Kubernets二进制安装(7)之部署主控节点服务--apiserver二进制安装

kube-apiserver集群规划

主机名	角色	IP地址
mfyxw30.mfxyw.com	kube-apiserver主	192.168.80.30
mfyxw40.mfyxw.com	kube-apiserver从	192.168.80.40

温馨提示：这里部署文档以mfyxw30.mfyxw.com主机为例，另外两台主机安装部署方法类似

1.下载kubernetes软件

kubernetes的github链接：https://github.com/kubernetes

kubernetes-v1.15.10链接地址：https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz

可以登录mfyxw30服务器下载

wget https://dl.k8s.io/v1.15.10/kubernetes-server-linux-amd64.tar.gz

#发现国内没有办法下载。只能自己想办法了。我下载好的kubernetes-v1.15.10上传到网盘

k8s-v1.15.10网盘地址

链接：https://pan.baidu.com/s/1qL_su3YppyyBGz-loKSHfg

提取码：3kfx

2.把kubernetes上传服务器，解压，软连接

#mfyxw30和mfyxw40都需要执行此操作，以mfyxw30为例

[root@mfyxw30 ~]#tar xf kubernetes-server-linux-amd64.tar.gz -C /opt

[root@mfyxw30 ~]#cd /opt

[root@mfyxw30 opt]#mv kubernetes kubernetes-v1.15.10

[root@mfyxw30 opt]#ln -s kubernetes-v1.15.10 kubernetes

3.删除kuberneters包不需要的文件

在mfyxw30主机上删除kubernetes包不需要的文件

[root@mfyxw30 ~]#cd /opt/kubernetes/server/bin

#tar后缀的是容器镜像包，不是采用kubeadm来安装，故可以删除

[root@mfyxw30 bin]#rm -fr *.tar

[root@mfyxw30 bin]#rm -fr *_tag

#kubernetes-src.tar.gz是kubernetes的go语言写的源码包，在此用不到

[root@mfyxw30 bin]#rm -fr /opt/kubernetes/kubernetes-src.tar.gz

在mfyxw40主机上删除kubernetes包不需要的文件

[root@mfyxw40 ~]#cd /opt/kubernetes/server/bin

#tar后缀的是容器镜像包，不是采用kubeadm来安装，故可以删除

[root@mfyxw40 bin]#rm -fr *.tar

[root@mfyxw40 bin]#rm -fr *_tag

#kubernetes-src.tar.gz是kubernetes的go语言写的源码包，在此用不到

[root@mfyxw40 bin]#rm /opt/kubernetes/kubernetes-src.tar.gz

4.创建生成证书签名请求(csr)的JSON配置文件

签发Client证书：apiserver和etcd集群间通信用的证书，在这个通信过程中，etcd是服务端，apiserver是客户端

#生成client证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行

[root@mfyxw50 ~]#cat > /opt/certs/client-csr.json << EOF

{

    "CN": "k8s-node",

    "hosts": [

    ],

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "ST": "GuangDong",

            "L": "GuangZhou",

            "O": "od",

            "OU": "ops"

        }

    ]

}

EOF

5.生成client证书和私钥

#需要在签发证书主机mfyxw50上执行

[root@mfyxw50 ~]#cd /opt/certs

[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client

6.创建生成kube-apiserver证书签名请求(csr)的JSON配置文件

#生成kube-apiserver证书签名请求配置文件是需要在签发证书的mfyxw50主机上执行

[root@mfyxw50 ~]# cat > /opt/certs/apiserver-csr.json << EOF

{

    "CN": "apiserver",

    "hosts": [

        "127.0.0.1",

        "172.16.0.1",

        "kubernetes.default",

        "kubernetes.default.svc",

        "kubernetes.default.svc.cluster",

        "kubernetes.default.svc.cluster.local",

        "192.168.80.100",

        "192.168.80.20",

        "192.168.80.30",

        "192.168.80.40"

    ],

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [

        {

            "C": "CN",

            "ST": "GuangDong",

            "L": "GuangZhou",

            "O": "od",

            "OU": "ops"

        }

    ]

}

EOF

7.生成kube-apiserver证书和私钥

#需要在签发证书主机mfyxw50上执行

[root@mfyxw50 ~]#cd /opt/certs

[root@mfyxw50 certs]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssljson -bare apiserver

8.将生成的证书复制至各运算节点

#在mfyxw30主机上创建certs目录

[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/cert

#在mfyxw40主机上创建cert目录

[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/cert

#在mfyxw50(证书签发主机)上把证书和私钥分别复制至mfyxw30和mfyxw40主机下/opt/kubernetes/server/bin/cert目录

[root@mfyxw50 ~]#cd /opt/certs/

[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw30:/opt/kubernetes/server/bin/cert/

[root@mfyxw50 ~]#scp -r ca.pem ca-key.pem apiserver.pem apiserver-key.pem client.pem client-key.pem mfyxw40:/opt/kubernetes/server/bin/cert/

9.查看复制过去的私钥的权限

#分别需要在mfyxw30和mfyxw40主机上查看，在此以mfyxw30截图为例,如果权限不是600，请修改为600

[root@mfyxw30 ~]#ls -l /opt/kubernetes/server/bin/cert/

[root@mfyxw40 ~]#ls -l /opt/kubernetes/server/bin/cert/

10.创建审计日志记录和采集配置文件

分别在mfyxw30和mfyxw40的路径/opt/kubernetes/server/bin/下创建conf目录

[root@mfyxw30 ~]#mkdir -p /opt/kubernetes/server/bin/conf

[root@mfyxw40 ~]#mkdir -p /opt/kubernetes/server/bin/conf

1.在mfyxw30主机上创建审计日志记录和采集配置文件

[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF

apiVersion: audit.k8s.io/v1beta1 # This is required.

kind: Policy

# Don't generate audit events for all requests in RequestReceived stage.

omitStages:

  - "RequestReceived"

rules:

  # Log pod changes at RequestResponse level

  - level: RequestResponse

    resources:

    - group: ""

      # Resource "pods" doesn't match requests to any subresource of pods,

      # which is consistent with the RBAC policy.

      resources: ["pods"]

  # Log "pods/log", "pods/status" at Metadata level

  - level: Metadata

    resources:

    - group: ""

      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"

  - level: None

    resources:

    - group: ""

      resources: ["configmaps"]

      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services

  - level: None

    users: ["system:kube-proxy"]

    verbs: ["watch"]

    resources:

    - group: "" # core API group

      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.

  - level: None

    userGroups: ["system:authenticated"]

    nonResourceURLs:

    - "/api*" # Wildcard matching.

    - "/version"

  # Log the request body of configmap changes in kube-system.

  - level: Request

    resources:

    - group: "" # core API group

      resources: ["configmaps"]

    # This rule only applies to resources in the "kube-system" namespace.

    # The empty string "" can be used to select non-namespaced resources.

    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.

  - level: Metadata

    resources:

    - group: "" # core API group

      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.

  - level: Request

    resources:

    - group: "" # core API group

    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.

  - level: Metadata

    # Long-running requests like watches that fall under this rule will not

    # generate an audit event in RequestReceived.

    omitStages:

      - "RequestReceived"

EOF

2.在mfyxw40主机上创建审计日志记录和采集配置文件

[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/conf/audit.yaml << EOF

apiVersion: audit.k8s.io/v1beta1 # This is required.

kind: Policy

# Don't generate audit events for all requests in RequestReceived stage.

omitStages:

  - "RequestReceived"

rules:

  # Log pod changes at RequestResponse level

  - level: RequestResponse

    resources:

    - group: ""

      # Resource "pods" doesn't match requests to any subresource of pods,

      # which is consistent with the RBAC policy.

      resources: ["pods"]

  # Log "pods/log", "pods/status" at Metadata level

  - level: Metadata

    resources:

    - group: ""

      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"

  - level: None

    resources:

    - group: ""

      resources: ["configmaps"]

      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services

  - level: None

    users: ["system:kube-proxy"]

    verbs: ["watch"]

    resources:

    - group: "" # core API group

      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.

  - level: None

    userGroups: ["system:authenticated"]

    nonResourceURLs:

    - "/api*" # Wildcard matching.

    - "/version"

  # Log the request body of configmap changes in kube-system.

  - level: Request

    resources:

    - group: "" # core API group

      resources: ["configmaps"]

    # This rule only applies to resources in the "kube-system" namespace.

    # The empty string "" can be used to select non-namespaced resources.

    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.

  - level: Metadata

    resources:

    - group: "" # core API group

      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.

  - level: Request

    resources:

    - group: "" # core API group

    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.

  - level: Metadata

    # Long-running requests like watches that fall under this rule will not

    # generate an audit event in RequestReceived.

    omitStages:

      - "RequestReceived"

EOF

11.创建kube-apiserver启动脚本

在主机mfyxw30上创建kube-apiserver启动脚本

[root@mfyxw30 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF

#!/bin/bash

./kube-apiserver \

  --apiserver-count 2 \

  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \

  --audit-policy-file ./conf/audit.yaml \

  --authorization-mode RBAC \

  --client-ca-file ./cert/ca.pem \

  --requestheader-client-ca-file ./cert/ca.pem \

  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \

  --etcd-cafile ./cert/ca.pem \

  --etcd-certfile ./cert/client.pem \

  --etcd-keyfile ./cert/client-key.pem \

  --etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379 \

  --service-account-key-file ./cert/ca-key.pem \

  --service-cluster-ip-range 172.16.0.0/16 \

  --service-node-port-range 3000-29999 \

  --target-ram-mb=1024 \

  --kubelet-client-certificate ./cert/client.pem \

  --kubelet-client-key ./cert/client-key.pem \

  --log-dir  /data/logs/kubernetes/kube-apiserver \

  --tls-cert-file ./cert/apiserver.pem \

  --tls-private-key-file ./cert/apiserver-key.pem \

  --v 2

EOF

在主机mfyxw40上创建kube-apiserver启动脚本

[root@mfyxw40 ~]#cat > /opt/kubernetes/server/bin/kube-apiserver.sh << EOF

#!/bin/bash

./kube-apiserver \

  --apiserver-count 2 \

  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \

  --audit-policy-file ./conf/audit.yaml \

  --authorization-mode RBAC \

  --client-ca-file ./cert/ca.pem \

  --requestheader-client-ca-file ./cert/ca.pem \

  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \

  --etcd-cafile ./cert/ca.pem \

  --etcd-certfile ./cert/client.pem \

  --etcd-keyfile ./cert/client-key.pem \

  --etcd-servers https://192.168.80.20:2379,https://192.168.80.30:2379,https://192.168.80.40:2379 \

  --service-account-key-file ./cert/ca-key.pem \

  --service-cluster-ip-range 172.16.0.0/16 \

  --service-node-port-range 3000-29999 \

  --target-ram-mb=1024 \

  --kubelet-client-certificate ./cert/client.pem \

  --kubelet-client-key ./cert/client-key.pem \

  --log-dir  /data/logs/kubernetes/kube-apiserver \

  --tls-cert-file ./cert/apiserver.pem \

  --tls-private-key-file ./cert/apiserver-key.pem \

  --v 2

EOF

12.调整权限和创建存放kupe-apiserver日志的目录

分别在mfyxw30和mfyxw40主机上对kube-apiserver.sh文件添加可执行权限，并创建存放kube-apiserver的日志文件的目录，以mfyxw30的截图为例

[root@mfyxw30 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh

[root@mfyxw30 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver

[root@mfyxw40 ~]#chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh

[root@mfyxw40 ~]#mkdir -p /data/logs/kubernetes/kube-apiserver

13.创建supervisor配置文件

为mfyxw30主机创建supervisor配置文件

[root@mfyxw30 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF

[program:kube-apiserver-80-30]

command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)

numprocs=1                                                      ; number of processes copies to start (def 1)

directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)

autostart=true                                                  ; start at supervisord start (default: true)

autorestart=true                                                ; retstart at unexpected quit (default: true)

startsecs=30                                                    ; number of secs prog must stay running (def. 1)

startretries=3                                                  ; max # of serial start failures (default 3)

exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)

stopsignal=QUIT                                                 ; signal used to kill process (default TERM)

stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)

user=root                                                       ; setuid to this UNIX account to run the program

redirect_stderr=false                                           ; redirect proc stderr to stdout (default false)

stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stdout log path, NONE for none; default AUTO

stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)

stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)

stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)

stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log        ; stderr log path, NONE for none; default AUTO

stderr_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)

stderr_logfile_backups=4                                        ; # of stderr logfile backups (default 10)

stderr_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)

stderr_events_enabled=false                                     ; emit events on stderr writes (default false)

EOF

为mfyxw40主机创建supervisor配置文件

[root@mfyxw40 ~]#cat > /etc/supervisord.d/kube-apiserver.ini << EOF

[program:kube-apiserver-80-40]

command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)

numprocs=1                                                      ; number of processes copies to start (def 1)

directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)

autostart=true                                                  ; start at supervisord start (default: true)

autorestart=true                                                ; retstart at unexpected quit (default: true)

startsecs=30                                                    ; number of secs prog must stay running (def. 1)

startretries=3                                                  ; max # of serial start failures (default 3)

exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)

stopsignal=QUIT                                                 ; signal used to kill process (default TERM)

stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)

user=root                                                       ; setuid to this UNIX account to run the program

redirect_stderr=false                                           ; redirect proc stderr to stdout (default false)

stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stdout log path, NONE for none; default AUTO

stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)

stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)

stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)

stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log        ; stderr log path, NONE for none; default AUTO

stderr_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)

stderr_logfile_backups=4                                        ; # of stderr logfile backups (default 10)

stderr_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)

stderr_events_enabled=false                                     ; emit events on stderr writes (default false)

EOF

14.启动supervisor服务并检查

在mfyxw30主机上，启动supervisor服务并检查，以mfyxw30图片为例，另一台机器同样方法启动服务和查看

[root@mfyxw30 ~]#supervisorctl update

[root@mfyxw30 ~]#supervisorctl status

[root@mfyxw30 ~]# netstat -luntp | grep api

在mfyxw40主机上，启动supervisor服务并检查

[root@mfyxw40 ~]#supervisorctl update

[root@mfyxw40 ~]#supervisorctl status

[root@mfyxw40 ~]# netstat -luntp | grep api