# Deploying k8s from binaries: deploying kube-apiserver

> [!TIP]
> Please credit the source when reposting: https://janrs.com
## kube-apiserver directories

> [!NOTE]
> Create these on every master server.

```shell
# Create the certificate directories
mkdir -p /etc/kubernetes/pki/{apiserver/,kubelet/,aggregator/,service-account/,sign/,etcd/}
# Create the configuration directory, the kubeconfig directory and the directory for the cluster initialisation manifests
mkdir -p /etc/kubernetes/{config/,kubeconfig/,init_k8s_config/}
# Create the default directory for the kubectl config
mkdir -p /root/.kube/
# Create the log directories
mkdir -p /var/log/kubernetes/{apiserver/,controller/,scheduler/}
```
## SSL certificates

### CA root certificate

> [!NOTE]
> The CA root certificate uses a 4096-bit RSA key.
> The certificates can be generated elsewhere and uploaded afterwards; just make sure the corresponding IP addresses are set correctly.
```shell
cat > /ssl/apiserver-ca-csr.json <<EOF
{
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cd /ssl/ && \
cfssl gencert -initca apiserver-ca-csr.json | \
cfssljson -bare apiserver-ca - && \
ls apiserver-ca* | \
grep apiserver-ca
```
### Server certificate

> [!NOTE]
> The IP addresses in the `hosts` parameter must include the master nodes, the HA nodes and the VIP address.
```shell
cat > /ssl/apiserver-server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.16.222.121",
    "172.16.222.122",
    "172.16.222.123",
    "172.16.222.201",
    "172.16.222.202",
    "172.16.222.110",
    "10.68.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "k8s",
      "OU": "System",
      "ST": "Beijing"
    }
  ]
}
EOF
cd /ssl/ && \
cfssl gencert -ca=apiserver-ca.pem \
-ca-key=apiserver-ca-key.pem \
-config=ca-config.json \
-profile=server apiserver-server-csr.json | \
cfssljson -bare apiserver-server && \
ls apiserver-server* | \
grep apiserver-server
```
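A missing SAN on the server certificate only shows up later as a TLS handshake failure from kubelet, kube-controller-manager or the HA proxy, so it is worth checking the CSR before signing. The script below is an added example, not part of the original post: it reads the `hosts` list of the CSR above (embedded here as a constructed copy) and reports every required entry that is absent. It also derives the ClusterIP of the `kubernetes` Service from `--service-cluster-ip-range` (10.68.0.1 for 10.68.0.1/16), which in-cluster clients connect to and which must therefore be in the SAN as well. Which of the non-master addresses are the HA nodes and which is the VIP is assumed from the list.

```python
import ipaddress
import json

# Constructed copy of the hosts list from apiserver-server-csr.json above; in practice use
# json.load(open("/ssl/apiserver-server-csr.json")).
SERVER_CSR = json.loads("""
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1", "172.16.222.121", "172.16.222.122", "172.16.222.123",
    "172.16.222.201", "172.16.222.202", "172.16.222.110", "10.68.0.1",
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"
  ]
}
""")

# What the note above requires: master nodes, HA nodes and the VIP.
MASTERS = ["172.16.222.121", "172.16.222.122", "172.16.222.123"]   # bind addresses of master-01..03
HA_NODES = ["172.16.222.201", "172.16.222.202"]                    # assumed to be the HA nodes
VIP = "172.16.222.110"                                             # assumed to be the VIP
SERVICE_CIDR = "10.68.0.1/16"          # --service-cluster-ip-range from apiserver.conf
SERVICE_DNS = ["kubernetes", "kubernetes.default", "kubernetes.default.svc",
               "kubernetes.default.svc.cluster.local"]


def service_cluster_ip(cidr: str) -> str:
    """First usable address of the service CIDR: the ClusterIP of the 'kubernetes' Service."""
    return str(ipaddress.ip_network(cidr, strict=False)[1])


def missing_sans(csr: dict, masters, ha_nodes, vip, service_cidr, dns_names) -> list:
    """Return every name or address that must be in the server cert SAN but is not in the CSR."""
    present = set(csr.get("hosts", []))
    required = ["127.0.0.1", *masters, *ha_nodes, vip, service_cluster_ip(service_cidr), *dns_names]
    return [host for host in required if host not in present]


if __name__ == "__main__":
    gaps = missing_sans(SERVER_CSR, MASTERS, HA_NODES, VIP, SERVICE_CIDR, SERVICE_DNS)
    print("all required SANs present" if not gaps else "missing SANs: %s" % gaps)
```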
### etcd client certificate for kube-apiserver

> [!NOTE]
> Because this certificate is used to access the etcd service, it must be issued by the etcd CA.
```shell
cat > /ssl/etcd-apiserver-client-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
EOF
cd /ssl/ && \
cfssl gencert -ca=etcd-ca.pem \
-ca-key=etcd-ca-key.pem \
-config=ca-config.json \
-profile=client etcd-apiserver-client-csr.json | \
cfssljson -bare etcd-apiserver-client && \
ls etcd-apiserver-client* | \
grep etcd-apiserver-client
```
> [!NOTE]
> All of the following certificates are distributed to the kube-apiserver servers.

Distribute etcd-ca.pem to kube-apiserver:

```shell
scp /ssl/etcd-ca.pem [email protected]:/etc/kubernetes/pki/etcd/ && \
scp /ssl/etcd-ca.pem [email protected]:/etc/kubernetes/pki/etcd/ && \
scp /ssl/etcd-ca.pem [email protected]:/etc/kubernetes/pki/etcd/
```

Distribute the kube-apiserver CA root certificate:

```shell
scp /ssl/apiserver-ca*.pem [email protected]:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-ca*.pem [email protected]:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-ca*.pem [email protected]:/etc/kubernetes/pki/apiserver/
```

Distribute the client certificate that etcd issued to kube-apiserver:

```shell
scp /ssl/etcd-apiserver-client*.pem [email protected]:/etc/kubernetes/pki/etcd/ && \
scp /ssl/etcd-apiserver-client*.pem [email protected]:/etc/kubernetes/pki/etcd/ && \
scp /ssl/etcd-apiserver-client*.pem [email protected]:/etc/kubernetes/pki/etcd/
```

Distribute all kube-apiserver server certificates:

```shell
scp /ssl/apiserver-server*.pem [email protected]:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-server*.pem [email protected]:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-server*.pem [email protected]:/etc/kubernetes/pki/apiserver/
```
## Kubernetes server binaries

> [!NOTE]
> Every master server needs the download.

Download:

```shell
cd /tmp && \
wget https://dl.k8s.io/v1.23.9/kubernetes-server-linux-amd64.tar.gz
```

Distribute to every master server:

```shell
scp /tmp/kubernetes-server-linux-amd64.tar.gz [email protected]:/home/ && \
scp /tmp/kubernetes-server-linux-amd64.tar.gz [email protected]:/home/ && \
scp /tmp/kubernetes-server-linux-amd64.tar.gz [email protected]:/home/
```

Extract on every master server:

```shell
cd /home/ && \
tar -zxvf kubernetes-server-linux-amd64.tar.gz
```

Copy the binaries to /usr/local/bin/ on every master server:

```shell
cd /home/kubernetes/server/bin/ && \
cp kube-apiserver kube-controller-manager kubectl kube-scheduler /usr/local/bin/
```
## kube-apiserver configuration

> [!NOTE]
> The following steps must be run after logging in to the corresponding master server.
> Only the IP addresses in the configuration parameters need to be changed.
> Note: in the configuration below the log level is set to 6, which produces logs very quickly. Once you have learned the deployment, change it to 2.
Startup configuration file for the master-01 server:

```shell
cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.121
--secure-port=6443
--advertise-address=172.16.222.121
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
```
Startup configuration file for the master-02 server:

```shell
cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.122
--secure-port=6443
--advertise-address=172.16.222.122
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
```
Startup configuration file for the master-03 server:

```shell
cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.123
--secure-port=6443
--advertise-address=172.16.222.123
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF
```
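The three files above differ only in their IP addresses, so the hardening-relevant flags are easy to review mechanically before the service is started. The script below is an added example, not part of the original post: it parses the `KUBE_APISERVER_OPTS` line (embedded here as a constructed excerpt of the master-01 file) into a flag map and reports what a reviewer would flag, including two things the configuration above does that the text does not mention: `--audit-log-path` is set without `--audit-policy-file`, so kube-apiserver's log backend records no audit events, and the CA private key that backs `--client-ca-file` doubles as the `--service-account-signing-key-file` instead of the dedicated key pair the `service-account/` pki directory was created for.

```python
# Constructed excerpt of the master-01 apiserver.conf above (the real file has more flags);
# in practice use open("/etc/kubernetes/config/apiserver.conf").read().
APISERVER_CONF = '''KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.121
--secure-port=6443
--insecure-port=0
--authorization-mode=Node,RBAC
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--v=6"
'''


def parse_opts(conf: str) -> dict:
    """Turn KUBE_APISERVER_OPTS="--a=b ..." into {flag: value}; bare flags map to 'true'."""
    value = conf.split("=", 1)[1].strip().strip('"')   # drop the variable name and the quotes
    opts = {}
    for token in value.split():                          # newlines and spaces both separate flags
        flag, _, val = token.lstrip("-").partition("=")
        opts[flag] = val or "true"
    return opts


def audit_opts(opts: dict) -> list:
    """Findings about the hardening-relevant flags this page sets; an empty list means nothing to report."""
    findings = []
    if opts.get("anonymous-auth", "true") != "false":        # kube-apiserver's default is true
        findings.append("anonymous requests are accepted")
    if opts.get("insecure-port", "0") != "0":
        findings.append("unauthenticated insecure port is open")
    modes = opts.get("authorization-mode", "AlwaysAllow").split(",")
    if "RBAC" not in modes or "Node" not in modes:
        findings.append("authorization-mode should include Node and RBAC")
    if "NodeRestriction" not in opts.get("enable-admission-plugins", "").split(","):
        findings.append("NodeRestriction admission plugin is not enabled")
    if "audit-log-path" in opts and "audit-policy-file" not in opts:
        findings.append("audit-log-path without audit-policy-file: the log backend records no events")
    # cfssl names a pair foo.pem / foo-key.pem, so this spots the client CA key doubling as SA signing key
    sa_key = opts.get("service-account-signing-key-file", "")
    if sa_key and sa_key.replace("-key.pem", ".pem") == opts.get("client-ca-file"):
        findings.append("service account tokens are signed with the client CA private key; use a dedicated key pair")
    if int(opts.get("v", "0")) > 2:
        findings.append("log verbosity --v=%s is for learning; use 2 afterwards" % opts["v"])
    return findings
```

Run as `python3 check_apiserver_conf.py` after substituting the real file; three findings are expected for the configuration above.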
> [!NOTE]
> When the file is created with `cat`, the environment-variable parameter would be lost; the fix is to put single quotes around the opening EOF.
> Create this on every master server; the unit file is identical on each.

```shell
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server Service
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/etc/kubernetes/config/apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```
Start the service:

```shell
systemctl daemon-reload && \
systemctl start kube-apiserver
```

If there are no errors, enable it at boot:

```shell
systemctl enable kube-apiserver
```

Stop the service:

```shell
systemctl stop kube-apiserver
```

Check the status:

```shell
systemctl status kube-apiserver
```

Check for errors:

```shell
journalctl -l --no-pager -u kube-apiserver
```

Delete the process logs:

```shell
rm -rvf /var/log/journal/*
```

The kube-apiserver component has been deployed successfully. Please credit the source when reposting: https://janrs.com