Kubernetes安裝之八:配置master之scheduler
都是3臺服務器須要操做的node
1.建立證書
mkdir -p /etc/ssl/kube-scheduler
cat > /etc/ssl/kube-scheduler/kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"hosts": [
"127.0.0.1",
"192.168.1.40",
"192.168.1.41",
"192.168.1.42"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "ChengDu",
"L": "ChengDu",
"O": "system:kube-scheduler",
"OU": "dessler"
}
]
}
EOF
複製代碼
cfssl gencert -ca=/etc/ssl/ca.pem \
-ca-key=/etc/ssl/ca-key.pem \
-config=/etc/ssl/ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
複製代碼
ls
kube-scheduler.csr kube-scheduler-csr.json kube-scheduler-key.pem kube-scheduler.pem
複製代碼
- 說明:
- hosts 列表包含全部kube-scheduler 節點 IP
- CN 爲 system:kube-scheduler、O 爲 system:kube-scheduler,kubernetes 內置的 ClusterRoleBindings system:kube-scheduler 將賦予 kube-scheduler 工做所需的權限
2.建立kubeconfig 文件
kubectl config set-cluster kubernetes \
> --certificate-authority=/etc/ssl/ca.pem \
> --embed-certs=true \
> --server=https://192.168.1.43:8443 \
> --kubeconfig=kube-scheduler.kubeconfig
Cluster "kubernetes" set.
複製代碼
kubectl config set-credentials system:kube-scheduler \
> --client-certificate=/etc/ssl/kube-scheduler/kube-scheduler.pem \
> --client-key=/etc/ssl/kube-scheduler/kube-scheduler-key.pem \
> --embed-certs=true \
> --kubeconfig=kube-scheduler.kubeconfig
User "system:kube-scheduler" set.
複製代碼
kubectl config set-context system:kube-scheduler \
> --cluster=kubernetes \
> --user=system:kube-scheduler \
> --kubeconfig=kube-scheduler.kubeconfig
Context "system:kube-scheduler" created.
複製代碼
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
Switched to context "system:kube-scheduler".
複製代碼
3.分發配置文件證書二進制文件
4.配置kube-scheduler服務
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \\
--address=127.0.0.1 \\
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \\
--leader-elect=true \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/var/log/kubernetes \\
--v=2
Restart=on-failure
RestartSec=5
#User=k8s
[Install]
WantedBy=multi-user.target
EOF
複製代碼
- 說明:
- --address:在0.0.1:10251 端口接收 http /metrics 請求;kube-scheduler 目前還不支持接收 https 請求
- --kubeconfig:指定 kubeconfig 文件路徑,kube-scheduler 使用它鏈接和驗證 kube-apiserver
- --leader-elect=true:集羣運行模式,啓用選舉功能;被選爲 leader 的節點負責處理工做,其它節點爲阻塞狀態
- User=k8s:使用 k8s 帳戶運行
5.啓動服務
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
systemctl status kube-scheduler
複製代碼
6.檢查服務
curl -s http://127.0.0.1:10251/metrics |head
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="21600"} 0
複製代碼
kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
annotations:
control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99","leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z","renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
creationTimestamp: "2019-01-30T08:32:08Z"
name: kube-scheduler
namespace: kube-system
resourceVersion: "1737721"
selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
uid: 87dbdef5-2469-11e9-a032-525400c6cc24
複製代碼
7.配置自動approve kubelet CSR 請求
cat > /opt/kubernetes/cfg/csr-crb.yaml <<EOF
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: auto-approve-csrs-for-group
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node-client-cert-renewal
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests/selfnodeserver"]
verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: node-server-cert-renewal
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: approve-node-server-renewal-csr
apiGroup: rbac.authorization.k8s.io
EOF
複製代碼
kubectl apply -f /opt/kubernetes/cfg/csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/auto-approve-csrs-for-group created
clusterrolebinding.rbac.authorization.k8s.io/node-client-cert-renewal created
clusterrole.rbac.authorization.k8s.io/approve-node-server-renewal-csr created
clusterrolebinding.rbac.authorization.k8s.io/node-server-cert-renewal created
複製代碼
- 說明:
- kubelet 啓動後使用 --bootstrap-kubeconfig 向 kube-apiserver 發送 CSR 請求,當這個 CSR 被 approve 後,kube-controller-manager 爲 kubelet 建立 TLS 客戶端證書、私鑰和 --kubeletconfig 文件。
- 注意:kube-controller-manager 須要配置--cluster-signing-cert-file 和 --cluster-signing-key-file參數,纔會爲 TLS Bootstrap 建立證書和私鑰。
相關文章
- 1. Kubernetes安裝之七:配置master之controller-manager
- 2. Kubernetes安裝之六:配置master之api-server
- 3. kubernetes之kube-ui安裝配置
- 4. kubernetes之二–kubernetes master nodes
- 5. kubernetes之Scheduler原理分析
- 6. k8s安裝之Master
- 7. kubernetes之八–kubernetes ReplicaSet
- 8. Kubernetes安裝之十:配置node節點之kube-proxy
- 9. Kubernetes安裝之九:配置node節點之kubelet
- 10. Kubernetes之一安裝
- 更多相關文章...
- • Git 安裝配置 - Git 教程
- • MySQL免安裝版配置教程 - MySQL教程
- • Composer 安裝與使用
- • Docker容器實戰(八) - 漫談 Kubernetes 的本質
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Kubernetes安裝之七:配置master之controller-manager
- 2. Kubernetes安裝之六:配置master之api-server
- 3. kubernetes之kube-ui安裝配置
- 4. kubernetes之二–kubernetes master nodes
- 5. kubernetes之Scheduler原理分析
- 6. k8s安裝之Master
- 7. kubernetes之八–kubernetes ReplicaSet
- 8. Kubernetes安裝之十:配置node節點之kube-proxy
- 9. Kubernetes安裝之九:配置node節點之kubelet
- 10. Kubernetes之一安裝