使用二进制方式部署k8s(6)

使用二进制文件方式部署k8s(6)

kube-controller-manager部署

签发证书

master1节点执行

bash 复制代码
cd /opt/kubernetes/ssl

创建证书请求文件

json 复制代码
cat > manager-csr.json << EOF 
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF

生成证书

bash 复制代码
cfssl gencert \
   -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=ca-config.json \
   -profile=kubernetes \
   manager-csr.json | cfssljson -bare /opt/kubernetes/ssl/controller-manager

将证书拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
for FILE in controller-manager.pem controller-manager-key.pem; \
do \
scp /opt/kubernetes/ssl/${FILE} $NODE:/opt/kubernetes/ssl/${FILE};\
done \
done

生成kubeconfig文件

master1节点执行

bash 复制代码
KUBE_CONFIG="/opt/kubernetes/cfg/controller-manager.kubeconfig" #配置文件存放路径
bash 复制代码
KUBE_APISERVER="https://192.168.153.200:16443" #kube-apiserver地址,这里用vip自动实现负载均衡

设置集群项

bash 复制代码
kubectl config set-cluster kubernetes \
     --certificate-authority=/opt/kubernetes/ssl/ca.pem \
     --embed-certs=true \
     --server=${KUBE_APISERVER} \
     --kubeconfig=${KUBE_CONFIG}
  • 定义一个名为kubernetes的集群配置
  • --certificate-authority: 指定CA根证书,用于验证apiserver的证书
  • --embed-certs=true: 将证书内容直接嵌入kubeconfig文件(而不是引用文件路径)
  • --server: 指定apiserver的访问地址
  • --kubeconfig: 指定写入的配置文件路径

设置用户项

bash 复制代码
kubectl config set-credentials system:kube-controller-manager \
     --client-certificate=/opt//kubernetes/ssl/controller-manager.pem \
     --client-key=/opt/kubernetes/ssl/controller-manager-key.pem \
     --embed-certs=true \
     --kubeconfig=${KUBE_CONFIG}
  • 定义一个名为system:kube-controller-manager的用户(对应ServiceAccount)
  • --client-certificate: controller-manager的客户端证书
  • --client-key: controller-manager的私钥
  • 这些证书由CA签发,用于向apiserver证明身份

设置环境项

bash 复制代码
kubectl config set-context system:kube-controller-manager@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-controller-manager \
    --kubeconfig=${KUBE_CONFIG}
  • 创建名为system:kube-controller-manager@kubernetes的上下文
  • 将集群(kubernetes)和用户(system:kube-controller-manager)关联起来
  • 上下文定义了"使用哪个用户访问哪个集群"

设置默认环境

bash 复制代码
kubectl config use-context system:kube-controller-manager@kubernetes \
     --kubeconfig=${KUBE_CONFIG}
  • 将上面创建的上下文设置为默认使用
  • 当使用此kubeconfig文件时,自动使用该上下文配置

拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/controller-manager.kubeconfig $NODE:/opt/kubernetes/cfg;\
done

创建配置文件

bash 复制代码
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--v=2 \\
      --bind-address=127.0.0.1 \\
      --root-ca-file=/opt/kubernetes/ssl/ca.pem \\
      --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
      --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
      --service-account-private-key-file=/opt/kubernetes/ssl/sa.key \\
      --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig \\
      --leader-elect=true \\
      --use-service-account-credentials=true \\
      --node-monitor-grace-period=40s \\
      --node-monitor-period=5s \\
      --pod-eviction-timeout=2m0s \\
      --controllers=*,bootstrapsigner,tokencleaner \\
      --allocate-node-cidrs=true \\
      --service-cluster-ip-range=10.96.0.0/12 \\
      --cluster-cidr=172.16.0.0/12 \\
      --node-cidr-mask-size-ipv4=24 \\
      --requestheader-client-ca-file=/opt/kubernetes/ssl/front-proxy-ca.pem"
EOF

其中部分项意思如下

bash 复制代码
KUBE_CONTROLLER_MANAGER_OPTS="--v=2 \\       
      --bind-address=127.0.0.1 \\                     # 只监听本地回环地址,通常由kube-apiserver代理访问
      --root-ca-file=/opt/kubernetes/ssl/ca.pem \\     # CA根证书,用于验证kube-apiserver的证书
      --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\      # 用于签发集群证书的CA证书
      --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\   # 用于签发集群证书的CA私钥
      --service-account-private-key-file=/opt/kubernetes/ssl/sa.key \\  # ServiceAccount签名私钥
      --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig \\ # kubeconfig配置文件路径
      --leader-elect=true \\                
      --use-service-account-credentials=true \\        # 使用ServiceAccount凭证而不是默认凭证
      --node-monitor-grace-period=40s \\               # 节点不可用判定宽限期
      --node-monitor-period=5s \\                      # 节点状态检查周期
      --pod-eviction-timeout=2m0s \\                   # Pod驱逐超时时间
      --controllers=*,bootstrapsigner,tokencleaner \\ 
      --allocate-node-cidrs=true \\        
      --service-cluster-ip-range=10.96.0.0/12 \\       # Service ClusterIP地址范围
      --cluster-cidr=172.16.0.0/12 \\                  # 集群Pod网络CIDR范围
      --node-cidr-mask-size-ipv4=24 \\                 # 每个节点分配的Pod子网掩码大小(/24)
      --requestheader-client-ca-file=/opt/kubernetes/ssl/front-proxy-ca.pem"  # 代理客户端CA证书

设置启动配置

bash 复制代码
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=always		# 服务退出时总是重启
RestartSec=10s		# 重启间隔时间:10秒
[Install]
WantedBy=multi-user.target
EOF

拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/kube-controller-manager.conf $NODE:/opt/kubernetes/cfg;\
scp /usr/lib/systemd/system/kube-controller-manager.service $NODE:/usr/lib/systemd/system/;\
done

启动

bash 复制代码
systemctl daemon-reload && systemctl enable --now kube-controller-manager

验证

bash 复制代码
systemctl status kube-controller-manager

kube-scheduler部署

签发证书

master1节点执行

bash 复制代码
cd /opt/kubernetes/ssl

创建证书请求文件

json 复制代码
cat > scheduler-csr.json << EOF 
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF

生成证书

bash 复制代码
cfssl gencert \
   -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=ca-config.json \
   -profile=kubernetes \
   scheduler-csr.json | cfssljson -bare /opt/kubernetes/ssl/scheduler

将证书拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
for FILE in scheduler.pem scheduler-key.pem; \
do \
scp /opt/kubernetes/ssl/${FILE} $NODE:/opt/kubernetes/ssl/${FILE};\
done \
done

生成kubeconfig文件

master1节点执行

bash 复制代码
KUBE_CONFIG="/opt/kubernetes/cfg/scheduler.kubeconfig"

KUBE_APISERVER="https://192.168.153.200:16443"

kubectl config set-cluster kubernetes \
     --certificate-authority=/opt/kubernetes/ssl/ca.pem \
     --embed-certs=true \
     --server=${KUBE_APISERVER} \
     --kubeconfig=${KUBE_CONFIG}
     
kubectl config set-credentials system:kube-scheduler \
     --client-certificate=/opt/kubernetes/ssl/scheduler.pem \
     --client-key=/opt/kubernetes/ssl/scheduler-key.pem \
     --embed-certs=true \
     --kubeconfig=${KUBE_CONFIG}
     
kubectl config set-context system:kube-scheduler@kubernetes \
     --cluster=kubernetes \
     --user=system:kube-scheduler \
     --kubeconfig=${KUBE_CONFIG}
     
kubectl config use-context system:kube-scheduler@kubernetes \
     --kubeconfig=${KUBE_CONFIG}

拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/scheduler.kubeconfig $NODE:/opt/kubernetes/cfg;\
done

创建配置文件

bash 复制代码
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS=" --v=2 \\
      --bind-address=127.0.0.1 \\
      --leader-elect=true \\
      --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig"
EOF

设置启动配置

bash 复制代码
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target


[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
EOF

拷贝到其他master节点

bash 复制代码
NODES='master2 master3'; \
for NODE in $NODES; \
do \
scp /opt/kubernetes/cfg/kube-scheduler.conf $NODE:/opt/kubernetes/cfg;\
scp /usr/lib/systemd/system/kube-scheduler.service $NODE:/usr/lib/systemd/system/;\
done

启动

bash 复制代码
systemctl daemon-reload && systemctl enable --now kube-scheduler
相关推荐
运维老郭2 小时前
【K8s运维实战】Kubernetes临时存储卷实战:emptyDir核心用法与gitRepo弃用迁移指南
运维·云原生·kubernetes
AAA@峥6 小时前
容器数据不丢失:Docker 分层存储 + Volume 共享、备份迁移完整指南
运维·docker·容器
十年磨一剑~7 小时前
docker 为何每次 docker tag才能 docker push
docker·容器·eureka
gs801409 小时前
记一次多 Agent 架构在单节点 K8s 触发的 PID 耗尽与 Pod 驱逐(Evicted)大摸排
容器·架构·kubernetes
bukeyiwanshui10 小时前
20260701 k8s Metric Server
容器·贪心算法·kubernetes
江湖有缘10 小时前
基于Docker环境部署tillywork开源工作管理工具
docker·容器·开源
鸿儒51713 小时前
MR-50国产化GPU docker配置方法
docker·容器·mr
Zhu75814 小时前
在k8s集群部署ApacheHadoop单节点单数据副本
云原生·容器·kubernetes
Akamai中国14 小时前
Akamai收购安全企业浏览器提供商LayerX
人工智能·云原生·云计算·云服务