Kubernetes cluster: deploying the master node
Deploying the apiserver
The api-server deployment script (the two notes after `MASTER_ADDRESS` and `ETCD_SERVERS` are the author's annotations, written here as shell comments):

```bash
[root@mast-1 k8s]# cat apiserver.sh
#!/bin/bash

MASTER_ADDRESS=$1   # master node IP
ETCD_SERVERS=$2     # etcd addresses

cat <<EOF > /opt/kubernetes/cfg/kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
```
Download the binary package

```bash
[root@mast-1 k8s]# wget https://dl.k8s.io/v1.10.13/kubernetes-server-linux-amd64.tar.gz
```
Extract and install
Extract the archive, copy the three master binaries into place, run the script, and then review the generated option file. In the `vi kube-apiserver` listing the notes to the right of the flags are the author's explanations and are not part of the file:

```bash
[root@mast-1 k8s]# tar xf kubernetes-server-linux-amd64.tar.gz
[root@mast-1 k8s]# cd kubernetes/server/bin/
[root@mast-1 bin]# ls
apiextensions-apiserver              cloud-controller-manager.tar  kube-apiserver             kube-controller-manager             kubectl     kube-proxy.docker_tag  kube-scheduler.docker_tag
cloud-controller-manager             hyperkube                     kube-apiserver.docker_tag  kube-controller-manager.docker_tag  kubelet     kube-proxy.tar         kube-scheduler.tar
cloud-controller-manager.docker_tag  kubeadm                       kube-apiserver.tar         kube-controller-manager.tar         kube-proxy  kube-scheduler         mounter
[root@mast-1 ~]# mkdir /opt/kubernetes/{cfg,ssl,bin} -pv
mkdir: 已创建目录 "/opt/kubernetes"
mkdir: 已创建目录 "/opt/kubernetes/cfg"
mkdir: 已创建目录 "/opt/kubernetes/ssl"
mkdir: 已创建目录 "/opt/kubernetes/bin"
[root@mast-1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@mast-1 k8s]# ./apiserver.sh 192.168.10.11 https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379
[root@mast-1 k8s]# cd /opt/kubernetes/cfg/
[root@mast-1 cfg]# vi kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=false \
--log-dir=/opt/kubernetes/logs \                                   log directory; remember to create it
--v=4 \
--etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 \
--bind-address=192.168.10.11 \                                     IP address to bind
--secure-port=6443 \                                               port for HTTPS traffic
--advertise-address=192.168.10.11 \                                cluster advertise address; other nodes reach the apiserver at this IP
--allow-privileged=true \                                          allow privileged containers
--service-cluster-ip-range=10.0.0.0/24 \                           virtual IP range used for service load balancing
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \   admission plugins; these gate some advanced features
--authorization-mode=RBAC,Node \                                   authorization modes
--kubelet-https=true \                                             the apiserver uses HTTPS when it contacts the kubelet
--enable-bootstrap-token-auth \                                    authenticate bootstrap clients and issue their certificates automatically
--token-auth-file=/opt/kubernetes/cfg/token.csv \                  token file
--service-node-port-range=30000-50000 \                            NodePort range
--tls-cert-file=/opt/kubernetes/ssl/server.pem \                   apiserver certificate
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \        CA key
--etcd-cafile=/opt/etcd/ssl/ca.pem \                               etcd certificates
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
```
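A check worth running once `apiserver.sh` has written `/opt/kubernetes/cfg/kube-apiserver`, as an added example that is not part of the original post: the script below parses the backslash-continued `KUBE_APISERVER_OPTS` value and confirms that the security-relevant flags shown above are present (RBAC and Node authorization, the NodeRestriction admission plugin, HTTPS to the kubelet, and the serving certificate, key and client CA). `write_sample_config` writes a constructed copy of the page's option file so the audit can be tried without a cluster; all function names are this example's own.

```bash
#!/bin/bash
# Added example (not the author's script): audit a kube-apiserver options file
# in the format written by apiserver.sh for the security-relevant flags.

# Collapse the backslash-continued KUBE_APISERVER_OPTS="..." value into one
# line of whitespace-separated flags.  $1 = path to the options file.
apiserver_flags() {
    sed -e 's/\\$//' "$1" | tr '\n' ' ' \
        | sed -e 's/^.*KUBE_APISERVER_OPTS="//' -e 's/".*$//'
}

# Print the value of one --flag=value entry, or nothing if it is absent.
# $1 = flags string, $2 = flag name (e.g. --authorization-mode)
flag_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# Return 0 when every check passes; each failed check prints a finding to stderr.
audit_apiserver_opts() {
    local flags v mode f rc=0
    flags=$(apiserver_flags "$1")

    # Both authorizers: RBAC for users/service accounts, Node for kubelets.
    v=$(flag_value "$flags" --authorization-mode)
    for mode in RBAC Node; do
        case ",$v," in
            *,$mode,*) ;;
            *) echo "FAIL: --authorization-mode=$v does not include $mode" >&2; rc=1 ;;
        esac
    done

    # NodeRestriction limits each kubelet to objects bound to its own node.
    v=$(flag_value "$flags" --enable-admission-plugins)
    case ",$v," in
        *,NodeRestriction,*) ;;
        *) echo "FAIL: NodeRestriction admission plugin not enabled" >&2; rc=1 ;;
    esac

    [ "$(flag_value "$flags" --kubelet-https)" = true ] \
        || { echo "FAIL: --kubelet-https is not true" >&2; rc=1; }

    # Serving certificate, its key, and the CA used to verify client certificates.
    for f in --tls-cert-file --tls-private-key-file --client-ca-file; do
        [ -n "$(flag_value "$flags" "$f")" ] \
            || { echo "FAIL: $f is not set" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample: the flags from the page, written to the path in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.10.11:2379 \
--bind-address=192.168.10.11 \
--secure-port=6443 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem"
EOF
}

# Demo: audit the constructed sample.  On a master node, call
# audit_apiserver_opts /opt/kubernetes/cfg/kube-apiserver instead.
demo_audit() {
    local f rc
    f=$(mktemp)
    write_sample_config "$f"
    audit_apiserver_opts "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```

The parser only understands the one-flag-per-line layout that `apiserver.sh` produces; a hand-edited file with several flags on one line still works, since the value is split on whitespace after the continuations are joined.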
Generate the certificates and the token file
The certificate script and its output. In `server-csr.json` the three notes beside the IP entries are the author's annotations and are not part of the JSON:

```bash
[root@mast-1 k8s]# cat k8s-cert.sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.206.176.19",        master IP
      "10.206.240.188",       LB; worker nodes need not be listed, though listing them does no harm
      "10.206.240.189",       LB
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

[root@mast-1 k8s]# bash k8s-cert.sh
2019/04/22 18:05:08 [INFO] generating a new CA key and certificate from CSR
2019/04/22 18:05:08 [INFO] generate received request
2019/04/22 18:05:08 [INFO] received CSR
2019/04/22 18:05:08 [INFO] generating key: rsa-2048
2019/04/22 18:05:09 [INFO] encoded CSR
2019/04/22 18:05:09 [INFO] signed certificate with serial number 631400127737303589248201910249856863284562827982
2019/04/22 18:05:09 [INFO] generate received request
2019/04/22 18:05:09 [INFO] received CSR
2019/04/22 18:05:09 [INFO] generating key: rsa-2048
2019/04/22 18:05:10 [INFO] encoded CSR
2019/04/22 18:05:10 [INFO] signed certificate with serial number 99345466047844052770348056449571016254842578399
2019/04/22 18:05:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
2019/04/22 18:05:10 [INFO] generate received request
2019/04/22 18:05:10 [INFO] received CSR
2019/04/22 18:05:10 [INFO] generating key: rsa-2048
2019/04/22 18:05:11 [INFO] encoded CSR
2019/04/22 18:05:11 [INFO] signed certificate with serial number 309283889504556884051139822527420141544215396891
2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
2019/04/22 18:05:11 [INFO] generate received request
2019/04/22 18:05:11 [INFO] received CSR
2019/04/22 18:05:11 [INFO] generating key: rsa-2048
2019/04/22 18:05:11 [INFO] encoded CSR
2019/04/22 18:05:11 [INFO] signed certificate with serial number 286610519064253595846587034459149175950956557113
2019/04/22 18:05:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
[root@mast-1 k8s]# ls
admin.csr       apiserver.sh    ca-key.pem             etcd-cert.sh  kube-proxy.csr       kubernetes                            scheduler.sh  server.pem
admin-csr.json  ca-config.json  ca.pem                 etcd.sh       kube-proxy-csr.json  kubernetes-server-linux-amd64.tar.gz  server.csr
admin-key.pem   ca.csr          controller-manager.sh  k8s-cert      kube-proxy-key.pem   kubernetes.tar.gz                     server-csr.json
admin.pem       ca-csr.json     etcd-cert              k8s-cert.sh   kube-proxy.pem       master.zip
```

The `hosts` warnings for `admin`, `kube-proxy` and the CA are expected: those are client certificates, and cfssl only flags the missing SAN list because it checks against the CA/Browser Forum rules for public web-server certificates.
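The `hosts` list in `server-csr.json` becomes the SAN list of `server.pem`, which the apiserver serves as `--tls-cert-file`; every address a client uses to reach the apiserver has to be in it, including the advertise address and the first IP of the service range (10.0.0.1 here). The page's list carries 10.206.x addresses while its apiserver runs at 192.168.10.11, so this is worth checking before the certificate is issued. The helper below is an added example, not part of the original post; `csr_hosts` and `check_csr_hosts` are this example's own names, and `write_sample_csr` writes a constructed copy of the page's CSR so the check can be tried offline.

```bash
#!/bin/bash
# Added example (not part of the original post): verify that a cfssl server CSR
# lists every address the apiserver will be reached at.

# Print the entries of the "hosts" array of a cfssl CSR JSON file, one per line.
# Assumes the page's layout: one entry per line inside "hosts": [ ... ].
csr_hosts() {
    sed -n '/"hosts"[[:space:]]*:/,/\]/p' "$1" \
        | grep -o '"[^"]*"' | tr -d '"' | grep -vx hosts
}

# $1 = CSR file, remaining args = addresses/names that must be present.
# Returns 0 when all are listed; prints each missing entry to stderr.
check_csr_hosts() {
    local csr=$1 hosts want rc=0
    shift
    hosts=$(csr_hosts "$csr")
    for want in "$@"; do
        printf '%s\n' "$hosts" | grep -qxF -- "$want" \
            || { echo "MISSING from hosts: $want" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample mirroring the page's server-csr.json, written to $1.
write_sample_csr() {
    cat > "$1" <<'EOF'
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.206.176.19",
      "10.206.240.188",
      "10.206.240.189",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": { "algo": "rsa", "size": 2048 }
}
EOF
}

# Demo: the sample passes for the addresses it contains and fails for the
# master address the page actually uses (192.168.10.11).
demo_csr_check() {
    local f
    f=$(mktemp)
    write_sample_csr "$f"
    check_csr_hosts "$f" 10.0.0.1 127.0.0.1 kubernetes.default.svc.cluster.local
    echo "--- checking the page's real apiserver address:"
    check_csr_hosts "$f" 192.168.10.11 || true
    rm -f "$f"
}
```

On the master, run `check_csr_hosts server-csr.json 192.168.10.11 10.0.0.1 kubernetes.default.svc.cluster.local` before `cfssl gencert`, substituting the addresses of the cluster being built; a mismatch only surfaces later as a TLS hostname error from kubelets and `kubectl` clients that talk to port 6443.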
Generate the token file

```bash
[root@mast-1 k8s]# cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/
[root@mast-1 k8s]# BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
[root@mast-1 k8s]# cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
[root@mast-1 k8s]# cat token.csv
0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@mast-1 k8s]# mv token.csv /opt/kubernetes/cfg/
```
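The token in `token.csv` is a bearer credential: anyone holding it can authenticate to the apiserver as `kubelet-bootstrap` and request a node certificate, so it should be unique to the cluster and readable only by root. The functions below are an added example, not the author's commands: `gen_bootstrap_token` draws a 32-hex-character token from `/dev/urandom` (the same shape as the page's literal), `write_token_csv` writes the line in the page's `token,user,uid,"group"` format with mode 600, and `validate_token_csv` checks an existing file for that format and permission. The function names are this example's own.

```bash
#!/bin/bash
# Added example (not the author's commands): create and validate the
# kubelet bootstrap token file used by --token-auth-file.

# 32 hex characters from the kernel CSPRNG, the same shape as the page's token.
gen_bootstrap_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write token.csv in the page's format: token,user,uid,"group".
# $1 = path, $2 = token.  The file is created owner-readable only.
write_token_csv() {
    ( umask 077; printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Return 0 if $1 is a well-formed, owner-only token.csv; otherwise print the
# findings to stderr and return 1.
validate_token_csv() {
    local f=$1 rc=0 mode token user uid group
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 1 ] \
        || { echo "FAIL: expected exactly one line" >&2; rc=1; }
    IFS=, read -r token user uid group < "$f"
    printf '%s\n' "$token" | grep -Eq '^[0-9a-f]{32}$' \
        || { echo "FAIL: token is not 32 hex characters" >&2; rc=1; }
    [ "$user" = kubelet-bootstrap ] \
        || { echo "FAIL: user is '$user', expected kubelet-bootstrap" >&2; rc=1; }
    printf '%s\n' "$uid" | grep -Eq '^[0-9]+$' \
        || { echo "FAIL: uid '$uid' is not numeric" >&2; rc=1; }
    [ "$group" = '"system:kubelet-bootstrap"' ] \
        || { echo "FAIL: group is $group" >&2; rc=1; }
    # Permission bits only (column 11 may carry an ACL or SELinux marker).
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] \
        || { echo "FAIL: mode is $mode, expected -rw-------" >&2; rc=1; }
    return $rc
}

# Demo: generate a token, write the file to a temporary path and validate it.
# On the master the path would be /opt/kubernetes/cfg/token.csv.
demo_token_file() {
    local f rc
    f=$(mktemp)
    write_token_csv "$f" "$(gen_bootstrap_token)"
    cat "$f"
    validate_token_csv "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```

The token value also has to reach each node's bootstrap kubeconfig, so generate it once, before the node setup step, and keep the file out of shell history (the page's `BOOTSTRAP_TOKEN=` assignment on the command line lands in `.bash_history`).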
Start the apiserver

```bash
[root@mast-1 k8s]# systemctl start kube-apiserver
[root@mast-1 k8s]# ps -ef | grep apiserver
root      3264     1 99 20:35 ?        00:00:01 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --log-dir=/opt/kubernetes/logs --v=4 --etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 --bind-address=192.168.10.11 --secure-port=6443 --advertise-address=192.168.10.11 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
root      3274  1397  0 20:35 pts/0    00:00:00 grep --color=auto apiserver
```
Generate the configuration file and start the controller-manager

The two notes to the right of `--logtostderr` and `--master` are the author's annotations, not part of the script:

```bash
[root@mast-1 k8s]# cat controller-manager.sh
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF > /opt/kubernetes/cfg/kube-controller-manager

KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\        logging settings
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\                          apiserver address and port
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

[root@mast-1 k8s]# bash controller-manager.sh 127.0.0.1    # pass the master IP
[root@mast-1 k8s]# ss -lntp
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      128    192.168.10.11:6443     *:*       users:(("kube-apiserver",pid=7604,fd=6))
LISTEN     0      128    192.168.10.11:2379     *:*       users:(("etcd",pid=1428,fd=7))
LISTEN     0      128    127.0.0.1:2379         *:*       users:(("etcd",pid=1428,fd=6))
LISTEN     0      128    127.0.0.1:10252        *:*       users:(("kube-controller",pid=7593,fd=3))
LISTEN     0      128    192.168.10.11:2380     *:*       users:(("etcd",pid=1428,fd=5))
LISTEN     0      128    127.0.0.1:8080         *:*       users:(("kube-apiserver",pid=7604,fd=5))
LISTEN     0      128    *:22                   *:*       users:(("sshd",pid=902,fd=3))
LISTEN     0      100    127.0.0.1:25           *:*       users:(("master",pid=1102,fd=13))
LISTEN     0      128    :::10257               :::*      users:(("kube-controller",pid=7593,fd=5))
LISTEN     0      128    :::22                  :::*      users:(("sshd",pid=902,fd=4))
LISTEN     0      100    ::1:25                 :::*      users:(("master",pid=1102,fd=14))
```
Generate the configuration file and start the scheduler

```bash
[root@mast-1 k8s]# cat scheduler.sh
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF > /opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler

[root@mast-1 k8s]# bash scheduler.sh 127.0.0.1
[root@mast-1 k8s]# ss -lntp
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN     0      128    192.168.10.11:2379     *:*       users:(("etcd",pid=1428,fd=7))
LISTEN     0      128    127.0.0.1:2379         *:*       users:(("etcd",pid=1428,fd=6))
LISTEN     0      128    127.0.0.1:10252        *:*       users:(("kube-controller",pid=7809,fd=3))
LISTEN     0      128    192.168.10.11:2380     *:*       users:(("etcd",pid=1428,fd=5))
LISTEN     0      128    *:22                   *:*       users:(("sshd",pid=902,fd=3))
LISTEN     0      100    127.0.0.1:25           *:*       users:(("master",pid=1102,fd=13))
LISTEN     0      128    :::10251               :::*      users:(("kube-scheduler",pid=8073,fd=3))
LISTEN     0      128    :::10257               :::*      users:(("kube-controller",pid=7809,fd=5))
LISTEN     0      128    :::22                  :::*      users:(("sshd",pid=902,fd=4))
LISTEN     0      100    ::1:25                 :::*      users:(("master",pid=1102,fd=14))
```
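The `ss -lntp` listings above are the place to confirm the exposure of the control plane: the controller-manager and scheduler talk to the apiserver over the unauthenticated plaintext port 8080, so that port must stay bound to 127.0.0.1 (as it is on this page), while 6443 is the only apiserver port that should be reachable from other hosts. The script below is an added example, not part of the original post: `nonloopback_listeners` reads `ss -lntp` output from stdin and prints every listener that is reachable off the box, and `check_apiserver_insecure_port` fails if 8080 is bound anywhere but loopback. `SAMPLE_SS` is a constructed copy of the page's listing so the functions can be tried without a master; the function names are this example's own.

```bash
#!/bin/bash
# Added example (not part of the original post): audit `ss -lntp` output for
# control-plane ports that are reachable from other hosts.

# Print "process port local-address" for each LISTEN socket not bound to
# loopback.  stdin = output of `ss -lntp`.
nonloopback_listeners() {
    local state rq sq laddr rest addr port proc
    while read -r state rq sq laddr rest; do
        [ "$state" = LISTEN ] || continue        # skip the header line
        addr=${laddr%:*}                         # "::" for ":::10257", "*" for "*:22"
        port=${laddr##*:}
        case "$addr" in 127.0.0.1|::1) continue ;; esac
        proc=$(printf '%s\n' "$rest" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        printf '%s %s %s\n' "${proc:-?}" "$port" "$addr"
    done
}

# Return 1 (with a finding on stderr) if the apiserver's plaintext port 8080
# is bound anywhere other than loopback; 0 otherwise.  stdin = `ss -lntp`.
check_apiserver_insecure_port() {
    local bad
    bad=$(nonloopback_listeners | awk '$2 == 8080')
    [ -z "$bad" ] && return 0
    echo "FAIL: unauthenticated port 8080 is reachable off-box: $bad" >&2
    return 1
}

# Constructed sample: the page's listing after all three components started.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 192.168.10.11:6443 *:* users:(("kube-apiserver",pid=7604,fd=6))
LISTEN 0 128 192.168.10.11:2379 *:* users:(("etcd",pid=1428,fd=7))
LISTEN 0 128 127.0.0.1:2379 *:* users:(("etcd",pid=1428,fd=6))
LISTEN 0 128 127.0.0.1:10252 *:* users:(("kube-controller",pid=7809,fd=3))
LISTEN 0 128 192.168.10.11:2380 *:* users:(("etcd",pid=1428,fd=5))
LISTEN 0 128 127.0.0.1:8080 *:* users:(("kube-apiserver",pid=7604,fd=5))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=902,fd=3))
LISTEN 0 128 :::10251 :::* users:(("kube-scheduler",pid=8073,fd=3))
LISTEN 0 128 :::10257 :::* users:(("kube-controller",pid=7809,fd=5))'

# Demo over the constructed sample; on a master pipe the live output instead:
#   ss -lntp | check_apiserver_insecure_port
demo_listener_audit() {
    printf '%s\n' "$SAMPLE_SS" | nonloopback_listeners
    printf '%s\n' "$SAMPLE_SS" | check_apiserver_insecure_port
}
```

The listing of off-box listeners is the part to read carefully: besides 6443, this page's master also exposes etcd (2379/2380) on the node address and the scheduler's 10251 on all interfaces, which is what a host firewall on the master needs to account for.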
Configuration file: kube-controller-manager

The notes to the right of the flags are the author's explanations and are not part of the file:

```bash
[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-controller-manager

KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \                                            apiserver address
--leader-elect=true \                                                automatic leader election for high availability
--address=127.0.0.1 \                                                bind address; not exposed externally
--service-cluster-ip-range=10.0.0.0/24 \                             must be the same range as in the apiserver config
--cluster-name=kubernetes \                                          cluster name
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \             signing certificate
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \          signing key
--root-ca-file=/opt/kubernetes/ssl/ca.pem \                          root CA certificate
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"                  validity period of the certificates it signs
```
Configuration file: kube-scheduler

```bash
[root@mast-1 k8s]# cat /opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"
```
Copy the client tool into /usr/bin

```bash
[root@mast-1 k8s]# cp kubernetes/server/bin/kubectl /usr/bin/
```
Check the cluster status

```bash
[root@mast-1 k8s]# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok
etcd-2               Healthy   {"health": "true"}
etcd-1               Healthy   {"health": "true"}
etcd-0               Healthy   {"health": "true"}
controller-manager   Healthy   ok
```
Even grass can grow out of a crack in a stone, so why not you?