二进制安装部署kubernetes
- 下载安装包
下载地址:https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
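cd /data/app
wget https://dl.k8s.io/v1.22.1/kubernetes-server-linux-amd64.tar.gz
下载完成后,建议先用 sha512sum kubernetes-server-linux-amd64.tar.gz 计算校验值,并与上面 CHANGELOG 页面公布的 sha512 值比对,一致后再解压。
- 解压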
tar -xf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}
- 配置系统环境变量
vim /etc/profile
export PATH=/usr/local/bin:${PATH}
source /etc/profile
- 创建配置目录
mkdir -p /data/app/kubernetes/ssl
mkdir -p /data/app/kubernetes/etc
mkdir -p /data/app/kubernetes/logs
- 创建 token.csv 文件
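# Create the static token file that kube-apiserver reads via --token-auth-file.
# Row format: token,user,uid,"group".
#
# The token is a bearer credential, so the file must not be world-readable:
#   - umask 077 (in a subshell, so the caller's umask is untouched) makes a
#     newly created file owner-only;
#   - chmod 600 also covers the case where the file already existed with
#     wider permissions, because a redirection does not reset the mode.
#
# The heredoc delimiter is left unquoted on purpose: the $(...) below must be
# expanded by the shell to produce the random 16-byte token in hex.
#
# NOTE(review): the user name is kept exactly as printed on the page. Any RBAC
# binding created later for the bootstrap user has to use the same name —
# confirm against the rest of the procedure.
(
  umask 077
  cat > /data/app/kubernetes/etc/token.csv << EOF
$(head -c 16 /dev/urandom | od -An -t x | tr -d ' '),kubeletbootstrap,10001,"system:kubelet-bootstrap"
EOF
)
chmod 600 /data/app/kubernetes/etc/token.csv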
- 创建 csr 请求文件
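# Write the certificate signing request for the kube-apiserver certificate
# into the current directory.
#
# "hosts" becomes the certificate's subject alternative names: clients that
# verify the certificate can only reach the API server through an address or
# name listed here. 10.255.0.1 is the first address of the service range
# 10.255.0.0/16 used by this setup.
#
# The heredoc is restored to one JSON element per line (the page had it
# collapsed onto a single line, which does not run as a heredoc). The
# delimiter is quoted because the JSON needs no shell expansion.
cat > kube-apiserver-csr.json << 'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.31.170.15",
    "172.31.170.16",
    "172.31.170.17",
    "172.31.170.200",
    "172.31.24.100",
    "172.31.24.101",
    "172.31.24.102",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BJ",
      "L": "BJ",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
EOF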
- 生成证书
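# Issue the kube-apiserver serving certificate from the existing CA.
#
# The page printed the cp and the cfssl pipeline fused into one line, which
# would hand "cfssl", "gencert", ... to cp as file arguments; they are two
# separate commands.
#
# Step 1: copy the CA material next to the Kubernetes certificates.
# The ca* glob also copies the CA private key (ca-key.pem), so the key is kept
# owner-only at its new location as well.
cp -- /data/app/etcd/ssl/ca* /data/app/kubernetes/ssl/
chmod 600 /data/app/kubernetes/ssl/ca-key.pem

# Step 2: sign the CSR with the "kubernetes" profile and let cfssljson write
# the kube-apiserver certificate and key files.
# NOTE(review): the relative paths assume the current directory holds ca.pem,
# ca-key.pem, ca-config.json and kube-apiserver-csr.json; the page shows no cd
# before this step — confirm the working directory.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=kubernetes kube-apiserver-csr.json \
  | cfssljson -bare kube-apiserver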
- 创建 api-server 的配置文件
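# Write the environment file that the kube-apiserver systemd unit loads.
# It defines a single variable, KUBE_APISERVER_OPTS, holding every flag.
#
# Repairs relative to the page:
#   - the heredoc is restored to one flag per line;
#   - --enable-admission-plugins and --etcd-servers had lost a hyphen
#     ("--enable-admissionplugins", "--etcdservers"); the names now match the
#     flag list given further down the page.
# The delimiter stays unquoted, so each "\\" is written to the file as a
# single "\" line continuation.
#
# Review notes — values are kept as the author chose them; check each one
# before using this outside a lab:
#   - --service-account-key-file / --service-account-signing-key-file point at
#     the CA private key (ca-key.pem). Service-account tokens are then signed
#     with the same key that signs every cluster certificate; a dedicated
#     key pair keeps the two trust domains apart.
#   - --token-auth-file enables static bearer tokens stored in clear text;
#     keep token.csv owner-readable only.
#   - --service-node-port-range=1-65535 lets a NodePort Service claim any host
#     port, including ports used by the node's own services.
#   - --allow-privileged=true permits privileged containers.
#   - --runtime-config=api/all=true turns on every API group/version,
#     including non-stable ones.
#   - --audit-log-* is set but no --audit-policy-file is given; without a
#     policy the API server records no audit events.
#   - NOTE(review): --insecure-port and --enable-swagger-ui are deprecated
#     flags; newer releases may reject them — confirm against the target
#     version when upgrading.
cat > /data/app/kubernetes/etc/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
  --anonymous-auth=false \\
  --bind-address=172.31.170.15 \\
  --secure-port=6443 \\
  --advertise-address=172.31.170.15 \\
  --insecure-port=0 \\
  --authorization-mode=Node,RBAC \\
  --runtime-config=api/all=true \\
  --enable-bootstrap-token-auth \\
  --service-cluster-ip-range=10.255.0.0/16 \\
  --token-auth-file=/data/app/kubernetes/etc/token.csv \\
  --service-node-port-range=1-65535 \\
  --tls-cert-file=/data/app/kubernetes/ssl/kube-apiserver.pem \\
  --tls-private-key-file=/data/app/kubernetes/ssl/kube-apiserver-key.pem \\
  --client-ca-file=/data/app/kubernetes/ssl/ca.pem \\
  --kubelet-client-certificate=/data/app/kubernetes/ssl/kube-apiserver.pem \\
  --kubelet-client-key=/data/app/kubernetes/ssl/kube-apiserver-key.pem \\
  --service-account-key-file=/data/app/kubernetes/ssl/ca-key.pem \\
  --service-account-signing-key-file=/data/app/kubernetes/ssl/ca-key.pem \\
  --service-account-issuer=https://kubernetes.default.svc.cluster.local \\
  --etcd-cafile=/data/app/etcd/ssl/ca.pem \\
  --etcd-certfile=/data/app/etcd/ssl/etcd.pem \\
  --etcd-keyfile=/data/app/etcd/ssl/etcd-key.pem \\
  --etcd-servers=https://172.31.170.15:2379,https://172.31.170.16:2379,https://172.31.170.17:2379 \\
  --enable-swagger-ui=true \\
  --allow-privileged=true \\
  --apiserver-count=3 \\
  --audit-log-maxage=30 \\
  --audit-log-maxbackup=3 \\
  --audit-log-maxsize=100 \\
  --audit-log-path=/data/app/kubernetes/logs/kube-apiserver-audit.log \\
  --event-ttl=1h \\
  --alsologtostderr=true \\
  --logtostderr=false \\
  --log-dir=/data/app/kubernetes/logs/kubernetes \\
  --v=4"
EOF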
注解:
--logtostderr:日志是否只输出到标准错误(本文设为 false,日志写入 --log-dir 指定的目录,并由 --alsologtostderr 同时输出到标准错误)
--v:日志等级
--log-dir:日志目录
--etcd-servers:etcd 集群地址
--bind-address:监听地址
--secure-port:https 安全端口
--advertise-address:集群通告地址
--allow-privileged:允许容器以特权模式(privileged)运行,与授权无关;不需要特权容器时应设为 false
--service-cluster-ip-range:Service 虚拟 IP 地址段
--enable-admission-plugins:准入控制模块
--authorization-mode:授权模式,启用 RBAC 授权和 Node 授权(节点自管理)
--enable-bootstrap-token-auth:启用 TLS bootstrap 机制
--token-auth-file:bootstrap token 文件(静态 token 以明文保存,文件权限应限制为仅属主可读)
--service-node-port-range:Service nodeport 类型默认分配端口范围(本文设为 1-65535,会与宿主机自身服务的端口重叠;Kubernetes 的默认范围是 30000-32767)
--kubelet-client-xxx:apiserver 访问 kubelet 客户端证书
--tls-xxx-file:apiserver https 证书
--etcd-xxxfile:连接 Etcd 集群证书
--audit-log-xxx:审计日志
- 创建 api-server 服务启动文件
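# Install the systemd unit that runs kube-apiserver.
#
# The heredoc is restored to one directive per line (the page had the whole
# unit collapsed onto a single line). The delimiter is quoted, so
# $KUBE_APISERVER_OPTS is written to the unit file literally and is expanded
# by systemd from the EnvironmentFile, not by this shell.
#
# Review notes:
#   - "EnvironmentFile=-..." : the leading "-" tells systemd to ignore a
#     missing file, in which case ExecStart runs with no options at all.
#   - The unit sets no User=/Group=, so the service runs as root.
cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
EnvironmentFile=-/data/app/kubernetes/etc/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF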
- 启动 api-server 服务
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
- 验证 api-server 接口
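# Smoke-test the API server's HTTPS endpoint.
#
# Changes relative to the page:
#   - the target is the address the server is configured to listen on
#     (--bind-address=172.31.170.15, --secure-port=6443); the address printed
#     on the page appears neither in the configuration nor in the
#     certificate's hosts list;
#   - --cacert verifies the server certificate against the cluster CA instead
#     of switching verification off with --insecure, so the check also proves
#     that the certificate chain and its SAN list are correct.
#
# Because the server runs with --anonymous-auth=false, an unauthenticated
# request is expected to be answered with HTTP 401; that response still shows
# the TLS listener is up.
curl --cacert /data/app/kubernetes/ssl/ca.pem https://172.31.170.15:6443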