一、安裝部署kube-apiserver
獲取最新更新以及文章用到的軟件包,請移步點擊:查看更新
1、生成kube-apiserver證書,自簽證書頒發機構(CA)
cd ~/TLS/k8s cat > ca-config.json << EOF { "signing": { "default": { "expiry": "175200h" }, "profiles": { "kubernetes": { "expiry": "175200h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json << EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - 生成證書 ls *pem ca-key.pem ca.pem
2、創建證書申請文件,使用自簽CA簽發kube-apiserver HTTPS證書
cd ~/TLS/k8s cat > server-csr.json << EOF { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.112.110", "192.168.112.111", "192.168.112.112", "192.168.112.113", "192.168.112.114", "192.168.112.115", "192.168.112.120", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server 生成證書 ls server*pem server-key.pem server.pem
上述文件hosts字段中IP為所有Master/LB/VIP IP,一個都不能少!為了方便后期擴容可以多寫幾個預留的IP。
3、下載二進制包
下載地址: https://storage.googleapis.com/kubernetes-release/release/v1.20.4/kubernetes-server-linux-amd64.tar.gz
4、解壓二進制包
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} tar zxvf kubernetes-server-linux-amd64.tar.gz cd kubernetes/server/bin cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin cp kubectl /usr/bin/
5、創建kube-apiserver配置文件
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF KUBE_APISERVER_OPTS="--logtostderr=false \\ --v=2 \\ --log-dir=/opt/kubernetes/logs \\ --etcd-servers=https://192.168.112.110:2379,https://192.168.112.111:2379,https://192.168.112.112:2379 \\ --bind-address=192.168.112.110 \\ --secure-port=6443 \\ --advertise-address=192.168.112.110 \\ --allow-privileged=true \\ --service-cluster-ip-range=10.0.0.0/24 \\ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\ --authorization-mode=RBAC,Node \\ --enable-bootstrap-token-auth=true \\ --token-auth-file=/opt/kubernetes/cfg/token.csv \\ --service-node-port-range=30000-32767 \\ --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\ --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\ --tls-cert-file=/opt/kubernetes/ssl/server.pem \\ --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\ --client-ca-file=/opt/kubernetes/ssl/ca.pem \\ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\ --etcd-cafile=/opt/kubernetes/ssl/etcd/ca.pem \\ --etcd-certfile=/opt/kubernetes/ssl/etcd/server.pem \\ --etcd-keyfile=/opt/kubernetes/ssl/etcd/server-key.pem \\ --service-account-issuer=api \\ --service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \\ --requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \\ --proxy-client-cert-file=/opt/kubernetes/ssl/server.pem \\ --proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \\ --requestheader-allowed-names=kubernetes \\ --requestheader-extra-headers-prefix=X-Remote-Extra- \\ --requestheader-group-headers=X-Remote-Group \\ --requestheader-username-headers=X-Remote-User \\ --enable-aggregator-routing=true \\ --audit-log-maxage=30 \\ --audit-log-maxbackup=3 \\ --audit-log-maxsize=100 \\ --audit-log-path=/opt/kubernetes/logs/k8s-audit.log" EOF 注:上面兩個\ \ 第一個是轉義符,第二個是換行符,使用轉義符是為了使用EOF保留換行符。 –logtostderr:啟用日志 —v:日志等級 –log-dir:日志目錄 –etcd-servers:etcd集群地址 –bind-address:監聽地址 –secure-port:https安全端口 –advertise-address:集群通告地址 –allow-privileged:啟用授權 –service-cluster-ip-range:Service虛擬IP地址段 –enable-admission-plugins:准入控制模塊 –authorization-mode:認證授權,啟用RBAC授權和節點自管理 –enable-bootstrap-token-auth:啟用TLS bootstrap機制 –token-auth-file:bootstrap token文件 –service-node-port-range:Service nodeport類型默認分配端口范圍 –kubelet-client-xxx:apiserver訪問kubelet客戶端證書 –tls-xxx-file:apiserver https證書 –etcd-xxxfile:連接Etcd集群證書 –audit-log-xxx:審計日志
6、拷貝剛才生成的證書
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
7、systemd管理apiserver
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF
8、啟用 TLS Bootstrapping 機制
TLS Bootstraping:Master apiserver啟用TLS認證后,Node節點kubelet和kube-proxy要與kube-apiserver進行通信,必須使用CA簽發的有效證書才可以,當Node節點很多時,這種客戶端證書頒發需要大量工作,同樣也會增加集群擴展復雜度。為了簡化流程,Kubernetes引入了TLS bootstraping機制來自動頒發客戶端證書,kubelet會以一個低權限用戶自動向apiserver申請證書,kubelet的證書由apiserver動態簽署。所以強烈建議在Node上使用這種方式,目前主要用於kubelet,kube-proxy還是由我們統一頒發一個證書。
TLS bootstraping 工作流程:
1)創建上述配置文件中token文件:
cat > /opt/kubernetes/cfg/token.csv << EOF c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper" EOF
格式:token,用戶名,UID,用戶組,
token也可自行生成替換:
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
2)簽發admin證書
cd ~/TLS/k8s cat > admin-csr.json << EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin cp admin.pem admin-key.pem /opt/kubernetes/ssl
3)創建config文件
mkdir /root/.kube/ && cd /root/.kube/ cat > config << EOF apiVersion: v1 clusters: - cluster: certificate-authority: /opt/kubernetes/ssl/ca.pem server: https://192.168.112.120:7443 name: kubernetes contexts: - context: cluster: kubernetes user: admin name: default current-context: default kind: Config preferences: {} users: - name: admin user: client-certificate: /opt/kubernetes/ssl/admin.pem client-key: /opt/kubernetes/ssl/admin-key.pem EOF
9、拷貝安裝文件至另一台master節點上
scp -r /opt/kubernetes/ root@192.168.112.111:/opt scp -r /root/.kube/config root@192.168.112.111:/root/.kube scp /usr/lib/systemd/system/kube-apiserver.service root@192.168.112.111:/usr/lib/systemd/system/
注意:從節點記得修改kube-apiserver.conf中的主機IP地址
10、啟動並設置開機啟動
systemctl daemon-reload
systemctl start kube-apiserver systemctl enable kube-apiserver
二、安裝nginx和keepalived,對apiserver做高可用負載
1、在兩台master節點安裝nginx
1)編輯yum文件
vim /etc/yum.repos.d/nginx.repo [nginx-stable] name=nginx stable repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=1 enabled=1 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true [nginx-mainline] name=nginx mainline repo baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/ gpgcheck=1 enabled=0 gpgkey=https://nginx.org/keys/nginx_signing.key module_hotfixes=true
2)安裝最新版nginx
yum install nginx -y
2、編輯nginx配置文件,nginx四層負載,必須與http同級
vi /etc/nginx/nginx.conf stream { upstream kube-apiserver { server 192.168.112.110:6443 max_fails=3 fail_timeout=30s; server 192.168.112.111:6443 max_fails=3 fail_timeout=30s; } server { listen 7443; proxy_connect_timeout 2s; proxy_timeout 900s; proxy_pass kube-apiserver; } }
3、啟動nginx
nginx -t
systemctl start nginx
systemctl enable nginx
4、部署keepalived實現高可用
yum install keepalived -y
5、編寫keepalived監控腳本
vi /etc/keepalived/check_port.sh #!/bin/bash #keepalived 監控端口腳本 #使用方法: #在keepalived的配置文件中 #vrrp_script check_port {#創建一個vrrp_script腳本,檢查配置 # script "/etc/keepalived/check_port.sh 6379" #配置監聽的端口 # interval 2 #檢查腳本的頻率,單位(秒) #} CHK_PORT=$1 if [ -n "$CHK_PORT" ];then PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l` if [ $PORT_PROCESS -eq 0 ];then echo "Port $CHK_PORT Is Not Used,End." exit 1 fi else echo "Check Port Cant Be Empty!" fi
6、對監控腳本授權
chmod +x /etc/keepalived/check_port.sh
7、編輯keepalived配置文件,注意主從配置文件不一樣
vi /etc/keepalived/keepalived.conf 主: ! Configuration File for keepalived global_defs { router_id 192.168.112.110 } vrrp_script chk_nginx { script "/etc/keepalived/check_port.sh 7443" interval 2 weight -20 } vrrp_instance VI_1 { state MASTER interface ens192 修改網卡名字 virtual_router_id 251 priority 100 advert_int 1 mcast_src_ip 192.168.112.110 nopreempt #非搶占式 ,當主節點掛了以后,從節點vip飄到從上,主節點恢復以后,不主動飄回主,需要手動重啟keepalived authentication { auth_type PASS auth_pass 11111111 } track_script { chk_nginx } virtual_ipaddress { 192.168.112.120 } } 從: ! Configuration File for keepalived global_defs { router_id 192.168.112.111 } vrrp_script chk_nginx { script "/etc/keepalived/check_port.sh 7443" interval 2 weight -20 } vrrp_instance VI_1 { state BACKUP interface ens192 修改網卡名字 virtual_router_id 251 mcast_src_ip 192.168.112.111 priority 90 advert_int 1 authentication { auth_type PASS auth_pass 11111111 } track_script { chk_nginx } virtual_ipaddress { 192.168.112.120 } }
8、啟動keepalived並配置開機自啟
systemctl start keepalived
systemctl enable keepalived
9、檢查VIP情況
如果keepalived出現腦裂問題,兩台上面都有vip,可以加入以下配置,將多播修改成單播
至此,apiserver部署完成,並且配置了負載高可用。
10、授權kubelet-bootstrap用戶允許請求證書
kubectl create clusterrolebinding kubelet-bootstrap \ --clusterrole=system:node-bootstrapper \ --user=kubelet-bootstrap