Configure and start kube-apiserver
Creating kube-apiserver.service
/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
After=etcd.service
[Service]
EnvironmentFile=-/etc/kubernetes/config
ExecStart=/usr/local/bin/kube-apiserver \
--anonymous-auth=false \
--basic-auth-file=/etc/kubernetes/basic_auth_file \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_ALLOW_PRIV \
--etcd-servers=https://172.16.20.206:2379,https://172.16.20.207:2379,https://172.16.20.208:2379 \
--advertise-address=172.16.20.206 \
--bind-address=0.0.0.0 \
--insecure-bind-address=0.0.0.0 \
--service-cluster-ip-range=10.254.0.0/16 \
--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota \
--authorization-mode=RBAC,Node \
--runtime-config=rbac.authorization.k8s.io/v1beta1 \
--kubelet-https=true --enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-32767 \
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \
--etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
--etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
--enable-swagger-ui=true \
--apiserver-count=3 \
--allow-privileged=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/lib/audit.log \
--event-ttl=1h
Restart=on-failure
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Explanation
--authorization-mode = RBAC secure port specified in the authorization using the RBAC model, reject a request for authorization failed;
Kube-Scheduler, Kube-Controller-Manager ships and kube-apiserver deployed on the same machine, and they use non-secure port kube-apiserver communication;
kubelet, Kube-Proxy, kubectl deployed on other node node, if through a secure port access kube-apiserver, you must first pass TLS certificate authentication, and then authorized by RBAC;
Kube-Proxy, kubectl by the use of a certificate related to the specified User, Group object is achieved by the RBAC authorization;
If the kubelet TLS Boostrap mechanism, no longer specifies --kubelet-certificate-authority, - kubelet -client-certificate and --kubelet-client- error;: key option, "certificate signed by unknown authority x509 " otherwise occur subsequent kube-apiserver check kubelet certificate
--admission-control value must contain ServiceAccount;
--bind-address can not be 127.0.0.1;
Runtime-config configuration apiVersion represent runtime: rbac.authorization.k8s.io/v1beta1
--service- cluster-ip-range specified Service Cluster IP addresses, the address section of the route can not reach;
kubernetes object is stored in the default etcd / registry path, can be adjusted by --etcd-prefix parameter;
Start kube-apiserver
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
Kube-controller-manager configuration
Creating kube-controller-manager.service
/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/config
ExecStart=/usr/local/bin/kube-controller-manager \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
--address=127.0.0.1 \
--service-cluster-ip-range=10.254.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--leader-elect=true
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Explanation
= --Master HTTP: // {} MASTER_IP: 8080: a non-secure port 8080 and kube-apiserver communication;
--cluster-CIDR CIDR range specified in the Pod Cluster, the network must be routed up between the respective Node ( flanneld guaranteed);
--service Cluster-IP-range-specified parameters in the Cluster Service CIDR range, the network must be routed among the unreachable Node, must kube-apiserver parameters consistent;
--cluster-signing- * specified certificate and private key used to sign the certificate and private key file created for BootStrap TLS;
--root-CA-kube-apiserver file used to verify the certificate, after specified, the container will be in the Pod ServiceAccount placed in the CA certificate file;
--address value must be 127.0.0.1, because the current kube-apiserver expectations scheduler and controller-manager on the same machine
when deploying master cluster composed of multiple machines --leader-elect = true elected kube-controller-manager process in a working state
start up
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
verification
kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused
controller-manager Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
Configuring kube-scheduler
Creating kube-scheduler.service
/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler Plugin
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/config
ExecStart=/usr/local/bin/kube-scheduler \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
--leader-elect=true \
--address=127.0.0.1
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
start up
systemctl daemon-reload
systemctl start kube-scheduler
verification
kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
kubectl get cs (上面命令的简写)
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}