!TIP 二进制部署
k8s- 部署kube-apiserver
转载请注明出处:https://janrs.com/dchk 有任何问题欢迎在底部评论区发言。
部署 kube-apiserver
1.创建目录
代码语言:shell复制!NOTE 每台
master服务器都要创建。
# 创建证书目录
mkdir -p /etc/kubernetes/pki/{apiserver/,kubelet/,aggregator/,service-account/,sign/,etcd/}
# 创建配置文件存放目录以及 kubeconfig 存放目录和初始化集群所需配置文件目录
mkdir -p /etc/kubernetes/{config/,kubeconfig/,init_k8s_config/}
# 创建 kubectl 使用 config 的默认目录
mkdir -p /root/.kube/
# 创建日志存放目录
mkdir -p /var/log/kubernetes/{apiserver/,controller/,scheduler/}2.创建 ssl 证书
2-1.创建 ca 根证书
代码语言:shell复制!NOTE
ca根证书采用4096位加密。 创建证书可以在其他地方生成后再上传,设置好对应的ip就行。
cat > /ssl/apiserver-ca-csr.json <<EOF
{
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert -initca apiserver-ca-csr.json |
cfssljson -bare apiserver-ca - &&
ls apiserver-ca* |
grep apiserver-ca2-2.创建 server 证书
代码语言:shell复制!NOTE
hosts参数的ip需要把master节点,HA节点以及vip地址都写进去。
cat > /ssl/apiserver-server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"172.16.222.121",
"172.16.222.122",
"172.16.222.123",
"172.16.222.201",
"172.16.222.202",
"172.16.222.110",
"10.68.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"O": "k8s",
"OU": "System",
"ST": "Beijing"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert -ca=apiserver-ca.pem
-ca-key=apiserver-ca-key.pem
-config=ca-config.json
-profile=server apiserver-server-csr.json |
cfssljson -bare apiserver-server &&
ls apiserver-server* |
grep apiserver-server2-3.创建 etcd 提供给 kube-apiserver 访问的 client 证书
代码语言:shell复制!NOTE 由于是访问
etcd的服务,所以要使用etcd的ca机构签发证书。
cat > /ssl/etcd-apiserver-client-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert -ca=etcd-ca.pem
-ca-key=etcd-ca-key.pem
-config=ca-config.json
-profile=client etcd-apiserver-client-csr.json |
cfssljson -bare etcd-apiserver-client &&
ls etcd-apiserver-client* |
grep etcd-apiserver-client2-4.创建 kubelet 的 ca 证书
代码语言:shell复制!NOTE
ca根证书采用4096位加密。
cat > /ssl/kubelet-ca-scr.json <<EOF
{
"key": {
"algo": "rsa",
"size": 4096
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert -initca kubelet-ca-scr.json |
cfssljson -bare kubelet-ca - &&
ls kubelet-ca* |
grep kubelet-ca2-5.创建 kubelet 提供给 kube-apiserver 访问的 client 证书
该证书由 kubelet 的 ca 签发机构创建。
客户端 client 证书不需要设置 hosts 参数。
cat > /ssl/kubelet-apiserver-client-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert -ca=kubelet-ca.pem
-ca-key=kubelet-ca-key.pem
-config=ca-config.json
-profile=client kubelet-apiserver-client-csr.json |
cfssljson -bare kubelet-apiserver-client &&
ls kubelet-apiserver-client* |
grep kubelet-apiserver-client3.分发证书
分发 etcd-ca.pem 密钥给 kube-apiserver
分发到 master 节点
scp /ssl/etcd-ca.pem root@172.16.222.121:/etc/kubernetes/pki/etcd/ &&
scp /ssl/etcd-ca.pem root@172.16.222.122:/etc/kubernetes/pki/etcd/ &&
scp /ssl/etcd-ca.pem root@172.16.222.123:/etc/kubernetes/pki/etcd/分发 kube-apiserver 的 ca 根证书
分发到 master 节点
scp /ssl/apiserver-ca*.pem root@172.16.222.121:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-ca*.pem root@172.16.222.122:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-ca*.pem root@172.16.222.123:/etc/kubernetes/pki/apiserver/分发 etcd 颁发给 kube-apiserver 的 client 证书
分发到 master 节点
scp /ssl/etcd-apiserver-client*.pem root@172.16.222.121:/etc/kubernetes/pki/etcd/ &&
scp /ssl/etcd-apiserver-client*.pem root@172.16.222.122:/etc/kubernetes/pki/etcd/ &&
scp /ssl/etcd-apiserver-client*.pem root@172.16.222.123:/etc/kubernetes/pki/etcd/分发所有 kube-apiserver 的 server 证书
分发到 master 节点
scp /ssl/apiserver-server*.pem root@172.16.222.121:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-server*.pem root@172.16.222.122:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-server*.pem root@172.16.222.123:/etc/kubernetes/pki/apiserver/分发 kubelet 的 ca 证书
分发到 node 节点
scp /ssl/kubelet-ca*.pem root@172.16.222.231:/etc/kubernetes/pki/kubelet/分发 kubelet 颁发给 kube-apiserver 的 client 证书
分发到 master 节点
scp /ssl/kubelet-apiserver-client*.pem root@172.16.222.121:/etc/kubernetes/pki/kubelet/ &&
scp /ssl/kubelet-apiserver-client*.pem root@172.16.222.122:/etc/kubernetes/pki/kubelet/ &&
scp /ssl/kubelet-apiserver-client*.pem root@172.16.222.123:/etc/kubernetes/pki/kubelet/4.下载 k8s server 端的二进制文件
!NOTE 每台
master服务器都要下载。
下载
代码语言:shell复制cd /tmp &&
wget https://dl.k8s.io/v1.23.9/kubernetes-server-linux-amd64.tar.gz分发到每台 master 服务器
scp /tmp/kubernetes-server-linux-amd64.tar.gz root@172.16.222.121:/home/ &&
scp /tmp/kubernetes-server-linux-amd64.tar.gz root@172.16.222.122:/home/ &&
scp /tmp/kubernetes-server-linux-amd64.tar.gz root@172.16.222.123:/home/解压
到每台 master 服务器解压
cd /home/ &&
tar -zxvf kubernetes-server-linux-amd64.tar.gz复制二进制执行文件到 /usr/local/bin/
到每台 master 服务器复制
cd /home/kubernetes/server/bin/ &&
cp kube-apiserver kube-controller-manager kubectl kube-scheduler /usr/local/bin/5.部署 kube-apiserver
5-1.创建服务启动配置文件
!NOTE 以下操作需要登录到对应的
master服务器操作。 只需要修改配置参数中的ip地址即可。 注意:以下配置中,日志等级设置为:6。产生的日志的速度会非常快。学习部署后可以修改为:2。
5-1-1.创建 master-01 服务器的启动配置文件
代码语言:shell复制cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.121
--secure-port=6443
--advertise-address=172.16.222.121
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF5-1-2.创建 master-02 服务器的启动配置文件
代码语言:shell复制cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.122
--secure-port=6443
--advertise-address=172.16.222.122
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF5-1-3.创建 master-03 服务器的启动配置文件
代码语言:shell复制cat > /etc/kubernetes/config/apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.123
--secure-port=6443
--advertise-address=172.16.222.123
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.111:2379,https://172.16.222.112:2379,https://172.16.222.113:2379
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=6"
EOF5-2.创建服务启动文件
代码语言:shell复制!NOTE 使用
cat命令创建文件时,环境变量参数会丢失。需要在开头的EOF加上单引号即可。 在每台master服务器都要创建。每个启动文件都一样。
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server Service
Documentation=https://github.com/kubernetes/kubernetes
#Requires=etcd.service
#After=etcd.service
Before=kube-controller-manager.service kube-scheduler.service
[Service]
EnvironmentFile=-/etc/kubernetes/config/apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF5-3.启动服务
启动服务
代码语言:shell复制systemctl daemon-reload &&
systemctl start kube-apiserver5-4.设置开机启动
没有错误后,设置开启启动
代码语言:shell复制systemctl enable kube-apiserver5-5.其他操作
停止服务
代码语言:shell复制systemctl stop kube-apiserver查看状态
代码语言:shell复制systemctl status kube-apiserver查看错误
代码语言:shell复制journalctl -l --no-pager -u kube-apiserver删除进程日志
代码语言:shell复制rm -rvf /var/log/journal/*至此。kube-apiserver 组件部署成功。
转载请注明出处:https://janrs.com/dchk 有任何问题欢迎在底部评论区发言。
