Install and deploy kube-apiserver according to the topology diagram (shown below)
I. Create the authentication certificates
1. Create the certificate and key for the kube-apiserver service
(1) Create the JSON config file for generating the CSR
<code>[root@k8s-master ~]# cd /usr/local/kubernetes/ssl/
[root@k8s-master ssl]# vim kube-apiserver-csr.json
Add:
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.0.0.1",
    "192.168.1.1",
    "192.168.1.2",
    "192.168.1.3",
    "k8s-node-1",
    "k8s-node-2",
    "k8s-master",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}</code>
(2) Generate the kube-apiserver certificate and private key
<code>[root@k8s-master ssl]# cfssl gencert -ca=/usr/local/kubernetes/ssl/ca.pem -ca-key=/usr/local/kubernetes/ssl/ca-key.pem -config=/usr/local/kubernetes/ssl/ca-config.json -profile=kubernetes /usr/local/kubernetes/ssl/kube-apiserver-csr.json | cfssljson -bare kube-apiserver</code>
2. Create the kube-proxy certificate and private key
(1) Create the JSON config file for generating the CSR
<code>[root@k8s-master ssl]# vim kube-proxy-csr.json
Add:
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}</code>
(2) Generate the kube-proxy certificate and private key
<code>[root@k8s-master ssl]# cfssl gencert -ca=/usr/local/kubernetes/ssl/ca.pem -ca-key=/usr/local/kubernetes/ssl/ca-key.pem -config=/usr/local/kubernetes/ssl/ca-config.json -profile=kubernetes /usr/local/kubernetes/ssl/kube-proxy-csr.json | cfssljson -bare kube-proxy</code>
(3) Distribute the certificates:
Because kube-proxy on the nodes also uses this certificate, distribute it to the node hosts in advance.
<code>[root@k8s-master ssl]# scp kube-proxy*.pem 192.168.1.1:/usr/local/kubernetes/ssl/
[root@k8s-master ssl]# scp kube-proxy*.pem 192.168.1.2:/usr/local/kubernetes/ssl/</code>
3. Create the ServiceAccount key
<code>[root@k8s-master ssl]# openssl genrsa -out sa.key
[root@k8s-master ssl]# openssl rsa -in /usr/local/kubernetes/ssl/sa.key -pubout -out /usr/local/kubernetes/ssl/sa.pub</code>
4. Create the client token file used by kube-apiserver
<code>[root@k8s-master ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '  ## prints a random hex string
58efbbf2c450bc6de0052e28ce47fa9c</code>
<code>[root@k8s-master ~]# vim /usr/local/kubernetes/ssl/token.csv
Edit (replace the "58ef..." string with the one generated above):
58efbbf2c450bc6de0052e28ce47fa9c,kubelet-bootstrap,10001,"system:kubelet-bootstrap"</code>
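As an added example (not part of the original tutorial), a small Python helper that generates a token the same way as the pipeline above, writes the record in the format `--token-auth-file` expects, and validates an existing token.csv. The function names are my own, and the samples are constructed from the record shown above.

```python
import csv
import io
import re
import secrets

NAME_RE = re.compile(r"[A-Za-z0-9:_.@-]+")  # user and group names: no whitespace, no '#'

def generate_bootstrap_token() -> str:
    """Same result as the page's head/od/tr pipeline: 16 random bytes as 32 hex chars."""
    return secrets.token_hex(16)

def token_csv_line(token: str, user: str = "kubelet-bootstrap", uid: int = 10001,
                   groups=("system:kubelet-bootstrap",)) -> str:
    """One record in --token-auth-file format: token,user,uid,"group1,group2"."""
    return f'{token},{user},{uid},"{",".join(groups)}"\n'

def validate_token_csv(text: str) -> list:
    """Return the problems found in a token.csv body; an empty list means it is usable.
    Static tokens cannot be rotated without restarting kube-apiserver, so get the file right."""
    problems, seen = [], set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) < 3:
            problems.append(f"line {n}: need token,user,uid[,groups], got {len(row)} columns")
            continue
        token, user, uid = row[0], row[1], row[2]
        if not re.fullmatch(r"[0-9a-f]{32}", token):
            problems.append(f"line {n}: token is not 32 hex chars")
        if token in seen:
            problems.append(f"line {n}: duplicate token")
        seen.add(token)
        if not NAME_RE.fullmatch(user):
            problems.append(f"line {n}: bad user name {user!r}")
        if not uid.isdigit():
            problems.append(f"line {n}: uid {uid!r} is not numeric")
        for g in ",".join(row[3:]).split(",") if len(row) > 3 else []:
            if not NAME_RE.fullmatch(g):
                problems.append(f"line {n}: bad group {g!r} (stray text after the quoted field?)")
    return problems

# Constructed samples: the page's record, and the same record with the page's "##" note pasted in
# (kube-apiserver reads this file with a strict CSV parser and would refuse to start on it).
SAMPLE_GOOD = token_csv_line("58efbbf2c450bc6de0052e28ce47fa9c")
SAMPLE_BAD = SAMPLE_GOOD.rstrip("\n") + " ## replace with the generated token\n"
```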
II. Install kube-apiserver
1. Download and unpack the kubernetes package
<code>[root@k8s-master ~]# tar -zxvf kubernetes-server-linux-amd64.tar.gz -C /usr/src/
[root@k8s-master ~]# cd /usr/src/kubernetes/server/bin/
[root@k8s-master bin]# cp kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/kubernetes/bin/
[root@k8s-master bin]# ls /usr/local/kubernetes/bin/</code>
2. Create the kube-apiserver configuration file
<code>[root@k8s-master ~]# vim /usr/local/kubernetes/conf/kube-apiserver
Add:
KUBE_APISERVER_OPTS="--v=2 \
--enable-swagger-ui=true \
--logtostderr=true \
--log-dir=/usr/local/kubernetes/logs/ \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--insecure-port=0 \
--advertise-address=192.168.1.3 \
--service-cluster-ip-range=10.0.0.0/12 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://192.168.1.1:2379,https://192.168.1.2:2379,https://192.168.1.3:2379 \
--etcd-cafile=/usr/local/kubernetes/ssl/ca.pem \
--etcd-certfile=/usr/local/kubernetes/ssl/etcd.pem \
--etcd-keyfile=/usr/local/kubernetes/ssl/etcd-key.pem \
--client-ca-file=/usr/local/kubernetes/ssl/ca.pem \
--tls-cert-file=/usr/local/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/usr/local/kubernetes/ssl/kube-apiserver-key.pem \
--kubelet-client-certificate=/usr/local/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/usr/local/kubernetes/ssl/kube-apiserver-key.pem \
--service-account-key-file=/usr/local/kubernetes/ssl/sa.pub \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/usr/local/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/usr/local/kubernetes/ssl/kube-proxy.pem \
--proxy-client-key-file=/usr/local/kubernetes/ssl/kube-proxy-key.pem \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User \
--token-auth-file=/usr/local/kubernetes/ssl/token.csv"</code>
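The following Python checker is an added example, not the tutorial's own code: it parses the KUBE_APISERVER_OPTS file above, reviews the security-relevant flags, and cross-checks them against the two CSR files from Part I (the hosts of the serving certificate and the CN of the certificate passed as --proxy-client-cert-file). Function names are my own, and the trimmed sample input is constructed from the page's values.

```python
import ipaddress
import re
import shlex

def parse_apiserver_opts(env_text: str):
    """Parse KUBE_APISERVER_OPTS into {flag: value}; also report lines missing the continuation backslash."""
    body = re.search(r'KUBE_APISERVER_OPTS="(.*)"', env_text, re.S).group(1)
    problems = [f"continuation backslash missing after: {ln.strip()}"
                for ln in body.split("\n")[:-1] if not ln.rstrip().endswith("\\")]
    # join the continued lines, split into tokens and map "--flag=value" to {"--flag": "value"}
    flags = dict(tok.partition("=")[::2] for tok in shlex.split(body.replace("\\\n", " ")))
    return flags, problems

def audit_apiserver(flags: dict, apiserver_hosts: list, proxy_client_cn: str) -> list:
    """Checks a reviewer would run over the parsed flags together with the two CSRs."""
    findings = []
    if not {"Node", "RBAC"} <= set(flags.get("--authorization-mode", "AlwaysAllow").split(",")):
        findings.append("authorization-mode should be Node,RBAC")
    if flags.get("--insecure-port", "8080") != "0":
        findings.append("unauthenticated HTTP port is open; set --insecure-port=0")
    if flags.get("--anonymous-auth", "true") != "false":
        findings.append("anonymous requests allowed (default); set --anonymous-auth=false")
    plugins = set(flags.get("--enable-admission-plugins", "").split(","))
    findings += [f"admission plugin {p} is not enabled" for p in ("NodeRestriction", "ServiceAccount") if p not in plugins]
    # The serving cert must cover the advertised IP and the first service IP (kubernetes.default resolves to it).
    svc_ip = str(ipaddress.ip_network(flags.get("--service-cluster-ip-range", "10.0.0.0/24"))[1])
    findings += [f"{ip} is missing from the kube-apiserver cert hosts"
                 for ip in (flags.get("--advertise-address"), svc_ip) if ip and ip not in apiserver_hosts]
    # Aggregated API servers trust X-Remote-* headers only from a client cert whose CN is in allowed-names.
    allowed = flags.get("--requestheader-allowed-names", "").split(",")
    if allowed != [""] and proxy_client_cn not in allowed:
        findings.append(f"proxy-client cert CN {proxy_client_cn!r} is not in --requestheader-allowed-names")
    return findings

# Constructed sample: a trimmed copy of the page's env file and of its two CSR files.
SAMPLE_ENV = '''KUBE_APISERVER_OPTS="--insecure-port=0 \\
--advertise-address=192.168.1.3 \\
--service-cluster-ip-range=10.0.0.0/12 \\
--authorization-mode=Node,RBAC \\
--enable-admission-plugins=NamespaceLifecycle,ServiceAccount,NodeRestriction \\
--requestheader-allowed-names=aggregator \\
--proxy-client-cert-file=/usr/local/kubernetes/ssl/kube-proxy.pem"
'''
APISERVER_HOSTS = ["127.0.0.1", "10.0.0.1", "192.168.1.1", "192.168.1.2", "192.168.1.3",
                   "k8s-master", "kubernetes", "kubernetes.default.svc.cluster.local"]
PROXY_CLIENT_CN = "system:kube-proxy"  # CN of the cert the page passes as --proxy-client-cert-file

def audit_sample() -> list:
    flags, problems = parse_apiserver_opts(SAMPLE_ENV)
    return problems + audit_apiserver(flags, APISERVER_HOSTS, PROXY_CLIENT_CN)
```

Run against the page's own values it reports two findings: anonymous auth is left at its default, and the kube-proxy certificate (CN system:kube-proxy) does not match the allowed name "aggregator", so aggregated API servers such as metrics-server would not trust requests proxied through this apiserver.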
3. Create the systemd unit file for the kube-apiserver service
<code>[root@k8s-master ~]# vim /usr/lib/systemd/system/kube-apiserver.service
Add:
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/usr/local/kubernetes/conf/kube-apiserver
ExecStart=/usr/local/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target</code>
4. Start the kube-apiserver service
<code>[root@k8s-master ~]# systemctl enable kube-apiserver
[root@k8s-master ~]# systemctl start kube-apiserver</code>
5. Check that the kube-apiserver service is running
<code>[root@k8s-master ~]# systemctl status kube-apiserver.service</code>
<code>[root@k8s-master ~]# ps -ef |grep kube-apiserver</code>
<code>[root@k8s-master ~]# netstat -tulpn | grep kube-apiserver</code>
<code>[root@k8s-master ~]# netstat -anpt | grep 6443</code>