k8s 之apiserver部署(六)

集群规划

主机名   角色   ip

HDSS7-21.host.com kube-apiserver  192.168.12.13

HDSS7-22.host.com kube-apiserver  192.168.12.14

HDSS7-11.host.com 4层负载均衡  192.168.12.11

HDSS7-12.host.com 4层负载均衡  192.168.12.12

注意：这里192.168.12.11和192.168.12.12使用nginx做4层负载均衡器，用keepalive跑一个vip：192.168.12.10，代理两个kube-apiserver，实现高可用

1. hdss7-21安装apiserver

[root@hdss7-21 certs]# cd /opt/src/ [root@hdss7-21 src]# rz [root@hdss7-21 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/ [root@hdss7-21 src]# cd .. [root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2 [root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes [root@hdss7-21 opt]# cd kubernetes [root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz [root@hdss7-21 kubernetes]# cd server/bin/ [root@hdss7-21 bin]# rm -rf *.tar [root@hdss7-21 bin]# rm -rf *_tag 签发apiserver-client证书：apiserver与etc通信用的证书。apiserver是客户端，etcd是服务端 运维主机HDSS-200.host.com上 [root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/ [root@hdss7-21 bin]# mkdir cert [root@hdss7-21 bin]# cd cert/ [root@hdss7-21 cert]# ls [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem . root@hdss7-200's password: ca.pem 100% 1334 505.1KB/s 00:00 [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./ root@hdss7-200's password: apiserver.pem 100% 1586 913.6KB/s 00:00 [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./ root@hdss7-200's password: apiserver-key.pem 100% 1675 711.1KB/s 00:00 [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./ root@hdss7-200's password: ca-key.pem 100% 1679 1.3MB/s 00:00 [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem ./ root@hdss7-200's password: client-key.pem 100% 1679 749.7KB/s 00:00 [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem ./ root@hdss7-200's password: client.pem [root@hdss7-21 bin]# mkdir conf [root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/conf [root@hdss7-21 conf]# vi audit.yaml [root@hdss7-21 conf]# cat audit.yaml apiVersion: audit.k8s.io/v1beta1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages:  - "RequestReceived" rules:  # Log pod changes at RequestResponse level  - level: RequestResponse  resources:  - group: ""  # Resource "pods" doesn't match requests to any subresource of pods,  # which is consistent with the RBAC policy.  resources: ["pods"]  # Log "pods/log", "pods/status" at Metadata level  - level: Metadata  resources:  - group: ""  resources: ["pods/log", "pods/status"]   # Don't log requests to a configmap called "controller-leader"  - level: None  resources:  - group: ""  resources: ["configmaps"]  resourceNames: ["controller-leader"]   # Don't log watch requests by the "system:kube-proxy" on endpoints or services  - level: None  users: ["system:kube-proxy"]  verbs: ["watch"]  resources:  - group: "" # core API group  resources: ["endpoints", "services"]   # Don't log authenticated requests to certain non-resource URL paths.  - level: None  userGroups: ["system:authenticated"]  nonResourceURLs:  - "/api*" # Wildcard matching.  - "/version"   # Log the request body of configmap changes in kube-system.  - level: Request  resources:  - group: "" # core API group  resources: ["configmaps"]  # This rule only applies to resources in the "kube-system" namespace.  # The empty string "" can be used to select non-namespaced resources.  namespaces: ["kube-system"]   # Log configmap and secret changes in all other namespaces at the Metadata level.  - level: Metadata  resources:  - group: "" # core API group  resources: ["secrets", "configmaps"]   # Log all other resources in core and extensions at the Request level.  - level: Request  resources:  - group: "" # core API group  - group: "extensions" # Version of group should NOT be included.   # A catch-all rule to log all other requests at the Metadata level.  - level: Metadata  # Long-running requests like watches that fall under this rule will not  # generate an audit event in RequestReceived.  omitStages:  - "RequestReceived" [root@hdss7-21 conf]# [root@hdss7-21 conf]# cat /opt/kubernetes/server/bin/kube-apiserver.sh #!/bin/bash ./kube-apiserver \  --apiserver-count 2 \  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \  --audit-policy-file ./conf/audit.yaml \  --authorization-mode RBAC \  --client-ca-file ./cert/ca.pem \  --requestheader-client-ca-file ./cert/ca.pem \  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \  --etcd-cafile ./cert/ca.pem \  --etcd-certfile ./cert/client.pem \  --etcd-keyfile ./cert/client-key.pem \  --etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379 \  --service-account-key-file ./cert/ca-key.pem \  --service-cluster-ip-range 192.168.0.0/16 \  --service-node-port-range 3000-29999 \  --target-ram-mb=1024 \  --kubelet-client-certificate ./cert/client.pem \  --kubelet-client-key ./cert/client-key.pem \  --log-dir /data/logs/kubernetes/kube-apiserver \  --tls-cert-file ./cert/apiserver.pem \  --tls-private-key-file ./cert/apiserver-key.pem \  --v 2 [root@hdss7-21 conf]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh [root@hdss7-21 conf]# vi /etc/supervisord.d/kube-apiserver.ini [root@hdss7-21 conf]# cat /etc/supervisord.d/kube-apiserver.ini [program:kube-apiserver-7-21] command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args) numprocs=1 ; number of processes copies to start (def 1) directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd) autostart=true ; start at supervisord start (default: true) autorestart=true ; retstart at unexpected quit (default: true) startsecs=30 ; number of secs prog must stay running (def. 1) startretries=3 ; max # of serial start failures (default 3) exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) stopsignal=QUIT ; signal used to kill process (default TERM) stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) user=root ; setuid to this UNIX account to run the program redirect_stderr=true ; redirect proc stderr to stdout (default false) stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stdout_events_enabled=false ; emit events on stdout writes (default false) [root@hdss7-21 conf]# mkdir -p /data/logs/kubernetes/kube-apiserver [root@hdss7-21 conf]# supervisorctl update kube-apiserver-7-21: added process group [root@hdss7-21 conf]# supervisorctl status etcd-server-7-21 RUNNING pid 2753, uptime 0:53:15 kube-apiserver-7-21 RUNNING pid 2873, uptime 0:00:48 

2.运维主机HDSS-200.host.com

[root@hdss7-200 certs]# cd /opt/certs/ [root@hdss7-200 certs]# ll total 36 -rw-r--r-- 1 root root 840 Jun 6 13:03 ca-config.json -rw-r--r-- 1 root root 989 Jun 6 11:19 ca.csr -rw-r--r-- 1 root root 334 Jun 6 11:18 ca-csr.json -rw------- 1 root root 1679 Jun 6 11:19 ca-key.pem -rw-r--r-- 1 root root 1334 Jun 6 11:19 ca.pem -rw-r--r-- 1 root root 1062 Jun 6 13:04 etcd-peer.csr -rw-r--r-- 1 root root 379 Jun 6 13:04 etcd-peer-csr.json -rw------- 1 root root 1679 Jun 6 13:04 etcd-peer-key.pem -rw-r--r-- 1 root root 1424 Jun 6 13:04 etcd-peer.pem [root@hdss7-200 certs]# vi /opt/certs/client-csr.json  {  "CN": "k8s-node",  "hosts": [  ],  "key": {  "algo": "rsa",  "size": 2048  },  "names": [  {  "C": "CN",  "ST": "beijing",  "L": "beijing",  "O": "od",  "OU": "ops"  }  ] } [root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client [root@hdss7-200 certs]# vi apiserver-csr.json {  "CN": "k8s-apiserver",  "hosts": [  "127.0.0.1",  "192.254.0.1",  "kubernetes.default",  "kubernetes.default.svc",  "kubernetes.default.svc.cluster",  "kubernetes.default.svc.cluster.local",  "192.168.12.21",  "192.168.12.21",  "192.168.12.23"  ],  "key": {  "algo": "rsa",  "size": 2048  },  "names": [  {  "C": "CN",  "ST": "beijing",  "L": "beijing",  "O": "od",  "OU": "ops"  }  ] } [root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver 

3 hdss7-22安装apiserver

[root@hdss7-22 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/ [root@hdss7-22 src]# cd .. [root@hdss7-22 opt]# ls containerd etcd etcd-v3.1.20 kubernetes src [root@hdss7-22 opt]# mv kubernetes/ kubernetes-v1.15.2 [root@hdss7-22 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes [root@hdss7-22 opt]# mkdir /opt/kubernetes/server/bin/cert /opt/kubernetes/server/bin/conf [root@hdss7-22 opt]# cd /opt/kubernetes/server/bin/cert [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/ca.pem ./ root@hdss7-200's password: ca.pem 100% 1334 2.5KB/s 00:00 [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./ root@hdss7-200's password: apiserver.pem 100% 1586 752.4KB/s 00:00 [root@hdss7-22 cert]# ls apiserver.pem ca.pem [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./ root@hdss7-200's password: apiserver-key.pem 100% 1675 1.2MB/s 00:00 [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./ root@hdss7-200's password: ca-key.pem 100% 1679 1.3MB/s 00:00 [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/client-key.pem ./ root@hdss7-200's password: client-key.pem 100% 1679 728.4KB/s 00:00 [root@hdss7-22 cert]# scp hdss7-200:/opt/certs/client.pem ./ root@hdss7-200's password: client.pem [root@hdss7-22 conf]# vim audit.yaml apiVersion: audit.k8s.io/v1beta1 # This is required. kind: Policy # Don't generate audit events for all requests in RequestReceived stage. omitStages:  - "RequestReceived" rules:  # Log pod changes at RequestResponse level  - level: RequestResponse  resources:  - group: ""  # Resource "pods" doesn't match requests to any subresource of pods,  # which is consistent with the RBAC policy.  resources: ["pods"]  # Log "pods/log", "pods/status" at Metadata level  - level: Metadata  resources:  - group: ""  resources: ["pods/log", "pods/status"]   # Don't log requests to a configmap called "controller-leader"  - level: None  resources:  - group: ""  resources: ["configmaps"]  resourceNames: ["controller-leader"]   # Don't log watch requests by the "system:kube-proxy" on endpoints or services  - level: None  users: ["system:kube-proxy"]  verbs: ["watch"]  resources:  - group: "" # core API group  resources: ["endpoints", "services"]   # Don't log authenticated requests to certain non-resource URL paths.  - level: None  userGroups: ["system:authenticated"]  nonResourceURLs:  - "/api*" # Wildcard matching.  - "/version"   # Log the request body of configmap changes in kube-system.  - level: Request  resources:  - group: "" # core API group  resources: ["configmaps"]  # This rule only applies to resources in the "kube-system" namespace.  # The empty string "" can be used to select non-namespaced resources.  namespaces: ["kube-system"]   # Log configmap and secret changes in all other namespaces at the Metadata level.  - level: Metadata  resources:  - group: "" # core API group  resources: ["secrets", "configmaps"]   # Log all other resources in core and extensions at the Request level.  - level: Request  resources:  - group: "" # core API group  - group: "extensions" # Version of group should NOT be included.   # A catch-all rule to log all other requests at the Metadata level.  - level: Metadata  # Long-running requests like watches that fall under this rule will not  # generate an audit event in RequestReceived.  omitStages:  - "RequestReceived" [root@hdss7-22 conf]# vi /opt/kubernetes/server/bin/kube-apiserver.sh #!/bin/bash ./kube-apiserver \  --apiserver-count 2 \  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \  --audit-policy-file ./conf/audit.yaml \  --authorization-mode RBAC \  --client-ca-file ./cert/ca.pem \  --requestheader-client-ca-file ./cert/ca.pem \  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \  --etcd-cafile ./cert/ca.pem \  --etcd-certfile ./cert/client.pem \  --etcd-keyfile ./cert/client-key.pem \  --etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379 \  --service-account-key-file ./cert/ca-key.pem \  --service-cluster-ip-range 192.168.0.0/16 \  --service-node-port-range 3000-29999 \  --target-ram-mb=1024 \  --kubelet-client-certificate ./cert/client.pem \  --kubelet-client-key ./cert/client-key.pem \  --log-dir /data/logs/kubernetes/kube-apiserver \  --tls-cert-file ./cert/apiserver.pem \  --tls-private-key-file ./cert/apiserver-key.pem \  --v 2 [root@hdss7-22 conf]# vi /etc/supervisord.d/kube-apiserver.ini [root@hdss7-22 conf]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh [program:kube-apiserver-7-22] command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args) numprocs=1 ; number of processes copies to start (def 1) directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd) autostart=true ; start at supervisord start (default: true) autorestart=true ; retstart at unexpected quit (default: true) startsecs=30 ; number of secs prog must stay running (def. 1) startretries=3 ; max # of serial start failures (default 3) exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) stopsignal=QUIT ; signal used to kill process (default TERM) stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) user=root ; setuid to this UNIX account to run the program redirect_stderr=true ; redirect proc stderr to stdout (default false) stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) stdout_events_enabled=false ; emit events on stdout writes (default false) [root@hdss7-22 conf]# mkdir -p /data/logs/kubernetes/kube-apiserver [root@hdss7-22 conf]# supervisorctl update  [root@hdss7-22 conf]# supervisorctl status etcd-server-7-22 RUNNING pid 4264, uptime 0:51:18 kube-apiserver-7-22 RUNNING pid 4400, uptime 0:02:53 

4 hdss7-11上部署nginx

 

[root@hdss7-11 opt]# yum install nginx -y nginx四层负载，必须与http同级： [root@hdss7-11 opt]# cat /etc/nginx/nginx.conf stream {  upstream kube-apiserver {  server 192.168.12.21:6443 max_fails=3 fail_timeout=30s;  server 192.168.12.22:6443 max_fails=3 fail_timeout=30s;  }  server {  listen 7443;  proxy_connect_timeout 2s;  proxy_timeout 900s;  proxy_pass kube-apiserver;  } } [root@hdss7-11 opt]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@hdss7-11 opt]# systemctl restart nginx [root@hdss7-11 opt]# systemctl enable nginx 

5.hdss7-12安装nginx

[root@hdss7-12 certs]# yum install nginx -y [root@hdss7-12 certs]# vim /etc/nginx/nginx.conf stream {  upstream kube-apiserver {  server 192.168.12.21:6443 max_fails=3 fail_timeout=30s;  server 192.168.12.22:6443 max_fails=3 fail_timeout=30s;  }  server {  listen 7443;  proxy_connect_timeout 2s;  proxy_timeout 900s;  proxy_pass kube-apiserver;  } } [root@hdss7-12 certs]# [root@hdss7-12 certs]# [root@hdss7-12 certs]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@hdss7-12 certs]# systemctl start nginx [root@hdss7-12 certs]# systemctl enable nginx 

6.实现keep高可用

[root@hdss7-11 opt]# yum install keepalived -y [root@hdss7-11 opt]# cat /etc/keepalived/check_port.sh #!/bin/bash CHK_PORT=$1 if [ -n "$CHK_PORT" ];then  PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`  if [ $PORT_PROCESS -eq 0 ];then  echo "Port $CHK_PORT Is Not Used,End."  exit 1  fi else  echo "Check Port Cant Be Empty!" fi [root@hdss7-11 opt]# chmod +x /etc/keepalived/check_port.sh [root@hdss7-11 opt]# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalived  global_defs {  router_id 192.168.12.11  }  vrrp_script chk_nginx {  script "/etc/keepalived/check_port.sh 7443"  interval 2  weight -20 }  vrrp_instance VI_1 {  state MASTER  interface eth0  virtual_router_id 251  priority 100  advert_int 1  mcast_src_ip 192.168.12.11  nopreempt   authentication {  auth_type PASS  auth_pass 11111111  }  track_script {  chk_nginx  }  virtual_ipaddress {  192.168.12.10  } } [root@hdss7-11 opt]# systemctl start keepalived [root@hdss7-11 opt]# systemctl enable keepalived 

[root@hdss7-12 certs]# yum install keepalived -y [root@hdss7-12 certs]# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalived  global_defs {  router_id 192.168.12.11  }  vrrp_script chk_nginx {  script "/etc/keepalived/check_port.sh 7443"  interval 2  weight -20 }  vrrp_instance VI_1 {  state MASTER  interface eth0  virtual_router_id 251  priority 100  advert_int 1  mcast_src_ip 192.168.12.11  nopreempt   authentication {  auth_type PASS  auth_pass 11111111  }  track_script {  chk_nginx  }  virtual_ipaddress {  192.168.12.10  } }  [root@hdss7-12 certs]# cat /etc/keepalived/check_port.sh #!/bin/bash CHK_PORT=$1 if [ -n "$CHK_PORT" ];then  PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`  if [ $PORT_PROCESS -eq 0 ];then  echo "Port $CHK_PORT Is Not Used,End."  exit 1  fi else  echo "Check Port Cant Be Empty!" fi   [root@hdss7-12 certs]# chmod +x /etc/keepalived/check_port.sh [root@hdss7-12 certs]# systemctl start keepalived [root@hdss7-12 certs]# systemctl enable keepalived 

 原文章已同步语雀

https://www.yuque.com/songyifei/bkxwl0/dyfh00