【K8S运维知识汇总】第2天7：安装部署主控节点服务——apiserver

【K8S运维知识汇总】第2天7：安装部署主控节点服务——apiserver

部署kube-apiserver集群

集群规划

主机名 角色 ipHDSS7-21.host.com kube-apiserver 10.4.7.21HDSS7-22.host.com kube-apiserver 10.4.7.22HDSS7-11.host.com 4层负载均衡 10.4.7.11HDSS7-12.host.com 4层负载均衡 10.4.7.12

注意：这里10.4.7.11和10.4.7.12使用nginx做4层负载均衡器，用keepalive跑一个vip：10.4.7.10，代理两个kube-apiserver，实现高可用。

这里部署文档以HDSS7-14.host.com主机为例，另外一台运算节点部署方法类似

-k8s二进制源码

-软件，解压，做软连接，安装1.15.2

​​~]# cd /opt/src/[root@localhost certs]# rz[root@hdss7-21 src]# lskubernetes-server-linux-amd64-v1.15.2.tar.gz

查看文件大小并解压

[root@localhost src]# du -sh kubernetes-server-linux-amd64-v1.15.2.tar.gz 424M kubernetes-server-linux-amd64-v1.15.2.tar.gz[root@localhost src]# tar -zxvf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/[root@hdss7-21 src]# cd ..[root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2

做软连接，方便以后更新

[root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes[root@hdss7-21 opt]# ll总用量 0drwx--x--x 4 root root 28 12月 10 14:28 containerdlrwxrwxrwx 1 root root 17 12月 10 16:45 etcd -> /opt/etcd-v3.1.20drwxr-xr-x 4 etcd etcd 166 12月 10 17:43 etcd-v3.1.20lrwxrwxrwx 1 root root 24 12月 10 18:33 kubernetes -> /opt/kubernetes-v1.15.2/drwxr-xr-x 4 root root 79 8月 5 18:01 kubernetes-v1.15.2drwxr-xr-x 2 root root 97 12月 10 18:29 src[root@hdss7-21 opt]# cd kubernetes[root@hdss7-21 kubernetes]# lsaddons kubernetes-src.tar.gz LICENSES server

删除源码包

[root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz [root@hdss7-21 kubernetes]# cd server/bin/

删除没用的文件docker镜像等

[root@localhost bin]# rm -f *.tar && rm -f *_tag#　剩余一些可执行文件[root@localhost bin]# ll总用量 884636-rwxr-xr-x 1 root root 43534816 8月 5 2019 apiextensions-apiserver-rwxr-xr-x 1 root root 100548640 8月 5 2019 cloud-controller-manager-rwxr-xr-x 1 root root 200648416 8月 5 2019 hyperkube-rwxr-xr-x 1 root root 40182208 8月 5 2019 kubeadm-rwxr-xr-x 1 root root 164501920 8月 5 2019 kube-apiserver-rwxr-xr-x 1 root root 116397088 8月 5 2019 kube-controller-manager-rwxr-xr-x 1 root root 42985504 8月 5 2019 kubectl-rwxr-xr-x 1 root root 119616640 8月 5 2019 kubelet-rwxr-xr-x 1 root root 36987488 8月 5 2019 kube-proxy-rwxr-xr-x 1 root root 38786144 8月 5 2019 kube-scheduler-rwxr-xr-x 1 root root 1648224 8月 5 2019

签发证书

签发apiserver-client证书：apiserver与etc通信用的证书。apiserver是客户端，etcd是服务端在运维主机HDSS-200.host.com上完成签发

创建生成证书签名请求（csr）的jsON配置文件 – 此目录下有，直接上传修改，不要粘贴复制

[root@hdss7-200 ~]# cd /opt/certs/[root@hdss7-200 ~]# vi /opt/certs/client-csr.json{ "CN": "k8s-node", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shengzhen", "L": "shengzhen", "O": "od", "OU": "ops" } ]}[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client

创建签名请求（csr）的JSON配置文件，apiserver，server端证书 – 直接上传

[root@hdss7-200 certs]# vi apiserver-csr.json{ "CN": "k8s-apiserver", "hosts": [ "127.0.0.1", "192.168.0.1", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "10.4.7.10", "10.4.7.21", "10.4.7.22", "10.4.7.23" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shengzhen", "L": "shengzhen", "O": "od", "OU": "ops" } ]}[root@hdss7-12 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver[root@hdss7-200 certs]# ll总用量 80total 24-rw-r--r-- 1 root root 1257 6月 26 17:29 apiserver.csr-rw-r--r-- 1 root root 570 6月 26 17:29 apiserver-csr.json-rw------- 1 root root 1679 6月 26 17:29 apiserver-key.pem-rw-r--r-- 1 root root 1602 6月 26 17:29 apiserver.pem-rw-r--r-- 1 root root 997 6月 26 17:24 client.csr-rw-r--r-- 1 root root 284 6月 26 17:23 client-csr.json-rw------- 1 root root 1675 6月 26 17:24 client-key.pem-rw-r--r-- 1 root root 1371 6月 26 17:24 client.pem

拷贝证书

[root@hdss7-14 ~]# cd /opt/kubernetes/server/bin/[root@hdss7-21 bin]# mkdir cert[root@hdss7-21 bin]# cd cert/# 最后有个点，表示拷贝到当前目录[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/ca.pem . [root@hdss7-21 cert]# scp hdss7-12:/opt/certs/ca-key.pem .[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/client.pem .[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/client-key.pem .[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/apiserver.pem .[root@hdss7-21 cert]# scp hdss7-12:/opt/certs/apiserver-key.pem .# 全部复制到另外一台apiserver主机上[root@localhost cert]# scp ./*.pem 10.4.7.200:/opt/kubernetes/server/bin/cert/root@10.4.7.200's password: scp: /opt/kubernetes/server/bin/cert/: No such file or directory[root@localhost cert]# scp ./*.pem 10.4.7.22:/opt/kubernetes/server/bin/cert/The authenticity of host '10.4.7.22 (10.4.7.22)' can't be established.ECDSA key fingerprint is SHA256:FuzW+BCs20gMQ9jse/bm88jvdMwwAcn274ukbLlVCSU.ECDSA key fingerprint is MD5:66:c8:11:5e:0b:41:fa:69:56:b7:b5:70:7d:33:9e:ad.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.4.7.22' (ECDSA) to the list of known hosts.root@10.4.7.22's password: apiserver-key.pem 100% 1679 737.7KB/s 00:00 apiserver.pem 100% 1602 472.4KB/s 00:00 ca-key.pem 100% 1675 673.3KB/s 00:00 ca.pem 100% 1346 811.5KB/s 00:00 client-key.pem 100% 1675 804.3KB/s 00:00 client.pem

创建启动配置脚本 apiserver的资源清单

[root@hdss7-22 cert]# cd /opt/kubernetes/server/bin[root@hdss7-21 bin]# mkdir conf[root@hdss7-21 bin]# cd conf/[root@hdss7-21 conf]# vi audit.yamlapiVersion: audit.k8s.io/v1beta1 # This is required.kind: Policy# Don't generate audit events for all requests in RequestReceived stage.omitStages: - "RequestReceived"rules: # Log pod changes at RequestResponse level - level: RequestResponse resources: - group: "" # Resource "pods" doesn't match requests to any subresource of pods, # which is consistent with the RBAC policy. resources: ["pods"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] # Don't log requests to a configmap called "controller-leader" - level: None resources: - group: "" resources: ["configmaps"] resourceNames: ["controller-leader"] # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Log the request body of configmap changes in kube-system. - level: Request resources: - group: "" # core API group resources: ["configmaps"] # This rule only applies to resources in the "kube-system" namespace. # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] # Log configmap and secret changes in all other namespaces at the Metadata level. - level: Metadata resources: - group: "" # core API group resources: ["secrets", "configmaps"] # Log all other resources in core and extensions at the Request level. - level: Request resources: - group: "" # core API group - group: "extensions" # Version of group should NOT be included. # A catch-all rule to log all other requests at the Metadata level. - level: Metadata # Long-running requests like watches that fall under this rule will not # generate an audit event in RequestReceived. omitStages: - "RequestReceived"

编写启动脚本 – 直接上传 注：脚本不能包含多余的空格，且需要对照格式，否则报错

[root@hdss7-21 config]# vi /opt/kubernetes/server/bin/kube-apiserver.sh#!/bin/bash./kube-apiserver \ --apiserver-count 2 \ --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \ --audit-policy-file ./conf/audit.yaml \ --authorization-mode RBAC \ --client-ca-file ./cert/ca.pem \ --requestheader-client-ca-file ./cert/ca.pem \ --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \ --etcd-cafile ./cert/ca.pem \ --etcd-certfile ./cert/client.pem \ --etcd-keyfile ./cert/client-key.pem \ --etcd-servers \ --service-account-key-file ./cert/ca-key.pem \ --service-cluster-ip-range 192.168.0.0/16 \ --service-node-port-range 3000-29999 \ --target-ram-mb=1024 \ --kubelet-client-certificate ./cert/client.pem \ --kubelet-client-key ./cert/client-key.pem \ --log-dir /data/logs/kubernetes/kube-apiserver \ --tls-cert-file ./cert/apiserver.pem \ --tls-private-key-file ./cert/apiserver-key.pem \ --v 2

查看帮助命令，查看每行的意思

[root@hdss7-21 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb

添加执行权限

[root@localhost bin]# cd /opt/kubernetes/server/bin/[root@hdss7-21 bin]# chmod +x kube-apiserver.sh

创建后台启动

# 21根据实际IP地址更改# [program:kube-apiserver-7-21] [root@hdss7-21 bin]# vi /etc/supervisord.d/kube-apiserver.ini[program:kube-apiserver-7-21] command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)numprocs=1 ; number of processes copies to start (def 1)directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)autostart=true ; start at supervisord start (default: true)autorestart=true ; retstart at unexpected quit (default: true)startsecs=30 ; number of secs prog must stay running (def. 1)startretries=3 ; max # of serial start failures (default 3)exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)stopsignal=QUIT ; signal used to kill process (default TERM)stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)user=root ; setuid to this UNIX account to run the programredirect_stderr=true ; redirect proc stderr to stdout (default false)stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTOstdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)stdout_events_enabled=false ; emit events on stdout writes (default false)[root@hdss7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver[root@hdss7-21 bin]# supervisorctl update[root@hdss7-21 bin]# supervisorctl status# 注：报错请直接查看日志，然后删除掉kube-apiserver.ini文件再 supervisorctl update来清除缓存，之后重新编写ini文件，再 supervisorctl update即可# 检查是否启动成功[root@hdss7-21 bin]# netstat -luntp | grep kube-apitcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 27303/./kube-apiser tcp6 0 0 :::6443 :::* LISTEN 27303/./kube-apiser

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。