二進(jìn)制安裝K8s之部署kube-apiserver
一唧龄、生成 kube-apiserver 證書
1、自簽證書頒發(fā)機(jī)構(gòu)(CA)
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成證書ca-key.pem 稼病、 ca.pem:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cp /data/docker/TSL/k8s/*.pem /data/k8s/ssl/
2选侨、使用自簽CA簽發(fā)kube-apiserver HTTPS證書
#ip地址包含k8s集群所有ip,LBIP以及負(fù)載均衡的虛擬IP建議多寫
#文件hosts字段中IP為所有Master/LB/VIP IP然走,一個(gè)都不能少援制!為了方便后期擴(kuò)容可以多寫幾個(gè)預(yù)留的IP。
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.0.0.1",
"192.168.100.170",
"192.168.100.171",
"192.168.100.172",
"192.168.100.173",
"192.168.100.174",
"192.168.100.175",
"192.168.100.176",
"192.168.100.177",
"192.168.100.178",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成證書:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
cp ./server*.pem /data/k8s/ssl/
二芍瑞、下載k8s 二進(jìn)制包
1晨仑、下載k8s
github 地址
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG
注:打開鏈接你會(huì)發(fā)現(xiàn)里面有很多包,下載一個(gè)server包就夠了拆檬,包含了Master和Worker Node二進(jìn)制文件洪己。
1、解壓
tar -zxvf kubernetes-server-linux-amd64.tar.gz
#復(fù)制二進(jìn)制文件
cp kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy /data/k8s/bin/
cp kubectl /usr/local/bin/
2竟贯、部署kube-apiserver答捕,創(chuàng)建配置文件
cat > /data/k8s/config/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/data/k8s/logs \\
--etcd-servers=https://192.168.100.170:2379,https://192.168.100.171:2379,https://192.168.100.172:2379 \\
--bind-address=192.168.100.170 \\
--secure-port=6443 \\
--advertise-address=192.168.100.170 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/data/k8s/config/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/data/k8s/ssl/server.pem \\
--kubelet-client-key=/data/k8s/ssl/server-key.pem \\
--tls-cert-file=/data/k8s/ssl/server.pem \\
--tls-private-key-file=/data/k8s/ssl/server-key.pem \\
--client-ca-file=/data/k8s/ssl/ca.pem \\
--service-account-key-file=/data/k8s/ssl/ca-key.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/data/k8s/ssl/server-key.pem \\
--etcd-cafile=/data/etcd/ssl/ca.pem \\
--etcd-certfile=/data/etcd/ssl/server.pem \\
--etcd-keyfile=/data/etcd/ssl/server-key.pem \\
--requestheader-allowed-names=kubernetes \\
--requestheader-extra-headers-prefix=X-Remote-Extra- \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--proxy-client-cert-file=/data/k8s/ssl/server.pem \\
--proxy-client-key-file=/data/k8s/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/data/k8s/logs/k8s-audit.log"
EOF
注:上面兩個(gè)\ \ 第一個(gè)是轉(zhuǎn)義符,第二個(gè)是換行符屑那,使用轉(zhuǎn)義符是為了使用EOF保留換行符拱镐。
- –logtostderr:?jiǎn)⒂萌罩?/li>
- —v:日志等級(jí)
- –log-dir:日志目錄
- –etcd-servers:etcd集群地址
- –bind-address:監(jiān)聽地址
- –secure-port:https安全端口
- –advertise-address:集群通告地址
- –allow-privileged:?jiǎn)⒂檬跈?quán)
- –service-cluster-ip-range:Service虛擬IP地址段
- –enable-admission-plugins:準(zhǔn)入控制模塊
- –authorization-mode:認(rèn)證授權(quán)艘款,啟用RBAC授權(quán)和節(jié)點(diǎn)自管理
- –enable-bootstrap-token-auth:?jiǎn)⒂肨LS bootstrap機(jī)制
- –token-auth-file:bootstrap token文件
- –service-node-port-range:Service nodeport類型默認(rèn)分配端口范圍
- –kubelet-client-xxx:apiserver訪問kubelet客戶端證書
- –tls-xxx-file:apiserver https證書
- –etcd-xxxfile:連接Etcd集群證書
- –audit-log-xxx:審計(jì)日志
4、啟用 TLS Bootstrapping 機(jī)制
TLS Bootstraping:Master apiserver啟用TLS認(rèn)證后沃琅,Node節(jié)點(diǎn)kubelet和kube-proxy要與kube-apiserver進(jìn)行通信哗咆,必須使用CA簽發(fā)的有效證書才可以,當(dāng)Node節(jié)點(diǎn)很多時(shí)益眉,這種客戶端證書頒發(fā)需要大量工作晌柬,同樣也會(huì)增加集群擴(kuò)展復(fù)雜度。為了簡(jiǎn)化流程郭脂,Kubernetes引入了TLS bootstraping機(jī)制來(lái)自動(dòng)頒發(fā)客戶端證書年碘,kubelet會(huì)以一個(gè)低權(quán)限用戶自動(dòng)向apiserver申請(qǐng)證書,kubelet的證書由apiserver動(dòng)態(tài)簽署朱庆。所以強(qiáng)烈建議在Node上使用這種方式盛泡,目前主要用于kubelet,kube-proxy還是由我們統(tǒng)一頒發(fā)一個(gè)證書娱颊。
TLS bootstraping 工作流程:
創(chuàng)建上述配置文件中token文件:
- 生成隨機(jī)token
格式:token傲诵,用戶名,UID箱硕,用戶組
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
a752d78ab37a51fa7c38ad94346317ac
- 創(chuàng)建上述配置文件中token文件:
下面文件中的token拴竹,替換成上面生成的token
cat >/data/k8s/config/token.csv << EOF
a752d78ab37a51fa7c38ad94346317ac,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
5、systemd管理apiserver
注意修改里面的路徑比如:kube-apiserver.conf 文件路徑
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/data/k8s/config/kube-apiserver.conf
ExecStart=/data/k8s/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
6剧罩、啟動(dòng)并設(shè)置開機(jī)啟動(dòng)
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
