Learning K8S, Part 2: K8S Cluster Installation and Deployment (1)
A short introduction to the five Kubernetes components:
The three components on the master node
- kube-apiserver
The single entry point to the whole cluster. It provides authentication, authorization, access control, and API registration and discovery.
- kube-controller-manager
The controller manager maintains cluster state: failure detection, automatic scaling, rolling updates and so on. It keeps resources converging on their desired state.
- kube-scheduler
The scheduler places Pods on suitable nodes according to its scheduling policies, which run in two phases: predicates (filtering candidate nodes) and priorities (ranking them).
The two components on the node
- kubelet
The agent that runs on every cluster node. The kubelet uses a number of mechanisms to make sure containers are running and healthy; it does not manage containers that were not created by Kubernetes. It receives the desired state of a Pod (replica count, image, network and so on) and calls the container runtime to bring the Pod to that state.
The kubelet periodically reports node status to the apiserver, which the scheduler uses as the basis for its decisions. It also garbage-collects unused images and containers so they do not waste disk space.
- kube-proxy
kube-proxy is the network proxy that runs on every node and is one of the components that implement the Service resource. It connects the Pod network with the cluster network. The Service forwarding rules on the different nodes are kept up to date through kube-proxy, which calls the apiserver, which in turn reads the rules from etcd.
Service traffic can be forwarded in three modes: userspace (deprecated, very poor performance), iptables (poor performance, complex, about to be deprecated) and ipvs (good performance, clear forwarding behaviour).
Part 1: Lab architecture
1: The diagram is for reference only; the IP addresses have since changed

2: IP and architecture plan
Note: host domain: host.com; business domain: auth.com
| Hostname | Role | IP address | Services and components deployed | Hardware |
| k8s-6-92.host.com | Proxy node 1 | 192.168.6.92 | bind9, nginx (L4), keepalived, supervisor | 2C 4G 50G |
| k8s-6-93.host.com | Proxy node 2 | 192.168.6.93 | etcd, nginx (L4), keepalived, supervisor | 2C 4G 50G |
| k8s-6-94.host.com | Compute node 1 | 192.168.6.94 | etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy, supervisor | 4C 8G 50G |
| k8s-6-95.host.com | Compute node 2 | 192.168.6.95 | etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy, supervisor | 4C 8G 50G |
| k8s-6-96.host.com | Ops host | 192.168.6.96 | private Docker registry, manifest repository, shared storage (NFS), certificate issuing | 2C 4G 50G |
Part 2: Base configuration (all hosts):
1: Disable SELinux
# temporarily
setenforce 0
# permanently
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
2: Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
3: Synchronize the clock
ntpdate time1.aliyun.com
4: Set the hostname
Method 1:
hostnamectl set-hostname k8s-6-92.host.com
Method 2:
vi /etc/hostname
5: Add the EPEL repository
yum install epel-release
6: Install the required packages
yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
Part 3: Install the BIND 9 service on the proxy node (192.168.6.92)
1: Install bind
6-92 ~]# yum install -y bind
2: Edit the main configuration file
6-92 ~]# vi /etc/named.conf
listen-on port 53 { 192.168.6.92; };
listen-on-v6 port 53 { ::1; };    // delete this line
allow-query { any; };
forwarders { 192.168.6.1; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
After editing, check the configuration file:
6-92 ~]# named-checkconf
3: Zone configuration file
Append the following to the end of /etc/named.rfc1912.zones:
6-92 ~]# vi /etc/named.rfc1912.zones
zone "host.com" IN {
        type master;
        file "host.com.zone";
        allow-update { 192.168.6.92; };
};
zone "auth.com" IN {
        type master;
        file "auth.com.zone";
        allow-update { 192.168.6.92; };
};
4: Edit the zone files
6-92 ~]# vi /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600        ; 10 minutes
@       IN SOA  dns.host.com. dnsadmin.host.com. (
                2020042901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS      dns.host.com.
$TTL 60 ; 1 minute
dns             A       192.168.6.92
k8s-6-92        A       192.168.6.92
k8s-6-93        A       192.168.6.93
k8s-6-94        A       192.168.6.94
k8s-6-95        A       192.168.6.95
k8s-6-96        A       192.168.6.96
6-92 ~]# vi /var/named/auth.com.zone
$ORIGIN auth.com.
$TTL 600        ; 10 minutes
@       IN SOA  dns.auth.com. dnsadmin.auth.com. (
                2020042901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS      dns.auth.com.
$TTL 60 ; 1 minute
dns             A       192.168.6.92
After editing, check the configuration again:
6-92 ~]# named-checkconf
5: Start bind
6-92 ~]# systemctl start named
6: Verify that DNS resolution works
6-92 ~]# dig -t A k8s-6-92.host.com @192.168.6.92 +short
192.168.6.92
7: Configure the DNS client
6-92 ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens192
# append at the end of the file:
DNS1=192.168.6.92
8: Restart the network service
6-92 ~]# /etc/init.d/network restart
9: Check the resolv.conf file
6-92 ~]# cat /etc/resolv.conf
search host.com
nameserver 192.168.6.92
10: Verify
ping www.baidu.com
ping k8s-6-92.host.com
ping k8s-6-92
If all three succeed, DNS is installed and working
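The three pings above exercise a single name. The script below, added here as an example and not part of the original post, checks every host in the plan table against the new server in one go; the record table is copied from the plan on this page plus the dns record from the zone file, and it should be extended when further records are added (for example harbor.auth.com in Part 6). lookup_a wraps dig so that a fake resolver can replace it in an offline test; DNS_SERVER defaults to 192.168.6.92.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every planned
# host name resolves to its planned address on the new BIND server.

DNS_SERVER="${DNS_SERVER:-192.168.6.92}"

# "name expected-ip" pairs, one per line, taken from the plan table and zone file
PLANNED_RECORDS="k8s-6-92.host.com 192.168.6.92
k8s-6-93.host.com 192.168.6.93
k8s-6-94.host.com 192.168.6.94
k8s-6-95.host.com 192.168.6.95
k8s-6-96.host.com 192.168.6.96
dns.host.com 192.168.6.92"

# Resolve one A record on the server under test. Kept in its own function so
# an offline test can swap in a fake resolver instead of dig.
lookup_a() {
  dig -t A "$1" @"$DNS_SERVER" +short | head -n 1
}

# Compare every planned record with the server's answer.
# Prints one line per record and returns the number of mismatches (0 = ready).
check_planned_records() {
  failures=0
  while read -r name expected; do
    if [ -n "$name" ]; then
      got=$(lookup_a "$name")
      if [ "$got" = "$expected" ]; then
        echo "OK    $name -> $got"
      else
        echo "FAIL  $name expected $expected, got '${got:-no answer}'"
        failures=$((failures + 1))
      fi
    fi
  done <<EOF
$PLANNED_RECORDS
EOF
  return "$failures"
}

# Run the check when invoked as: sh check-dns.sh run
if [ "${1:-}" = "run" ]; then
  check_planned_records
fi
```

A non-zero exit status means at least one host would get the wrong answer (or none) from this resolver, which is worth catching before the cluster components start using these names.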
Part 4: Prepare the certificate-issuing environment
Self-signed certificates are only generated on the ops host (192.168.6.96):
1: Install CFSSL
6-96 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
6-96 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
6-96 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
6-96 ~]# chmod +x /usr/bin/cfssl*
2: Create the JSON config that generates the CA certificate CSR
6-96 certs]# mkdir /opt/certs
6-96 certs]# cd /opt/certs
6-96 certs]# vi /opt/certs/ca-csr.json
{
"CN": "AuthEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
############## Configuration notes ###########
CN: Common Name. Browsers use this field to check whether a site is legitimate; it is usually the domain name and it matters.
C: Country
ST: State or province
L: Locality, i.e. the city
O: Organization Name, the company name
OU: Organization Unit Name, the department
3: Generate the CA certificate files
6-96 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
6-96 certs]# ll
-rw-r--r-- 1 root root  993 4月 29 11:18 ca.csr
-rw-r--r-- 1 root root  326 4月 29 11:15 ca-csr.json
-rw------- 1 root root 1679 4月 29 11:18 ca-key.pem
-rw-r--r-- 1 root root 1338 4月 29 11:18 ca.pem
Part 5: Deploy Docker
Perform on the compute nodes (192.168.6.94, 192.168.6.95) and the ops host (192.168.6.96):
1: Install Docker
~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
2: Configure Docker
~]# mkdir /etc/docker
~]# vi /etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.auth.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.6.94.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
########## bip must follow the host IP. Note:
k8s-6-94.host.com  bip 172.6.94.1/24
k8s-6-95.host.com  bip 172.6.95.1/24
k8s-6-96.host.com  bip 172.6.96.1/24
3: Start Docker
mkdir -p /data/docker
systemctl start docker
systemctl enable docker
docker --version
Part 6: Deploy the Harbor private Docker image registry
Install Harbor on the ops host (192.168.6.96)
1: Download and extract the software
Harbor on GitHub: https://github.com/goharbor/harbor
opt]# tar zxf harbor-offline-installer-v1.8.3.tgz
opt]# mv harbor harbor-v1.8.3
opt]# ln -s /opt/harbor-v1.8.3 /opt/harbor
2: Configure Harbor
opt]# vi /opt/harbor/harbor.yml
hostname: harbor.auth.com
http:
  port: 180
harbor_admin_password: Harbor12345
data_volume: /data/harbor
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /data/harbor/logs
opt]# mkdir -p /data/harbor/logs
3: Install docker-compose
opt]# yum install docker-compose -y
If the installation fails, install the EPEL repository first:
yum -y install epel-release
4: Install Harbor
harbor]# ./install.sh
5: Check that Harbor has started
harbor]# docker-compose ps
harbor]# docker ps -a
6: Install Nginx as a reverse proxy for Harbor
1: Install nginx (omitted)
2: Configure nginx
vhosts]# vi /usr/local/nginx/conf/vhosts/harbor.auth.com.conf
server {
    listen       80;
    server_name  harbor.auth.com;
    client_max_body_size 1000m;
    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
3: Start nginx
7: Configure DNS, on the 192.168.6.92 server
1: vi /var/named/auth.com.zone
   1: Note: increment the serial number; 2020042901 becomes 2020042902
   2: Add an A record:
harbor          A       192.168.6.96
2: Restart DNS
systemctl restart named
3: Verify
6-92 ~]# dig -t A harbor.auth.com @192.168.6.92 +short
192.168.6.96
8: Verify the Harbor web UI
1. In a browser open harbor.auth.com; username: admin, password: Harbor12345
2. Create a project named public with access level: public
9: Pull an image and tag it
-6-96 ~]# docker pull nginx
-6-96 ~]# docker tag 602e111c06b6 harbor.auth.com/public/nginx:1.7.9
-6-96 ~]# docker images
10: Log in to Harbor and push the image
-6-96 ~]# docker login harbor.auth.com
Enter username: admin, password: Harbor12345
-6-96 ~]# docker push harbor.auth.com/public/nginx:1.7.9
In the web UI, check that the nginx image now appears in the public project
Part 7: Deploy the master nodes
7.1: etcd cluster. The number of members must be odd; this build uses three
| IP address | Hostname | Role |
| 192.168.6.93 | k8s-6-93.host.com | leader |
| 192.168.6.94 | k8s-6-94.host.com | follower |
| 192.168.6.95 | k8s-6-95.host.com | follower |
Step 1: Create the certificates on the ops host (192.168.6.96) first
7.1.1: On the ops host (192.168.6.96), create the signing config file based on the root certificate
-6-96 ~]# vi /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
7.1.2: Create the JSON config that generates the CSR for the self-issued certificate
-6-96 ~]# vi /opt/certs/etcd-peer-csr.json
# The IPs in hosts may also include servers that might be added to the deployment later
{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.6.92",
        "192.168.6.93",
        "192.168.6.94",
        "192.168.6.95"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
7.1.3: Generate the etcd certificate files
-6-96 ~]# cd /opt/certs/
-6-96 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
7.1.4: Check the generated certificate files
-6-96 certs]# ll | grep etcd
etcd-peer.csr
etcd-peer-csr.json
etcd-peer-key.pem
etcd-peer.pem
Step 2: Install the etcd cluster; this is done on 192.168.6.93, 192.168.6.94 and 192.168.6.95
Using the installation on 192.168.6.93 as the example
7.1.5: Create the etcd user
-6-93 ~]# useradd -s /sbin/nologin -M etcd
7.1.6: Download, extract and create the symlink
https://github.com/etcd-io/etcd/tags
-6-93 ~]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
-6-93 ~]# cd /opt/
-6-93 opt]# mv etcd-v3.1.20-linux-amd64 etcd-v3.1.20
-6-93 opt]# ln -s /opt/etcd-v3.1.20 /opt/etcd
7.1.7: Create the directories and copy the certificate files
# create the directories
-6-93 etcd]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
# copy the generated certificate files
-6-93]# cd /opt/etcd/certs
-6-93 certs]# scp 192.168.6.96:/opt/certs/ca.pem .
-6-93 certs]# scp 192.168.6.96:/opt/certs/etcd-peer.pem .
-6-93 certs]# scp 192.168.6.96:/opt/certs/etcd-peer-key.pem .
7.1.8: Create the etcd startup script
-6-93]# vi /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-6-93 \
  --data-dir /data/etcd/etcd-server \
  --listen-peer-urls https://192.168.6.93:2380 \
  --listen-client-urls https://192.168.6.93:2379,http://127.0.0.1:2379 \
  --quota-backend-bytes 8000000000 \
  --initial-advertise-peer-urls https://192.168.6.93:2380 \
  --advertise-client-urls https://192.168.6.93:2379,http://127.0.0.1:2379 \
  --initial-cluster etcd-server-6-93=https://192.168.6.93:2380,etcd-server-6-94=https://192.168.6.94:2380,etcd-server-6-95=https://192.168.6.95:2380 \
  --ca-file ./certs/ca.pem \
  --cert-file ./certs/etcd-peer.pem \
  --key-file ./certs/etcd-peer-key.pem \
  --client-cert-auth \
  --trusted-ca-file ./certs/ca.pem \
  --peer-ca-file ./certs/ca.pem \
  --peer-cert-file ./certs/etcd-peer.pem \
  --peer-key-file ./certs/etcd-peer-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file ./certs/ca.pem \
  --log-output stdout
7.1.9: Make the script executable and set ownership of the directories
-6-93]# chmod +x /opt/etcd/etcd-server-startup.sh
-6-93]# chown -R etcd.etcd /opt/etcd-v3.1.20/ /data/etcd/ /data/logs/etcd-server/
7.1.10: Install supervisor
-6-93]# yum install epel-release
-6-93]# yum install supervisor -y
-6-93]# systemctl start supervisord
-6-93]# systemctl enable supervisord
7.1.11: Create the supervisor configuration
-6-93]# vi /etc/supervisord.d/etcd-server.ini
[program:etcd-server-6-93]
command=/opt/etcd/etcd-server-startup.sh                ; the program (relative uses PATH, can take args)
numprocs=1                                              ; number of processes copies to start (def 1)
directory=/opt/etcd                                     ; directory to cwd to before exec (def no cwd)
autostart=true                                          ; start at supervisord start (default: true)
autorestart=true                                        ; restart at unexpected quit (default: true)
startsecs=30                                            ; number of secs prog must stay running (def. 1)
startretries=3                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                         ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                               ; setuid to this UNIX account to run the program
redirect_stderr=true                                    ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log   ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                             ; emit events on stdout writes (default false)
7.1.12: Start the etcd service and check it
-6-93 ~]# supervisorctl update
-6-93 ~]# supervisorctl status
-6-93 ~]# netstat -nlput | grep etcd
7.1.13: Deploy the other cluster members; the following must be changed on each:
/opt/etcd/etcd-server-startup.sh
  --name
  --listen-peer-urls
  --listen-client-urls
  --initial-advertise-peer-urls
  --advertise-client-urls
##########
/etc/supervisord.d/etcd-server.ini
  [program:etcd-server-7-12]
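Editing five flags by hand on every member is where copy-paste slips creep in (a program name that belongs to a different host, a listen URL left on the previous member's address). The shell functions below, added here as an example and not part of the original post, render a member's startup script from one membership table so that the TLS flags from 7.1.8 (client and peer certificate authentication against ca.pem) come out identical on every node. The table holds this page's three members; a suffix that is not in the table is refused rather than rendered.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-member etcd
# startup script from a single membership table. Names, paths and ports
# are the page's; the table lists the page's three members.

# "suffix ip" per line; suffix is the NN-NN part of etcd-server-NN-NN
ETCD_MEMBERS="6-93 192.168.6.93
6-94 192.168.6.94
6-95 192.168.6.95"

# --initial-cluster is the same string on every member: build it from the table.
etcd_initial_cluster() {
  ic=""
  while read -r suffix ip; do
    if [ -n "$suffix" ]; then
      ic="${ic}${ic:+,}etcd-server-${suffix}=https://${ip}:2380"
    fi
  done <<EOF
$ETCD_MEMBERS
EOF
  printf '%s' "$ic"
}

# Print the IP of a member suffix, or nothing if it is not in the table.
etcd_member_ip() {
  while read -r suffix ip; do
    if [ "$suffix" = "$1" ]; then
      printf '%s' "$ip"
    fi
  done <<EOF
$ETCD_MEMBERS
EOF
}

# Render /opt/etcd/etcd-server-startup.sh for one member. A suffix that is
# not a member is refused instead of producing a half-configured node.
render_etcd_startup() {
  s=$1
  ip=$(etcd_member_ip "$s")
  if [ -z "$ip" ]; then
    echo "unknown etcd member: $s" >&2
    return 1
  fi
  cat <<EOF
#!/bin/sh
./etcd --name etcd-server-${s} \\
  --data-dir /data/etcd/etcd-server \\
  --listen-peer-urls https://${ip}:2380 \\
  --listen-client-urls https://${ip}:2379,http://127.0.0.1:2379 \\
  --quota-backend-bytes 8000000000 \\
  --initial-advertise-peer-urls https://${ip}:2380 \\
  --advertise-client-urls https://${ip}:2379,http://127.0.0.1:2379 \\
  --initial-cluster $(etcd_initial_cluster) \\
  --ca-file ./certs/ca.pem \\
  --cert-file ./certs/etcd-peer.pem \\
  --key-file ./certs/etcd-peer-key.pem \\
  --client-cert-auth \\
  --trusted-ca-file ./certs/ca.pem \\
  --peer-ca-file ./certs/ca.pem \\
  --peer-cert-file ./certs/etcd-peer.pem \\
  --peer-key-file ./certs/etcd-peer-key.pem \\
  --peer-client-cert-auth \\
  --peer-trusted-ca-file ./certs/ca.pem \\
  --log-output stdout
EOF
}

# Usage on a member: sh render-etcd.sh 6-94 > /opt/etcd/etcd-server-startup.sh
if [ -n "${1:-}" ]; then
  render_etcd_startup "$1"
fi
```

The supervisor ini differs only in its [program:etcd-server-NN-NN] header and can be generated from the same table the same way; keeping the member list in one place means adding a fourth member is a one-line change that is then reflected in --initial-cluster on every node.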
7.1.14: Check the cluster status
-6-93 ~]# cd /opt/etcd
-6-93 etcd]# ./etcdctl cluster-health
-6-93 etcd]# ./etcdctl member list
7.2: Deploy the kube-apiserver cluster
kube-apiserver is deployed on both 192.168.6.94 and 192.168.6.95
7.2.1: Download, extract and create the symlink
Using the installation on 192.168.6.94 as the example
https://github.com/kubernetes/kubernetes
How to download: click the version number → CHANGELOG-1.16.9.md → DOWNLOAD → server binaries → kubernetes-server-linux-amd64.tar.gz
-6-94 ~]# tar zxf kubernetes-server-linux-amd64.tar.gz
-6-94 ~]# mv kubernetes /opt/kubernetes-v1.16.9
-6-94 opt]# ln -s /opt/kubernetes-v1.16.9 /opt/kubernetes
-6-94 opt]# cd /opt/kubernetes
-6-94 kubernetes]# rm -rf kubernetes-src.tar.gz
-6-94 kubernetes]# cd /opt/kubernetes/server/bin
-6-94 bin]# rm -rf *.tar
-6-94 bin]# rm -rf *_tag
7.2.2: Issue the client certificate on the ops host (192.168.6.96)
7.2.2.1: Create the JSON config for the certificate signing request (CSR)
-6-96 certs]# vi /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
7.2.2.2: Generate the client certificate files
-6-96 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssl-json -bare client
7.2.2.3: Check the generated certificate files
-6-96 certs]# ll | grep client
-rw-r--r-- 1 root root  993 5月  2 15:18 client.csr
-rw-r--r-- 1 root root  280 5月  2 15:17 client-csr.json
-rw------- 1 root root 1675 5月  2 15:18 client-key.pem
-rw-r--r-- 1 root root 1363 5月  2 15:18 client.pem
7.2.3: Issue the kube-apiserver certificate on the ops host (192.168.6.96)
7.2.3.1: Create the JSON config that generates the certificate CSR
-6-96 certs]# vi /opt/certs/apiserver-csr.json
# hosts can only list individual IP addresses, not IP ranges; addresses of servers that may be deployed later can be included
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "10.100.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.6.89",
        "192.168.6.92",
        "192.168.6.93",
        "192.168.6.94",
        "192.168.6.95"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
Note: 10.100.0.1 is the cluster's virtual IP address; 192.168.6.89 is the Nginx VIP address
7.2.3.2: Generate the kube-apiserver certificate files
-6-96 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssl-json -bare apiserver
7.2.3.3: Check the generated certificate files
k8s-6-96 certs]# ll | grep apiserver
-rw-r--r-- 1 root root 1257 5月  2 15:27 apiserver.csr
-rw-r--r-- 1 root root  602 5月  2 15:24 apiserver-csr.json
-rw------- 1 root root 1675 5月  2 15:27 apiserver-key.pem
-rw-r--r-- 1 root root 1602 5月  2 15:27 apiserver.pem
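The listings in 7.1.4, 7.2.2.3 and 7.2.3.3 show that cfssl wrote the files, but not that they contain what the consumers will require: a chain to ca.pem, the SAN entries that clients will connect to, and the extended key usage promised by the profile (server auth for the apiserver certificate, client auth for the client certificate, both for the etcd peer certificate). The checks below are added here as an example and are not part of the original post; they use openssl, which is already on the hosts, and read the PEM files cfssl produced. make_test_pki is a constructed stand-in that builds a throwaway CA and a server-profile-style leaf with openssl, using a subset of the page's apiserver SANs, so the checks can be exercised without cfssl; it is not the page's issuing procedure.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# certificates cfssl produced, run on the ops host before they are copied out.

# Does the leaf chain to the CA? The apiserver, kubelet and etcd only trust
# what chains to ca.pem.  $1 = ca.pem, $2 = leaf certificate
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Is the IP in the certificate's subjectAltName? A node address that is not
# listed is rejected by TLS clients even though the key is fine.  $1 = cert, $2 = ip
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qE "IP Address:$2(,|$)"
}

# Same check for a DNS SAN such as kubernetes.default.svc.cluster.local.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -qE "DNS:$2(,|$)"
}

# Does the certificate carry the extended key usage its profile promised?
# $2 is "TLS Web Server Authentication" or "TLS Web Client Authentication"
cert_has_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# Constructed test PKI (stand-in for cfssl output): a CA plus an apiserver-like
# leaf with a subset of this page's SANs and the "server" profile usages.
# Files are written to directory $1.
make_test_pki() {
  d=$1
  mkdir -p "$d" || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/C=CN/ST=beijing/L=beijing/O=od/OU=ops/CN=AuthEdu' \
    -keyout "$d/ca-key.pem" -out "$d/ca.csr" >/dev/null 2>&1 || return 1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$d/ca-ext.cnf"
  openssl x509 -req -days 365 -in "$d/ca.csr" -signkey "$d/ca-key.pem" \
    -extfile "$d/ca-ext.cnf" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/C=CN/ST=beijing/L=beijing/O=od/OU=ops/CN=k8s-apiserver' \
    -keyout "$d/apiserver-key.pem" -out "$d/apiserver.csr" >/dev/null 2>&1 || return 1
  printf '%s\n' \
    'subjectAltName=IP:127.0.0.1,IP:10.100.0.1,IP:192.168.6.94,DNS:kubernetes.default,DNS:kubernetes.default.svc.cluster.local' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' > "$d/leaf-ext.cnf"
  openssl x509 -req -days 365 -in "$d/apiserver.csr" \
    -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" -CAcreateserial \
    -extfile "$d/leaf-ext.cnf" -out "$d/apiserver.pem" >/dev/null 2>&1
}
```

On the ops host the real calls are, for instance, cert_chains_to_ca /opt/certs/ca.pem /opt/certs/apiserver.pem and cert_has_ip_san /opt/certs/apiserver.pem 192.168.6.89 for each address the apiserver will be reached on; a SAN that is missing here is the usual cause of a "certificate is valid for ..., not ..." error from a Go client later.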
7.2.4: Copy the certificates to each compute node
Using the deployment on 192.168.6.94 as the example:
-6-94 bin]# mkdir /opt/kubernetes/server/bin/certs
-6-94 bin]# cd /opt/kubernetes/server/bin/certs
-6-94 certs]# scp 192.168.6.96:/opt/certs/ca.pem .
-6-94 certs]# scp 192.168.6.96:/opt/certs/ca-key.pem .
-6-94 certs]# scp 192.168.6.96:/opt/certs/client.pem .
-6-94 certs]# scp 192.168.6.96:/opt/certs/client-key.pem .
-6-94 certs]# scp 192.168.6.96:/opt/certs/apiserver.pem .
-6-94 certs]# scp 192.168.6.96:/opt/certs/apiserver-key.pem .
7.2.5: Create the configuration
-6-94 certs]# mkdir /opt/kubernetes/server/bin/conf
-6-94 certs]# cd /opt/kubernetes/server/bin/conf
-6-94 conf]# vi audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
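The apiserver applies the first rule that matches a request, so the order of the rules above decides what reaches the audit log: the None rule for the controller-leader configmap sits before the Request rule for configmaps in kube-system, and a kube-proxy get (as opposed to watch) on endpoints falls through to the core-group Request rule. The model below, added here as an example and not apiserver code, replays that first-match evaluation over the policy's resource rules for a few constructed sample requests; it deliberately leaves out the nonResourceURLs rule, userGroups and omitStages, and writes the core API group as "core".

```shell
#!/bin/sh
# Added example (not from the original post): first-match evaluation of the
# audit policy above. One rule per line: level user verb group resource
# name namespace; "*" matches anything, "core" stands for group "".
# Not modelled: nonResourceURLs, userGroups, omitStages.
AUDIT_RULES='RequestResponse * * core pods * *
Metadata * * core pods/log * *
Metadata * * core pods/status * *
None * * core configmaps controller-leader *
None system:kube-proxy watch core endpoints * *
None system:kube-proxy watch core services * *
Request * * core configmaps * kube-system
Metadata * * core secrets * *
Metadata * * core configmaps * *
Request * * core * * *
Request * * extensions * * *
Metadata * * * * * *'

# A rule field of "*" matches anything; otherwise it must equal the request field.
field_matches() {
  [ "$1" = "*" ] || [ "$1" = "$2" ]
}

# audit_level USER VERB GROUP RESOURCE NAME NAMESPACE
# Prints the level of the first matching rule; None means nothing is logged.
audit_level() {
  level=""
  while read -r r_level r_user r_verb r_group r_res r_name r_ns; do
    if [ -z "$level" ] \
       && field_matches "$r_user" "$1" && field_matches "$r_verb" "$2" \
       && field_matches "$r_group" "$3" && field_matches "$r_res" "$4" \
       && field_matches "$r_name" "$5" && field_matches "$r_ns" "$6"; then
      level=$r_level
    fi
  done <<EOF
$AUDIT_RULES
EOF
  printf '%s' "$level"
}

# Constructed sample requests (users and object names are made up) that show
# how rule order changes the outcome. Printed when run as: sh audit-demo.sh demo
demo_audit_levels() {
  printf '%-18s %-7s %-36s %s\n' USER VERB GROUP/RESOURCE/NAMESPACE LEVEL
  for req in \
    "alice create core pods web-1 default" \
    "alice get core pods/log web-1 default" \
    "system:kube-proxy watch core endpoints kubernetes default" \
    "system:kube-proxy get core endpoints kubernetes default" \
    "alice update core configmaps controller-leader kube-system" \
    "alice update core configmaps app-config kube-system" \
    "alice get core secrets db-password default" \
    "alice create apps deployments web default"; do
    set -- $req
    printf '%-18s %-7s %-36s %s\n' "$1" "$2" "$3/$4/$6" "$(audit_level "$@")"
  done
}

if [ "${1:-}" = "demo" ]; then
  demo_audit_levels
fi
```

Reading secrets lands at Metadata (who read which secret, without the body), while a configmap update in kube-system is logged with its request body; moving the secrets rule below the core catch-all would silently change the first of those, which is the kind of regression worth checking whenever the policy file is edited.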
7.2.6: Create the apiserver startup script
-6-94 bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
  --apiserver-count 2 \
  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
  --audit-policy-file ./conf/audit.yaml \
  --authorization-mode RBAC \
  --client-ca-file ./certs/ca.pem \
  --requestheader-client-ca-file ./certs/ca.pem \
  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
  --etcd-cafile ./certs/ca.pem \
  --etcd-certfile ./certs/client.pem \
  --etcd-keyfile ./certs/client-key.pem \
  --etcd-servers https://192.168.6.93:2379,https://192.168.6.94:2379,https://192.168.6.95:2379 \
  --service-account-key-file ./certs/ca-key.pem \
  --service-cluster-ip-range 10.100.0.0/16 \
  --service-node-port-range 3000-29999 \
  --target-ram-mb=1024 \
  --kubelet-client-certificate ./certs/client.pem \
  --kubelet-client-key ./certs/client-key.pem \
  --log-dir /data/logs/kubernetes/kube-apiserver \
  --tls-cert-file ./certs/apiserver.pem \
  --tls-private-key-file ./certs/apiserver-key.pem \
  --v 2
7.2.7: Set permissions and create the log directory
-6-94 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
-6-94 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
7.2.8: Create the supervisor configuration
-6-94 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-6-94]
command=/opt/kubernetes/server/bin/kube-apiserver.sh                    ; the program (relative uses PAT
H, can take args)
numprocs=1                                                              ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                    ; directory to cwd to before exec (def no cwd)
autostart=true                                                          ; start at supervisord start (default: true)
autorestart=true                                                        ; restart at unexpected quit (default: true)
startsecs=30                                                            ; number of secs prog must stay running (def. 1)
startretries=3                                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                                         ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                               ; setuid to this UNIX account to run the program
redirect_stderr=true                                                    ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                             ; emit events on stdout writes (default false)
7.2.9: Start the service and check it
-6-94 bin]# supervisorctl update
-6-94 bin]# supervisorctl status
-6-94 bin]# netstat -nltup | grep kube-api
7.2.10: Deploy the other server; the following differs:
# what differs
/etc/supervisord.d/kube-apiserver.ini
  [program:kube-apiserver-6-94]
kube-apiserver is now deployed on the compute nodes (192.168.6.94 and 192.168.6.95); the next part continues with the remaining components.
