kube-apiserver集群规划
| 主机名 | 角色 | IP地址 |
|---|---|---|
| mfyxw30.mfxyw.com | kube-apiserver主 | 192.168.80.30 |
| mfyxw40.mfyxw.com | kube-apiserver从 | 192.168.80.40 |
温馨提示:这里部署文档以mfyxw30.mfyxw.com主机为例,另外两台主机安装部署方法类似
1.下载kubernetes软件
kubernetes的github链接:https://github.com/kubernetes
kubernetes-v1.15.10链接地址:https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz
可以登录mfyxw30服务器下载
wget https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz
#发现国内没有办法下载。只能自己想办法了。我下载好的kubernetes-v1.15.10上传到网盘
k8s-v1.15.10网盘地址
链接:https://pan.baidu.com/s/1qL_su3YppyyBGz-loKSHfg
提取码:3kfx
2.把kubernetes上传服务器,解压,软连接
#mfyxw30和mfyxw40都需要执行此操作,以mfyxw30为例
[root@mfyxw30 ~]#tar xf kubernetes-server-linux-amd64.tar.gz -C /opt
[root@mfyxw30 ~]#cd /opt
[root@mfyxw30 opt]#mv kubernetes kubernetes-v1.15.10
[root@mfyxw30 opt]#ln -s kubernetes-v1.15.10 kubernetes
3.删除kuberneters包不需要的文件
在mfyxw30主机上删除kubernetes包不需要的文件
[root@mfyxw30 ~]#cd /opt/kubernetes/server/bin
#tar后缀的是容器镜像包,不是采用kubeadm来安装,故可以删除
[root@mfyxw30 bin]#rm -fr *.tar
[root@mfyxw30 bin]#rm -fr *_tag
#kubernetes-src.tar.gz是kubernetes的go语言写的源码包,在此用不到
[root@mfyxw30 bin]#rm -fr /opt/kubernetes/kubernetes-src.tar.gz
在mfyxw40主机上删除kubernetes包不需要的文件
[root@mfyxw40 ~]#cd /opt/kubernetes/server/bin
#tar后缀的是容器镜像包,不是采用kubeadm来安装,故可以删除
[root@mfyxw40 bin]#rm -fr *.tar
[root@mfyxw40 bin]#rm -fr *_tag
#kubernetes-src.tar.gz是kubernetes的go语言写的源码包,在此用不到
[root@mfyxw40 bin]#rm /opt/kubernetes/kubernetes-src.tar.gz
4.创建生成证书签名请求(csr)的JSON配置文件
签发Client证书:apiserver和etcd集群间通信用的证书,在这个通信过程中,etcd是服务端,apiserver是客户端
#生成client证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行
[root@mfyxw50 ~]#cat > /opt/certs/client-csr.json << EOF
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "od",
"OU": "ops"
}
]
}
EOF
5.生成client证书和私钥
#需要在签发证书主机mfyxw50上执行
[root@mfyxw50 ~]#cd /opt/certs
[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client
6.创建生成kube-apiserver证书签名请求(csr)的JSON配置文件
#生成kube-apiserver证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行
[root@mfyxw50 ~]# cat > /opt/certs/apiserver-csr.json << EOF
{
"CN": "apiserver",
"hosts": [
"127.0.0.1",
"172.16.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"192.168.80.100",
"192.168.80.20",
"192.168.80.30",
"192.168.80.40"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "od",
"OU": "ops"
}
]
}
EOF
7.生成kube-apiserver证书和私钥
#需要在签发证书主机mfyxw50上执行
[root@mfyxw50 ~]#cd /opt/certs
[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssljson -bare apiserver
8.将生成的证书复制至各运算节点
#在mfyxw30主机上创建certs目录
[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/cert
#在mfyxw40主机上创建cert目录
[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/cert
#在mfyxw50(证书签发主机)上把证书和私钥分别复制至mfyxw30和mfyxw40主机下/opt/kubernetes/server/bin/cert目录
[root@mfyxw50 ~]#cd /opt/certs/
[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw30:/opt/kubernetes/server/bin/cert/
[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw40:/opt/kubernetes/server/bin/cert/
9.查看复制过去的私钥的权限
#分别需要在mfyxw30和mfyxw40主机上查看,在此以mfyxw30截图为例,如果权限不是600,请修改为600
[root@mfyxw30 ~]#ls -l /opt/kubernetes/server/bin/cert/
[root@mfyxw40 ~]#ls -l /opt/kubernetes/server/bin/cert/
10.创建审计日志记录和采集配置文件
分别在mfyxw30和mfyxw40的路径/opt/kubernetes/server/bin/下创建conf目录
[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/conf
[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/conf
1.在mfyxw30主机上创建审计日志记录和采集配置文件
[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
EOF
2.在mfyxw40主机上创建审计日志记录和采集配置文件
[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
EOF
11.创建kube-apiserver启动脚本
在主机mfyxw30上创建kube-apiserver启动脚本
[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF
#!/bin/bash
./kube-apiserver
--apiserver-count 2
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log
--audit-policy-file ./conf/audit.yaml
--authorization-mode RBAC
--client-ca-file ./cert/ca.pem
--requestheader-client-ca-file ./cert/ca.pem
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
--etcd-cafile ./cert/ca.pem
--etcd-certfile ./cert/client.pem
--etcd-keyfile ./cert/client-key.pem
--etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379
--service-account-key-file ./cert/ca-key.pem
--service-cluster-ip-range 172.16.0.0/16
--service-node-port-range 3000-29999
--target-ram-mb=1024
--kubelet-client-certificate ./cert/client.pem
--kubelet-client-key ./cert/client-key.pem
--log-dir /data/logs/kubernetes/kube-apiserver
--tls-cert-file ./cert/apiserver.pem
--tls-private-key-file ./cert/apiserver-key.pem
--v 2
EOF
在主机mfyxw40上创建kube-apiserver启动脚本
[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF
#!/bin/bash
./kube-apiserver
--apiserver-count 2
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log
--audit-policy-file ./conf/audit.yaml
--authorization-mode RBAC
--client-ca-file ./cert/ca.pem
--requestheader-client-ca-file ./cert/ca.pem
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
--etcd-cafile ./cert/ca.pem
--etcd-certfile ./cert/client.pem
--etcd-keyfile ./cert/client-key.pem
--etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379
--service-account-key-file ./cert/ca-key.pem
--service-cluster-ip-range 172.16.0.0/16
--service-node-port-range 3000-29999
--target-ram-mb=1024
--kubelet-client-certificate ./cert/client.pem
--kubelet-client-key ./cert/client-key.pem
--log-dir /data/logs/kubernetes/kube-apiserver
--tls-cert-file ./cert/apiserver.pem
--tls-private-key-file ./cert/apiserver-key.pem
--v 2
EOF
12.调整权限和创建存放kupe-apiserver日志的目录
分别在mfyxw30和mfyxw40主机上对kube-apiserver.sh文件添加可执行权限,并创建存放kube-apiserver的日志文件的目录,以mfyxw30的截图为例
[root@mfyxw30 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@mfyxw30 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver
[root@mfyxw40 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@mfyxw40 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver
13.创建supervisor配置文件
为mfyxw30主机创建supervisor配置文件
[root@mfyxw30 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF
[program:kube-apiserver-80-30]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=false ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4 ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false ; emit events on stderr writes (default false)
EOF
为mfyxw40主机创建supervisor配置文件
[root@mfyxw40 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF
[program:kube-apiserver-80-40]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=false ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4 ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false ; emit events on stderr writes (default false)
EOF
14.启动supervisor服务并检查
在mfyxw30主机上,启动supervisor服务并检查,以mfyxw30图片为例,另一台机器同样方法启动服务和查看
[root@mfyxw30 ~]#supervisorctl update
[root@mfyxw30 ~]#supervisorctl status
[root@mfyxw30 ~]# netstat -luntp | grep api
在mfyxw40主机上,启动supervisor服务并检查
[root@mfyxw40 ~]#supervisorctl update
[root@mfyxw40 ~]#supervisorctl status
[root@mfyxw40 ~]# netstat -luntp | grep api
