k8s集群之master节点部署

apiserver的部署

    

api-server的部署脚本
[root@mast-1 k8s]# cat apiserver.sh
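#!/bin/bash
# Render the kube-apiserver environment file and its systemd unit, then
# enable and (re)start the service.
#
# Usage: apiserver.sh <MASTER_ADDRESS> <ETCD_SERVERS>
#   MASTER_ADDRESS  IP the API server binds to and advertises (master node IP)
#   ETCD_SERVERS    comma-separated list of https:// etcd endpoints
#
# Writes:   /opt/kubernetes/cfg/kube-apiserver
#           /usr/lib/systemd/system/kube-apiserver.service
# Requires: root; /opt/kubernetes/{cfg,ssl,bin} already created, the server
#           and CA PEM files in /opt/kubernetes/ssl and /opt/etcd/ssl, and
#           token.csv in /opt/kubernetes/cfg.
set -euo pipefail

# Both arguments are mandatory: an empty value would silently render an empty
# --etcd-servers= / --bind-address= and the service would crash-loop.
MASTER_ADDRESS=${1:?usage: $0 MASTER_ADDRESS ETCD_SERVERS}   # master node IP
ETCD_SERVERS=${2:?usage: $0 MASTER_ADDRESS ETCD_SERVERS}     # etcd endpoint list

# Notes on the flag set below (values unchanged from the original deployment):
#  - --token-auth-file enables static bootstrap tokens; token.csv is a
#    credential: keep it root-only (mode 0600) and generate a fresh random
#    token per cluster rather than reusing a published one.
#  - --service-account-key-file points at the cluster CA private key, so the
#    service-account token signing key and the CA key are the same file; a
#    dedicated key pair for service accounts is the usual recommendation.
#  - --allow-privileged=true permits privileged pods cluster-wide.
#  - the unauthenticated localhost port (8080) is left at its default; only
#    processes on this host must be able to reach it (controller-manager and
#    scheduler use it via --master=127.0.0.1:8080).
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

# systemd unit; \$KUBE_APISERVER_OPTS is escaped so systemd, not this script,
# expands the variable from the EnvironmentFile.
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# Pick up the new unit, enable it at boot and start/restart it now.
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver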

  下载二进制包

[root@mast-1 k8s]# wget https://dl.k8s.io/v1.10.13/kubernetes-server-linux-amd64.tar.gz

  解压安装

[root@mast-1 k8s]# tar xf kubernetes-server-linux-amd64.tar.gz
[root@mast-1 k8s]# cd kubernetes/server/bin/
[root@mast-1 bin]# ls
apiextensions-apiserver              cloud-controller-manager.tar  kube-apiserver             kube-controller-manager             kubectl     kube-proxy.docker_tag  kube-scheduler.docker_tag
cloud-controller-manager             hyperkube                     kube-apiserver.docker_tag  kube-controller-manager.docker_tag  kubelet     kube-proxy.tar         kube-scheduler.tar
cloud-controller-manager.docker_tag  kubeadm                       kube-apiserver.tar         kube-controller-manager.tar         kube-proxy  kube-scheduler         mounter
[root@mast-1 ~]# mkdir /opt/kubernetes/{cfg,ssl,bin} -pv
mkdir: 已创建目录 "/opt/kubernetes"
mkdir: 已创建目录 "/opt/kubernetes/cfg"
mkdir: 已创建目录 "/opt/kubernetes/ssl"
mkdir: 已创建目录 "/opt/kubernetes/bin"
[root@mast-1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@mast-1 k8s]# ./apiserver.sh 192.168.10.11 https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379
[root@mast-1 k8s]# cd /opt/kubernetes/cfg/
[root@mast-1 cfg]# vi kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=false \
--log-dir=/opt/kubernetes/logs \    定义日志目录;注意创建此目录
--v=4 \
--etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 \
--bind-address=192.168.10.11 \   绑定的IP地址
--secure-port=6443 \   端口基于https通信的
--advertise-address=192.168.10.11 \    集群通告地址;其他节点访问通告这个IP
--allow-privileged=true \       容器层的授权
--service-cluster-ip-range=10.0.0.0/24 \   Service 负载均衡的虚拟IP段
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \  启用准入插件;决定是否要启用一些高级功能
--authorization-mode=RBAC,Node \    授权模式
--kubelet-https=true \  api-server主动访问kubelet是使用https协议
--enable-bootstrap-token-auth \   认证客户端并实现自动颁发证书
--token-auth-file=/opt/kubernetes/cfg/token.csv \      指定token文件
--service-node-port-range=30000-50000 \   NodePort 类型 Service 的端口范围
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \   apiserver 证书文件
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \   CA 私钥(ca-key.pem)
--etcd-cafile=/opt/etcd/ssl/ca.pem \   etcd   证书
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

  生成证书与token文件

[root@mast-1 k8s]# cat k8s-cert.sh
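#!/bin/bash
# Generate the cluster CA plus the API server, admin and kube-proxy
# certificates with cfssl/cfssljson, in the current directory.
#
# Outputs (current directory): ca.pem / ca-key.pem, server.pem / server-key.pem,
#   admin.pem / admin-key.pem, kube-proxy.pem / kube-proxy-key.pem and the
#   matching .csr / -csr.json files.
# Requires: cfssl and cfssljson on PATH.
set -euo pipefail

# Private keys are written into this directory; make sure nothing created
# below is readable by other users.
umask 077

# CA signing policy. 87600h is ten years for both the CA default and the
# "kubernetes" profile; there is no rotation in this deployment, so a leaked
# key stays valid for that long.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

# Self-signed CA; pipefail above makes a cfssl failure abort the script.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# API server certificate. The SAN list holds the kubernetes Service ClusterIP
# (first address of --service-cluster-ip-range), loopback, the master IP, the
# load-balancer addresses (node IPs are not needed) and the in-cluster DNS
# names. JSON allows no comments, so the annotations live here, not in the
# heredoc.
# NOTE(review): the IPs are copied from the original listing and do not include
# 192.168.10.11, the MASTER_ADDRESS that apiserver.sh binds and advertises in
# this deployment; every address clients use to reach the API server must be
# listed here or TLS verification fails — confirm before running.
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.206.176.19",
      "10.206.240.188",
      "10.206.240.189",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

# Admin client certificate. O=system:masters maps to the group that RBAC binds
# to cluster-admin, so admin-key.pem is an unrestricted credential that cannot
# be revoked without rotating the CA; keep it off shared hosts.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

# kube-proxy client certificate (CN system:kube-proxy).
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy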
[root@mast-1 k8s]# bash k8s-cert.sh
2019/04/22 18:05:08 [INFO] generating a new CA key and certificate from CSR
2019/04/22 18:05:08 [INFO] generate received request
2019/04/22 18:05:08 [INFO] received CSR
2019/04/22 18:05:08 [INFO] generating key: rsa-2048
2019/04/22 18:05:09 [INFO] encoded CSR
2019/04/22 18:05:09 [INFO] signed certificate with serial number 631400127737303589248201910249856863284562827982
2019/04/22 18:05:09 [INFO] generate received request
2019/04/22 18:05:09 [INFO] received CSR
2019/04/22 18:05:09 [INFO] generating key: rsa-2048
2019/04/22 18:05:10 [INFO] encoded CSR
2019/04/22 18:05:10 [INFO] signed certificate with serial number 99345466047844052770348056449571016254842578399
2019/04/22 18:05:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2019/04/22 18:05:10 [INFO] generate received request
2019/04/22 18:05:10 [INFO] received CSR
2019/04/22 18:05:10 [INFO] generating key: rsa-2048
2019/04/22 18:05:11 [INFO] encoded CSR
2019/04/22 18:05:11 [INFO] signed certificate with serial number 309283889504556884051139822527420141544215396891
2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2019/04/22 18:05:11 [INFO] generate received request
2019/04/22 18:05:11 [INFO] received CSR
2019/04/22 18:05:11 [INFO] generating key: rsa-2048
2019/04/22 18:05:11 [INFO] encoded CSR
2019/04/22 18:05:11 [INFO] signed certificate with serial number 286610519064253595846587034459149175950956557113
2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@mast-1 k8s]# ls
admin.csr       apiserver.sh    ca-key.pem             etcd-cert.sh  kube-proxy.csr       kubernetes                            scheduler.sh     server.pem
admin-csr.json  ca-config.json  ca.pem                 etcd.sh       kube-proxy-csr.json  kubernetes-server-linux-amd64.tar.gz  server.csr
admin-key.pem   ca.csr          controller-manager.sh  k8s-cert      kube-proxy-key.pem   kubernetes.tar.gz                     server-csr.json
admin.pem       ca-csr.json     etcd-cert              k8s-cert.sh   kube-proxy.pem       master.zip

    

 生成token文件

[root@mast-1 k8s]# cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/
[root@mast-1 k8s]#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
 
[root@mast-1 k8s]#cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
[root@mast-1 k8s]# cat token.csv
0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@mast-1 k8s]# mv token.csv  /opt/kubernetes/cfg/

  

 启动apiserver

[root@mast-1 k8s]# systemctl start kube-apiserver
[root@mast-1 k8s]# ps -ef | grep apiserver
root       3264      1 99 20:35 ?        00:00:01 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --etcd-servers=https://192.168.10.11:2379,https:/
/192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 --secure-port=6443 --advertise-address=192.168.10.11 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pemroot       3274   1397  0 20:35 pts/0    00:00:00 grep --color=auto apiserver

  生成配置文件并启动controller-manager

[root@mast-1 k8s]# cat controller-manager.sh
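#!/bin/bash
# Render the kube-controller-manager environment file and systemd unit, then
# enable and (re)start the service.
#
# Usage: controller-manager.sh <MASTER_ADDRESS>
#   MASTER_ADDRESS  address of the API server's unauthenticated local port;
#                   the page invokes it with 127.0.0.1, i.e. the component
#                   talks to the apiserver over 127.0.0.1:8080 on the same host.
#
# Writes:   /opt/kubernetes/cfg/kube-controller-manager
#           /usr/lib/systemd/system/kube-controller-manager.service
# Requires: root; ca.pem and ca-key.pem in /opt/kubernetes/ssl.
set -euo pipefail

# Mandatory: an empty value would render --master=:8080.
MASTER_ADDRESS=${1:?usage: $0 MASTER_ADDRESS}

# The original listing carried free-text annotations after the `\\`
# continuations inside this heredoc; they ended up inside the quoted option
# string and broke the line continuation, so they are kept here instead:
#   --logtostderr / --v              logging
#   --master                          API server address (insecure port 8080)
#   --address=127.0.0.1               bind only on loopback, no external service
#   --cluster-signing-*               CA used to sign kubelet CSRs; the CA
#                                     private key therefore lives on this host
#   --service-account-private-key-file  same CA key signs SA tokens
#   --experimental-cluster-signing-duration  10-year validity for signed certs
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager


KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"

EOF

# \$KUBE_CONTROLLER_MANAGER_OPTS is escaped so systemd expands it from the
# EnvironmentFile at start time.
cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager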
[root@mast-1 k8s]# bash controller-manager.sh 127.0.0.1   参数为 apiserver 地址(本机 127.0.0.1, 走 8080 端口)
[root@mast-1 k8s]# ss -lntp
State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port             
LISTEN      0      128                                                     192.168.10.11:6443                                                                            *:*                  
users:(("kube-apiserver",pid=7604,fd=6))LISTEN      0      128                                                     192.168.10.11:2379                                                                            *:*                  
users:(("etcd",pid=1428,fd=7))LISTEN      0      128                                                         127.0.0.1:2379                                                                            *:*                  
users:(("etcd",pid=1428,fd=6))LISTEN      0      128                                                         127.0.0.1:10252                                                                           *:*                  
users:(("kube-controller",pid=7593,fd=3))LISTEN      0      128                                                     192.168.10.11:2380                                                                            *:*                  
users:(("etcd",pid=1428,fd=5))LISTEN      0      128                                                         127.0.0.1:8080                                                                            *:*                  
users:(("kube-apiserver",pid=7604,fd=5))LISTEN      0      128                                                                 *:22                                                                              *:*                  
users:(("sshd",pid=902,fd=3))LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*                  
users:(("master",pid=1102,fd=13))LISTEN      0      128                                                                :::10257                                                                          :::*                  
users:(("kube-controller",pid=7593,fd=5))LISTEN      0      128                                                                :::22                                                                             :::*                  
users:(("sshd",pid=902,fd=4))LISTEN      0      100                                                               ::1:25                                                                             :::*                  
users:(("master",pid=1102,fd=14))

  生成配置文件,并启动scheduler

[root@mast-1 k8s]# cat scheduler.sh
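#!/bin/bash
# Render the kube-scheduler environment file and systemd unit, then enable
# and (re)start the service.
#
# Usage: scheduler.sh <MASTER_ADDRESS>
#   MASTER_ADDRESS  address of the API server's unauthenticated local port;
#                   invoked with 127.0.0.1 on this page (127.0.0.1:8080).
#
# Writes: /opt/kubernetes/cfg/kube-scheduler
#         /usr/lib/systemd/system/kube-scheduler.service
# Requires: root.
set -euo pipefail

# Mandatory: an empty value would render --master=:8080.
MASTER_ADDRESS=${1:?usage: $0 MASTER_ADDRESS}

# --leader-elect without a value enables leader election (defaults to true).
cat <<EOF >/opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"

EOF

# \$KUBE_SCHEDULER_OPTS is escaped so systemd expands it from the
# EnvironmentFile at start time.
cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler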
[root@mast-1 k8s]# bash scheduler.sh 127.0.0.1
[root@mast-1 k8s]# ss -lntp
State       Recv-Q Send-Q                                                  Local Address:Port                                                                 Peer Address:Port             
LISTEN      0      128                                                     192.168.10.11:2379                                                                            *:*                  
users:(("etcd",pid=1428,fd=7))LISTEN      0      128                                                         127.0.0.1:2379                                                                            *:*                  
users:(("etcd",pid=1428,fd=6))LISTEN      0      128                                                         127.0.0.1:10252                                                                           *:*                  
users:(("kube-controller",pid=7809,fd=3))LISTEN      0      128                                                     192.168.10.11:2380                                                                            *:*                  
users:(("etcd",pid=1428,fd=5))LISTEN      0      128                                                                 *:22                                                                              *:*                  
users:(("sshd",pid=902,fd=3))LISTEN      0      100                                                         127.0.0.1:25                                                                              *:*                  
users:(("master",pid=1102,fd=13))LISTEN      0      128                                                                :::10251                                                                          :::*                  
users:(("kube-scheduler",pid=8073,fd=3))LISTEN      0      128                                                                :::10257                                                                          :::*                  
users:(("kube-controller",pid=7809,fd=5))LISTEN      0      128                                                                :::22                                                                             :::*                  
users:(("sshd",pid=902,fd=4))LISTEN      0      100                                                               ::1:25                                                                             :::*                  
users:(("master",pid=1102,fd=14))

  配置文件

[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager
 
 
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \  API连接地址
--leader-elect=true \    自动做高可用选举
--address=127.0.0.1 \    地址,不对外提供服务
--service-cluster-ip-range=10.0.0.0/24 \  地址范围与apiserver配置一样
--cluster-name=kubernetes \    名字
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \签名
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \   签名
--root-ca-file=/opt/kubernetes/ssl/ca.pem \  根证书
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ 
--experimental-cluster-signing-duration=87600h0m0s"   签发证书的有效期

  配置文件

[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-scheduler
 
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"

  将客户端工具复制到/usr/bin目录下

[root@mast-1 k8s]# cp kubernetes/server/bin/kubectl /usr/bin/

  查看集群状态

[root@mast-1 k8s]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                 
etcd-2               Healthy   {"health":"true"}  
etcd-1               Healthy   {"health":"true"}  
etcd-0               Healthy   {"health":"true"}  
controller-manager   Healthy   ok    

  
