  • 六、部署master

    1、下载
    下载地址:
    https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.16.md

    这个二进制包中包含了master和node的所有组件。下载后请对照该CHANGELOG页面中列出的sha512值校验压缩包,确认文件完整且未被篡改后再解压使用。

    2、创建对应的目录,并将二进制包中对应的可执行文件拷贝到对应目录

    [root@k8s-master01 master]# tree kubernetes/
    kubernetes/
    ├── bin
    │   ├── kube-apiserver
    │   ├── kube-controller-manager
    │   ├── kubectl
    │   └── kube-scheduler
    ├── cfg
    ├── logs
    └── ssl

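    3、创建对应的配置文件

    注意:下面的kube-controller-manager和kube-scheduler通过--master=127.0.0.1:8080连接apiserver,这是apiserver在本机监听的非安全端口,经该端口的请求不经过认证和授权,因此master主机上的任何本地用户或进程都等同于集群管理员;较新版本的Kubernetes已不再提供该端口,组件需改用kubeconfig连接6443安全端口。另外,配置中把CA私钥ca-key.pem同时用作ServiceAccount的签名密钥,并把controller-manager签发证书的有效期设为876000h(约100年);生产环境建议为ServiceAccount单独生成密钥对,并缩短证书有效期。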

    [root@k8s-master01 master]# cat  kubernetes/cfg/kube-apiserver.conf 
    KUBE_APISERVER_OPTS="--logtostderr=false 
    --v=2 
    --log-dir=/opt/kubernetes/logs 
    --etcd-servers=https://10.16.8.161:2379,https://10.16.8.162:2379,https://10.16.8.163:2379 
    --bind-address=10.16.8.150 
    --secure-port=6443 
    --advertise-address=10.16.8.150 
    --allow-privileged=true 
    --service-cluster-ip-range=10.0.0.0/24 
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction 
    --authorization-mode=RBAC,Node 
    --enable-bootstrap-token-auth=true 
    --token-auth-file=/opt/kubernetes/cfg/token.csv 
    --service-node-port-range=30000-32767 
    --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem 
    --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem 
    --tls-cert-file=/opt/kubernetes/ssl/server.pem  
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem 
    --client-ca-file=/opt/kubernetes/ssl/ca.pem 
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem 
    --etcd-cafile=/opt/etcd/ssl/ca.pem 
    --etcd-certfile=/opt/etcd/ssl/server.pem 
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem 
    --audit-log-maxage=30 
    --audit-log-maxbackup=3 
    --audit-log-maxsize=100 
    --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
    
    [root@k8s-master01 master]# cat kubernetes/cfg/kube-controller-manager.conf 
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false 
    --v=2 
    --log-dir=/opt/kubernetes/logs 
    --leader-elect=true 
    --master=127.0.0.1:8080 
    --address=127.0.0.1 
    --allocate-node-cidrs=true 
    --cluster-cidr=10.244.0.0/16 
    --service-cluster-ip-range=10.0.0.0/24 
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem 
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  
    --root-ca-file=/opt/kubernetes/ssl/ca.pem 
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem 
    --experimental-cluster-signing-duration=876000h0m0s"
    
    [root@k8s-master01 master]# cat kubernetes/cfg/kube-scheduler.conf 
    KUBE_SCHEDULER_OPTS="--logtostderr=false 
    --v=2 
    --log-dir=/opt/kubernetes/logs 
    --leader-elect 
    --master=127.0.0.1:8080 
    --address=127.0.0.1"

    4、拷贝生成的apiserver自签证书到ssl(通配符会把ca-key.pem、server-key.pem等私钥一并拷贝过来,拷贝后建议将ssl目录下的*-key.pem限制为仅root可读,例如chmod 600)

    [root@k8s-master01 master]# cp ~/k8s/tls/k8s/*.pem kubernetes/ssl/

    5、创建启动文件到/usr/lib/systemd/system

    [root@k8s-master01 master]# cat /usr/lib/systemd/system/kube-apiserver.service 
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
    ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    [root@k8s-master01 master]# cat /usr/lib/systemd/system/kube-controller-manager.service 
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
    ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    [root@k8s-master01 master]# cat /usr/lib/systemd/system/kube-scheduler.service 
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
    ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

    6、目录结构

    [root@k8s-master01 master]# tree kubernetes/
    kubernetes/
    ├── bin
    │   ├── kube-apiserver
    │   ├── kube-controller-manager
    │   ├── kubectl
    │   └── kube-scheduler
    ├── cfg
    │   ├── kube-apiserver.conf
    │   ├── kube-controller-manager.conf
    │   ├── kube-scheduler.conf
    │   └── token.csv
    ├── logs
    └── ssl
        ├── ca-key.pem
        ├── ca.pem
        ├── kube-proxy-key.pem
        ├── kube-proxy.pem
        ├── server-key.pem
        └── server.pem

    7、拷贝kubernetes目录到/opt下

    [root@k8s-master01 master]# cp -a kubernetes/ /opt/

    8、启动

    [root@k8s-master01 master]# systemctl start kube-apiserver
    [root@k8s-master01 master]# systemctl start kube-controller-manager
    [root@k8s-master01 master]# systemctl start kube-scheduler
    
    [root@k8s-master01 master]# systemctl enable kube-apiserver
    [root@k8s-master01 master]# systemctl enable kube-controller-manager
    [root@k8s-master01 master]# systemctl enable kube-scheduler   

    9、检查

    [root@k8s-master01 ~]# ps -ef |grep kube
    root       7333      1  6 17:26 ?        00:00:45 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --etcd-servers=https://10.16.8.161:2379,https://10.16.8.162:2379,https://10.16.8.163:2379 --bind-address=10.16.8.150 --secure-port=6443 --advertise-address=10.16.8.150 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --enable-bootstrap-token-auth=true --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-32767 --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/opt/kubernetes/logs/k8s-audit.log
    root       7355      1  2 17:26 ?        00:00:14 /opt/kubernetes/bin/kube-controller-manager --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --leader-elect=true --master=127.0.0.1:8080 --address=127.0.0.1 --allocate-node-cidrs=true --cluster-cidr=10.244.0.0/16 --service-cluster-ip-range=10.0.0.0/24 --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=876000h0m0s
    root       7372      1  0 17:26 ?        00:00:03 /opt/kubernetes/bin/kube-scheduler --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --leader-elect --master=127.0.0.1:8080 --address=127.0.0.1

    10、启用TLS Bootstrapping

    [root@k8s-master01 ~]# cat /opt/kubernetes/cfg/token.csv 
    c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"

    格式:token,用户,uid,用户组


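    上面的token只是示例,实际部署时应自行生成并替换(生成方法见下),不要直接使用文中公开的值;apiserver配置的token必须与node节点bootstrap.kubeconfig里配置的一致。token.csv以明文保存凭据,其中的token长期有效,修改后需要重启kube-apiserver才会生效,建议将该文件限制为仅root可读。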

    [root@k8s-master01 ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    c5a9915b716d354f720c0977b42cffda

    给kubelet-bootstrap授权:

    [root@k8s-master01 ~]# /opt/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap 
    --clusterrole=system:node-bootstrapper 
    --user=kubelet-bootstrap
    clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

    11、查看kube-controller-manager、kube-scheduler集群信息

    [root@k8s-master02 ~]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
    apiVersion: v1
    kind: Endpoints
    metadata:
      annotations:
        control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master01_c25b4896-bcfe-4bca-892a-07ea8ad72db6","leaseDurationSeconds":15,"acquireTime":"2019-11-04T09:26:34Z","renewTime":"2019-11-06T03:47:34Z","leaderTransitions":0}'
      creationTimestamp: "2019-11-04T09:26:34Z"
      name: kube-controller-manager
      namespace: kube-system
      resourceVersion: "204326"
      selfLink: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager
      uid: 5275607d-62e5-4910-aa9d-ce137a44c1c7
    [root@k8s-master02 ~]# kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml                       
    apiVersion: v1
    kind: Endpoints
    metadata:
      annotations:
        control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master01_c664643a-cb8d-4e54-b30c-d3fc31656d25","leaseDurationSeconds":15,"acquireTime":"2019-11-04T09:26:45Z","renewTime":"2019-11-06T03:48:08Z","leaderTransitions":0}'
      creationTimestamp: "2019-11-04T09:26:45Z"
      name: kube-scheduler
      namespace: kube-system
      resourceVersion: "204380"
      selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
      uid: edd0fd64-2667-49d1-89ff-9b3e015c83c8
  • 原文地址:https://www.cnblogs.com/xw115428/p/11956024.html