Highly available Kubernetes cluster-6. Deploy kube-apiserver

8. Deploy kube-apiserver

The next three chapters deploy the Kube-Master services: kube-apiserver, kube-controller-manager and kube-scheduler.

  1. The three components are deployed together on each node; one node is one deployment unit.
  2. kube-apiserver is stateless. Clients such as the kubelet can list several api-servers in the "--api-servers" startup parameter, but only the first one takes effect, so listing several does not by itself give high availability (this may be addressed in later versions). api-server HA is therefore done with a load balancer in front of the api-servers.
  3. kube-controller-manager and kube-scheduler modify the cluster's state. If the instances on all three nodes were active at the same time there would be synchronisation and consistency problems, so these two services must run in a master-slave (leader/standby) relationship. Kubernetes implements leader election with a lease lock; for kube-controller-manager and kube-scheduler it is enabled with the startup parameter "--leader-elect=true".

1. Create kube-apiserver certificate

1) Create a kube-apiserver certificate signing request

# The api-server enables mutual TLS authentication
[root@kubenode1 ~]# mkdir -p /etc/kubernetes/apiserver
[root@kubenode1 ~]# cd /etc/kubernetes/apiserver/
[root@kubenode1 apiserver]# touch apiserver-csr.json

# When the hosts field is not empty it lists the IPs and domain names authorized to use the certificate.
# Add the IPs of all master nodes here at once, so the certificate only has to be generated and distributed once;
# the front-end HA nodes also talk to the apiserver, so their IPs belong here as well.
# Also include the Service Cluster IP that kube-apiserver registers under the service name "kubernetes",
# which is normally the first IP of the range given by --service-cluster-ip-range (169.169.0.1 for 169.169.0.0/16),
# together with the DNS names of that service (kubernetes, kubernetes.default, ..., kubernetes.default.svc.cluster.local).
# Any name or IP missing from this list fails TLS verification for clients that connect through it.
[root@kubenode1 apiserver]# vim apiserver-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.30.200.10",
    "172.30.200.11",
    "172.30.200.12",
    "172.30.200.21",
    "172.30.200.22",
    "172.30.200.23",
    "169.169.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "k8s",
      "OU": "cloudteam"
    }
  ]
}

2) Generate kube-apiserver certificate and private key

[root@kubenode1 apiserver]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver

# Distribute apiserver.pem and apiserver-key.pem to the other master nodes
[root@kubenode1 apiserver]# scp apiserver.pem apiserver-key.pem [email protected]:/etc/kubernetes/apiserver/
[root@kubenode1 apiserver]# scp apiserver.pem apiserver-key.pem [email protected]:/etc/kubernetes/apiserver/
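A check for the hosts list, as an added Python example (not code from the page or from cfssl): it derives the Service Cluster IP from --service-cluster-ip-range with the stdlib ipaddress module, builds the set of SANs the comments above call for, and reports entries that are missing or that are neither an IP nor a syntactically valid DNS name. The split of the listed addresses into MASTER_IPS and HA_FRONTEND_IPS is an assumption; the page lists the addresses without labelling them.

```python
import ipaddress
import json
import re

# Constructed input, copied from the apiserver-csr.json shown above.
APISERVER_CSR = json.loads("""
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "172.30.200.10", "172.30.200.11", "172.30.200.12",
    "172.30.200.21", "172.30.200.22", "172.30.200.23",
    "169.169.0.1",
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"
  ]
}
""")

# Assumed cluster layout: the page lists these IPs but does not say which are
# masters and which are the front-end HA nodes.
MASTER_IPS = ["172.30.200.21", "172.30.200.22", "172.30.200.23"]
HA_FRONTEND_IPS = ["172.30.200.10", "172.30.200.11", "172.30.200.12"]
SERVICE_CIDR = "169.169.0.0/16"  # --service-cluster-ip-range from kube-apiserver.conf

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def service_cluster_ip(service_cidr):
    """ClusterIP that kube-apiserver registers for the 'kubernetes' service:
    the first usable address of --service-cluster-ip-range (network address + 1)."""
    return str(ipaddress.ip_network(service_cidr, strict=False)[1])


def required_sans(master_ips, ha_ips, service_cidr, cluster_domain="cluster.local"):
    """Every name or IP a client may present when dialling the apiserver over TLS:
    loopback, each master, each HA front end, the service IP and every prefix of
    kubernetes.default.svc.<cluster_domain>."""
    names = {"127.0.0.1", service_cluster_ip(service_cidr), *master_ips, *ha_ips}
    parts = f"kubernetes.default.svc.{cluster_domain}".split(".")
    for i in range(1, len(parts) + 1):
        names.add(".".join(parts[:i]))
    return names


def malformed_hosts(csr):
    """Entries that are neither an IP address nor a valid DNS name. cfssl would still
    embed them in the certificate, but no client could ever match them."""
    bad = []
    for host in csr.get("hosts", []):
        try:
            ipaddress.ip_address(host)
            continue
        except ValueError:
            pass
        if not all(DNS_LABEL.match(label) for label in host.split(".")):
            bad.append(host)
    return bad


def missing_sans(csr, required):
    """Required SANs that the CSR does not list."""
    return sorted(required - set(csr.get("hosts", [])))


def check_apiserver_csr(csr, master_ips, ha_ips, service_cidr):
    """Combined report; both lists are empty when the CSR is complete and clean."""
    return {
        "missing": missing_sans(csr, required_sans(master_ips, ha_ips, service_cidr)),
        "malformed": malformed_hosts(csr),
    }


if __name__ == "__main__":
    print(check_apiserver_csr(APISERVER_CSR, MASTER_IPS, HA_FRONTEND_IPS, SERVICE_CIDR))
```

Run it before `cfssl gencert`; once the certificate exists, the same list can be compared against `openssl x509 -in apiserver.pem -noout -text` to confirm the SANs actually made it into the certificate.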

2. Configure the systemd unit file of kube-apiserver

The relevant executables are already deployed when kubectl is deployed.

1) Create the client token file used by kube-apiserver

The kubelet sends its registration to the kube-apiserver when it starts. In a mutual-TLS environment that request must be authenticated. Generating a certificate and private key for each kubelet by hand is workable when the number of nodes is small and fixed; the TLS Bootstrapping mechanism lets a large number of Node nodes complete their registration with the kube-apiserver automatically.

Principle: when the kubelet starts for the first time, it sends a TLS Bootstrapping request to the kube-apiserver carrying a bootstrap token. The kube-apiserver checks that token against the entries in the file given by --token-auth-file (token.csv below); if it matches, the request is authenticated as the user and group recorded for that token (kubelet-bootstrap in system:kubelet-bootstrap), and the kubelet can go on to request its own client certificate.

# BOOTSTRAP_TOKEN must be set in the shell before the file is written; generate a random value, for example:
[root@kubenode1 ~]# BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
[root@kubenode1 ~]# mkdir -p /etc/kubernetes/bootstrap
[root@kubenode1 ~]# cd /etc/kubernetes/bootstrap/
# One line per token: token,user name,user ID,"group". Keep the value; the kubelet's bootstrap kubeconfig must carry the same token.
[root@kubenode1 bootstrap]# cat > token.csv << EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

# Distribute token.csv to the other master nodes
[root@kubenode1 ~]# scp /etc/kubernetes/bootstrap/token.csv [email protected]:/etc/kubernetes/bootstrap/
[root@kubenode1 ~]# scp /etc/kubernetes/bootstrap/token.csv [email protected]:/etc/kubernetes/bootstrap/
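The token file format and the lookup the apiserver performs on it, as an added Python example (not code from the page or from Kubernetes): it generates a token of the same shape as `head -c 16 /dev/urandom | od -An -t x | tr -d ' '` produces, renders the token.csv line, parses the file the way the static token authenticator reads it (CSV, at least three columns, optional fourth column of comma-separated groups) and maps a presented token to a user and groups using a constant-time comparison. The uid 10001 and the user and group names are the page's; the sample tokens are constructed.

```python
import csv
import hmac
import io
import secrets


def new_bootstrap_token():
    """32 hex characters from the OS CSPRNG; same shape as the od/tr pipeline."""
    return secrets.token_hex(16)


def render_token_csv(token, user="kubelet-bootstrap", uid="10001",
                     groups=("system:kubelet-bootstrap",)):
    """One line in --token-auth-file format: token,user,uid,"group1,group2".
    The group column is quoted so that several groups survive CSV parsing."""
    if not groups:
        return f"{token},{user},{uid}\n"
    group_col = ",".join(groups)
    return f'{token},{user},{uid},"{group_col}"\n'


def load_token_file(text):
    """Parse the file as the static token authenticator does: CSV rows with at
    least token,user,uid and an optional fourth column of comma-separated groups.
    Empty lines are skipped; short rows and duplicate tokens are rejected."""
    entries = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) < 3:
            raise ValueError(f"line {lineno}: expected token,user,uid[,groups]")
        token, user, uid = row[0], row[1], row[2]
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        if token in entries:
            raise ValueError(f"line {lineno}: duplicate token")
        entries[token] = {"user": user, "uid": uid, "groups": groups}
    return entries


def authenticate(entries, presented):
    """Map a presented bearer token to its identity, or None. Every stored token is
    compared in constant time and the loop does not stop early, so a wrong guess
    reveals neither how many leading bytes matched nor where in the file it sits."""
    identity = None
    for token, who in entries.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            identity = who
    return identity


if __name__ == "__main__":
    tok = new_bootstrap_token()
    line = render_token_csv(tok)
    print(line, end="")
    print(authenticate(load_token_file(line), tok))
```

kube-apiserver reads the file once at startup, so rotating a token means editing token.csv on every master and restarting the apiservers; the file grants cluster access to whoever reads it, so it belongs to root with mode 0600.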

2) Configure the systemd unit file of kube-apiserver

[root@kubenode1 ~]# touch /usr/lib/systemd/system/kube-apiserver.service
[root@kubenode1 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
User=root
EnvironmentFile=/usr/local/kubernetes/kube-apiserver.conf
ExecStart=/usr/local/kubernetes/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
# Startup parameter file. Notes on the flags:
# --admission-control: the cluster's admission control chain; each controller takes effect in turn as a plug-in, and the list must include ServiceAccount (from v1.10 the flag is replaced by --enable-admission-plugins);
# --bind-address: must not be 127.0.0.1; the HTTPS service listens on port 6443 of this address, the default is 0.0.0.0;
# --insecure-port=0: disables the insecure HTTP service, which is enabled by default on port 8080; --secure-port=6443: the HTTPS port, default 6443, 0 disables it;
# --authorization-mode: use Node and RBAC authorization on the secure port and reject requests that fail authorization;
# --service-cluster-ip-range: the Service Cluster IP range; it is not routable from outside the cluster;
# --service-node-port-range: the port range for NodePort services;
# --storage-backend: persistent storage type, the default is etcd3 since v1.6;
# --enable-swagger-ui: when true, enables the swagger-ui page, reachable under the apiserver's /swagger-ui path; default false;
# --allow-privileged: when true, Pods may run containers with system privileges (some network plug-ins need it; it also lets any workload that is granted a privileged container reach the host);
# --audit-log-*: audit log settings;
# --event-ttl: how long each event is retained in the apiserver, default 1h; used for auditing and tracing;
# --logtostderr: default true, log to stderr and not to log files;
# --log-dir: log directory;
# --v: log level.
# Two further notes on this file:
# - --service-account-key-file only needs a key with which to verify service-account tokens; pointing it at the CA's private key, as below, keeps that key on every master. A dedicated key pair (public key here, private key for kube-controller-manager's --service-account-private-key-file) is preferable.
# - systemd's ExecStart does not run a shell, so a "1>>file 2>&1" redirection appended to KUBE_API_ARGS would be passed to kube-apiserver as extra arguments instead of redirecting its output. With --logtostderr=false and --log-dir set, the apiserver writes its own log files under --log-dir, so no redirection is needed.
# On kubenode2 and kubenode3, set --advertise-address and --bind-address to that node's own IP.
[root@kubenode1 ~]# touch /usr/local/kubernetes/kube-apiserver.conf
[root@kubenode1 ~]# vim /usr/local/kubernetes/kube-apiserver.conf
KUBE_API_ARGS="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --advertise-address=172.30.200.21 \
  --bind-address=172.30.200.21 \
  --insecure-port=0 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1beta1 \
  --kubelet-https=true \
  --token-auth-file=/etc/kubernetes/bootstrap/token.csv \
  --service-cluster-ip-range=169.169.0.0/16 \
  --service-node-port-range=10000-60000 \
  --tls-cert-file=/etc/kubernetes/apiserver/apiserver.pem \
  --tls-private-key-file=/etc/kubernetes/apiserver/apiserver-key.pem \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
  --etcd-certfile=/etc/kubernetes/apiserver/apiserver.pem \
  --etcd-keyfile=/etc/kubernetes/apiserver/apiserver-key.pem \
  --storage-backend=etcd3 \
  --etcd-servers=https://172.30.200.21:2379,https://172.30.200.22:2379,https://172.30.200.23:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --apiserver-count=3 \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/lib/audit.log \
  --event-ttl=1h \
  --logtostderr=false \
  --log-dir=/var/log/kubernetes/apiserver \
  --v=2"

# Create the log directory
[root@kubenode1 ~]# mkdir -p /var/log/kubernetes/apiserver
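A configuration audit for this flag set, as an added Python example (not code from the page or from Kubernetes). It parses KUBE_API_ARGS out of the EnvironmentFile, joining backslash continuation lines as systemd does, and then checks the points the comments above make: insecure port disabled, RBAC enabled without AlwaysAllow, ServiceAccount and NodeRestriction admission plug-ins present, TLS, client CA and audit log configured, no non-flag tokens slipped into the argument list, and a service-account key that is not the CA's private key. PAGE_CONF reproduces the flags from the file above (abbreviated to the ones the checks read) with a shell redirection appended to show that it is caught; HARDENED_CONF and the path /etc/kubernetes/ssl/sa.pub are assumptions.

```python
import shlex

# Constructed input: the flags from kube-apiserver.conf above, trimmed to those the
# checks look at, with the "1>>... 2>&1" redirection that many copies of this tutorial
# carry (systemd hands it to kube-apiserver as two extra arguments).
PAGE_CONF = r'''
KUBE_API_ARGS="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=172.30.200.21 \
  --insecure-port=0 \
  --authorization-mode=Node,RBAC \
  --token-auth-file=/etc/kubernetes/bootstrap/token.csv \
  --tls-cert-file=/etc/kubernetes/apiserver/apiserver.pem \
  --tls-private-key-file=/etc/kubernetes/apiserver/apiserver-key.pem \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --audit-log-path=/var/lib/audit.log \
  --logtostderr=false --log-dir=/var/log/kubernetes/apiserver \
  --v=2 1>>/var/log/kubernetes/apiserver/kube-apiserver.log 2>&1"
'''

# Assumed hardened variant: a dedicated service-account verification key (sa.pub is
# an assumed path, not one the page uses) and no redirection.
HARDENED_CONF = r'''
KUBE_API_ARGS="--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=172.30.200.21 \
  --insecure-port=0 \
  --authorization-mode=Node,RBAC \
  --token-auth-file=/etc/kubernetes/bootstrap/token.csv \
  --tls-cert-file=/etc/kubernetes/apiserver/apiserver.pem \
  --tls-private-key-file=/etc/kubernetes/apiserver/apiserver-key.pem \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-key-file=/etc/kubernetes/ssl/sa.pub \
  --audit-log-path=/var/lib/audit.log \
  --logtostderr=false --log-dir=/var/log/kubernetes/apiserver \
  --v=2"
'''


def parse_kube_api_args(conf_text):
    """Return ({flag: value}, [stray tokens]) from an EnvironmentFile that defines
    KUBE_API_ARGS. A trailing backslash joins the next line, as systemd does; the
    value is then split with shell quoting rules. Anything not starting with '--'
    is a stray token: ExecStart runs no shell, so it reaches kube-apiserver as is."""
    joined = conf_text.replace("\\\n", " ")
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("KUBE_API_ARGS="):
            value = line[len("KUBE_API_ARGS="):].strip()
            break
    else:
        raise ValueError("KUBE_API_ARGS not found")
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    flags, stray = {}, []
    for tok in shlex.split(value):
        if tok.startswith("--"):
            name, has_value, val = tok.partition("=")
            flags[name] = val if has_value else "true"  # bare boolean flag
        else:
            stray.append(tok)
    return flags, stray


def audit_apiserver_flags(flags, stray):
    """List of findings; empty when every check passes. Defaults assumed where a flag
    is absent match the apiserver versions that still had --insecure-port."""
    findings = []
    if stray:
        findings.append(f"stray non-flag arguments {stray}: ExecStart runs no shell, "
                        "so redirections are passed to kube-apiserver verbatim")
    if flags.get("--insecure-port", "8080") != "0":
        findings.append("--insecure-port is not 0: the unauthenticated HTTP endpoint is enabled")
    modes = flags.get("--authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append(f"--authorization-mode={','.join(modes)}: RBAC must be on and AlwaysAllow off")
    plugins = (flags.get("--enable-admission-plugins") or flags.get("--admission-control") or "").split(",")
    if "ServiceAccount" not in plugins:
        findings.append("admission plug-ins lack ServiceAccount")
    if "Node" in modes and "NodeRestriction" not in plugins:
        findings.append("Node authorizer without NodeRestriction: a kubelet may modify other nodes' objects")
    for required in ("--tls-cert-file", "--tls-private-key-file", "--client-ca-file", "--audit-log-path"):
        if required not in flags:
            findings.append(f"{required} not set")
    if flags.get("--service-account-key-file", "").endswith("ca-key.pem"):
        findings.append("--service-account-key-file is the cluster CA's private key; use a dedicated key pair")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_apiserver_flags(*parse_kube_api_args(conf)))
```

Point `parse_kube_api_args` at the real /usr/local/kubernetes/kube-apiserver.conf on each master before `systemctl start`; the stray-token check is the one that catches the redirection mistake, which otherwise only shows up as the apiserver rejecting its command line.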

3. Start and verify

[root@kubenode1 ~]# systemctl daemon-reload
[root@kubenode1 ~]# systemctl enable kube-apiserver
[root@kubenode1 ~]# systemctl start kube-apiserver
[root@kubenode1 ~]# systemctl status kube-apiserver
# If the unit fails, the apiserver's own logs are under --log-dir (/var/log/kubernetes/apiserver/) and systemd's under journalctl -u kube-apiserver
