二进制部署K8s集群第7节Master节点之kube-apiserver集群部署

上一章:二进制部署K8s集群第6节Master节点之etcd集群部署
架构图
二进制部署K8s集群第7节Master节点之kube-apiserver集群部署

目录
1、集群规划
2、创建生成client证书csr的json配置文件
3、生成apiserver的client证书文件
4、创建生成服务器端证书csr的json配置文件
5、生成apiserver的服务器证书文件
6、软件下载解压
7、拷贝证书
8、创建配置
9、创建apiserver启动脚本
10、创建supervisor配置
11、启动服务并检查

1、集群规划
二进制部署K8s集群第7节Master节点之kube-apiserver集群部署
2、创建生成client证书csr的json配置文件
在 hdss7-200 主机上操作

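# CSR for the client certificate. Kubernetes maps the CN of a client cert to
# the user name and O to the group; this single cert ("k8s-node", group "k8s")
# is later reused by the apiserver for both its etcd client and its kubelet
# client (section 9). An empty hosts list is fine for a pure client cert.
# The delimiter is quoted so nothing inside the JSON is ever expanded by bash.
cat > /opt/certs/client-csr.json <<'eof'
{
  "CN": "k8s-node",
  "hosts": [
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangZhou",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "yw"
    }
  ]
}
eof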

3、生成apiserver的client证书文件

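# Issue the client certificate with the cluster CA (same "client" profile as
# in the etcd section); run from /opt/certs so the relative CA paths resolve.
cd /opt/certs/
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client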
[root@hdss7-200 certs]# ll client*
-rw-r--r--. 1 root root  997 9月  20 02:22 client.csr
-rw-r--r--. 1 root root  284 9月  20 02:22 client-csr.json
-rw-------. 1 root root 1679 9月  20 02:22 client-key.pem
-rw-r--r--. 1 root root 1375 9月  20 02:22 client.pem

4、创建生成服务器端证书csr的json配置文件

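# CSR for the apiserver serving certificate. Every name or IP a client may use
# to reach the apiserver has to be listed in hosts: loopback, the first IP of
# the service range (192.168.0.1 for --service-cluster-ip-range 192.168.0.0/16
# in section 9), the in-cluster DNS names, the three master addresses and
# 10.4.7.10 (presumably the VIP from the cluster plan in section 1 — confirm).
# A name missing here fails TLS verification for that client later.
cat > /opt/certs/apiserver-csr.json <<'eof'
{
  "CN": "k8s-apiserver",
  "hosts": [
    "127.0.0.1",
    "192.168.0.1",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "10.4.7.10",
    "10.4.7.21",
    "10.4.7.22",
    "10.4.7.23"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangZhou",
      "L": "GuangZhou",
      "O": "k8s",
      "OU": "yw"
    }
  ]
}
eof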

二进制部署K8s集群第7节Master节点之kube-apiserver集群部署
5、生成apiserver的服务器证书文件

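# Issue the serving certificate with the "server" profile; cd first so the
# command also works in a fresh shell (the CA paths are relative).
cd /opt/certs/
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver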
[root@hdss7-200 certs]# ll apiserver*
-rw-r--r--. 1 root root 1257 9月  20 02:11 apiserver.csr
-rw-r--r--. 1 root root  570 9月  20 02:10 apiserver-csr.json
-rw-------. 1 root root 1679 9月  20 02:11 apiserver-key.pem
-rw-r--r--. 1 root root 1610 9月  20 02:11 apiserver.pem

6、软件下载解压
以host7-21主机操作为例,host7-22操作类似
下载地址:https://github.com/kubernetes/kubernetes/releases

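# Unpack the server tarball on hdss7-21 (hdss7-22 is done the same way).
cd /opt/src
rz   # <== upload kubernetes-server-linux-amd64.tar.gz
# Verify the tarball against the SHA256 published with the release before
# unpacking it; <EXPECTED_SHA256> stands for the value from the release notes.
sha256sum kubernetes-server-linux-amd64.tar.gz   # compare with <EXPECTED_SHA256>
tar xf kubernetes-server-linux-amd64.tar.gz -C /opt
cd /opt
# Versioned directory plus a stable symlink, so an upgrade is a symlink swap.
mv kubernetes/ kubernetes-v1.19.2
ln -s /opt/kubernetes-v1.19.2/ /opt/kubernetes
cd /opt/kubernetes
rm -rf kubernetes-src.tar.gz
cd server/bin
# Drop the bundled image tarballs and tag files; only the binaries are needed.
rm -f -- *.tar *_tag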

7、拷贝证书

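# Distribute the certificates issued on hdss7-200 to this master.
mkdir -p /opt/kubernetes/server/bin/certs
mkdir -p /opt/kubernetes/server/bin/conf
scp hdss7-200:/opt/certs/ca.pem /opt/kubernetes/server/bin/certs
# ca-key.pem is only needed on the master because kube-apiserver.sh (section 9)
# passes it as --service-account-key-file; with a dedicated service-account key
# pair the CA private key would not have to leave hdss7-200.
scp hdss7-200:/opt/certs/ca-key.pem /opt/kubernetes/server/bin/certs
scp hdss7-200:/opt/certs/client.pem /opt/kubernetes/server/bin/certs
scp hdss7-200:/opt/certs/client-key.pem /opt/kubernetes/server/bin/certs
scp hdss7-200:/opt/certs/apiserver.pem /opt/kubernetes/server/bin/certs
scp hdss7-200:/opt/certs/apiserver-key.pem /opt/kubernetes/server/bin/certs
# Private keys stay readable by root only, whatever umask scp applied.
chmod 600 /opt/kubernetes/server/bin/certs/*-key.pem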

8、创建配置

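# Audit policy for the apiserver (--audit-policy-file in section 9). YAML is
# indentation-sensitive, so the rule bodies below must stay indented under
# their "- level:" entries. The delimiter is quoted so bash expands nothing.
cat > /opt/kubernetes/server/bin/conf/audit.yaml <<'eof'
# audit.k8s.io/v1 is the GA version of this API; v1beta1 still works on 1.19
# but is deprecated.
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
eof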

9、创建apiserver启动脚本

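# Generate the apiserver start script. The delimiter is quoted ('eof') so the
# trailing backslashes survive: with an unquoted delimiter bash treats
# backslash-newline inside the here-document as a line continuation and writes
# the whole command as one line.
cat > /opt/kubernetes/server/bin/kube-apiserver.sh <<'eof'
#!/bin/bash
# Started by supervisor with directory=/opt/kubernetes/server/bin (section 10),
# so ./certs and ./conf are relative to that directory. exec replaces this
# shell with kube-apiserver so the stop signal from supervisor reaches the
# apiserver itself instead of a wrapper shell.
#
# Review notes on this flag set (values kept as deployed):
#  - --requestheader-client-ca-file reuses the cluster CA and no
#    --requestheader-allowed-names is given, so any certificate issued by this
#    CA is trusted to supply the remote-user headers; use a separate
#    front-proxy CA or list the allowed CNs.
#  - --service-account-key-file is the CA private key; a dedicated
#    service-account key pair keeps the CA key off the API servers.
#  - --insecure-port is left at its default, so the unauthenticated
#    localhost-only :8080 listener stays open (see the netstat output in
#    section 11); set --insecure-port 0 once no local component depends on it.
#  - --audit-log-maxage / --audit-log-maxbackup / --audit-log-maxsize are not
#    set, so audit-log grows without rotation.
exec ./kube-apiserver \
  --apiserver-count 2 \
  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
  --audit-policy-file ./conf/audit.yaml \
  --authorization-mode RBAC \
  --client-ca-file ./certs/ca.pem \
  --requestheader-client-ca-file ./certs/ca.pem \
  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
  --etcd-cafile ./certs/ca.pem \
  --etcd-certfile ./certs/client.pem \
  --etcd-keyfile ./certs/client-key.pem \
  --etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
  --service-account-key-file ./certs/ca-key.pem \
  --service-cluster-ip-range 192.168.0.0/16 \
  --service-node-port-range 3000-29999 \
  --target-ram-mb=1024 \
  --kubelet-client-certificate ./certs/client.pem \
  --kubelet-client-key ./certs/client-key.pem \
  --log-dir /data/logs/kubernetes/kube-apiserver \
  --tls-cert-file ./certs/apiserver.pem \
  --tls-private-key-file ./certs/apiserver-key.pem \
  --v 2
eof
# Log directory referenced by --log-dir / --audit-log-path and by supervisor.
mkdir -p /data/logs/kubernetes/kube-apiserver
chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh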

10、创建supervisor配置

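# Supervisor program definition. The program name carries the host suffix, so
# use kube-apiserver-7-22 on hdss7-22. stopsignal is delivered to the command's
# own process, so kube-apiserver.sh should exec the binary rather than run it
# as a child of the wrapper shell. The delimiter is quoted so bash expands
# nothing inside the ini.
cat > /etc/supervisord.d/kube-apiserver.ini <<'eof'
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
eof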

二进制部署K8s集群第7节Master节点之kube-apiserver集群部署
11、启动服务并检查

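# Register the new program and confirm it is RUNNING. The apiserver should be
# listening on :6443 (TLS) and, with the default --insecure-port, on
# 127.0.0.1:8080 (no authentication — local access only).
supervisorctl update
supervisorctl status
netstat -nltup | grep kube-api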
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      12497/./kube-apiser
tcp6       0      0 :::6443                 :::*                    LISTEN      12497/./kube-apiser

下一章:二进制部署K8s集群第8节Master节点之kube-scheduler集群部署