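Kubernetes Cluster Deployment, Part 4: Master Node Deployment

The Kubernetes master node runs three services, kube-apiserver, kube-controller-manager and kube-scheduler, plus one command-line tool, kubectl.

The master node is responsible for managing and controlling the whole cluster, where:

kube-apiserver is the key service process that exposes the HTTP REST interface. It is the single entry point for create, delete, update and query operations on all Kubernetes resources, and it is also the entry process for cluster control.

kube-controller-manager is the automated control center for all resource objects in Kubernetes; it can be thought of as the "chief steward" of resource objects.

kube-scheduler is the process responsible for resource scheduling (pod scheduling), comparable to the "dispatch office" of a bus company.

Kubernetes API service deployment:

1. Prepare the software package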

<code>[root@k8s-master kubernetes]# wget https://storage.googleapis.com/kubernetes-release/release/v1.13.6/kubernetes-server-linux-amd64.tar.gz</code>

Extract the package and copy the executables into place:

<code>[root@k8s-master ]# tar zxvf kubernetes-server-linux-amd64.tar.gz -C  /usr/local/src/
[root@k8s-master kubernetes]# cd /usr/local/src/kubernetes
[root@k8s-master kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/
[root@k8s-master kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/
[root@k8s-master kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/</code>

2. Create the JSON configuration file used to generate the CSR:

<code>[root@k8s-master ssl]# cd /usr/local/src/ssl/
[root@k8s-master ssl]# cat > kubernetes-csr.json</code>

3. Generate the kubernetes certificate and private key, and distribute them to all nodes.

<code>[root@k8s-master src]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

[root@k8s-master ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/
[root@k8s-master ssl]# scp kubernetes*.pem 10.88.0.2:/opt/kubernetes/ssl/
[root@k8s-master ssl]# scp kubernetes*.pem 10.88.0.3:/opt/kubernetes/ssl/</code>

4. Create the client token file used by kube-apiserver

<code>[root@k8s-master ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
e135c7a413de5a64ce6131177db5d1ca
[root@k8s-master ~]# vim /opt/kubernetes/ssl/bootstrap-token.csv
e135c7a413de5a64ce6131177db5d1ca,kubelet-bootstrap,10001,"system:kubelet-bootstrap"</code>

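5. Create the basic username/password authentication configuration (the password, username and uid are used later for user authentication once the dashboard is created)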

<code>[root@k8s-master ~]# vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2</code>
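The checks a reviewer would run on the two static credential files from steps 4 and 5, as an added example that is not part of the original article: it flags files readable beyond their owner, passwords identical to the user name (as in `admin,admin,1`), and tokens that are not the 32 hex characters produced by `head -c 16 /dev/urandom`. The function name `audit_static_auth` and the 12-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the static credential CSV files read by kube-apiserver.
# Row layout: secret,user,uid[,"groups"]  (secret = token or password)

# audit_static_auth FILE KIND   KIND is "token" or "basic"
# Prints one finding per line; exit status 0 means no findings.
audit_static_auth() (
  file=$1 kind=$2 findings=0 n=0
  # A secrets file should be readable by its owner only.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    600|400) ;;
    *) echo "$file: mode $mode, expected 600"; findings=$((findings + 1)) ;;
  esac
  while IFS=, read -r secret user uid rest || [ -n "$secret" ]; do
    n=$((n + 1))
    [ -n "$secret" ] || continue          # skip blank lines
    if [ -z "$user" ] || [ -z "$uid" ]; then
      echo "$file:$n: fewer than 3 columns"
    elif [ "$kind" = token ]; then
      # Step 4 generates 16 random bytes, i.e. 32 lowercase hex characters.
      printf '%s' "$secret" | grep -Eq '^[0-9a-f]{32}$' && continue
      echo "$file:$n: token for $user is not 32 hex characters"
    elif [ "$secret" = "$user" ]; then
      echo "$file:$n: password equals user name ($user)"
    elif [ "${#secret}" -lt 12 ]; then    # assumed minimum length
      echo "$file:$n: password for $user is shorter than 12 characters"
    else
      continue
    fi
    findings=$((findings + 1))
  done < "$file"
  [ "$findings" -eq 0 ]
)

# Constructed sample that mirrors the basic-auth.csv shown in step 5.
demo=$(mktemp -d)
printf 'admin,admin,1\nreadonly,readonly,2\n' > "$demo/basic-auth.csv"
chmod 644 "$demo/basic-auth.csv"
audit_static_auth "$demo/basic-auth.csv" basic || echo "findings above need fixing"
rm -rf "$demo"
```

On the master, run it as `audit_static_auth /opt/kubernetes/ssl/bootstrap-token.csv token` and `audit_static_auth /opt/kubernetes/ssl/basic-auth.csv basic`.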

6. Deploy the Kubernetes API Server

<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-apiserver.service</code>

7. Start the API Server service

<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-apiserver
[root@k8s-master ~]# systemctl start kube-apiserver
[root@k8s-master ~]# systemctl status kube-apiserver
● kube-apiserver.service - Kubernetes API Server
   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:08:56 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1653 (kube-apiserver)
   CGroup: /system.slice/kube-apiserver.service
           └─1653 /opt/kubernetes/bin/kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction --bind-address=10.88.0.1 --insecure-bind-address=127.0.0.1 --authorizatio...

May 04 20:08:50 k8s-master kube-apiserver[1653]: Flag --admission-control has been deprecated, Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.
May 04 20:08:50 k8s-master kube-apiserver[1653]: Flag --insecure-bind-address has been deprecated, This flag will be removed in a future version.
May 04 20:08:52 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:52 log.go:33: [restful/swagger] listing is available at https://10.88.0.1:6443/swaggerapi
May 04 20:08:52 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:52 log.go:33: [restful/swagger] https://10.88.0.1:6443/swaggerui/ is mapped to folder /swagger-ui/
May 04 20:08:53 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:53 log.go:33: [restful/swagger] listing is available at https://10.88.0.1:6443/swaggerapi
May 04 20:08:53 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:53 log.go:33: [restful/swagger] https://10.88.0.1:6443/swaggerui/ is mapped to folder /swagger-ui/
May 04 20:08:56 k8s-master systemd[1]: Started Kubernetes API Server.
May 04 20:24:18 k8s-master kube-apiserver[1653]: E0504 20:24:18.407244    1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted
May 04 20:37:42 k8s-master kube-apiserver[1653]: E0504 20:37:42.478189    1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted
May 04 20:45:47 k8s-master kube-apiserver[1653]: E0504 20:45:47.522654    1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted
</code>

Deploy the Controller Manager service

<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-controller-manager.service</code>

Start the Controller Manager

<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-controller-manager
[root@k8s-master ~]# systemctl start kube-controller-manager
[root@k8s-master ~]# systemctl status kube-controller-manager
● kube-controller-manager.service - Kubernetes Controller Manager
   Loaded: loaded (/usr/lib/systemd/system/kube-controller-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:09:45 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1718 (kube-controller)
   CGroup: /system.slice/kube-controller-manager.service
           └─1718 /opt/kubernetes/bin/kube-controller-manager --address=127.0.0.1 --master=http://127.0.0.1:8080 --allocate-node-cidrs=true --service-cluster-ip-range=10.1.0.0/16 --cluster-cidr=10.2.0.0/16 --cluster-name=kubernetes --cluster-...

May 04 20:09:45 k8s-master systemd[1]: Started Kubernetes Controller Manager.
May 04 20:09:45 k8s-master kube-controller-manager[1718]: Flag --address has been deprecated, see --bind-address instead.
May 04 20:09:56 k8s-master kube-controller-manager[1718]: E0504 20:09:56.274117    1718 core.go:76] Failed to start service controller: WARNING: no cloud provider provided, services of type LoadBalancer will fail
May 04 20:09:56 k8s-master kube-controller-manager[1718]: E0504 20:09:56.283832    1718 resource_quota_controller.go:171] initial monitor sync has error: couldn't start monitor for resource "extensions/v1beta1, Resource=networ...networkpolicies"
May 04 20:09:57 k8s-master kube-controller-manager[1718]: E0504 20:09:57.777615    1718 resource_quota_controller.go:437] failed to sync resource monitors: couldn't start monitor for resource "extensions/v1beta1, Resource=netw...networkpolicies"
Hint: Some lines were ellipsized, use -l to show in full.
</code>

Deploy the Kubernetes Scheduler:

<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-scheduler.service</code>

Start the Kubernetes Scheduler

<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-scheduler
[root@k8s-master ~]# systemctl start kube-scheduler
[root@k8s-master ~]# systemctl status kube-scheduler
● kube-scheduler.service - Kubernetes Scheduler
   Loaded: loaded (/usr/lib/systemd/system/kube-scheduler.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:10:12 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1785 (kube-scheduler)
   CGroup: /system.slice/kube-scheduler.service
           └─1785 /opt/kubernetes/bin/kube-scheduler --address=127.0.0.1 --master=http://127.0.0.1:8080 --leader-elect=true --v=2 --logtostderr=false --log-dir=/opt/kubernetes/log

May 04 20:10:12 k8s-master systemd[1]: Started Kubernetes Scheduler.
</code>
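The status output above shows the API server started with `--insecure-bind-address=127.0.0.1` and the controller manager and scheduler connecting to `http://127.0.0.1:8080`. As an added example (not from the original article), this check flags those settings in a component's command line; `audit_flags` is a hypothetical name and the finding messages are this example's wording.

```shell
#!/bin/sh
# Added example: flag plaintext or static-credential settings in the command
# line of a control-plane component, as printed by `systemctl status`.

# audit_flags "COMMAND LINE"
# Prints one finding per flagged argument; exit status 0 means none.
# Assumes the --flag=value form used throughout this article.
audit_flags() (
  set -f                      # no glob expansion while word-splitting $1
  findings=0
  for arg in $1; do
    case $arg in
      --insecure-port=0) continue ;;
      --insecure-bind-address=*|--insecure-port=*)
        echo "$arg: API port without TLS, authentication or authorization" ;;
      --master=http://*)
        echo "$arg: component reaches the API server over plaintext HTTP" ;;
      --basic-auth-file=*|--token-auth-file=*)
        echo "$arg: static credentials, changed only by restarting the API server" ;;
      *) continue ;;
    esac
    findings=$((findings + 1))
  done
  [ "$findings" -eq 0 ]
)

# Flags copied from the status output on this page (the apiserver line is
# truncated there, so flags after the ellipsis are not covered).
apiserver='/opt/kubernetes/bin/kube-apiserver --bind-address=10.88.0.1 --insecure-bind-address=127.0.0.1'
scheduler='/opt/kubernetes/bin/kube-scheduler --address=127.0.0.1 --master=http://127.0.0.1:8080 --leader-elect=true --v=2'
audit_flags "$apiserver" || true
audit_flags "$scheduler" || true
```

On a running master, pass the full command line instead, for example from `ps -o args= -C kube-apiserver`, because `systemctl status` ellipsizes long lines.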

Deploy the kubectl command-line tool

1. Prepare the binary package

<code>[root@k8s-master ~]# cd /usr/local/src/kubernetes/server/bin/
[root@k8s-master bin]# cp kubectl /opt/kubernetes/bin/</code>

2. Create the admin certificate signing request

<code>[root@k8s-master ~]# cd /usr/local/src/ssl/
[root@k8s-master ssl]# cat > admin-csr.json</code>

3. Generate the admin certificate and private key:

<code>[root@k8s-master ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes admin-csr.json | cfssljson -bare admin
   
[root@k8s-master ssl]# ls -l admin*
-rw-r--r-- 1 root root 1009 May  4 20:11 admin.csr
-rw-r--r-- 1 root root  230 May  4 20:11 admin-csr.json
-rw------- 1 root root 1675 May  4 20:11 admin-key.pem
-rw-r--r-- 1 root root 1399 May  4 20:11 admin.pem

[root@k8s-master ssl]# cp  admin*.pem /opt/kubernetes/ssl/</code>

4. Set the cluster parameters

<code>[root@k8s-master ssl]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://10.88.0.1:6443
Cluster "kubernetes" set.</code>

5. Set the client authentication parameters

<code>[root@k8s-master ssl]# kubectl config set-credentials admin \
   --client-certificate=/opt/kubernetes/ssl/admin.pem \
   --embed-certs=true \
   --client-key=/opt/kubernetes/ssl/admin-key.pem
User "admin" set.</code>

6. Set the context parameters

<code>[root@k8s-master ssl]# kubectl config set-context kubernetes \
   --cluster=kubernetes \
   --user=admin
Context "kubernetes" created.</code>

7. Set the default context

<code>[root@k8s-master ssl]# kubectl config use-context kubernetes
Switched to context "kubernetes".</code>

8. Use the kubectl tool

<code>[root@k8s-master ssl]# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok                   
scheduler            Healthy   ok                   
etcd-1               Healthy   {"health": "true"}   
etcd-2               Healthy   {"health": "true"}   
etcd-0               Healthy   {"health": "true"}</code>

9. Verify that the master node works:

<code># kubectl get componentstatuses
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok                   
controller-manager   Healthy   ok                   
etcd-2               Healthy   {"health": "true"}   
etcd-1               Healthy   {"health": "true"}   
etcd-0               Healthy   {"health": "true"}</code>

