下载kubernetes 二进制文件
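# Fetch the Kubernetes 1.19 server tarball and install the control-plane
# binaries into /opt/kubernetes/bin/.
# NOTE(review): the tarball is fetched over plain http from a placeholder host
# and nothing on this page authenticates it. The digest check below gates the
# extraction on the release's published SHA-256; fill the placeholder in from
# the upstream checksum file for the exact tarball you downloaded.
cd /usr/local/src/
wget http://xxxxx/1.19/kubernetes-server-linux-amd64.tar.gz
# sha256sum -c reads "<digest>  <file>" lines; the tarball is only unpacked
# when the digest matches.
printf '%s  %s\n' '<EXPECTED_SHA256_PLACEHOLDER>' kubernetes-server-linux-amd64.tar.gz \
  | sha256sum -c - \
  && tar xzf kubernetes-server-linux-amd64.tar.gz kubernetes
# Only the control-plane binaries stay on the master; kubelet/kube-proxy go to
# the nodes in the next step.
cd kubernetes/server/bin/ \
  && cp kube-apiserver kube-controller-manager kube-scheduler kubectl /opt/kubernetes/bin/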
- 集群部署需要将kubelet kube-proxy 放到node中/opt/kubernetes/bin/目录下
# Worker nodes run kubelet and kube-proxy; push those two binaries over scp.
# node_ip is a placeholder for the node's address.
node_bin_dir='node_ip:/opt/kubernetes/bin/'
scp kubelet kube-proxy "$node_bin_dir"
配置api-server公私钥
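# Issue the kube-apiserver certificate from the cluster CA. The same pair is
# referenced later in kube-apiserver.conf as the serving cert, the
# kubelet-client cert and the aggregator proxy-client cert.
# The SAN list must contain every name/IP clients use to reach the API:
# loopback, the first Service IP (10.1.0.1 for the 10.1.0.0/16 range used
# below), the in-cluster DNS names, and the master's real address
# (replace the master_ip placeholder).
# NOTE(review): after the previous step the working directory is the
# extracted server/bin/ directory, so the CSR, the .csr and the private key
# end up next to the binaries; run this from a dedicated cert working
# directory if that is not intended.
cat > kubernetes-csr.json <<'EOF'
{
"hosts": [
"127.0.0.1",
"10.1.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"master_ip"
],
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"OU": "System",
"L": "ShangHai",
"O": "k8s",
"ST": "ShangHai"
}
]
}
EOF
# cfssljson -bare writes kubernetes.pem, kubernetes-key.pem and kubernetes.csr.
# The files are installed with explicit modes (cert world-readable, key
# owner-only) instead of relying on the umask, and only if signing succeeded.
cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes \
  && install -m 0644 kubernetes.pem /opt/kubernetes/ssl/ \
  && install -m 0600 kubernetes-key.pem /opt/kubernetes/ssl/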
生成kube-apiserver 配置文件
- mkdir -p /data/kubernetes/log
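# Write the kube-apiserver option string that the systemd unit reads via
# EnvironmentFile. The heredoc delimiter is quoted so the content is written
# literally: a single trailing backslash continues the quoted value and the
# shell expands nothing at write time (the unquoted form needed "\\" on every
# line, and one missed escape silently truncates the option string).
# Replace master_ip with the master's real address (bind/advertise address and
# the etcd endpoint).
# NOTE(review): the --audit-log-* options only take effect together with
# --audit-policy-file; without a policy the log backend records no events.
# NOTE(review): --service-node-port-range=1-65535 lets any NodePort Service
# claim any port on every node, including ports already used on this page
# (2379 for etcd, 6443 for the API server); the upstream default is 30000-32767.
# NOTE(review): --service-account-key-file points at the CA's private key, so
# service-account token verification (and, by implication, the signing key
# configured on kube-controller-manager, which is off page) is tied to the CA;
# a dedicated key pair keeps a token-key disclosure from exposing the CA.
cat > /opt/kubernetes/cfg/kube-apiserver.conf <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/data/kubernetes/log \
--bind-address=master_ip \
--secure-port=6443 \
--advertise-address=master_ip \
--allow-privileged=true \
--service-cluster-ip-range=10.1.0.0/16 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=1-65535 \
--kubelet-client-certificate=/opt/kubernetes/ssl/kubernetes.pem \
--kubelet-client-key=/opt/kubernetes/ssl/kubernetes-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
--tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-servers=https://master_ip:2379 \
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/etcd.pem \
--etcd-keyfile=/opt/kubernetes/ssl/etcd-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF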
- --logtostderr:启用日志
- --v:日志等级
- --log-dir:日志目录
- --etcd-servers:etcd集群地址
- --bind-address:监听地址
- --secure-port:https安全端口
- --advertise-address:集群通告地址
- --allow-privileged:启用授权
- --service-cluster-ip-range:Service虚拟IP地址段
- --enable-admission-plugins:准入控制模块
- --authorization-mode:认证授权,启用RBAC授权和节点自管理
- --enable-bootstrap-token-auth:启用TLS bootstrap机制
- --token-auth-file:bootstrap token文件
- --service-node-port-range:Service nodeport类型默认分配端口范围
- --kubelet-client-xxx:apiserver访问kubelet客户端证书
- --tls-xxx-file:apiserver https证书
- --etcd-xxxfile:连接Etcd集群证书
- --audit-log-xxx:审计日志
- 如果集群部署 需要将证书复制到node /opt/kubernetes/ssl/
- 将--bind-address 改为master节点的ip
- 将--etcd-servers 改为当前集群的etcd的ip:port
# Copy the apiserver cert/key pair issued above to a worker node
# (node_ip is a placeholder for the node's address).
# NOTE(review): the glob also matches kubernetes-key.pem, i.e. the apiserver's
# private key — which kube-apiserver.conf also uses as the kubelet-client and
# aggregator proxy-client key. Confirm the node actually needs the key, not
# just ca.pem/kubernetes.pem, before distributing it; the node-side steps are
# not on this page.
node_ssl_dir='node_ip:/opt/kubernetes/ssl/'
scp kubernetes*.pem "$node_ssl_dir"
创建kube-apiserver 使用的客户端token 文件
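# Create the static token file referenced by --token-auth-file in
# kube-apiserver.conf. Format per line: token,user,uid,"group".
# The previous version of this step printed a random token and then wrote a
# fixed literal into token.csv; a token that appears in a published document
# is not a secret, so the generated value is written instead.
bootstrap_token=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# Show the token once; the kubelet bootstrap kubeconfig on the nodes needs it.
printf '%s\n' "$bootstrap_token"
# Create the file empty with mode 0600 first so the token is never readable by
# other local users, then fill it. Both steps are skipped if no token was
# produced (empty $bootstrap_token).
[ -n "$bootstrap_token" ] \
  && install -m 0600 /dev/null /opt/kubernetes/cfg/token.csv \
  && cat > /opt/kubernetes/cfg/token.csv <<EOF
${bootstrap_token},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF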
配置kube-apiserver服务文件
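# systemd unit for kube-apiserver; it sources the option string written to
# /opt/kubernetes/cfg/kube-apiserver.conf above.
# The heredoc delimiter is quoted so $KUBE_APISERVER_OPTS reaches the unit
# file literally (systemd expands it from EnvironmentFile, not the shell).
# After=network.target orders startup after basic networking, since the
# bind/advertise addresses are real interface IPs. RestartSec=5 keeps
# Restart=on-failure from spinning at the 100 ms default while a dependency
# (etcd at master_ip:2379) is still coming up.
# NOTE(review): if etcd runs on this host as a systemd unit, add an After= on
# that unit as well; its unit name is not on this page.
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF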
启动kube-apiserver
# Pick up the new unit file, enable it at boot and start it now, then show
# the resulting state (enable --now is enable followed by start).
systemctl daemon-reload
systemctl enable --now kube-apiserver
systemctl status kube-apiserver
授权kubelet-bootstrap用户允许请求证书
# Allow the bootstrap identity from token.csv to submit certificate signing
# requests for kubelet client certs via the built-in
# system:node-bootstrapper ClusterRole. The binding targets the user name,
# so it must match the user column written to token.csv.
binding_args=(
  --clusterrole=system:node-bootstrapper
  --user=kubelet-bootstrap
)
kubectl create clusterrolebinding kubelet-bootstrap "${binding_args[@]}"