Binary deployment of the kube-apiserver component

Component overview

The Kubernetes API server validates and configures data for API objects, which include pods, services, replicationcontrollers and others. The API server serves REST operations and provides the front end to the cluster's shared state, through which all other components interact.

Certificate preparation

Create the download directory

[root@k8s-master1 ~]# mkdir -p /root/download

Create the configuration file and log directories (the same tree the unit file and kube-apiserver.conf below refer to)

[root@k8s-master1 apiserver]# mkdir -p /root/tools/kubernetes/apiserver/{conf,log}

Binary files

Download URL: https://storage.googleapis.com/kubernetes-release/release/v1.18.18/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master1 download]# wget https://storage.googleapis.com/kubernetes-release/release/v1.18.18/kubernetes-server-linux-amd64.tar.gz

Extract the archive and copy the binary to the executable directory

[root@k8s-master1 download]# tar -xzvf kubernetes-server-linux-amd64.tar.gz
[root@k8s-master1 download]# cp /root/download/kubernetes/server/bin/kube-apiserver /usr/local/bin/

Create the kube-apiserver configuration file

cat /root/tools/kubernetes/apiserver/conf/kube-apiserver.conf

KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/root/tools/kubernetes/apiserver/log \
--etcd-servers=https://10.6.1.85:2379,https://10.6.1.86:2379,https://10.6.1.87:2379 \
--bind-address=10.6.1.85 \
--secure-port=6443 \
--advertise-address=10.6.1.85 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/root/tools/kubernetes/ssl/bootstrapping/token/token.csv \
--service-node-port-range=30000-50000 \
--kubelet-client-certificate=/root/tools/kubernetes/ssl/apiserver/apiserver.pem \
--kubelet-client-key=/root/tools/kubernetes/ssl/apiserver/apiserver-key.pem \
--tls-cert-file=/root/tools/kubernetes/ssl/apiserver/apiserver.pem \
--tls-private-key-file=/root/tools/kubernetes/ssl/apiserver/apiserver-key.pem \
--tls-min-version=VersionTLS12 \
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \
--client-ca-file=/root/tools/kubernetes/ssl/ca/ca.pem \
--service-account-key-file=/root/tools/kubernetes/ssl/ca/ca-key.pem \
--etcd-cafile=/root/tools/kubernetes/ssl/ca/ca.pem \
--etcd-certfile=/root/tools/kubernetes/ssl/etcd/etcd.pem \
--etcd-keyfile=/root/tools/kubernetes/ssl/etcd/etcd-key.pem \
--requestheader-client-ca-file=/root/tools/kubernetes/ssl/ca/ca.pem \
--proxy-client-cert-file=/root/tools/kubernetes/ssl/apiserver/apiserver.pem \
--proxy-client-key-file=/root/tools/kubernetes/ssl/apiserver/apiserver-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/root/tools/kubernetes/apiserver/log/k8s-audit.log"

Note: if tls-cipher-suites and tls-min-version are not set, a vulnerability scan may report the cipher suites as insecure.
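As an added check that is not part of the original post, the script below parses a file in the KUBE_APISERVER_OPTS format shown above and reports the flags a hardening review or scanner would raise. The sample conf is constructed with deliberately weak values; the defaults it assumes for flags left unset (authorization-mode AlwaysAllow, anonymous-auth true, insecure-port 8080) are those of kube-apiserver v1.18.

```python
import re

# Constructed sample in the post's kube-apiserver.conf format (abridged, not the
# author's file); the weak settings are deliberate so that the checks fire.
SAMPLE_CONF = '''KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--authorization-mode=AlwaysAllow \\
--tls-cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \\
--enable-admission-plugins=NamespaceLifecycle,ServiceAccount \\
--audit-log-path=/root/tools/kubernetes/apiserver/log/k8s-audit.log"
'''

# The six forward-secret AEAD suites the post's config allows.
AEAD_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}

def parse_opts(text):
    """Return the --flag=value pairs inside KUBE_APISERVER_OPTS as a dict."""
    m = re.search(r'KUBE_APISERVER_OPTS="(.*?)"', text, re.S)
    if not m:
        raise ValueError("KUBE_APISERVER_OPTS not found")
    body = m.group(1).replace("\\\n", " ")   # join the backslash line continuations
    opts = {}
    for tok in body.split():
        key, _, val = tok.lstrip("-").partition("=")
        opts[key] = val or "true"            # a bare --flag means true
    return opts

def audit_opts(opts):
    """Return findings for weak or missing security flags (v1.18 defaults assumed)."""
    f = []
    modes = set(opts.get("authorization-mode", "AlwaysAllow").split(","))
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        f.append("authorization-mode should be RBAC,Node (no AlwaysAllow)")
    if opts.get("anonymous-auth", "true") != "false":
        f.append("anonymous-auth defaults to true; set it to false")
    if opts.get("tls-min-version") not in ("VersionTLS12", "VersionTLS13"):
        f.append("tls-min-version missing or below VersionTLS12")
    bad = set(opts.get("tls-cipher-suites", "").split(",")) - AEAD_SUITES - {""}
    if bad or "tls-cipher-suites" not in opts:
        f.append("tls-cipher-suites missing or non-AEAD: %s" % ",".join(sorted(bad)))
    if "NodeRestriction" not in opts.get("enable-admission-plugins", "").split(","):
        f.append("enable-admission-plugins lacks NodeRestriction")
    if opts.get("insecure-port", "8080") != "0":
        f.append("insecure-port should be 0 (v1.18 default is 8080)")
    if not opts.get("audit-log-path"):
        f.append("audit-log-path not set; no audit trail")
    return f
```

Run it against the real file with `audit_opts(parse_opts(open("/root/tools/kubernetes/apiserver/conf/kube-apiserver.conf").read()))`; an empty list means every check passed.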

Create the kube-apiserver unit file

[root@k8s-master1 apiserver]# cat /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/root/tools/kubernetes/apiserver/conf/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

Start the service

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
posted @ 2025-01-02 09:40 by 小小青年