1、准备软件包
[root@linux-node1 bin]# pwd
/usr/local/src/kubernetes/server/bin
[root@linux-node1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
2、创建生成CSR的JSON配置文件
[root@linux-node1 bin]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim kubernetes-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.43.21",
"10.1.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
3、生成kubernetes证书和私钥
[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
> -ca-key=/opt/kubernetes/ssl/ca-key.pem \
> -config=/opt/kubernetes/ssl/ca-config.json \
> -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
[root@linux-node1 ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kubernetes*.pem 192.168.43.22:/opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kubernetes*.pem 192.168.43.23:/opt/kubernetes/ssl/
4、创建kube-apiserver使用客户端的token文件
[root@linux-node1 ssl]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
c5b00c8b2a61246c61202a53cffed505
[root@linux-node1 ssl]# vim /opt/kubernetes/ssl/bootstrap-token.csv
c5b00c8b2a61246c61202a53cffed505,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
5、创建基础用户名、密码认证配置（示例中的 admin/admin、readonly/readonly 仅用于演示，实际部署前请替换为强口令）
[root@linux-node1 ssl]# vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2
6、部署kubernetes API Server（注意：下面的 --service-account-key-file 直接复用了 CA 私钥 ca-key.pem，生产环境建议为 ServiceAccount 令牌单独生成一对密钥）
[root@linux-node1 ssl]# vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
--bind-address=192.168.43.21 \
--insecure-bind-address=127.0.0.1 \
--authorization-mode=Node,RBAC \
--runtime-config=rbac.authorization.k8s.io/v1 \
--kubelet-https=true \
--anonymous-auth=false \
--basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
--service-cluster-ip-range=10.1.0.0/16 \
--service-node-port-range=20000-40000 \
--tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
--tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
--etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
--etcd-servers=https://192.168.43.21:2379,https://192.168.43.22:2379,https://192.168.43.23:2379 \
--enable-swagger-ui=true \
--allow-privileged=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/log/api-audit.log \
--event-ttl=1h \
--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
7、启动API server服务
[root@linux-node1 ssl]# systemctl daemon-reload
[root@linux-node1 ssl]# systemctl enable kube-apiserver
[root@linux-node1 ssl]# systemctl start kube-apiserver
8、部署Controller Manager服务
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
--address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--allocate-node-cidrs=true \
--service-cluster-ip-range=10.1.0.0/16 \
--cluster-cidr=10.2.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--leader-elect=true \
--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
9、启动Controller Manager
[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable kube-controller-manager
[root@linux-node1 ~]# systemctl start kube-controller-manager
[root@linux-node1 ~]# systemctl status kube-controller-manager
10、部署kubernetes Scheduler
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \
--address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--leader-elect=true \
--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
11、启动Scheduler服务
[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable kube-scheduler
[root@linux-node1 ~]# systemctl start kube-scheduler