下面的操作依託於上一篇文章。
# Certificate signing request for the kube-apiserver certificate.
# Every entry under "hosts" is an identity this certificate will be accepted
# for: the loopback address, the VIP and every master IP/DNS name, plus the
# in-cluster names of the kubernetes service (10.254.0.1 is its ClusterIP).
# Add all cluster IPs, the VIP and the node domain names here.  When adding
# entries mind the trailing commas: a missing one makes the next step fail.
# The heredoc delimiter is quoted because the JSON contains nothing to expand.
cd -- /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat <<'EOF' > kubernetes-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.0.20.10",
    "10.0.20.11",
    "10.0.20.12",
    "10.0.20.13",
    "vip.k8s.com",
    "node01.k8s.com",
    "node02.k8s.com",
    "node03.k8s.com",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local."
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
EOF
hosts 字段指定授權使用該證書的 IP 和域名列表,這裏列出了 master 節點 IP、kubernetes 服務的 IP 和域名。
kubernetes service IP 是 apiserver 自動創建的,通常是 --service-cluster-ip-range 參數指定的網段的第一個 IP。
$ kubectl get svc kubernetes NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.254.0.1 443/TCP 31d
# Sign the kube-apiserver CSR with the cluster CA held in /opt/k8s/work.
# cfssljson -bare writes kubernetes.pem (certificate), kubernetes-key.pem
# (private key) and kubernetes.csr into the current directory; the final ls
# shows the two PEM files that the following steps distribute.
cd -- /opt/k8s/work
source /opt/k8s/bin/environment.sh
cfssl gencert \
  -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem \
  -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
ls kubernetes*pem
將生成的證書和私鑰文件拷貝到所有 master 節點。
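# Copy the kube-apiserver certificate and private key to every master node.
# MASTER_IPS comes from environment.sh.  Array and scalar expansions are
# quoted so an entry is never word-split or glob-expanded (the kubernetes*.pem
# glob is the one intentional expansion).  kubernetes-key.pem is a private
# key: keep it readable by root only on the destination hosts.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  ssh "root@${node_ip}" "mkdir -p /etc/kubernetes/cert"
  scp kubernetes*.pem "root@${node_ip}:/etc/kubernetes/cert/"
done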
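# Write the at-rest encryption configuration for kube-apiserver.
# ${ENCRYPTION_KEY} (from environment.sh) is the AES-CBC key that protects
# every Secret object stored in etcd, so the file is a secret itself.  The
# original wrote it with the default umask (typically world-readable); the
# chmod below restricts it to the owner whether the file is new or already
# existed.  "identity" stays as a fallback provider so data written before
# encryption was enabled can still be read.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
chmod 600 encryption-config.yaml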
將加密配置文件拷貝到 master 節點的 /etc/kubernetes 目錄下。
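# Distribute the encryption configuration to every master node.
# The file carries the etcd encryption key; scp normally preserves the
# source file's mode, so make sure the local copy is owner-only before this
# step (or tighten it on the masters afterwards).  Expansions are quoted.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp encryption-config.yaml "root@${node_ip}:/etc/kubernetes/"
done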
# Write the kube-apiserver audit policy.  Rules are matched top to bottom and
# the first match wins: high-volume, low-risk traffic (kube-proxy watches,
# node status, health URLs, events) is dropped; Secrets, ConfigMaps and
# TokenReviews are logged at Metadata level only so their contents never
# reach the audit log; everything else gets Request/RequestResponse.
# The heredoc delimiter is quoted: the YAML contains no shell expansions.
cd -- /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat <<'EOF' > audit-policy.yaml
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk, so drop them.
  - level: None
    resources:
      - group: ""
        resources:
          - endpoints
          - services
          - services/status
    users:
      - 'system:kube-proxy'
    verbs:
      - watch

  - level: None
    resources:
      - group: ""
        resources:
          - nodes
          - nodes/status
    userGroups:
      - 'system:nodes'
    verbs:
      - get

  - level: None
    namespaces:
      - kube-system
    resources:
      - group: ""
        resources:
          - endpoints
    users:
      - 'system:kube-controller-manager'
      - 'system:kube-scheduler'
      - 'system:serviceaccount:kube-system:endpoint-controller'
    verbs:
      - get
      - update

  - level: None
    resources:
      - group: ""
        resources:
          - namespaces
          - namespaces/status
          - namespaces/finalize
    users:
      - 'system:apiserver'
    verbs:
      - get

  # Don't log HPA fetching metrics.
  - level: None
    resources:
      - group: metrics.k8s.io
    users:
      - 'system:kube-controller-manager'
    verbs:
      - get
      - list

  # Don't log these read-only URLs.
  - level: None
    nonResourceURLs:
      - '/healthz*'
      - /version
      - '/swagger*'

  # Don't log events requests.
  - level: None
    resources:
      - group: ""
        resources:
          - events

  # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - nodes/status
          - pods/status
    users:
      - kubelet
      - 'system:node-problem-detector'
      - 'system:serviceaccount:kube-system:node-problem-detector'
    verbs:
      - update
      - patch

  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - nodes/status
          - pods/status
    userGroups:
      - 'system:nodes'
    verbs:
      - update
      - patch

  # deletecollection calls can be large, don't log responses for expected namespace deletions
  - level: Request
    omitStages:
      - RequestReceived
    users:
      - 'system:serviceaccount:kube-system:namespace-controller'
    verbs:
      - deletecollection

  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level.
  - level: Metadata
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - secrets
          - configmaps
      - group: authentication.k8s.io
        resources:
          - tokenreviews

  # Get repsonses can be large; skip them.
  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
      - group: admissionregistration.k8s.io
      - group: apiextensions.k8s.io
      - group: apiregistration.k8s.io
      - group: apps
      - group: authentication.k8s.io
      - group: authorization.k8s.io
      - group: autoscaling
      - group: batch
      - group: certificates.k8s.io
      - group: extensions
      - group: metrics.k8s.io
      - group: networking.k8s.io
      - group: policy
      - group: rbac.authorization.k8s.io
      - group: scheduling.k8s.io
      - group: settings.k8s.io
      - group: storage.k8s.io
    verbs:
      - get
      - list
      - watch

  # Default level for known APIs
  - level: RequestResponse
    omitStages:
      - RequestReceived
    resources:
      - group: ""
      - group: admissionregistration.k8s.io
      - group: apiextensions.k8s.io
      - group: apiregistration.k8s.io
      - group: apps
      - group: authentication.k8s.io
      - group: authorization.k8s.io
      - group: autoscaling
      - group: batch
      - group: certificates.k8s.io
      - group: extensions
      - group: metrics.k8s.io
      - group: networking.k8s.io
      - group: policy
      - group: rbac.authorization.k8s.io
      - group: scheduling.k8s.io
      - group: settings.k8s.io
      - group: storage.k8s.io

  # Default level for all other requests.
  - level: Metadata
    omitStages:
      - RequestReceived
EOF
分發審計策略文件:
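# Distribute the audit policy to every master node.  The destination path
# matches --audit-policy-file in the kube-apiserver unit.  Expansions are
# quoted so list entries are never word-split or glob-expanded.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp audit-policy.yaml "root@${node_ip}:/etc/kubernetes/audit-policy.yaml"
done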
把 kube-apiserver 二進制執行文件分發到所有 master 節點上。
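# Copy the kube-apiserver binary from the unpacked release tree to every
# master node's /opt/k8s/bin/ (the path used by ExecStart in the unit file).
# Expansions are quoted.
cd /opt/k8s/work/
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp kubernetes/server/bin/kube-apiserver "root@${node_ip}:/opt/k8s/bin/"
done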
創建證書簽名請求:
# CSR for the aggregator (front-proxy) client certificate.  CN "aggregator"
# must match --requestheader-allowed-names in the kube-apiserver unit; the
# empty hosts list is fine for a pure client certificate.  Written into the
# current directory (no cd here, unlike the earlier steps).  The delimiter
# is quoted because the JSON contains nothing to expand.
cat <<'EOF' > proxy-client-csr.json
{
  "CN": "aggregator",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "4Paradigm"
    }
  ]
}
EOF
生成證書和私鑰:
# Sign the aggregator CSR, producing proxy-client.pem and proxy-client-key.pem.
# NOTE(review): this step reads the CA and ca-config.json from
# /etc/kubernetes/cert, whereas the kubernetes cert step used /opt/k8s/work;
# ca-config.json must therefore exist under /etc/kubernetes/cert on this
# host — confirm before running.
cfssl gencert \
  -ca=/etc/kubernetes/cert/ca.pem \
  -ca-key=/etc/kubernetes/cert/ca-key.pem \
  -config=/etc/kubernetes/cert/ca-config.json \
  -profile=kubernetes \
  proxy-client-csr.json | cfssljson -bare proxy-client
ls proxy-client*.pem
將生成的證書和私鑰文件拷貝到全部 master 節點:
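# Copy the aggregator client certificate and key to every master node.
# proxy-client-key.pem is a private key; keep it root-only on the masters.
# Expansions are quoted (proxy-client*.pem is the one intentional glob).
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp proxy-client*.pem "root@${node_ip}:/etc/kubernetes/cert/"
done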
# Write the kube-apiserver systemd unit template.
# ##NODE_IP## is substituted per master in a later step.  ${K8S_DIR},
# ${ETCD_ENDPOINTS}, ${SERVICE_CIDR} and ${NODE_PORT_RANGE} are expanded now
# from environment.sh (unquoted delimiter), and each doubled backslash
# becomes a single backslash line continuation in the unit file.
# Security-relevant settings as written:
#  - --insecure-port=0 and --anonymous-auth=false: no unauthenticated access.
#  - --authorization-mode=Node,RBAC with the NodeRestriction admission plugin.
#  - --profiling is enabled; control-plane hardening guides recommend
#    --profiling=false on production API servers.
#  - --service-account-key-file is the cluster CA certificate, so the
#    controller-manager's signing key is presumably ca-key.pem; a dedicated
#    service-account key pair is the usual practice — confirm.
#  - DynamicAuditing is an alpha feature gate; whether it is accepted depends
#    on the kube-apiserver version being deployed.
#  - kubernetes.pem/kubernetes-key.pem serve as TLS serving cert, etcd client
#    cert and kubelet client cert at once.
cd -- /opt/k8s/work
source /opt/k8s/bin/environment.sh
cat <<EOF > kube-apiserver.service.template
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=${K8S_DIR}/kube-apiserver
ExecStart=/opt/k8s/bin/kube-apiserver \\
  --advertise-address=##NODE_IP## \\
  --default-not-ready-toleration-seconds=360 \\
  --default-unreachable-toleration-seconds=360 \\
  --feature-gates=DynamicAuditing=true \\
  --max-mutating-requests-inflight=2000 \\
  --max-requests-inflight=4000 \\
  --default-watch-cache-size=200 \\
  --delete-collection-workers=2 \\
  --encryption-provider-config=/etc/kubernetes/encryption-config.yaml \\
  --etcd-cafile=/etc/kubernetes/cert/ca.pem \\
  --etcd-certfile=/etc/kubernetes/cert/kubernetes.pem \\
  --etcd-keyfile=/etc/kubernetes/cert/kubernetes-key.pem \\
  --etcd-servers=${ETCD_ENDPOINTS} \\
  --bind-address=##NODE_IP## \\
  --secure-port=6443 \\
  --tls-cert-file=/etc/kubernetes/cert/kubernetes.pem \\
  --tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem \\
  --insecure-port=0 \\
  --audit-dynamic-configuration \\
  --audit-log-maxage=15 \\
  --audit-log-maxbackup=3 \\
  --audit-log-maxsize=100 \\
  --audit-log-truncate-enabled \\
  --audit-log-path=${K8S_DIR}/kube-apiserver/audit.log \\
  --audit-policy-file=/etc/kubernetes/audit-policy.yaml \\
  --profiling \\
  --anonymous-auth=false \\
  --client-ca-file=/etc/kubernetes/cert/ca.pem \\
  --enable-bootstrap-token-auth \\
  --requestheader-allowed-names="aggregator" \\
  --requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \\
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --service-account-key-file=/etc/kubernetes/cert/ca.pem \\
  --authorization-mode=Node,RBAC \\
  --runtime-config=api/all=true \\
  --enable-admission-plugins=NodeRestriction \\
  --allow-privileged=true \\
  --apiserver-count=3 \\
  --event-ttl=168h \\
  --kubelet-certificate-authority=/etc/kubernetes/cert/ca.pem \\
  --kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem \\
  --kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem \\
  --kubelet-https=true \\
  --kubelet-timeout=10s \\
  --proxy-client-cert-file=/etc/kubernetes/cert/proxy-client.pem \\
  --proxy-client-key-file=/etc/kubernetes/cert/proxy-client-key.pem \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --service-node-port-range=${NODE_PORT_RANGE} \\
  --logtostderr=true \\
  --v=2
Restart=on-failure
RestartSec=10
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
--advertise-address:
apiserver 對外通告的 IP(kubernetes 服務後端節點 IP);--default-*-toleration-seconds:
設置節點異常相關的閾值;--max-*-requests-inflight:
請求相關的最大閾值;--etcd-*:
訪問 etcd 的證書和 etcd 服務器地址;--experimental-encryption-provider-config:
指定用於加密 etcd 中 secret 的配置;--bind-address:
https 監聽的 IP,不能爲 127.0.0.1,否則外界不能訪問它的安全端口 6443;--secure-port:
https 監聽端口;--insecure-port=0:
關閉監聽 http 非安全端口(8080);--tls-*-file:
指定 apiserver 使用的證書、私鑰和 CA 文件;--audit-*:
配置審計策略和審計日誌文件相關的參數;--client-ca-file:
驗證 client(kube-controller-manager、kube-scheduler、kubelet、kube-proxy 等)請求所帶的證書;--enable-bootstrap-token-auth:
啓用 kubelet bootstrap 的 token 認證;--requestheader-*:
kube-apiserver 的 aggregator layer 相關的配置參數,proxy-client & HPA 須要使用;--requestheader-client-ca-file:
用於簽名 --proxy-client-cert-file 和 --proxy-client-key-file 指定的證書;在啓用了 metric aggregator 時使用;--requestheader-allowed-names:
不能爲空,值爲逗號分割的 --proxy-client-cert-file 證書的 CN 名稱,這裏設置爲 "aggregator";--service-account-key-file:簽名 ServiceAccount Token 的公鑰文件,kube-controller-manager 的 --service-account-private-key-file 指定私鑰文件,二者配對使用;--runtime-config=api/all=true:
啓用全部版本的 APIs,如 autoscaling/v2alpha1;--authorization-mode=Node,RBAC、--anonymous-auth=false:
開啓 Node 和 RBAC 授權模式,拒絕未授權的請求;--enable-admission-plugins:
啓用一些默認關閉的 plugins;--allow-privileged:
允許運行 privileged 權限的容器;--apiserver-count=3:
指定 apiserver 實例的數量;--event-ttl:
指定 events 的保存時間;--kubelet-*:
如果指定,則使用 https 訪問 kubelet APIs;需要爲證書對應的用戶(上面 kubernetes*.pem 證書的用戶爲 kubernetes)定義 RBAC 規則,否則訪問 kubelet API 時提示未授權;--proxy-client-*:
apiserver 訪問 metrics-server 使用的證書;--service-cluster-ip-range:
指定 Service Cluster IP 地址段;--service-node-port-range:
指定 NodePort 的端口範圍;如果 kube-apiserver 機器沒有運行 kube-proxy,則還需要添加 --enable-aggregator-routing=true 參數;
關於 --requestheader-XXX 相關參數,參考:
注意:
[root@zhangjun-k8s01 1.8+]# kubectl top nodes Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "aggregator" cannot list resource "nodes" in API group "metrics.k8s.io" at the cluster scope
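# Render one systemd unit per master from the template.
# The loop bound 3 is coupled to --apiserver-count=3 in the template, and
# NODE_IPS[0..2] are expected to be the master IPs, since the distribution
# step below keys the rendered file names on MASTER_IPS.  The template only
# contains ##NODE_IP##; the ##NODE_NAME## substitution is harmless and kept
# for templates that use it.  The output file name is quoted.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for (( i = 0; i < 3; i++ )); do
  sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" \
      -e "s/##NODE_IP##/${NODE_IPS[i]}/" \
      kube-apiserver.service.template > "kube-apiserver-${NODE_IPS[i]}.service"
done
ls kube-apiserver*.service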
分發生成的 systemd unit 文件:
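# Install each master's rendered unit as /etc/systemd/system/kube-apiserver.service.
# The source file name embeds the node IP, so the rendering step must have
# produced a file for every entry in MASTER_IPS.  Expansions are quoted.
cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  scp "kube-apiserver-${node_ip}.service" \
      "root@${node_ip}:/etc/systemd/system/kube-apiserver.service"
done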
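# Create the working directory (WorkingDirectory and audit log path in the
# unit) on each master, then enable and (re)start kube-apiserver.
# ${K8S_DIR} is expanded locally from environment.sh before the command is
# sent over ssh.  Expansions are quoted.
source /opt/k8s/bin/environment.sh
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  ssh "root@${node_ip}" "mkdir -p ${K8S_DIR}/kube-apiserver"
  ssh "root@${node_ip}" "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver"
done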
檢查服務是否正常
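# Report the kube-apiserver unit state on every master.  Assumes MASTER_IPS
# is still set in this shell from an earlier "source environment.sh".
# Expansions are quoted.
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  ssh "root@${node_ip}" "systemctl status kube-apiserver |grep 'Active:'"
done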
輸出結果如下
[root@node01 work]# for node_ip in ${MASTER_IPS[@]} > do > echo ">>> ${node_ip}" > ssh root@${node_ip} "systemctl status kube-apiserver |grep 'Active:'" > done >>> 10.0.20.11 Active: active (running) since Thu 2019-12-05 14:29:01 CST; 29s ago >>> 10.0.20.12 Active: active (running) since Thu 2019-12-05 14:29:27 CST; 3s ago >>> 10.0.20.13 Active: active (running) since Thu 2019-12-05 14:29:27 CST; 3s ago
查看 apiserver 啓動的端口:
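# Confirm kube-apiserver is listening on the secure port 6443 on each master.
# With --insecure-port=0 in the unit, 6443 should be the only listener.
# Assumes MASTER_IPS is set from an earlier "source environment.sh"; netstat
# must be installed on the masters (ss -lntp is the usual replacement where
# it is not).  Expansions are quoted.
for node_ip in "${MASTER_IPS[@]}"; do
  printf '>>> %s\n' "${node_ip}"
  ssh "root@${node_ip}" "netstat -lntup|grep kube-apiserver |grep '6443'"
done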
[root@node01 work]# for node_ip in ${MASTER_IPS[@]} > do > echo ">>> ${node_ip}" > ssh root@${node_ip} "netstat -lntup|grep kube-apiserver |grep '6443'" > done >>> 10.0.20.11 tcp 0 0 10.0.20.11:6443 0.0.0.0:* LISTEN 2891/kube-apiserver >>> 10.0.20.12 tcp 0 0 10.0.20.12:6443 0.0.0.0:* LISTEN 2391/kube-apiserver >>> 10.0.20.13 tcp 0 0 10.0.20.13:6443 0.0.0.0:* LISTEN 2436/kube-apiserver
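# Confirm kube-apiserver has started writing to etcd by listing the keys
# under /registry/ (keys only; no values are printed).  Uses the etcd client
# certificate and CA kept in /opt/k8s/work.  ${ETCD_ENDPOINTS} is quoted so
# the endpoint list is passed as a single argument.
source /opt/k8s/bin/environment.sh
ETCDCTL_API=3 etcdctl \
  --endpoints="${ETCD_ENDPOINTS}" \
  --cacert=/opt/k8s/work/ca.pem \
  --cert=/opt/k8s/work/etcd.pem \
  --key=/opt/k8s/work/etcd-key.pem \
  get /registry/ --prefix --keys-only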