k8s server-side binary deployment: kube-controller-manager
This article is a branch of "k8s binary high-availability cluster deployment". For the detailed steps, refer to the table of contents.
For the binary download address, refer to "k8s server-side binary deployment: kube-apiserver".
1. Sign the kube-controller-manager certificate with the self-signed CA
In the etcd cluster deployment and kube-apiserver procedures we already created a self-signed certificate authority (CA).
If etcd and kube-apiserver use certificates issued by the same CA, keep using that CA.
If they were issued by different CAs, sign the kube-controller-manager certificate with the CA that issued kube-apiserver's certificate.
# Create the certificate signing request file
cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.64.130",
    "192.168.64.131",
    "192.168.64.132",
    "192.168.64.133",
    "192.168.64.134",
    "10.10.10.1",
    "10.255.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Tianjin",
      "L": "Tianjin",
      "O": "system:kube-controller-manager",
      "OU": "System"
    }
  ]
}
EOF

# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
2. Generate the kubeconfig file (the following are shell commands; run them directly in a terminal) [kubeconfig introduction]
cd /opt/kubernetes

KUBE_CONFIG="/opt/kubernetes/cfg/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.64.130:6443"

# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}

# Set the client authentication parameters
kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=/opt/kubernetes/ssl/kube-controller-manager.pem \
  --client-key=/opt/kubernetes/ssl/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}

# Set the context parameters
kubectl config set-context system:kube-controller-manager \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=${KUBE_CONFIG}

# Set the default context
kubectl config use-context system:kube-controller-manager --kubeconfig=${KUBE_CONFIG}
3. Create the configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS=" \
--bind-address=127.0.0.1 \
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--leader-elect=true \
--feature-gates=RotateKubeletServerCertificate=true \
--controllers=*,bootstrapsigner,tokencleaner \
--horizontal-pod-autoscaler-sync-period=10s \
--tls-cert-file=/opt/kubernetes/ssl/kube-controller-manager.pem \
--tls-private-key-file=/opt/kubernetes/ssl/kube-controller-manager-key.pem \
--use-service-account-credentials=true \
--v=2"
EOF
Notes:
--kubeconfig: the configuration file used to connect to the apiserver
--master: connect to the apiserver through the local insecure port 8080
--leader-elect: when several instances of this component are started, elect a leader automatically (HA)
--cluster-signing-cert-file / --cluster-signing-key-file: the CA used to issue certificates to kubelets automatically; must be the same CA the apiserver uses
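As an added pre-flight check that is not part of the original tutorial: the script below sources the option file written in step 3, extracts KUBE_CONTROLLER_MANAGER_OPTS and verifies the settings that matter for security and HA before the service is started: a loopback bind address, leader election, per-controller service account credentials, a TLS certificate and key pair, and that every referenced key and kubeconfig exists and is not readable by group or others. The function names check_cm_opts and cm_flag_value and the list of required flags are this example's own choices, and the sample option file in the usage call is constructed.

```shell
#!/usr/bin/env sh
# Added pre-flight lint for the kube-controller-manager option file.
# Not part of the original tutorial; the function names are this example's own.

# Print the value of "--name=value" from a flag string; status 1 if absent.
# Runs in a subshell with globbing off so "--controllers=*" is never expanded.
cm_flag_value() (
    set -f
    for f in $1; do
        case "$f" in
            "$2"=*) printf '%s\n' "${f#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Status 0 when the option file passes; otherwise each problem is printed
# on stderr and the status is the number of problems found.
check_cm_opts() {
    conf=$1; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # Source the file in a subshell so nothing leaks into the caller. Inside
    # the double quotes the "\<newline>" continuations are removed, leaving
    # one whitespace-separated string of flags.
    flags=$(. "$conf" && printf '%s' "$KUBE_CONTROLLER_MANAGER_OPTS")
    [ -n "$flags" ] || { echo "KUBE_CONTROLLER_MANAGER_OPTS is empty" >&2; return 1; }

    # Flags that must carry an exact value.
    for pair in --bind-address=127.0.0.1 --leader-elect=true \
                --use-service-account-credentials=true; do
        name=${pair%%=*}; expected=${pair#*=}
        value=$(cm_flag_value "$flags" "$name") || value=""
        if [ "$value" != "$expected" ]; then
            echo "$name should be $expected (got '${value:-unset}')" >&2
            problems=$((problems + 1))
        fi
    done

    # Flags that must point at an existing file.
    for name in --kubeconfig --cluster-signing-cert-file --cluster-signing-key-file \
                --root-ca-file --service-account-private-key-file \
                --tls-cert-file --tls-private-key-file; do
        value=$(cm_flag_value "$flags" "$name") || value=""
        if [ -z "$value" ]; then
            echo "$name is not set" >&2; problems=$((problems + 1))
        elif [ ! -f "$value" ]; then
            echo "$name points at missing file $value" >&2; problems=$((problems + 1))
        fi
    done

    # Secrets (private keys, and the kubeconfig because it embeds the client
    # key) must not be accessible to group or others. Columns 5-10 of
    # "ls -ld" are the group/other permission bits.
    for name in --kubeconfig --cluster-signing-key-file \
                --service-account-private-key-file --tls-private-key-file; do
        value=$(cm_flag_value "$flags" "$name") || continue
        [ -f "$value" ] || continue
        mode=$(ls -ld "$value" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "$value is accessible to group/others (mode bits $mode)" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage on the file from step 3:
#   check_cm_opts /opt/kubernetes/cfg/kube-controller-manager.conf && echo OK
```

Run it on each control-plane node before step 5, and again after any edit to the option file; a non-zero status with the printed reasons is what you want to see in a deployment pipeline rather than a controller-manager that starts and then fails authentication or exposes its metrics port.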
4. Manage controller-manager with systemd
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
5. Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager