zoukankan      html  css  js  c++  java
  • k8s集群之master节点部署

    apiserver的部署

        

    api-server的部署脚本
    [root@mast-1 k8s]# cat apiserver.sh 
    #!/bin/bash
    
    MASTER_ADDRESS=$1   主节点IP
    ETCD_SERVERS=$2        etcd地址
    
    cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
    
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --etcd-servers=${ETCD_SERVERS} \
    --bind-address=${MASTER_ADDRESS} \
    --secure-port=6443 \
    --advertise-address=${MASTER_ADDRESS} \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --kubelet-https=true \
    --enable-bootstrap-token-auth \
    --token-auth-file=/opt/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/opt/kubernetes/ssl/server.pem  \
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
    --client-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/opt/etcd/ssl/ca.pem \
    --etcd-certfile=/opt/etcd/ssl/server.pem \
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
    
    EOF
    
    cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
    ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    systemctl daemon-reload
    systemctl enable kube-apiserver
    systemctl restart kube-apiserver
    

      下载二进制包

    [root@mast-1 k8s]# wget https://dl.k8s.io/v1.10.13/kubernetes-server-linux-amd64.tar.gz
    

      解压安装

    [root@mast-1 k8s]# tar xf kubernetes-server-linux-amd64.tar.gz 
    [root@mast-1 k8s]# cd kubernetes/server/bin/
    [root@mast-1 bin]# ls
    apiextensions-apiserver              cloud-controller-manager.tar  kube-apiserver             kube-controller-manager             kubectl     kube-proxy.docker_tag  kube-scheduler.docker_tag
    cloud-controller-manager             hyperkube                     kube-apiserver.docker_tag  kube-controller-manager.docker_tag  kubelet     kube-proxy.tar         kube-scheduler.tar
    cloud-controller-manager.docker_tag  kubeadm                       kube-apiserver.tar         kube-controller-manager.tar         kube-proxy  kube-scheduler         mounter
    [root@mast-1 ~]# mkdir /opt/kubernetes/{cfg,ssl,bin} -pv
    mkdir: 已创建目录 "/opt/kubernetes"
    mkdir: 已创建目录 "/opt/kubernetes/cfg"
    mkdir: 已创建目录 "/opt/kubernetes/ssl"
    mkdir: 已创建目录 "/opt/kubernetes/bin"
    [root@mast-1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
    [root@mast-1 k8s]# ./apiserver.sh 192.168.10.11 https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379
    [root@mast-1 k8s]# cd /opt/kubernetes/cfg/
    [root@mast-1 cfg]# vi kube-apiserver 
    KUBE_APISERVER_OPTS="--logtostderr=false 
    --log-dir=/opt/kubernetes/logs     定义日志目录;注意创建此目录
    --v=4 
    --etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 
    --bind-address=192.168.10.11    绑定的IP地址
    --secure-port=6443    端口基于https通信的
    --advertise-address=192.168.10.11     集群通告地址;其他节点访问通告这个IP
    --allow-privileged=true        容器层的授权
    --service-cluster-ip-range=10.0.0.0/24    负责均衡的虚拟IP
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction   启用准入插件;决定是否要启用一些高级功能
    --authorization-mode=RBAC,Node     认证模式
    --kubelet-https=true   api-server主动访问kubelet是使用https协议
    --enable-bootstrap-token-auth    认证客户端并实现自动颁发证书
    --token-auth-file=/opt/kubernetes/cfg/token.csv       指定token文件
    --service-node-port-range=30000-50000    node认证端口范围
    --tls-cert-file=/opt/kubernetes/ssl/server.pem     apiserver 证书文件
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem 
    --client-ca-file=/opt/kubernetes/ssl/ca.pem 
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem    ca证书
    --etcd-cafile=/opt/etcd/ssl/ca.pem    etcd   证书
    --etcd-certfile=/opt/etcd/ssl/server.pem 
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
    

      生成证书与token文件

    [root@mast-1 k8s]# cat k8s-cert.sh 
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF
    
    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
          	    "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    
    #-----------------------
    
    cat > server-csr.json <<EOF
    {
        "CN": "kubernetes",
        "hosts": [
          "10.0.0.1",
          "127.0.0.1",
          "10.206.176.19",  master IP
          "10.206.240.188",  LB;node节点不用写,写上也不错
          "10.206.240.189",  LB:
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
    
    #-----------------------
    
    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
    
    #-----------------------
    
    cat > kube-proxy-csr.json <<EOF
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
    [root@mast-1 k8s]# bash k8s-cert.sh 
    2019/04/22 18:05:08 [INFO] generating a new CA key and certificate from CSR
    2019/04/22 18:05:08 [INFO] generate received request
    2019/04/22 18:05:08 [INFO] received CSR
    2019/04/22 18:05:08 [INFO] generating key: rsa-2048
    2019/04/22 18:05:09 [INFO] encoded CSR
    2019/04/22 18:05:09 [INFO] signed certificate with serial number 631400127737303589248201910249856863284562827982
    2019/04/22 18:05:09 [INFO] generate received request
    2019/04/22 18:05:09 [INFO] received CSR
    2019/04/22 18:05:09 [INFO] generating key: rsa-2048
    2019/04/22 18:05:10 [INFO] encoded CSR
    2019/04/22 18:05:10 [INFO] signed certificate with serial number 99345466047844052770348056449571016254842578399
    2019/04/22 18:05:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    2019/04/22 18:05:10 [INFO] generate received request
    2019/04/22 18:05:10 [INFO] received CSR
    2019/04/22 18:05:10 [INFO] generating key: rsa-2048
    2019/04/22 18:05:11 [INFO] encoded CSR
    2019/04/22 18:05:11 [INFO] signed certificate with serial number 309283889504556884051139822527420141544215396891
    2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    2019/04/22 18:05:11 [INFO] generate received request
    2019/04/22 18:05:11 [INFO] received CSR
    2019/04/22 18:05:11 [INFO] generating key: rsa-2048
    2019/04/22 18:05:11 [INFO] encoded CSR
    2019/04/22 18:05:11 [INFO] signed certificate with serial number 286610519064253595846587034459149175950956557113
    2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").
    [root@mast-1 k8s]# ls
    admin.csr       apiserver.sh    ca-key.pem             etcd-cert.sh  kube-proxy.csr       kubernetes                            scheduler.sh     server.pem
    admin-csr.json  ca-config.json  ca.pem                 etcd.sh       kube-proxy-csr.json  kubernetes-server-linux-amd64.tar.gz  server.csr
    admin-key.pem   ca.csr          controller-manager.sh  k8s-cert      kube-proxy-key.pem   kubernetes.tar.gz                     server-csr.json
    admin.pem       ca-csr.json     etcd-cert              k8s-cert.sh   kube-proxy.pem       master.zip

        

     生成token文件

    [root@mast-1 k8s]# cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/
    [root@mast-1 k8s]#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
    
    [root@mast-1 k8s]#cat > token.csv <<EOF
    ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    EOF
    [root@mast-1 k8s]# cat token.csv 
    0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    [root@mast-1 k8s]# mv token.csv  /opt/kubernetes/cfg/
    

      

     启动apiserver

    [root@mast-1 k8s]# systemctl start kube-apiserver
    [root@mast-1 k8s]# ps -ef | grep apiserver
    root       3264      1 99 20:35 ?        00:00:01 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --etcd-servers=https://192.168.10.11:2379,https:/
    /192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 --secure-port=6443 --advertise-address=192.168.10.11 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pemroot       3274   1397  0 20:35 pts/0    00:00:00 grep --color=auto apiserver
    

      生成配置文件并启动controller-manager

    [root@mast-1 k8s]# cat controller-manager.sh 
    #!/bin/bash
    
    MASTER_ADDRESS=$1
    
    cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
    
    
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \   日志配置
    --v=4 \
    --master=${MASTER_ADDRESS}:8080 \  apimaster端口
    --leader-elect=true \
    --address=127.0.0.1 \   
    --service-cluster-ip-range=10.0.0.0/24 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
    --root-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --experimental-cluster-signing-duration=87600h0m0s"
    
    EOF
    
    cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
    ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    systemctl daemon-reload
    systemctl enable kube-controller-manager
    systemctl restart kube-controller-manager
    [root@mast-1 k8s]# bash controller-manager.sh 127.0.0.1   输入masterIP
    [root@mast-1 k8s]# ss -lntp
    State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port              
    LISTEN      0      128                                                     192.168.10.11:6443                                                                            *:*                   
    users:(("kube-apiserver",pid=7604,fd=6))LISTEN      0      128                                                     192.168.10.11:2379                                                                            *:*                   
    users:(("etcd",pid=1428,fd=7))LISTEN      0      128                                                         127.0.0.1:2379                                                                            *:*                   
    users:(("etcd",pid=1428,fd=6))LISTEN      0      128                                                         127.0.0.1:10252                                                                           *:*                   
    users:(("kube-controller",pid=7593,fd=3))LISTEN      0      128                                                     192.168.10.11:2380                                                                            *:*                   
    users:(("etcd",pid=1428,fd=5))LISTEN      0      128                                                         127.0.0.1:8080                                                                            *:*                   
    users:(("kube-apiserver",pid=7604,fd=5))LISTEN      0      128                                                                 *:22                                                                              *:*                   
    users:(("sshd",pid=902,fd=3))LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*                   
    users:(("master",pid=1102,fd=13))LISTEN      0      128                                                                :::10257                                                                          :::*                   
    users:(("kube-controller",pid=7593,fd=5))LISTEN      0      128                                                                :::22                                                                             :::*                   
    users:(("sshd",pid=902,fd=4))LISTEN      0      100                                                               ::1:25                                                                             :::*                   
    users:(("master",pid=1102,fd=14))
    

      生成配置文件,并启动scheduler

    [root@mast-1 k8s]# cat scheduler.sh 
    #!/bin/bash
    
    MASTER_ADDRESS=$1
    
    cat <<EOF >/opt/kubernetes/cfg/kube-scheduler
    
    KUBE_SCHEDULER_OPTS="--logtostderr=true \
    --v=4 \
    --master=${MASTER_ADDRESS}:8080 \
    --leader-elect"
    
    EOF
    
    cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
    ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    systemctl daemon-reload
    systemctl enable kube-scheduler
    systemctl restart kube-scheduler
    [root@mast-1 k8s]# bash scheduler.sh 127.0.0.1
    [root@mast-1 k8s]# ss -lntp
    State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port              
    LISTEN      0      128                                                     192.168.10.11:2379                                                                            *:*                   
    users:(("etcd",pid=1428,fd=7))LISTEN      0      128                                                         127.0.0.1:2379                                                                            *:*                   
    users:(("etcd",pid=1428,fd=6))LISTEN      0      128                                                         127.0.0.1:10252                                                                           *:*                   
    users:(("kube-controller",pid=7809,fd=3))LISTEN      0      128                                                     192.168.10.11:2380                                                                            *:*                   
    users:(("etcd",pid=1428,fd=5))LISTEN      0      128                                                                 *:22                                                                              *:*                   
    users:(("sshd",pid=902,fd=3))LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*                   
    users:(("master",pid=1102,fd=13))LISTEN      0      128                                                                :::10251                                                                          :::*                   
    users:(("kube-scheduler",pid=8073,fd=3))LISTEN      0      128                                                                :::10257                                                                          :::*                   
    users:(("kube-controller",pid=7809,fd=5))LISTEN      0      128                                                                :::22                                                                             :::*                   
    users:(("sshd",pid=902,fd=4))LISTEN      0      100                                                               ::1:25                                                                             :::*                   
    users:(("master",pid=1102,fd=14))
    

      配置文件

    [root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager 
    
    
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true 
    --v=4 
    --master=127.0.0.1:8080   API连接地址
    --leader-elect=true     自动做高可用选举
    --address=127.0.0.1     地址,不对外提供服务
    --service-cluster-ip-range=10.0.0.0/24   地址范围与apiserver配置一样
    --cluster-name=kubernetes     名字
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem 签名
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem     签名
    --root-ca-file=/opt/kubernetes/ssl/ca.pem   根证书
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem   
    --experimental-cluster-signing-duration=87600h0m0s"   有效时间
    

      配置文件

    [root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-scheduler 
    
    KUBE_SCHEDULER_OPTS="--logtostderr=true 
    --v=4 
    --master=127.0.0.1:8080 
    --leader-elect"
    

      将客户端工具复制到/usr/bin目录下

    [root@mast-1 k8s]# cp kubernetes/server/bin/kubectl /usr/bin/
    

      查看集群状态

    [root@mast-1 k8s]# kubectl get cs
    NAME                 STATUS    MESSAGE             ERROR
    scheduler            Healthy   ok                  
    etcd-2               Healthy   {"health":"true"}   
    etcd-1               Healthy   {"health":"true"}   
    etcd-0               Healthy   {"health":"true"}   
    controller-manager   Healthy   ok     
    

      

    草都可以从石头缝隙中长出来更可况你呢
  • 相关阅读:
    IDirect3DDevice9::SetTexture的stage参数
    c++ 返回对象的引用要小心
    c++ 头文件循环引用解法
    Real-Time Rendering.3rd,Radiance与距离无关 的解释
    0xffff0000颜色表示
    signed distance field 算法
    c++ abs与fabs
    unity, OnTriggerEnter2D不触发
    unity, particle play once and destroy
    装机人员工具
  • 原文地址:https://www.cnblogs.com/rdchenxi/p/10754366.html
Copyright © 2011-2022 走看看