十二,Kubernetes_v1.14.2部署kube-apiserver集群

一,下载并解压

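# Download the v1.14.2 server tarball over HTTPS.
wget https://dl.k8s.io/v1.14.2/kubernetes-server-linux-amd64.tar.gz
# Supply-chain check: compare this digest with the SHA-512 published for this
# release in kubernetes' CHANGELOG-1.14.md before unpacking or distributing it.
# Binaries from here are copied to every master as root (next step).
sha512sum kubernetes-server-linux-amd64.tar.gz
# tar -C fails when the target directory does not exist yet.
mkdir -p /opt/kubernetes/package/
tar -zxvf kubernetes-server-linux-amd64.tar.gz -C /opt/kubernetes/package/
# Confirm the server binaries were extracted.
ls /opt/kubernetes/package/kubernetes/server/bin/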

 

 

二,分发kube-apiserver文件

# Copy the kube-apiserver binary to every master listed in MASTER_IPS (env.sh).
source /root/env.sh
bin_src=/opt/kubernetes/package/kubernetes/server/bin/kube-apiserver
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp "${bin_src}" "root@${master_ip}:/opt/kubernetes/bin/"
done
# Verify the binary is present on each master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -ld /opt/kubernetes/bin/kube-apiserver"
done

 

 

三,创建API Server的认证文件

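# CSR for the API server's serving certificate (also used as etcd client cert in
# the unit file). Every address clients use to reach the API server must be a SAN:
# each master's own IP (--bind-address differs per master), the load-balancer/VIP
# address if one fronts the masters, the first service cluster IP (10.1.0.1) and
# the in-cluster DNS names. A name missing here causes TLS verification failures
# for clients that connect through it.
source /root/env.sh
cd /opt/kubernetes/ssl
# One `"ip",` line per master built from MASTER_IPS, so the cert covers all
# masters instead of a single hard-coded address.
master_hosts=""
for master_ip in "${MASTER_IPS[@]}"; do
  [[ "${master_ip}" == "172.27.128.200" ]] && continue   # already listed below
  master_hosts+="    \"${master_ip}\","$'\n'
done
cat > kubernetes-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.27.128.200",
${master_hosts}
    "10.1.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF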

 

 

四,生成Kubernetes的证书和私钥

# Sign the API server CSR with the cluster CA using the "kubernetes" profile
# from ca-config.json; produces kubernetes.pem / kubernetes-key.pem.
ssl_dir=/opt/kubernetes/ssl
cfssl gencert \
  -ca="${ssl_dir}/ca.pem" \
  -ca-key="${ssl_dir}/ca-key.pem" \
  -config="${ssl_dir}/ca-config.json" \
  -profile=kubernetes kubernetes-csr.json \
  | cfssljson -bare kubernetes

# Confirm both the certificate and the private key were written.
ls -ld kubernetes-key.pem kubernetes.pem

 

 

五,分发生成的证书和私钥

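# Distribute the API server certificate and private key to every master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp kubernetes-key.pem kubernetes.pem "root@${master_ip}:/opt/kubernetes/ssl"
  # The private key serves TLS and authenticates to etcd: keep it root-only.
  ssh "root@${master_ip}" "chmod 600 /opt/kubernetes/ssl/kubernetes-key.pem"
done
# Verify both files (and the key's mode) on each master.
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -ld /opt/kubernetes/ssl/{kubernetes-key.pem,kubernetes.pem}"
done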

 

 

六,创建 API Server使用的token文件

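# Static bootstrap token: 16 random bytes rendered as 32 hex characters
# (od -t x dumps 4-byte words, tr removes the separators).
gen_bootstrap_token() {
  head -c 16 /dev/urandom | od -An -t x | tr -d ' '
}

# Capture the token in a variable instead of copying it by hand into the file
# (a paste error here silently breaks kubelet bootstrapping).
BOOTSTRAP_TOKEN=$(gen_bootstrap_token)
# The kubelet bootstrap kubeconfig created later needs this value; record it now.
echo "bootstrap token: ${BOOTSTRAP_TOKEN}"

# Static token file for --token-auth-file: token,user,uid,"groups".
cat > /opt/kubernetes/ssl/bootstrap-token.csv << EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
# The token is a credential: root-only.
chmod 600 /opt/kubernetes/ssl/bootstrap-token.csv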

 

 

七,分发API Server使用的token文件

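# Distribute the bootstrap token file to every master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp /opt/kubernetes/ssl/bootstrap-token.csv "root@${master_ip}:/opt/kubernetes/ssl/"
  # The token grants the kubelet-bootstrap identity: keep it root-only.
  ssh "root@${master_ip}" "chmod 600 /opt/kubernetes/ssl/bootstrap-token.csv"
done
# Verify presence and integrity without printing the token to the terminal
# (cat-ing the file left the secret in scrollback / session logs); compare the
# remote digest with the local one.
sha256sum /opt/kubernetes/ssl/bootstrap-token.csv
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -l /opt/kubernetes/ssl/bootstrap-token.csv && sha256sum /opt/kubernetes/ssl/bootstrap-token.csv"
done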

 

 

八,创建基础用户名,密码认证配置

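# Basic-auth credentials for --basic-auth-file (user,password,uid).
# Do not ship the literal admin/admin pair: the API server's secure port is
# reachable from every node and the password is all that protects the "admin"
# identity. Generate random passwords instead.
# NOTE: basic auth is a legacy mechanism (deprecated in 1.16, removed in 1.19),
# and these users have no rights until a (Cluster)RoleBinding grants them;
# prefer client certificates and drop this file when nothing depends on it.
gen_password() {
  head -c 16 /dev/urandom | od -An -t x | tr -d ' '
}
ADMIN_PASSWORD=$(gen_password)
READONLY_PASSWORD=$(gen_password)
cat > /opt/kubernetes/ssl/basic-auth.csv << EOF
admin,${ADMIN_PASSWORD},1
readonly,${READONLY_PASSWORD},2
EOF
# Credentials file: root-only. Read it once and store the passwords with the
# rest of the cluster secrets; do not echo it in later verification steps.
chmod 600 /opt/kubernetes/ssl/basic-auth.csv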

 

 

九,分发创建基础用户名,密码认证配置文件

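# Distribute the basic-auth credentials file to every master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp /opt/kubernetes/ssl/basic-auth.csv "root@${master_ip}:/opt/kubernetes/ssl/"
  # Plaintext passwords: keep the file root-only.
  ssh "root@${master_ip}" "chmod 600 /opt/kubernetes/ssl/basic-auth.csv"
done
# Verify presence and integrity without printing the passwords to the terminal;
# compare the remote digest with the local one.
sha256sum /opt/kubernetes/ssl/basic-auth.csv
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -l /opt/kubernetes/ssl/basic-auth.csv && sha256sum /opt/kubernetes/ssl/basic-auth.csv"
done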

 

 

十,创建metrics-server证书(metrics-server插件使用)

cd /opt/kubernetes/ssl

# Client-certificate CSR for the aggregator (front proxy). CN "aggregator" is
# the identity kube-apiserver presents to aggregated API servers such as
# metrics-server via --proxy-client-cert-file/--proxy-client-key-file; no SANs
# are needed for a pure client certificate. Quoted delimiter: nothing expands.
cat > metrics-server-csr.json <<'EOF'
{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

 

 

十一,生成metrics-server证书

# Sign the aggregator client CSR with the cluster CA; produces
# metrics-server.pem / metrics-server-key.pem.
ssl_dir=/opt/kubernetes/ssl
cfssl gencert \
  -ca="${ssl_dir}/ca.pem" \
  -ca-key="${ssl_dir}/ca-key.pem" \
  -config="${ssl_dir}/ca-config.json" \
  -profile=kubernetes metrics-server-csr.json \
  | cfssljson -bare metrics-server
# Confirm certificate and key were written.
ls -ld metrics-server*.pem

 

 

十二,分发metrics-server证书

# Distribute the aggregator (proxy client) certificate and key to every master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp metrics-server*.pem "root@${master_ip}:/opt/kubernetes/ssl"
done
# Verify the files landed on each master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -ld /opt/kubernetes/ssl/metrics-server*.pem"
done

 

 

十三,部署kube-apiserver

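# Create the kube-apiserver systemd unit template. ##MASTER_IP## is a placeholder
# substituted per master in the next step; ${ETCD_ENDPOINTS} comes from env.sh.
#
# Security notes on the flags (comments cannot go inside the unit's continued
# ExecStart line, so they live here):
# - --requestheader-client-ca-file is the same CA as --client-ca-file. Without
#   --requestheader-allowed-names, ANY client certificate issued by that CA (every
#   kubelet, controller, kubectl user) could set X-Remote-User/X-Remote-Group and
#   be treated as that identity. Restricting the allowed names to the proxy client
#   cert's CN ("aggregator", see metrics-server-csr.json) closes that hole; a
#   dedicated front-proxy CA would be cleaner still.
# - --audit-log-* alone records nothing: without --audit-policy-file the
#   apiserver logs "No audit policy file provided, no events will be recorded for
#   log backend". Add a policy file (and distribute it to the masters) to get
#   audit logs.
# - --insecure-bind-address=127.0.0.1 keeps the unauthenticated port (8080) open
#   to every local process on the master; set --insecure-port=0 once
#   controller-manager and scheduler use TLS kubeconfigs.
# - --service-account-key-file reuses the CA private key to verify service-account
#   tokens; prefer a dedicated keypair (kube-controller-manager's
#   --service-account-private-key-file must match whatever is chosen).
# - --kubelet-https=true is set but no --kubelet-client-certificate/-key: the
#   apiserver presents no client identity to kubelets (logs/exec) and those calls
#   fail if kubelets require client authentication.
# - No --encryption-provider-config: Secrets are stored in etcd in plaintext;
#   protect etcd and its backups accordingly.
# - --runtime-config=api/all=true (alpha APIs), --enable-swagger-ui=true and
#   --allow-privileged=true widen the attack surface; keep only what is needed.

source /root/env.sh
# Refuse to render a unit with an empty etcd endpoint list.
: "${ETCD_ENDPOINTS:?ETCD_ENDPOINTS is not set - check /root/env.sh}"
cat > kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \\
  --enable-admission-plugins=MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \\
  --bind-address=##MASTER_IP## \\
  --insecure-bind-address=127.0.0.1 \\
  --authorization-mode=Node,RBAC \\
  --runtime-config=api/all=true \\
  --kubelet-https=true \\
  --anonymous-auth=false \\
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \\
  --enable-bootstrap-token-auth \\
  --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \\
  --service-cluster-ip-range=10.1.0.0/16 \\
  --service-node-port-range=20000-40000 \\
  --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \\
  --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \\
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \\
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \\
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \\
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \\
  --etcd-servers=${ETCD_ENDPOINTS} \\
  --requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \\
  --requestheader-allowed-names=aggregator \\
  --requestheader-extra-headers-prefix=X-Remote-Extra- \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --proxy-client-cert-file=/opt/kubernetes/ssl/metrics-server.pem \\
  --proxy-client-key-file=/opt/kubernetes/ssl/metrics-server-key.pem \\
  --enable-swagger-ui=true \\
  --allow-privileged=true \\
  --audit-log-maxage=30 \\
  --audit-log-maxbackup=3 \\
  --audit-log-maxsize=100 \\
  --audit-log-path=/opt/kubernetes/log/api-audit.log \\
  --event-ttl=1h \\
  --v=2 \\
  --logtostderr=false \\
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF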
  • --etcd-*:访问 etcd 的证书和 etcd 服务器地址;
  • --enable-bootstrap-token-auth:启用 kubelet bootstrap 的 token 认证;
  • --proxy-client-*:apiserver 访问 metrics-server 使用的证书;
  • --bind-address: https 监听的 IP,不能为 127.0.0.1,否则外界不能访问它的安全端口 6443;
  • --authorization-mode=Node,RBAC 与 --anonymous-auth=false: 开启 Node 和 RBAC 授权模式,并拒绝匿名请求,未通过认证/授权的请求一律被拒绝;
  • --runtime-config=api/all=true: 启用所有版本的 APIs,如 autoscaling/v2alpha1(包含 alpha API,生产环境建议只按需启用,以减少暴露面);
  • --service-cluster-ip-range: 指定 Service Cluster IP 地址段;
  • --service-node-port-range: 指定 NodePort 的端口范围;

 

十四,替换模板文件中的变量,为各节点生成 systemd unit 文件

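source /root/env.sh

# Render one systemd unit per master from the kube-apiserver.service template,
# replacing the ##MASTER_IP## placeholder with that master's IP.
# Arguments: $1 - template path; remaining arguments - master IPs.
# Outputs:   kube-apiserver-<ip>.service in the current directory, one per IP.
render_apiserver_units() {
  local template=$1
  shift
  local ip
  for ip in "$@"; do
    sed -e "s/##MASTER_IP##/${ip}/" "${template}" > "kube-apiserver-${ip}.service"
  done
}

# Iterate MASTER_IPS itself rather than a hard-coded count of 3, so adding or
# removing a master in env.sh cannot leave a node without a unit (or index past
# the end of the array).
render_apiserver_units kube-apiserver.service "${MASTER_IPS[@]}"
# Expect one file per master.
ls kube-apiserver*.service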

 

 

十五,分发kube-apiserver的systemd文件

# Install each master's rendered unit as /usr/lib/systemd/system/kube-apiserver.service.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  scp "kube-apiserver-${master_ip}.service" "root@${master_ip}:/usr/lib/systemd/system/kube-apiserver.service"
done
# Verify the unit file exists on each master.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "ls -ld /usr/lib/systemd/system/kube-apiserver.service"
done

 

 

十六,启动kube-apiserver服务

# Reload systemd so it sees the new unit, start the service and enable it at boot.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "systemctl daemon-reload && systemctl restart kube-apiserver && systemctl enable kube-apiserver"
done

 



十七,验证kube-apiserver服务

# Print the Active line of each master's kube-apiserver unit.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "systemctl status kube-apiserver | grep Active"
done

确保状态为 active (running),否则查看日志,确认原因

# Service journal for kube-apiserver (run on the failing master); the apiserver's own
# logs go to /opt/kubernetes/log per --log-dir in the unit.
journalctl -u kube-apiserver

 

 

十八,打印 kube-apiserver 写入 etcd 的数据

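# List the keys kube-apiserver has written under /registry/.
# ETCD_ENDPOINTS is defined in env.sh (every other step sources it); without the
# source the --endpoints flag expands to nothing.
source /root/env.sh
: "${ETCD_ENDPOINTS:?ETCD_ENDPOINTS is not set - check /root/env.sh}"
# etcd.pem/etcd-key.pem are the etcd client credentials from the etcd deployment.
ETCDCTL_API=3 etcdctl \
  --endpoints="${ETCD_ENDPOINTS}" \
  --cacert=/opt/kubernetes/ssl/ca.pem \
  --cert=/opt/kubernetes/ssl/etcd.pem \
  --key=/opt/kubernetes/ssl/etcd-key.pem \
  get /registry/ --prefix --keys-only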

 

 

十九,检查集群信息

# Needs a kubeconfig that points at the API server over TLS (set up in an earlier
# step, not shown here).
kubectl cluster-info

输出:
Kubernetes master is running at https://172.27.128.200:6443

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

 

# Only the default/kubernetes service exists at this point.
kubectl get all --all-namespaces

输出:
NAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
default     service/kubernetes   ClusterIP   10.1.0.1            443/TCP   9m40s

 

# controller-manager and scheduler report Unhealthy (connection refused) until they
# are deployed; the etcd members should already be Healthy.
kubectl get componentstatuses

输出:
NAME                 STATUS      MESSAGE                                                                                     ERROR

controller-manager   Unhealthy   Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused   
scheduler                  Unhealthy   Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused   
etcd-1               Healthy     {"health":"true"}                                                                           
etcd-2               Healthy     {"health":"true"}                                                                           
etcd-0               Healthy     {"health":"true"} 

 

 

二十,检查 kube-apiserver 监听的端口

# Show kube-apiserver's listening sockets on each master: the secure port (6443)
# on --bind-address and the insecure port on 127.0.0.1 per the unit file.
source /root/env.sh
for master_ip in "${MASTER_IPS[@]}"; do
  printf '\033[31m>>> %s \033[0m\n' "${master_ip}"
  ssh "root@${master_ip}" "netstat -lnpt | grep kube"
done

 
