kubernetes 二进制安装部署手册
kubernetes 二进制安装部署手册
部署前准备
1) 系统优化
所有机器.
关闭防火墙和selinux
# setenforce 0
# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
# systemctl stop firewalld && systemctl disable firewalld
配置阿里云镜像源
mkdir -p /etc/yum.repos.d/bak
mv -t /etc/yum.repos.d/bak/ /etc/yum.repos.d/*
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum -y remove epel-re*
yum clean all
yum -y install epel-re*
配置ntp时间对时
yum -y install ntpdate
/usr/sbin/ntpdate ntp7.aliyun.com > /dev/null 2>&1
(crontab -l; echo "00 23 * * * /usr/sbin/ntpdate ntp7.aliyun.com > /dev/null 2>&1" ) | crontab
2,检查内核版本,查看是否高于 3.8(Docker 需要)
# uname -
3,安装一些工具
yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix buind-utils -y
2) 安装DNS服务
安装 bind9 服务,在 11 机器上
[root@zsf7-11 ~]# yum -y install bind9
[root@zsf7-11 ~]# vim /etc/named.conf
listen-on port 53 { 10.4.7.11; };
allow-query { any; }; //允许那些客户端来请求
forwarders { 10.4.7.254; }; //上级 DNS 地址
recursion yes; //当前 DNS采用递归算法提供服务,默认迭代和递归
dnssec-enable no;
dnssec-validation no;
检查 DNS 配置文件语法是否正确:
named-checkconf
配置区域文件:
[root@zsf7-11 ~]# vim /etc/named.rfc1912.zones
//主机域
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "zsf.com" IN {
type master;
file "zsf.com.zone";
allow-update { 10.4.7.11; };
};
配置主机域的区域文件
[root@zsf7-11 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2020073001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
zsf7-11 A 10.4.7.11
zsf7-12 A 10.4.7.12
zsf7-21 A 10.4.7.21
zsf7-22 A 10.4.7.22
zsf7-200 A 10.4.7.200
[root@zsf7-11 ~]# /var/named/zsf.com.zone
$ORIGIN zsf.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.zsf.com. dnsadmin.zsf.com. (
2020073001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.zsf.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
启动
systemctl start named && systemctl enable named
检查
dig -t A 主机名 @DNS 服务器地址 +short
更改所有机器的 DNS 解析地址
vim /etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network
添加短域名解析
vim /etc/resolv.conf
search host.com
3) 安装harbor,docker仓库
在github 上面下载harbor 安装包,我们这边安装的是2.0.0 版本
[root@zsf7-200 opt]# mkdir src
[root@zsf7-200 opt]# cd src/
[root@zsf7-200 src]# tar xf harbor-offline-installer-v2.0.0.tgz -C /opt/
[root@zsf7-200 src]# cd /opt/
[root@zsf7-200 opt]# ls
certs containerd harbor src
[root@zsf7-200 opt]# mv harbor/ harbor-2.0.0
[root@zsf7-200 opt]# ln -s harbor-2.0.0/ harbor
[root@zsf7-200 opt]# cd harbor
[root@zsf7-200 harbor]# yum -y install docker-compose //因为harbor 是通过docker compose单机编排的,所以我们需要安装docker-compose
[root@zsf7-200 harbor]# cp harbor.yml.tmpl harbor.yml
[root@zsf7-200 harbor]# egrep -v "#|^$" harbor.yml
hostname: harbor.zsf.com //harbor访问的域名
http:
port: 180
harbor_admin_password: Ysyhl9t! //登录harbor仓库的密码
database:
password: root123
max_idle_conns: 50
max_open_conns: 100
data_volume: /data/harbor //数据存储目录
clair:
updaters_interval: 12
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.0.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- clair
- trivy
[root@zsf7-200 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
然后在DNS服务器上添加一个A 记录
[root@zsf7-11 ~]# vim /var/named/zsf.com.zone
$ORIGIN zsf.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.zsf.com. dnsadmin.zsf.com. (
2020073003 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.zsf.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
//注意 serial 必须改变
[root@zsf7-11 ~]# systemctl restart named
[root@zsf7-11 ~]# ping harbor.zsf.com
PING harbor.zsf.com (10.4.7.200) 56(84) bytes of data.
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=1 ttl=64 time=18.9 ms
安装一个nginx代理harbor仓库
[root@zsf7-200 harbor]# yum -y install nginx
[root@zsf7-200 harbor]# cat /etc/nginx/conf.d/harbor.zsf.com.conf
server {
listen 80;
server_name harbor.zsf.com;
client_max_body_size 1000m; //注意docker分层镜像可能大于这个数值,根据自己情况更改
location / {
proxy_pass http://127.0.0.1:180;
}
}
[root@zsf7-200 harbor]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@zsf7-200 harbor]# systemctl start nginx && systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
创建一个public的仓库,登录web界面
<img src="https://zhangshoufu-images.oss-cn-hangzhou.aliyuncs.com/imagesimage-20200806112601173.png" alt="image-20200806112601173" style="zoom:50%;" />
然后测试上传镜像是否正常,
[root@zsf7-21 ~]# docker pull nginx
[root@zsf7-21 ~]# docker tag nginx:latest harbor.zsf.com/public/nginx:1.17.0
[root@zsf7-21 ~]# docker login -u admin -p Ysyhl9t! harbor.zsf.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@zsf7-21 ~]# docker push harbor.zsf.com/public/nginx:1.17.0
可以在harbor仓库内看到镜像,到此harbor仓库搭建完成
4) 安装Docker
3,安装 docker,
在这些机器上安装Docker :zsf7-21,zsf7-22,zsf7-200
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
更改 Docker 配置文件
certs]# mkdir -p /data/docker
certs]# mkdir -p /etc/docker/
certs]# vim /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zsf.com"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
解释
{
"graph": "/data/docker", //docker放在什么位置
"storage-driver": "overlay2", //存储引擎
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zsf.com"], //添加http的harbor仓库
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"], //配置阿里云镜像加速
"bip": "172.7.21.1/24", //Docker的虚拟IP地址,需要改成每台主机的最后一位
"exec-opts": ["native.cgroupdriver=systemd"], //docker cgroup 驱动
"live-restore": true //当docker daemon down时容器能正常运行
}
启动Docker
systemctl start docker.service && systemctl enable docker.service
准备自签证书
1,安装生产自签证书需要的软件
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl //创建证书,创建出来的证书是声明式的
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json //将声明式的证书转换成 json 格式,变成承载式
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo //反解析证书
[root@zsf7-200 ~]# chmod +x /usr/bin/cfssl*
2,生成自签证书
[root@zsf7-200 ~]# mkdir /opt/certs
[root@zsf7-200 ~]# cd /opt/certs
1)创建根证书申请文件
[root@zsf7-200 certs]# vim /opt/certs/ca-csr.json
{
"CN": "OldboyEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
解释
{
"CN": "公司机构",
"hosts": [
],
"key": {
"algo": "rsa", //加密算法
"size": 2048 //加密长度
},
"names": [
{
"C": "CN", //国家
"ST": "beijing", //省份
"L": "beijing", //城市
"O": "od", //
"OU": "ops" //职位
}
],
"ca": {
"expiry": "175200h" //证书有效时间
}
}
2) 生成证书
[root@zsf7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/08/04 15:43:48 [INFO] generating a new CA key and certificate from CSR
2020/08/04 15:43:48 [INFO] generate received request
2020/08/04 15:43:48 [INFO] received CSR
2020/08/04 15:43:48 [INFO] generating key: rsa-2048
2020/08/04 15:43:48 [INFO] encoded CSR
2020/08/04 15:43:48 [INFO] signed certificate with serial number 187642729321576839847461032555167519484416835896
[root@zsf7-200 certs]# ls
ca.csr ca-csr.json ca-key.pem ca.pem
//为根证书私钥ca-key.pem ca.pem
安装 k8s 服务
安装 master 组件
安装 etcd
12,21,22
1) 签发 ETCD 证书
[root@zsf7-200 certs]# vim /opt/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": { //服务端认证
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": { //客户端认证
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": { //双向认证
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
创建etcd 证书请求的文件
[root@zsf7-200 certs]# vi etcd-peer-csr.json
{
"CN": "k8s-etcd",
//可能部署在哪台主机上,不支持网段,如果后期IP地址不在这个里面需要重新签发证书,所以最好多保留几个IP地址
"hosts": [
"10.4.7.11",
"10.4.7.12",
"10.4.7.21",
"10.4.7.22"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
签发证书
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
//-profile=peer 双向认证使用
2020/08/04 16:02:12 [INFO] generate received request
2020/08/04 16:02:12 [INFO] received CSR
2020/08/04 16:02:12 [INFO] generating key: rsa-2048
2020/08/04 16:02:13 [INFO] encoded CSR
2020/08/04 16:02:13 [INFO] signed certificate with serial number 699445385173737942257356343390958864239006335823
2020/08/04 16:02:13 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@zsf7-200 certs]# ls etcd*
etcd-peer.csr etcd-peer-csr.json etcd-peer-key.pem etcd-peer.pem
2) 安装 etcd
下面的操作在三台etcd 主机上分别进行操作,zsf7-12 zsf7-21 zsf7-22
创建etcd 服务启动的用户
[root@zsf7-12 ~]# useradd -s /sbin/nologin -M etcd
[root@zsf7-12 ~]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
下载 ectd 我们去github上面下载对应版本的etcd,我们这边使用的是3.1.20版本
上传下载好的软件包到/opt/src
[root@zsf7-12 src]# ls
etcd-v3.1.20-linux-amd64.tar.gz
[root@zsf7-12 src]# tar xvf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
[root@zsf7-12 opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[root@zsf7-12 opt]# ln -s etcd-v3.1.20/ etcd
[root@zsf7-12 opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server /data/etcd/etcd-server
[root@zsf7-12 opt]# cd /opt/etcd/certs
下面的操作我们只在zsf7-12 这个机器上操作,另外两台机器类比操作
上传自签证书到指定位置
在zsf7-200机器上操作
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem root@10.4.7.12:/opt/etcd/certs
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem root@10.4.7.21:/opt/etcd/certs
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem root@10.4.7.22:/opt/etcd/certs
在zsf7-12 上编写启动脚本
[root@zsf7-12 certs]# ls
ca.pem etcd-peer-key.pem etcd-peer.pem
[root@zsf7-12 ~]# vim /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
[root@zsf7-12 ~]# chmod +x /opt/etcd/etcd-server-startup.sh
更改文件权限
[root@zsf7-12 ~]# chown -R etcd.etcd /opt/etcd-v3.1.20/
[root@zsf7-12 ~]# chown -R etcd.etcd /data/etcd/etcd-server
3, 安装配置supervisor
因为etcd 不能自己后台启动,所以我们使用supervisor来管理它
[root@zsf7-12 ~]# yum install supervisor -y
[root@zsf7-12 ~]# systemctl start supervisord && systemctl enable supervisord
[root@zsf7-12 ~]# vim /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-12 ~]# supervisorctl update
etcd-server-7-12: added process group
剩下的两台主机也安装 etcd
zsf7-21
etcd]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-21 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.21:2380 \
--listen-client-urls https://10.4.7.21:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.21:2380 \
--advertise-client-urls https://10.4.7.21:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
zsf7-22
~]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/bash
./etcd --name etcd-server-7-22 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.22:2380 \
--listen-client-urls https://10.4.7.22:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.22:2380 \
--advertise-client-urls https://10.4.7.22:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
3) 检查etcd集群状态
[root@zsf7-12 etcd]# ./etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from http://127.0.0.1:2379
member 5a0ef2a004fc4349 is healthy: got healthy result from http://127.0.0.1:2379
member f4a0cb0a765574a8 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
[root@zsf7-12 etcd]# ./etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.12:2379 isLeader=true
安装 APiserver
1) 在 github 上下载安装包
我们这边安装 1.15.4,然后我们在 github 上找到对应的 tag: https://github.com/kubernetes/kubernetes/releases/tag/v1.15.4
如果上面链接失效,可以点击下方这个连接来进行下载:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.15.md#downloads-for-v1154
2) 创建证书
签发 clinet 证书,Apiserver(client) 和 etcd(service) 进行通信需要的证书,
[root@zsf7-200 certs]# vim client-csr.json
{
"CN": "k8s-client",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "jiangsu",
"L": "nanjing",
"O": "od",
"OU": "ops"
}
]
}
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
[root@zsf7-200 certs]# ll client*
-rw-r--r-- 1 root root 997 Aug 5 15:31 client.csr
-rw-r--r-- 1 root root 283 Aug 5 15:30 client-csr.json
-rw------- 1 root root 1675 Aug 5 15:31 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 15:31 client.pem
签发 Apiserver 证书,这个是 Apiserver 作为服务端需要的证书,别人请求 Apiserver 需要证书认证
# vi apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
//Apiserver 可能存在哪些机器上,需要注意 VIP 也需要写到里面
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "jiangsu",
"L": "nanjing",
"O": "od",
"OU": "ops"
}
]
}
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
[root@zsf7-200 certs]# ll apiserver*
-rw-r--r-- 1 root root 1249 Aug 5 15:33 apiserver.csr
-rw-r--r-- 1 root root 566 Aug 5 15:32 apiserver-csr.json
-rw------- 1 root root 1679 Aug 5 15:33 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 15:33 apiserver.pem
3) 安装 apiserver
[root@zsf7-21 /]# cd /opt/src
[root@zsf7-21 src]# ll
total 443192
-rw-r--r-- 1 root root 9850227 Aug 4 15:24 etcd-v3.1.20-linux-amd64.tar.gz
-rw-r--r-- 1 root root 443976803 Aug 5 14:11 kubernetes-server-linux-amd64.tar.gz
[root@zsf7-21 src]# tar xf kubernetes-server-linux-amd64.tar.gz -C /opt/
[root@zsf7-21 src]# cd /opt/
[root@zsf7-21 opt]# mv kubernetes/ kubernetes-1.15.4
[root@zsf7-21 opt]# ln -s kubernetes-1.15.4/ kubernetes
[root@zsf7-21 opt]# cd /opt/kubernetes/server/bin
[root@zsf7-21 bin]# rm -rf *.tar *_tag //.tar 为软件的docker包,我们不需要就删除掉
[root@zsf7-21 bin]# mkdir -p mkdir /opt/kubernetes/bin/certs //存放证书的目录
在 zsf7-200上面拷贝证书到 apiserver 上
[root@zsf7-200 certs]# scp ca.pem ca-key.pem client-key.pem client.pem apiserver.pem apiserver-key.pem root@10.4.7.21:/opt/kubernetes/server/bin/certs/
[root@zsf7-21 bin]# ll /opt/kubernetes/server/bin/certs/
total 24
-rw------- 1 root root 1679 Aug 5 15:41 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 15:41 apiserver.pem
-rw------- 1 root root 1675 Aug 5 15:41 ca-key.pem
-rw-r--r-- 1 root root 1338 Aug 5 15:41 ca.pem
-rw------- 1 root root 1675 Aug 5 15:41 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 15:41 client.pem
创建Apiserver 启动的配置文件
[root@zsf7-21 bin]# mkdir -p /opt/kubernetes/server/bin/conf
[root@zsf7-21 bin]# cd /opt/kubernetes/server/bin/conf
[root@zsf7-21 conf]# vi audit.yaml
//日志审计
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
创建启动脚本
[root@zsf7-21 bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./certs/ca.pem \
--requestheader-client-ca-file ./certs/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./certs/ca.pem \
--etcd-certfile ./certs/client.pem \
--etcd-keyfile ./certs/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./certs/client.pem \
--kubelet-client-key ./certs/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./certs/apiserver.pem \
--tls-private-key-file ./certs/apiserver-key.pem \
--v 2
[root@zsf7-21 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/audit-log
解释:
- apiserver-count: apiserver的数量,根据自己实际情况来更改
- audit-log-path:日志审计的日志目录存放地方
- audit-policy-file: 日志审计规则的配置文件
- authorization-mode: 认证的模式,目前使用基于角色的访问控制
- client-ca-file: 根证书存放的位置
- requestheader-client-ca-file:验证传入请求中的客户证书
- enable-admission-plugins:除了默认插件外启用的插件,顺序没关系
- etcd-cafile: etcd的根证书
- etcd-certfile: 请求etcd验证的证书
- etcd-keyfile: 请求etcd验证的私钥
- etcd-servers: etcd 服务的地址
- service-account-key-file: 服务的证书私钥
- service-cluster-ip-range: 用于分配服务集群IP。此范围不得与为 pods 分配给节点的任何 IP 范围重叠。(默认为10.0.0.0/24) clusterIP
- service-node-port-range: nodeport的端口范围,默认是30000-32767
- target-ram-mb:apiserver的内存限制,单位为MB(用于配置缓存大小等)
4) 创建supervisor 启动脚本
[root@zsf7-21 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/
[root@zsf7-21 bin]# supervisorctl update
kube-apiserver-7-21: added process group
zsf7-22类比上面进行这边不分开写
[root@zsf7-22 src]# tar xvf kubernetes-server-linux-amd64.tar.gz -C /opt/
[root@zsf7-22 src]# cd /opt/
[root@zsf7-22 opt]# mv kubernetes/ kubernetes-1.15.4
[root@zsf7-22 opt]# ln -s kubernetes-1.15.4/ kubernetes
[root@zsf7-22 opt]# cd /opt/kubernetes/server/bin
[root@zsf7-22 bin]# rm -f *.tar *_tar
[root@zsf7-22 bin]# mkdir /opt/kubernetes/server/bin/certs/
[root@zsf7-200 certs]# scp ca.pem ca-key.pem client-key.pem client.pem apiserver.pem apiserver-key.pem root@10.4.7.22:/opt/kubernetes/server/bin/certs/
[root@zsf7-22 bin]# ll certs/
total 24
-rw------- 1 root root 1679 Aug 5 16:31 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 16:31 apiserver.pem
-rw------- 1 root root 1675 Aug 5 16:31 ca-key.pem
-rw-r--r-- 1 root root 1338 Aug 5 16:31 ca.pem
-rw------- 1 root root 1675 Aug 5 16:31 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 16:31 client.pem
[root@zsf7-22 bin]# mkdir conf
[root@zsf7-22 bin]# vi conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs