4.master上kube-apiserver部署
4.1 生成apiserver的证书
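# Every certificate below is generated relative to this directory; abort if it
# is missing instead of writing CA key material into whatever the cwd happens
# to be.
cd /root/TLS/k8s || exit 1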
#配置ca-config
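# cfssl signing policy. The page shows this file being typed into vi; a quoted
# heredoc writes the identical content non-interactively (and with plain ASCII
# quotes, which the JSON parser requires).
# The "kubernetes" profile is the one selected with -profile=kubernetes when
# the server certificate is signed below. 87600h is a 10-year lifetime.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF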
#配置ca-csr
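# CSR for the self-signed cluster CA (written with a heredoc instead of vi so
# the step is reproducible and the quotes are plain ASCII).
cat > ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF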
#初始化生成证书
# Create the self-signed cluster CA. The outputs consumed later on this page
# are ca.pem (trust anchor) and ca-key.pem (used as -ca-key when signing the
# server certificate and as the cluster signing key).
# NOTE(review): ca-key.pem can sign any certificate the cluster will trust;
# keep it readable by root only and copy it only where a component needs it.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[INFO] generating a new CA key and certificate from CSR
[INFO] generate received request
[INFO] received CSR
[INFO] generating key: rsa-2048
[INFO] encoded CSR
[INFO] signed certificate with serial number 418635448264553512763642514569244257653784032746
#使用自签CA签发kube-apiserver HTTPS证书,创建证书申请文件,hosts中添加集群中所有可信任ip地址
##配置server-csr.json
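# CSR for the kube-apiserver serving certificate. "hosts" becomes the SAN
# list, so it must contain every IP and DNS name clients use to reach the
# API server.
# NOTE(review): the apiserver conf on this page sets
# --service-cluster-ip-range=172.0.0.0/16, whose first address (172.0.0.1)
# becomes the kubernetes service ClusterIP; that address is not listed here
# (172.16.0.1 is). The two must agree or in-cluster TLS to the API fails.
cat > server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "172.16.0.1",
    "127.0.0.1",
    "172.16.0.103",
    "172.16.0.104",
    "172.16.0.105",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF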
##证书生成
# Sign the API server certificate with the CA using the "kubernetes" profile.
# Produces server.pem / server-key.pem, which the apiserver conf below uses
# for --tls-cert-file, --tls-private-key-file and the kubelet client pair.
# NOTE(review): if cfssl warns that the certificate "lacks a hosts field",
# the hosts list in server-csr.json was not applied; confirm the SANs with
# `openssl x509 -in server.pem -noout -text` before installing the cert.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
[INFO] generate received request
[INFO] received CSR
[INFO] generating key: rsa-2048
[INFO] encoded CSR
[INFO] signed certificate with serial number 293220325431162389345332022540296919482596573516
[WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
4.2 安装kube-apiserver组件
##下载或上传安装包
https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
##解压
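# Unpack the server tarball. The cd below expects it to unpack to
# /data/kubernetes, i.e. presumably the archive sits in /data — adjust if it
# was downloaded elsewhere.
tar -zxvf kubernetes-server-linux-amd64.tar.gz
# Install the three control-plane binaries.
cd /data/kubernetes/server/bin || exit 1
cp kube-apiserver kube-controller-manager kube-scheduler /usr/bin/
# Data directories: certificates, logs, component configs.
mkdir -p /data/k8s/{ssl,logs,cfg}
# The certificates were generated in /root/TLS/k8s, not in the current
# directory, so copy them by absolute path. server-key.pem was missing from
# the original copy list (ca.pem was copied twice instead) even though the
# apiserver conf references /data/k8s/ssl/server-key.pem.
cp /root/TLS/k8s/server.pem /root/TLS/k8s/server-key.pem \
   /root/TLS/k8s/ca.pem /root/TLS/k8s/ca-key.pem /data/k8s/ssl/
# Private keys must not be readable by other users; ca-key.pem in particular
# is the cluster signing key used by the controller-manager.
chmod 600 /data/k8s/ssl/*-key.pem
touch /data/k8s/logs/k8s-audit.log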
##配置kube-apiserver.conf
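# Write the apiserver options where the unit's EnvironmentFile looks for them.
# The cwd at this point is /data/kubernetes/server/bin, so a relative
# "kube-apiserver.conf" would land in the wrong directory. The option lines
# are joined with "\" continuations; the flags take two leading dashes.
# NOTE(review): --service-account-key-file reuses the CA private key. A
# dedicated service-account key pair limits what a leaked key can do.
# NOTE(review): the first address of --service-cluster-ip-range (172.0.0.1)
# must appear in the server certificate's hosts list; server-csr.json on this
# page lists 172.16.0.1 instead — make the two agree.
cat > /data/k8s/cfg/kube-apiserver.conf <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/data/k8s/logs \
--etcd-servers=https://172.16.0.104:2379,https://172.16.0.105:2379 \
--bind-address=172.16.0.104 \
--secure-port=6443 \
--advertise-address=172.16.0.104 \
--allow-privileged=true \
--service-cluster-ip-range=172.0.0.0/16 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/data/k8s/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/data/k8s/ssl/server.pem \
--kubelet-client-key=/data/k8s/ssl/server-key.pem \
--tls-cert-file=/data/k8s/ssl/server.pem \
--tls-private-key-file=/data/k8s/ssl/server-key.pem \
--client-ca-file=/data/k8s/ssl/ca.pem \
--service-account-key-file=/data/k8s/ssl/ca-key.pem \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/server.pem \
--etcd-keyfile=/etc/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/data/k8s/logs/k8s-audit.log"
EOF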
##配置kube-apiserver.service服务
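# systemd unit for the API server. ExecStart= and its $KUBE_APISERVER_OPTS
# must be on one line (the page splits them, and a bare $KUBE_APISERVER_OPTS
# line is not a valid unit directive). Section headers are separated by
# blank lines for readability only.
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
EnvironmentFile=/data/k8s/cfg/kube-apiserver.conf
ExecStart=/usr/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF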
##生成token文件
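# Bootstrap token: 16 random bytes rendered as 32 hex characters. The value
# generated here is the one that goes into token.csv (do not paste a token
# from elsewhere). Columns: token,user,uid,"group"; the apiserver reads the
# file via --token-auth-file, and the user name must match the
# ClusterRoleBinding created below.
token=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
printf '%s,kubelet-bootstrap,10001,"system:node-bootstrapper"\n' "$token" \
  > /data/k8s/cfg/token.csv
# A static token is a long-lived credential; keep the file root-only.
chmod 600 /data/k8s/cfg/token.csv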
##启动服务
# Pick up the new unit, then enable and start the API server in one call.
systemctl daemon-reload
systemctl enable --now kube-apiserver
# A failed start is visible here.
systemctl status kube-apiserver
4.3 授权kubelet-bootstrap用户允许的请求证书
# RBAC: let the token-file user "kubelet-bootstrap" act as
# system:node-bootstrapper so kubelets can request their certificates.
# NOTE(review): --user must equal the user column of token.csv; the group
# column there (system:node-bootstrapper) would equally allow binding with
# --group instead of --user.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
4.4 安装kube-controller-manager组件
##创建conf配置文件
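# Controller-manager options (flags take two leading dashes; lines are joined
# with "\" continuations).
# NOTE(review): --service-cluster-ip-range=172.0.0.0/24 differs from the
# apiserver's 172.0.0.0/16 on this page, and both lie inside
# --cluster-cidr=172.0.0.0/16. The service range must match the apiserver
# and must not overlap the pod CIDR.
# NOTE(review): --master=127.0.0.1:8080 depends on the apiserver's
# unauthenticated localhost port, which newer releases no longer serve;
# a --kubeconfig pointing at https://127.0.0.1:6443 is the durable option.
cat > /data/k8s/cfg/kube-controller-manager.conf <<'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/data/k8s/logs \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=172.0.0.0/16 \
--service-cluster-ip-range=172.0.0.0/24 \
--cluster-signing-cert-file=/data/k8s/ssl/ca.pem \
--cluster-signing-key-file=/data/k8s/ssl/ca-key.pem \
--root-ca-file=/data/k8s/ssl/ca.pem \
--service-account-private-key-file=/data/k8s/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"
EOF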
##创建kube-controller-manager服务
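# systemd unit for the controller-manager. ExecStart= and
# $KUBE_CONTROLLER_MANAGER_OPTS belong on one line; a bare
# $KUBE_CONTROLLER_MANAGER_OPTS line is not a valid unit directive.
cat > /usr/lib/systemd/system/kube-controller-manager.service <<'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/data/k8s/cfg/kube-controller-manager.conf
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF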
##启动服务
# Reload units, then start, enable and inspect the controller-manager in the
# same order as the individual commands.
systemctl daemon-reload
for action in start enable status; do
  systemctl "$action" kube-controller-manager
done
4.5 安装kube-scheduler组件
##创建kube-scheduler.conf配置文件
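# Scheduler options (flags take two leading dashes; lines joined with "\").
# NOTE(review): --master=127.0.0.1:8080 depends on the apiserver's
# unauthenticated localhost port, which newer releases no longer serve;
# a --kubeconfig pointing at https://127.0.0.1:6443 is the durable option.
cat > /data/k8s/cfg/kube-scheduler.conf <<'EOF'
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/data/k8s/logs \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
EOF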
##创建kube-scheduler.service服务
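# systemd unit for the scheduler. ExecStart= and $KUBE_SCHEDULER_OPTS belong
# on one line; a bare $KUBE_SCHEDULER_OPTS line is not a valid unit directive.
cat > /usr/lib/systemd/system/kube-scheduler.service <<'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
User=root
EnvironmentFile=/data/k8s/cfg/kube-scheduler.conf
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF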
##启动服务
# Reload units and bring up the scheduler; the service name is held in a
# variable so the four calls read uniformly.
svc=kube-scheduler
systemctl daemon-reload
systemctl start "$svc"
systemctl enable "$svc"
systemctl status "$svc"
##查看集群状态
[root@k8s-master cfg]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
参考文档:
##k8s集群安装
https://www.cnblogs.com/xulan0922/p/14583596.html
##token文件
https://blog.csdn.net/linux_player_c/article/details/79844345