I. Deploying the kube-controller-manager component
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
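--master: connects to the apiserver through the local insecure port 8080.
--leader-elect: when several instances of this component are started, a leader is elected automatically (HA).
--cluster-signing-cert-file / --cluster-signing-key-file: the CA that automatically issues certificates for kubelet; it must be the same CA the apiserver uses.
Note: from k8s 1.20 onward the apiserver no longer has port 8080, so replace the kube-controller-manager.conf configuration file with the one below.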
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--cluster-signing-duration=87600h0m0s"
2. Create the kubeconfig (connection) file
cat > /opt/kubernetes/cfg/kube-controller-manager.kubeconfig << EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://192.168.112.120:7443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-controller-manager
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-controller-manager
  user:
    client-certificate: /opt/kubernetes/ssl/kube-controller-manager.pem
    client-key: /opt/kubernetes/ssl/kube-controller-manager-key.pem
EOF
3. Issue the certificate
cd /root/TLS/k8s/
cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
# Copy the certificate
scp kube-controller-manager.pem kube-controller-manager-key.pem /opt/kubernetes/ssl/
4. Manage controller-manager with systemd
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
5. Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
II. Deploying the kube-scheduler component
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1"
EOF
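Note: from k8s 1.20 onward the apiserver no longer has port 8080, so replace the kube-scheduler.conf configuration file with the one below.
vim /opt/kubernetes/cfg/kube-scheduler.conf
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
--master: connects to the apiserver through the local insecure port 8080.
--leader-elect: when several instances of this component are started, a leader is elected automatically (HA).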
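The flags explained here and in the kube-controller-manager section can be checked mechanically on an existing host. The script below is an added example, not part of the original article: the function names (list_flags, flag_value, audit_opts) and the finding messages are my own, and the two sample files are shortened, constructed copies of the variants shown on this page. It reports the legacy insecure-port connection, a missing kubeconfig, a bind address other than 127.0.0.1, and the case where the service-account signing key is the same file as the CA private key.

```shell
# Added example: audit a component options file for the flags discussed above.

# Print the flags in file $1, one per line (quotes, "\" and VAR= prefix removed).
list_flags() {
    tr -d '\\"' < "$1" | tr ' ' '\n' |
        sed -n -e 's/^[A-Z_]*=--/--/' -e '/^--/p'
}

# Print the value of --$1=VALUE found in the flag list $2 (empty if absent).
flag_value() {
    printf '%s\n' "$2" | sed -n "s/^--$1=//p" | head -n 1
}

# Print one finding per line for options file $1; no output means no findings.
audit_opts() {
    flags=$(list_flags "$1")
    master=$(flag_value master "$flags")
    bind=$(flag_value bind-address "$flags")
    sa_key=$(flag_value service-account-private-key-file "$flags")
    ca_key=$(flag_value cluster-signing-key-file "$flags")
    case $master in
        *:8080) echo "$1: --master=$master uses the insecure port" ;;
    esac
    [ -n "$(flag_value kubeconfig "$flags")" ] ||
        echo "$1: no --kubeconfig, so no client certificate is presented"
    [ "$bind" = 127.0.0.1 ] ||
        echo "$1: --bind-address is '${bind:-unset}', expected 127.0.0.1"
    if [ -n "$sa_key" ] && [ "$sa_key" = "$ca_key" ]; then
        echo "$1: service-account signing key is the CA private key"
    fi
    return 0
}

# Constructed samples: shortened copies of the two file variants on this page.
demo=$(mktemp -d)
cat > "$demo/kube-scheduler.conf" << 'EOF'
KUBE_SCHEDULER_OPTS="--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
EOF
cat > "$demo/kube-controller-manager.conf" << 'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \
--bind-address=127.0.0.1 \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
EOF
audit_opts "$demo/kube-scheduler.conf"
audit_opts "$demo/kube-controller-manager.conf"
```

On a real host, point audit_opts at the files under /opt/kubernetes/cfg/ instead of the samples.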
2. Create the kubeconfig (connection) file
cat > /opt/kubernetes/cfg/kube-scheduler.kubeconfig << EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://192.168.112.120:7443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-scheduler
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-scheduler
  user:
    client-certificate: /opt/kubernetes/ssl/kube-scheduler.pem
    client-key: /opt/kubernetes/ssl/kube-scheduler-key.pem
EOF
3. Issue the certificate
cd /root/TLS/k8s/
cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
# Copy the certificate
scp kube-scheduler.pem kube-scheduler-key.pem /opt/kubernetes/ssl/
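Kubernetes takes the user name from a client certificate's CN and the group from its O field, and system:masters is the group bound to the built-in cluster-admin role, so both CSR files on this page give the component full administrative rights rather than only its own system:kube-controller-manager or system:kube-scheduler role. The script below is an added example, not part of the original article, that reads a CSR JSON file before it is signed and reports that identity; the function names (csr_field, check_csr) are my own, and the second sample is a constructed variant of the page's CSR.

```shell
# Added example: check the identity a CSR file will put into the certificate.

# Print the string value of JSON key $2 in CSR file $1 (first match).
csr_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        head -n 1
}

# check_csr FILE EXPECTED_CN: print one finding per line, nothing if clean.
check_csr() {
    cn=$(csr_field "$1" CN)    # becomes the Kubernetes user name
    org=$(csr_field "$1" O)    # becomes the Kubernetes group
    [ "$cn" = "$2" ] ||
        echo "$1: CN is '$cn', expected '$2'"
    case $org in
        system:masters)
            echo "$1: O=system:masters gives '$cn' cluster-admin rights" ;;
    esac
    return 0
}

# Sample 1: the kube-controller-manager CSR as written on this page.
csr_demo=$(mktemp -d)
cat > "$csr_demo/page.json" << 'EOF'
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "L": "BeiJing", "ST": "BeiJing",
      "O": "system:masters", "OU": "System" }
  ]
}
EOF
# Sample 2 (constructed): same subject, but O set to the component's own name.
sed 's/"O": "system:masters"/"O": "system:kube-controller-manager"/' \
    "$csr_demo/page.json" > "$csr_demo/constructed.json"

check_csr "$csr_demo/page.json" system:kube-controller-manager
check_csr "$csr_demo/constructed.json" system:kube-controller-manager
```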
4. Manage the scheduler with systemd
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
5. Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
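6. Check the cluster status
All components have now started successfully. Use kubectl to view the current status of the cluster components:
kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok
controller-manager   Healthy   ok
etcd-2               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
etcd-0               Healthy   {"health":"true"}
The output above shows that the Master node components are running normally.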