k8s series, part 15: master node installation

Reader submission, 2022-09-12

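In this post we deploy the Kubernetes master nodes, that is, the control plane. For high availability we use two master nodes. Recall what runs on a master node: the api-server, the scheduler and the controller manager.

Configure the API server

Note: run these steps on both master nodes.

1. Move the certificates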

[root@node1 ~]# mkdir -p /etc/kubernetes/ssl
[root@node1 ~]# mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
    service-account-key.pem service-account.pem \
    proxy-client.pem proxy-client-key.pem \
    /etc/kubernetes/ssl
[root@node1 ~]# ls /etc/kubernetes/ssl/
ca-key.pem  ca.pem  kubernetes-key.pem  kubernetes.pem  proxy-client-key.pem  proxy-client.pem  service-account-key.pem  service-account.pem
[root@node1 ~]#

2. Configure the service

# IP address of this master node; each of the two nodes must set its own address
[root@node1 ~]# IP=192.168.112.130
# Number of apiserver instances
[root@node1 ~]# APISERVER_COUNT=2
# etcd node addresses, separated by spaces
[root@node1 ~]# ETCD_ENDPOINTS=(192.168.112.130 192.168.112.131 192.168.112.132)
# Create the systemd unit that manages the apiserver
# Placeholders to fill in: <path to kube-apiserver binary> and
# <etcd server URLs> (the etcd nodes listed in ETCD_ENDPOINTS)
[root@node1 ~]# cat <<EOF > /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=

[Service]
ExecStart=<path to kube-apiserver binary> \\
  --advertise-address=${IP} \\
  --allow-privileged=true \\
  --apiserver-count=${APISERVER_COUNT} \\
  --audit-log-maxage=30 \\
  --audit-log-maxbackup=3 \\
  --audit-log-maxsize=100 \\
  --audit-log-path=/var/log/audit.log \\
  --authorization-mode=Node,RBAC \\
  --bind-address=0.0.0.0 \\
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \\
  --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \\
  --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \\
  --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \\
  --etcd-servers=<etcd server URLs> \\
  --event-ttl=1h \\
  --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.pem \\
  --kubelet-client-certificate=/etc/kubernetes/ssl/kubernetes.pem \\
  --kubelet-client-key=/etc/kubernetes/ssl/kubernetes-key.pem \\
  --service-account-issuer=api \\
  --service-account-key-file=/etc/kubernetes/ssl/service-account.pem \\
  --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-key.pem \\
  --api-audiences=api,vault,factors \\
  --service-cluster-ip-range=10.233.0.0/16 \\
  --service-node-port-range=30000-32767 \\
  --proxy-client-cert-file=/etc/kubernetes/ssl/proxy-client.pem \\
  --proxy-client-key-file=/etc/kubernetes/ssl/proxy-client-key.pem \\
  --runtime-config=api/all=true \\
  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \\
  --requestheader-allowed-names=aggregator \\
  --requestheader-extra-headers-prefix=X-Remote-Extra- \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \\
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \\
  --v=1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
[root@node1 ~]#

Configure the controller-manager

Note: run these steps on both master nodes.

1. Move the certificates

[root@node1 ~]# mv kube-controller-manager.kubeconfig /etc/kubernetes/
[root@node1 ~]# ls /etc/kubernetes/
kube-controller-manager.kubeconfig  ssl
[root@node1 ~]#

2. Configure the service

# Placeholder to fill in: <path to kube-controller-manager binary>
[root@node1 ~]# cat <<EOF > /etc/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=

[Service]
ExecStart=<path to kube-controller-manager binary> \\
  --bind-address=0.0.0.0 \\
  --cluster-cidr=10.200.0.0/16 \\
  --cluster-name=kubernetes \\
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \\
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \\
  --cluster-signing-duration=876000h0m0s \\
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \\
  --leader-elect=true \\
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \\
  --service-account-private-key-file=/etc/kubernetes/ssl/service-account-key.pem \\
  --service-cluster-ip-range=10.233.0.0/16 \\
  --use-service-account-credentials=true \\
  --v=1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
[root@node1 ~]#

Configure the scheduler service

Note: run these steps on both master nodes.

1. Move the certificates

[root@node1 ~]# mv kube-scheduler.kubeconfig /etc/kubernetes
[root@node1 ~]# ls /etc/kubernetes/
kube-controller-manager.kubeconfig  kube-scheduler.kubeconfig  ssl
[root@node1 ~]#

2. Configure the service

# Placeholder to fill in: <path to kube-scheduler binary>
[root@node1 ~]# cat <<EOF > /etc/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=

[Service]
ExecStart=<path to kube-scheduler binary> \\
  --authentication-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  --authorization-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  --leader-elect=true \\
  --bind-address=0.0.0.0 \\
  --port=0 \\
  --v=1
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
[root@node1 ~]#

Start the services

Note: run these steps on both master nodes.

[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl enable kube-apiserver
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /etc/systemd/system/kube-apiserver.service.
[root@node1 ~]# systemctl enable kube-controller-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /etc/systemd/system/kube-controller-manager.service.
[root@node1 ~]# systemctl enable kube-scheduler
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /etc/systemd/system/kube-scheduler.service.
[root@node1 ~]# systemctl restart kube-apiserver
[root@node1 ~]# systemctl restart kube-controller-manager
[root@node1 ~]# systemctl restart kube-scheduler

Verify the services

Port check: confirm that all the ports are listening, so that no service has failed to start.

[root@node1 ~]# netstat -ntlp | grep kube
tcp6       0      0 :::6443       :::*       LISTEN      4834/kube-apiserver
tcp6       0      0 :::10252      :::*       LISTEN      4855/kube-controlle
tcp6       0      0 :::10257      :::*       LISTEN      4855/kube-controlle
tcp6       0      0 :::10259      :::*       LISTEN      4872/kube-scheduler
[root@node1 ~]#

Log check: look for error entries to confirm that the services started normally.

[root@node1 ~]# journalctl -xe
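
The port and log checks confirm that the services run, not that their flags are sound. As an added example (not part of the original post), this script lints unit files for flag choices used on this page, such as an audit log path without `--audit-policy-file`, `--allow-privileged=true` and `--bind-address=0.0.0.0`. The finding names, the one-year signing threshold and the sample unit files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): lint control-plane unit files.
# Finding names and the one-year threshold are choices made for this example.

# Print the value of --FLAG ($2) as written in unit file $1; empty if absent.
flag_value() {
  grep -oE -e "--$2=[^[:space:]]*" "$1" | head -n 1 | cut -d= -f2-
}

# Print one finding name per line for the unit file given as $1.
audit_unit() {
  unit=$1
  if grep -q -e '--etcd-servers' "$unit"; then   # flag only kube-apiserver takes
    # An audit log path without --audit-policy-file records no events.
    [ -n "$(flag_value "$unit" audit-log-path)" ] &&
      [ -z "$(flag_value "$unit" audit-policy-file)" ] &&
      echo audit-log-without-policy
    # --anonymous-auth defaults to true unless it is switched off explicitly.
    [ "$(flag_value "$unit" anonymous-auth)" = false ] || echo anonymous-auth-enabled
    [ "$(flag_value "$unit" allow-privileged)" = true ] && echo privileged-pods-allowed
    case "$(flag_value "$unit" runtime-config)" in
      *api/all=true*) echo all-api-versions-enabled ;;   # alpha APIs included
    esac
  else                                           # controller-manager, scheduler
    [ "$(flag_value "$unit" bind-address)" = 0.0.0.0 ] && echo binds-all-interfaces
  fi
  # Lifetime of certificates the controller manager signs (hours part only).
  hours=$(flag_value "$unit" cluster-signing-duration)
  hours=${hours%%h*}
  case "$hours" in
    ''|*[!0-9]*) ;;
    *) [ "$hours" -gt 8760 ] && echo long-lived-signed-certs ;;
  esac
  return 0
}

# Constructed sample units carrying a subset of the flags used on this page;
# the etcd URL is a made-up documentation address.
tmp=$(mktemp -d)
cat > "$tmp/kube-apiserver.service" <<'EOF'
ExecStart=kube-apiserver \
  --allow-privileged=true --audit-log-path=/var/log/audit.log \
  --etcd-servers=https://192.0.2.10:2379 --runtime-config=api/all=true
EOF
cat > "$tmp/kube-controller-manager.service" <<'EOF'
ExecStart=kube-controller-manager \
  --bind-address=0.0.0.0 --cluster-signing-duration=876000h0m0s
EOF
for u in "$tmp"/*.service; do echo "== ${u##*/}"; audit_unit "$u"; done
```

On a master node, call `audit_unit /etc/systemd/system/kube-apiserver.service` (and the other two unit files) and review each finding against what the cluster actually needs.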

Configure kubectl

Note: run these steps on both master nodes.

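# Create the configuration directory
[root@node1 ~]# mkdir ~/.kube/
# Move the certificate (admin.kubeconfig)
[root@node1 ~]# mv ~/admin.kubeconfig ~/.kube/config
# Test
[root@node1 ~]# kubectl get nodes
No resources found
[root@node1 ~]#

An empty result is normal, because we have not started any pod services yet.

Some kubectl commands cause the apiserver to forward requests to the kubelet, so we need to define a rule that authorizes the apiserver to access the kubelet API.

Note: this command only needs to be run on one master node.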

[root@node1 ~]# kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
clusterrolebinding.rbac.authorization.k8s.io/kube-apiserver:kubelet-apis created
[root@node1 ~]#

That concludes this post: all the services required on the master nodes are now installed. In the next post we will start installing the services on the worker nodes.
