kubernetes集羣安裝指南:kube-controller-manager組件集羣部署

時間  2019-11-06
標籤 kubernetes 集羣 安裝 指南 kube controller manager 組件 部署 欄目 負載均衡 简体版
原文   原文鏈接

kube-controller-manager屬於master節點組件,kube-controller-manager集羣包含 3 個節點,啓動後將經過競爭選舉機制產生一個 leader 節點,其它節點爲阻塞狀態。當 leader 節點不可用後,剩餘節點將再次進行選舉產生新的 leader 節點,從而保證服務的高可用性。node

1 安裝準備

特別說明:這裏全部的操做都是在devops這臺機器上經過ansible工具執行;kube-controller-manager 在以下兩種狀況下使用證書:linux

  • 與 kube-apiserver 的安全端口通訊使用;
  • 在安全端口(https,10257) 輸出 prometheus 格式的 metrics;

1.1 環境變量定義

#################### Variable parameter setting ######################
KUBE_NAME=kube-controller-manager
K8S_INSTALL_PATH=/data/apps/k8s/kubernetes
K8S_BIN_PATH=${K8S_INSTALL_PATH}/sbin
K8S_LOG_DIR=${K8S_INSTALL_PATH}/logs
K8S_CONF_PATH=/etc/k8s/kubernetes
KUBE_CONFIG_PATH=/etc/k8s/kubeconfig
CA_DIR=/etc/k8s/ssl
SOFTWARE=/root/software
VERSION=v1.14.2
PACKAGE="kubernetes-server-${VERSION}-linux-amd64.tar.gz"
DOWNLOAD_URL=「」https://github.com/devops-apps/download/raw/master/kubernetes/${PACKAGE}"
ETH_INTERFACE=eth1
LISTEN_IP=$(ifconfig | grep -A 1 ${ETH_INTERFACE} |grep inet |awk '{print $2}')
USER=k8s
SERVICE_CIDR=10.254.0.0/22

1.2 下載和分發 kubernetes 二進制文件

訪問kubernetes github 官方地址下載穩定的 realease 包至本機;git

wget  $DOWNLOAD_URL -P $SOFTWARE

將kubernetes 軟件包分發到各個master節點服務器;github

sudo ansible master_k8s_vgs -m copy -a "src=${SOFTWARE}/$PACKAGE dest=${SOFTWARE}/" -b

2 部署kube-controller-manager集羣

2.1 安裝kube-controller-manager二進制文件

### 1.Check if the install directory exists.
if [ ! -d "$K8S_BIN_PATH" ]; then
     mkdir -p $K8S_BIN_PATH
fi

if [ ! -d "$K8S_LOG_DIR/$KUBE_NAME" ]; then
     mkdir -p $K8S_LOG_DIR/$KUBE_NAME
fi

if [ ! -d "$K8S_CONF_PATH" ]; then
     mkdir -p $K8S_CONF_PATH
fi

if [ ! -d "$KUBE_CONFIG_PATH" ]; then
     mkdir -p $KUBE_CONFIG_PATH
fi

### 2.Install kube-apiserver binary of kubernetes.
if [ ! -f "$SOFTWARE/kubernetes-server-${VERSION}-linux-amd64.tar.gz" ]; then
     wget $DOWNLOAD_URL -P $SOFTWARE >>/tmp/install.log  2>&1
fi
cd $SOFTWARE && tar -xzf kubernetes-server-${VERSION}-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/$KUBE_NAME $K8S_BIN_PATH
ln -sf  $K8S_BIN_PATH/$KUBE_NAM /usr/local/bin
chown -R $USER:$USER $K8S_INSTALL_PATH
chmod -R 755 $K8S_INSTALL_PATH

2.2 分發 kubeconfig 文件和證書

分發證書
cd ${CA_DIR}
sudo ansible master_k8s_vgs -m  copy -a "src=ca.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a "src=ca-key.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a \
  "src=kubecontroller-manager.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a \
  "src=kubecontroller-manager-key.pem dest=${CA_DIR}/" -b
分發kubeconfig認證文件

kube-controller-manager使用 kubeconfig文件鏈接訪問 apiserver服務,該文件提供了 apiserver 地址、嵌入的 CA 證書和 kube-scheduler證書:shell

cd $KUBE_CONFIG_PATH
sudo ansible master_k8s_vgs -m  copy -a \
     "src=kube-controller-manager.kubeconfig dest=$KUBE_CONFIG_PATH/" -b

備註: 若是在前面小節已經同步過各組件kubeconfig和證書文件,此處能夠沒必要執行此操做;bootstrap

2.3 建立kube-controller-manager啓動服務

cat >/usr/lib/systemd/system/${KUBE_NAME}.service<<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
User=${USER}
WorkingDirectory=${K8S_INSTALL_PATH}
ExecStart=${K8S_BIN_PATH}/${KUBE_NAME} \\
  --port=10252 \\
  --secure-port=10257 \\
  --bind-address=${LISTEN_IP} \\
  --address=127.0.0.1 \\
  --kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --authentication-kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --authorization-kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --client-ca-file=${CA_DIR}/ca.pem \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --cluster-name=kubernetes \\
  --cluster-signing-cert-file=${CA_DIR}/ca.pem \\
  --cluster-signing-key-file=${CA_DIR}/ca-key.pem \\
  --root-ca-file=${CA_DIR}/ca.pem \\
  --service-account-private-key-file=${CA_DIR}/ca-key.pem \\
  --leader-elect=true \\
  --feature-gates=RotateKubeletServerCertificate=true \\
  --horizontal-pod-autoscaler-use-rest-clients=true \\
  --horizontal-pod-autoscaler-sync-period=10s \\
  --concurrent-service-syncs=2 \\
  --kube-api-qps=1000 \\
  --kube-api-burst=2000 \\
  --concurrent-gc-syncs=30 \\
  --concurrent-deployment-syncs=10 \\
  --terminated-pod-gc-threshold=10000 \\
  --controllers=*,bootstrapsigner,tokencleaner \\
  --requestheader-allowed-names="" \\
  --requestheader-client-ca-file=${CA_DIR}/ca.pem \\
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --tls-cert-file=${CA_DIR}/kube-controller-manager.pem \\
  --tls-private-key-file=${CA_DIR}/kube-controller-manager-key.pem \\
  --use-service-account-credentials=true \\
  --alsologtostderr=true \\
  --logtostderr=false \\
  --log-dir=${K8S_LOG_DIR}/${KUBE_NAME} \\
  --flex-volume-plugin-dir=${K8S_INSTALL_PATH}/libexec/kubernetes \\
  --v=2
Restart=on
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
  • --port=0:關閉監聽非安全端口(http),同時 --address 參數無效,--bind-address 參數有效;
  • --secure-port=1025二、--bind-address=0.0.0.0: 在全部網絡接口監聽 10252 端口的 https /metrics 請求;
  • --kubeconfig:指定 kubeconfig 文件路徑,kube-controller-manager 使用它鏈接和驗證 kube-apiserver;
  • --authentication-kubeconfig 和 --authorization-kubeconfig:kube-controller-manager 使用它鏈接 apiserver,對 client 的請求進行認證和受權。kube-controller-manager 再也不使用 --tls-ca-file 對請求 https metrics 的 Client 證書進行校驗。若是沒有配置這兩個 kubeconfig 參數,則 client 鏈接 kube-controller-manager https 端口的請求會被拒絕(提示權限不足)。
  • --cluster-signing-*-file:簽名 TLS Bootstrap 建立的證書;
  • --experimental-cluster-signing-duration:指定 TLS Bootstrap 證書的有效期;
  • --root-ca-file:放置到容器 ServiceAccount 中的 CA 證書,用來對 kube-apiserver 的證書進行校驗;
  • --service-account-private-key-file:簽名 ServiceAccount 中 Token 的私鑰文件,必須和 kube-apiserver 的 --service-account-key-file 指定的公鑰文件配對使用;
  • --service-cluster-ip-range :指定 Service Cluster IP 網段,必須和 kube-apiserver 中的同名參數一致;
  • --leader-elect=true:集羣運行模式,啓用選舉功能;被選爲 leader 的節點負責處理工做,其它節點爲阻塞狀態;
  • --controllers=*,bootstrapsigner,tokencleaner:啓用的控制器列表,tokencleaner 用於自動清理過時的 Bootstrap token;
  • --horizontal-pod-autoscaler-*:custom metrics 相關參數,支持 autoscaling/v2alpha1;
  • --tls-cert-file、--tls-private-key-file:使用 https 輸出 metrics 時使用的 Server 證書和祕鑰;
  • --use-service-account-credentials=true: kube-controller-manager 中各 controller 使用 serviceaccount 訪問 kube-apiserver;

2.4 檢查服務運行狀態

kube-controller-manager監聽10252和10257端口,兩個接口都對外提供 /metrics 和 /healthz 的訪問。api

  • 10252:接收 http 請求訪問,非安全端口,不須要認證受權,爲了安全建議偵聽地址爲127.0.0.1;
  • 10257:接收 https 請求訪問,安全端口,須要認證受權,能夠偵放任何地址; 
    sudo netstat -ntlp | grep kube-con
tcp  0      0 127.0.0.1:10252         0.0.0.0:*      LISTEN      2450/kube-controlle 
tcp  0      0 10.10.10.22:10257       0.0.0.0:*      LISTEN      2450/kube-controlle

注意:不少安裝文檔都是關閉了非安全端口,將安全端口改成10250,這會致使查看集羣狀態是報以下錯誤,執行 kubectl get cs命令時,apiserver 默認向 127.0.0.1 發送請求。當controller-manager、scheduler以集羣模式運行時,有可能和kube-apiserver不在一臺機器上,且訪問方式爲https,則 controller-manager或scheduler 的狀態爲 Unhealthy,但實際上它們工做正常。則會致使上述error,但實際集羣是安全狀態;安全

kubectl get componentstatuses
NAME                 STATUS      MESSAGE    ERROR
controller-manager  Unhealthy  dial tcp  127.0.0.1:10252: connect: connection refused
scheduler          Unhealthy  dial tcp  127.0.0.1:10251: connect: connection refused
etcd-0               Healthy     {"health":"true"}
etcd-2               Healthy     {"health":"true"}
etcd-1               Healthy     {"health":"true"}

正常輸出應該爲:
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}

查看服務是否運行服務器

systemctl status kube-controller-manager|grep Active

確保狀態爲 active (running),不然查看日誌,確認緣由:網絡

sudo journalctl -u kube-controller-manager

2.5 查看輸出的 metrics

注意:如下命令在 kube-controller-manager 節點上執行。

https方式訪問
curl -s --cacert /opt/k8s/work/ca.pem \
  --cert /opt/k8s/work/admin.pem \
  --key /opt/k8s/work/admin-key.pem \
  https://10.10.10.22:10257/metrics |head

http方式訪問
curl -s http://127.0.0.1:10252/metrics |head

2.6 kube-controller-manager 的權限設置

ClusteRole system:kube-controller-manager 的權限很小,只能建立 secret、serviceaccount 等資源對象,各 controller 的權限分散到 ClusterRole system:controller:XXX 中:

$ kubectl describe clusterrole system:kube-controller-manager
Name:         system:kube-controller-manager
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                  Non-Resource URLs  Resource Names  Verbs
  ---------                  -----------------  --------------  -----
  secrets                                   []   []    [create delete get update]
  endpoints                                 []   []    [create get update]
  serviceaccounts                           []   []    [create get update]
  events                                    []   []    [create patch update]
  tokenreviews.authentication.k8s.io        []   []    [create]
  subjectacce***eviews.authorization.k8s.io []   []    [create]
  configmaps                                []   []    [get]
  namespaces                                []   []    [get]
  *.*                                       []   []    [list watch]

須要在kube-controller-manager的啓動參數中添加"--use-service-account-credentials=true"參數,這樣main controller將會爲各controller建立對應的ServiceAccount XXX-controller。而後內置的 ClusterRoleBinding system:controller:XXX則將賦予各XXX-controller ServiceAccount對應的ClusterRole system:controller:XXX 權限。

$ kubectl get clusterrole|grep controller
system:controller:attachdetach-controller                              17d
system:controller:certificate-controller                               17d
system:controller:clusterrole-aggregation-controller                   17d
system:controller:cronjob-controller                                   17d
system:controller:daemon-set-controller                                17d
system:controller:deployment-controller                                17d
system:controller:disruption-controller                                17d
system:controller:endpoint-controller                                  17d
system:controller:expand-controller                                    17d
system:controller:generic-garbage-collector                            17d
system:controller:horizontal-pod-autoscaler                            17d
system:controller:job-controller                                       17d
system:controller:namespace-controller                                 17d
system:controller:node-controller                                      17d
system:controller:persistent-volume-binder                             17d
system:controller:pod-garbage-collector                                17d
system:controller:pv-protection-controller                             17d
system:controller:pvc-protection-controller                            17d
system:controller:replicaset-controller                                17d
system:controller:replication-controller                               17d
system:controller:resourcequota-controller                             17d
system:controller:route-controller                                     17d
system:controller:service-account-controller                           17d
system:controller:service-controller                                   17d
system:controller:statefulset-controller                               17d
system:controller:ttl-controller                                       17d
system:kube-controller-manager                                         17d

以 deployment controller 爲例:

$ kubectl describe clusterrole system:controller:deployment-controller
Name:         system:controller:deployment-controller
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                        Non-Resource URLs  Resource Names  Verbs
  ---------                        -----------------  --------------  -----
  replicasets.apps                 []   []  [create delete get list patch update watch]
  replicasets.extensions           []   []  [create delete get list patch update watch]
  events                           []   []  [create patch update]
  pods                             []   []  [get list update watch]
  deployments.apps                 []   []  [get list update watch]
  deployments.extensions           []   []  [get list update watch]
  deployments.apps/finalizers      []   []  [update]
  deployments.apps/status          []   []  [update]
  deployments.extensions/finalizers[]   []  [update]
  deployments.extensions/status    []   []  [update]

2.7 查看當前的 leader

kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml

2.8 測試kube-controller-manager集羣的高可用

隨機找一個或兩個 master 節點,停掉kube-controller-manager服務,看其它節點是否獲取了 leader 權限.

參考

關於 controller 權限和 use-service-account-credentials 參數:
https://github.com/kubernetes/kubernetes/issues/48208
kubelet 認證和受權:
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authorization

安裝完成kube-controller-manager後,還須要安裝kube-scheduler,請參考:kubernetes集羣安裝指南:kube-scheduler組件集羣部署。關於kube-controller-manager腳本請此處獲取

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程