默認2個參數就可以啟動(必需)
# Minimal start: only these two flags are required.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  # plain http to etcd: no transport encryption and no client-cert auth on this hop
  --etcd-servers=http://192.168.14.132:2379
)
kube-apiserver "${api_args[@]}"
默認 http 監聽 127.0.0.1:8080，https 監聽 0.0.0.0:6443
設置insecure-bind-address(默認127.0.0.1)
# Same minimal start, but the insecure (http) listener is moved off loopback.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  --etcd-servers=http://192.168.14.132:2379
  # 0.0.0.0 exposes the insecure port on every interface; that port performs
  # no authentication or authorization, so keep the default 127.0.0.1 unless
  # the host is isolated (lab use only).
  --insecure-bind-address=0.0.0.0
)
kube-apiserver "${api_args[@]}"
設置訪問api的日志
# Minimal start plus an audit log of API requests.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  --etcd-servers=http://192.168.14.132:2379
  # audit log written under /root; no rotation flags here, so it grows unbounded
  --audit-log-path=/root/apiserver.log
)
kube-apiserver "${api_args[@]}"
開啟記錄general日志(修改非安全ip)
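# General (klog) logging example.
# The original put a comment after the trailing `\`; bash then treats `\ ` as an
# escaped space, the comment words become extra arguments, the continuation is
# broken and `--v=2` runs as a separate command. The note is kept here instead:
# --logtostderr: log to standard error instead of files (default true).
kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://127.0.0.1:2379 \
  --insecure-bind-address=0.0.0.0 \
  --logtostderr=false \
  --v=2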
--v=0的時候日志很少,--v=2日志較多
將general日志記錄到文件
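# General log to a directory plus an audit log.
# The original had no `\` after `--v=2`, so `--audit-log-path=...` was executed
# as a separate command and never reached kube-apiserver; the continuation is
# restored so the audit flag is actually applied.
kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://192.168.14.132:2379 \
  --insecure-bind-address=0.0.0.0 \
  --logtostderr=false \
  --log-dir=/root/logs \
  --v=2 \
  --audit-log-path=/root/apiserver.log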
這里如果--v=2時候,感覺audit日志也被general日志包含了.(上面 --v=2 后面少了 `\`,--audit-log-path 實際上沒有傳給 kube-apiserver,可能是這個原因.)
audit和logtostderr分別都不設置,則啥都不記錄.
設置swagger(默認關閉)
# Enable the swagger UI (off by default) together with an audit log.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  --etcd-servers=http://192.168.14.132:2379
  --insecure-bind-address=0.0.0.0
  # the UI is then reachable unauthenticated on the insecure port (see URL below)
  --enable-swagger-ui=true
  --audit-log-path=/root/apiserver.log
)
kube-apiserver "${api_args[@]}"
http://192.168.14.132:8080/swagger-ui/
稍微完善點的寫法
# More complete variant: rotated audit log, general log to stderr.
# Note: still no authentication/authorization/TLS flags; those are shown in the
# annotated unit file further down this page.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  --etcd-servers=http://192.168.14.132:2379
  --enable-swagger-ui=true
  --audit-log-path=/var/log/kubernetes/apiserver.log
  # rotate at 100MB, keep 3 old files, drop files older than 30 days
  --audit-log-maxsize=100
  --audit-log-maxbackup=3
  --audit-log-maxage=30
  --event-ttl=1h
  --logtostderr=true
  --v=2
)
kube-apiserver "${api_args[@]}"
# Same as the previous variant, but the general log goes to a directory
# instead of stderr.
api_args=(
  --service-cluster-ip-range=10.254.0.0/16
  --etcd-servers=http://192.168.14.132:2379
  --enable-swagger-ui=true
  --audit-log-path=/var/log/kubernetes/apiserver.log
  # rotate at 100MB, keep 3 old files, drop files older than 30 days
  --audit-log-maxsize=100
  --audit-log-maxbackup=3
  --audit-log-maxage=30
  --event-ttl=1h
  --logtostderr=false
  --log-dir=/root/logs
  --v=2
)
kube-apiserver "${api_args[@]}"
kube-apiserver參數解析(下面的unit文件只是帶注釋的說明:行內注釋和 `\\(...)` 之類的寫法會打斷續行,實際使用時要去掉;另外非安全端口不做認證和授權,--insecure-bind-address 只在隔離環境里才能綁到非回環地址)
參考: https://kubernetes.io/docs/reference/generated/kube-apiserver/
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
cat > kube-apiserver.service <<EOF
...
[Service]
ExecStart=/usr/local/bin/kube-apiserver \\
#++++++++++++++++++++++++++++++++++++++++++
#必需區
#++++++++++++++++++++++++++++++++++++++++++
--service-cluster-ip-range=10.254.0.0/16 \\
--etcd-servers=http://192.168.14.132:2379
#++++++++++++++++++++++++++++++++++++++++++
# 監聽ip區---http https 監聽的ip+port
#++++++++++++++++++++++++++++++++++++++++++
--apiserver-count=3 \\(default 1)
--advertise-address=192.168.14.132 \\ #告訴別人在我是誰[ members of the cluster][默認 --bind-address]
--insecure-bind-address=192.168.14.132 \\ #非安全端口監聽的ip(default 127.0.0.1)
--insecure-port=8080 \\ # 非安全端口監聽的端口(默認8080)
--bind-address=0.0.0.0 \\ # 安全端口監聽的ip(default 0.0.0.0)
--secure-port=6443 \\ # 安全端口(默認6443)
--service-node-port-range=30000-65535 \\(default 30000-32767)
--runtime-config=rbac.authorization.k8s.io/v1alpha1 \\ # 打開或關閉針對某個api版本支持
#++++++++++++++++++++++++++++++++++++++++++
# 授權區----授權模式 准入插件 是否允許容器特權
#++++++++++++++++++++++++++++++++++++++++++
--authorization-mode=RBAC \\ # 授權模式(default "AlwaysAllow")
--admission-control=ServiceAccount,DefaultStorageClass,ResourceQuota(基於pod和容器的配額),LimitRanger(基於ns的配額),NamespaceLifecycle(隨着ns被刪其包含的資源也被刪除) \\ 值得注意的是他還有 AlwaysPullImages這個控制參數
--allow-privileged=true \\ # docker run --privileged [default=false]
--enable-swagger-ui=true \\
#Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' namespace to be used for TLS bootstrapping authentication.
--experimental-bootstrap-token-auth \\
#(If set, the file that will be used to secure the secure port of the API server via token authentication.)
--token-auth-file=/etc/kubernetes/token.csv \\
#++++++++++++++++++++++++++++++++++++++++++
# 證書區 (--service-account-key-file 建議使用獨立於CA的密鑰對,不要復用 ca.key:否則CA私鑰泄露即可偽造service account token)
#++++++++++++++++++++++++++++++++++++++++++
--client-ca-file=/etc/kubernetes/ssl/ca.crt \\
--service-account-key-file=/etc/kubernetes/ssl/ca.key \\
--tls-cert-file=/etc/kubernetes/ssl/server.crt \\
--tls-private-key-file=/etc/kubernetes/ssl/server.key \\
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \\
--etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \\
--etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \\
--etcd-servers=https://192.168.14.132:2379,https://192.168.14.133:2379,https://192.168.14.134:2379 \\
#++++++++++++++++++++++++++++++++++++++++++
# 日志區
#++++++++++++++++++++++++++++++++++++++++++
--audit-log-path=/var/log/kubernetes/apiserver.log \\ #審計日志路徑
--audit-log-maxsize=100 \\#日志文件最大大小(單位MB),超過后自動做輪轉(默認為100MB)
--audit-log-maxbackup=3 \\#舊日志文件最多保留個數
--audit-log-maxage=30 \\ #舊日志最長保留天數
--event-ttl=1h \\
--logtostderr=false \\ #不輸出到
--log-dir=/root/logs \\ 輸出到文件夾
--v=2 #級別0比級別2輸出的日志少