二进制安装k8s集群-部署kube-apiserver(六)

148次阅读
没有评论

共计 9030 个字符,预计需要花费 23 分钟才能阅读完成。

API Server 简介
k8s API Server 提供了 k8s 各类资源对象(pod,RC,Service 等)的增删改查及 watch 等 HTTP Rest 接口,是整个系统的数据总线和数据中心。

kubernetes API Server 的功能:

一, 提供了集群管理的 REST API 接口 (包括认证授权、数据校验以及集群状态变更);
二, 提供其他模块之间的数据交互和通信的枢纽(其他模块通过 API Server 查询或修改数据,只有 API Server 才直接操作 etcd);
三, 是资源配额控制的入口;
四, 拥有完备的集群安全机制

安装 kubapi

tar xf kubernetes-server-linux-amd64.tar.gz 
mv kubernetes /usr/local/kubernetes-v1.15.2
ln -s kubernetes-v1.15.2 kubernetes   

[root@hdss7-22 kubernetes]#rm -rf kubernetes-src.tar.gz 
[root@hdss7-22 kubernetes]#cd server/bin/
[root@hdss7-22 bin]# rm -rf *_tag
[root@hdss7-22 bin]# rm -rf *.tar

签发 apiserver-client 证书:apiserver 与 etc 通信用的证书。apiserver 是客户端,etcd 是服务端

[root@hdss7-200 ~]# vim /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [ ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

签发证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client

[root@hdss7-200 certs]# ll
total 52
-rw-r--r--. 1 root root  840 Apr 20 10:25 ca-config.json
-rw-r--r--. 1 root root  993 Apr 18 17:47 ca.csr
-rw-r--r--. 1 root root  332 Apr 18 17:40 ca-csr.json
-rw-------. 1 root root 1675 Apr 18 17:47 ca-key.pem
-rw-r--r--. 1 root root 1346 Apr 18 17:47 ca.pem
-rw-r--r--. 1 root root  993 Apr 21 11:36 client.csr
-rw-r--r--. 1 root root  280 Apr 21 11:36 client-csr.json
-rw-------. 1 root root 1679 Apr 21 11:36 client-key.pem
-rw-r--r--. 1 root root 1363 Apr 21 11:36 client.pem
-rw-r--r--. 1 root root 1062 Apr 20 10:36 etcd-peer.csr
-rw-r--r--. 1 root root  363 Apr 20 10:28 etcd-peer-csr.json
-rw-------. 1 root root 1675 Apr 20 10:36 etcd-peer-key.pem
-rw-r--r--. 1 root root 1428 Apr 20 10:36 etcd-peer.pem

[root@hdss7-200 certs]# vim apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "10.4.7.10",
        "10.4.7.21",
        "10.4.7.22",
        "10.4.7.23"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}


cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver

设置主机的 host 理论如果使用了本机的 dns 是不需要的。

cat >>/etc/hosts<<EOF
10.4.7.200 hdss7-200
10.4.7.11  hdss7-11
10.4.7.12  hdss7-12
10.4.7.21  hdss7-21
10.4.7.22  hdss7-22
EOF

注意我的安装目录是在 /usr/local/ 下并设置了软链。

[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
最后有个点,表示拷贝到当前目录

[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem . 
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem .
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem .

创建配置文件路径

[root@hdss7-22 bin]# mkdir config
[root@hdss7-22 bin]# cd config/
[root@hdss7-21 config]# vim audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

拷贝配置文件到各个机器上,这个文件可以参考 k8s 的官方文档。

[root@hdss7-21 config]# scp audit.yaml  hdss7-22:/usr/local/kubernetes/server/bin/config/

编写启动脚本(注意脚本转义符号后面别带空格,保证能在一行的一定要在一行)

[root@hdss7-21 config]# vim /usr/local/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
  --apiserver-count 2 \
  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
  --audit-policy-file ./conf/audit.yaml \
  --authorization-mode RBAC \
  --client-ca-file ./cert/ca.pem \
  --requestheader-client-ca-file ./cert/ca.pem \
  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
  --etcd-cafile ./cert/ca.pem \
  --etcd-certfile ./cert/client.pem \
  --etcd-keyfile ./cert/client-key.pem \
  --etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
  --service-account-key-file ./cert/ca-key.pem \
  --service-cluster-ip-range 192.168.0.0/16 \
  --service-node-port-range 3000-29999 \
  --target-ram-mb=1024 \
  --kubelet-client-certificate ./cert/client.pem \
  --kubelet-client-key ./cert/client-key.pem \
  --log-dir  /data/logs/kubernetes/kube-apiserver \
  --tls-cert-file ./cert/apiserver.pem \
  --tls-private-key-file ./cert/apiserver-key.pem \
  --v 2


mkdir /data/logs/kubernetes/kube-apiserver/ -p

查看帮助命令,查看每行的意思

[root@hdss7-21 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb 
[root@hdss7-21 bin]# chmod +x kube-apiserver.sh

创建后台启动

[root@hdss7-21 bin]# vim /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/usr/local/kubernetes/server/bin/kube-apiserver.sh      ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/usr/local/kubernetes/server/bin                      ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

另外一台 22 做同样配置更改下 supervisord 启动名称即可(方便区分)

[program:kube-apiserver-7-22]

配置反向代理
HDSS7-11 和 HDSS7-12 上同时操作

nginx 配置

[root@hdss7-11 ~]# yum install -y nginx    
yum -y install nginx-all-modules.noarch

因为要使用 nginx 的四层代理,所以 yum 安装的适合要注意下。

头部添加

load_module /usr/lib64/nginx/modules/ngx_stream_module.so;

在 http 层外添加

include /etc/nginx/tcp.d/*.conf;

不然使用 stream 模块会报错因为 stream 不是 http 代理

[root@hdss7-11 ~]# vim /etc/nginx/tcp.d/kube-apiserver.conf
stream {
    upstream kube-apiserver {
        server 10.4.7.21:6443     max_fails=3 fail_timeout=30s;
        server 10.4.7.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}

[root@hdss7-12 nginx]# systemctl start nginx
[root@hdss7-12 一样的脚本
nginx]# systemctl enable nginx

配置 keepalived

[root@hdss7-11 nginx]# vim /etc/keepalived/check_port.sh 
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:#在 keepalived 的配置文件中
#vrrp_script check_port {# 创建一个 vrrp_script 脚本, 检查配置
#    script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
#    interval 2 #检查脚本的频率, 单位(秒)#}
CHK_PORT=$1
if [-n "$CHK_PORT"];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [$PORT_PROCESS -eq 0];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi

chmod +x /etc/keepalived/check_port.sh


#hdss7-11 的 keepalived 的配置文件如下
vim /etc/keepalived/keepalived.conf 

! Configuration File for keepalived

global_defs {router_id 10.4.7.11}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 10.4.7.11
    nopreempt

    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {chk_nginx}
    virtual_ipaddress {10.4.7.10}
}

注意 root@hdss7-12 一样的端口检测脚本!

[root@hdss7-12 nginx]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {router_id 10.4.7.12}
vrrp_script chk_nginx {
        script "/etc/keepalived/check_port.sh 7443"
        interval 2
        weight -20
}
vrrp_instance VI_1 {
        state BACKUP
        interface ens33
        virtual_router_id 251
        mcast_src_ip 10.4.7.12
        priority 90
        advert_int 1
        authentication {
                auth_type PASS
                auth_pass 11111111
        }
        track_script {chk_nginx}
        virtual_ipaddress {10.4.7.10}
}

启动 keepalived 并设置开启自启

[root@hdss7-12 nginx]# systemctl start keepalived
[root@hdss7-12 nginx]# systemctl enable keepalived

ip addr 查看虚拟 ip
就可以看到 10.4.7.10 这个 vip 地址了。

正文完
 0
yx
版权声明:本站原创文章,由 yx 于2022-05-05发表,共计9030字。
转载说明:除特殊说明外本站文章皆由CC-4.0协议发布,转载请注明出处。
评论(没有评论)
验证码