5 搭建apiserver

安装apiserver

安装部署主控节点服务 -- apiserver

部署kube-apiserver集群
集群规划

主机名			角色			ip
rstx-203.rongbiz.cn	kube-apiserver		192.168.1.203
rstx-204.rongbiz.cn	kube-apiserver		192.168.1.204
rstx-201.rongbiz.cn	4层负载均衡		192.168.1.201
rstx-202.rongbiz.cn	4层负载均衡		192.168.1.202

注意:这里192.168.1.201和192.168.1.202使用nginx做4层负载均衡器,用keepalive跑一个vip:192.168.1.110,代理两个kube-apiserver,实现高可用

这里部署文档以HDSS7-14.host.com主机为例,另外一台运算节点部署方法类似



下载软件,解压,做软连接,安装1.15.2
[root@rstx-203 ~]# cd /opt/src/
[root@rstx-203 src]# ls
kubernetes-server-linux-amd64-v1.15.2.tar.gz

查看文件大小
[root@rstx-203 src]# du -sh kubernetes-server-linux-amd64-v1.15.2.tar.gz

[root@rstx-203 src]# tar xf kubernetes-server-linux-amd64-v1.15.4.tar.gz -C /opt
[root@rstx-203 src]# cd ..
[root@rstx-203 opt]# mv kubernetes/ kubernetes-v1.15.2

做软连接,方便以后更新
[root@rstx-203 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@rstx-203 opt]# ll
总用量 0
drwx--x--x 4 root root  28 12月 10 14:28 containerd
lrwxrwxrwx 1 root root  17 12月 10 16:45 etcd -> /opt/etcd-v3.1.20
drwxr-xr-x 4 etcd etcd 166 12月 10 17:43 etcd-v3.1.20
lrwxrwxrwx 1 root root  24 12月 10 18:33 kubernetes -> /opt/kubernetes-v1.15.2/
drwxr-xr-x 4 root root  79 8月   5 18:01 kubernetes-v1.15.2
drwxr-xr-x 2 root root  97 12月 10 18:29 src

[root@rstx-203 opt]# cd kubernetes
[root@rstx-203 kubernetes]# ls
addons  kubernetes-src.tar.gz  LICENSES  server

删除源码包
[root@rstx-203 kubernetes]# rm -rf kubernetes-src.tar.gz 

[root@rstx-203 kubernetes]# cd server/bin/

删除没用的文件docker镜像等
[root@rstx-203 bin]# rm -rf *.tar
[root@rstx-203 bin]# rm -rf *_tag 

剩余一些可执行文件
[root@rstx-203 bin]# ll
总用量 884636
-rwxr-xr-x 1 root root  43534816 8月   5 18:01 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 8月   5 18:01 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 8月   5 18:01 hyperkube
-rwxr-xr-x 1 root root  40182208 8月   5 18:01 kubeadm
-rwxr-xr-x 1 root root 164501920 8月   5 18:01 kube-apiserver
-rwxr-xr-x 1 root root 116397088 8月   5 18:01 kube-controller-manager
-rwxr-xr-x 1 root root  42985504 8月   5 18:01 kubectl
-rwxr-xr-x 1 root root 119616640 8月   5 18:01 kubelet
-rwxr-xr-x 1 root root  36987488 8月   5 18:01 kube-proxy
-rwxr-xr-x 1 root root  38786144 8月   5 18:01 kube-scheduler
-rwxr-xr-x 1 root root   1648224 8月   5 18:01 mounter


签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端
运维主机HDSS-248.host.com上

创建生成证书签名请求(csr)的JSON配置文件	-- 此目录下有,直接上传修改,不要粘贴复制
[root@rstx-53 ~]# cd /opt/certs/

[root@rstx-53 ~]# vi /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

[root@rstx-53 certs]# cfssl gencerts -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client



创建签名请求(csr)的JSON配置文件,apiserver,server端证书 -- 直接上传
[root@rstx-53 certs]# vi apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "10.254.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.1.110",
        "192.168.1.203",
        "192.168.1.204",
        "192.168.1.123"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}


[root@rstx-53 certs]# cfssl gencerts -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver

[root@rstx-53 certs]# ll
总用量 80
total 24
-rw------- 1 root root 1679 Nov 10 17:42 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Nov 10 17:42 apiserver.pem
-rw------- 1 root root 1679 Nov 10 17:41 ca-key.pem
-rw-r--r-- 1 root root 1346 Nov 10 17:41 ca.pem
-rw------- 1 root root 1675 Nov 10 17:41 client-key.pem
-rw-r--r-- 1 root root 1363 Nov 10 17:41 client.pem


拷贝证书
[root@rstx-203 ~]# cd /opt/kubernetes/server/bin/
[root@rstx-203 bin]# mkdir certs
[root@rstx-203 bin]# cd certs/
最后有个点,表示拷贝到当前目录
[root@rstx-203 certs]# scp rstx-53:/opt/certs/ca.pem . 
[root@rstx-203 certs]# scp rstx-53:/opt/certs/ca-key.pem .
[root@rstx-203 certs]# scp rstx-53:/opt/certs/client.pem .
[root@rstx-203 certs]# scp rstx-53:/opt/certs/client-key.pem .
[root@rstx-203 certs]# scp rstx-53:/opt/certs/apiserver.pem .
[root@rstx-203 certs]# scp rstx-53:/opt/certs/apiserver-key.pem .

创建启动配置脚本 -- 直接上传
[root@rstx-203 certs]# cd /opt/kubernetes/server/bin
[root@rstx-203 bin]# mkdir conf
[root@rstx-203 bin]# cd conf/
[root@rstx-203 conf]# 
[root@rstx-203 conf]# vi audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certsain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

编写启动脚本	-- 直接上传
[root@rstx-203 config]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
  --apiserver-count 2 \
  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
  --audit-policy-file ./conf/audit.yaml \
  --authorization-mode RBAC \
  --client-ca-file ./certs/ca.pem \
  --requestheader-client-ca-file ./certs/ca.pem \
  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
  --etcd-cafile ./certs/ca.pem \
  --etcd-certfile ./certs/client.pem \
  --etcd-keyfile ./certs/client-key.pem \
  --etcd-servers https://192.168.1.202:2379,https://192.168.1.203:2379,https://192.168.1.204:2379 \
  --service-account-key-file ./certs/ca-key.pem \
  --service-cluster-ip-range 10.254.0.0/16 \
  --service-node-port-range 3000-29999 \
  --target-ram-mb=1024 \
  --kubelet-client-certificate ./certs/client.pem \
  --kubelet-client-key ./certs/client-key.pem \
  --log-dir  /data/logs/kubernetes/kube-apiserver \
  --tls-cert-file ./certs/apiserver.pem \
  --tls-private-key-file ./certs/apiserver-key.pem \
  --v 2


查看帮助命令,查看每行的意思
[root@rstx-203 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb 

添加执行权限
[root@rstx-203 bin]# chmod +x kube-apiserver.sh

[root@rstx-203 bin]# mkdir /data/logs/kubernetes/kube-apiserver -p

创建后台启动
[root@rstx-203 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-203]					# 21根据实际IP地址更改
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true

[root@rstx-203 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver

[root@rstx-203 bin]# supervisorctl update

[root@rstx-203 bin]# netstat -luntp | grep kube-api
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      27303/./kube-apiser 
tcp6       0      0 :::6443                 :::*                    LISTEN      27303/./kube-apiser 

4 设置四层反向代理及安装VIP

安装部署主控节点4层反向代理服务

部署在rstx-201 rstx-2012机器上,用VIP 192.168.1.110的7443端口,反代rstx-203、rstx-204的apiserver6443端口


rstx-201和rstx-2012上同时操作

nginx配置
[root@rstx-201 ~]# yum install yum-utils

sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
yum install openresty	
ln -s /usr/local/openresty/nginx/  /etc/nginx
[root@rstx-201 ~]# vi /etc/nginx/nginx.conf		-- 直接上传
stream {
    upstream kube-apiserver {
        server 192.168.1.203:6443     max_fails=3 fail_timeout=30s;
        server 192.168.1.204:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}


检查配置文件
[root@rstx-201 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@rstx-201 ~]# systemctl start nginx
[root@rstx-201 ~]# systemctl enable nginx


keepalived安装配置
[root@rstx-201 ~]# yum install keepalived -y

编写监听脚本	-- 直接上传
[root@rstx-201 ~]# vi /etc/keepalived/check_port.sh	
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
#    script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
#    interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi

[root@rstx-201 ~]# # chmod +x /etc/keepalived/check_port.sh


配置keepalived	-- 删除原文件,直接上传修改
keepalived 主:
[root@rstx-201 ~]# vi /etc/keepalived/keepalived.conf 
! Configuration File for keepalived

global_defs {
   router_id 192.168.1.201

}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0	# 根据实际网卡更改
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 192.168.1.201
    nopreempt

    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        192.168.1.110
    }
}



keepalived从:    -- 直接上传
[root@rstx-202 ~]# vi /etc/keepalived/keepalived.conf 
! Configuration File for keepalived
global_defs {
        router_id 192.168.1.202
	script_user root
        enable_script_security 
}
vrrp_script chk_nginx {
        script "/etc/keepalived/check_port.sh 7443"
        interval 2
        weight -20
}
vrrp_instance VI_1 {
        state BACKUP
        interface eth0		# 根据实际网卡更改
        virtual_router_id 251
        mcast_src_ip 192.168.1.202
        priority 90
        advert_int 1
        authentication {
                auth_type PASS
                auth_pass 11111111
        }
        track_script {
                chk_nginx
        }
        virtual_ipaddress {
                192.168.1.110
        }
}


[root@rstx-201 keepalived]# ss -lnt|grep 7443|wc -l         
1

[root@rstx-201 ~]# systemctl start keepalived
[root@rstx-201 ~]# systemctl enable keepalived


如果vip出现变动,主keepalived恢复后,一定要确认主keepalived端口起来, 服务搞好,重启keepalived,是vip变回主keepalived
[root@rstx-201 ~]# netstat -luntp | grep 7443
tcp        0      0 0.0.0.0:7443            0.0.0.0:*               LISTEN      22071/nginx: master 

上一篇:建立私有CA实现证书申请颁发


下一篇:配置安全web服务