kubernetes master 节点安装配置步骤
下载或者拷贝相关二进制文件
从工作节点拷贝 CA 证书和私钥,admin 证书和私钥
生成 kubernetes、aggregator proxy 证书和私钥
创建 basic-auth.csv
创建 kube-apiserver、kube-controller-manager、kube-scheduler 的 systemd unit 文件
启动服务
Making master nodes SchedulingDisabled
Setting master role name
安装相关插件
# 集群网络插件,可以支持calico, flannel, kube-router, cilium" flannel" # 服务网段 (Service CIDR),注意不要与内网已有网段冲突" 10.68.0.0/16" # kubernetes 服务 IP (预分配,一般是 SERVICE_CIDR 中第一个IP)" 10.68.0.1" # 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)" 10.68.0.2" # POD 网段 (Cluster CIDR),注意不要与内网已有网段冲突" 172.20.0.0/16" # 服务端口范围 (NodePort Range)" 20000-40000" # 集群 DNS 域名" cluster.local." # 需要说明的是集群的 apiserver 地址应该是负载均衡的地址# MASTER_IP 为负载均衡主节点地址" 192.168.1.12" " https://192.168.1.12:8443" # 集群 basic auth 使用的用户名和密码,用于 basic-auth.csv" admin" " test1234" --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem
--client-ca-file=/etc/kubernetes/ssl/ca.pem
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem
--kubelet-client-certificate=/etc/kubernetes/ssl/admin.pem
--kubelet-client-key=/etc/kubernetes/ssl/admin-key.pem
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem
--proxy-client-cert-file=/etc/kubernetes/ssl/aggregator-proxy.pem
--proxy-client-key-file=/etc/kubernetes/ssl/aggregator-proxy-key.pem
--basic-auth-file=/etc/kubernetes/ssl/basic-auth.csv
# --service-cluster-ip-range={{ SERVICE_CIDR }}# --service-node-port-range={{ NODE_PORT_RANGE }}# etcd kube-controller-manager 配置参数说明 # --service-cluster-ip-range={{ SERVICE_CIDR }}# --cluster-cidr={{ CLUSTER_CIDR }}192.168.1.1
192.168.1.2
mkdir -p /opt/kube/bin /etc/kubernetes/ssl
# 从工作节点拷贝 kube-master 相关二进制文件# 从工作节点拷贝 CA 证书和私钥# 创建 kubernetes 证书签名请求,以 192.168.1.1 为例# hosts 相当于扩展认证,即一个证书的网站可以是 *.youku.com,也是可以是 *.google.com# 在 hosts 中配置 k8s 集群 master 节点证书配置,可以添加多个ip和域名# 需要添加负载均衡的两个 ip" CN" " kubernetes" " hosts" " 127.0.0.1" " 192.168.1.12" " 192.168.1.11" " 192.168.1.1" " 10.68.0.2" " kubernetes" " kubernetes.default" " kubernetes.default.svc" " kubernetes.default.svc.cluster" " kubernetes.default.svc.cluster.local" " key" " algo" " rsa" " size" " names" " C" " CN" " ST" " WH" " L" " XS" " O" " k8s" " OU" " System" # 创建 kubernetes 证书和私钥cd /etc/kubernetes/ssl && /opt/kube/bin/cfssl gencert \
-ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes kubernetes-csr.json | /opt/kube/bin/cfssljson -bare kubernetes
# 创建 aggregator proxy 证书签名请求" CN" " aggregator" " hosts" " key" " algo" " rsa" " size" " names" " C" " CN" " ST" " HangZhou" " L" " XS" " O" " k8s" " OU" " System" # 创建 aggregator-proxy 证书和私钥cd /etc/kubernetes/ssl && /opt/kube/bin/cfssl gencert \
-ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes aggregator-proxy-csr.json | /opt/kube/bin/cfssljson -bare aggregator-proxy
# 创建 basic-auth.csv
# 创建 kube-apiserver 的 systemd unit 文件,以 192.168.1.1 为例# ############# 配置选项分类 ############### File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). # If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.# 包含HTTPS的默认x509证书的文件。 (CA证书,如果有的话,在服务器证书之后连接)。 如果启用了HTTPS服务,并且未提供--tls-cert-file和--tls-private-key-file,则会生成自签名证书和密钥用于公共地址并保存到--cert-dir指定的目录中。# If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.# File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. # If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided# Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. # WARNING: generally do not depend on authorization being already done for incoming requests.# Path to a client cert file for TLS.# Client certificate used to prove the identity of the aggregator or kube-apiserver when it must call out during a request. This includes proxying requests to a user api-server and calling out to webhook admission plugins. # It is expected that this cert includes a signature from the CA in the --requestheader-client-ca-file flag. # That CA is published in the 'extension-apiserver-authentication' configmap in the kube-system namespace. Components receiving calls from kube-aggregator should use that CA to perform their half of the mutual TLS verification.# 其他相关选项说明| od -An -t x | tr -d ' ' " system:kubelet-bootstrap" # kubelet 启动时会向 kube-apiserver 发送 tsl bootstrap 请求,所以需要将 bootstrap 的 token设置成对应的角色,这样 kubectl 才有权限创建该请求。# 创建 kube-controller-manager 的 systemd unit 文件\ # 新版本没有该选项# ############# 配置选项分类 ############### 新版本没有该选项# 创建 kube-scheduler 的 systemd unit 文件# ############# 配置选项分类 ##############enable kube-apiserver kube-controller-manager kube-scheduler
systemctl daemon-reload
systemctl restart kube-apiserver
systemctl restart kube-controller-manager
systemctl restart kube-scheduler
kubectl get node
# Making master nodes SchedulingDisabled,以 192.168.1.1 为例# Setting master role name,以 192.168.1.1 为例 