linux cpu占用率如何看
255
2022-11-09
第四篇(二进制部署k8s集群---master集群部署)
第四篇(二进制部署k8s集群---master集群部署)
本文在以下主机上操作部署k8s集群k8s-master1:192.168.206.31k8s-master2:192.168.206.32k8s-master3:192.168.206.33
kubernetes master 节点主要包含的组件:kube-apiserverkube-schedulerkube-controller-manager目前这三个组件需要部署在同一台机器上。kube-scheduler、kube-controller-manager 和 kube-apiserver 三者的功能紧密相关;同时只能有一个 kube-scheduler、kube-controller-manager 进程处于工作状态,如果运行多个,则需要通过选举产生一个 leader;
一、部署kubectl命令工具
kubectl 是 kubernetes 集群的命令行管理工具,kubectl 默认从 ~/.kube/config 文件读取 kube-apiserver 地址、证书、用户名等信息,如果没有配置,执行 kubectl 命令时可能会出错。1、下载kubectl
wget https://dl.k8s.io/v1.12.3/kubernetes-server-linux-amd64.tar.gz tar -xzvf kubernetes-server-linux-amd64.tar.gz cd kubernetes/server/bin/ cp kube-apiserver kubeadm kube-controller-manager kubectl kube-scheduler /opt/kubernetes/bin/
2、创建请求证书
cat > admin-csr.json < 3、创建~/.kube/config文件 mkdir -p ~/.kube
kubectl config set-cluster kubernetes \
--certificate-authority=/data/ssl/ca.pem \
--embed-certs=true \
--server=\
--kubeconfig=kubectl.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=kubectl.kubeconfig
# 设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig
# 设置默认上下文
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
这个地方是复制到~/.kube/目录下名字为config不要搞错了
cp kubectl.kubeconfig ~/.kube/config 二、部署api-server 1、创建kube-apiserver的证书签名请求: cat > kubernetes-csr.json < 3、创建加密配置文件 cat > encryption-config.yaml < 4、创建kube-apiserver systemd unit文件 cat > /etc/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
--enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
--anonymous-auth=false \
--experimental-encryption-provider-config=/opt/kubernetes/ssl/kubernetes/encryption-config.yaml \
--advertise-address=192.168.206.31 \
--bind-address=192.168.206.31 \
--insecure-port=0 \
--authorization-mode=Node,RBAC \
--runtime-config=api/all \
--enable-bootstrap-token-auth \
--service-cluster-ip-range=10.254.0.0/16 \
--service-node-port-range=30000-32700 \
--tls-cert-file=/opt/kubernetes/ssl/kubernetes/kubernetes.pem \
--tls-private-key-file=/opt/kubernetes/ssl/kubernetes/kubernetes-key.pem \
--client-ca-file=/opt/kubernetes/ssl/kubernetes/ca.pem \
--kubelet-client-certificate=/opt/kubernetes/ssl/kubernetes/kubernetes.pem \
--kubelet-client-key=/opt/kubernetes/ssl/kubernetes/kubernetes-key.pem \
--service-account-key-file=/opt/kubernetes/ssl/kubernetes/ca-key.pem \
--etcd-cafile=/opt/kubernetes/ssl/kubernetes/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/kubernetes/kubernetes.pem \
--etcd-keyfile=/opt/kubernetes/ssl/kubernetes/kubernetes-key.pem \
--etcd-servers=\
--enable-swagger-ui=true \
--allow-privileged=true \
--apiserver-count=3 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/log/kube-apiserver-audit.log \
--event-ttl=1h \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/kubernetes/log \
--v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
--experimental-encryption-provider-config:启用加密特性;
--authorization-mode=Node,RBAC: 开启 Node 和 RBAC 授权模式,拒绝未授权的请求;
--enable-admission-plugins:启用 ServiceAccount 和 NodeRestriction;
--service-account-key-file:签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file 指定私钥文件,两者配对使用;
--tls-*-file:指定 apiserver 使用的证书、私钥和 CA 文件。--client-ca-file 用于验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书;
--kubelet-client-certificate、--kubelet-client-key:如果指定,则使用 访问 kubelet APIs;需要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权;
--bind-address: 不能为 127.0.0.1,否则外界不能访问它的安全端口 6443;
--insecure-port=0:关闭监听非安全端口(8080);
--service-cluster-ip-range: 指定 Service Cluster IP 地址段;
--service-node-port-range: 指定 NodePort 的端口范围;
--runtime-config=api/all=true: 启用所有版本的 APIs,如 autoscaling/v2alpha1;
--enable-bootstrap-token-auth:启用 kubelet bootstrap 的 token 认证;
--apiserver-count=3:指定集群运行模式,多台 kube-apiserver 会通过 leader 选举产生一个工作节点,其它节点处于阻塞状态;
这些也要分发kube-apiserver.service文件到其他master 7、启动api-server服务 systemctl stop kube-apiserver
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver 8、检查api-server和集群状态 [root@k8s-master1 ~]# netstat -ptln | grep kube-apiserve
tcp 0 0 192.168.206.31:6443 0.0.0.0:* LISTEN 985/kube-apiserver
[root@k8s-master1 ~]# kubectl cluster-info
Kubernetes master is running at https://192.168.206.30:8443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'. 9、授予kubernetes证书访问kubelet api权限 kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes 三、部署kube-controller-manager该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。为保证通信安全,本文档先生成 x509 证书和私钥,kube-controller-manager 在如下两种情况下使用该证书: 1、创建kube-controller-manager证书请求: cat > kube-controller-manager-csr.json << EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.206.31",
"192.168.206.32",
"192.168.206.33"
],
"names": [
{
"C": "CN",
"ST": "Zhejiang",
"L": "hangzhou",
"O": "system:kube-controller-manager",
"OU": "System"
}
]
}
EOF
hosts 列表包含所有 kube-controller-manager 节点 IP;
CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager,kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限。
生成证书和私钥:
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
将生成的证书和私钥分发到所有 master 节点
mkdir /opt/kubernetes/ssl/kube-controller-manager
cp kube-controller-manager*.pem /opt/kubernetes/ssl/kube-controller-manager/ 2、创建和分发kubeconfig文件 kubectl config set-cluster kubernetes \
--certificate-authority=/data/ssl/ca.pem \
--embed-certs=true \
--server=\
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
分发 kube-controller-manager.kubeconfig 到所有 master 节点
cp kube-controller-manager.kubeconfig /opt/kubernetes/ssl/kube-controller-manager/
cp /opt/kubernetes/ssl/kubernetes/ca* /opt/kubernetes/ssl/kube-controller-manager/ 3、创建和分发kube-controller-manager systemd unit文件 cat > /etc/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
--address=127.0.0.1 \
--kubeconfig=/opt/kubernetes/ssl/kube-controller-manager/kube-controller-manager.kubeconfig \
--authentication-kubeconfig=/opt/kubernetes/ssl/kube-controller-manager/kube-controller-manager.kubeconfig \
--service-cluster-ip-range=10.254.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/kube-controller-manager/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/kube-controller-manager/ca-key.pem \
--experimental-cluster-signing-duration=8760h \
--root-ca-file=/opt/kubernetes/ssl/kube-controller-manager/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/kube-controller-manager/ca-key.pem \
--leader-elect=true \
--feature-gates=RotateKubeletServerCertificate=true \
--controllers=*,bootstrapsigner,tokencleaner \
--horizontal-pod-autoscaler-use-rest-clients=true \
--horizontal-pod-autoscaler-sync-period=10s \
--tls-cert-file=/opt/kubernetes/ssl/kube-controller-manager/kube-controller-manager.pem \
--tls-private-key-file=/opt/kubernetes/ssl/kube-controller-manager/kube-controller-manager-key.pem \
--use-service-account-credentials=true \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/kubernetes/log \
--v=2
Restart=on
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
分发kube-controller-manager systemd unit文件到其他master服务器
-address:指定监听的地址为127.0.0.1
--kubeconfig:指定 kubeconfig 文件路径,kube-controller-manager 使用它连接和验证 kube-apiserver;
--cluster-signing-*-file:签名 TLS Bootstrap 创建的证书;
--experimental-cluster-signing-duration:指定 TLS Bootstrap 证书的有效期;
--root-ca-file:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;
--service-account-private-key-file:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file 指定的公钥文件配对使用;
--service-cluster-ip-range :指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;
--leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;
--feature-gates=RotateKubeletServerCertificate=true:开启 kublet server 证书的自动更新特性;
--controllers=*,bootstrapsigner,tokencleaner:启用的控制器列表,tokencleaner 用于自动清理过期的 Bootstrap token;
--horizontal-pod-autoscaler-*:custom metrics 相关参数,支持 autoscaling/v2alpha1;
--tls-cert-file、--tls-private-key-file:使用 输出 metrics 时使用的 Server 证书和秘钥;
--use-service-account-credentials=true: 4、启动kube-controller-manager服务 systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager 5、检查kube-controller-manager服务 [root@k8s-master1 ssl]# netstat -lnpt|grep kube-controll
tcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN 17906/kube-controll
tcp6 0 0 :::10257 :::* LISTEN 17906/kube-controll 6、查看当前kube-controller-manager的leader [root@master1 ssl]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
annotations:
control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"master1_0f2ea8d8-2955-11eb-84f5-000c296e7f49","leaseDurationSeconds":15,"acquireTime":"2020-11-18T04:18:06Z","renewTime":"2020-11-18T04:20:33Z","leaderTransitions":0}'
creationTimestamp: 2020-11-18T04:18:06Z
name: kube-controller-manager
namespace: kube-system
resourceVersion: "3578"
selfLink: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager
uid: 0f2fc6db-2955-11eb-b0b5-000c29979eeb 四、部署kube-scheduler该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。1、创建kube-scheduler证书请求 cat > kube-scheduler-csr.json << EOF
{
"CN": "system:kube-scheduler",
"hosts": [
"127.0.0.1",
"192.168.206.31",
"192.168.206.32",
"192.168.206.33"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Zhejiang",
"L": "hangzhou",
"O": "system:kube-scheduler",
"OU": "System"
}
]
}
EOF
hosts 列表包含所有 kube-scheduler 节点 IP;
CN 为 system:kube-scheduler、O 为 system:kube-scheduler,kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限。
生成证书和私钥:
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler 2、创建和分发kube-scheduler.kubeconfig文件 kubectl config set-cluster kubernetes \
--certificate-authority=/data/ssl/ca.pem \
--embed-certs=true \
--server=\
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
分发 kubeconfig 到所有 master 节点
mkdir /opt/kubernetes/ssl/kube-scheduler
cp kube-scheduler.kubeconfig /opt/kubernetes/ssl/kube-scheduler 3、创建和分发kube-scheduler systemd unit文件 cat > /etc/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \
--address=127.0.0.1 \
--kubeconfig=/opt/kubernetes/ssl/kube-scheduler/kube-scheduler.kubeconfig \
--leader-elect=true \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/kubernetes/log \
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
--address:在 127.0.0.1:10251 端口接收 /metrics 请求;kube-scheduler 目前还不支持接收 请求;
--kubeconfig:指定 kubeconfig 文件路径,kube-scheduler 使用它连接和验证 kube-apiserver;
--leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态; 4、启动kube-scheduler服务 systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler 5、查看当前kube-scheduler的leader [root@master1 kube-scheduler]# kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
annotations:
control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"master1_c2b12771-2957-11eb-a36d-000c296e7f49","leaseDurationSeconds":15,"acquireTime":"2020-11-18T04:37:28Z","renewTime":"2020-11-18T04:38:58Z","leaderTransitions":0}'
creationTimestamp: 2020-11-18T04:37:28Z
name: kube-scheduler
namespace: kube-system
resourceVersion: "4509"
selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
uid: c34cf106-2957-11eb-a5a4-000c2936c402 6、在所有master节点上验证功能是否正常 [root@master1 kube-scheduler]# kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。
相关文章
发表评论
暂时没有评论,来抢沙发吧~