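I am 简单母鸡, a blogger on 靠谱客. This article, which I collected during recent development work, mainly covers Kubernetes binary installation, part 5: installing kube-apiserver. I found it quite good and am sharing it here as a reference.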

Overview

Download the Kubernetes binaries

cd /usr/local/src/
wget http://xxxxx/1.19/kubernetes-server-linux-amd64.tar.gz 
tar xzf kubernetes-server-linux-amd64.tar.gz kubernetes
cd kubernetes/server/bin/
cp kube-apiserver kube-controller-manager kube-scheduler kubectl /opt/kubernetes/bin/
  • For a cluster deployment, copy kubelet and kube-proxy to /opt/kubernetes/bin/ on each node
scp kubelet kube-proxy node_ip:/opt/kubernetes/bin/

Generate the API server certificate and private key

cd /usr/local/src/ssl/
cat > kubernetes-csr.json <<EOF
{
    "hosts": [
        "127.0.0.1",
        "10.1.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "master_ip"
    ],
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "OU": "System",
            "L": "ShangHai",
            "O": "k8s",
            "ST": "ShangHai"
        }
    ]
}

EOF

cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
-ca-key=/opt/kubernetes/ssl/ca-key.pem \
-config=/opt/kubernetes/ssl/ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

cp kubernetes*.pem /opt/kubernetes/ssl/

Generate the kube-apiserver configuration file

mkdir -p /data/kubernetes/log
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/data/kubernetes/log \
--bind-address=master_ip \
--secure-port=6443 \
--advertise-address=master_ip \
--allow-privileged=true \
--service-cluster-ip-range=10.1.0.0/16 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=1-65535 \
--kubelet-client-certificate=/opt/kubernetes/ssl/kubernetes.pem \
--kubelet-client-key=/opt/kubernetes/ssl/kubernetes-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-servers=https://master_ip:2379 \
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/etcd.pem \
--etcd-keyfile=/opt/kubernetes/ssl/etcd-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
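  • --logtostderr: logging switch (false here, so logs go to files under --log-dir instead of stderr)
  • --v: log verbosity level
  • --log-dir: log directory
  • --etcd-servers: etcd cluster addresses
  • --bind-address: listen address
  • --secure-port: HTTPS secure port
  • --advertise-address: address advertised to the cluster
  • --allow-privileged: allow privileged containers
  • --service-cluster-ip-range: virtual IP range for Services
  • --enable-admission-plugins: admission control plugins
  • --authorization-mode: authorization modes; enables RBAC authorization and Node authorization (node self-management)
  • --enable-bootstrap-token-auth: enable the TLS bootstrap mechanism
  • --token-auth-file: bootstrap token file
  • --service-node-port-range: port range from which NodePort Services are allocated by default
  • --kubelet-client-xxx: client certificate the apiserver uses to access kubelets
  • --tls-xxx-file: apiserver HTTPS certificate
  • --etcd-xxxfile: certificates for connecting to the etcd cluster
  • --audit-log-xxx: audit log settings
  • For a cluster deployment, copy the certificates to /opt/kubernetes/ssl/ on each node
  • Change --bind-address to the master node's IP
  • Change --etcd-servers to the ip:port of the current cluster's etcd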
scp kubernetes*.pem node_ip:/opt/kubernetes/ssl/
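
The hosts list in kubernetes-csr.json has to stay in step with the flags above: in-cluster clients reach the API server through the `kubernetes` Service, whose ClusterIP is the first address of --service-cluster-ip-range (10.1.0.1 for 10.1.0.0/16). The following preflight check is an added example, not part of the original article; the function names are hypothetical and 192.0.2.10 is a constructed stand-in for master_ip.

```python
import ipaddress
import json
import re
import shlex

# Constructed sample inputs mirroring the two files above;
# 192.0.2.10 stands in for the master_ip placeholder.
SAMPLE_CSR = json.dumps({"hosts": [
    "127.0.0.1", "10.1.0.1", "kubernetes", "kubernetes.default",
    "kubernetes.default.svc", "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local", "192.0.2.10"]})
SAMPLE_CONF = '''KUBE_APISERVER_OPTS="--bind-address=192.0.2.10 \\
--advertise-address=192.0.2.10 \\
--service-cluster-ip-range=10.1.0.0/16"
'''

def parse_opts(conf_text):
    """Return {flag: value} from the KUBE_APISERVER_OPTS="..." assignment."""
    body = re.search(r'KUBE_APISERVER_OPTS="(.*?)"', conf_text, re.S).group(1)
    body = body.replace("\\\n", " ")  # join backslash-continued lines
    opts = {}
    for tok in shlex.split(body):
        flag, _, value = tok.lstrip("-").partition("=")
        opts[flag] = value
    return opts

def missing_sans(csr_text, conf_text):
    """List names/IPs the API server certificate needs but the CSR lacks."""
    hosts = set(json.loads(csr_text)["hosts"])
    opts = parse_opts(conf_text)
    net = ipaddress.ip_network(opts["service-cluster-ip-range"])
    required = {
        str(net[1]),                # ClusterIP of the "kubernetes" Service
        opts["advertise-address"],  # address published to API clients
        "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    }
    return sorted(required - hosts)

if __name__ == "__main__":
    gaps = missing_sans(SAMPLE_CSR, SAMPLE_CONF)
    print(gaps or "CSR hosts cover the API server endpoints")
```

Run it against the real files before calling cfssl; a non-empty result means clients dialing that name or address will fail TLS verification until the certificate is reissued.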

Create the client token file used by kube-apiserver

head -c 16 /dev/urandom | od -An -t x | tr -d ' '
  • Write the token into the CSV file (columns: token, user name, UID, group)
cat > /opt/kubernetes/cfg/token.csv << EOF
1064c534fb35c6d5a921df075d5281ac,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

Configure the kube-apiserver service file

cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

Start kube-apiserver

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver

Authorize the kubelet-bootstrap user to request certificates

kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
