二进制部署K8s集群第7节Master节点之kube-apiserver集群部署

二进制部署K8s集群第7节Master节点之kube-apiserver集群部署

目录1、集群规划2、创建生成client证书csr的json配置文件3、生成apiserver的client证书文件4、创建生成服务器端证书csr的json配置文件5、生成apiserver的服务器证书文件6、软件下载解压7、拷贝证书8、创建配置9、创建apiserver启动脚本10、创建supervisor配置11、启动服务并检查

cat > /opt/certs/client-csr.json <<'eof' { "CN": "k8s-node", "hosts": [ ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "GuangZhou", "L": "GuangZhou", "O": "k8s", "OU": "yw" } ] } eof

3、生成apiserver的client证书文件

cd /opt/certs/ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client [root@hdss7-200 certs]# ll client* -rw-r--r--. 1 root root 997 9月 20 02:22 client.csr -rw-r--r--. 1 root root 284 9月 20 02:22 client-csr.json -rw-------. 1 root root 1679 9月 20 02:22 client-key.pem -rw-r--r--. 1 root root 1375 9月 20 02:22 client.pem

4、创建生成服务器端证书csr的json配置文件

cat > /opt/certs/apiserver-csr.json <<'eof' { "CN": "k8s-apiserver", "hosts": [ "127.0.0.1", "192.168.0.1", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "10.4.7.10", "10.4.7.21", "10.4.7.22", "10.4.7.23" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "GuangZhou", "L": "GuangZhou", "O": "k8s", "OU": "yw" } ] } eof

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver [root@hdss7-200 certs]# ll apiserver* -rw-r--r--. 1 root root 1257 9月 20 02:11 apiserver.csr -rw-r--r--. 1 root root 570 9月 20 02:10 apiserver-csr.json -rw-------. 1 root root 1679 9月 20 02:11 apiserver-key.pem -rw-r--r--. 1 root root 1610 9月 20 02:11 apiserver.pem

6、软件下载解压以host7-21主机操作为例，host7-22操作类似下载地址：/opt/src rz <== kubernetes-server-linux-amd64.tar.gz tar xf kubernetes-server-linux-amd64.tar.gz -C /opt cd /opt mv kubernetes/ kubernetes-v1.19.2 ln -s /opt/kubernetes-v1.19.2/ /opt/kubernetes cd /opt/kubernetes rm -rf kubernetes-src.tar.gz cd server/bin rm -f *.tar *_tag

7、拷贝证书

mkdir /opt/kubernetes/server/bin/certs mkdir /opt/kubernetes/server/bin/conf scp hdss7-200:/opt/certs/ca.pem /opt/kubernetes/server/bin/certs scp hdss7-200:/opt/certs/ca-key.pem /opt/kubernetes/server/bin/certs scp hdss7-200:/opt/certs/client.pem /opt/kubernetes/server/bin/certs scp hdss7-200:/opt/certs/client-key.pem /opt/kubernetes/server/bin/certs scp hdss7-200:/opt/certs/apiserver.pem /opt/kubernetes/server/bin/certs scp hdss7-200:/opt/certs/apiserver-key.pem /opt/kubernetes/server/bin/certs

8、创建配置

cat > /opt/kubernetes/server/bin/conf/audit.yaml <<'eof' apiVersion: audit.k8s.io/v1beta1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages: - "RequestReceived" rules: # Log pod changes at RequestResponse level - level: RequestResponse resources: - group: "" # Resource "pods" doesn't match requests to any subresource of pods, # which is consistent with the RBAC policy. resources: ["pods"] # Log "pods/log", "pods/status" at Metadata level - level: Metadata resources: - group: "" resources: ["pods/log", "pods/status"] # Don't log requests to a configmap called "controller-leader" - level: None resources: - group: "" resources: ["configmaps"] resourceNames: ["controller-leader"] # Don't log watch requests by the "system:kube-proxy" on endpoints or services - level: None users: ["system:kube-proxy"] verbs: ["watch"] resources: - group: "" # core API group resources: ["endpoints", "services"] # Don't log authenticated requests to certain non-resource URL paths. - level: None userGroups: ["system:authenticated"] nonResourceURLs: - "/api*" # Wildcard matching. - "/version" # Log the request body of configmap changes in kube-system. - level: Request resources: - group: "" # core API group resources: ["configmaps"] # This rule only applies to resources in the "kube-system" namespace. # The empty string "" can be used to select non-namespaced resources. namespaces: ["kube-system"] # Log configmap and secret changes in all other namespaces at the Metadata level. - level: Metadata resources: - group: "" # core API group resources: ["secrets", "configmaps"] # Log all other resources in core and extensions at the Request level. - level: Request resources: - group: "" # core API group - group: "extensions" # Version of group should NOT be included. # A catch-all rule to log all other requests at the Metadata level. - level: Metadata # Long-running requests like watches that fall under this rule will not # generate an audit event in RequestReceived. omitStages: - "RequestReceived" eof

9、创建apiserver启动脚本

cat > /opt/kubernetes/server/bin/kube-apiserver.sh <<'eof' #!/bin/bash ./kube-apiserver \ --apiserver-count 2 \ --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \ --audit-policy-file ./conf/audit.yaml \ --authorization-mode RBAC \ --client-ca-file ./certs/ca.pem \ --requestheader-client-ca-file ./certs/ca.pem \ --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \ --etcd-cafile ./certs/ca.pem \ --etcd-certfile ./certs/client.pem \ --etcd-keyfile ./certs/client-key.pem \ --etcd-servers \ --service-account-key-file ./certs/ca-key.pem \ --service-cluster-ip-range 192.168.0.0/16 \ --service-node-port-range 3000-29999 \ --target-ram-mb=1024 \ --kubelet-client-certificate ./certs/client.pem \ --kubelet-client-key ./certs/client-key.pem \ --log-dir /data/logs/kubernetes/kube-apiserver \ --tls-cert-file ./certs/apiserver.pem \ --tls-private-key-file ./certs/apiserver-key.pem \ ----allow-privileged \ --v 2 eof mkdir -p /data/logs/kubernetes/kube-apiserver chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh

10、创建supervisor配置

cat > /etc/supervisord.d/kube-apiserver.ini <

supervisorctl update supervisorctl status netstat -nltup|grep kube-api tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 12497/./kube-apiser tcp6 0 0 :::6443 :::* LISTEN 12497/./kube-apiser

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。