使用二进制文件方式部署k8s(6)
kube-controller-manager部署
签发证书
master1节点执行
bash
cd /opt/kubernetes/ssl创建证书请求文件
json
cat > manager-csr.json << EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-controller-manager",
"OU": "Kubernetes-manual"
}
]
}
EOF生成证书
bash
cfssl gencert \
-ca=/opt/kubernetes/ssl/ca.pem \
-ca-key=/opt/kubernetes/ssl/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
manager-csr.json | cfssljson -bare /opt/kubernetes/ssl/controller-manager将证书拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
for FILE in controller-manager.pem controller-manager-key.pem; \
do \
scp /opt/kubernetes/ssl/${FILE} $NODE:/opt/kubernetes/ssl/${FILE};\
done \
done生成kubeconfig文件
master1节点执行
bash
KUBE_CONFIG="/opt/kubernetes/cfg/controller-manager.kubeconfig" #配置文件存放路径
bash
KUBE_APISERVER="https://192.168.153.200:16443" #kube-apiserver地址,这里用vip自动实现负载均衡设置集群项
bash
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}- 定义一个名为
kubernetes的集群配置 --certificate-authority: 指定CA根证书,用于验证apiserver的证书--embed-certs=true: 将证书内容直接嵌入kubeconfig文件(而不是引用文件路径)--server: 指定apiserver的访问地址--kubeconfig: 指定写入的配置文件路径
设置用户项
bash
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=/opt//kubernetes/ssl/controller-manager.pem \
--client-key=/opt/kubernetes/ssl/controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}- 定义一个名为
system:kube-controller-manager的用户(对应ServiceAccount) --client-certificate: controller-manager的客户端证书--client-key: controller-manager的私钥- 这些证书由CA签发,用于向apiserver证明身份
设置环境项
bash
kubectl config set-context system:kube-controller-manager@kubernetes \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${KUBE_CONFIG}- 创建名为
system:kube-controller-manager@kubernetes的上下文 - 将集群(
kubernetes)和用户(system:kube-controller-manager)关联起来 - 上下文定义了"使用哪个用户访问哪个集群"
设置默认环境
bash
kubectl config use-context system:kube-controller-manager@kubernetes \
--kubeconfig=${KUBE_CONFIG}- 将上面创建的上下文设置为默认使用
- 当使用此kubeconfig文件时,自动使用该上下文配置
拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/controller-manager.kubeconfig $NODE:/opt/kubernetes/cfg;\
done创建配置文件
bash
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--v=2 \\
--bind-address=127.0.0.1 \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/sa.key \\
--kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig \\
--leader-elect=true \\
--use-service-account-credentials=true \\
--node-monitor-grace-period=40s \\
--node-monitor-period=5s \\
--pod-eviction-timeout=2m0s \\
--controllers=*,bootstrapsigner,tokencleaner \\
--allocate-node-cidrs=true \\
--service-cluster-ip-range=10.96.0.0/12 \\
--cluster-cidr=172.16.0.0/12 \\
--node-cidr-mask-size-ipv4=24 \\
--requestheader-client-ca-file=/opt/kubernetes/ssl/front-proxy-ca.pem"
EOF其中部分项意思如下
bash
KUBE_CONTROLLER_MANAGER_OPTS="--v=2 \\
--bind-address=127.0.0.1 \\ # 只监听本地回环地址,通常由kube-apiserver代理访问
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\ # CA根证书,用于验证kube-apiserver的证书
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\ # 用于签发集群证书的CA证书
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\ # 用于签发集群证书的CA私钥
--service-account-private-key-file=/opt/kubernetes/ssl/sa.key \\ # ServiceAccount签名私钥
--kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig \\ # kubeconfig配置文件路径
--leader-elect=true \\
--use-service-account-credentials=true \\ # 使用ServiceAccount凭证而不是默认凭证
--node-monitor-grace-period=40s \\ # 节点不可用判定宽限期
--node-monitor-period=5s \\ # 节点状态检查周期
--pod-eviction-timeout=2m0s \\ # Pod驱逐超时时间
--controllers=*,bootstrapsigner,tokencleaner \\
--allocate-node-cidrs=true \\
--service-cluster-ip-range=10.96.0.0/12 \\ # Service ClusterIP地址范围
--cluster-cidr=172.16.0.0/12 \\ # 集群Pod网络CIDR范围
--node-cidr-mask-size-ipv4=24 \\ # 每个节点分配的Pod子网掩码大小(/24)
--requestheader-client-ca-file=/opt/kubernetes/ssl/front-proxy-ca.pem" # 代理客户端CA证书设置启动配置
bash
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=always # 服务退出时总是重启
RestartSec=10s # 重启间隔时间:10秒
[Install]
WantedBy=multi-user.target
EOF拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/kube-controller-manager.conf $NODE:/opt/kubernetes/cfg;\
scp /usr/lib/systemd/system/kube-controller-manager.service $NODE:/usr/lib/systemd/system/;\
done启动
bash
systemctl daemon-reload && systemctl enable --now kube-controller-manager验证
bash
systemctl status kube-controller-manager
kube-scheduler部署
签发证书
master1节点执行
bash
cd /opt/kubernetes/ssl创建证书请求文件
json
cat > scheduler-csr.json << EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-scheduler",
"OU": "Kubernetes-manual"
}
]
}
EOF生成证书
bash
cfssl gencert \
-ca=/opt/kubernetes/ssl/ca.pem \
-ca-key=/opt/kubernetes/ssl/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
scheduler-csr.json | cfssljson -bare /opt/kubernetes/ssl/scheduler将证书拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
for FILE in scheduler.pem scheduler-key.pem; \
do \
scp /opt/kubernetes/ssl/${FILE} $NODE:/opt/kubernetes/ssl/${FILE};\
done \
done生成kubeconfig文件
master1节点执行
bash
KUBE_CONFIG="/opt/kubernetes/cfg/scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.153.200:16443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials system:kube-scheduler \
--client-certificate=/opt/kubernetes/ssl/scheduler.pem \
--client-key=/opt/kubernetes/ssl/scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context system:kube-scheduler@kubernetes \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context system:kube-scheduler@kubernetes \
--kubeconfig=${KUBE_CONFIG}拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/scheduler.kubeconfig $NODE:/opt/kubernetes/cfg;\
done创建配置文件
bash
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS=" --v=2 \\
--bind-address=127.0.0.1 \\
--leader-elect=true \\
--kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig"
EOF设置启动配置
bash
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
EOF拷贝到其他master节点
bash
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/kube-scheduler.conf $NODE:/opt/kubernetes/cfg;\
scp /usr/lib/systemd/system/kube-scheduler.service $NODE:/usr/lib/systemd/system/;\
done启动
bash
systemctl daemon-reload && systemctl enable --now kube-scheduler