• Configuring Kubernetes ServiceAccount


    When I first set up the Kubernetes cluster, to keep problems to a minimum I removed ServiceAccount from the apiserver configuration and used insecure connections. Later, while configuring FEK logging, this security mechanism often could not be avoided. Because the initial installation on CentOS was done with yum, files such as ca.crt, server.crt and kubecfg.key did not exist at all. I built them by hand several times and each time something was wrong.

    This article builds them with the make-ca-cert method from GitHub, as follows:

    First clone the Kubernetes source from GitHub onto the master node.

    # git clone https://github.com/kubernetes/kubernetes


    Edit make-ca-cert.sh and change line 30 to kube (the services are run under the kube group):

    # update the below line with the group that exists on Kubernetes Master.
    # Use the user group with which you are planning to run kubernetes services
    cert_group=${CERT_GROUP:-kube}

    Run make-ca-cert.sh:

    # cd kubernetes/cluster/saltbase/salt/generate-cert/
    
    bash make-ca-cert.sh "192.168.0.105" "IP:192.168.0.105,IP:10.254.0.1,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"


    Here 192.168.0.105 is the IP of the master node. One problem with this approach is that if the master's IP changes, the certificate may no longer be valid. I do not know whether a hostname can be used instead.

    After it finishes, the relevant keys have been generated under /srv/kubernetes; copy them to the same directory on every minion node.
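    Before the apiserver and controller-manager are pointed at these files it is worth checking them, because a certificate that is not signed by ca.crt, a key that does not belong to server.cert, or a missing SAN only shows up later as TLS errors from kubelets and pods. The script below is an added example, not part of the original post and not part of make-ca-cert.sh; it assumes openssl is installed and that the files are named ca.crt, server.cert and server.key as in the post. make_test_certs builds a throwaway CA and certificate (constructed test data) so the checks can be tried without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files
# make-ca-cert.sh writes to /srv/kubernetes before the apiserver and
# controller-manager are pointed at them. Assumes openssl is on PATH.
set -eu

# verify_k8s_certs <dir> <san-list>
#   <dir>      directory holding ca.crt, server.cert and server.key
#   <san-list> the same "IP:...,DNS:..." list that was given to make-ca-cert.sh
# Prints the first failing check and returns 1; returns 0 when all pass.
verify_k8s_certs() {
    dir=$1
    wanted=$2
    ca="$dir/ca.crt"
    cert="$dir/server.cert"
    key="$dir/server.key"

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # 1. server.cert must chain to ca.crt (the CA handed to --client-ca-file
    #    and --root-ca-file), otherwise kubelets and pods will not trust it
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "server.cert is not signed by ca.crt"; return 1; }

    # 2. server.key must be the private half of the key in server.cert;
    #    compare the public keys derived from each file
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "server.key does not match server.cert"; return 1; }

    # 3. every requested SAN must be present as an exact entry
    #    (openssl prints "IP Address:x" for IP:x and "DNS:y" for DNS:y)
    sans=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//')
    for entry in $(printf '%s' "$wanted" | tr ',' ' '); do
        case "$entry" in
            IP:*)  needle="IP Address:${entry#IP:}" ;;
            DNS:*) needle="$entry" ;;
            *)     echo "unsupported SAN entry: $entry"; return 1 ;;
        esac
        printf '%s\n' "$sans" | grep -qxF "$needle" \
            || { echo "SAN missing from server.cert: $entry"; return 1; }
    done
    echo "ok: $cert chains to $ca, matches $key, and carries all SANs"
    return 0
}

# make_test_certs <dir> <san-list>: build a throwaway CA and server cert so
# the checks above can be exercised without a real cluster (constructed test
# data, not the output of make-ca-cert.sh).
make_test_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kubernetes-master" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$2" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.cnf" \
        -out "$dir/server.cert" 2>/dev/null
}

# Usage: sh verify-certs.sh /srv/kubernetes "IP:192.168.0.105,DNS:kubernetes,..."
if [ $# -eq 2 ]; then
    verify_k8s_certs "$1" "$2"
fi
```

    Run it with the same SAN list that was passed to make-ca-cert.sh, first on the master and again on each minion after the directory has been copied, so that a truncated or mismatched copy is caught before kubelet starts.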

    Then configure /etc/kubernetes/apiserver:

    KUBE_API_ARGS="--secure-port=443 --client-ca-file=/srv/kubernetes/ca.crt --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key"

    Configure /etc/kubernetes/controller-manager:

    KUBE_CONTROLLER_MANAGER_ARGS="--root-ca-file=/srv/kubernetes/ca.crt --service-account-private-key-file=/srv/kubernetes/server.key"

    Start the master and the minions to finish:

    On Master:
    systemctl enable kube-apiserver
    systemctl start kube-apiserver
    systemctl enable kube-controller-manager
    systemctl start kube-controller-manager
    systemctl enable kube-scheduler
    systemctl start kube-scheduler
    systemctl enable flanneld
    systemctl start flanneld
     
    Minions:
    systemctl enable kube-proxy
    systemctl start kube-proxy
    systemctl enable kubelet
    systemctl start kubelet
    systemctl enable flanneld
    systemctl start flanneld
    systemctl enable docker
    systemctl start docker
     
    When kube-apiserver is started through systemctl, the startup log can be seen in /var/log/messages.
    The startup log looks like this:

    May 24 08:07:09 k8s-master pulseaudio[3094]: [alsa-sink-Intel ICH] alsa-sink.c: ALSA woke us up to write new data to the device, but there was actually nothing to write!
    May 24 08:07:09 k8s-master pulseaudio[3094]: [alsa-sink-Intel ICH] alsa-sink.c: Most likely this is a bug in the ALSA driver 'snd_intel8x0'. Please report this issue to the ALSA developers.
    May 24 08:07:09 k8s-master pulseaudio[3094]: [alsa-sink-Intel ICH] alsa-sink.c: We were woken up with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or another value < min_avail.
    May 24 08:07:47 k8s-master systemd: Starting Kubernetes API Server...
    May 24 08:07:47 k8s-master kube-apiserver: Flag --port has been deprecated, see --insecure-port instead.
    May 24 08:07:47 k8s-master kube-apiserver: I0524 08:07:47.680379 4239 config.go:562] Will report 192.168.0.105 as public IP address.
    May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726082 4239 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/resourcequota/resource_access.go:83: Failed to list *api.ResourceQuota: Get http://0.0.0.0:8080/api/v1/resourcequotas?resourceVersion=0: dial tcp 0.0.0.0:8080: getsockopt: connection refused
    May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726161 4239 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/serviceaccount/admission.go:119: Failed to list *api.Secret: Get http://0.0.0.0:8080/api/v1/secrets?fieldSelector=type%3Dkubernetes.io%2Fservice-account-token&resourceVersion=0: dial tcp 0.0.0.0:8080: getsockopt: connection refused
    May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726207 4239 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/serviceaccount/admission.go:103: Failed to list *api.ServiceAccount: Get http://0.0.0.0:8080/api/v1/serviceaccounts?resourceVersion=0: dial tcp 0.0.0.0:8080: getsockopt: connection refused
    May 24 08:07:47 k8s-master kube-apiserver: [restful] 2017/05/24 08:07:47 log.go:30: [restful/swagger] listing is available at https://192.168.0.105:443/swaggerapi/
    May 24 08:07:47 k8s-master kube-apiserver: [restful] 2017/05/24 08:07:47 log.go:30: [restful/swagger] https://192.168.0.105:443/swaggerui/ is mapped to folder /swagger-ui/
    May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.902354 4239 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get http://0.0.0.0:8080/api/v1/namespaces?resourceVersion=0: dial tcp 0.0.0.0:8080: getsockopt: connection refused
    May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.902419 4239 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get http://0.0.0.0:8080/api/v1/limitranges?resourceVersion=0: dial tcp 0.0.0.0:8080: getsockopt: connection refused
    May 24 08:07:47 k8s-master systemd: Started Kubernetes API Server.
    May 24 08:07:47 k8s-master kube-apiserver: I0524 08:07:47.923462 4239 serve.go:95] Serving securely on 0.0.0.0:443
    May 24 08:07:47 k8s-master kube-apiserver: I0524 08:07:47.923542 4239 serve.go:109] Serving insecurely on 0.0.0.0:8080

    I spent a long time searching online for a way to eliminate the "Failed to list *api.Secret" error, but in the end it does not appear to have much impact.
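    The two lines at the end of that log are the ones to read: the secure port is on 0.0.0.0:443, but the apiserver is also "Serving insecurely on 0.0.0.0:8080", an unauthenticated HTTP endpoint reachable from every host that can route to the master (the command-line form further down binds it to 192.168.0.105 with --insecure-bind-address, which is still network-reachable; 127.0.0.1 would keep it local). The script below is an added example, not from the original post; it pulls these facts out of a log file like the one above, counts the startup "connection refused" errors discussed here, and returns 1 when the insecure listener is not on loopback. write_sample_log writes constructed lines abridged from the log above so the function can be tried without a running apiserver.

```shell
#!/bin/sh
# Added example (not from the original post): triage a kube-apiserver startup
# log of the kind shown above. It lists deprecated flags, the secure and
# insecure listeners, and how many informer "connection refused" errors were
# logged while the server was still coming up, and returns 1 when the
# unauthenticated insecure port is bound to a non-loopback address.
set -eu

# audit_apiserver_log <logfile>
# Prints one finding per line; exit status 1 means the insecure listener is
# reachable from the network.
audit_apiserver_log() {
    log=$1
    exposed=0

    # deprecated flags are logged as "Flag --x has been deprecated, ..."
    grep -o 'Flag [^ ]* has been deprecated' "$log" 2>/dev/null \
        | sed 's/^Flag /DEPRECATED_FLAG /; s/ has been deprecated$//' || true

    secure=$(sed -n 's/.*Serving securely on \([^ ]*\).*/\1/p' "$log")
    if [ -n "$secure" ]; then
        echo "SECURE_LISTEN $secure"
    fi

    insecure=$(sed -n 's/.*Serving insecurely on \([^ ]*\).*/\1/p' "$log")
    if [ -n "$insecure" ]; then
        echo "INSECURE_LISTEN $insecure"
        case "$insecure" in
            127.0.0.1:*|localhost:*) ;;   # only local processes can reach it
            *) exposed=1 ;;               # anyone who can route to the host can
        esac
    fi

    # "connection refused" to the insecure port during startup: the admission
    # plugins' informers start before the listener is up and retry; the post
    # above concludes these are harmless, but a count that keeps growing after
    # "Started Kubernetes API Server" would not be
    refused=$(grep -c 'connection refused' "$log" || true)
    echo "STARTUP_CONNECTION_REFUSED $refused"
    return $exposed
}

# write_sample_log <path> <insecure-addr>: constructed log lines abridged from
# the startup log in the post, parameterised on the insecure bind address.
write_sample_log() {
    cat > "$1" <<EOF
May 24 08:07:47 k8s-master systemd: Starting Kubernetes API Server...
May 24 08:07:47 k8s-master kube-apiserver: Flag --port has been deprecated, see --insecure-port instead.
May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726082 4239 reflector.go:199] Failed to list *api.ResourceQuota: dial tcp 0.0.0.0:8080: getsockopt: connection refused
May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726161 4239 reflector.go:199] Failed to list *api.Secret: dial tcp 0.0.0.0:8080: getsockopt: connection refused
May 24 08:07:47 k8s-master kube-apiserver: E0524 08:07:47.726207 4239 reflector.go:199] Failed to list *api.ServiceAccount: dial tcp 0.0.0.0:8080: getsockopt: connection refused
May 24 08:07:47 k8s-master systemd: Started Kubernetes API Server.
May 24 08:07:47 k8s-master kube-apiserver: I0524 08:07:47.923462 4239 serve.go:95] Serving securely on 0.0.0.0:443
May 24 08:07:47 k8s-master kube-apiserver: I0524 08:07:47.923542 4239 serve.go:109] Serving insecurely on $2
EOF
}

# Usage: sh audit-apiserver-log.sh /var/log/messages
if [ $# -eq 1 ]; then
    audit_apiserver_log "$1"
fi
```

    Against the log pasted above it reports DEPRECATED_FLAG --port, SECURE_LISTEN 0.0.0.0:443 and INSECURE_LISTEN 0.0.0.0:8080 and exits 1; once the insecure port is bound to 127.0.0.1 (or disabled with --insecure-port=0) the same check passes.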

    If starting through systemctl does not succeed, you can try starting from the command line.

    Starting the API server and controller manager from the command line:

    /usr/bin/kube-apiserver --logtostderr=true --v=0 --etcd-servers=http://k8s-master:2379 --address=192.168.0.105 --port=8080 --kubelet-port=10250 --allow-privileged=true --service-cluster-ip-range=10.254.0.0/16 --admission-control=ServiceAccount --insecure-bind-address=192.168.0.105 --client-ca-file=/srv/kubernetes/ca.crt --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key --secure-port=443 
     
    /usr/bin/kube-controller-manager --logtostderr=true --v=0 --master=http://k8s-master:8080 --root-ca-file=/srv/kubernetes/ca.crt --service-account-private-key-file=/srv/kubernetes/server.key
  • Original article: https://www.cnblogs.com/ericnie/p/6894688.html