kubernetes集群之kube-controller-manager
编写证书请求文件
[root@master-1 work]# vim kube-controller-manager-csr.json
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "127.0.0.1",
    "192.168.10.28",
    "192.168.10.29",
    "192.168.10.30",
    "192.168.10.31"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:kube-controller-manager",
      "OU": "system"
    }
  ]
}
签发证书
[root@master-1 work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
2022/01/15 10:45:21 [INFO] generate received request
2022/01/15 10:45:21 [INFO] received CSR
2022/01/15 10:45:21 [INFO] generating key: rsa-2048
2022/01/15 10:45:21 [INFO] encoded CSR
2022/01/15 10:45:21 [INFO] signed certificate with serial number 511951674798984195538527015611202564940649002918
2022/01/15 10:45:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
#创建kube-controller-manager的kubeconfig
1.设置集群参数
[root@master-1 work]# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.10.29:6443 --kubeconfig=kube-controller-manager.kubeconfig
Cluster "kubernetes" set.
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]# kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
User "system:kube-controller-manager" set.
[root@master-1 work]# kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
Context "system:kube-controller-manager" created.
[root@master-1 work]# kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
Switched to context "system:kube-controller-manager".
您在 /var/spool/mail/root 中有新邮件
#创建配置文件kube-controller-manager.conf
[root@master-1 work]# vim kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS="--secure-port=10257 \
  --bind-address=127.0.0.1 \
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
  --service-cluster-ip-range=10.255.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --allocate-node-cidrs=true \
  --cluster-cidr=10.0.0.0/16 \
  --experimental-cluster-signing-duration=87600h \
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --leader-elect=true \
  --feature-gates=RotateKubeletServerCertificate=true \
  --controllers=*,bootstrapsigner,tokencleaner \
  --horizontal-pod-autoscaler-use-rest-clients=true \
  --horizontal-pod-autoscaler-sync-period=10s \
  --tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem \
  --use-service-account-credentials=true \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes \
  --v=2"
注意：这里的 --service-account-private-key-file 与 --cluster-signing-key-file 指向同一个 CA 私钥 ca-key.pem，即同一把密钥既签发集群证书又签发 ServiceAccount 令牌。更稳妥的做法是为 ServiceAccount 单独生成一对密钥，并把对应公钥配置到 kube-apiserver 的 --service-account-key-file。另外，--experimental-cluster-signing-duration 在较新版本中已由 --cluster-signing-duration 取代，87600h（约 10 年）的签发有效期也偏长；--horizontal-pod-autoscaler-use-rest-clients 在较新版本中已被移除。使用前请按实际安装的版本核对这些参数。
创建启动文件
cat /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
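拷贝文件（kube-controller-manager-key.pem 是私钥，kubeconfig 因 --embed-certs=true 也内嵌了该私钥；拷贝到各节点后建议确认这些文件仅 root 可读，例如权限为 600）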
[root@master-1 work]# cp kube-controller-manager*.pem /etc/kubernetes/ssl/
[root@xianchaomaster1 work]# cp kube-controller-manager.kubeconfig /etc/kubernetes/
[root@master-1 work]# cp kube-controller-manager.conf /etc/kubernetes/
[root@master-1 work]# cp kube-controller-manager.service /usr/lib/systemd/system/
[root@master-1 work]# rsync -vaz kube-controller-manager*.pem master-2:/etc/kubernetes/ssl/
sending incremental file list
sent 88 bytes received 12 bytes 200.00 bytes/sec
total size is 3,184 speedup is 31.84
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]# rsync -vaz kube-controller-manager*.pem master-3:/etc/kubernetes/ssl/
sending incremental file list
kube-controller-manager-key.pem
kube-controller-manager.pem
sent 2,505 bytes received 54 bytes 5,118.00 bytes/sec
total size is 3,184 speedup is 1.24
[root@master-1 work]# rsync -vaz kube-controller-manager.kubeconfig kube-controller-manager.conf master-2:/etc/kubernetes
sending incremental file list
kube-controller-manager.conf
kube-controller-manager.kubeconfig
sent 624 bytes received 114 bytes 1,476.00 bytes/sec
total size is 7,581 speedup is 10.27
您在 /var/spool/mail/root 中有新邮件
[root@master-1 work]# rsync -vaz kube-controller-manager.kubeconfig kube-controller-manager.conf master-3:/etc/kubernetes
sending incremental file list
kube-controller-manager.conf
kube-controller-manager.kubeconfig
sent 624 bytes received 114 bytes 1,476.00 bytes/sec
total size is 7,581 speedup is 10.27
[root@master-1 work]# rsync -vaz kube-controller-manager.service master-2:/usr/lib/systemd/system/
sending incremental file list
kube-controller-manager.service
sent 111 bytes received 41 bytes 304.00 bytes/sec
total size is 324 speedup is 2.13
[root@master-1 work]# rsync -vaz kube-controller-manager.service master-3:/usr/lib/systemd/system/
sending incremental file list
kube-controller-manager.service
sent 111 bytes received 41 bytes 304.00 bytes/sec
total size is 324 speedup is 2.13
[root@master-1 work]#
启动
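# The four commands were fused onto one line, which the shell would parse as a
# single `systemctl daemon-reload` call with stray arguments; run them separately.

# Reload unit files so systemd sees the newly copied kube-controller-manager.service.
systemctl daemon-reload
# Start the service at boot, then start it now.
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
# Confirm the unit came up; a failed start is reported here.
systemctl status kube-controller-manager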
草都可以从石头缝隙中长出来，更何况你呢