!TIP
TLS Bootstrap
部署完整配置文件转载请注明出处:https://janrs.com/y44v 有任何问题欢迎在底部评论区发言。
token.csv 配置
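# Static bootstrap-token file consumed by kube-apiserver through --token-auth-file.
# Row format: token,user,uid,"group1,group2". This row authenticates as user
# kubelet-bootstrap (uid 10001) in group system:bootstrappers, which is what lets
# a new kubelet submit its first CSR. Static tokens never expire and the file is
# only re-read when the apiserver restarts, so rotation must be done deliberately.
# The token value below is the one shown in this write-up; generate a fresh
# random one (e.g. 32 hex chars from /dev/urandom) for your own cluster.
mkdir -p /etc/kubernetes/config
# umask 077 so the file is created root-only: this is a live credential.
# The quoted 'EOF' keeps the heredoc literal (no $ or backtick expansion).
(
  umask 077
  cat > /etc/kubernetes/config/auth-token.csv <<'EOF'
dafe33bc8fcdae7f9f16df53a95199fa,kubelet-bootstrap,10001,system:bootstrappers
EOF
)
# umask only governs newly created files; tighten a pre-existing file as well.
chmod 0600 /etc/kubernetes/config/auth-token.csv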
apiserver.conf 配置
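# kube-apiserver flags, written as one multi-line KUBE_APISERVER_OPTS value.
# Security-relevant choices visible below:
#   --anonymous-auth=false and --insecure-port=0: unauthenticated and plaintext
#     access are disabled; all clients must present a cert or token over 6443.
#   --authorization-mode=Node,RBAC: node-scoped and role-based authorization.
#   --token-auth-file: the static bootstrap token written to auth-token.csv.
# NOTE(review): --service-account-key-file, --service-account-signing-key-file
#   and --client-ca-file all point at the apiserver CA key pair, i.e. the CA
#   private key is also the service-account token signing key. A dedicated
#   service-account key pair limits the blast radius if either is exposed.
# NOTE(review): --audit-log-* options are set but no --audit-policy-file is
#   given; kube-apiserver emits no audit events without a policy, so the log
#   file will stay empty until one is added.
# NOTE(review): --apiserver-count=3 with a single --etcd-servers endpoint —
#   if this is a multi-member control plane, list every etcd member here.
mkdir -p /etc/kubernetes/config /var/log/kubernetes/apiserver
# Quoted 'EOF' keeps the heredoc literal (no $ or backtick expansion).
cat > /etc/kubernetes/config/apiserver.conf <<'EOF'
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
--anonymous-auth=false
--bind-address=172.16.222.121
--secure-port=6443
--advertise-address=172.16.222.121
--insecure-port=0
--authorization-mode=Node,RBAC
--runtime-config=api/all=true
--service-cluster-ip-range=10.68.0.1/16
--service-node-port-range=30000-39999
--service-account-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-server.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-server-key.pem
--client-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--service-account-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--service-account-issuer=https://kubernetes.default.svc.cluster.local
--api-audiences=https://kubernetes.default.svc
--etcd-cafile=/etc/kubernetes/pki/etcd/etcd-ca.pem
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client.pem
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-apiserver-client-key.pem
--etcd-servers=https://172.16.222.121:2379
--kubelet-client-certificate=/etc/kubernetes/pki/kubelet/kubelet-apiserver-client.pem
--kubelet-client-key=/etc/kubernetes/pki/kubelet/kubelet-apiserver-client-key.pem
--token-auth-file=/etc/kubernetes/config/auth-token.csv
--feature-gates=RemoveSelfLink=false
--enable-swagger-ui=true
--allow-privileged=true
--apiserver-count=3
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/var/log/kubernetes/apiserver/apiserver-audit.log
--event-ttl=1h
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/apiserver/
--v=2"
EOF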
controller.conf 配置
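# kube-controller-manager flags, written as one multi-line
# KUBE_CONTROLLER_MANAGER_OPTS value.
#   --port=0 with --bind-address=127.0.0.1: no insecure port, and the secure
#     port 10257 is reachable from the local host only.
#   --cluster-signing-cert-file/--cluster-signing-key-file: the apiserver CA
#     signs kubelet CSRs, which is what the TLS bootstrap flow relies on.
#   --controllers=*,bootstrapsigner,tokencleaner: the two bootstrap-token
#     controllers are enabled explicitly (they are off by default).
# NOTE(review): --cluster-signing-duration=87600h issues ten-year node
#   certificates; with RotateKubeletServerCertificate=true already enabled, a
#   much shorter duration costs little and shrinks the window of a leaked key.
# NOTE(review): --tls-cert-file names a *-controller-client.pem certificate but
#   is used as the serving cert for 10257 — confirm it carries the server EKU
#   and a matching SAN, or scrapers of the secure port will reject it.
mkdir -p /etc/kubernetes/config /var/log/kubernetes/controller
# Quoted 'EOF' keeps the heredoc literal (no $ or backtick expansion).
cat > /etc/kubernetes/config/controller.conf <<'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--port=0
--secure-port=10257
--bind-address=127.0.0.1
--kubeconfig=/etc/kubernetes/kubeconfig/controller.kubeconfig
--service-cluster-ip-range=10.68.0.1/16
--cluster-name=kubernetes
--cluster-signing-cert-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--cluster-signing-key-file=/etc/kubernetes/pki/apiserver/apiserver-ca-key.pem
--root-ca-file=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--feature-gates=RotateKubeletServerCertificate=true
--allocate-node-cidrs=true
--cluster-cidr=10.100.0.0/16
--cluster-signing-duration=87600h
--leader-elect=true
--controllers=*,bootstrapsigner,tokencleaner
--horizontal-pod-autoscaler-sync-period=10s
--tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver-controller-client.pem
--tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-controller-client-key.pem
--alsologtostderr=true
--logtostderr=false
--log-dir=/var/log/kubernetes/controller/
--v=2"
EOF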