  • Centos7部署kubernetes API服务(四)

    1、准备软件包
    [root@linux-node1 bin]# pwd
    /usr/local/src/kubernetes/server/bin
    [root@linux-node1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
    2、创建生成CSR的JSON配置文件
    [root@linux-node1 bin]# cd /usr/local/src/ssl/
    [root@linux-node1 ssl]# vim kubernetes-csr.json
    {
    "CN": "kubernetes",
    "hosts": [
    "127.0.0.1",
    "192.168.43.21",
    "10.1.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "CN",
    "ST": "BeiJing",
    "L": "BeiJing",
    "O": "k8s",
    "OU": "System"
    }
    ]
    }
     
    3、生成kubernetes证书和私钥
    (注:kubernetes*.pem 同时匹配私钥 kubernetes-key.pem;如果其他节点不运行kube-apiserver,就不必把私钥复制过去,私钥文件建议只允许root读取。)
    [root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
    > -ca-key=/opt/kubernetes/ssl/ca-key.pem \
    > -config=/opt/kubernetes/ssl/ca-config.json \
    > -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
    [root@linux-node1 ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/
    [root@linux-node1 ssl]# scp kubernetes*.pem 192.168.43.22:/opt/kubernetes/ssl/
    [root@linux-node1 ssl]# scp kubernetes*.pem 192.168.43.23:/opt/kubernetes/ssl/
    4、创建kube-apiserver使用的客户端token文件
    (注:下面的token只是示例,请使用自己生成的值;bootstrap-token.csv 保存的是明文凭据,建议 chmod 600 并只允许root读取。)
    [root@linux-node1 ssl]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    c5b00c8b2a61246c61202a53cffed505
    [root@linux-node1 ssl]# vim /opt/kubernetes/ssl/bootstrap-token.csv
    c5b00c8b2a61246c61202a53cffed505,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
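    5、创建基础用户名、密码认证配置
    (注:文件每行的格式为“密码,用户名,UID”;admin/admin、readonly/readonly 仅为示例,实际部署必须换成强随机密码。--basic-auth-file 以明文保存密码,该参数已在 Kubernetes 1.19 中移除,新版本应改用客户端证书或OIDC等认证方式。)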
    [root@linux-node1 ssl]# vim /opt/kubernetes/ssl/basic-auth.csv
    admin,admin,1
    readonly,readonly,2
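    6、部署kubernetes APIserver
    (注:--insecure-bind-address=127.0.0.1 会在本机8080端口开放不经过认证和授权的API,本机上任何能访问该端口的进程都等同于集群管理员,后面的controller-manager和scheduler正是通过它连接的;--service-account-key-file 直接复用了CA私钥 ca-key.pem,建议为ServiceAccount单独生成一对密钥。)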
    [root@linux-node1 ssl]# vim /usr/lib/systemd/system/kube-apiserver.service
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target
    [Service]
    ExecStart=/opt/kubernetes/bin/kube-apiserver \
    --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
    --bind-address=192.168.43.21 \
    --insecure-bind-address=127.0.0.1 \
    --authorization-mode=Node,RBAC \
    --runtime-config=rbac.authorization.k8s.io/v1 \
    --kubelet-https=true \
    --anonymous-auth=false \
    --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
    --enable-bootstrap-token-auth \
    --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
    --service-cluster-ip-range=10.1.0.0/16 \
    --service-node-port-range=20000-40000 \
    --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
    --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
    --client-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
    --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
    --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
    --etcd-servers=https://192.168.43.21:2379,https://192.168.43.22:2379,https://192.168.43.23:2379 \
    --enable-swagger-ui=true \
    --allow-privileged=true \
    --audit-log-maxage=30 \
    --audit-log-maxbackup=3 \
    --audit-log-maxsize=100 \
    --audit-log-path=/opt/kubernetes/log/api-audit.log \
    --event-ttl=1h \
    --v=2 \
    --logtostderr=false \
    --log-dir=/opt/kubernetes/log
    Restart=on-failure
    RestartSec=5
    Type=notify
    LimitNOFILE=65536
    [Install]
    WantedBy=multi-user.target
    7、启动API server服务
    [root@linux-node1 ssl]# systemctl daemon-reload
    [root@linux-node1 ssl]# systemctl enable kube-apiserver
    [root@linux-node1 ssl]# systemctl start kube-apiserver
    8、部署controller Manager服务
    [root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-controller-manager.service
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    [Service]
    ExecStart=/opt/kubernetes/bin/kube-controller-manager \
    --address=127.0.0.1 \
    --master=http://127.0.0.1:8080 \
    --allocate-node-cidrs=true \
    --service-cluster-ip-range=10.1.0.0/16 \
    --cluster-cidr=10.2.0.0/16 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --root-ca-file=/opt/kubernetes/ssl/ca.pem \
    --leader-elect=true \
    --v=2 \
    --logtostderr=false \
    --log-dir=/opt/kubernetes/log
    Restart=on-failure
    RestartSec=5
    [Install]
    WantedBy=multi-user.target
    9、启动Controller Manager
    [root@linux-node1 ~]# systemctl daemon-reload
    [root@linux-node1 ~]# systemctl enable kube-controller-manager
    [root@linux-node1 ~]# systemctl start kube-controller-manager
    [root@linux-node1 ~]# systemctl status kube-controller-manager
    10、部署kubernetes Scheduler
    [root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    [Service]
    ExecStart=/opt/kubernetes/bin/kube-scheduler \
    --address=127.0.0.1 \
    --master=http://127.0.0.1:8080 \
    --leader-elect=true \
    --v=2 \
    --logtostderr=false \
    --log-dir=/opt/kubernetes/log
    Restart=on-failure
    RestartSec=5
    [Install]
    WantedBy=multi-user.target
    11、启动服务
    [root@linux-node1 ~]# systemctl daemon-reload
    [root@linux-node1 ~]# systemctl enable kube-scheduler
    [root@linux-node1 ~]# systemctl start kube-scheduler
  • 原文地址:https://www.cnblogs.com/xiaoliangxianshen/p/9165525.html