I. Deploying kube-controller-manager
The components used in this article can be downloaded from Aliyun Drive: https://www.aliyundrive.com/s/NYFaoRRQEgh ; if you still need to register, use this invitation link: https://pages.aliyundrive.com/mobile-page/web/beinvited.html?code=e01ec49
Backup link: https://pan.baidu.com/s/1ujyUcTE5MyMycczOx9FG_A
Extraction code: vm1s
1. Create the CSR request file
cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "127.0.0.1",
    "192.168.112.131",
    "192.168.112.132",
    "192.168.112.133",
    "192.168.112.134",
    "192.168.112.135",
    "192.168.112.136",
    "192.168.112.130"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Sichuan",
      "L": "Chengdu",
      "O": "system:kube-controller-manager",
      "OU": "system"
    }
  ]
}
EOF

# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
Note:
The hosts list contains the IPs of all kube-controller-manager nodes;
CN is system:kube-controller-manager and O is system:kube-controller-manager. The apiserver takes the user name from the CN and the groups from the O values of a client certificate, so the built-in Kubernetes ClusterRoleBinding system:kube-controller-manager grants this identity exactly the permissions kube-controller-manager needs to work.
2. Create the kube-controller-manager kubeconfig
# Set cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.112.130:7443 --kubeconfig=kube-controller-manager.kubeconfig
# Set client authentication parameters
kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
# Set context parameters
kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
# Set the default context
kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
3. Create the configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--secure-port=10257 \\
--bind-address=127.0.0.1 \\
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \\
--service-cluster-ip-range=10.255.0.0/16 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.0.0.0/16 \\
--experimental-cluster-signing-duration=175200h \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--leader-elect=true \\
--feature-gates=RotateKubeletServerCertificate=true \\
--controllers=*,bootstrapsigner,tokencleaner \\
--horizontal-pod-autoscaler-use-rest-clients=true \\
--horizontal-pod-autoscaler-sync-period=10s \\
--tls-cert-file=/opt/kubernetes/ssl/kube-controller-manager.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/kube-controller-manager-key.pem \\
--use-service-account-credentials=true \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/opt/kubernetes/logs \\
--v=2"
EOF
The double backslashes are intentional: the EOF delimiter is unquoted, so the shell turns each "\\" into a single "\" in the written file, which is the line continuation systemd expects in an EnvironmentFile.
4. Create the service file
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
The dollar sign is escaped so that the unquoted heredoc does not expand the (empty) shell variable and the unit file keeps the literal $KUBE_CONTROLLER_MANAGER_OPTS reference.
5. Sync the files to each node
cp kube-controller-manager*.pem /opt/kubernetes/ssl/
cp kube-controller-manager.kubeconfig /opt/kubernetes/cfg
scp kube-controller-manager*.pem root@192.168.112.132:/opt/kubernetes/ssl/
scp kube-controller-manager.kubeconfig root@192.168.112.132:/opt/kubernetes/cfg
6. Start the service
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
systemctl status kube-controller-manager
II. Deploying kube-scheduler
1. Create the CSR request file
cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "127.0.0.1",
    "192.168.112.131",
    "192.168.112.132",
    "192.168.112.133",
    "192.168.112.134",
    "192.168.112.135",
    "192.168.112.136",
    "192.168.112.130"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Sichuan",
      "L": "Chengdu",
      "O": "system:kube-scheduler",
      "OU": "system"
    }
  ]
}
EOF

# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
Note:
The hosts list contains the IPs of all kube-scheduler nodes;
CN is system:kube-scheduler and O is system:kube-scheduler. The built-in Kubernetes ClusterRoleBinding system:kube-scheduler grants this identity the permissions kube-scheduler needs to work.
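cfssl does not tell you whether the subject it wrote is the one the ClusterRoleBindings expect, and the apiserver derives the user name from the certificate CN and the groups from its O values, so a typo in either field silently leaves the component unauthorized. The helpers below are an added example (not part of the original post) that read those fields back with openssl and verify the chain against ca.pem before the files for kube-controller-manager or kube-scheduler are copied into /opt/kubernetes. They assume openssl is installed and that the files sit in the current directory, as in the cfssl commands above.

```shell
# Added example, not from the original post. The apiserver maps a client
# certificate to user name = CN and groups = O values, so the built-in
# ClusterRoleBinding only matches when those fields hold the exact
# component name. These helpers read them back and verify the chain.
# Assumes openssl is installed; file names follow the cfssl steps above.

# Subject of a PEM certificate as one comma-separated RFC 2253 line.
cert_subject() {   # $1 = certificate file
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# CN of the certificate (the user name the apiserver will see).
cert_cn() {   # $1 = certificate file
  cert_subject "$1" | tr ',' '\n' | sed -n 's/^CN=//p'
}

# O values of the certificate (the groups the apiserver will see), one per line.
cert_orgs() {   # $1 = certificate file
  cert_subject "$1" | tr ',' '\n' | sed -n 's/^O=//p'
}

# Exit 0 only when the certificate chains to the CA and both CN and one O
# equal the expected component identity; prints the first problem found.
check_component_cert() {   # $1 = ca.pem, $2 = certificate, $3 = expected identity
  ca=$1; cert=$2; expected=$3
  openssl verify -CAfile "$ca" "$cert" > /dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  [ "$(cert_cn "$cert")" = "$expected" ] \
    || { echo "FAIL: CN is '$(cert_cn "$cert")', expected '$expected'"; return 1; }
  cert_orgs "$cert" | grep -qx "$expected" \
    || { echo "FAIL: no O value equals '$expected'"; return 1; }
  echo "ok: $cert identifies as user and group $expected"
}

# Usage, in the directory holding ca.pem and the cfssl output:
#   check_component_cert ca.pem kube-controller-manager.pem system:kube-controller-manager
#   check_component_cert ca.pem kube-scheduler.pem system:kube-scheduler
```

Run the check on each master before the scp step; a failure here is cheaper to fix than a controller that starts, authenticates, and then logs "forbidden" on every list/watch.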
2. Create the kube-scheduler kubeconfig
# Set cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.112.130:7443 --kubeconfig=kube-scheduler.kubeconfig
# Set client authentication parameters
kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
# Set context parameters
kubectl config set-context system:kube-scheduler --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
# Set the default context
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
3. Create the configuration file
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--address=127.0.0.1 \
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \
--leader-elect=true \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/opt/kubernetes/logs \
--v=2"
EOF
Here a single backslash is used: inside the unquoted heredoc the shell consumes "\" together with the newline, so the written file holds all flags on one line, which systemd accepts just as well as the continued form used for kube-controller-manager.
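The kube-controller-manager and kube-scheduler config heredocs above write their line continuations differently ("\\" in one, "\" in the other), which is a common source of confusion when the resulting files look unlike each other. The following added example (not from the original post) writes a trimmed copy of the kube-scheduler variable both ways into a temporary directory and reads back what systemd would see, so you can confirm the two forms yield the same option string; it uses only POSIX tools and assumes mktemp is available.

```shell
# Added example, not from the original post: shows what the shell does with
# the two continuation styles used in the config heredocs above. The EOF
# delimiter is unquoted, so the shell processes backslashes: "\" followed by
# newline is removed (the lines are joined), while "\\" writes a literal "\"
# that systemd's EnvironmentFile treats as its own line continuation.
# The variable and flags are a trimmed copy of kube-scheduler.conf.

# Write the file the way kube-scheduler.conf above does (single "\").
write_single_backslash() {   # $1 = output path
  cat > "$1" << EOF
KUBE_SCHEDULER_OPTS="--address=127.0.0.1 \
--leader-elect=true \
--v=2"
EOF
}

# Write the file the way kube-controller-manager.conf above does ("\\").
write_double_backslash() {   # $1 = output path
  cat > "$1" << EOF
KUBE_SCHEDULER_OPTS="--address=127.0.0.1 \\
--leader-elect=true \\
--v=2"
EOF
}

# Number of physical lines the written file ended up with.
line_count() { wc -l < "$1" | tr -d ' '; }

# The option string as systemd sees it: join "\"-continued lines, strip the
# NAME=" prefix and the closing quote, squeeze runs of spaces.
joined_value() {   # $1 = conf file
  sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" \
    | sed -e 's/^[A-Z_]*="//' -e 's/"$//' | tr -s ' '
}

tmp=$(mktemp -d)
write_single_backslash "$tmp/single.conf"
write_double_backslash "$tmp/double.conf"
echo "single backslash: $(line_count "$tmp/single.conf") line(s) in file"   # 1
echo "double backslash: $(line_count "$tmp/double.conf") line(s) in file"   # 3
echo "single: $(joined_value "$tmp/single.conf")"
echo "double: $(joined_value "$tmp/double.conf")"
rm -rf "$tmp"
```

Both variants print the same "--address=127.0.0.1 --leader-elect=true --v=2"; only the on-disk layout differs. If you ever quote the delimiter ('EOF'), the shell stops processing backslashes and "\\" would land in the file verbatim, which systemd does not treat as a continuation.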
4. Create the service file
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
5. Sync the files to each node
cp kube-scheduler*.pem /opt/kubernetes/ssl/
cp kube-scheduler.kubeconfig /opt/kubernetes/cfg
scp kube-scheduler*.pem root@192.168.112.132:/opt/kubernetes/ssl/
scp kube-scheduler.kubeconfig root@192.168.112.132:/opt/kubernetes/cfg
scp /usr/lib/systemd/system/kube-scheduler.service root@192.168.112.132:/usr/lib/systemd/system/
6. Start the service
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler
systemctl status kube-scheduler
III. Deploying kubelet
1. Generate the kubelet-bootstrap file
# Create kubelet-bootstrap.kubeconfig
BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /opt/kubernetes/cfg/token.csv)
# Set cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.112.131:6443 --kubeconfig=kubelet-bootstrap.kubeconfig
# Set client authentication parameters
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig
# Set context parameters
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig
# Create the role binding: the bootstrap user may only submit node CSRs, nothing more
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
2. Create the configuration file
cat > kubelet.json << EOF
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/opt/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "192.168.112.131",
  "port": 10250,
  "readOnlyPort": 10255,
  "cgroupDriver": "systemd",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.255.0.2"]
}
EOF
Note:
"address" must be changed to the IP address of each node.
If Docker's cgroup driver is cgroupfs, change "cgroupDriver" to cgroupfs. This setting is very important; otherwise the node will not be able to join the cluster later.
kubelet.json must be plain JSON: do not write comments into the file, as they easily cause parse errors.
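Two of the notes above are easy to get wrong on a node you cannot see: the cgroupDriver must match what Docker reports, and a stray comment makes the file unparseable. The following added example (not part of the original post) checks the written kubelet.json for both, and additionally reports whether anonymous access is off and whether the unauthenticated read-only port is still open. It relies on the key layout used above (one key per line, "anonymous" containing only "enabled"); the "docker info" command is real but is only run when you call the check on a node.

```shell
# Added example, not from the original post. Checks the kubelet.json written
# above against Docker's cgroup driver and the security-relevant settings.
# Assumes the file layout used in the post: one key per line, and
# "anonymous" holding only "enabled". No JSON parser is required.
CFG=/opt/kubernetes/cfg/kubelet.json   # path referenced by the post's unit file

# Value of a top-level string key such as "cgroupDriver" or "address".
kubelet_str() {   # $1 = file, $2 = key
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Value of a numeric key such as "readOnlyPort" or "port".
kubelet_num() {   # $1 = file, $2 = key
  sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# 0 when anonymous kubelet API requests are rejected ("anonymous": {"enabled": false}).
kubelet_anonymous_disabled() {   # $1 = file
  tr -d ' \n\t\r' < "$1" | grep -q '"anonymous":{"enabled":false}'
}

# Compare the file with the cgroup driver Docker reports ($2, normally the
# output of: docker info -f '{{.CgroupDriver}}'). Prints one line per
# finding; the exit status is the number of hard failures.
check_kubelet_config() {   # $1 = file, $2 = docker cgroup driver
  fails=0
  # Heuristic: the kubelet.json above contains no '#', so any '#' is a leftover comment.
  if grep -q '#' "$1"; then
    echo "FAIL: $1 contains a comment; the kubelet needs plain JSON"; fails=$((fails + 1))
  fi
  driver=$(kubelet_str "$1" cgroupDriver)
  if [ "$driver" != "$2" ]; then
    echo "FAIL: cgroupDriver=$driver but Docker uses $2; the node will not join"; fails=$((fails + 1))
  fi
  if ! kubelet_anonymous_disabled "$1"; then
    echo "FAIL: anonymous access to the kubelet API is enabled"; fails=$((fails + 1))
  fi
  port=$(kubelet_num "$1" readOnlyPort)
  if [ "${port:-0}" != "0" ]; then
    # Not fatal for joining, but port 10255 answers pod and node queries
    # without any authentication; setting it to 0 disables it.
    echo "WARN: readOnlyPort=$port serves unauthenticated data; use 0 unless something needs it"
  fi
  [ "$fails" -eq 0 ] && echo "OK: $1 matches cgroup driver $2"
  return "$fails"
}

# Usage on a node (requires docker):
#   check_kubelet_config "$CFG" "$(docker info -f '{{.CgroupDriver}}')"
```

The post's own file keeps readOnlyPort at 10255, so the check prints the WARN line on an unmodified node; that is a deliberate prompt to decide whether anything on the network actually consumes that port.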
3. Create the service file
cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/opt/kubernetes/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/kubelet-bootstrap.kubeconfig \\
--cert-dir=/opt/kubernetes/ssl \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.json \\
--network-plugin=cni \\
--pod-infra-container-image=k8s.gcr.io/pause:3.2 \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/opt/kubernetes/logs \\
--v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
Note:
--hostname-override: the node's display name, unique within the cluster (not set above, so the kubelet uses the host name)
--network-plugin: enables CNI
--kubeconfig: an empty path; the file is generated automatically on first start and is used afterwards to connect to the apiserver
--bootstrap-kubeconfig: used on the first start to request a certificate from the apiserver
--config: the configuration parameters file
--cert-dir: the directory in which the kubelet certificates are generated
--pod-infra-container-image: the image of the container that manages the Pod network
4. Sync the files to each node
cd /root/TLS/k8s/kubernetes/server/bin
cp kubelet /opt/kubernetes/bin/
cd /root/TLS/k8s
cp kubelet-bootstrap.kubeconfig kubelet.json /opt/kubernetes/cfg/
scp kubelet-bootstrap.kubeconfig kubelet.json /opt/kubernetes/cfg/
cd /root/TLS/k8s/kubernetes/server/bin
scp kubelet root@192.168.112.132:/opt/kubernetes/bin/
scp /usr/lib/systemd/system/kubelet.service root@192.168.112.132:/usr/lib/systemd/system/
scp /opt/kubernetes/cfg/token.csv root@192.168.112.133:/opt/kubernetes/cfg/
scp /opt/kubernetes/ssl/ca* root@192.168.112.133:/opt/kubernetes/ssl/
5. Start the service
mkdir /opt/kubernetes/kubelet
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
6. Approve the kubelet certificate request and join the cluster
# View the kubelet certificate requests
kubectl get csr
NAME                                                   AGE    SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A   6m3s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending
# Approve the request
kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A
# View the nodes
kubectl get nodes
NAME         STATUS   ROLES    AGE   VERSION
clihouse01   Ready    <none>   16h   v1.20.2
clihouse02   Ready    <none>   16h   v1.20.2
clihouse03   Ready    <none>   16h   v1.20.2
clihouse04   Ready    <none>   16h   v1.20.2
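Approving a CSR is the point where a node identity is minted, so it pays to be explicit about what is being approved. The following added example (not from the original post) filters the tabular "kubectl get csr" output for requests that look exactly like the first-boot request shown above (signer kubernetes.io/kube-apiserver-client-kubelet, requestor kubelet-bootstrap, still Pending) and prints the matching approve commands for review instead of running them. The sample listing is constructed; its names are placeholders, not the page's CSR name.

```shell
# Added example, not from the original post. Reads "kubectl get csr" on
# stdin and emits only the names that match the bootstrap request pattern
# shown in the post, so the approve command never touches other CSRs
# (service-account client certs, kubelet serving certs, already-issued ones).

# Print the names of pending first-boot kubelet client CSRs.
pending_kubelet_client_csrs() {
  awk 'NR > 1 &&
       $3 == "kubernetes.io/kube-apiserver-client-kubelet" &&
       $4 == "kubelet-bootstrap" &&
       $5 == "Pending" { print $1 }'
}

# Print (do not run) the approve commands for those names, for review.
approve_commands() {
  pending_kubelet_client_csrs | sed 's/^/kubectl certificate approve /'
}

# Constructed sample: column layout copied from the post, placeholder names.
SAMPLE_CSR_LIST='NAME                    AGE    SIGNERNAME                                    REQUESTOR                          CONDITION
node-csr-EXAMPLE-AAAA   6m3s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap                  Pending
node-csr-EXAMPLE-BBBB   16h    kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap                  Approved,Issued
csr-EXAMPLE-CCCC        2m     kubernetes.io/kube-apiserver-client           system:serviceaccount:dev:builder  Pending
csr-EXAMPLE-DDDD        1m     kubernetes.io/kubelet-serving                 system:node:clihouse02             Pending'

printf '%s\n' "$SAMPLE_CSR_LIST" | approve_commands
# prints: kubectl certificate approve node-csr-EXAMPLE-AAAA

# Against the live cluster (review the output, then run the printed lines):
#   kubectl get csr | approve_commands
# The table does not show the requested subject; before approving, confirm
# the request itself asks for a node identity, i.e. CN=system:node:<name>
# with O=system:nodes:
#   kubectl get csr <name> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject
```

The second kubelet-bootstrap line in the sample is already Approved,Issued and the kubelet-serving request comes from the node itself rather than from the bootstrap user, so neither is selected; only the first-boot request of a new node gets an approve line.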