apiserver的部署
api-server的部署脚本 [root@mast-1 k8s]# cat apiserver.sh #!/bin/bash MASTER_ADDRESS=$1 主节点IP ETCD_SERVERS=$2 etcd地址 cat <<EOF >/opt/kubernetes/cfg/kube-apiserver KUBE_APISERVER_OPTS="--logtostderr=true \ --v=4 \ --etcd-servers=${ETCD_SERVERS} \ --bind-address=${MASTER_ADDRESS} \ --secure-port=6443 \ --advertise-address=${MASTER_ADDRESS} \ --allow-privileged=true \ --service-cluster-ip-range=10.0.0.0/24 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ --kubelet-https=true \ --enable-bootstrap-token-auth \ --token-auth-file=/opt/kubernetes/cfg/token.csv \ --service-node-port-range=30000-50000 \ --tls-cert-file=/opt/kubernetes/ssl/server.pem \ --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \ --client-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ --etcd-cafile=/opt/etcd/ssl/ca.pem \ --etcd-certfile=/opt/etcd/ssl/server.pem \ --etcd-keyfile=/opt/etcd/ssl/server-key.pem" EOF cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-apiserver systemctl restart kube-apiserver
下载二进制包
[root@mast-1 k8s]# wget https://dl.k8s.io/v1.10.13/kubernetes-server-linux-amd64.tar.gz
解压安装
[root@mast-1 k8s]# tar xf kubernetes-server-linux-amd64.tar.gz [root@mast-1 k8s]# cd kubernetes/server/bin/ [root@mast-1 bin]# ls apiextensions-apiserver cloud-controller-manager.tar kube-apiserver kube-controller-manager kubectl kube-proxy.docker_tag kube-scheduler.docker_tag cloud-controller-manager hyperkube kube-apiserver.docker_tag kube-controller-manager.docker_tag kubelet kube-proxy.tar kube-scheduler.tar cloud-controller-manager.docker_tag kubeadm kube-apiserver.tar kube-controller-manager.tar kube-proxy kube-scheduler mounter [root@mast-1 ~]# mkdir /opt/kubernetes/{cfg,ssl,bin} -pv mkdir: 已创建目录 "/opt/kubernetes" mkdir: 已创建目录 "/opt/kubernetes/cfg" mkdir: 已创建目录 "/opt/kubernetes/ssl" mkdir: 已创建目录 "/opt/kubernetes/bin" [root@mast-1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/ [root@mast-1 k8s]# ./apiserver.sh 192.168.10.11 https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 [root@mast-1 k8s]# cd /opt/kubernetes/cfg/ [root@mast-1 cfg]# vi kube-apiserver KUBE_APISERVER_OPTS="--logtostderr=false --log-dir=/opt/kubernetes/logs 定义日志目录;注意创建此目录 --v=4 --etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 绑定的IP地址 --secure-port=6443 端口基于https通信的 --advertise-address=192.168.10.11 集群通告地址;其他节点访问通告这个IP --allow-privileged=true 容器层的授权 --service-cluster-ip-range=10.0.0.0/24 负责均衡的虚拟IP --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction 启用准入插件;决定是否要启用一些高级功能 --authorization-mode=RBAC,Node 认证模式 --kubelet-https=true api-server主动访问kubelet是使用https协议 --enable-bootstrap-token-auth 认证客户端并实现自动颁发证书 --token-auth-file=/opt/kubernetes/cfg/token.csv 指定token文件 --service-node-port-range=30000-50000 node认证端口范围 --tls-cert-file=/opt/kubernetes/ssl/server.pem apiserver 证书文件 --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem ca证书 --etcd-cafile=/opt/etcd/ssl/ca.pem etcd 证书 --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
生成证书与token文件
[root@mast-1 k8s]# cat k8s-cert.sh cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- cat > server-csr.json <<EOF { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "10.206.176.19", master IP "10.206.240.188", LB;node节点不用写,写上也不错 "10.206.240.189", LB: "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server #----------------------- cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin #----------------------- cat > kube-proxy-csr.json <<EOF { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy [root@mast-1 k8s]# bash k8s-cert.sh 2019/04/22 18:05:08 [INFO] generating a new CA key and certificate from CSR 2019/04/22 18:05:08 [INFO] generate received request 2019/04/22 18:05:08 [INFO] received CSR 2019/04/22 18:05:08 [INFO] generating key: rsa-2048 2019/04/22 18:05:09 [INFO] encoded CSR 2019/04/22 18:05:09 [INFO] signed certificate with serial number 631400127737303589248201910249856863284562827982 2019/04/22 18:05:09 [INFO] generate received request 2019/04/22 18:05:09 [INFO] received CSR 2019/04/22 18:05:09 [INFO] generating key: rsa-2048 2019/04/22 18:05:10 [INFO] encoded CSR 2019/04/22 18:05:10 [INFO] signed certificate with serial number 99345466047844052770348056449571016254842578399 2019/04/22 18:05:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). 2019/04/22 18:05:10 [INFO] generate received request 2019/04/22 18:05:10 [INFO] received CSR 2019/04/22 18:05:10 [INFO] generating key: rsa-2048 2019/04/22 18:05:11 [INFO] encoded CSR 2019/04/22 18:05:11 [INFO] signed certificate with serial number 309283889504556884051139822527420141544215396891 2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). 2019/04/22 18:05:11 [INFO] generate received request 2019/04/22 18:05:11 [INFO] received CSR 2019/04/22 18:05:11 [INFO] generating key: rsa-2048 2019/04/22 18:05:11 [INFO] encoded CSR 2019/04/22 18:05:11 [INFO] signed certificate with serial number 286610519064253595846587034459149175950956557113 2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). [root@mast-1 k8s]# ls admin.csr apiserver.sh ca-key.pem etcd-cert.sh kube-proxy.csr kubernetes scheduler.sh server.pem admin-csr.json ca-config.json ca.pem etcd.sh kube-proxy-csr.json kubernetes-server-linux-amd64.tar.gz server.csr admin-key.pem ca.csr controller-manager.sh k8s-cert kube-proxy-key.pem kubernetes.tar.gz server-csr.json admin.pem ca-csr.json etcd-cert k8s-cert.sh kube-proxy.pem master.zip
生成token文件
[root@mast-1 k8s]# cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/ [root@mast-1 k8s]#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008 [root@mast-1 k8s]#cat > token.csv <<EOF ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" EOF [root@mast-1 k8s]# cat token.csv 0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap" [root@mast-1 k8s]# mv token.csv /opt/kubernetes/cfg/
启动apiserver
[root@mast-1 k8s]# systemctl start kube-apiserver [root@mast-1 k8s]# ps -ef | grep apiserver root 3264 1 99 20:35 ? 00:00:01 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --etcd-servers=https://192.168.10.11:2379,https:/ /192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 --secure-port=6443 --advertise-address=192.168.10.11 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pemroot 3274 1397 0 20:35 pts/0 00:00:00 grep --color=auto apiserver
生成配置文件并启动controller-manager
[root@mast-1 k8s]# cat controller-manager.sh #!/bin/bash MASTER_ADDRESS=$1 cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \ 日志配置 --v=4 \ --master=${MASTER_ADDRESS}:8080 \ apimaster端口 --leader-elect=true \ --address=127.0.0.1 \ --service-cluster-ip-range=10.0.0.0/24 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --experimental-cluster-signing-duration=87600h0m0s" EOF cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-controller-manager systemctl restart kube-controller-manager [root@mast-1 k8s]# bash controller-manager.sh 127.0.0.1 输入masterIP [root@mast-1 k8s]# ss -lntp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 192.168.10.11:6443 *:* users:(("kube-apiserver",pid=7604,fd=6))LISTEN 0 128 192.168.10.11:2379 *:* users:(("etcd",pid=1428,fd=7))LISTEN 0 128 127.0.0.1:2379 *:* users:(("etcd",pid=1428,fd=6))LISTEN 0 128 127.0.0.1:10252 *:* users:(("kube-controller",pid=7593,fd=3))LISTEN 0 128 192.168.10.11:2380 *:* users:(("etcd",pid=1428,fd=5))LISTEN 0 128 127.0.0.1:8080 *:* users:(("kube-apiserver",pid=7604,fd=5))LISTEN 0 128 *:22 *:* users:(("sshd",pid=902,fd=3))LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1102,fd=13))LISTEN 0 128 :::10257 :::* users:(("kube-controller",pid=7593,fd=5))LISTEN 0 128 :::22 :::* users:(("sshd",pid=902,fd=4))LISTEN 0 100 ::1:25 :::* users:(("master",pid=1102,fd=14))
生成配置文件,并启动scheduler
[root@mast-1 k8s]# cat scheduler.sh #!/bin/bash MASTER_ADDRESS=$1 cat <<EOF >/opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true \ --v=4 \ --master=${MASTER_ADDRESS}:8080 \ --leader-elect" EOF cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-scheduler systemctl restart kube-scheduler [root@mast-1 k8s]# bash scheduler.sh 127.0.0.1 [root@mast-1 k8s]# ss -lntp State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 192.168.10.11:2379 *:* users:(("etcd",pid=1428,fd=7))LISTEN 0 128 127.0.0.1:2379 *:* users:(("etcd",pid=1428,fd=6))LISTEN 0 128 127.0.0.1:10252 *:* users:(("kube-controller",pid=7809,fd=3))LISTEN 0 128 192.168.10.11:2380 *:* users:(("etcd",pid=1428,fd=5))LISTEN 0 128 *:22 *:* users:(("sshd",pid=902,fd=3))LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1102,fd=13))LISTEN 0 128 :::10251 :::* users:(("kube-scheduler",pid=8073,fd=3))LISTEN 0 128 :::10257 :::* users:(("kube-controller",pid=7809,fd=5))LISTEN 0 128 :::22 :::* users:(("sshd",pid=902,fd=4))LISTEN 0 100 ::1:25 :::* users:(("master",pid=1102,fd=14))
配置文件
[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 API连接地址 --leader-elect=true 自动做高可用选举 --address=127.0.0.1 地址,不对外提供服务 --service-cluster-ip-range=10.0.0.0/24 地址范围与apiserver配置一样 --cluster-name=kubernetes 名字 --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem 签名 --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem 签名 --root-ca-file=/opt/kubernetes/ssl/ca.pem 根证书 --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=87600h0m0s" 有效时间
配置文件
[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
将客户端工具复制到/usr/bin目录下
[root@mast-1 k8s]# cp kubernetes/server/bin/kubectl /usr/bin/
查看集群状态
[root@mast-1 k8s]# kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok etcd-2 Healthy {"health":"true"} etcd-1 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"} controller-manager Healthy ok