K8S集羣安裝 之 安裝主控節點apiserver服務
1、在根證書服務器上建立client簽發證書申請文件
200 certs]# vi client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
200 certs]# ll
[root@test-operator certs]# ll | grep client
-rw-r--r-- 1 root root 993 Feb 1 06:44 client.csr
-rw-r--r-- 1 root root 280 Feb 1 06:44 client-csr.json
-rw------- 1 root root 1679 Feb 1 06:44 client-key.pem
-rw-r--r-- 1 root root 1363 Feb 1 06:44 client.pem
2、在根證書服務器上建立apiserver簽發證書申請文件
200 certs]# vi apiserver-csr.json
200 certs]#
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.3.153.221",
"10.3.153.222"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
[root@test-operator certs]# ll | grep apiserver
-rw-r--r-- 1 root root 1249 Feb 1 06:49 apiserver.csr
-rw-r--r-- 1 root root 579 Feb 1 06:49 apiserver-csr.json
-rw------- 1 root root 1679 Feb 1 06:49 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Feb 1 06:49 apiserver.pem
3、在兩臺節點服務器上安裝apiserver
# 221/222機器
etcd]# cd /opt/src/
src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
opt]# mv kubernetes/ kubernetes-v1.15.2
opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
opt]# cd kubernetes
kubernetes]# rm -rf kubernetes-src.tar.gz
kubernetes]# cd server/bin
bin]# rm -f *.tar
bin]# rm -f *_tag
~~~
# 221/222機器:
bin]# mkdir cert
bin]# cd cert/
# 把證書考過來
~~~
~~~
cert]# ll
總用量 24
-rw-------. 1 root root 1679 1月 12 22:01 apiserver-key.pem
-rw-r--r--. 1 root root 1598 1月 12 22:01 apiserver.pem
-rw-------. 1 root root 1679 1月 12 22:00 ca-key.pem
-rw-r--r--. 1 root root 1346 1月 12 22:00 ca.pem
-rw-------. 1 root root 1679 1月 12 22:01 client-key.pem
-rw-r--r--. 1 root root 1363 1月 12 22:00 client.pem
~~~
# 221/222機器:
cd /opt/kubernetes/server/bin
bin]# mkdir conf
bin]# cd conf/
conf]# vi audit.yaml #apiserver日誌審計配置文件
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
conf]# cd ..
bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh #apiserver啓動文件
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://10.3.153.212:2379,https://10.3.153.221:2379,https://10.3.153.222:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
bin]# chmod +x kube-apiserver.sh
# 一處修改
bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
bin]# supervisorctl update
~~~
~~~
# 查看221/222兩臺機器是否跑起來了,可能比較慢在starting,等10秒
[root@test-nodes1 etcd]# supervisorctl status | grep apiserver
kube-apiserver-7-21 RUNNING pid 14810, uptime 1 day, 1:46:02
[root@test-nodes1 etcd]# netstat -tlunp | grep kube-apiser
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 14811/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 14811/./kube-apiser
相關文章
- 1. K8S集羣安裝 之 安裝主控節點etcd服務
- 2. K8S集羣安裝 之 安裝部署主控節點L4反代服務
- 3. kube-apiserver 集羣服務安裝
- 4. Hadoop 集羣安裝(主節點安裝)
- 5. K8S集羣安裝 之 安裝部署運算節點服務--kubelet
- 6. K8S集羣安裝部署 之 證書服務器安裝
- 7. K8S集羣安裝 之 安裝部署kube-scheduler服務
- 8. k8s安裝之node節點
- 9. k8s 之二 kubeadm安裝k8s集羣
- 10. K8S 之 經過kubeadmin安裝K8S集羣
- 更多相關文章...
- • MacOS Docker 安裝 - Docker教程
- • Ubuntu Docker 安裝 - Docker教程
- • Composer 安裝與使用
- • IntelliJ IDEA安裝代碼格式化插件
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
