KUBE_AGGREGATOR_ARGS

重启apiserver

systemctl daemon-reload
systemctl restart kube-apiserver

部署 metrics server

cd /work/deploy/kubernetes/
git clone https://github.com/kubernetes-incubator/metrics-server
cd /work/deploy/kubernetes/metrics-server/deploy/kubernetes
docker pull registry.cn-shenzhen.aliyuncs.com/yinkaicool/metrics-server-amd64:v0.3.4

vim metrics-server-deployment.yaml 修改镜像为
registry.cn-shenzhen.aliyuncs.com/yinkaicool/metrics-server-amd64:v0.3.4
同时command也要修改添加不安全验证
如下图：

cd …
kca kubernetes

验证