1.证书生成: 证书的 subjectAltName 中必须包含 kubernetes 的 cluster IP 地址(10.233.0.1),不然后续部署 CNI 网络模块时会有权限异常

[root@mycloud1-001 pki]# cat master_ssl.cnf 
# OpenSSL request config for the kube-apiserver serving certificate.
# Used twice below: by `openssl req -config` (CSR) and by
# `openssl x509 -extfile ... -extensions v3_req` (signing).
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

# Left empty on purpose: the subject (/CN=kubernetes) is supplied with -subj.
[ req_distinguished_name ]

# Extensions copied into the signed certificate.
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# Every host name / IP that clients use to reach the API server must be
# listed here; see note 1 above for why the cluster IP is mandatory.
[ alt_names ]
# In-cluster names of the `kubernetes` service in the default namespace.
DNS.1=kubernetes
DNS.2=kubernetes.default
DNS.3=kubernetes.default.svc
DNS.4=kubernetes.default.svc.cluster.local
# Presumably the three master hosts (kube-apiserver.conf uses --apiserver-count=3).
DNS.5=mycloud1-001
DNS.6=mycloud1-002
DNS.7=mycloud1-003
# NOTE(review): 169.169.0.1 is outside --service-cluster-ip-range=10.233.0.0/18
# set in kube-apiserver.conf; confirm it is still needed.
IP.1=169.169.0.1
# Node addresses; 192.168.1.6 is the --advertise-address / etcd endpoint in
# kube-apiserver.conf. The role of 192.168.1.2 and 192.168.1.100 is not shown here.
IP.2=192.168.1.2
IP.3=192.168.1.6
IP.4=192.168.1.100
# First address of the service range 10.233.0.0/18: the cluster IP of the
# kubernetes service (note 1).
IP.5=10.233.0.1
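# Generate the kube-apiserver serving key pair and sign it with the cluster CA.
# The SANs come from master_ssl.cnf (-extfile); OpenSSL does not copy them
# from the CSR on its own, hence -extensions v3_req on the signing step.
# Paths and lifetime are overridable from the environment; defaults match the
# original notes.
ca_dir=${ca_dir:-/etc/kubernetes/pki}
days=${days:-36500}

openssl genrsa -out apiserver.key 2048
# genrsa writes the key with umask-default permissions; the API server's
# private key must not be readable by other users.
chmod 600 apiserver.key

openssl req -new -key apiserver.key -config master_ssl.cnf -subj "/CN=kubernetes" -out apiserver.csr

# -CAcreateserial creates ca.srl next to the CA if it does not exist yet.
openssl x509 -req -in apiserver.csr -CA "${ca_dir}/ca.crt" -CAkey "${ca_dir}/ca.key" -CAcreateserial -days "${days}" -extensions v3_req -extfile master_ssl.cnf -out apiserver.crt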
查看证书内容: openssl x509 -text -noout -in apiserver.crt

2.配置文件 kube-apiserver.conf

[root@mycloud1-001 kubernetes]# cat kube-apiserver.conf
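# kube-apiserver flags, read by kube-apiserver.service through EnvironmentFile=
# and expanded unquoted in ExecStart=, so systemd splits the value on whitespace.
# The value is one double-quoted string with backslash-newline continuations.
# Do not put `#` comments inside it: neither bash nor systemd treats `#` inside
# a quoted value as a comment, so the comment text (and the `\ ` before it) would
# be handed to kube-apiserver as stray arguments, which it is likely to reject.
# Notes belong up here instead.
#
# --insecure-port=8080: the unauthenticated local port is normally disabled (0);
#   it is enabled here only temporarily until kubeconfig is set up (author's
#   note). Set it back to 0 afterwards. The flag no longer exists in newer
#   Kubernetes releases (removed in 1.24), so this file targets an older one.
# --endpoint-reconciler-type: the original gave both master-count and lease;
#   the last value wins, so only lease is kept. --apiserver-count is only
#   consulted by the master-count reconciler but is left as it was.
# --token-auth-file: static bearer tokens; protect the file like a credential.
# --tls-cert-file / --tls-private-key-file: apiserver.crt/.key from step 1,
#   whose SANs must include 10.233.0.1 (first IP of --service-cluster-ip-range).
KUBE_API_ARGS="--advertise-address=192.168.1.6 \
  --allow-privileged=true \
  --alsologtostderr=true \
  --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
  --tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
  --apiserver-count=3 \
  --authorization-mode=Node,RBAC \
  --bind-address=0.0.0.0 \
  --token-auth-file=/etc/kubernetes/users/token.csv \
  --client-ca-file=/etc/kubernetes/pki/ca.crt \
  --enable-admission-plugins=NodeRestriction \
  --enable-aggregator-routing=False \
  --enable-bootstrap-token-auth=true \
  --endpoint-reconciler-type=lease \
  --etcd-cafile=/etc/kubernetes/pki/ca.crt \
  --etcd-certfile=/etc/kubernetes/pki/etcd_client.crt \
  --etcd-keyfile=/etc/kubernetes/pki/etcd_client.key \
  --etcd-servers=https://192.168.1.6:2379 \
  --feature-gates=RotateKubeletServerCertificate=True \
  --insecure-port=8080 \
  --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt \
  --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key \
  --request-timeout=1m0s \
  --requestheader-allowed-names=front-proxy-client \
  --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --kubelet-preferred-address-types=InternalDNS,InternalIP,Hostname,ExternalDNS,ExternalIP \
  --log-file=/var/log/kubernetes/kube_apiserver.log \
  --logtostderr=false \
  --profiling=False \
  --secure-port=6443 \
  --service-cluster-ip-range=10.233.0.0/18 \
  --service-node-port-range=30000-32767"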

3.配置systemd unit文件

[root@mycloud1-001 kubernetes]# cat /usr/lib/systemd/system/kube-apiserver.service 
# systemd unit for kube-apiserver; all flags come from KUBE_API_ARGS in the
# EnvironmentFile referenced below (step 2).
[Unit]
Description=Kubernetes API Server
# Start after etcd and pull it in. Wants= is a soft dependency: an etcd
# failure does not by itself stop this unit.
After=etcd.service
Wants=etcd.service
 
[Service]
EnvironmentFile=/etc/kubernetes/kube-apiserver.conf
# $KUBE_API_ARGS is intentionally unquoted so systemd splits it into
# separate arguments; the value must therefore contain no inline comments.
ExecStart=/usr/bin/kube-apiserver  $KUBE_API_ARGS
Restart=on-failure
# Type=notify: systemd waits for the process to report readiness via
# sd_notify before marking the unit active — assumes this kube-apiserver
# build does so; verify for the version in use.
Type=notify
LimitNOFILE=65536
 
[Install]
WantedBy=multi-user.target

4.systemctl daemon-reload

# Start the API server once the unit file has been loaded (daemon-reload in step 4).
systemctl start kube-apiserver.service