Kubernetes學習之路(三)之Mater節點二進制部署
K8S Mater節點部署
-
一、部署Kubernetes API服務部署
- apiserver提供集羣管理的REST API接口,包括認證受權、數據校驗以及集羣狀態變動等。
- 只有API Server才能直接操做etcd;
- 其餘模塊經過API Server查詢或修改數據
- 提供其餘模塊之間的數據交互和通訊樞紐
(1)準備軟件包
[root@linux-node1 ~]# cd /usr/local/src/kubernetes [root@linux-node1 kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/ [root@linux-node1 kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/ [root@linux-node1 kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/
只須要在linux-node1上拷貝
(2)建立生成CSR的 JSON 配置文件
[root@linux-node1 ~]# cd /usr/local/src/ssl
[root@linux-node1 ssl]# vim kubernetes-csr.json { "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.56.110", #Master的ip地址 "10.1.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] }
(3)生成 kubernetes 證書和私鑰
[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \ -ca-key=/opt/kubernetes/ssl/ca-key.pem \ -config=/opt/kubernetes/ssl/ca-config.json \ -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes [root@linux-node1 ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/ [root@linux-node1 ssl]# scp kubernetes*.pem 192.168.56.120:/opt/kubernetes/ssl/ [root@linux-node1 ssl]# scp kubernetes*.pem 192.168.56.130:/opt/kubernetes/ssl/
(4) 建立 kube-apiserver 使用的客戶端 token 文件
[root@linux-node1 ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' ' ad6d5bb607a186796d8861557df0d17f [root@linux-node1 ~]# vim /opt/kubernetes/ssl/bootstrap-token.csv ad6d5bb607a186796d8861557df0d17f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
(5) 建立基礎用戶名/密碼認證配置
[root@linux-node1 ~]# vim /opt/kubernetes/ssl/basic-auth.csv admin,admin,1 readonly,readonly,2
(6) 部署Kubernetes API Server
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] ExecStart=/opt/kubernetes/bin/kube-apiserver \ --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \ --bind-address=192.168.56.110 \ --insecure-bind-address=127.0.0.1 \ --authorization-mode=Node,RBAC \ --runtime-config=rbac.authorization.k8s.io/v1 \ --kubelet-https=true \ --anonymous-auth=false \ --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \ --enable-bootstrap-token-auth \ --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \ --service-cluster-ip-range=10.1.0.0/16 \ --service-node-port-range=20000-40000 \ --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \ --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \ --client-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ --etcd-cafile=/opt/kubernetes/ssl/ca.pem \ --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \ --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \ --etcd-servers=https://192.168.56.110:2379,https://192.168.56.120:2379,https://192.168.56.130:2379 \ --enable-swagger-ui=true \ --allow-privileged=true \ --audit-log-maxage=30 \ --audit-log-maxbackup=3 \ --audit-log-maxsize=100 \ --audit-log-path=/opt/kubernetes/log/api-audit.log \ --event-ttl=1h \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 Type=notify LimitNOFILE=65536 [Install] WantedBy=multi-user.target
(7) 啓動API Server服務
[root@linux-node1 ~]# systemctl daemon-reload [root@linux-node1 ~]# systemctl enable kube-apiserver [root@linux-node1 ~]# systemctl start kube-apiserver [root@linux-node1 ~]# systemctl status kube-apiserver [root@linux-node1 ssl]# netstat -tulnp |grep kube-apiserver tcp 0 0 192.168.56.110:6443 0.0.0.0:* LISTEN 5052/kube-apiserver tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 5052/kube-apiserver
從監聽端口能夠看到api-server監聽在6443端口,同時也監聽了本地的8080端口,是提供kube-schduler和kube-controller使用。node
-
二、部署Controller Manager服務
- controller-manager由一系列的控制器組成,它經過apiserver監控整個集羣的狀態,並確保集羣處於預期的工做狀態。
(1)部署Controller Manager服務
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/opt/kubernetes/bin/kube-controller-manager \ --address=127.0.0.1 \ --master=http://127.0.0.1:8080 \ --allocate-node-cidrs=true \ --service-cluster-ip-range=10.1.0.0/16 \ --cluster-cidr=10.2.0.0/16 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --leader-elect=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target
(2)啓動Controller Manager
[root@linux-node1 ~]# systemctl daemon-reload [root@linux-node1 scripts]# systemctl enable kube-controller-manager [root@linux-node1 scripts]# systemctl start kube-controller-manager [root@linux-node1 scripts]# systemctl status kube-controller-manager [root@linux-node1 ssl]# netstat -tulnp |grep kube-controlle tcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN 5112/kube-controlle
從監聽端口上,能夠看到kube-controller監聽在本地的10252端口,外部是沒法直接訪問kube-controller,須要經過api-server才能進行訪問。linux
-
三、部署Kubernetes Scheduler
- scheduler負責分配調度Pod到集羣內的node節點
- 監聽kube-apiserver,查詢還未分配的Node的Pod
- 根據調度策略爲這些Pod分配節點
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/opt/kubernetes/bin/kube-scheduler \ --address=127.0.0.1 \ --master=http://127.0.0.1:8080 \ --leader-elect=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target [root@linux-node1 ~]# systemctl daemon-reload [root@linux-node1 scripts]# systemctl enable kube-scheduler [root@linux-node1 scripts]# systemctl start kube-scheduler [root@linux-node1 scripts]# systemctl status kube-scheduler [root@linux-node1 ssl]# netstat -tulnp |grep kube-scheduler tcp 0 0 127.0.0.1:10251 0.0.0.0:* LISTEN 5172/kube-scheduler
從kube-scheduler的監聽端口上,一樣能夠看到監聽在本地的10251端口上,外部沒法直接訪問,一樣是須要經過api-server進行訪問。git
-
四、部署kubectl 命令行工具
kubectl用於平常直接管理K8S集羣,那麼kubectl要進行管理k8s,就須要和k8s的組件進行通訊,也就須要用到證書。此時kubectl須要單獨部署,也是由於kubectl也是須要用到證書,而前面的kube-apiserver、kube-controller、kube-scheduler都是不須要用到證書,能夠直接經過服務進行啓動。github
(1)準備二進制命令包
[root@linux-node1 ~]# cd /usr/local/src/kubernetes/client/bin [root@linux-node1 bin]# cp kubectl /opt/kubernetes/bin/
(2)建立 admin 證書籤名請求
[root@linux-node1 ~]# cd /usr/local/src/ssl/ [root@linux-node1 ssl]# vim admin-csr.json { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "System" } ] }
(3)生成 admin 證書和私鑰
[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \ -ca-key=/opt/kubernetes/ssl/ca-key.pem \ -config=/opt/kubernetes/ssl/ca-config.json \ -profile=kubernetes admin-csr.json | cfssljson -bare admin [root@linux-node1 ssl]# ls -l admin* -rw-r--r-- 1 root root 1009 Mar 5 12:29 admin.csr -rw-r--r-- 1 root root 229 Mar 5 12:28 admin-csr.json -rw------- 1 root root 1675 Mar 5 12:29 admin-key.pem -rw-r--r-- 1 root root 1399 Mar 5 12:29 admin.pem [root@linux-node1 ssl]# cp admin*.pem /opt/kubernetes/ssl/
(4)設置集羣參數
[root@linux-node1 ssl]# kubectl config set-cluster kubernetes \ --certificate-authority=/opt/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://192.168.56.110:6443 Cluster "kubernetes" set.
(5)設置客戶端認證參數
[root@linux-node1 ssl]# kubectl config set-credentials admin \ --client-certificate=/opt/kubernetes/ssl/admin.pem \ --embed-certs=true \ --client-key=/opt/kubernetes/ssl/admin-key.pem User "admin" set.
(6)設置上下文參數
[root@linux-node1 ssl]# kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=admin Context "kubernetes" created.
(7)設置默認上下文
[root@linux-node1 src]# kubectl config use-context kubernetes Switched to context "kubernetes".
上面(4)-->(7)的配置是爲了在家目錄下生成config文件,以後kubectl和api通訊就須要用到該文件,這也就是說若是在其餘節點上須要用到這個kubectl,就須要將該文件拷貝到其餘節點。json
[root@linux-node1 ~]# cat .kube/config apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVUUszc2dUb0lrNlhmVDhFaUVvcXNNc2pQQUVzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJo ......
(8)使用kubectl工具
[root@linux-node1 ssl]# kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-2 Healthy {"health": "true"} etcd-0 Healthy {"health": "true"} etcd-1 Healthy {"health": "true"}
相關文章
- 1. Kubernetes學習之路(四)之Node節點二進制部署
- 2. Kubernetes學習之路(二)之ETCD集羣二進制部署
- 3. kubernetes學習之二進制部署1.16
- 4. Kubernetes學習之路(七)之Coredns和Dashboard二進制部署
- 5. Kubernetes二進制部署(單節點)
- 6. Kubernetes二進制部署(多節點)
- 7. Kubernetes羣集之:二進制部署單etcd,多節點集羣
- 8. Kubernetes二進制部署——多master節點集羣部署(2)
- 9. Kubernetes學習之路(五)之Flannel網絡二進制部署和測試
- 10. 016.Kubernetes二進制部署全部節點kube-proxy
- 更多相關文章...
- • MySQL BIT、BINARY、VARBINARY、BLOB(二進制類型) - MySQL教程
- • C# 二進制文件的讀寫 - C#教程
- • 適用於PHP初學者的學習線路和建議
- • Kotlin學習(二)基本類型
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. Kubernetes學習之路(四)之Node節點二進制部署
- 2. Kubernetes學習之路(二)之ETCD集羣二進制部署
- 3. kubernetes學習之二進制部署1.16
- 4. Kubernetes學習之路(七)之Coredns和Dashboard二進制部署
- 5. Kubernetes二進制部署(單節點)
- 6. Kubernetes二進制部署(多節點)
- 7. Kubernetes羣集之:二進制部署單etcd,多節點集羣
- 8. Kubernetes二進制部署——多master節點集羣部署(2)
- 9. Kubernetes學習之路(五)之Flannel網絡二進制部署和測試
- 10. 016.Kubernetes二進制部署全部節點kube-proxy