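The Kubernetes master node runs three services, kube-apiserver, kube-controller-manager and kube-scheduler, plus one command-line tool, kubectl.
The master node manages and controls the whole cluster. Of these:
kube-apiserver is the key service process that exposes the HTTP REST interface. It is the only entry point for create, read, update and delete operations on every Kubernetes resource, and it is also the entry point for cluster control.
kube-controller-manager is the automated control center for all resource objects in Kubernetes; think of it as the "chief steward" of resource objects.
kube-scheduler is the process responsible for resource scheduling (pod scheduling), comparable to the "dispatch office" of a bus company.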
Kubernetes API service deployment:
1. Prepare the software package:
<code>[root@k8s-master kubernetes]# wget https://storage.googleapis.com/kubernetes-release/release/v1.13.6/kubernetes-server-linux-amd64.tar.gz</code>
Extract the archive and copy the executables into place:
<code>[root@k8s-master ]# tar zxvf kubernetes-server-linux-amd64.tar.gz -C /usr/local/src/
[root@k8s-master kubernetes]# cd /usr/local/src/kubernetes
[root@k8s-master kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/
[root@k8s-master kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/
[root@k8s-master kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/</code>
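2. Create the JSON configuration file used to generate the CSR:
<code>[root@k8s-master ssl]# cd /usr/local/src/ssl/
[root@k8s-master ssl]# cat > kubernetes-csr.json</code>
3. Generate the kubernetes certificate and private key, and distribute them to all nodes.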
<code>[root@k8s-master src]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
[root@k8s-master ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/
[root@k8s-master ssl]# scp kubernetes*.pem 10.88.0.2:/opt/kubernetes/ssl/
[root@k8s-master ssl]# scp kubernetes*.pem 10.88.0.3:/opt/kubernetes/ssl/</code>
4. Create the client token file used by kube-apiserver
<code>[root@k8s-master ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
e135c7a413de5a64ce6131177db5d1ca
[root@k8s-master ~]# vim /opt/kubernetes/ssl/bootstrap-token.csv
e135c7a413de5a64ce6131177db5d1ca,kubelet-bootstrap,10001,"system:kubelet-bootstrap"</code>
5. Create the basic username/password authentication configuration (the password, username and uid are used for user authentication once the dashboard is created later)
<code>[root@k8s-master ~]# vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2</code>
6. Deploy the Kubernetes API Server
<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-apiserver.service</code>
7. Start the API Server service
<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-apiserver
[root@k8s-master ~]# systemctl start kube-apiserver
[root@k8s-master ~]# systemctl status kube-apiserver
● kube-apiserver.service - Kubernetes API Server
   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:08:56 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1653 (kube-apiserver)
   CGroup: /system.slice/kube-apiserver.service
           └─1653 /opt/kubernetes/bin/kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction --bind-address=10.88.0.1 --insecure-bind-address=127.0.0.1 --authorizatio...

May 04 20:08:50 k8s-master kube-apiserver[1653]: Flag --admission-control has been deprecated, Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.
May 04 20:08:50 k8s-master kube-apiserver[1653]: Flag --insecure-bind-address has been deprecated, This flag will be removed in a future version.
May 04 20:08:52 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:52 log.go:33: [restful/swagger] listing is available at https://10.88.0.1:6443/swaggerapi
May 04 20:08:52 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:52 log.go:33: [restful/swagger] https://10.88.0.1:6443/swaggerui/ is mapped to folder /swagger-ui/
May 04 20:08:53 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:53 log.go:33: [restful/swagger] listing is available at https://10.88.0.1:6443/swaggerapi
May 04 20:08:53 k8s-master kube-apiserver[1653]: [restful] 2020/05/04 20:08:53 log.go:33: [restful/swagger] https://10.88.0.1:6443/swaggerui/ is mapped to folder /swagger-ui/
May 04 20:08:56 k8s-master systemd[1]: Started Kubernetes API Server.
May 04 20:24:18 k8s-master kube-apiserver[1653]: E0504 20:24:18.407244 1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted
May 04 20:37:42 k8s-master kube-apiserver[1653]: E0504 20:37:42.478189 1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted
May 04 20:45:47 k8s-master kube-apiserver[1653]: E0504 20:45:47.522654 1653 watcher.go:208] watch chan error: etcdserver: mvcc: required revision has been compacted</code>
Deploy the Controller Manager service
<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-controller-manager.service</code>
Start the Controller Manager
<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-controller-manager
[root@k8s-master ~]# systemctl start kube-controller-manager
[root@k8s-master ~]# systemctl status kube-controller-manager
● kube-controller-manager.service - Kubernetes Controller Manager
   Loaded: loaded (/usr/lib/systemd/system/kube-controller-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:09:45 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1718 (kube-controller)
   CGroup: /system.slice/kube-controller-manager.service
           └─1718 /opt/kubernetes/bin/kube-controller-manager --address=127.0.0.1 --master=http://127.0.0.1:8080 --allocate-node-cidrs=true --service-cluster-ip-range=10.1.0.0/16 --cluster-cidr=10.2.0.0/16 --cluster-name=kubernetes --cluster-...

May 04 20:09:45 k8s-master systemd[1]: Started Kubernetes Controller Manager.
May 04 20:09:45 k8s-master kube-controller-manager[1718]: Flag --address has been deprecated, see --bind-address instead.
May 04 20:09:56 k8s-master kube-controller-manager[1718]: E0504 20:09:56.274117 1718 core.go:76] Failed to start service controller: WARNING: no cloud provider provided, services of type LoadBalancer will fail
May 04 20:09:56 k8s-master kube-controller-manager[1718]: E0504 20:09:56.283832 1718 resource_quota_controller.go:171] initial monitor sync has error: couldn't start monitor for resource "extensions/v1beta1, Resource=networ...networkpolicies"
May 04 20:09:57 k8s-master kube-controller-manager[1718]: E0504 20:09:57.777615 1718 resource_quota_controller.go:437] failed to sync resource monitors: couldn't start monitor for resource "extensions/v1beta1, Resource=netw...networkpolicies"
Hint: Some lines were ellipsized, use -l to show in full.</code>
Deploy the Kubernetes Scheduler:
<code>[root@k8s-master ~]# cat > /usr/lib/systemd/system/kube-scheduler.service</code>
Start the Kubernetes Scheduler
<code>[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable kube-scheduler
[root@k8s-master ~]# systemctl start kube-scheduler
[root@k8s-master ~]# systemctl status kube-scheduler
● kube-scheduler.service - Kubernetes Scheduler
   Loaded: loaded (/usr/lib/systemd/system/kube-scheduler.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-05-04 20:10:12 CST; 37min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1785 (kube-scheduler)
   CGroup: /system.slice/kube-scheduler.service
           └─1785 /opt/kubernetes/bin/kube-scheduler --address=127.0.0.1 --master=http://127.0.0.1:8080 --leader-elect=true --v=2 --logtostderr=false --log-dir=/opt/kubernetes/log

May 04 20:10:12 k8s-master systemd[1]: Started Kubernetes Scheduler.</code>
Deploy the kubectl command-line tool
1. Prepare the binary package
<code>[root@k8s-master ~]# cd /usr/local/src/kubernetes/server/bin/
[root@k8s-master bin]# cp kubectl /opt/kubernetes/bin/</code>
2. Create the admin certificate signing request
<code>[root@k8s-master ~]# cd /usr/local/src/ssl/
[root@k8s-master ssl]# cat > admin-csr.json</code>
3. Generate the admin certificate and private key:
<code>[root@k8s-master ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes admin-csr.json | cfssljson -bare admin
[root@k8s-master ssl]# ls -l admin*
-rw-r--r-- 1 root root 1009 May  4 20:11 admin.csr
-rw-r--r-- 1 root root  230 May  4 20:11 admin-csr.json
-rw------- 1 root root 1675 May  4 20:11 admin-key.pem
-rw-r--r-- 1 root root 1399 May  4 20:11 admin.pem
[root@k8s-master ssl]# cp admin*.pem /opt/kubernetes/ssl/</code>
4. Set the cluster parameters
<code>[root@k8s-master ssl]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://10.88.0.1:6443
Cluster "kubernetes" set.</code>
5. Set the client authentication parameters
<code>[root@k8s-master ssl]# kubectl config set-credentials admin \
   --client-certificate=/opt/kubernetes/ssl/admin.pem \
   --embed-certs=true \
   --client-key=/opt/kubernetes/ssl/admin-key.pem
User "admin" set.</code>
6. Set the context parameters
<code>[root@k8s-master ssl]# kubectl config set-context kubernetes \
   --cluster=kubernetes \
   --user=admin
Context "kubernetes" created.</code>
7. Set the default context
<code>[root@k8s-master ssl]# kubectl config use-context kubernetes
Switched to context "kubernetes".</code>
8. Use the kubectl tool
<code>[root@k8s-master ssl]# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-1               Healthy   {"health": "true"}
etcd-2               Healthy   {"health": "true"}
etcd-0               Healthy   {"health": "true"}</code>
9. Verify the master node functions:
<code># kubectl get componentstatuses
NAME                 STATUS    MESSAGE              ERROR
scheduler            Healthy   ok
controller-manager   Healthy   ok
etcd-2               Healthy   {"health": "true"}
etcd-1               Healthy   {"health": "true"}
etcd-0               Healthy   {"health": "true"}</code>
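
The deployment above creates bootstrap-token.csv and basic-auth.csv and starts kube-apiserver with --insecure-bind-address and the deprecated --admission-control flag. The following POSIX shell audit is an added example, not part of the original page: it reports those flags and checks the credential CSV files for loose permissions and weak entries. The unit file is not shown on the page, so the sample command line is constructed, and --token-auth-file / --basic-auth-file are assumed to be how the two CSV files are passed to the API server.

```sh
#!/bin/sh
# Added example (not from the original page): audit kube-apiserver flags and
# the static credential CSV files they reference. One finding per line.

# audit_csv FILE KIND: CSV layout is secret,user,uid[,"groups"]
audit_csv() {
  file=$1 kind=$2
  [ -r "$file" ] || { echo "MISSING $file"; return 0; }
  # characters 5-10 of the ls mode string are the group and other bits
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    echo "PERM $file: accessible beyond its owner"
  while IFS=, read -r secret user rest || [ -n "$secret" ]; do
    [ -n "$secret" ] || continue
    if [ "$secret" = "$user" ]; then
      echo "WEAK $file: secret for '$user' equals the user name"
    elif [ "$kind" = token ] &&
         ! printf '%s' "$secret" | grep -Eq '^[0-9a-f]{32,}$'; then
      echo "WEAK $file: token for '$user' is not 128+ bits of hex"
    fi
  done < "$file"
}

# audit_apiserver "CMDLINE": check flags, then any credential files they name
audit_apiserver() {
  for arg in $1; do
    case $arg in
      --insecure-bind-address=*)
        echo "FLAG $arg: HTTP listener that skips authn/authz" ;;
      --admission-control=*)
        echo "FLAG --admission-control: deprecated, use --enable-admission-plugins" ;;
      --basic-auth-file=*)
        echo "FLAG --basic-auth-file: static passwords, changed only by restart"
        audit_csv "${arg#*=}" basic ;;
      --token-auth-file=*)
        audit_csv "${arg#*=}" token ;;
    esac
  done
}

# Constructed command line. The first three flags are visible in the page's
# systemctl status output; the two *-auth-file flags are assumed wiring.
SAMPLE="--admission-control=NodeRestriction --bind-address=10.88.0.1 \
--insecure-bind-address=127.0.0.1 \
--token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
--basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv"
audit_apiserver "$SAMPLE"
```

On a running master, pass the live arguments instead of the sample, for example `audit_apiserver "$(ps -o args= -C kube-apiserver)"`.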