二进制安装kubernetes v1.11.2 (第八章 kube-apiserver 部署)
继续上一章部署。
八、部署kube-apiserver组件
使用第七章的haproxy和keepalived部署的高可用集群提供的VIP:${MASTER_VIP}
8.1 下载二进制文件,参考 第三章
8.2 创建 kubernetes 证书和私钥
source /opt/k8s/bin/environment.sh cat > kubernetes-csr.json <<EOF { "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.56.20", "192.168.56.20", "${MASTER_VIP}", "${CLUSTER_KUBERNETES_SVC_IP}", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "4Paradigm" } ] } EOF
- host 字段指定授权使用该证书的IP或者域名列表,这里列出了 VIP、apiserver节点IP,kubernetes服务IP和域名
- 域名最后不能是 . (如不能是kubernetes.default.svc.cluster.local.),否则解析失败,提示 x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
- 如果使用非 cluster.local 域名,,如 xxx.com,则需要修改域名列表中的最后两个域名为:kubernetes.default.svc.xxx、kubernetes.default.svc.xxx.com
- kubernetes服务IP是apiserver自动创建的,一般是 -service-cluster-ip-range 参数指定的网段的第一个IP,后续可以通过如下命令获取:
$ kubectl get svc kubernetes NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes 10.254.0.1 <none> 443/TCP 1d
8.3 生成证书和私钥
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes ls kubernetes*pem
8.4 将生成的证书和私钥文件拷贝到master节点
source /opt/k8s/bin/environment.sh for master_ip in ${MASTER_IPS[@]} do echo ">>> ${master_ip}" ssh root@${master_ip} "mkdir -p /etc/kubernetes/cert/ && sudo chown -R k8s /etc/kubernetes/cert/" scp kubernetes*.pem k8s@${master_ip}:/etc/kubernetes/cert/ done
8.5 创建加密配置文件
source /opt/k8s/bin/environment.sh cat > encryption-config.yaml <<EOF kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: ${ENCRYPTION_KEY} - identity: {} EOF
8.6 将加密配置文件拷贝到 master 节点的 /etc/kubernetes 目录下
source /opt/k8s/bin/environment.sh for master_ip in ${MASTER_IPS[@]} do echo ">>> ${master_ip}" scp encryption-config.yaml root@${master_ip}:/etc/kubernetes/ done
替换后的加密配置文件:
[root@k8s-m1 cert]# more encryption-config.yaml kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: V8NUF8gATb1bZmBke9NRVw33JHt3elTDfNoIi0uhOFI= - identity: {}
8.7 创建 kube-apiserver systemd unit 模板文件
source /opt/k8s/bin/environment.sh cat > kube-apiserver.service.template <<EOF [Unit] Description=Kubernetes API Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] ExecStart=/opt/k8s/bin/kube-apiserver \\ --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\ --anonymous-auth=false \\ --experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml \\ --advertise-address=##NODE_IP## \\ --bind-address=##NODE_IP## \\ --insecure-port=0 \\ --authorization-mode=Node,RBAC \\ --runtime-config=api/all \\ --enable-bootstrap-token-auth \\ --service-cluster-ip-range=${SERVICE_CIDR} \\ --service-node-port-range=${NODE_PORT_RANGE} \\ --tls-cert-file=/etc/kubernetes/cert/kubernetes.pem \\ --tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem \\ --client-ca-file=/etc/kubernetes/cert/ca.pem \\ --kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem \\ --kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem \\ --service-account-key-file=/etc/kubernetes/cert/ca-key.pem \\ --etcd-cafile=/etc/kubernetes/cert/ca.pem \\ --etcd-certfile=/etc/kubernetes/cert/kubernetes.pem \\ --etcd-keyfile=/etc/kubernetes/cert/kubernetes-key.pem \\ --etcd-servers=${ETCD_ENDPOINTS} \\ --enable-swagger-ui=true \\ --allow-privileged=true \\ --apiserver-count=2 \\ --audit-log-maxage=30 \\ --audit-log-maxbackup=3 \\ --audit-log-maxsize=100 \\ --audit-log-path=/var/log/kube-apiserver-audit.log \\ --event-ttl=1h \\ --alsologtostderr=true \\ --logtostderr=false \\ --log-dir=/var/log/kubernetes \\ --v=2 Restart=on-failure RestartSec=5 Type=notify User=k8s LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF
- --experimental-encryption-provider-config:启用加密特性
- --authorization-mode=Node,RBAC: 开启 Node 和 RBAC 授权模式,拒绝未授权的请求
- --enable-admission-plugins:启用 ServiceAccount 和 NodeRestriction
- --service-account-key-file:签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file 指定私钥文件,两者配对使用
- --tls-*-file:指定 apiserver 使用的证书、私钥和 CA 文件。--client-ca-file 用于验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书
- --kubelet-client-certificate、--kubelet-client-key:如果指定,则使用 https 访问 kubelet APIs;需要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权
- --bind-address: 不能为 127.0.0.1,否则外界不能访问它的安全端口 6443
- --insecure-port=0:关闭监听非安全端口(8080)
- --service-cluster-ip-range: 指定 Service Cluster IP 地址段
- --service-node-port-range: 指定 NodePort 的端口范围
- --runtime-config=api/all=true: 启用所有版本的 APIs,如 autoscaling/v2alpha1
- --enable-bootstrap-token-auth:启用 kubelet bootstrap 的 token 认证
- --apiserver-count=3:指定集群运行模式,多台 kube-apiserver 会通过 leader 选举产生一个工作节点,其它节点处于阻塞状态
- User=k8s:使用 k8s 账户运行
8.8 为各节点创建和分发 kube-apiserver systemd unit 文件
替换模板中的变量,生成各master节点的 systemd unit 文件
source /opt/k8s/bin/environment.sh for (( i=0; i < 2; i++ )) do sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" kube-apiserver.service.template > kube-apiserver-${NODE_IPS[i]}.service done ls kube-apiserver*.service
8.9 分发生成的 systemd unit 文件
source /opt/k8s/bin/environment.sh for master_ip in ${MASTER_IPS[@]} do echo ">>> ${master_ip}" ssh root@${master_ip} "mkdir -p /var/log/kubernetes && chown -R k8s /var/log/kubernetes" scp kube-apiserver-${master_ip}.service root@${master_ip}:/etc/systemd/system/kube-apiserver.service done
- 需要先创建日志目录
- 分发后,文件重命名为 kube-apiserver.service
8.10 启动kube-apiserver 服务
source /opt/k8s/bin/environment.sh for master_ip in ${MASTER_IPS[@]} do echo ">>> ${master_ip}" ssh root@${master_ip} "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver" done
8.11 检查 kube-apiserver 运行状态
source /opt/k8s/bin/environment.sh for master_ip in ${MASTER_IPS[@]} do echo ">>> ${master_ip}" ssh root@${master_ip} "systemctl status kube-apiserver |grep 'Active:'" done
确保服务状态为 Active: active (running)
查看日志的方法:journalctl -u kube-apiserver
8.12 打印 kube-apiserver 写入 etcd 数据
source /opt/k8s/bin/environment.sh ETCDCTL_API=3 etcdctl \ --endpoints=${ETCD_ENDPOINTS} \ --cacert=/etc/kubernetes/cert/ca.pem \ --cert=/etc/etcd/cert/etcd.pem \ --key=/etc/etcd/cert/etcd-key.pem \ get /registry/ --prefix --keys-only
8.13 检查集群信息
[root@k8s-m1 template]# kubectl cluster-info Kubernetes master is running at https://192.168.56.6:8443 To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. [root@k8s-m1 template]# kubectl get all --all-namespaces NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default service/kubernetes ClusterIP 10.254.0.1 <none> 443/TCP 9m [root@k8s-m1 template]# kubectl get componentstatuses NAME STATUS MESSAGE ERROR controller-manager Unhealthy Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused etcd-0 Healthy {"health":"true"} etcd-1 Healthy {"health":"true"}
8.14 如果执行 kubectl 命令式时输出如下错误信息,则说明使用的 ~/.kube/config 文件不对,请切换到正确的账户后再执行该命令:
The connection to the server localhost:8080 was refused - did you specify the right host or port?
8.15 执行 kubectl get componentstatuses 命令时,apiserver 默认向 127.0.0.1 发送请求。当 controller-manager、scheduler 以集群模式运行时,有可能和 kube-apiserver 不在一台机器上,这时 controller-manager 或 scheduler 的状态为 Unhealthy,但实际上它们工作正常
8.16 检查 kube-apiserver 监听的端口
[root@k8s-m1 template]# sudo netstat -lnpt|grep kube tcp 0 0 192.168.56.20:6443 0.0.0.0:* LISTEN 9918/kube-apiserver
- 6443 接收 https 请求的安全端口,对所有请求做认证和授权
- 由于关闭了非安全端口,所以没有监听8080
8.17 授予 kubernetes 证书访问 kubelet API 的权限
在执行 kubectl exec、run、logs 等命令时,apiserver 会转发到 kubelet,这里定义RBAC规则
[root@k8s-m1 template]# kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
clusterrolebinding.rbac.authorization.k8s.io/kube-apiserver:kubelet-apis created
