k8s集群之master节点部署
apiserver的部署
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | api-server的部署脚本[root@mast-1 k8s]# cat apiserver.sh #!/bin/bashMASTER_ADDRESS=$1 主节点IPETCD_SERVERS=$2 etcd地址cat <<EOF >/opt/kubernetes/cfg/kube-apiserverKUBE_APISERVER_OPTS="--logtostderr=true \\--v=4 \\--etcd-servers=${ETCD_SERVERS} \\--bind-address=${MASTER_ADDRESS} \\--secure-port=6443 \\--advertise-address=${MASTER_ADDRESS} \\--allow-privileged=true \\--service-cluster-ip-range=10.0.0.0/24 \\--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\--authorization-mode=RBAC,Node \\--kubelet-https=true \\--enable-bootstrap-token-auth \\--token-auth-file=/opt/kubernetes/cfg/token.csv \\--service-node-port-range=30000-50000 \\--tls-cert-file=/opt/kubernetes/ssl/server.pem \\--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\--client-ca-file=/opt/kubernetes/ssl/ca.pem \\--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\--etcd-cafile=/opt/etcd/ssl/ca.pem \\--etcd-certfile=/opt/etcd/ssl/server.pem \\--etcd-keyfile=/opt/etcd/ssl/server-key.pem"EOFcat <<EOF >/usr/lib/systemd/system/kube-apiserver.service[Unit]Description=Kubernetes API ServerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserverExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTSRestart=on-failure[Install]WantedBy=multi-user.targetEOFsystemctl daemon-reloadsystemctl enable kube-apiserversystemctl restart kube-apiserver |
下载二进制包
1 | [root@mast-1 k8s]# wget https://dl.k8s.io/v1.10.13/kubernetes-server-linux-amd64.tar.gz |
解压安装
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | [root@mast-1 k8s]# tar xf kubernetes-server-linux-amd64.tar.gz [root@mast-1 k8s]# cd kubernetes/server/bin/[root@mast-1 bin]# lsapiextensions-apiserver cloud-controller-manager.tar kube-apiserver kube-controller-manager kubectl kube-proxy.docker_tag kube-scheduler.docker_tagcloud-controller-manager hyperkube kube-apiserver.docker_tag kube-controller-manager.docker_tag kubelet kube-proxy.tar kube-scheduler.tarcloud-controller-manager.docker_tag kubeadm kube-apiserver.tar kube-controller-manager.tar kube-proxy kube-scheduler mounter[root@mast-1 ~]# mkdir /opt/kubernetes/{cfg,ssl,bin} -pvmkdir: 已创建目录 "/opt/kubernetes"mkdir: 已创建目录 "/opt/kubernetes/cfg"mkdir: 已创建目录 "/opt/kubernetes/ssl"mkdir: 已创建目录 "/opt/kubernetes/bin"[root@mast-1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/[root@mast-1 k8s]# ./apiserver.sh 192.168.10.11 https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379[root@mast-1 k8s]# cd /opt/kubernetes/cfg/[root@mast-1 cfg]# vi kube-apiserver KUBE_APISERVER_OPTS="--logtostderr=false \--log-dir=/opt/kubernetes/logs \ 定义日志目录;注意创建此目录--v=4 \--etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 \--bind-address=192.168.10.11 \ 绑定的IP地址--secure-port=6443 \ 端口基于https通信的--advertise-address=192.168.10.11 \ 集群通告地址;其他节点访问通告这个IP--allow-privileged=true \ 容器层的授权--service-cluster-ip-range=10.0.0.0/24 \ 负责均衡的虚拟IP--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ 启用准入插件;决定是否要启用一些高级功能--authorization-mode=RBAC,Node \ 认证模式--kubelet-https=true \ api-server主动访问kubelet是使用https协议--enable-bootstrap-token-auth \ 认证客户端并实现自动颁发证书--token-auth-file=/opt/kubernetes/cfg/token.csv \ 指定token文件--service-node-port-range=30000-50000 \ node认证端口范围--tls-cert-file=/opt/kubernetes/ssl/server.pem \ apiserver 证书文件--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \--client-ca-file=/opt/kubernetes/ssl/ca.pem \--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ ca证书--etcd-cafile=/opt/etcd/ssl/ca.pem \ etcd 证书--etcd-certfile=/opt/etcd/ssl/server.pem \--etcd-keyfile=/opt/etcd/ssl/server-key.pem" |
生成证书与token文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 | [root@mast-1 k8s]# cat k8s-cert.sh cat > ca-config.json <<EOF{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } }}EOFcat > ca-csr.json <<EOF{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -initca ca-csr.json | cfssljson -bare ca -#-----------------------cat > server-csr.json <<EOF{ "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "10.206.176.19", master IP "10.206.240.188", LB;node节点不用写,写上也不错 "10.206.240.189", LB: "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server#-----------------------cat > admin-csr.json <<EOF{ "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ]}EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin#-----------------------cat > kube-proxy-csr.json <<EOF{ "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy[root@mast-1 k8s]# bash k8s-cert.sh 2019/04/22 18:05:08 [INFO] generating a new CA key and certificate from CSR2019/04/22 18:05:08 [INFO] generate received request2019/04/22 18:05:08 [INFO] received CSR2019/04/22 18:05:08 [INFO] generating key: rsa-20482019/04/22 18:05:09 [INFO] encoded CSR2019/04/22 18:05:09 [INFO] signed certificate with serial number 6314001277373035892482019102498568632845628279822019/04/22 18:05:09 [INFO] generate received request2019/04/22 18:05:09 [INFO] received CSR2019/04/22 18:05:09 [INFO] generating key: rsa-20482019/04/22 18:05:10 [INFO] encoded CSR2019/04/22 18:05:10 [INFO] signed certificate with serial number 993454660478440527703480564495710162548425783992019/04/22 18:05:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").2019/04/22 18:05:10 [INFO] generate received request2019/04/22 18:05:10 [INFO] received CSR2019/04/22 18:05:10 [INFO] generating key: rsa-20482019/04/22 18:05:11 [INFO] encoded CSR2019/04/22 18:05:11 [INFO] signed certificate with serial number 3092838895045568840511398225274201415442153968912019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").2019/04/22 18:05:11 [INFO] generate received request2019/04/22 18:05:11 [INFO] received CSR2019/04/22 18:05:11 [INFO] generating key: rsa-20482019/04/22 18:05:11 [INFO] encoded CSR2019/04/22 18:05:11 [INFO] signed certificate with serial number 2866105190642535958465870344591491759509565571132019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").[root@mast-1 k8s]# lsadmin.csr apiserver.sh ca-key.pem etcd-cert.sh kube-proxy.csr kubernetes scheduler.sh server.pemadmin-csr.json ca-config.json ca.pem etcd.sh kube-proxy-csr.json kubernetes-server-linux-amd64.tar.gz server.csradmin-key.pem ca.csr controller-manager.sh k8s-cert kube-proxy-key.pem kubernetes.tar.gz server-csr.jsonadmin.pem ca-csr.json etcd-cert k8s-cert.sh kube-proxy.pem master.zip |
生成token文件
1 2 3 4 5 6 7 8 9 | [root@mast-1 k8s]# cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/[root@mast-1 k8s]#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008[root@mast-1 k8s]#cat > token.csv <<EOF${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"EOF[root@mast-1 k8s]# cat token.csv 0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"[root@mast-1 k8s]# mv token.csv /opt/kubernetes/cfg/ |
启动apiserver
1 2 3 4 | [root@mast-1 k8s]# systemctl start kube-apiserver[root@mast-1 k8s]# ps -ef | grep apiserverroot 3264 1 99 20:35 ? 00:00:01 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 --secure-port=6443 --advertise-address=192.168.10.11 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pemroot 3274 1397 0 20:35 pts/0 00:00:00 grep --color=auto apiserver |
生成配置文件并启动controller-manager
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 | [root@mast-1 k8s]# cat controller-manager.sh #!/bin/bashMASTER_ADDRESS=$1cat <<EOF >/opt/kubernetes/cfg/kube-controller-managerKUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\ 日志配置--v=4 \\--master=${MASTER_ADDRESS}:8080 \\ apimaster端口--leader-elect=true \\--address=127.0.0.1 \\ --service-cluster-ip-range=10.0.0.0/24 \\--cluster-name=kubernetes \\--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\--root-ca-file=/opt/kubernetes/ssl/ca.pem \\--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\--experimental-cluster-signing-duration=87600h0m0s"EOFcat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service[Unit]Description=Kubernetes Controller ManagerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-managerExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTSRestart=on-failure[Install]WantedBy=multi-user.targetEOFsystemctl daemon-reloadsystemctl enable kube-controller-managersystemctl restart kube-controller-manager[root@mast-1 k8s]# bash controller-manager.sh 127.0.0.1 输入masterIP[root@mast-1 k8s]# ss -lntpState Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 192.168.10.11:6443 *:* users:(("kube-apiserver",pid=7604,fd=6))LISTEN 0 128 192.168.10.11:2379 *:* users:(("etcd",pid=1428,fd=7))LISTEN 0 128 127.0.0.1:2379 *:* users:(("etcd",pid=1428,fd=6))LISTEN 0 128 127.0.0.1:10252 *:* users:(("kube-controller",pid=7593,fd=3))LISTEN 0 128 192.168.10.11:2380 *:* users:(("etcd",pid=1428,fd=5))LISTEN 0 128 127.0.0.1:8080 *:* users:(("kube-apiserver",pid=7604,fd=5))LISTEN 0 128 *:22 *:* users:(("sshd",pid=902,fd=3))LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1102,fd=13))LISTEN 0 128 :::10257 :::* users:(("kube-controller",pid=7593,fd=5))LISTEN 0 128 :::22 :::* users:(("sshd",pid=902,fd=4))LISTEN 0 100 ::1:25 :::* users:(("master",pid=1102,fd=14)) |
生成配置文件,并启动scheduler
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | [root@mast-1 k8s]# cat scheduler.sh #!/bin/bashMASTER_ADDRESS=$1cat <<EOF >/opt/kubernetes/cfg/kube-schedulerKUBE_SCHEDULER_OPTS="--logtostderr=true \\--v=4 \\--master=${MASTER_ADDRESS}:8080 \\--leader-elect"EOFcat <<EOF >/usr/lib/systemd/system/kube-scheduler.service[Unit]Description=Kubernetes SchedulerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=-/opt/kubernetes/cfg/kube-schedulerExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTSRestart=on-failure[Install]WantedBy=multi-user.targetEOFsystemctl daemon-reloadsystemctl enable kube-schedulersystemctl restart kube-scheduler[root@mast-1 k8s]# bash scheduler.sh 127.0.0.1[root@mast-1 k8s]# ss -lntpState Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 192.168.10.11:2379 *:* users:(("etcd",pid=1428,fd=7))LISTEN 0 128 127.0.0.1:2379 *:* users:(("etcd",pid=1428,fd=6))LISTEN 0 128 127.0.0.1:10252 *:* users:(("kube-controller",pid=7809,fd=3))LISTEN 0 128 192.168.10.11:2380 *:* users:(("etcd",pid=1428,fd=5))LISTEN 0 128 *:22 *:* users:(("sshd",pid=902,fd=3))LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1102,fd=13))LISTEN 0 128 :::10251 :::* users:(("kube-scheduler",pid=8073,fd=3))LISTEN 0 128 :::10257 :::* users:(("kube-controller",pid=7809,fd=5))LISTEN 0 128 :::22 :::* users:(("sshd",pid=902,fd=4))LISTEN 0 100 ::1:25 :::* users:(("master",pid=1102,fd=14)) |
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | [root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \--v=4 \--master=127.0.0.1:8080 \ API连接地址--leader-elect=true \ 自动做高可用选举--address=127.0.0.1 \ 地址,不对外提供服务--service-cluster-ip-range=10.0.0.0/24 \ 地址范围与apiserver配置一样--cluster-name=kubernetes \ 名字--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \签名--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ 签名--root-ca-file=/opt/kubernetes/ssl/ca.pem \ 根证书--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --experimental-cluster-signing-duration=87600h0m0s" 有效时间 |
配置文件
1 2 3 4 5 6 | [root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true \--v=4 \--master=127.0.0.1:8080 \--leader-elect" |
将客户端工具复制到/usr/bin目录下
1 | [root@mast-1 k8s]# cp kubernetes/server/bin/kubectl /usr/bin/ |
查看集群状态
1 2 3 4 5 6 7 | [root@mast-1 k8s]# kubectl get csNAME STATUS MESSAGE ERRORscheduler Healthy ok etcd-2 Healthy {"health":"true"} etcd-1 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"} controller-manager Healthy ok |
草都可以从石头缝隙中长出来更可况你呢
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· SQL Server 2025 AI相关能力初探
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 葡萄城 AI 搜索升级:DeepSeek 加持,客户体验更智能
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏