  Deploying the kube-apiserver service for Kubernetes

    Deploying the kube-apiserver component

    This document covers the kube-apiserver part of a 3-node highly available master cluster that sits behind keepalived and haproxy. The keepalived/haproxy configuration itself is not shown here; what the steps below rely on is that the VIP 192.168.111.9 forwards port 8443 to port 6443 on the three apiservers.

    The names and IPs of the kube-apiserver nodes:

    kube-node0:192.168.111.10
    kube-node1:192.168.111.11
    kube-node2:192.168.111.12

    Create the kubernetes certificate and private key
    The hosts (SAN) list of this certificate must contain every address and name a client may use to reach kube-apiserver: the three node IPs, the VIP (192.168.111.9), loopback, and the ClusterIP of the kubernetes service that kube-apiserver creates for itself. That ClusterIP is the first address of the range passed as --service-cluster-ip-range (10.254.0.0/16 in the unit file below, so 10.254.0.1); once the cluster is up it can be read back with kubectl get svc kubernetes. The DNS names kubernetes, kubernetes.default, ... , kubernetes.default.svc.cluster.local cover in-cluster clients; add node hostnames as well if anything connects by name. A name missing here surfaces later as a TLS hostname mismatch, and the only fix is to reissue the certificate.

    cat > kubernetes-csr.json <<EOF
    {
      "CN": "kubernetes",
      "hosts": [
        "127.0.0.1",
        "192.168.111.9",
        "192.168.111.10",
        "192.168.111.11",
        "192.168.111.12",
        "10.254.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "ChongQing",
          "L": "ChongQing",
          "O": "k8s",
          "OU": "yunwei"
        }
      ]
    }
    EOF

    Generate the certificate and key:

    cfssl gencert -ca=/etc/kubernetes/ca/ca.pem \
      -ca-key=/etc/kubernetes/ca/ca-key.pem \
      -config=/etc/kubernetes/ca/ca-config.json \
      -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

    cfssljson -bare kubernetes writes kubernetes.pem and kubernetes-key.pem into the current directory, so run the command in /etc/kubernetes/ca (or move the files there). Then copy the certificate and private key to the other kube-apiserver nodes. kubernetes-key.pem is the apiserver's TLS private key (and, with the flags below, its etcd client key): keep it mode 0600, owned by the user kube-apiserver runs as.
    # scp /etc/kubernetes/ca/kubernetes* 192.168.111.11:/etc/kubernetes/ca/
    # scp /etc/kubernetes/ca/kubernetes* 192.168.111.12:/etc/kubernetes/ca/
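The hosts list is easy to get wrong, and a wrong one only shows up later as a TLS hostname mismatch. The following added example (not part of the original post) derives the list the way the paragraph above describes: node IPs plus VIP, loopback, the first address of the service CIDR, and the kubernetes.default.svc names expanded from the cluster domain. It prints a kubernetes-csr.json for cfssl, and once the certificate has been issued it can compare the SAN extension against the same list. The cluster domain cluster.local and the subject fields are taken from the CSR above; the function names are mine, and only cert_missing_sans needs openssl, the rest runs in a POSIX shell.

```sh
#!/bin/sh
# Added example: derive the SAN list for the kube-apiserver certificate, emit the
# cfssl CSR, and check an issued certificate against the same list.

# First usable address of a CIDR: the ClusterIP the "kubernetes" service receives.
# $1: CIDR such as 10.254.0.0/16  ->  prints 10.254.0.1
service_cluster_ip() {
  addr=${1%/*}; bits=${1#*/}
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  first=$(( (ip & mask) + 1 ))
  printf '%d.%d.%d.%d\n' $(( (first >> 24) & 255 )) $(( (first >> 16) & 255 )) \
    $(( (first >> 8) & 255 )) $(( first & 255 ))
}

# Emit the cfssl CSR JSON for the kube-apiserver certificate.
# $1: VIP, $2: service CIDR, $3: cluster domain, remaining args: node IPs
apiserver_csr_json() {
  vip=$1; cidr=$2; domain=$3; shift 3
  hosts="127.0.0.1 $vip $* $(service_cluster_ip "$cidr")"
  # kubernetes, kubernetes.default, kubernetes.default.svc, then one name per domain
  # prefix: kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local
  names="kubernetes kubernetes.default kubernetes.default.svc"
  suffix=
  for label in $(printf '%s' "$domain" | tr . ' '); do
    suffix=${suffix:+$suffix.}$label
    names="$names kubernetes.default.svc.$suffix"
  done
  printf '{\n  "CN": "kubernetes",\n  "hosts": [\n'
  first=1
  for h in $hosts $names; do
    [ "$first" = 1 ] || printf ',\n'
    printf '    "%s"' "$h"; first=0
  done
  printf '\n  ],\n  "key": { "algo": "rsa", "size": 2048 },\n'
  printf '  "names": [ { "C": "CN", "ST": "ChongQing", "L": "ChongQing", "O": "k8s", "OU": "yunwei" } ]\n}\n'
}

# Compare an issued certificate's SAN extension with the required hosts (needs openssl).
# $1: certificate PEM, remaining args: required hosts; prints each missing one, returns 1 if any.
cert_missing_sans() {
  cert=$1; shift
  san=$(openssl x509 -in "$cert" -noout -text | awk '/Subject Alternative Name/ { getline; print; exit }')
  rc=0
  for h in "$@"; do
    case "$san," in
      *"DNS:$h,"*|*"IP Address:$h,"*) ;;
      *) printf '%s\n' "$h"; rc=1 ;;
    esac
  done
  return $rc
}

# Stand-alone demo with this page's addresses; redirect to kubernetes-csr.json to use it.
apiserver_csr_json 192.168.111.9 10.254.0.0/16 cluster.local \
  192.168.111.10 192.168.111.11 192.168.111.12
```

After cfssl has issued the certificate, `cert_missing_sans kubernetes.pem 10.254.0.1 192.168.111.9 kubernetes.default.svc.cluster.local` should print nothing; anything it prints is a host that will fail verification.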

    Generate the static token file

    #generate a random token
    # head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    8afdf3c4eb7c74018452423c29433609

    #write it to token.csv in the fixed format token,user,uid,"group1,group2"; substitute your own token.
    #(The original command put the group's double quotes inside a double-quoted string, so the shell
    # stripped them; single quotes keep them. One group works either way, several groups need the quotes.)
    # echo '8afdf3c4eb7c74018452423c29433609,kubelet-bootstrap,10001,"system:kubelet-bootstrap"' > /etc/kubernetes/ca/token.csv

    This is the static token file read by --token-auth-file: each token is a long-lived bearer credential for the listed user and groups, the list cannot be changed without restarting kube-apiserver, and the file should be readable by kube-apiserver only. It is separate from the bootstrap tokens enabled by --enable-bootstrap-token-auth, which live as Secrets in kube-system, expire, and can be deleted at run time.
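As an added example (not from the original post): helpers that write static-token entries with the quoting the CSV format needs, generate tokens from /dev/urandom as 32 hex characters (od -tx1 prints bytes in order on any architecture, unlike -t x), and check an existing token.csv for malformed lines, short tokens and duplicates before kube-apiserver loads it. The function names and the sample users are assumptions.

```sh
#!/bin/sh
# Added example: static token file helpers for --token-auth-file.
# Line format: token,user,uid[,"group1,group2"]

# 16 random bytes as 32 hex characters.
new_static_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Append an entry, quoting the group list as the CSV format requires.
# $1: token file, $2: user, $3: uid, remaining args: groups; prints the new token.
token_csv_add() {
  file=$1; user=$2; uid=$3; shift 3
  token=$(new_static_token)
  groups=$(printf '%s,' "$@"); groups=${groups%,}
  if [ -n "$groups" ]; then
    printf '%s,%s,%s,"%s"\n' "$token" "$user" "$uid" "$groups" >> "$file"
  else
    printf '%s,%s,%s\n' "$token" "$user" "$uid" >> "$file"
  fi
  printf '%s\n' "$token"
}

# Check a token file before kube-apiserver loads it: every line needs a token of at
# least 32 hex characters, a non-empty user and uid and an optional quoted group list,
# and no token may appear twice (two identities for one token is never intended).
# Prints the problems and returns 1 if there are any.
token_csv_check() {
  rc=0
  bad=$(grep -nEv '^[0-9a-f]{32,},[^,"]+,[^,"]+(,"[^"]*")?$' "$1" || true)
  [ -z "$bad" ] || { printf 'malformed or weak entry:\n%s\n' "$bad"; rc=1; }
  dups=$(cut -d, -f1 "$1" | sort | uniq -d)
  [ -z "$dups" ] || { printf 'duplicate token:\n%s\n' "$dups"; rc=1; }
  return $rc
}

# Stand-alone demo in a temporary file (the real file is /etc/kubernetes/ca/token.csv).
demo=$(mktemp)
token_csv_add "$demo" kubelet-bootstrap 10001 system:kubelet-bootstrap >/dev/null
token_csv_add "$demo" metrics-reader 10002 >/dev/null
cat "$demo"
token_csv_check "$demo" && echo "token.csv ok"
rm -f "$demo"
```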
    The kube-apiserver unit file. It is the same on all three nodes except --bind-address, which must be each node's own IP (the copy below is kube-node2's). The insecure, plain-HTTP API is opened on 127.0.0.1:8080 so that kube-scheduler and kube-controller-manager on the same host can use the apiserver without any authentication or authorization. Be clear about what that means: every request on that port is served with full privileges, so any local process or user that can reach loopback controls the cluster. The safer pattern, and the only one left after later releases removed the insecure port, is --insecure-port=0 plus a kubeconfig with a client certificate for the scheduler and the controller-manager. Two more things to know about the flags below: --service-account-key-file only needs the public key that verifies service-account tokens, and pointing it at ca-key.pem puts the key that signs every certificate in the cluster into the apiserver process (generate a separate pair, give the public half here and the private half to kube-controller-manager's --service-account-private-key-file); and --audit-log-path on its own writes nothing once the legacy audit backend is gone, an --audit-policy-file is needed as well. --admission-control, --kubelet-https, --enable-swagger-ui and --insecure-bind-address belong to the Kubernetes 1.1x releases this page was written for; newer binaries reject them (--enable-admission-plugins replaced the first).

    cat > /lib/systemd/system/kube-apiserver.service <<'EOF'
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target
    [Service]
    ExecStart=/usr/local/bin/kube-apiserver \
      --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
      --insecure-bind-address=127.0.0.1 \
      --kubelet-https=true \
      --bind-address=192.168.111.12 \
      --authorization-mode=Node,RBAC \
      --runtime-config=api/all \
      --enable-bootstrap-token-auth \
      --token-auth-file=/etc/kubernetes/ca/token.csv \
      --tls-cert-file=/etc/kubernetes/ca/kubernetes.pem \
      --tls-private-key-file=/etc/kubernetes/ca/kubernetes-key.pem \
      --client-ca-file=/etc/kubernetes/ca/ca.pem \
      --service-account-key-file=/etc/kubernetes/ca/ca-key.pem \
      --etcd-cafile=/etc/kubernetes/ca/ca.pem \
      --etcd-certfile=/etc/kubernetes/ca/kubernetes.pem \
      --etcd-keyfile=/etc/kubernetes/ca/kubernetes-key.pem \
      --service-cluster-ip-range=10.254.0.0/16 \
      --etcd-servers=https://192.168.111.10:2379,https://192.168.111.11:2379,https://192.168.111.12:2379 \
      --enable-swagger-ui=true \
      --allow-privileged=true \
      --audit-log-maxage=30 \
      --audit-log-maxbackup=3 \
      --audit-log-maxsize=100 \
      --audit-log-path=/var/lib/audit.log \
      --v=2
    Restart=on-failure
    RestartSec=5
    Type=notify
    LimitNOFILE=65536
    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload && for SERVICES in kube-apiserver;do systemctl enable $SERVICES; systemctl restart $SERVICES; systemctl status $SERVICES; done
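Before the unit is copied to the other nodes it is worth checking it for the points raised above. The following added example, not part of the original post, lints a kube-apiserver unit file for the weak settings discussed (insecure port, per-node bind address, CA key reused as service-account key, audit log without policy, authorization mode) and writes a minimal audit policy to pair with --audit-policy-file. The policy contents and the path /etc/kubernetes/audit-policy.yaml in the usage note are my choices (the apiVersion audit.k8s.io/v1 is the current one; the 1.1x releases this unit targets may want audit.k8s.io/v1beta1), page_unit_excerpt is a constructed copy of the relevant flags from the unit above, and the function names are mine.

```sh
#!/bin/sh
# Added example: lint a kube-apiserver unit for the weak settings discussed above and
# write an audit policy to go with --audit-policy-file.

# Value of --<flag>= in a unit file (first occurrence; empty if absent).
# $1: unit file, $2: flag name without the leading dashes
unit_flag() {
  sed -n "s/^[[:space:]]*--$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# One finding per line; returns 1 if there are any.
# $1: unit file, $2: the IP this node should bind
apiserver_unit_findings() {
  unit=$1; node_ip=$2; rc=0
  say() { printf '%s\n' "$1"; rc=1; }

  # Insecure port: plain HTTP, no authentication or authorization (default 127.0.0.1:8080).
  port=$(unit_flag "$unit" insecure-port)
  ins=$(unit_flag "$unit" insecure-bind-address)
  [ "$port" = 0 ] ||
    say "unauthenticated API on ${ins:-127.0.0.1}:${port:-8080}; set --insecure-port=0 and give scheduler/controller-manager a kubeconfig"

  # --bind-address differs per node, so the unit cannot be byte-identical on all three.
  bind=$(unit_flag "$unit" bind-address)
  [ -z "$bind" ] || [ "$bind" = 0.0.0.0 ] || [ "$bind" = "$node_ip" ] ||
    say "--bind-address=$bind is not this node's IP $node_ip"

  # The service-account key only verifies tokens, so it can be a bare public key;
  # it must not be the CA key or the TLS/etcd client key.
  sakey=$(unit_flag "$unit" service-account-key-file)
  if [ -n "$sakey" ]; then
    for other in "$(unit_flag "$unit" tls-private-key-file)" "$(unit_flag "$unit" etcd-keyfile)"; do
      [ "$sakey" != "$other" ] || say "--service-account-key-file=$sakey reuses the TLS/etcd private key"
    done
    case $sakey in
      */ca-key.pem|ca-key.pem) say "--service-account-key-file=$sakey is the CA private key; use a dedicated pair (sa.pub here, sa-key.pem on the controller-manager)" ;;
    esac
  fi

  # Audit flags without a policy file produce no events once the legacy backend is gone.
  [ -z "$(unit_flag "$unit" audit-log-path)" ] || [ -n "$(unit_flag "$unit" audit-policy-file)" ] ||
    say "--audit-log-path is set without --audit-policy-file; nothing will be written"

  case $(unit_flag "$unit" authorization-mode) in
    *AlwaysAllow*) say "--authorization-mode includes AlwaysAllow" ;;
    *RBAC*) ;;
    *) say "--authorization-mode does not include RBAC" ;;
  esac
  return $rc
}

# Minimal audit policy: metadata for everything, bodies only for RBAC and workload
# changes, and never the body of secrets. $1: destination path.
write_audit_policy() {
  cat > "$1" <<'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so an ordinary request yields one event, not two.
omitStages: ["RequestReceived"]
rules:
- level: None
  nonResourceURLs: ["/healthz*", "/readyz*", "/livez*", "/version"]
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps", "serviceaccounts/token"]
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: "rbac.authorization.k8s.io"
  - group: ""
    resources: ["pods", "nodes"]
- level: Metadata
EOF
}

# Constructed excerpt of the unit above (only the flags the lint looks at).
page_unit_excerpt() {
  cat <<'EOF'
ExecStart=/usr/local/bin/kube-apiserver \
  --insecure-bind-address=127.0.0.1 \
  --bind-address=192.168.111.12 \
  --authorization-mode=Node,RBAC \
  --tls-private-key-file=/etc/kubernetes/ca/kubernetes-key.pem \
  --service-account-key-file=/etc/kubernetes/ca/ca-key.pem \
  --etcd-keyfile=/etc/kubernetes/ca/kubernetes-key.pem \
  --audit-log-path=/var/lib/audit.log
EOF
}

# Stand-alone demo against the excerpt, as seen from kube-node0 (192.168.111.10).
demo=$(mktemp -d)
page_unit_excerpt > "$demo/kube-apiserver.service"
apiserver_unit_findings "$demo/kube-apiserver.service" 192.168.111.10 || true
write_audit_policy "$demo/audit-policy.yaml"
rm -rf "$demo"
```

Run `apiserver_unit_findings /lib/systemd/system/kube-apiserver.service <this node's IP>` on each node; a clean unit prints nothing and returns 0. After `write_audit_policy /etc/kubernetes/audit-policy.yaml`, add `--audit-policy-file=/etc/kubernetes/audit-policy.yaml` next to the other audit flags and restart kube-apiserver.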

    Print the keys kube-apiserver has written to etcd (etcd.pem and etcd-key.pem are the etcd client certificate pair from the etcd deployment; the apiserver's own kubernetes.pem pair works as well, since it is what --etcd-certfile uses):

    ETCDCTL_API=3 etcdctl \
    --endpoints=https://192.168.111.10:2379,https://192.168.111.11:2379,https://192.168.111.12:2379 \
    --cacert=/etc/kubernetes/ca/ca.pem \
    --cert=/etc/kubernetes/ca/etcd.pem \
    --key=/etc/kubernetes/ca/etcd-key.pem \
    get /registry/ --prefix --keys-only

    Deploy the kubectl command-line tool

    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "ChongQing",
          "L": "ChongQing",
          "O": "system:masters",
          "OU": "yunwei"
        }
      ]
    }
    EOF

    Generate the certificate and key:

    cfssl gencert -ca=/etc/kubernetes/ca/ca.pem \
      -ca-key=/etc/kubernetes/ca/ca-key.pem \
      -config=/etc/kubernetes/ca/ca-config.json \
      -profile=kubernetes admin-csr.json | cfssljson -bare admin

    Generate the kubectl config file (run on all three nodes, or run it once and copy the result; kubectl config writes to ~/.kube/config by default). Be aware what this credential is: kube-apiserver treats the group system:masters as a superuser before any authorizer runs, so RBAC cannot restrict it, and it checks no revocation list, so admin-key.pem stays a cluster-admin credential until the CA itself is rotated. Treat it as a break-glass key: keep it off shared machines, and issue everyday admin certificates in a group of your own, bound through a ClusterRoleBinding that can be deleted.

    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/ca/ca.pem \
      --embed-certs=true \
      --server=https://192.168.111.9:8443
    kubectl config set-credentials admin \
      --client-certificate=/etc/kubernetes/ca/admin.pem \
      --client-key=/etc/kubernetes/ca/admin-key.pem \
      --embed-certs=true
    kubectl config set-context kubernetes \
      --cluster=kubernetes \
      --user=admin
    kubectl config use-context kubernetes

    mkdir -p ~/.kube

    scp ~/.kube/config 192.168.111.11:~/.kube/config
    scp ~/.kube/config 192.168.111.12:~/.kube/config

    Check the cluster information (on any node). scheduler and controller-manager report Unhealthy here only because they are not deployed yet; kube-apiserver probes them on 127.0.0.1:10251 and :10252 (kubectl get componentstatuses is deprecated in newer releases).

    # kubectl cluster-info
    Kubernetes master is running at https://192.168.111.9:8443
    
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
    # kubectl get all --all-namespaces
    NAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    default     service/kubernetes   ClusterIP   10.254.0.1   <none>        443/TCP   34d
    # kubectl get componentstatuses
    NAME                 STATUS      MESSAGE                                                                                     ERROR
    scheduler            Unhealthy   Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused   
    controller-manager   Unhealthy   Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused   
    etcd-2               Healthy     {"health": "true"}                                                                          
    etcd-0               Healthy     {"health": "true"}                                                                          
    etcd-1               Healthy     {"health": "true"}                                                           

    Check the ports kube-apiserver listens on
    6443 on the node IP: the secure HTTPS port; every request is authenticated and authorized
    8080 on 127.0.0.1: the insecure HTTP port; no authentication or authorization at all (see above)

    # ss -elnpt | grep kube
    LISTEN     0      128    192.168.111.12:6443                     *:*                   users:(("kube-apiserver",pid=878,fd=3)) timer:(keepalive,031ms,0) ino:23491 sk:ffff880078d34d80 <->
    LISTEN     0      128    127.0.0.1:8080                     *:*                   users:(("kube-apiserver",pid=4168,fd=68)) ino:35479 sk:ffff88002391ec80 <->
    Original source: https://www.cnblogs.com/xuyingzhong/p/9761585.html