API Server简介
k8s API Server提供了k8s各类资源对象(pod,RC,Service等)的增删改查及watch等HTTP Rest接口,是整个系统的数据总线和数据中心。
kubernetes API Server的功能:
一,提供了集群管理的REST API接口(包括认证授权、数据校验以及集群状态变更);
二,提供其他模块之间的数据交互和通信的枢纽(其他模块通过API Server查询或修改数据,只有API Server才直接操作etcd);
三,是资源配额控制的入口;
四,拥有完备的集群安全机制
安装kubapi
tar xf kubernetes-server-linux-amd64.tar.gz
mv kubernetes /usr/local/kubernetes-v1.15.2
ln -s kubernetes-v1.15.2 kubernetes
[root@hdss7-22 kubernetes]#rm -rf kubernetes-src.tar.gz
[root@hdss7-22 kubernetes]#cd server/bin/
[root@hdss7-22 bin]# rm -rf *_tag
[root@hdss7-22 bin]# rm -rf *.tar签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端
[root@hdss7-200 ~]# vim /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}签发证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
[root@hdss7-200 certs]# ll
total 52
-rw-r--r--. 1 root root 840 Apr 20 10:25 ca-config.json
-rw-r--r--. 1 root root 993 Apr 18 17:47 ca.csr
-rw-r--r--. 1 root root 332 Apr 18 17:40 ca-csr.json
-rw-------. 1 root root 1675 Apr 18 17:47 ca-key.pem
-rw-r--r--. 1 root root 1346 Apr 18 17:47 ca.pem
-rw-r--r--. 1 root root 993 Apr 21 11:36 client.csr
-rw-r--r--. 1 root root 280 Apr 21 11:36 client-csr.json
-rw-------. 1 root root 1679 Apr 21 11:36 client-key.pem
-rw-r--r--. 1 root root 1363 Apr 21 11:36 client.pem
-rw-r--r--. 1 root root 1062 Apr 20 10:36 etcd-peer.csr
-rw-r--r--. 1 root root 363 Apr 20 10:28 etcd-peer-csr.json
-rw-------. 1 root root 1675 Apr 20 10:36 etcd-peer-key.pem
-rw-r--r--. 1 root root 1428 Apr 20 10:36 etcd-peer.pem
[root@hdss7-200 certs]# vim apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver设置主机的host理论如果使用了本机的dns是不需要的。
cat >>/etc/hosts<<EOF
10.4.7.200 hdss7-200
10.4.7.11 hdss7-11
10.4.7.12 hdss7-12
10.4.7.21 hdss7-21
10.4.7.22 hdss7-22
EOF注意我的安装目录是在/usr/local/ 下并设置了软链。
[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
最后有个点,表示拷贝到当前目录
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem .创建配置文件路径
[root@hdss7-22 bin]# mkdir config
[root@hdss7-22 bin]# cd config/[root@hdss7-21 config]# vim audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"拷贝配置文件到各个机器上,这个文件可以参考k8s的官方文档。
[root@hdss7-21 config]# scp audit.yaml hdss7-22:/usr/local/kubernetes/server/bin/config/编写启动脚本(注意脚本转义符号后面别带空格,保证能在一行的一定要在一行)
[root@hdss7-21 config]# vim /usr/local/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
mkdir /data/logs/kubernetes/kube-apiserver/ -p查看帮助命令,查看每行的意思
[root@hdss7-21 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb
[root@hdss7-21 bin]# chmod +x kube-apiserver.sh创建后台启动
[root@hdss7-21 bin]# vim /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/usr/local/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/usr/local/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)另外一台22做同样配置更改下supervisord启动名称即可(方便区分)
[program:kube-apiserver-7-22]配置反向代理
HDSS7-11和HDSS7-12上同时操作
nginx配置
[root@hdss7-11 ~]# yum install -y nginx
yum -y install nginx-all-modules.noarch因为要使用nginx的四层代理,所以yum安装的适合要注意下。
头部添加
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;在http层外添加
include /etc/nginx/tcp.d/*.conf;不然使用stream模块会报错因为stream不是http代理
[root@hdss7-11 ~]# vim /etc/nginx/tcp.d/kube-apiserver.conf
stream {
upstream kube-apiserver {
server 10.4.7.21:6443 max_fails=3 fail_timeout=30s;
server 10.4.7.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}[root@hdss7-12 nginx]# systemctl start nginx
[root@hdss7-12 一样的脚本
nginx]# systemctl enable nginx
配置keepalived
[root@hdss7-11 nginx]# vim /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
# script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
# interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
chmod +x /etc/keepalived/check_port.sh
#hdss7-11的keepalived的配置文件如下
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.4.7.11
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}注意root@hdss7-12 一样的端口检测脚本!
[root@hdss7-12 nginx]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 251
mcast_src_ip 10.4.7.12
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
启动keepalived并设置开启自启
[root@hdss7-12 nginx]# systemctl start keepalived
[root@hdss7-12 nginx]# systemctl enable keepalivedip addr 查看虚拟ip
就可以看到10.4.7.10这个vip地址了。
