  • k8s集群---apiserver,controller-manager,scheduler部署

    #证书自签名脚本
    root@k8s-master: ~/k8s/k8s-cert 14:06:06
    $ cat k8s-cert.sh 
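    #!/bin/bash
    # Generate the cluster CA and the server / admin / kube-proxy certificates with cfssl.
    # Outputs, in the current directory: ca.pem, ca-key.pem, server.pem, server-key.pem,
    # admin.pem, admin-key.pem, kube-proxy.pem, kube-proxy-key.pem and the matching *.csr.
    set -euo pipefail

    # Each "cfssl | cfssljson" pipeline below would otherwise write empty or partial
    # files if cfssl is missing; check both tools up front.
    for tool in cfssl cfssljson; do
      command -v "$tool" >/dev/null 2>&1 || { printf 'required tool not found: %s\n' "$tool" >&2; exit 1; }
    done

    # CA signing policy: one "kubernetes" profile used for every cert below.
    # 87600h is 10 years; the same profile allows both server auth and client auth.
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF

    # Subject of the self-signed root CA.
    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    # Root CA -> ca.pem / ca-key.pem
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    #-----------------------
    # hosts: the SLB node IP, the master node IP(s), then the node IPs. Spare node
    # IPs are listed up front so that adding nodes later does not require reissuing
    # the apiserver certificate. 10.0.0.1 is the in-cluster address of the
    # "kubernetes" Service (first address of the 10.0.0.0/24 service range), and the
    # kubernetes.default.* names are what in-cluster clients use to reach it.
    cat > server-csr.json <<EOF
    {
        "CN": "kubernetes",
        "hosts": [
          "10.0.0.1",
          "127.0.0.1",
          "192.168.1.63",
          "192.168.1.64",
          "192.168.1.65",
          "192.168.1.66",
          "192.168.1.60",
          "192.168.1.61",
         "192.168.1.62",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    # apiserver serving cert -> server.pem / server-key.pem
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

    #-----------------------
    # kubectl admin client cert. O=system:masters is the group Kubernetes RBAC binds
    # to cluster-admin, so admin-key.pem is a full-privilege credential: keep it on
    # the master only and do not copy it to nodes.
    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

    #-----------------------
    # kube-proxy client cert; CN system:kube-proxy is the identity it authenticates as.
    cat > kube-proxy-csr.json <<EOF
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

    # Private keys are long-lived credentials; make sure they are owner-readable only
    # regardless of the umask this script ran under.
    chmod 0600 -- ./*-key.pem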
    root@k8s-master: ~/k8s/k8s-cert 14:06:12
    $ 
    
    
    
    1. kube-apiserver
    2. kube-controller-manager
    3. kube-scheduler
    配置文件 -> systemd管理组件 -> 启动
     
    ==================================================kube-apiserver==================================================


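    # Create the TLS bootstrapping token that kubelets present to the apiserver
    # (--token-auth-file=/opt/kubernetes/cfg/token.csv in apiserver.sh).
    # Generate it per cluster instead of pasting a fixed value: anyone holding the
    # token can authenticate as kubelet-bootstrap and request node certificates.
    # NOTE(review): the node-side bootstrap kubeconfig must carry this same value;
    # that step is not part of this snippet.
    BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')

    # token.csv format: token,user,uid,"group"
    cat > token.csv <<EOF
    ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    EOF
    # The file is a credential: restrict it before it reaches the config directory.
    chmod 0600 token.csv
    mv token.csv /opt/kubernetes/cfg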

    2,部署kube-apiserver
    (1)创建apiserver的文件存放目录
    root@k8s-master: ~/soft 14:09:51
    $ mkdir /opt/kubernetes/{bin,ssl,cfg} -p
    
    (2)解压tar包,将核心组件复制到/opt/kubernetes/bin下kube-apiserver,kube-controller-manager,kube-scheduler
    root@k8s-master: ~/soft 14:11:12
    $ tar zxvf kubernetes-server-linux-amd64.tar.gz
    root@k8s-master: ~ 14:17:18
    $ cd /root/soft/kubernetes/server/bin
    root@k8s-master: ~/soft/kubernetes/server/bin 14:19:23
    $ cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
    
    (3)kube-apiserver配置文件脚本
    root@k8s-master: ~/k8s 14:21:49
    $ cat apiserver.sh 
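    #!/bin/bash
    # Write /opt/kubernetes/cfg/kube-apiserver and the kube-apiserver systemd unit,
    # then enable and (re)start the service.
    # Usage: apiserver.sh <master-ip> <etcd-endpoints>
    #   $1 - master node IP, used as bind and advertise address
    #   $2 - comma-separated etcd endpoints, e.g. https://192.168.1.63:2379,https://192.168.1.65:2379
    set -euo pipefail

    usage() { printf 'Usage: %s <master-ip> <etcd-servers>\n' "${0##*/}" >&2; exit 2; }
    (( $# == 2 )) || usage

    # master node IP address, passed in as $1
    MASTER_ADDRESS=$1
    # all etcd node endpoints, passed in as $2
    ETCD_SERVERS=$2

    # Flag notes, kept OUT of the heredoc on purpose: a '#' line inside the quoted
    # KUBE_APISERVER_OPTS value is not a comment, it becomes part of the option
    # string handed to the binary.
    #   --logtostderr=true      log to stderr/journal (default). Set it to false and
    #                           add --log-dir=/opt/kubernetes/logs to write log files.
    #   --v=4                   log verbosity; a higher level produces more output.
    #   --service-cluster-ip-range / --service-node-port-range
    #                           virtual IP range for Services and the NodePort range.
    #   --enable-bootstrap-token-auth / --token-auth-file
    #                           the token in token.csv authenticates kubelets while
    #                           they bootstrap their own client certificates.
    #   --tls-cert-file / --tls-private-key-file
    #                           the apiserver's self-signed serving certificate.
    #   --client-ca-file        CA used to verify client certificates.
    #   --etcd-cafile / --etcd-certfile / --etcd-keyfile
    #                           etcd's self-signed certificates, since etcd is served over https.
    # NOTE(review): --service-account-key-file points at the CA private key, so the
    # CA key doubles as the service-account token key (controller-manager signs with
    # the same file). A dedicated key pair for service accounts is the safer layout;
    # left unchanged here so the existing cluster keeps working.
    cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --etcd-servers=${ETCD_SERVERS} \
    --bind-address=${MASTER_ADDRESS} \
    --secure-port=6443 \
    --advertise-address=${MASTER_ADDRESS} \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --service-node-port-range=30000-50000 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --kubelet-https=true \
    --enable-bootstrap-token-auth \
    --token-auth-file=/opt/kubernetes/cfg/token.csv \
    --tls-cert-file=/opt/kubernetes/ssl/server.pem  \
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
    --client-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/opt/etcd/ssl/ca.pem \
    --etcd-certfile=/opt/etcd/ssl/server.pem \
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem"

    EOF

    # systemd unit for the apiserver. The delimiter is quoted so that
    # $KUBE_APISERVER_OPTS reaches the unit file literally and systemd expands it
    # from EnvironmentFile; with an unquoted heredoc the shell expands it here,
    # where it is unset, and ExecStart ends up with no options at all.
    cat <<'EOF' >/usr/lib/systemd/system/kube-apiserver.service
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
    ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload
    systemctl enable kube-apiserver
    systemctl restart kube-apiserver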
    root@k8s-master: ~/k8s 14:21:51
    $ 
    
    (4)将apiserver自签名证书移动到/opt/kubernetes/ssl
    root@k8s-master: /opt/kubernetes/ssl 15:11:40
    $ pwd
    /opt/kubernetes/ssl
    root@k8s-master: /opt/kubernetes/ssl 15:11:42
    $ ls
    ca-key.pem  ca.pem  server-key.pem  server.pem
    root@k8s-master: /opt/kubernetes/ssl 15:11:42
    $ 
    
    (5)复制apiserver自签名证书到/opt/kubernetes/ssl
    执行脚本
    root@k8s-master: ~/k8s 14:47:17
    $ ./apiserver.sh 192.168.1.63 https://192.168.1.63:2379,https://192.168.1.65:2379,https://192.168.1.66:2379
    
    (6)验证apiserver是否启动成功
    root@k8s-master: /opt/kubernetes/ssl 15:12:50
    $ netstat -lntup |grep 8080
    tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      3972/kube-apiserver 
    root@k8s-master: /opt/kubernetes/ssl 15:12:52
    root@k8s-master: /opt/kubernetes/ssl 15:13:21
    $ ps -ef|grep kube
    root      3972     1  1 11:57 ?        00:03:14 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.1.63:2379,https://192.168.1.65:2379,https://192.168.1.66:2379 --bind-address=192.168.1.63 --secure-port=6443 --advertise-address=192.168.1.63 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
    root      4091     1  0 12:07 ?        00:01:00 /opt/kubernetes/bin/kube-scheduler --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect
    root      4096     1  0 12:07 ?        00:01:32 /opt/kubernetes/bin/kube-controller-manager --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=87600h0m0s
    root      5899  5763  0 15:13 pts/0    00:00:00 grep --color=auto kube
    root@k8s-master: /opt/kubernetes/ssl 15:13:26
    $ 
    ####报错排查方式
    $ source /opt/kubernetes/cfg/kube-apiserver   
    $ /opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    
    ==================================================kube-controller-manager==================================================
    
    root@k8s-master: ~/k8s 15:15:44
    $ cat controller-manager.sh 
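    #!/bin/bash
    # Write /opt/kubernetes/cfg/kube-controller-manager and its systemd unit, then
    # enable and (re)start the service.
    # Usage: controller-manager.sh <master-ip>
    #   $1 - master node IP the controller manager connects to
    set -euo pipefail

    usage() { printf 'Usage: %s <master-ip>\n' "${0##*/}" >&2; exit 2; }
    (( $# == 1 )) || usage

    # master node IP address, passed in as $1
    MASTER_ADDRESS=$1

    # Flag notes, kept OUT of the heredoc on purpose: a '#' line inside the quoted
    # KUBE_CONTROLLER_MANAGER_OPTS value is not a comment, it becomes part of the
    # option string handed to the binary.
    #   --master=<ip>:8080      apiserver endpoint.
    #                           NOTE(review): 8080 is the apiserver's insecure
    #                           (plaintext, unauthenticated) port, bound to 127.0.0.1
    #                           unless --insecure-bind-address is set. With a
    #                           non-loopback $1 this connection will fail, and
    #                           127.0.0.1 is also the safer choice because it keeps
    #                           unauthenticated traffic on the host.
    #   --leader-elect=true     leader election, so several instances can run for HA.
    #   --address=127.0.0.1     this service only needs to talk to the local apiserver.
    #   --cluster-signing-cert-file / --cluster-signing-key-file
    #                           CA used to issue certificates to bootstrapping kubelets.
    #   --experimental-cluster-signing-duration
    #                           lifetime of those issued certificates (87600h = 10 years).
    cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
    --v=4 \
    --master=${MASTER_ADDRESS}:8080 \
    --leader-elect=true \
    --address=127.0.0.1 \
    --service-cluster-ip-range=10.0.0.0/24 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
    --root-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --experimental-cluster-signing-duration=87600h0m0s"

    EOF

    # systemd unit for the controller manager. Quoted delimiter: the shell must not
    # expand $KUBE_CONTROLLER_MANAGER_OPTS here (it is unset in this script);
    # systemd expands it from EnvironmentFile at start time.
    cat <<'EOF' >/usr/lib/systemd/system/kube-controller-manager.service
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
    ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload
    systemctl enable kube-controller-manager
    systemctl restart kube-controller-manager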
    root@k8s-master: ~/k8s 15:15:46
    $ 
    
    
    
    
    
    ==================================================kube-scheduler==================================================
    
    root@k8s-master: ~/k8s 15:46:04
    $ cat scheduler.sh 
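    #!/bin/bash
    # Write /opt/kubernetes/cfg/kube-scheduler and its systemd unit, then enable and
    # (re)start the service.
    # Usage: scheduler.sh <master-ip>
    #   $1 - master node IP the scheduler connects to
    set -euo pipefail

    usage() { printf 'Usage: %s <master-ip>\n' "${0##*/}" >&2; exit 2; }
    (( $# == 1 )) || usage

    # master node IP address, passed in as $1
    MASTER_ADDRESS=$1

    # Scheduler options: logging, the apiserver endpoint, and leader election.
    # NOTE(review): 8080 is the apiserver's insecure (plaintext, unauthenticated)
    # port, bound to 127.0.0.1 unless --insecure-bind-address is set; a non-loopback
    # $1 will not connect, and 127.0.0.1 keeps unauthenticated traffic on the host.
    cat <<EOF >/opt/kubernetes/cfg/kube-scheduler

    KUBE_SCHEDULER_OPTS="--logtostderr=true \
    --v=4 \
    --master=${MASTER_ADDRESS}:8080 \
    --leader-elect"

    EOF

    # systemd unit for the scheduler. Quoted delimiter: the shell must not expand
    # $KUBE_SCHEDULER_OPTS here (it is unset in this script); systemd expands it
    # from EnvironmentFile at start time.
    cat <<'EOF' >/usr/lib/systemd/system/kube-scheduler.service
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
    ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload
    systemctl enable kube-scheduler
    systemctl restart kube-scheduler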
    
    
    
    
    ==================================================kubectl==================================================
    部署完成验证
    root@k8s-master: ~/k8s 15:47:29
    $ cp /root/soft/kubernetes/server/bin/kubectl /usr/bin/
    #检查当前集群节点的健康状态
    $ kubectl get cs
    NAME                 STATUS    MESSAGE             ERROR
    scheduler            Healthy   ok                  
    controller-manager   Healthy   ok                  
    etcd-0               Healthy   {"health":"true"}   
    etcd-2               Healthy   {"health":"true"}   
    etcd-1               Healthy   {"health":"true"}   
    root@k8s-master: ~/k8s 15:48:14
    $ 
    
    ###ps:cs为缩写
  • 原文地址:https://www.cnblogs.com/Carr/p/10559983.html