Kubernetes: deploying the master node components

Section 6: Deploying the components on the Master node

  • Prerequisite
    Before deploying Kubernetes, make sure that etcd, flannel and docker are working correctly; if not, fix those problems first and then continue.

1 Generate the certificates

Create the CA certificate:

# cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}

# cat ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

Generate the apiserver certificate:

# cat server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.31.63",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

Generate the kube-proxy certificate:

# cat kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

The following certificate files are produced:

# ls *pem

ca-key.pem  ca.pem  kube-proxy-key.pem  kube-proxy.pem  server-key.pem  server.pem

2 Deploy the apiserver component

Download the binary package: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md

Downloading this one package (kubernetes-server-linux-amd64.tar.gz) is enough; it contains all the required components.

# mkdir /opt/kubernetes/{bin,cfg,ssl} -p
# tar zxvf kubernetes-server-linux-amd64.tar.gz
# cd kubernetes/server/bin
# cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin

Create the token file; its purpose is explained later:

# cat /opt/kubernetes/cfg/token.csv
674c457d4dcf2eefe4920d7dbb6b0ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

  • Column 1: a random string; generate one yourself
  • Column 2: username
  • Column 3: UID
  • Column 4: user group
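
As an added example (not part of the original post), the following POSIX shell functions generate the random string for column 1, write a token.csv line in the format shown above, and check that an existing file has the expected four columns. The path, username, UID and group are the ones used on this page; the function names are my own.

```shell
# Added example, not from the original post: create and check
# /opt/kubernetes/cfg/token.csv for the kubelet bootstrap user.

# Print a fresh 32-character hex token (16 random bytes), the "random
# string" that goes in column 1.
gen_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write one token.csv line: token,username,uid,"group".
# Usage: write_token_csv <path> <username> <uid> <group>
# The file is written in a subshell with umask 077 so it ends up 0600:
# anyone who can read it can join the cluster as the bootstrap user.
write_token_csv() {
    ( umask 077
      printf '%s,%s,%s,"%s"\n' "$(gen_token)" "$2" "$3" "$4" > "$1" )
}

# Check every line of a token.csv: exactly four comma-separated columns,
# a 32-character lowercase-hex token and a numeric UID. Returns 0 when
# the whole (non-empty) file passes, 1 otherwise.
check_token_csv() {
    awk -F, '
        NF != 4                                  { bad = 1 }
        length($1) != 32 || $1 !~ /^[0-9a-f]+$/  { bad = 1 }
        $3 !~ /^[0-9]+$/                         { bad = 1 }
        END { if (bad || NR == 0) exit 1 }
    ' "$1"
}
```

Run write_token_csv /opt/kubernetes/cfg/token.csv kubelet-bootstrap 10001 system:kubelet-bootstrap to produce the file, then check_token_csv on it before pointing --token-auth-file at it.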

Create the apiserver configuration file:

# cat /opt/kubernetes/cfg/kube-apiserver 

KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:2379 \
--bind-address=192.168.31.63 \
--secure-port=6443 \
--advertise-address=192.168.31.63 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

Point these options at the certificates generated earlier and make sure the apiserver can connect to etcd.

Parameter explanation:

  • --logtostderr: enable logging
  • --v: log level
  • --etcd-servers: etcd cluster addresses
  • --bind-address: listen address
  • --secure-port: HTTPS secure port
  • --advertise-address: address advertised to the cluster
  • --allow-privileged: allow privileged containers
  • --service-cluster-ip-range: Service virtual IP address range
  • --enable-admission-plugins: admission control modules
  • --authorization-mode: authentication and authorization; enables RBAC authorization and node self-management (the Node authorizer)
  • --enable-bootstrap-token-auth: enable TLS bootstrapping, explained later
  • --token-auth-file: token file
  • --service-node-port-range: port range allocated to NodePort-type Services
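
As an added example (not from the original post), this POSIX shell check loads KUBE_APISERVER_OPTS from the configuration file above and verifies that the TLS, client-CA, etcd certificate, RBAC/Node authorization, NodeRestriction and token-file settings are all present before the service is started. The function names are my own; the file format is the one shown on this page.

```shell
# Added example, not from the original post: sanity-check the security
# related flags in /opt/kubernetes/cfg/kube-apiserver before starting it.

# Source the config file and print each flag of KUBE_APISERVER_OPTS on
# its own line (the backslash continuations collapse to spaces).
apiserver_flags() {
    KUBE_APISERVER_OPTS=
    . "$1"
    printf '%s\n' $KUBE_APISERVER_OPTS
}

# Report a finding and remember that the check failed.
fail() { echo "FAIL: $1"; rc=1; }

# Return 0 when the file has every flag this page relies on for TLS,
# client-certificate auth, etcd TLS and RBAC/Node authorization.
check_apiserver_opts() {
    flags=$(apiserver_flags "$1")
    rc=0
    for f in --tls-cert-file --tls-private-key-file --client-ca-file \
             --etcd-cafile --etcd-certfile --etcd-keyfile; do
        printf '%s\n' "$flags" | grep -q "^$f=" || fail "missing $f"
    done
    mode=$(printf '%s\n' "$flags" | sed -n 's/^--authorization-mode=//p')
    case ",$mode," in *,RBAC,*) ;; *) fail "authorization-mode lacks RBAC ($mode)" ;; esac
    case ",$mode," in *,Node,*) ;; *) fail "authorization-mode lacks Node ($mode)" ;; esac
    case ",$mode," in *,AlwaysAllow,*) fail "authorization-mode contains AlwaysAllow" ;; esac
    # NodeRestriction keeps a kubelet from editing objects of other nodes
    printf '%s\n' "$flags" | grep -q '^--enable-admission-plugins=.*NodeRestriction' \
        || fail "NodeRestriction admission plugin not enabled"
    # bootstrap-token auth does nothing without the token file it reads
    if printf '%s\n' "$flags" | grep -q '^--enable-bootstrap-token-auth'; then
        printf '%s\n' "$flags" | grep -q '^--token-auth-file=' \
            || fail "bootstrap token auth enabled without --token-auth-file"
    fi
    return $rc
}
```

Run check_apiserver_opts /opt/kubernetes/cfg/kube-apiserver; a non-zero exit with FAIL lines means the file should be fixed before systemctl restart kube-apiserver.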

Manage the apiserver with systemd:

# cat /usr/lib/systemd/system/kube-apiserver.service 
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

Start kube-apiserver:

# systemctl daemon-reload
# systemctl enable kube-apiserver
# systemctl restart kube-apiserver

3 Deploy the scheduler component

Create the scheduler configuration file:

# cat /opt/kubernetes/cfg/kube-scheduler 

KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"

Parameter explanation:

  • --master: connect to the local apiserver
  • --leader-elect: when several instances of this component are running, elect a leader automatically (HA)

Manage the scheduler component with systemd:

# cat /usr/lib/systemd/system/kube-scheduler.service 
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

Start kube-scheduler:

# systemctl daemon-reload
# systemctl enable kube-scheduler
# systemctl restart kube-scheduler

4 Deploy the controller-manager component

Create the controller-manager configuration file:

# cat /opt/kubernetes/cfg/kube-controller-manager 
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"

Manage the controller-manager component with systemd:

# cat /usr/lib/systemd/system/kube-controller-manager.service 
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

Start kube-controller-manager:

# systemctl daemon-reload
# systemctl enable kube-controller-manager
# systemctl restart kube-controller-manager

All components have now started successfully. Use the kubectl tool to check the status of the cluster components:

# /opt/kubernetes/bin/kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
etcd-0               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
controller-manager   Healthy   ok

The output above shows that all components are healthy.
