• K8S入门系列之集群二进制部署--> master篇(二)


    组件版本和配置策略

    组件版本

    主要配置策略

    • kube-apiserver:
      使用 keepalived 和 haproxy 实现 3 节点高可用;
      关闭非安全端口 8080 和匿名访问;
      在安全端口 6443 接收 https 请求;
      严格的认证和授权策略 (x509、token、RBAC);
      开启 bootstrap token 认证,支持 kubelet TLS bootstrapping;
      使用 https 访问 kubelet、etcd,加密通信;

    • kube-controller-manager:
      3 节点高可用;主备备
      关闭非安全端口,在安全端口 10252 接收 https 请求;
      使用 kubeconfig 访问 apiserver 的安全端口;
      自动 approve kubelet 证书签名请求 (CSR),证书过期后自动轮转;
      各 controller 使用自己的 ServiceAccount 访问 apiserver;

    • kube-scheduler:
      3 节点高可用;主备备
      使用 kubeconfig 访问 apiserver 的安全端口;

    • kubelet:
      使用 kubeadm 动态创建 bootstrap token,也可以在 apiserver 中静态配置;
      使用 TLS bootstrap 机制自动生成 client 和 server 证书,过期后自动轮转;
      在 KubeletConfiguration 类型的 JSON 文件配置主要参数;
      关闭只读端口,在安全端口 10250 接收 https 请求,对请求进行认证和授权,拒绝匿名访问和非授权访问;
      使用 kubeconfig 访问 apiserver 的安全端口;

    • kube-proxy:
      使用 kubeconfig 访问 apiserver 的安全端口;
      在 KubeProxyConfiguration 类型的 JSON 文件配置主要参数;
      使用 ipvs 代理模式;

    • 集群插件:

    1. 系统初始化

    1.01 系统环境&&基本环境配置

    [root@localhost ~]# uname -a
    Linux localhost.localdomain 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    [root@localhost ~]# cat /etc/redhat-release 
    CentOS Linux release 8.0.1905 (Core) 
    

    1.02 修改各个节点的对应hostname, 并分别写入/etc/hosts

    hostnamectl set-hostname k8s-master01
    ...
    # 写入hosts--> 注意是 >> 表示不改变原有内容追加!
    cat>> /etc/hosts <<EOF
    
    192.168.2.201 k8s-master01
    192.168.2.202 k8s-master02
    192.168.2.203 k8s-master03
    192.168.2.11 k8s-node01
    192.168.2.12 k8s-node02
    EOF
    

    1.03 安装依赖包和常用工具

    yum install wget vim yum-utils net-tools tar chrony curl jq ipvsadm ipset conntrack iptables sysstat libseccomp -y
    

    1.04 所有节点关闭firewalld, dnsmasq, selinux以及swap

    # 关闭防火墙并清空防火墙规则
    systemctl disable firewalld && systemctl stop firewalld && systemctl status firewalld
    iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
    iptables -P FORWARD ACCEP
    
    # 关闭dnsmasq否则可能导致docker容器无法解析域名!(centos8不存在!)
    systemctl disable --now dnsmasq 
    
    # 关闭selinux  --->selinux=disabled 需重启生效!
    setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
    
    # 关闭swap --->注释掉swap那一行, 需重启生效!
    swapoff -a && sed -i '/ swap / s/^(.*)$/# 1/g' /etc/fstab
    

    1.05 所有节点设置时间同步

    timedatectl set-timezone Asia/Shanghai
    timedatectl set-local-rtc 0
    
    yum install chrony -y
    systemctl enable chronyd && systemctl start chronyd && systemctl status chronyd
    

    1.06 调整内核参数, k8s必备参数!

    # 先加载模块
    modprobe br_netfilter
    
    cat> kubernetes.conf <<EOF
    net.bridge.bridge-nf-call-iptables=1
    net.bridge.bridge-nf-call-ip6tables=1
    net.ipv6.conf.all.disable_ipv6=1
    net.netfilter.nf_conntrack_max = 6553500
    net.nf_conntrack_max = 6553500
    net.ipv4.tcp_max_tw_buckets = 4096
    EOF
    
    • net.bridge.bridge-nf-call-iptables=1 二层的网桥在转发包时也会被iptables的FORWARD规则所过滤
    • net.ipv6.conf.all.disable_ipv6=1 禁用整个系统所有的ipv6接口, 预防触发docker的bug
    • net.netfilter.nf_conntrack_max 这个默认值是65535,当服务器上的连接超过这个数的时候,系统会将数据包丢掉,直到小于这个值或达到过期时间net.netfilter.nf_conntrack_tcp_timeout_established,默认值432000,5天。期间的数据包都会丢掉。
    • net.ipv4.tcp_max_tw_buckets 这个默认值18000,服务器TIME-WAIT状态套接字的数量限制,如果超过这个数量, 新来的TIME-WAIT套接字会直接释放。过多的TIME-WAIT影响服务器性能,根据服务自行设置.
    cp kubernetes.conf  /etc/sysctl.d/kubernetes.conf
    sysctl -p /etc/sysctl.d/kubernetes.conf
    

    1.07 所有节点创建k8s工作目录并设置环境变量!

    # 在每台机器上创建目录:
    mkdir -p /opt/k8s/{bin,cert,script,kube-apiserver,kube-controller-manager,kube-scheduler,kubelet,kube-proxy}
    mkdir -p /opt/etcd/{bin,cert}
    mkdir -p /opt/lib/etcd
    mkdir -p /opt/flanneld/{bin,cert}
    mkdir -p /root/.kube
    mkdir -p /var/log/kubernetes
    
    # 在每台机器上添加环境变量:
    sh -c "echo 'PATH=/opt/k8s/bin:/opt/etcd/bin:/opt/flanneld/bin:$PATH:$HOME/bin:$JAVA_HOME/bin' >> /etc/profile.d/k8s.sh"
    
    source /etc/profile.d/k8s.sh
    

    1.08 无密码 ssh 登录其它节点(为了部署方便!!!)

    生成秘钥对

    [root@k8s-master01 ~]# ssh-keygen
    

    将自己的公钥发给其他服务器

    [root@k8s-master01 ~]# ssh-copy-id root@k8s-master01
    [root@k8s-master01 ~]# ssh-copy-id root@k8s-master02
    [root@k8s-master01 ~]# ssh-copy-id root@k8s-master03
    

    2. 创建CA根证书和密钥

    • 为确保安全, kubernetes 系统各组件需要使用 x509 证书对通信进行加密和认证。
    • CA (Certificate Authority) 是自签名的根证书,用来签名后续创建的其它证书。

    2.01 安装cfssl工具集

    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    [root@k8s-master01 ~]# mv cfssl_linux-amd64 /opt/k8s/bin/cfssl
    
    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    [root@k8s-master01 ~]# mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson
    
    [root@k8s-master01 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    [root@k8s-master01 ~]# mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
    
    chmod +x /opt/k8s/bin/*
    

    2.02 创建根证书CA

    • CA 证书是集群所有节点共享的,只需要创建一个CA证书,后续创建的所有证书都由它签名。

    2.02.01 创建配置文件

    • CA 配置文件用于配置根证书的使用场景 (profile) 和具体参数 (usage,过期时间、服务端认证、客户端认证、加密等),后续在签名其它证书时需要指定特定场景。
    [root@k8s-master01 ~]# cd /opt/k8s/cert/
    
    [root@k8s-master01 cert]# cat> ca-config.json <<EOF
    {
        "signing": {
            "default": {
                "expiry": "876000h"
            },
            "profiles": {
                "kubernetes": {
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ],
                    "expiry": "876000h"
                }
            }
        }
    }
    EOF
    
    • signing :表示该证书可用于签名其它证书,生成的 ca.pem 证书中CA=TRUE;
    • server auth :表示 client 可以用该该证书对 server 提供的证书进行验证;
    • client auth :表示 server 可以用该该证书对 client 提供的证书进行验证;

    2.02.02 创建证书签名请求文件

    [root@k8s-master01 cert]# cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "BeiJing",
                "L": "BeiJing",
                "O": "k8s",
                "OU": "steams"
            }
        ]
    }
    EOF
    
    • CN: Common Name ,kube-apiserver 从证书中提取该字段作为请求的用户名(User Name),浏览器使用该字段验证网站是否合法;
    • O: Organization ,kube-apiserver 从证书中提取该字段作为请求用户所属的组(Group);
    • kube-apiserver 将提取的 User、Group 作为 RBAC 授权的用户标识;

    2.02.03 生成CA证书和密钥

    [root@k8s-master01 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    
    # 查看是否生成!
    [root@k8s-master01 cert]# ls
    ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
    

    2.02.04 分发证书文件

    • 简单脚本, 注意传参! 后期想写整合脚本的话可以拿来用!
    • 将生成的 CA 证书、秘钥文件、配置文件拷贝到所有节点的/opt/k8s/cert 目录下:
    [root@k8s-master01 cert]# vi /opt/k8s/script/scp_k8s_cacert.sh 
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /opt/k8s/cert/ca*.pem /opt/k8s/cert/ca-config.json root@${master_ip}:/opt/k8s/cert
    done
    
    [root@k8s-master01 cert]# bash /opt/k8s/script/scp_k8s_cacert.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    3. 部署etcd集群

    • etcd 是基于Raft的分布式key-value存储系统,由CoreOS开发,常用于服务发现、共享配置以及并发控制(如leader选举、分布式锁等)
    • kubernetes 使用 etcd 存储所有运行数据。所以部署三节点高可用!

    3.01 下载二进制文件

    [root@k8s-master01 ~]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.17/etcd-v3.3.17-linux-amd64.tar.gz
    [root@k8s-master01 ~]# tar -xvf etcd-v3.3.17-linux-amd64.tar.gz 
    

    3.02 创建etcd证书和密钥

    • etcd集群要与k8s-->apiserver通信, 所以需要用证书签名验证!

    3.02.01 创建证书签名请求

    [root@k8s-master01 cert]# cat > /opt/etcd/cert/etcd-csr.json <<EOF
    {
        "CN": "etcd",
        "hosts": [
            "127.0.0.1",
            "192.168.2.201",
            "192.168.2.202",
            "192.168.2.203"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "BeiJing",
                "L": "BeiJing",
                "O": "k8s",
                "OU": "steams"
            }
        ]
    }
    EOF
    
    • hosts 字段指定授权使用该证书的 etcd 节点 IP 或域名列表,这里将 etcd 集群的三个节点 IP 都列在其中

    3.02.02 生成证书和私钥

    [root@k8s-master01 ~]# cfssl gencert -ca=/opt/k8s/cert/ca.pem -ca-key=/opt/k8s/cert/ca-key.pem -config=/opt/k8s/cert/ca-config.json -profile=kubernetes /opt/etcd/cert/etcd-csr.json | cfssljson -bare /opt/etcd/cert/etcd
    
    # 查看是否生成!
    [root@k8s-master01 ~]# ls /opt/etcd/cert/*
    etcd.csr       etcd-csr.json  etcd-key.pem   etcd.pem  
    

    3.02.03 分发生成的证书, 私钥和etcd安装文件到各etcd节点

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_etcd.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            scp /root/etcd-v3.3.17-linux-amd64/etcd* root@${master_ip}:/opt/etcd/bin
            ssh root@${master_ip} "chmod +x /opt/etcd/bin/*"
            scp /opt/etcd/cert/etcd*.pem root@${master_ip}:/opt/etcd/cert/
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_etcd.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    3.03 创建etcd的systemd unit模板及etcd配置文件

    创建etcd的systemd unit模板

    [root@k8s-master01 ~]# vi /opt/etcd/etcd.service.template
    
    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target
    Documentation=https://github.com/coreos
    
    [Service]
    User=root
    Type=notify
    WorkingDirectory=/opt/lib/etcd/
    ExecStart=/opt/etcd/bin/etcd 
        --data-dir=/opt/lib/etcd 
        --name ##ETCD_NAME## 
        --cert-file=/opt/etcd/cert/etcd.pem 
        --key-file=/opt/etcd/cert/etcd-key.pem 
        --trusted-ca-file=/opt/k8s/cert/ca.pem 
        --peer-cert-file=/opt/etcd/cert/etcd.pem 
        --peer-key-file=/opt/etcd/cert/etcd-key.pem 
        --peer-trusted-ca-file=/opt/k8s/cert/ca.pem 
        --peer-client-cert-auth 
        --client-cert-auth 
        --listen-peer-urls=https://##MASTER_IP##:2380 
        --initial-advertise-peer-urls=https://##MASTER_IP##:2380 
        --listen-client-urls=https://##MASTER_IP##:2379,http://127.0.0.1:2379 
        --advertise-client-urls=https://##MASTER_IP##:2379 
        --initial-cluster-token=etcd-cluster-0    
        --initial-cluster=etcd0=https://192.168.2.201:2380,etcd1=https://192.168.2.202:2380,etcd2=https://192.168.2.203:2380 
        --initial-cluster-state=new    
    Restart=on-failure
    RestartSec=5
    LimitNOFILE=65536
    [Install]
    WantedBy=multi-user.target
    
    • 本示例用脚本替换变量-->##ETCD_NAME##, ##MASTER_IP##
    • WorkingDirectory 、 --data-dir:指定工作目录和数据目录为/opt/lib/etcd ,需在启动服务前创建这个目录;
    • --name :指定各个节点名称,当 --initial-cluster-state 值为new时, --name的参数值必须位于--initial-cluster 列表中;
    • --cert-file 、 --key-file:etcd server 与 client 通信时使用的证书和私钥;
    • --trusted-ca-file:签名 client 证书的 CA 证书,用于验证 client 证书;
    • --peer-cert-file 、 --peer-key-file:etcd 与 peer 通信使用的证书和私钥;
    • --peer-trusted-ca-file:签名 peer 证书的 CA 证书,用于验证 peer 证书;

    3.04 为各节点创建和分发etcd systemd unit文件

    [root@k8s-master01 ~]# vi /opt/k8s/script/etcd_service.sh
    
    ETCD_NAMES=("etcd0" "etcd1" "etcd2")
    MASTER_IPS=("$1" "$2" "$3")
    #替换模板文件中的变量,为各节点创建systemd unit文件
    for (( i=0; i < 3; i++ ));do
            sed -e "s/##ETCD_NAME##/${ETCD_NAMES[i]}/g" -e "s/##MASTER_IP##/${MASTER_IPS[i]}/g" /opt/etcd/etcd.service.template > /opt/etcd/etcd-${MASTER_IPS[i]}.service
    done
    #分发生成的systemd unit和etcd的配置文件:
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            scp /opt/etcd/etcd-${master_ip}.service root@${master_ip}:/etc/systemd/system/etcd.service
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/etcd_service.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    3.05 启动etcd服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/etcd.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    #启动 etcd 服务
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            ssh root@${master_ip} "systemctl daemon-reload && systemctl enable etcd && systemctl start etcd"
    done
    #检查启动结果,确保状态为 active (running)
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            ssh root@${master_ip} "systemctl status etcd|grep Active"
    done
    #验证服务状态,输出均为healthy 时表示集群服务正常
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            ETCDCTL_API=3 /opt/etcd/bin/etcdctl 
                --endpoints=https://${master_ip}:2379 
                --cacert=/opt/k8s/cert/ca.pem 
                --cert=/opt/etcd/cert/etcd.pem 
                --key=/opt/etcd/cert/etcd-key.pem endpoint health
    done 
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/etcd.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    4. 部署flannel网络

    • kubernetes要求集群内各节点(包括master节点)能通过Pod网段互联互通。flannel使用vxlan技术为各节点创建一个可以互通的Pod网络,使用的端口为UDP 8472,需要开放该端口(如公有云 AWS 等)。
    • flannel第一次启动时,从etcd获取Pod网段信息,为本节点分配一个未使用的 /24段地址,然后创建 flannel.1(也可能是其它名称) 接口。
    • flannel将分配的Pod网段信息写入/run/flannel/docker文件,docker后续使用这个文件中的环境变量设置docker0网桥。

    4.01 下载flannel二进制文件

    [root@k8s-master01 ~]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
    [root@k8s-master01 ~]# mkdir flanneld
    [root@k8s-master01 ~]# tar -xvf flannel-v0.11.0-linux-amd64.tar.gz -C flanneld
    

    4.02 创建flannel证书和密钥

    • flannel从etcd集群存取网段分配信息,而etcd集群启用了双向x509证书认证,所以需要flanneld 生成证书和私钥。

    4.02.01 创建证书签名请求

    [root@k8s-master01 ~]# cat > /opt/flanneld/cert/flanneld-csr.json <<EOF
    {
        "CN": "flanneld",
        "hosts": [],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "BeiJing",
                "L": "BeiJing",
                "O": "k8s",
                "OU": "steams"
            }
        ]
    }
    EOF
    
    • 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;

    4.02.02 生成证书和密钥

    [root@k8s-master01 ~]# cfssl gencert -ca=/opt/k8s/cert/ca.pem -ca-key=/opt/k8s/cert/ca-key.pem -config=/opt/k8s/cert/ca-config.json -profile=kubernetes /opt/flanneld/cert/flanneld-csr.json | cfssljson -bare /opt/flanneld/cert/flanneld
    
    [root@k8s-master01 ~]# ll /opt/flanneld/cert/flanneld*
    flanneld.csr       flanneld-csr.json  flanneld-key.pem   flanneld.pem   
    

    4.02.03 将flanneld二进制文件和生成的证书和私钥分发到所有节点(包含node节点!)

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_flanneld.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /root/flanneld/flanneld /root/flanneld/mk-docker-opts.sh root@${master_ip}:/opt/flanneld/bin/
        ssh root@${master_ip} "chmod +x /opt/flanneld/bin/*"
        scp /opt/flanneld/cert/flanneld*.pem root@${master_ip}:/opt/flanneld/cert
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_flanneld.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    4.03 向etcd 写入集群Pod网段信息

    • flanneld当前版本(v0.11.0)不支持etcd v3,故需使用etcd v2 API写入配置key和网段数据;
    • 特别注意etcd版本匹配!!!

    向etcd 写入集群Pod网段信息(一个节点操作就可以了!)

    [root@k8s-master01 ~]# ETCDCTL_API=2 etcdctl 
    --endpoints="https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379" 
    --ca-file=/opt/k8s/cert/ca.pem 
    --cert-file=/opt/flanneld/cert/flanneld.pem 
    --key-file=/opt/flanneld/cert/flanneld-key.pem 
    set /atomic.io/network/config '{"Network":"10.30.0.0/16","SubnetLen": 24, "Backend": {"Type": "vxlan"}}'
    
    # 返回如下信息(写入的Pod网段"Network"必须是/16 段地址,必须与kube-controller-manager的--cluster-cidr参数值一致) 
    {"Network":"10.30.0.0/16","SubnetLen": 24, "Backend": {"Type": "vxlan"}}
    

    4.04 创建flanneld的systemd unit文件

    [root@k8s-master01 ~]# vi /opt/flanneld/flanneld.service.template
    
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network.target
    After=network-online.target
    Wants=network-online.target
    After=etcd.service
    Before=docker.service
    
    [Service]
    Type=notify
    ExecStart=/opt/flanneld/bin/flanneld 
    -etcd-cafile=/opt/k8s/cert/ca.pem 
    -etcd-certfile=/opt/flanneld/cert/flanneld.pem 
    -etcd-keyfile=/opt/flanneld/cert/flanneld-key.pem 
    -etcd-endpoints=https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379 
    -etcd-prefix=/atomic.io/network 
    -iface=eth0
    ExecStartPost=/opt/flanneld/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    RequiredBy=docker.service
    
    • mk-docker-opts.sh脚本将分配给flanneld的Pod子网网段信息写入/run/flannel/docker文件,后续docker启动时使用这个文件中的环境变量配置docker0 网桥;
    • flanneld使用系统缺省路由所在的接口与其它节点通信,对于有多个网络接口(如内网和公网)的节点,可以用-iface参数指定通信接口,如上面的eth1接口;
    • flanneld 运行时需要 root 权限;

    4.05 分发flanneld systemd unit文件到所有节点,启动并检查flanneld服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/flanneld_service.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
     #分发 flanneld systemd unit 文件到所有节点
        scp /opt/flanneld/flanneld.service.template root@${master_ip}:/etc/systemd/system/flanneld.service
     #启动 flanneld 服务
        ssh root@${master_ip} "systemctl daemon-reload && systemctl enable flanneld && systemctl restart flanneld"
     #检查启动结果
        ssh root@${master_ip} "systemctl status flanneld|grep Active"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/flanneld_service.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    4.06 检查分配给各 flanneld 的 Pod 网段信息

    # 查看集群 Pod 网段(/16)
    [root@k8s-master01 ~]# ETCDCTL_API=2 etcdctl 
    --endpoints="https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379" 
    --ca-file=/opt/k8s/cert/ca.pem 
    --cert-file=/opt/flanneld/cert/flanneld.pem 
    --key-file=/opt/flanneld/cert/flanneld-key.pem 
    get /atomic.io/network/config
    # 输出:
    {"Network":"10.30.0.0/16","SubnetLen": 24, "Backend": {"Type": "vxlan"}}
    
    # 查看已分配的 Pod 子网段列表(/24)
    [root@k8s-master01 ~]# ETCDCTL_API=2 etcdctl 
    --endpoints="https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379" 
    --ca-file=/opt/k8s/cert/ca.pem 
    --cert-file=/opt/flanneld/cert/flanneld.pem 
    --key-file=/opt/flanneld/cert/flanneld-key.pem 
    ls /atomic.io/network/subnets
    # 输出:
    /atomic.io/network/subnets/10.30.34.0-24
    /atomic.io/network/subnets/10.30.41.0-24
    /atomic.io/network/subnets/10.30.7.0-24
    
    # 查看某一 Pod 网段对应的节点 IP 和 flannel 接口地址
    [root@k8s-master01 ~]# ETCDCTL_API=2 etcdctl 
    --endpoints="https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379" 
    --ca-file=/opt/k8s/cert/ca.pem 
    --cert-file=/opt/flanneld/cert/flanneld.pem 
    --key-file=/opt/flanneld/cert/flanneld-key.pem 
    get /atomic.io/network/subnets/10.30.34.0-24
    # 输出:
    {"PublicIP":"192.168.2.202","BackendType":"vxlan","BackendData":{"VtepMAC":"e6:b2:85:07:9f:c0"}}
    
    # 验证各节点能通过 Pod 网段互通, 注意输出的pod网段!
    [root@k8s-master01 ~]# vi /opt/k8s/script/ping_flanneld.sh
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
     #在各节点上部署 flannel 后,检查是否创建了 flannel 接口(名称可能为 flannel0、flannel.0、flannel.1 等)
        ssh ${master_ip} "/usr/sbin/ip addr show flannel.1|grep -w inet"
     #在各节点上 ping 所有 flannel 接口 IP,确保能通
        ssh ${master_ip} "ping -c 1 10.30.34.0"
        ssh ${master_ip} "ping -c 1 10.30.41.0"
        ssh ${master_ip} "ping -c 1 10.30.7.0"
    done
    # 运行!
    [root@k8s-master01 ~]# bash /opt/k8s/script/ping_flanneld.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    5. 部署kubectl命令行工具

    • kubectl 是 kubernetes 集群的命令行管理工具
    • kubectl 默认从 ~/.kube/config 文件读取 kube-apiserver 地址、证书、用户名等信息,如果没有配置,执行 kubectl 命令时可能会出错:
    • 本文档只需要部署一次,生成的 kubeconfig 文件与机器无关。

    5.01 下载kubectl二进制文件, 并分发所有节点(包含node!)

    • kubernetes-server-linux-amd64.tar.gz包含所有组件!
    [root@k8s-master01 ~]# wget https://dl.k8s.io/v1.16.2/kubernetes-server-linux-amd64.tar.gz
    
    [root@k8s-master01 ~]# tar -zxvf kubernetes-server-linux-amd64.tar.gz
    
    [root@k8s-master01 ~]# vi /opt/k8s/script/kubectl_environment.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /root/kubernetes/server/bin/kubectl root@${master_ip}:/opt/k8s/bin/
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/kubectl_environment.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    5.02 创建 admin 证书和私钥

    • kubectl 与 apiserver https 安全端口通信,apiserver 对提供的证书进行认证和授权。
    • kubectl 作为集群的管理工具,需要被授予最高权限。这里创建具有最高权限的admin 证书。

    创建证书签名请求

    [root@k8s-master01 ~]# cat > /opt/k8s/cert/admin-csr.json <<EOF
    {
        "CN": "admin",
        "hosts": [],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "BeiJing",
                "L": "BeiJing",
                "O": "system:masters",
                "OU": "steams"
            }
        ]
    }
    EOF
    
    • O 为 system:masters ,kube-apiserver 收到该证书后将请求的 Group 设置为system:masters;
    • 预定义的 ClusterRoleBinding cluster-admin 将 Group system:masters 与Role cluster-admin 绑定,该 Role 授予所有 API的权限;
    • 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;

    生成证书和私钥

    [root@k8s-master01 ~]# cfssl gencert -ca=/opt/k8s/cert/ca.pem 
    -ca-key=/opt/k8s/cert/ca-key.pem 
    -config=/opt/k8s/cert/ca-config.json 
    -profile=kubernetes /opt/k8s/cert/admin-csr.json | cfssljson -bare /opt/k8s/cert/admin
    
    [root@k8s-master01 ~]# ll /opt/k8s/cert/admin*
    admin.csr       admin-csr.json  admin-key.pem   admin.pem  
    

    5.03 创建和分发 kubeconfig 文件

    5.03.01 创建kubeconfig文件

    • kubeconfig 为 kubectl 的配置文件,包含访问 apiserver 的所有信息,如 apiserver 地址、CA 证书和自身使用的证书;

    step.1 设置集群参数, --server=${KUBE_APISERVER}, 指定IP和端口; 本文使用的是haproxy的VIP和端口;如果没有haproxy代理,就用实际服务的IP和端口!

    [root@k8s-master01 ~]# kubectl config set-cluster kubernetes 
    --certificate-authority=/opt/k8s/cert/ca.pem 
    --embed-certs=true 
    --server=https://192.168.2.210:8443 
    --kubeconfig=/root/.kube/kubectl.kubeconfig
    

    step.2 设置客户端认证参数

    [root@k8s-master01 ~]# kubectl config set-credentials kube-admin 
    --client-certificate=/opt/k8s/cert/admin.pem 
    --client-key=/opt/k8s/cert/admin-key.pem 
    --embed-certs=true 
    --kubeconfig=/root/.kube/kubectl.kubeconfig
    

    step.3 设置上下文参数

    [root@k8s-master01 ~]#  kubectl config set-context kube-admin@kubernetes 
    --cluster=kubernetes 
    --user=kube-admin 
    --kubeconfig=/root/.kube/kubectl.kubeconfig
    

    step.4设置默认上下文

    [root@k8s-master01 ~]# kubectl config use-context kube-admin@kubernetes --kubeconfig=/root/.kube/kubectl.kubeconfig
    

    --certificate-authority :验证 kube-apiserver 证书的根证书;
    --client-certificate 、 --client-key :刚生成的 admin 证书和私钥,连接 kube-apiserver 时使用;
    --embed-certs=true :将 ca.pem 和 admin.pem 证书内容嵌入到生成的kubectl.kubeconfig 文件中(不加时,写入的是证书文件路径);

    5.03.02 验证kubeconfig文件

    [root@k8s-master01 ~]# kubectl config view --kubeconfig=/root/.kube/kubectl.kubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.2.210:8443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kube-admin
      name: kube-admin@kubernetes
    current-context: kube-admin@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: kube-admin
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    

    5.03.03 分发 kubeclt 和kubeconfig 文件,分发到所有使用kubectl 命令的节点

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_kubectl_config.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /root/kubernetes/server/bin/kubectl root@${master_ip}:/opt/k8s/bin/
        ssh root@${master_ip} "chmod +x /opt/k8s/bin/*"
        scp /root/.kube/kubectl.kubeconfig root@${master_ip}:/root/.kube/config
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_kubectl_config.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6. 部署master节点

    • kubernetes master 节点运行如下组件:
      kube-apiserver
      kube-scheduler
      kube-controller-manager

    • kube-scheduler 和 kube-controller-manager 可以以集群模式运行,通过 leader 选举产生一个工作进程,其它进程处于阻塞模式。

    • 对于 kube-apiserver,可以运行多个实例, 但对其它组件需要提供统一的访问地址,该地址需要高可用。本文档使用 keepalived 和 haproxy 实现 kube-apiserver VIP 高可用和负载均衡。

    • 因为对master做了keepalived高可用,所以3台服务器都有可能会升成master服务器(主master宕机,会有从升级为主);因此所有的master操作,在3个服务器上都要进行。

    下载最新版本的二进制文件, 想办法!!!

    [root@k8s-master01 ~]# wget https://dl.k8s.io/v1.16.2/kubernetes-server-linux-amd64.tar.gz
    
    [root@k8s-master01 ~]# wget https://dl.k8s.io/v1.16.2/kubernetes-server-linux-amd64.tar.gz
    

    将二进制文件拷贝到所有 master 节点

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_master.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /root/kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler} root@${master_ip}:/opt/k8s/bin/
        ssh root@${master_ip} "chmod +x /opt/k8s/bin/*"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_master.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.01 部署高可用组件

    • 本文档讲解使用 keepalived 和 haproxy 实现 kube-apiserver 高可用的步骤:
      keepalived 提供 kube-apiserver 对外服务的 VIP;
      haproxy 监听 VIP,后端连接所有 kube-apiserver 实例,提供健康检查和负载均衡功能;
    • 运行 keepalived 和 haproxy 的节点称为 LB 节点。由于 keepalived 是一主多备运行模式,故至少两个 LB 节点。
    • 本文档复用 master 节点的三台机器,haproxy 监听的端口(8443) 需要与 kube-apiserver的端口 6443 不同,避免冲突。
    • keepalived 在运行过程中周期检查本机的 haproxy 进程状态,如果检测到 haproxy 进程异常,则触发重新选主的过程,VIP 将飘移到新选出来的主节点,从而实现 VIP 的高可用。
    • 所有组件(如 kubeclt、apiserver、controller-manager、scheduler 等)都通过 VIP 和haproxy 监听的 8443 端口访问 kube-apiserver 服务。

    6.01.01 安装软件包,配置haproxy 配置文件

    [root@k8s-master01 ~]# yum install keepalived haproxy -y
    
    [root@k8s-master01 ~]# vi /etc/haproxy/haproxy.cfg 
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy-admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        nbproc 1
    defaults
        log global
        timeout connect 5000
        timeout client 10m
        timeout server 10m
    listen admin_stats
        bind 0.0.0.0:10080
        mode http
        log 127.0.0.1 local0 err
        stats refresh 30s
        stats uri /status
        stats realm welcome login Haproxy
        stats auth haproxy:123456
        stats hide-version
        stats admin if TRUE
    listen k8s-master
        bind 0.0.0.0:8443
        mode tcp
        option tcplog
        balance source
        server 192.168.2.201 192.168.2.201:6443 check inter 2000 fall 2 rise 2 weight 1
        server 192.168.2.202 192.168.2.202:6443 check inter 2000 fall 2 rise 2 weight 1
        server 192.168.2.203 192.168.2.203:6443 check inter 2000 fall 2 rise 2 weight 1
    
    • haproxy 在 10080 端口输出 status 信息;
    • haproxy 监听所有接口的 8443 端口,该端口与环境变量 ${KUBE_APISERVER} 指定的端口必须一致;
    • server 字段列出所有kube-apiserver监听的 IP 和端口;

    6.01.02 在其他服务器安装、下发haproxy 配置文件;并启动检查haproxy服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/haproxy.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
     #安装haproxy
        ssh root@${master_ip} "yum install -y keepalived haproxy"
     #下发配置文件
        scp /etc/haproxy/haproxy.cfg root@${master_ip}:/etc/haproxy
     #启动检查haproxy服务
        ssh root@${master_ip} "systemctl restart haproxy"
        ssh root@${master_ip} "systemctl enable haproxy.service"
        ssh root@${master_ip} "systemctl status haproxy|grep Active"
     #检查 haproxy 是否监听6443 端口
        ssh root@${master_ip} "netstat -lnpt|grep haproxy"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/haproxy.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    输出类似:

    Active: active (running) since Tue 2019-11-12 01:54:41 CST; 543ms ago
    tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      4995/haproxy        
    tcp        0      0 0.0.0.0:10080           0.0.0.0:*               LISTEN      4995/haproxy   
    

    6.01.03 配置和启动 keepalived 服务

    • keepalived 是一主(master)多备(backup)运行模式,故有两种类型的配置文件。
    • master 配置文件只有一份,backup 配置文件视节点数目而定,对于本文档而言,规划如下:
      master: 192.168.2.201
      backup:192.168.2.202、192.168.2.203

    在192.168.2.201 master主服务;配置文件:

    [root@k8s-master01 ~]# vim /etc/keepalived/keepalived.conf
    
    global_defs {
        router_id keepalived_ha_121
    }
    vrrp_script check-haproxy {
        script "killall -0 haproxy"
        interval 5
        weight -30
    }
    vrrp_instance VI-k8s-master {
        state MASTER
        priority 120    # 第一台从为110, 以此类推!
        dont_track_primary
        interface eth0
        virtual_router_id 121
        advert_int 3
        track_script {
            check-haproxy
        }
        virtual_ipaddress {
            192.168.2.210
        }
    }
    
    • 我的VIP 所在的接口nterface 为 eth0;根据自己的情况改变
    • 使用 killall -0 haproxy 命令检查所在节点的 haproxy 进程是否正常。如果异常则将权重减少(-30),从而触发重新选主过程;
    • router_id、virtual_router_id 用于标识属于该 HA 的 keepalived 实例,如果有多套keepalived HA,则必须各不相同;

    在192.168.2.202, 192.168.2.203两台backup 服务;配置文件:

    [root@k8s-master02 ~]# vi /etc/keepalived/keepalived.conf
    
    global_defs {
            router_id keepalived_ha_122_123
    }
    vrrp_script check-haproxy {
            script "killall -0 haproxy"
            interval 5
            weight -30
    }
    vrrp_instance VI-k8s-master {
            state BACKUP
            priority 110   # 第2台从为100
            dont_track_primary
            interface eth0
            virtual_router_id 121
            advert_int 3
            track_script {
            check-haproxy
            }
            virtual_ipaddress {
                192.168.2.210
            }
    }
    
    • priority 的值必须小于 master 的值;两个从的值也需要不一样;

    开启keepalived 服务

    [root@k8s-master01 ~]# systemctl restart keepalived && systemctl enable keepalived && systemctl status keepalived
    
    [root@k8s-master01 ~]# ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:15:5d:00:68:05 brd ff:ff:ff:ff:ff:ff
        inet 192.168.2.101/24 brd 192.168.2.255 scope global noprefixroute eth0
           valid_lft forever preferred_lft forever
        inet 192.168.2.10/32 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::f726:9d22:2b89:694c/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
    3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
        link/ether aa:43:e5:bb:88:28 brd ff:ff:ff:ff:ff:ff
        inet 10.30.34.0/32 scope global flannel.1
           valid_lft forever preferred_lft forever
        inet6 fe80::a843:e5ff:febb:8828/64 scope link 
           valid_lft forever preferred_lft forever
    
    • 在master主服务器上能看到eth0网卡上已经有VIP的IP地址存在

    6.01.04 查看 haproxy 状态页面

    • 浏览器访问 192.168.2.210:10080/status 地址

    6.02 部署 kube-apiserver 组件

    下载二进制文件

    • kubernetes_server 包里有, 已经解压到/opt/k8s/bin下

    6.02.01 创建 kube-apiserver证书和私钥

    创建证书签名请求(host地址多加几个备用--> "192.168.2.8","192.168.2.9")

    [root@k8s-master01 ~]# cat > /opt/k8s/cert/kube-apiserver-csr.json <<EOF
    {
        "CN": "kubernetes",
        "hosts": [
            "127.0.0.1",
            "10.96.0.1",
            "192.168.2.210",
            "192.168.2.201",
            "192.168.2.202",
            "192.168.2.203",
            "192.168.2.8",
            "192.168.2.9"
            "kubernetes",
            "kubernetes.default",
            "kubernetes.default.svc",
            "kubernetes.default.svc.cluster",
            "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
              "C": "CN",
              "ST": "BeiJing",
              "L": "BeiJing",
              "O": "k8s",
              "OU": "steams"
            }
        ]
    }
    EOF
    
    • hosts 字段指定授权使用该证书的 IP 或域名列表,这里列出了 VIP 、apiserver节点 IP、kubernetes 服务 IP 和域名;
    • 域名最后字符不能是 . (如不能为kubernetes.default.svc.cluster.local. ),否则解析时失败,提示: x509:cannot parse dnsName "kubernetes.default.svc.cluster.local." ;
    • 如果使用非 cluster.local 域名,如 opsnull.com ,则需要修改域名列表中的最后两个域名为: kubernetes.default.svc.opsnull 、 kubernetes.default.svc.opsnull.com
    • kubernetes 服务 IP 是 apiserver 自动创建的,一般是 --service-cluster-ip-range 参数指定的网段的第一个IP,后续可以通过如下命令获取:
      kubectl get svc kubernetes

    生成证书和私钥

    [root@k8s-master01 ~]# cfssl gencert -ca=/opt/k8s/cert/ca.pem 
    -ca-key=/opt/k8s/cert/ca-key.pem 
    -config=/opt/k8s/cert/ca-config.json 
    -profile=kubernetes /opt/k8s/cert/kube-apiserver-csr.json | cfssljson -bare /opt/k8s/cert/kube-apiserver
    
    [root@k8s-master01 ~]# ll /opt/k8s/cert/kube-apiserver*
    kube-apiserver.csr      kube-apiserver-csr.json  kube-apiserver-key.pem  kube-apiserver.pem 
    

    6.02.02 创建加密配置文件

    产生一个用来加密Etcd 的 Key:

    [root@k8s-master01 ~]# head -c 32 /dev/urandom | base64
    # 返回一个key, 每台master节点需要用一样的 Key!!!
    muqIUutYDd5ARLtsg/W1CYWs3g8Fq9uJO/lDpSsv9iw=
    

    使用这个加密的key,创建加密配置文件

    [root@k8s-master01 ~]# vi encryption-config.yaml
    
    kind: EncryptionConfig
    apiVersion: v1
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: muqIUutYDd5ARLtsg/W1CYWs3g8Fq9uJO/lDpSsv9iw=
          - identity: {}
    

    6.02.03 将生成的证书和私钥文件、加密配置文件拷贝到master节点的/opt/k8s目录下

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_apiserver.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo  ">>> ${master_ip}"
        scp /opt/k8s/cert/kube-apiserver*.pem root@${master_ip}:/opt/k8s/cert/
        scp /root/encryption-config.yaml root@${master_ip}:/opt/k8s/
    done 
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_apiserver.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.02.04 创建 kube-apiserver 的 systemd unit 模板文件

    [root@k8s-master01 ~]# vi /opt/k8s/kube-apiserver/kube-apiserver.service.template
    
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target
    
    [Service]
    ExecStart=/opt/k8s/bin/kube-apiserver 
    --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota 
    --anonymous-auth=false 
    --experimental-encryption-provider-config=/opt/k8s/encryption-config.yaml 
    --advertise-address=##MASTER_IP## 
    --bind-address=##MASTER_IP## 
    --insecure-port=0 
    --secure-port=6443 
    --authorization-mode=Node,RBAC 
    --runtime-config=api/all 
    --enable-bootstrap-token-auth 
    --service-cluster-ip-range=10.96.0.0/16 
    --service-node-port-range=30000-50000 
    --tls-cert-file=/opt/k8s/cert/kube-apiserver.pem 
    --tls-private-key-file=/opt/k8s/cert/kube-apiserver-key.pem 
    --client-ca-file=/opt/k8s/cert/ca.pem 
    --kubelet-client-certificate=/opt/k8s/cert/kube-apiserver.pem 
    --kubelet-client-key=/opt/k8s/cert/kube-apiserver-key.pem 
    --service-account-key-file=/opt/k8s/cert/ca-key.pem 
    --etcd-cafile=/opt/k8s/cert/ca.pem 
    --etcd-certfile=/opt/k8s/cert/kube-apiserver.pem 
    --etcd-keyfile=/opt/k8s/cert/kube-apiserver-key.pem 
    --etcd-servers=https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379 
    --enable-swagger-ui=true 
    --allow-privileged=true 
    --apiserver-count=3 
    --audit-log-maxage=30 
    --audit-log-maxbackup=3 
    --audit-log-maxsize=100 
    --audit-log-path=/var/log/kube-apiserver-audit.log 
    --event-ttl=1h 
    --alsologtostderr=true 
    --logtostderr=false 
    --log-dir=/var/log/kubernetes 
    --v=2
    Restart=on-failure
    RestartSec=5
    Type=notify
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    
    • -experimental-encryption-provider-config :启用加密特性;
    • --authorization-mode=Node,RBAC : 开启 Node 和 RBAC 授权模式,拒绝未授权的请求;
    • --enable-admission-plugins :启用 ServiceAccount 和NodeRestriction ;
    • --service-account-key-file :签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file 指定私钥文件,两者配对使用;
    • --tls-*-file :指定 apiserver 使用的证书、私钥和 CA 文件。 --client-ca-file 用于验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书;
    • --kubelet-client-certificate 、 --kubelet-client-key :如果指定,则使用 https 访问 kubelet APIs;需要为证书对应的用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权;
    • --bind-address : 不能为 127.0.0.1 ,否则外界不能访问它的安全端口6443;
    • --insecure-port=0 :关闭监听非安全端口(8080);
    • --service-cluster-ip-range : 指定 Service Cluster IP 地址段;
    • --service-node-port-range : 指定 NodePort 的端口范围;
    • --runtime-config=api/all=true : 启用所有版本的 APIs,如autoscaling/v2alpha1;
    • --enable-bootstrap-token-auth :启用 kubelet bootstrap 的 token 认证;
    • --apiserver-count=3 :指定集群运行模式,多台 kube-apiserver 会通过 leader选举产生一个工作节点,其它节点处于阻塞状态;

    6.02.05 为各master节点创建和分发 kube-apiserver的systemd unit文件; 启动检查 kube-apiserver 服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/apiserver_service.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    #替换模板文件中的变量,为各节点创建 systemd unit 文件
    for (( i=0; i < 3; i++ ));do
        sed "s/##MASTER_IP##/${MASTER_IPS[i]}/" /opt/k8s/kube-apiserver/kube-apiserver.service.template > /opt/k8s/kube-apiserver/kube-apiserver-${MASTER_IPS[i]}.service
    done
    #启动并检查 kube-apiserver 服务
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /opt/k8s/kube-apiserver/kube-apiserver-${master_ip}.service root@${master_ip}:/etc/systemd/system/kube-apiserver.service
        ssh root@${master_ip} "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver"
        ssh root@${master_ip} "systemctl status kube-apiserver |grep 'Active:'"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/apiserver_service.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.02.06 打印 kube-apiserver 写入 etcd 的数据

    [root@k8s-master01 ~]# ETCDCTL_API=3 etcdctl 
    --endpoints="https://192.168.2.201:2379,https://192.168.2.202:2379,https://192.168.2.203:2379" 
    --cacert=/opt/k8s/cert/ca.pem 
    --cert=/opt/etcd/cert/etcd.pem 
    --key=/opt/etcd/cert/etcd-key.pem 
    get /registry/ --prefix --keys-only
    

    6.02.07 检查集群信息

    [root@k8s-master01 ~]# kubectl cluster-info
    Kubernetes master is running at https://192.168.2.210:8443
    
    [root@k8s-master01 ~]# kubectl get all --all-namespaces
    NAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
    default     service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   49m
    
    # 6443: 接收 https 请求的安全端口,对所有请求做认证和授权;
    # 由于关闭了非安全端口,故没有监听 8080;
    [root@k8s-master01 ~]# ss -nutlp |grep apiserver
    tcp    LISTEN   0        128         192.168.2.201:6443           0.0.0.0:*      users:(("kube-apiserver",pid=4425,fd=6)) 
    

    6.03 部署高可用kube-controller-manager 集群

    • 该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。
    • 为保证通信安全,本文档先生成 x509 证书和私钥,kube-controller-manager 在如下两种情况下使用该证书:
      与 kube-apiserver 的安全端口通信时;
      在安全端口(https,10252) 输出 prometheus 格式的 metrics;

    准备工作:下载kube-controller-manager二进制文件(包含在kubernetes-server包里, 已解压发送)

    6.03.01 创建 kube-controller-manager 证书和私钥

    创建证书签名请求:

    [root@k8s-master01 ~]# cat > /opt/k8s/cert/kube-controller-manager-csr.json <<EOF
    {
        "CN": "system:kube-controller-manager",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "hosts": [
            "127.0.0.1",
            "192.168.2.201",
            "192.168.2.202",
            "192.168.2.203"
        ],
        "names": [
            {
                "C": "CN",
                "ST": "BeiJing",
                "L": "BeiJing",
                "O": "system:kube-controller-manager",
                "OU": "steams"
            }
        ]
    }
    EOF
    
    • hosts 列表包含所有 kube-controller-manager 节点 IP;
    • CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager(kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予kube-controller-manager 工作所需的权限.)

    生成证书和私钥

    cfssl gencert -ca=/opt/k8s/cert/ca.pem 
    -ca-key=/opt/k8s/cert/ca-key.pem 
    -config=/opt/k8s/cert/ca-config.json 
    -profile=kubernetes /opt/k8s/cert/kube-controller-manager-csr.json | cfssljson -bare /opt/k8s/cert/kube-controller-manager
    
    [root@k8s-master01 ~]# ll /opt/k8s/cert/kube-controller-manager*
    kube-controller-manager.csr       kube-controller-manager-csr.json  kube-controller-manager-key.pem   kube-controller-manager.pem  
    

    6.03.02 创建.kubeconfig 文件

    • kubeconfig 文件包含访问 apiserver 的所有信息,如 apiserver 地址、CA 证书和自身使用的证书;

    执行命令,生成kube-controller-manager.kubeconfig文件

    # step.1 设置集群参数:
    [root@k8s-master01 ~]# kubectl config set-cluster kubernetes 
    --certificate-authority=/opt/k8s/cert/ca.pem 
    --embed-certs=true 
    --server=https://192.168.2.210:8443 
    --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig
    
    # step.2 设置客户端认证参数
    [root@k8s-master01 ~]# kubectl config set-credentials system:kube-controller-manager 
    --client-certificate=/opt/k8s/cert/kube-controller-manager.pem 
    --client-key=/opt/k8s/cert/kube-controller-manager-key.pem 
    --embed-certs=true 
    --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig
    
    # step.3 设置上下文参数
    [root@k8s-master01 ~]# kubectl config set-context system:kube-controller-manager@kubernetes 
    --cluster=kubernetes 
    --user=system:kube-controller-manager 
    --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig
    
    # tep.4 设置默认上下文
    [root@k8s-master01 ~]# kubectl config use-context system:kube-controller-manager@kubernetes 
    --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig
    

    验证kube-controller-manager.kubeconfig文件

    [root@k8s-master01 ~]# kubectl config view --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.2.210:8443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: system:kube-controller-manager
      name: system:kube-controller-manager@kubernetes
    current-context: system:kube-controller-manager@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: system:kube-controller-manager
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    

    分发生成的证书和私钥、kubeconfig 到所有 master 节点

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_controller_manager.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
        echo ">>> ${master_ip}"
        scp /opt/k8s/cert/kube-controller-manager*.pem root@${master_ip}:/opt/k8s/cert/
        scp /opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig root@${master_ip}:/opt/k8s/kube-controller-manager/
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_controller_manager.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.03.03 创建和分发 kube-controller-manager 的 systemd unit 文件

    [root@k8s-master01 ~]# vi /opt/k8s/kube-controller-manager/kube-controller-manager.service.template
    
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    
    [Service]
    ExecStart=/opt/k8s/bin/kube-controller-manager 
    --port=0 
    --secure-port=10252 
    --bind-address=127.0.0.1 
    --kubeconfig=/opt/k8s/kube-controller-manager/kube-controller-manager.kubeconfig 
    --service-cluster-ip-range=10.96.0.0/16 
    --cluster-name=kubernetes 
    --cluster-signing-cert-file=/opt/k8s/cert/ca.pem 
    --cluster-signing-key-file=/opt/k8s/cert/ca-key.pem 
    --experimental-cluster-signing-duration=876000h 
    --root-ca-file=/opt/k8s/cert/ca.pem 
    --service-account-private-key-file=/opt/k8s/cert/ca-key.pem 
    --leader-elect=true 
    --feature-gates=RotateKubeletServerCertificate=true 
    --controllers=*,bootstrapsigner,tokencleaner 
    --horizontal-pod-autoscaler-use-rest-clients=true 
    --horizontal-pod-autoscaler-sync-period=10s 
    --tls-cert-file=/opt/k8s/cert/kube-controller-manager.pem 
    --tls-private-key-file=/opt/k8s/cert/kube-controller-manager-key.pem 
    --use-service-account-credentials=true 
    --alsologtostderr=true 
    --logtostderr=false 
    --log-dir=/var/log/kubernetes 
    --v=2
    Restart=on
    Restart=on-failure
    RestartSec=5
    
    [Install]
    WantedBy=multi-user.target
    
    • --port=0:关闭监听 http /metrics 的请求,同时 --address 参数无效,--bind-address 参数有效;
    • --secure-port=10252、--bind-address=0.0.0.0: 在所有网络接口监听 10252 端口的 https /metrics 请求;
    • --kubeconfig:指定 kubeconfig 文件路径,kube-controller-manager 使用它连接和验证 kube-apiserver;
    • --cluster-signing-*-file:签名 TLS Bootstrap 创建的证书;
    • --experimental-cluster-signing-duration:指定 TLS Bootstrap 证书的有效期;
    • --root-ca-file:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;
    • --service-account-private-key-file:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file 指定的公钥文件配对使用;
    • --service-cluster-ip-range :指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;
    • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;
    • --feature-gates=RotateKubeletServerCertificate=true:开启 kublet server 证书的自动更新特性;
    • --controllers=*,bootstrapsigner,tokencleaner:启用的控制器列表,tokencleaner 用于自动清理过期的 Bootstrap token;
    • --horizontal-pod-autoscaler-*:custom metrics 相关参数,支持 autoscaling/v2alpha1;
    • --tls-cert-file、--tls-private-key-file:使用 https 输出 metrics 时使用的 Server 证书和秘钥;
    • --use-service-account-credentials=true:

    6.03.04 kube-controller-manager 的权限

    • ClusteRole: system:kube-controller-manager 的权限很小,只能创建 secret、serviceaccount 等资源对象,各 controller 的权限分散到 ClusterRole system:controller:XXX 中。
    • 需要在 kube-controller-manager 的启动参数中添加 --use-service-account-credentials=true 参数,这样 main controller 会为各 controller 创建对应的 ServiceAccount XXX-controller。
    • 内置的 ClusterRoleBinding system:controller:XXX 将赋予各 XXX-controller ServiceAccount 对应的 ClusterRole system:controller:XXX 权限。

    6.03.05 分发systemd unit 文件到所有master 节点;启动检查 kube-controller-manager 服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/controller_manager_service.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            scp /opt/k8s/kube-controller-manager/kube-controller-manager.service.template root@${master_ip}:/etc/systemd/system/kube-controller-manager.service
            ssh root@${master_ip} "systemctl daemon-reload && systemctl enable kube-controller-manager && systemctl start kube-controller-manager "
            ssh root@${master_ip} "systemctl status kube-controller-manager|grep Active"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/controller_manager_service.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.03.6 查看输出的 metric

    [root@k8s-master01 ~]# ss -nutlp |grep kube-controll
    tcp    LISTEN   0        128             127.0.0.1:10252          0.0.0.0:*      users:(("kube-controller",pid=9382,fd=6))  
    

    6.03.07 测试 kube-controller-manager 集群的高可用

    • 停掉一个或两个节点的 kube-controller-manager 服务,观察其它节点的日志,看是否获取了 leader 权限。
    • 查看当前的 leader
    [root@k8s-master02 ~]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
    

    6.04 部署高可用 kube-scheduler 集群

    • 该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。
    • 为保证通信安全,本文档先生成 x509 证书和私钥,kube-scheduler 在如下两种情况下使用该证书:
      与 kube-apiserver 的安全端口通信;
      在安全端口(https,10251) 输出 prometheus 格式的 metrics;

    准备工作:下载kube-scheduler 的二进制文件---^^^

    6.04.01 创建 kube-scheduler 证书和私钥

    创建证书签名请求:

    [root@k8s-master01 ~]# cat > /opt/k8s/cert/kube-scheduler-csr.json <<EOF
    {
        "CN": "system:kube-scheduler",
        "hosts": [
          "127.0.0.1",
          "192.168.2.201",
          "192.168.2.202",
          "192.168.2.203"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
          {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-scheduler",
            "OU": "steams"
          }
        ]
    }
    EOF
    
    • hosts 列表包含所有 kube-scheduler 节点 IP;
    • CN 为 system:kube-scheduler、O 为 system:kube-scheduler (kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限.)

    生成证书和私钥

    [root@k8s-master01 ~]# cfssl gencert -ca=/opt/k8s/cert/ca.pem 
    -ca-key=/opt/k8s/cert/ca-key.pem 
    -config=/opt/k8s/cert/ca-config.json 
    -profile=kubernetes /opt/k8s/cert/kube-scheduler-csr.json | cfssljson -bare /opt/k8s/cert/kube-scheduler
    
    [root@k8s-master01 ~]# ll /opt/k8s/cert/kube-scheduler*
    kube-scheduler.csr       kube-scheduler-csr.json  kube-scheduler-key.pem   kube-scheduler.pem  
    

    6.04.02 创建kubeconfig 文件

    • kubeconfig 文件包含访问 apiserver 的所有信息,如 apiserver 地址、CA 证书和自身使用的证书;

    执行命令,生成kube-scheduler.kubeconfig文件

    # step.1 设置集群参数
    [root@k8s-master01 ~]# kubectl config set-cluster kubernetes 
    --certificate-authority=/opt/k8s/cert/ca.pem 
    --embed-certs=true 
    --server=https://192.168.2.210:8443 
    --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig
    
    # step.2 设置客户端认证参数
    [root@k8s-master01 ~]# kubectl config set-credentials system:kube-scheduler 
    --client-certificate=/opt/k8s/cert/kube-scheduler.pem 
    --client-key=/opt/k8s/cert/kube-scheduler-key.pem 
    --embed-certs=true  
    --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig
    
    # step.3 设置上下文参数
    [root@k8s-master01 ~]# kubectl config set-context system:kube-scheduler@kubernetes 
    --cluster=kubernetes 
    --user=system:kube-scheduler 
    --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig
    
    # step.4设置默认上下文
    [root@k8s-master01 ~]# kubectl config use-context system:kube-scheduler@kubernetes 
    --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig
    

    验证kube-controller-manager.kubeconfig文件

    [root@k8s-master01 ~]# kubectl config view --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://192.168.2.210:8443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: system:kube-scheduler
      name: system:kube-scheduler@kubernetes
    current-context: system:kube-scheduler@kubernetes
    kind: Config
    preferences: {}
    users:
    - name: system:kube-scheduler
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    

    6.04.03 分发生成的证书和私钥、kubeconfig 到所有 master 节点

    [root@k8s-master01 ~]# vi /opt/k8s/script/scp_scheduler.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            scp /opt/k8s/cert/kube-scheduler*.pem root@${master_ip}:/opt/k8s/cert/
            scp /opt/k8s/kube-scheduler/kube-scheduler.kubeconfig root@${master_ip}:/opt/k8s/kube-scheduler/
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scp_scheduler.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.04.04 创建kube-scheduler 的 systemd unit 文件

    [root@k8s-master01 ~]# vi /opt/k8s/kube-scheduler/kube-scheduler.service.template
    
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    
    [Service]
    ExecStart=/opt/k8s/bin/kube-scheduler 
      --address=127.0.0.1 
      --kubeconfig=/opt/k8s/kube-scheduler/kube-scheduler.kubeconfig 
      --leader-elect=true 
      --alsologtostderr=true 
      --logtostderr=false 
      --log-dir=/var/log/kubernetes 
      --v=2
    Restart=on-failure
    RestartSec=5
    
    [Install]
    WantedBy=multi-user.target
    
    • ps: kube-scheduler目前仅支持http, 所以少了一大推相关安全设定!
    • --address:在 127.0.0.1:10251 端口接收 http /metrics 请求;kube-scheduler 目前还不支持接收 https 请求;
    • --kubeconfig:指定 kubeconfig 文件路径,kube-scheduler 使用它连接和验证 kube-apiserver;
    • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;

    6.04.05 分发systemd unit 文件到所有master 节点;启动检查kube-scheduler 服务

    [root@k8s-master01 ~]# vi /opt/k8s/script/scheduler_service.sh
    
    MASTER_IPS=("$1" "$2" "$3")
    for master_ip in ${MASTER_IPS[@]};do
            echo ">>> ${master_ip}"
            scp /opt/k8s/kube-scheduler/kube-scheduler.service.template root@${master_ip}:/etc/systemd/system/kube-scheduler.service
            ssh root@${master_ip} "systemctl daemon-reload && systemctl enable kube-scheduler && systemctl start kube-scheduler && systemctl status kube-scheduler|grep Active"
    done
    
    [root@k8s-master01 ~]# bash /opt/k8s/script/scheduler_service.sh 192.168.2.201 192.168.2.202 192.168.2.203
    

    6.04.06 查看输出的 metric

    • kube-scheduler 监听 10251 端口,接收 http 请求:
    [root@k8s-master01 ~]# ss -nutlp |grep kube-scheduler
    tcp    LISTEN   0        128             127.0.0.1:10251          0.0.0.0:*      users:(("kube-scheduler",pid=8584,fd=6))                                       
    tcp    LISTEN   0        128                     *:10259                *:*      users:(("kube-scheduler",pid=8584,fd=7))   
                                        
    [root@k8s-master01 ~]# curl -s http://127.0.0.1:10251/metrics |head
    # HELP apiserver_audit_event_total [ALPHA] Counter of audit events generated and sent to the audit backend.
    # TYPE apiserver_audit_event_total counter
    apiserver_audit_event_total 0
    # HELP apiserver_audit_requests_rejected_total [ALPHA] Counter of apiserver requests rejected due to an error in audit logging backend.
    # TYPE apiserver_audit_requests_rejected_total counter
    apiserver_audit_requests_rejected_total 0
    # HELP apiserver_client_certificate_expiration_seconds [ALPHA] Distribution of the remaining lifetime on the certificate used to authenticate a request.
    # TYPE apiserver_client_certificate_expiration_seconds histogram
    apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
    apiserver_client_certificate_expiration_seconds_bucket{le="1800"} 0
    

    6.04.07 测试 kube-scheduler 集群的高可用

    • 停掉一个或两个节点的 kube-scheduler 服务,观察其它节点的日志,看是否获取了 leader 权限。
    • 查看当前的 leader
    [root@k8s-master02 ~]# kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
    

    master集群已部署完毕!

  • 相关阅读:
    pycharm日常填坑
    django学习笔记一
    selenium自动化框架介绍------unittest版本
    appium使用教程(三)-------------用例编写
    appium使用教程(二)-------------连接手机
    appium使用教程(一 环境搭建)-------------2.安装部署
    appium使用教程(一 环境搭建)-------------1.准备阶段
    活着的意义
    jQuery插件的编写相关技术 设计总结和最佳实践
    精选10款HTML5手机模板
  • 原文地址:https://www.cnblogs.com/colman/p/11871809.html
Copyright © 2020-2023  润新知