二进制部署k8s集群v1.23.9版本-7-安装controller-manager组件

7.1、集群规划

主机名	角色	IP
hfqg1-201	controller-manager	192.168.1.201
hfqg1-202	controller-manager	192.168.1.202
hfqg1-203	controller-manager	192.168.1.203

7.2、生成controller-manager证书

192.168.1.200服务器上操作
生成证书请求文件

cd /opt/certs
[root@hfqg1-200 certs]# cat kube-controller-manager-csr.json
{
"CN": "system:kube-controller-manager",
"hosts": [
"127.0.0.1",
"192.168.1.196",
"192.168.1.197",
"192.168.1.198",
"192.168.1.199",
"192.168.1.200",
"192.168.1.201",
"192.168.1.202",
"192.168.1.203"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "system:masters",
"OU": "system"
}
]
}

说明：

• CN：这里的CN值非常重要，kube-controller-manager能否正常与kubee-apiserver通信与此值有关，K8S默认会提取CN字段的值作为用户名，这实际是指K8S的“RoleBinding/ClusterRoleBinding”资源中“subjects：kind”的值为“User”
• hosts：kube-controller-manager运行节点的IP地址。
• O：无实际意义。
• OU：无实际意义。
• hosts 列表包含所有 kube-controller-manager 节点 IP；
• CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager，kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限。

生成证书

cd /opt/certs
cfssl gencert
-ca=ca.pem
-ca-key=ca-key.pem
-config=ca-config.json
-profile=kubernetes
kube-controller-manager-csr.json | cfssl-json -bare kube-controller-manager

ls -l kube-controller-manager*

7.3、生成kubeconfig配置文件

192.168.1.201服务器上操作
编写生成kubeconfig配置文件的脚本
cd /opt/kubernetes/server/bin/k8s-shell

[root@hfqg1-201 k8s-shell]# cat kube-controller-manager-config.sh
#!/bin/bash
KUBE_CONFIG="/opt/kubernetes/server/bin/conf/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.1.196:8443"
kubectl config set-cluster kubernetes
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem
--embed-certs=true
--server=${KUBE_APISERVER}
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-controller-manager
--client-certificate=/opt/kubernetes/server/bin/certs/kube-controller-manager.pem
--client-key=/opt/kubernetes/server/bin/certs/kube-controller-manager-key.pem
--embed-certs=true
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default
--cluster=kubernetes
--user=kube-controller-manager
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=$

生成配置文件
chmod +x kube-controller-manager-config.sh
./kube-controller-manager-config.sh
把生成的配置文件拷贝到202和203主机上。
scp -r kube-controller-manager.kubeconfig hfqg1-202:/opt/kubernetes/server/bin/conf
scp -r kube-controller-manager.kubeconfig hfqg1-203:/opt/kubernetes/server/bin/conf

7.4、创建自启动脚本

cd /opt/kubernetes/server/bin
[root@hfqg1-201 bin]# cat kube-controller-manager.sh
#!/bin/bash
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kube-controller-manager
--cluster-name=kubernetes
--bind-address=127.0.0.1
--service-cluster-ip-range=192.168.0.0/16
--leader-elect=true
--controllers=*,bootstrapsigner,tokencleaner
--kubeconfig=/opt/kubernetes/server/bin/conf/kube-controller-manager.kubeconfig
--tls-cert-file=/opt/kubernetes/server/bin/certs/kube-controller-manager.pem
--tls-private-key-file=/opt/kubernetes/server/bin/certs/kube-controller-manager-key.pem
--cluster-signing-cert-file=/opt/kubernetes/server/bin/certs/ca.pem
--cluster-signing-key-file=/opt/kubernetes/server/bin/certs/ca-key.pem
--cluster-signing-duration=175200h0m0s
--root-ca-file=/opt/kubernetes/server/bin/certs/ca.pem
--use-service-account-credentials=false
--allocate-node-cidrs=true
--cluster-cidr=172.1.0.0/16
--log-dir=/data/logs/kubernetes/kube-controller-manager
--v=2

调整权限
chmod +x kube-controller-manager.sh
创建日志目录
mkdir -p /data/logs/kubernetes/kube-controller-manager

7.5、创建supervisor配置文件

[root@hfqg1-201 bin]# cat /etc/supervisord.d/kube-controller-manager.ini
[program:kube-controller-manager-1-201]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false

7.6、启动controller-manager服务

supervisorctl update
supervisorctl status

7.7、其它节点部署controller-manager

把启动脚本、supervisor配置文件拷贝到202和203主机
scp -r /opt/kubernetes/server/bin/kube-controller-manager.sh hfqg1-202:/opt/kubernetes/server/bin/
scp -r /opt/kubernetes/server/bin/kube-controller-manager.sh hfqg1-203:/opt/kubernetes/server/bin/
scp -r /etc/supervisord.d/kube-controller-manager.ini hfqg1-202:/etc/supervisord.d/
scp -r /etc/supervisord.d/kube-controller-manager.ini hfqg1-203:/etc/supervisord.d/
修改程序名称、创建日志目录
mkdir -p /data/logs/kubernetes/kube-controller-manager
202服务器

203服务器

分别启动controller-manager服务
supervisorctl update
supervisorctl status
至此，controller-manager组件安装完成。