Kubernetes master 上的组件安装配置

1简介

在K8S的master节点上主要部署kube-apiserver,kube-controller-manager,kube-scheduler三个组件,并且首先部署kube-apiserver.

2.下载安装程序包

https://github.com/kubernetes/kubernetes/releases

下载 kubernetes-server-linux-amd64.tar.gz 后,先与发行说明(CHANGELOG)中公布的校验值(SHA512)核对,确认无误再解压使用,避免运行被替换或损坏的二进制。

3.为 apiserver 生成证书

CA 签发策略配置文件(ca-config.json)。注意:这里只定义了一个 kubernetes profile,同时带有 server auth 和 client auth 两种用途,下文 server、admin、kube-proxy 证书都用它签发,因此每张证书既可作服务端证书也可作客户端证书;有效期 87600h 即 10 年,而 Kubernetes 不检查 CRL/OCSP,证书一旦签出无法吊销,只能通过更换 CA 作废。生产环境建议缩短有效期,或为服务端/客户端分别定义 profile。

# Write the cfssl signing policy used for every certificate below.
# The delimiter is quoted so the shell performs no expansion on the JSON body
# (it contains none today, but this keeps the file verbatim).
# NOTE(review): the single "kubernetes" profile carries both "server auth" and
# "client auth", so every certificate issued with it (server, admin, kube-proxy)
# is usable in either role; 87600h is a 10-year validity and the API server
# performs no revocation checks, so a leaked certificate stays valid until the
# CA itself is replaced.
cat <<'EOF' > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

CA 自身的证书请求信息(ca-csr.json)。注意:这里没有 "ca": {"expiry": "..."} 字段,cfssl -initca 会使用它自己的默认 CA 有效期(通常为 5 年),比上面 profile 中 10 年的签发有效期短,叶子证书可能在 CA 过期后即失效;生成后可用 openssl x509 -noout -enddate -in ca.pem 核对。

# Write the request for the cluster root CA (consumed by `cfssl gencert -initca`).
# Quoted delimiter: the JSON is written exactly as shown, no shell expansion.
# NOTE(review): no "ca": {"expiry": ...} field is given, so cfssl applies its
# own default CA lifetime (documented as 5 years in cfssl — confirm with
# `openssl x509 -noout -enddate -in ca.pem`), which is shorter than the 87600h
# leaf expiry in ca-config.json; leaf certificates would then outlive their issuer.
cat <<'EOF' > ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
              "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

生成 CA 证书。ca-key.pem 是整个集群的信任根(后面 apiserver 用 ca.pem 校验客户端证书,controller-manager 用 ca-key.pem 自动签发 kubelet 证书),权限保持 0600、仅保留在 master 上,不要拷贝到 node 或随意分发。

[root@dn01 k8s-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/09/15 22:53:21 [INFO] generating a new CA key and certificate from CSR
2019/09/15 22:53:21 [INFO] generate received request
2019/09/15 22:53:21 [INFO] received CSR
2019/09/15 22:53:21 [INFO] generating key: rsa-2048
2019/09/15 22:53:21 [INFO] encoded CSR
2019/09/15 22:53:21 [INFO] signed certificate with serial number 572912617063945469665143433279729810814394937603
[root@dn01 k8s-cert]# ll
total 24
-rw-r--r--. 1 root root  294 Sep 15 22:52 ca-config.json
-rw-r--r--. 1 root root 1001 Sep 15 22:53 ca.csr
-rw-r--r--. 1 root root  262 Sep 15 22:53 ca-csr.json
-rw-------. 1 root root 1675 Sep 15 22:53 ca-key.pem
-rw-r--r--. 1 root root 1359 Sep 15 22:53 ca.pem
[root@dn01 k8s-cert]# 

为 apiserver 颁发服务端证书

证书信息。hosts 中必须列出客户端访问 apiserver 时会用到的全部 IP 和域名(本机 IP、其他 master、负载均衡 IP、VIP,以及 service 网段第一个地址 10.0.0.1 和 kubernetes.default.svc.cluster.local 等集群内部名称),它们会成为证书的 SAN;签出后无法追加,新增地址只能重新签发。另外 JSON 不支持注释(例如 ##负载ip 这类写法),实际写入文件时不能带注释,否则 cfssl 解析失败。

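# Write the API server certificate request.
# Every address a client may use to reach the API server must appear in
# "hosts" (it becomes the certificate's SAN list); SANs cannot be added to an
# issued certificate, so a new address means re-issuing server.pem.
#   10.0.0.1                  first IP of --service-cluster-ip-range (the
#                             in-cluster "kubernetes" service address)
#   10.10.100.30 / .33 / .34  API server host IPs (10.10.100.30 is this master;
#                             the others are presumably further masters — confirm)
#   10.10.100.35 / .36        load-balancer IPs
#   10.10.100.37              VIP
# JSON has no comment syntax: the "##" annotations that used to sit inside the
# list made the file unparsable for cfssl, so they are kept here instead.
cat <<'EOF' > server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.10.100.30",
      "10.10.100.33",
      "10.10.100.34",
      "10.10.100.35",
      "10.10.100.36",
      "10.10.100.37",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF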

生成证书。注意下面输出中 cfssl 给出了 This certificate lacks a "hosts" field 的警告,说明它实际签出的证书没有任何 SAN(可能是读取的 JSON 内容与上面展示的不一致,例如夹带了注释),这样的证书无法通过客户端对 apiserver 地址的校验。签发后务必执行 openssl x509 -in server.pem -noout -text | grep -A1 'Subject Alternative Name',确认 SAN 中包含上面列出的全部 IP 和域名。

[root@dn01 k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2019/09/15 22:56:24 [INFO] generate received request
2019/09/15 22:56:24 [INFO] received CSR
2019/09/15 22:56:24 [INFO] generating key: rsa-2048
2019/09/15 22:56:24 [INFO] encoded CSR
2019/09/15 22:56:24 [INFO] signed certificate with serial number 389651765945997061844331666019799313343391426565
2019/09/15 22:56:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@dn01 k8s-cert]# ll
total 40
-rw-r--r--. 1 root root  294 Sep 15 22:52 ca-config.json
-rw-r--r--. 1 root root 1001 Sep 15 22:53 ca.csr
-rw-r--r--. 1 root root  262 Sep 15 22:53 ca-csr.json
-rw-------. 1 root root 1675 Sep 15 22:53 ca-key.pem
-rw-r--r--. 1 root root 1359 Sep 15 22:53 ca.pem
-rw-r--r--. 1 root root 2327 Sep 15 22:50 k8s-cert.sh
-rw-r--r--. 1 root root 1285 Sep 15 22:56 server.csr
-rw-r--r--. 1 root root  620 Sep 15 22:56 server-csr.json
-rw-------. 1 root root 1679 Sep 15 22:56 server-key.pem
-rw-r--r--. 1 root root 1651 Sep 15 22:56 server.pem
[root@dn01 k8s-cert]# 

配置 admin 的证书。CN=admin、O=system:masters:apiserver 把证书的 O 当作用户组,而 system:masters 组通过内置的 cluster-admin ClusterRoleBinding 拥有集群全部权限;Kubernetes 不做证书吊销检查,这张 10 年有效的证书一旦泄露,只能通过更换 CA 来作废。建议仅作应急使用,日常管理使用单独、权限更小的身份。

证书信息

# Write the request for the "admin" client certificate.
# Quoted delimiter: the JSON is written exactly as shown, no shell expansion.
# NOTE(review): the API server maps the subject's O to a group, and the
# system:masters group is bound to cluster-admin by a built-in
# ClusterRoleBinding; there is no revocation check, so this key pair is a
# permanent cluster-admin credential for the CA's lifetime — keep admin-key.pem
# at mode 0600 and use it only for break-glass access.
cat <<'EOF' > admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

生成admin的证书,后期会用到

[root@dn01 k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/09/15 22:58:09 [INFO] generate received request
2019/09/15 22:58:09 [INFO] received CSR
2019/09/15 22:58:09 [INFO] generating key: rsa-2048
2019/09/15 22:58:10 [INFO] encoded CSR
2019/09/15 22:58:10 [INFO] signed certificate with serial number 544703490421261671310917214619235450800685894119
2019/09/15 22:58:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@dn01 k8s-cert]# ll
total 56
-rw-r--r--. 1 root root 1009 Sep 15 22:58 admin.csr
-rw-r--r--. 1 root root  229 Sep 15 22:58 admin-csr.json
-rw-------. 1 root root 1675 Sep 15 22:58 admin-key.pem
-rw-r--r--. 1 root root 1399 Sep 15 22:58 admin.pem
-rw-r--r--. 1 root root  294 Sep 15 22:52 ca-config.json
-rw-r--r--. 1 root root 1001 Sep 15 22:53 ca.csr
-rw-r--r--. 1 root root  262 Sep 15 22:53 ca-csr.json
-rw-------. 1 root root 1675 Sep 15 22:53 ca-key.pem
-rw-r--r--. 1 root root 1359 Sep 15 22:53 ca.pem
-rw-r--r--. 1 root root 2327 Sep 15 22:50 k8s-cert.sh
-rw-r--r--. 1 root root 1285 Sep 15 22:56 server.csr
-rw-r--r--. 1 root root  620 Sep 15 22:56 server-csr.json
-rw-------. 1 root root 1679 Sep 15 22:56 server-key.pem
-rw-r--r--. 1 root root 1651 Sep 15 22:56 server.pem

为 kube-proxy 颁发客户端证书。CN 为 system:kube-proxy,对应内置 ClusterRoleBinding system:node-proxier 授予的权限;RBAC 以证书 CN 作为用户名、O 作为组,这里的 O=k8s 不对应任何内置组。

证书信息

# Write the request for the kube-proxy client certificate.
# Quoted delimiter: the JSON is written exactly as shown, no shell expansion.
# The CN (system:kube-proxy) is the user name the API server derives from the
# certificate; the O field becomes a group ("k8s" here, which no built-in
# binding refers to).
cat <<'EOF' > kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

生成kube-proxy的证书

[root@dn01 k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/09/15 23:00:44 [INFO] generate received request
2019/09/15 23:00:44 [INFO] received CSR
2019/09/15 23:00:44 [INFO] generating key: rsa-2048
2019/09/15 23:00:44 [INFO] encoded CSR
2019/09/15 23:00:44 [INFO] signed certificate with serial number 100753043521389054173620768687584067283743043982
2019/09/15 23:00:44 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@dn01 k8s-cert]# ll
total 72
-rw-r--r--. 1 root root 1009 Sep 15 22:58 admin.csr
-rw-r--r--. 1 root root  229 Sep 15 22:58 admin-csr.json
-rw-------. 1 root root 1675 Sep 15 22:58 admin-key.pem
-rw-r--r--. 1 root root 1399 Sep 15 22:58 admin.pem
-rw-r--r--. 1 root root  294 Sep 15 22:52 ca-config.json
-rw-r--r--. 1 root root 1001 Sep 15 22:53 ca.csr
-rw-r--r--. 1 root root  262 Sep 15 22:53 ca-csr.json
-rw-------. 1 root root 1675 Sep 15 22:53 ca-key.pem
-rw-r--r--. 1 root root 1359 Sep 15 22:53 ca.pem
-rw-r--r--. 1 root root 2327 Sep 15 22:50 k8s-cert.sh
-rw-r--r--. 1 root root 1009 Sep 15 23:00 kube-proxy.csr
-rw-r--r--. 1 root root  230 Sep 15 23:00 kube-proxy-csr.json
-rw-------. 1 root root 1679 Sep 15 23:00 kube-proxy-key.pem
-rw-r--r--. 1 root root 1403 Sep 15 23:00 kube-proxy.pem
-rw-r--r--. 1 root root 1285 Sep 15 22:56 server.csr
-rw-r--r--. 1 root root  620 Sep 15 22:56 server-csr.json
-rw-------. 1 root root 1679 Sep 15 22:56 server-key.pem
-rw-r--r--. 1 root root 1651 Sep 15 22:56 server.pem
[root@dn01 k8s-cert]# 

至此所有需要的证书都已生成,包括 ca、server、admin、kube-proxy 四组(每组各有 .pem 证书和 -key.pem 私钥,私钥文件权限均为 0600,请保持)。

[root@dn01 k8s-cert]# ls *pem
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem

将 CA 证书和 server 证书(连同各自的私钥)拷贝到 kubernetes 安装路径 /opt/kubernetes/ssl/ 下。ca-key.pem 必须留在 master 上,是因为后面 controller-manager 要用它签发 kubelet 证书、apiserver 和 controller-manager 还把它当作 service account token 的签名密钥;node 节点只需要 ca.pem,不要把 ca-key.pem 拷贝到 node。

[root@dn01 k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@dn01 k8s-cert]# ls /opt/kubernetes/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem
[root@dn01 k8s-cert]#

 

4.安装配置apiserver

在master 上创建安装目录

[root@dn01 k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p

上传到主机目录/root/k8s/目录下并解压

[root@dn01 k8s]# tar -zxf kubernetes-server-linux-amd64.tar.gz

[root@dn01 k8s]# ls

kubernetes kubernetes-server-linux-amd64.tar.gz

进入kubernetes的解压目录的/kubernetes/server/bin

[root@dn01 bin]# ls
apiextensions-apiserver              kube-controller-manager.tar
cloud-controller-manager             kubectl
cloud-controller-manager.docker_tag  kubelet
cloud-controller-manager.tar         kube-proxy
hyperkube                            kube-proxy.docker_tag
kubeadm                              kube-proxy.tar
kube-apiserver                       kube-scheduler
kube-apiserver.docker_tag            kube-scheduler.docker_tag
kube-apiserver.tar                   kube-scheduler.tar
kube-controller-manager              mounter
kube-controller-manager.docker_tag
[root@dn01 bin]# 

将目录下kube-apiserver,kube-controller-manager,kube-scheduler,kubectl四个可执行文件拷贝到安装目录

[root@dn01 bin]# cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin/

创建 token.csv 放置在 /opt/kubernetes/cfg/ 下,每行格式为 token,用户名,uid,"组"。注意:不要直接使用下面示例中的 token 值,请用附录中的命令自行生成;持有该 token 的任何人都能以 kubelet-bootstrap 用户(system:kubelet-bootstrap 组)访问 apiserver,文件权限应设为 0600。静态 token 文件只在 apiserver 启动时读取一次,修改后需重启 apiserver,且不能单独吊销其中某个 token。

[root@dn01 k8s]# vi /opt/kubernetes/cfg/token.csv

0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

附:随机生成 token 字符串(从 /dev/urandom 取 16 字节并转为 32 位十六进制;也可以用 openssl rand -hex 16 得到等价结果)

[root@dn01 k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
d4cfbf51d1927065b5a8896785003203

初始化 apiserver 配置文件,放到 /opt/kubernetes/cfg/ 下。几点安全说明:1) --service-account-key-file 直接复用了 CA 私钥 ca-key.pem,意味着能读到 service account 签名密钥的人同时拿到了 CA 私钥,生产环境应单独生成一对密钥用于 service account token 签名(controller-manager 的 --service-account-private-key-file 需对应修改);2) 这里没有显式关闭非安全端口,后面 scheduler、controller-manager 和 kubectl 都是通过 127.0.0.1:8080 连接的,该端口不做认证和鉴权,本机任何用户/进程都相当于集群管理员(该版本默认开启,可用 --insecure-port=0 关闭并改用 kubeconfig 经 6443 访问);3) --allow-privileged=true 允许特权容器;4) 未配置 --audit-log-path,没有 API 审计日志。

[root@dn01 k8s]# cat /opt/kubernetes/cfg/kube-apiserver 

# kube-apiserver flags, read by systemd through EnvironmentFile (this file is
# not executed by a shell, so keep it a single quoted value with
# backslash-newline continuations; comments are only valid on their own lines).
# NOTE(review):
#  - --service-account-key-file reuses the CA private key (ca-key.pem) as the
#    service-account token key; the CA key and the token-signing key should be
#    separate key pairs so that access to one does not grant the other.
#  - Nothing here disables the legacy insecure port; the scheduler,
#    controller-manager and kubectl in this guide all connect to
#    127.0.0.1:8080, which performs no authentication or authorization, so any
#    local user on this host is effectively cluster-admin. Set --insecure-port=0
#    and give those clients kubeconfigs against :6443 to close it.
#  - --allow-privileged=true permits privileged pods cluster-wide.
#  - No --audit-log-path is set, so API requests are not audited.
#  - --token-auth-file is a static file read once at startup; tokens in it
#    cannot be rotated or revoked without restarting the API server.
#  - --kubelet-https=true but no --kubelet-client-certificate/--kubelet-client-key
#    is given, so apiserver->kubelet calls (logs/exec) present no client cert;
#    check what the kubelet side requires before relying on this.
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://10.10.100.30:2379,https://10.10.100.31:2379,https://10.10.100.32:2379 \
--bind-address=10.10.100.30 \
--secure-port=6443 \
--advertise-address=10.10.100.30 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

[root@dn01 k8s]# 

配置system 服务配置文件

[root@dn01 k8s]# cat /usr/lib/systemd/system/kube-apiserver.service 
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
# The leading "-" tells systemd to ignore a missing file: if the config is
# absent the server still starts with $KUBE_APISERVER_OPTS empty and every
# flag at its default. Drop the "-" to fail fast instead.
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
# No User= is set, so the process runs as root (see the ps output below).
Restart=on-failure

[Install]
WantedBy=multi-user.target
[root@dn01 k8s]# 

重载 systemd 配置,启动 apiserver 服务,并查看启动进程

[root@dn01 k8s]#systemctl daemon-reload
[root@dn01 k8s]#systemctl enable kube-apiserver
[root@dn01 k8s]#systemctl restart kube-apiserver

检查进程

[root@dn01 k8s]# ps -ef | grep kube-apiserver
root       7796      1  6 23:41 ?        00:00:41 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://10.10.100.30:2379,https://10.10.100.31:2379,https://10.10.100.32:2379 --bind-address=10.10.100.30 --secure-port=6443 --advertise-address=10.10.100.30 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
root       7815   7328  0 23:52 pts/0    00:00:00 grep --color=auto kube-apiserver
[root@dn01 k8s]# 

5.安装scheduler 分布式任务调度

初始化 scheduler 配置文件,放在 /opt/kubernetes/cfg/ 下。--master=127.0.0.1:8080 走的是 apiserver 的非安全端口(不做认证),这也是这里不需要任何证书的原因;更安全的做法是用 CA 签一张 CN=system:kube-scheduler 的客户端证书,通过 --kubeconfig 连接 6443 端口。

[root@dn01 k8s]# cat /opt/kubernetes/cfg/kube-scheduler 

# kube-scheduler flags, read by systemd through EnvironmentFile.
# NOTE(review): --master=127.0.0.1:8080 targets the API server's insecure
# port, which is why no certificate or kubeconfig is needed here; that port
# has no authentication. Prefer --kubeconfig pointing at https://...:6443 with
# a client certificate (CN system:kube-scheduler) signed by ca.pem.
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"

配置system 服务配置文件

[root@dn01 k8s]# cat /opt/kubernetes/cfg/kube-scheduler 

# Same kube-scheduler config file as shown above, listed again before the unit
# file. --master=127.0.0.1:8080 uses the unauthenticated insecure port; a
# --kubeconfig against :6443 with a client certificate is the safer option.
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"

[root@dn01 k8s]# cat /usr/lib/systemd/system/kube-scheduler.service 
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
# "-" prefix: a missing config file is ignored and the scheduler starts with
# all-default flags; drop the "-" to fail fast instead.
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
# No User= is set, so the process runs as root.
Restart=on-failure

[Install]
WantedBy=multi-user.target
[root@dn01 k8s]# 

启动scheduler服务,检查进程

[root@dn01 k8s]#systemctl daemon-reload
[root@dn01 k8s]#systemctl enable kube-scheduler
[root@dn01 k8s]#systemctl restart kube-scheduler
检查进程
[root@dn01 k8s]# ps -ef | grep scheduler
root       7893      1  3 00:09 ?        00:00:06 /opt/kubernetes/bin/kube-scheduler --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect
root       7907   7328  0 00:12 pts/0    00:00:00 grep --color=auto scheduler
[root@dn01 k8s]#

6.安装controller-manager控制管理组件

初始化 controller-manager 配置文件,放在 /opt/kubernetes/cfg/ 下。说明:--master=127.0.0.1:8080 同样走非安全端口,建议改为 --kubeconfig 经 6443 访问;--cluster-signing-cert-file/--cluster-signing-key-file 指向 CA 证书和私钥,controller-manager 用它们自动签发 kubelet 的 CSR,因此 ca-key.pem 必须在本机且仅 root 可读;--service-account-private-key-file 需与 apiserver 的 --service-account-key-file 对应,这里同样复用了 CA 私钥,生产环境应使用独立密钥对;--experimental-cluster-signing-duration=87600h 表示自动签发的 kubelet 证书有效期为 10 年。

[root@dn01 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager 


# kube-controller-manager flags, read by systemd through EnvironmentFile.
# NOTE(review):
#  - --master=127.0.0.1:8080 uses the API server's unauthenticated insecure
#    port; prefer --kubeconfig against :6443 with a client certificate.
#  - --cluster-signing-cert-file/--cluster-signing-key-file hand the cluster
#    CA private key to this process so it can sign kubelet CSRs; ca-key.pem
#    must therefore stay on the master at mode 0600.
#  - --service-account-private-key-file reuses ca-key.pem as the service
#    account token signing key (it must match the API server's
#    --service-account-key-file); a dedicated key pair is preferable.
#  - --experimental-cluster-signing-duration=87600h gives auto-signed kubelet
#    certificates a 10-year lifetime with no revocation.
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"

[root@dn01 k8s]# 

配置system 服务配置文件

[root@dn01 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager 


# Same kube-controller-manager config file as shown above, listed again before
# the unit file. It hands the CA private key (ca-key.pem) to this process for
# CSR signing and service-account token signing, and talks to the API server
# over the unauthenticated 127.0.0.1:8080 port.
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"

[root@dn01 k8s]# cat /usr/lib/systemd/system/kube-controller-manager.service 
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
# "-" prefix: a missing config file is ignored and the controller manager
# starts with all-default flags (and without the CA signing key paths); drop
# the "-" to fail fast instead.
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
# No User= is set, so the process runs as root.
Restart=on-failure

[Install]
WantedBy=multi-user.target

启动controller-manager服务,检查进程

[root@dn01 k8s]#systemctl daemon-reload
[root@dn01 k8s]#systemctl enable kube-controller-manager
[root@dn01 k8s]#systemctl restart kube-controller-manager

检查进程

[root@dn01 k8s]# ps -ef | grep controller
root       7959      1 14 00:16 ?        00:00:01 /opt/kubernetes/bin/kube-controller-manager --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=87600h0m0s
root       7969   7328  0 00:16 pts/0    00:00:00 grep --color=auto controller

通过 kubectl 查看当前 master 各组件状态。这里的 kubectl 没有指定 kubeconfig,默认连接 localhost:8080 非安全端口,所以不需要任何证书就能执行;一旦关闭非安全端口,就需要用前面生成的 admin 证书制作 kubeconfig 再访问。

[root@dn01 k8s]# /opt/kubernetes/bin/kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-1               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}

至此,master 节点部署完成

为了能够直接执行 kubectl 命令,将 kubernetes 的可执行文件目录加入 PATH 环境变量

[root@dn01 kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/

并写入环境变量配置文件使其永久生效(/etc/profile 文件头部的注释本身建议不要直接改该文件,而是新建 /etc/profile.d/kubernetes.sh 写入同样的 export 语句,效果相同且不影响系统升级)

[root@dn01 kubeconfig]# vi /etc/profile

[root@dn01 kubeconfig]# cat /etc/profile
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}


if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`/usr/bin/id -u`
        UID=`/usr/bin/id -ru`
    fi
    USER="`/usr/bin/id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation
if [ "$EUID" = "0" ]; then
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
fi

HOSTNAME=`/usr/bin/hostname 2>/dev/null`
HISTSIZE=1000
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi

for i in /etc/profile.d/*.sh /etc/profile.d/sh.local ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then 
            . "$i"
        else
            . "$i" >/dev/null
        fi
    fi
done

unset i
unset -f pathmunge

# Added for this guide: put the Kubernetes binaries on PATH for every login
# shell. The header above recommends /etc/profile.d/<name>.sh for local
# changes so they survive package updates; a one-line
# /etc/profile.d/kubernetes.sh with this same export is equivalent.
# (Appending rather than prepending keeps system directories ahead of
# /opt/kubernetes/bin in lookup order.)
export PATH=$PATH:/opt/kubernetes/bin/

[root@dn01 kubeconfig]# source /etc/profile

 
