CN: Common Name. The browser uses this field to verify whether the site is legitimate; it is normally the domain name. Very important.
C: Country
ST: State or province
L: Locality, i.e. region or city
O: Organization Name, the organization or company name
OU: Organization Unit Name, the organizational unit or company department
Generate the CA certificate and private key
/opt/certs
```
[root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/01/18 09:31:19 [INFO] generating a new CA key and certificate from CSR
2019/01/18 09:31:19 [INFO] generate received request
2019/01/18 09:31:19 [INFO] received CSR
2019/01/18 09:31:19 [INFO] generating key: rsa-2048
2019/01/18 09:31:19 [INFO] encoded CSR
2019/01/18 09:31:19 [INFO] signed certificate with serial number 345276964513449660162382535043012874724976422200
```
This produces ca.pem, ca.csr and ca-key.pem (the CA private key; it must be kept safe).
/opt/certs
```
[root@hdss7-200 certs]# ls -l
-rw-r--r-- 1 root root  836 Jan 16 11:04 ca-config.json
-rw-r--r-- 1 root root  332 Jan 16 11:10 ca-csr.json
-rw------- 1 root root 1675 Jan 16 11:17 ca-key.pem
-rw-r--r-- 1 root root 1001 Jan 16 11:17 ca.csr
-rw-r--r-- 1 root root 1354 Jan 16 11:17 ca.pem
```
```ini
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process

[Install]
WantedBy=multi-user.target
```
```
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssljson -bare etcd-peer
2019/01/18 09:35:09 [INFO] generate received request
2019/01/18 09:35:09 [INFO] received CSR
2019/01/18 09:35:09 [INFO] generating key: rsa-2048
2019/01/18 09:35:09 [INFO] encoded CSR
2019/01/18 09:35:10 [INFO] signed certificate with serial number 324191491384928915605254764031096067872154649010
2019/01/18 09:35:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
```
Check the generated certificate and private key
/opt/certs
```
[root@hdss7-200 certs]# ls -l|grep etcd
-rw-r--r-- 1 root root  387 Jan 18 12:32 etcd-peer-csr.json
-rw------- 1 root root 1679 Jan 18 12:32 etcd-peer-key.pem
-rw-r--r-- 1 root root 1074 Jan 18 12:32 etcd-peer.csr
-rw-r--r-- 1 root root 1432 Jan 18 12:32 etcd-peer.pem
```
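Two different things are at work in the cfssl output above: the subject fields described at the top of this page (CN, C, ST, L, O, OU), which identify the certificate holder, and the "hosts" field that cfssl warns about, which becomes the certificate's SubjectAltName and is what a TLS client actually matches against the name or IP it connected to. The following added example (not from this page's deployment and not cfssl code) uses Go's standard crypto/x509 to issue a CA and two leaf certificates, one with hosts and one with only a CN, and then runs the verification a Go TLS client performs. The subject values, host names and IP addresses are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSubject fills the fields listed at the top of this page; values are constructed.
func newSubject(cn string) pkix.Name {
	return pkix.Name{
		CommonName:         cn,
		Country:            []string{"CN"},
		Province:           []string{"beijing"},
		Locality:           []string{"beijing"},
		Organization:       []string{"od"},
		OrganizationalUnit: []string{"ops"},
	}
}

// newCA builds a self-signed CA, the counterpart of `cfssl gencert -initca`.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               newSubject("kubernetes-ca"),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert signs a leaf whose hosts become SubjectAltName entries, which is what
// cfssl fills from its "hosts" field. An empty hosts list yields the kind of certificate
// the WARNING above refers to: usable for peer/client authentication, but no client can
// match a server name against it.
func issueServerCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for an example
		Subject:      newSubject(cn),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForHost does what a TLS client does: chain the leaf to the CA and require
// host (a DNS name or an IP) to be listed in the certificate.
func verifyForHost(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	withHosts, _ := issueServerCert(caCert, caKey, "k8s-node", []string{"hdss7-21.host.com", "10.4.7.21"})
	cnOnly, _ := issueServerCert(caCert, caKey, "hdss7-21.host.com", nil)
	fmt.Println("SAN present:", verifyForHost(withHosts, caCert, "hdss7-21.host.com"))
	fmt.Println("CN only    :", verifyForHost(cnOnly, caCert, "hdss7-21.host.com"))
}
```

Since Go 1.15 the verifier ignores the CN completely, so the CN-only certificate fails even though its CN equals the host name; current browsers behave the same way, which is what the cfssl warning is about. For certificates that clients connect to by name or address (apiserver, etcd), the CSR therefore needs a "hosts" list that covers every name and IP in use, including any load-balancer address.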
```ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh                        ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/etcd                                             ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=22                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                                       ; setuid to this UNIX account to run the program
redirect_stderr=false                                           ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log           ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/etcd-server/etcd.stderr.log           ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                        ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                     ; emit events on stderr writes (default false)
```
Note: the etcd startup configuration differs slightly on each cluster host; adjust it when configuring the other nodes.
Start the etcd service and check it
On HDSS7-12.host.com:
```
[root@hdss7-12 certs]# supervisorctl start all
etcd-server-7-12: started
[root@hdss7-12 certs]# supervisorctl status
etcd-server-7-12                 RUNNING   pid 6692, uptime 0:00:05
```
Install, deploy, start and check the etcd service on all hosts in the cluster plan
(omitted)
Check the cluster status
After all three nodes are started, check the cluster status
```
[root@hdss7-12 ~]# /opt/etcd/etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from http://127.0.0.1:2379
member 5a0ef2a004fc4349 is healthy: got healthy result from http://127.0.0.1:2379
member f4a0cb0a765574a8 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
[root@hdss7-12 ~]# /opt/etcd/etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.12:2379 isLeader=true
```
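The `member list` output above is also the place to confirm that the TLS settings came out as intended: peer URLs (which replicate the whole key space between members) are https, and the only plaintext client URL is bound to loopback. The following added example (not part of this page's deployment and not etcd code) parses that output format and reports a non-https peer URL, a plaintext client URL that is reachable off-host, and a leader count other than one. The three member lines are copied from the output above; the fourth, misconfigured member is constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Member is one line of `etcdctl member list` in the v2 format shown above.
type Member struct {
	ID, Name   string
	PeerURLs   []string
	ClientURLs []string
	IsLeader   bool
}

// Constructed samples: the three members listed above, and one deliberately
// misconfigured member exposing plaintext peer and client URLs on a routable address.
const memberListSample = `988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.12:2379 isLeader=true`

const badMemberSample = `0000000000000bad: name=etcd-server-7-23 peerURLs=http://10.4.7.23:2380 clientURLs=http://10.4.7.23:2379 isLeader=false`

// parseMemberList parses "<id>: name=<n> peerURLs=<u,..> clientURLs=<u,..> isLeader=<bool>" lines.
func parseMemberList(out string) ([]Member, error) {
	var members []Member
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ": ", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("unexpected member line: %q", line)
		}
		m := Member{ID: parts[0]}
		for _, field := range strings.Fields(parts[1]) {
			kv := strings.SplitN(field, "=", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("unexpected field %q in %q", field, line)
			}
			switch kv[0] {
			case "name":
				m.Name = kv[1]
			case "peerURLs":
				m.PeerURLs = strings.Split(kv[1], ",")
			case "clientURLs":
				m.ClientURLs = strings.Split(kv[1], ",")
			case "isLeader":
				m.IsLeader = kv[1] == "true"
			}
		}
		members = append(members, m)
	}
	return members, nil
}

// auditMembers applies three checks: every peer URL must be https, a plain-http
// client URL is tolerated only on a loopback address, and exactly one member
// must be the leader.
func auditMembers(members []Member) []string {
	var findings []string
	leaders := 0
	for _, m := range members {
		if m.IsLeader {
			leaders++
		}
		for _, raw := range m.PeerURLs {
			if u, err := url.Parse(raw); err != nil || u.Scheme != "https" {
				findings = append(findings, fmt.Sprintf("%s: peer URL %s is not https", m.Name, raw))
			}
		}
		for _, raw := range m.ClientURLs {
			u, err := url.Parse(raw)
			if err != nil {
				findings = append(findings, fmt.Sprintf("%s: unparsable client URL %s", m.Name, raw))
				continue
			}
			if ip := net.ParseIP(u.Hostname()); u.Scheme == "http" && (ip == nil || !ip.IsLoopback()) {
				findings = append(findings, fmt.Sprintf("%s: plaintext client URL %s is reachable off-host", m.Name, raw))
			}
		}
	}
	if leaders != 1 {
		findings = append(findings, fmt.Sprintf("expected exactly one leader, found %d", leaders))
	}
	return findings
}

func main() {
	for _, sample := range []string{memberListSample, badMemberSample} {
		members, err := parseMemberList(sample)
		if err != nil {
			panic(err)
		}
		fmt.Println(auditMembers(members))
	}
}
```

Run against the healthy sample the audit returns no findings; against the constructed bad member it returns three. The same parser can be pointed at live output by piping `etcdctl member list` into it, which makes the check cheap to repeat after every node is added.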
```
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client
2019/01/18 14:02:50 [INFO] generate received request
2019/01/18 14:02:50 [INFO] received CSR
2019/01/18 14:02:50 [INFO] generating key: rsa-2048
2019/01/18 14:02:51 [INFO] encoded CSR
2019/01/18 14:02:51 [INFO] signed certificate with serial number 423108651040279300242366884100637974155370861448
2019/01/18 14:02:51 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
```
Check the generated certificate and private key
```
[root@hdss7-200 certs]# ls -l|grep client
-rw------- 1 root root 1679 Jan 21 11:13 client-key.pem
-rw-r--r-- 1 root root  989 Jan 21 11:13 client.csr
-rw-r--r-- 1 root root 1367 Jan 21 11:13 client.pem
```
```
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json | cfssljson -bare apiserver
2019/01/18 14:05:44 [INFO] generate received request
2019/01/18 14:05:44 [INFO] received CSR
2019/01/18 14:05:44 [INFO] generating key: rsa-2048
2019/01/18 14:05:46 [INFO] encoded CSR
2019/01/18 14:05:46 [INFO] signed certificate with serial number 633406650960616624590510576685608580490218676227
2019/01/18 14:05:46 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
```
Check the generated certificate and private key
```
[root@hdss7-200 certs]# ls -l|grep apiserver
total 72
-rw-r--r-- 1 root root  406 Jan 21 14:10 apiserver-csr.json
-rw------- 1 root root 1675 Jan 21 14:11 apiserver-key.pem
-rw-r--r-- 1 root root 1082 Jan 21 14:11 apiserver.csr
-rw-r--r-- 1 root root 1599 Jan 21 14:11 apiserver.pem
```
Copy the certificates to each compute node and create the configuration
On HDSS7-21.host.com:
Copy the certificates and private keys; note that the private key files must have mode 600
/opt/kubernetes/server/bin/cert
```
[root@hdss7-21 cert]# ls -l /opt/kubernetes/server/bin/cert
total 40
-rw------- 1 root root 1676 Jan 21 16:39 apiserver-key.pem
-rw-r--r-- 1 root root 1599 Jan 21 16:36 apiserver.pem
-rw------- 1 root root 1675 Jan 21 13:55 ca-key.pem
-rw-r--r-- 1 root root 1354 Jan 21 13:50 ca.pem
-rw------- 1 root root 1679 Jan 21 13:53 client-key.pem
-rw-r--r-- 1 root root 1368 Jan 21 13:53 client.pem
```
```yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
```
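The policy above is evaluated first-match, top to bottom, so the order of the rules decides what gets logged at which level. To see what it does with a concrete request, the following added example (not part of this page's deployment and not Kubernetes code) re-implements the apiserver's rule matching in Go for the rule fields used above (users, userGroups, verbs, namespaces, resources with resourceNames, and nonResourceURLs with a trailing-star wildcard). Per-rule omitStages is not modelled, and the request attributes in main and in the checks are constructed.

```go
package main

import "strings"

// Attributes are the request fields the policy above matches on; a non-resource
// request (e.g. GET /version) has IsResource false and carries User, Groups, Verb, Path.
type Attributes struct {
	User, Verb, Path, APIGroup, Resource, Subresource, Name, Namespace string
	Groups                                                            []string
	IsResource                                                        bool
}

// GroupResources and Rule mirror the keys of the policy file above (per-rule omitStages is not modelled).
type GroupResources struct {
	Group                    string
	Resources, ResourceNames []string
}
type Rule struct {
	Level                                                 string
	Users, UserGroups, Verbs, Namespaces, NonResourceURLs []string
	Resources                                             []GroupResources
}

// Policy is the policy file above transcribed into Go values, in the same order.
var Policy = []Rule{
	{Level: "RequestResponse", Resources: []GroupResources{{Group: "", Resources: []string{"pods"}}}},
	{Level: "Metadata", Resources: []GroupResources{{Group: "", Resources: []string{"pods/log", "pods/status"}}}},
	{Level: "None", Resources: []GroupResources{{Group: "", Resources: []string{"configmaps"}, ResourceNames: []string{"controller-leader"}}}},
	{Level: "None", Users: []string{"system:kube-proxy"}, Verbs: []string{"watch"}, Resources: []GroupResources{{Group: "", Resources: []string{"endpoints", "services"}}}},
	{Level: "None", UserGroups: []string{"system:authenticated"}, NonResourceURLs: []string{"/api*", "/version"}},
	{Level: "Request", Namespaces: []string{"kube-system"}, Resources: []GroupResources{{Group: "", Resources: []string{"configmaps"}}}},
	{Level: "Metadata", Resources: []GroupResources{{Group: "", Resources: []string{"secrets", "configmaps"}}}},
	{Level: "Request", Resources: []GroupResources{{Group: ""}, {Group: "extensions"}}},
	{Level: "Metadata"},
}

// matchAny implements the selector semantics: an empty selector matches everything, otherwise one of values must be listed.
func matchAny(selector []string, values ...string) bool {
	if len(selector) == 0 {
		return true
	}
	for _, v := range values {
		for _, s := range selector {
			if s == v {
				return true
			}
		}
	}
	return false
}

// LevelFor returns the level of the first matching rule; a request that matches no rule is not audited.
func LevelFor(policy []Rule, a Attributes) string {
	for _, r := range policy {
		if matches(r, a) {
			return r.Level
		}
	}
	return "None"
}

func matches(r Rule, a Attributes) bool {
	if !matchAny(r.Users, a.User) || !matchAny(r.UserGroups, a.Groups...) || !matchAny(r.Verbs, a.Verb) {
		return false
	}
	if len(r.Namespaces) > 0 || len(r.Resources) > 0 {
		return matchesResource(r, a)
	}
	if len(r.NonResourceURLs) > 0 {
		return matchesNonResource(r, a)
	}
	return true // no selector at all: the catch-all rule
}

func matchesNonResource(r Rule, a Attributes) bool {
	for _, spec := range r.NonResourceURLs {
		// A trailing "*" is a prefix wildcard: "/api*" also covers "/api/v1/pods".
		if !a.IsResource && (a.Path == spec || strings.HasSuffix(spec, "*") && strings.HasPrefix(a.Path, strings.TrimSuffix(spec, "*"))) {
			return true
		}
	}
	return false
}

func matchesResource(r Rule, a Attributes) bool {
	if !a.IsResource || !matchAny(r.Namespaces, a.Namespace) {
		return false
	}
	combined := a.Resource // "pods" does not match the "pods/log" subresource; "pods/*" would
	if a.Subresource != "" {
		combined += "/" + a.Subresource
	}
	for _, gr := range r.Resources {
		if gr.Group == a.APIGroup && (len(gr.Resources) == 0 || matchAny(gr.ResourceNames, a.Name) && matchAny(gr.Resources, combined, a.Resource+"/*")) {
			return true
		}
	}
	return len(r.Resources) == 0 // a namespace-only rule matches any resource in that namespace
}
func main() {
	println(LevelFor(Policy, Attributes{User: "alice", Verb: "get", Resource: "pods", Subresource: "log", Namespace: "default", IsResource: true}))
}
```

Worth noticing when reading the results: a read of `pods/log` lands on the second rule, not the first, because the combined resource name is compared; a `configmaps` write in `kube-system` is logged with its request body while the same write elsewhere is logged at Metadata only; and a `deployments` request in the `apps` group falls through to the catch-all, since the eighth rule names only the core and `extensions` groups.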
```ini
[program:kube-apiserver]
command=/opt/kubernetes/server/bin/kube-apiserver.sh                    ; the program (relative uses PATH, can take args)
numprocs=1                                                              ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                    ; directory to cwd to before exec (def no cwd)
autostart=true                                                          ; start at supervisord start (default: true)
autorestart=true                                                        ; restart at unexpected quit (default: true)
startsecs=22                                                            ; number of secs prog must stay running (def. 1)
startretries=3                                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                                         ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                               ; setuid to this UNIX account to run the program
redirect_stderr=false                                                   ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                             ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stderr.log ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                                ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                             ; emit events on stderr writes (default false)
```
Start the service and check it
On HDSS7-21.host.com:
```
[root@hdss7-21 bin]# supervisorctl update
kube-apiserver: added process group
[root@hdss7-21 bin]# supervisorctl status
etcd-server-7-21                 RUNNING   pid 6661, uptime 1 day, 8:41:13
kube-apiserver                   RUNNING   pid 43765, uptime 2:09:41
```
Install, deploy, start and check kube-apiserver on all hosts in the cluster plan
(omitted)
Configure the layer-4 reverse proxy
On HDSS7-11.host.com and HDSS7-12.host.com:
nginx configuration
/etc/nginx/nginx.conf
```nginx
stream {
    upstream kube-apiserver {
        server 10.4.7.21:6443     max_fails=3 fail_timeout=30s;
        server 10.4.7.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
```
keepalived configuration
check_port.sh
/etc/keepalived/check_port.sh
```bash
#!/bin/bash
# keepalived port-monitoring script
# Usage:
# in the keepalived configuration file:
# vrrp_script check_port {                          # define a vrrp_script block; check the configuration
#     script "/etc/keepalived/check_port.sh 6379"   # port to monitor
#     interval 2                                    # how often to run the check, in seconds
# }
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        # -n keeps the port numeric (without it ss may print a service name from /etc/services
        # instead of the number); ":PORT" followed by whitespace avoids matching 17443 for 7443
        PORT_PROCESS=$(ss -lnt | grep -cE ":${CHK_PORT}[[:space:]]")
        if [ "$PORT_PROCESS" -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
        exit 1   # a missing argument must count as a failed check, not a healthy node
fi
```
```ini
[program:kube-controller-manager]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh                     ; the program (relative uses PATH, can take args)
numprocs=1                                                                        ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                              ; directory to cwd to before exec (def no cwd)
autostart=true                                                                    ; start at supervisord start (default: true)
autorestart=true                                                                  ; restart at unexpected quit (default: true)
startsecs=22                                                                      ; number of secs prog must stay running (def. 1)
startretries=3                                                                    ; max # of serial start failures (default 3)
exitcodes=0,2                                                                     ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                                   ; signal used to kill process (default TERM)
stopwaitsecs=10                                                                   ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                                         ; setuid to this UNIX account to run the program
redirect_stderr=false                                                             ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controll.stdout.log  ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                                      ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                          ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                                       ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                                       ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-controller-manager/controll.stderr.log  ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                                      ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                                          ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                                       ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                                       ; emit events on stderr writes (default false)
```
```ini
[program:kube-scheduler]
command=/opt/kubernetes/server/bin/kube-scheduler.sh                    ; the program (relative uses PATH, can take args)
numprocs=1                                                              ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                    ; directory to cwd to before exec (def no cwd)
autostart=true                                                          ; start at supervisord start (default: true)
autorestart=true                                                        ; restart at unexpected quit (default: true)
startsecs=22                                                            ; number of secs prog must stay running (def. 1)
startretries=3                                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                                         ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                               ; setuid to this UNIX account to run the program
redirect_stderr=false                                                   ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                             ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stderr.log ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                                ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                             ; emit events on stderr writes (default false)
```
```
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssljson -bare kubelet
2019/01/18 17:51:16 [INFO] generate received request
2019/01/18 17:51:16 [INFO] received CSR
2019/01/18 17:51:16 [INFO] generating key: rsa-2048
2019/01/18 17:51:17 [INFO] encoded CSR
2019/01/18 17:51:17 [INFO] signed certificate with serial number 48870268157415133698067712395152321546974943470
2019/01/18 17:51:17 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
```
Check the generated certificate and private key
/opt/certs
```
[root@hdss7-200 certs]# ls -l|grep kubelet
total 88
-rw-r--r-- 1 root root  415 Jan 22 16:58 kubelet-csr.json
-rw------- 1 root root 1679 Jan 22 17:00 kubelet-key.pem
-rw-r--r-- 1 root root 1086 Jan 22 17:00 kubelet.csr
-rw-r--r-- 1 root root 1456 Jan 22 17:00 kubelet.pem
```
Copy the certificates to each compute node and create the configuration
On HDSS7-21.host.com:
Copy the certificates and private keys; note that the private key files must have mode 600
/opt/kubernetes/server/bin/cert
```
[root@hdss7-21 cert]# ls -l /opt/kubernetes/server/bin/cert
total 40
-rw------- 1 root root 1676 Jan 21 16:39 apiserver-key.pem
-rw-r--r-- 1 root root 1599 Jan 21 16:36 apiserver.pem
-rw------- 1 root root 1675 Jan 21 13:55 ca-key.pem
-rw-r--r-- 1 root root 1354 Jan 21 13:50 ca.pem
-rw------- 1 root root 1679 Jan 21 13:53 client-key.pem
-rw-r--r-- 1 root root 1368 Jan 21 13:53 client.pem
-rw------- 1 root root 1679 Jan 22 17:00 kubelet-key.pem
-rw-r--r-- 1 root root 1456 Jan 22 17:00 kubelet.pem
```
```ini
[program:kube-kubelet]
command=/opt/kubernetes/server/bin/kubelet-721.sh                       ; the program (relative uses PATH, can take args)
numprocs=1                                                              ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                    ; directory to cwd to before exec (def no cwd)
autostart=true                                                          ; start at supervisord start (default: true)
autorestart=true                                                        ; restart at unexpected quit (default: true)
startsecs=22                                                            ; number of secs prog must stay running (def. 1)
startretries=3                                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                                         ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                               ; setuid to this UNIX account to run the program
redirect_stderr=false                                                   ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log    ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                             ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stderr.log    ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                                ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                             ; emit events on stderr writes (default false)
```
```
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json | cfssljson -bare kube-proxy-client
2019/01/18 18:14:23 [INFO] generate received request
2019/01/18 18:14:23 [INFO] received CSR
2019/01/18 18:14:23 [INFO] generating key: rsa-2048
2019/01/18 18:14:23 [INFO] encoded CSR
2019/01/18 18:14:23 [INFO] signed certificate with serial number 375797145588654714099258750873820528127028390681
2019/01/18 18:14:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
```
Check the generated certificate and private key
/opt/certs
```
[root@hdss7-200 certs]# ls -l|grep kube-proxy
-rw------- 1 root root 1679 Jan 22 17:31 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1005 Jan 22 17:31 kube-proxy-client.csr
-rw-r--r-- 1 root root 1383 Jan 22 17:31 kube-proxy-client.pem
-rw-r--r-- 1 root root  268 Jan 22 17:23 kube-proxy-csr.json
```
Copy the certificates to each compute node and create the configuration
On HDSS7-21.host.com:
Copy the certificates and private keys; note that the private key files must have mode 600
/opt/kubernetes/server/bin/cert
```
[root@hdss7-21 cert]# ls -l /opt/kubernetes/server/bin/cert
total 40
-rw------- 1 root root 1676 Jan 21 16:39 apiserver-key.pem
-rw-r--r-- 1 root root 1599 Jan 21 16:36 apiserver.pem
-rw------- 1 root root 1675 Jan 21 13:55 ca-key.pem
-rw-r--r-- 1 root root 1354 Jan 21 13:50 ca.pem
-rw------- 1 root root 1679 Jan 21 13:53 client-key.pem
-rw-r--r-- 1 root root 1368 Jan 21 13:53 client.pem
-rw------- 1 root root 1679 Jan 22 17:00 kubelet-key.pem
-rw-r--r-- 1 root root 1456 Jan 22 17:00 kubelet.pem
-rw------- 1 root root 1679 Jan 22 17:31 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1383 Jan 22 17:31 kube-proxy-client.pem
```
```ini
[program:kube-proxy]
command=/opt/kubernetes/server/bin/kube-proxy-721.sh                    ; the program (relative uses PATH, can take args)
numprocs=1                                                              ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                    ; directory to cwd to before exec (def no cwd)
autostart=true                                                          ; start at supervisord start (default: true)
autorestart=true                                                        ; restart at unexpected quit (default: true)
startsecs=22                                                            ; number of secs prog must stay running (def. 1)
startretries=3                                                          ; max # of serial start failures (default 3)
exitcodes=0,2                                                           ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                         ; signal used to kill process (default TERM)
stopwaitsecs=10                                                         ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                               ; setuid to this UNIX account to run the program
redirect_stderr=false                                                   ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log        ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                             ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/kubernetes/kube-proxy/proxy.stderr.log        ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                            ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                                ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                             ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                             ; emit events on stderr writes (default false)
```
```ini
[program:flanneld]
command=/opt/flannel/flanneld.sh                                ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/flannel                                          ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=22                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=false                                           ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log          ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
stderr_logfile=/data/logs/flanneld/flanneld.stderr.log          ; stderr log path, NONE for none; default AUTO
stderr_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stderr_logfile_backups=4                                        ; # of stderr logfile backups (default 10)
stderr_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stderr_events_enabled=false                                     ; emit events on stderr writes (default false)
```
```yaml
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque
```
vi /data/k8s-yaml/dashboard/configmap.yaml
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    # Allows editing resource and makes sure it is created first.
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kubernetes-dashboard-settings
  namespace: kube-system
```
```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: Heapster
  name: heapster
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 8082
  selector:
    k8s-app: heapster
```
Apply the resource manifests
On any compute node:
```
[root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/heapster/rbac.yaml
serviceaccount/heapster created
clusterrolebinding.rbac.authorization.k8s.io/heapster created
[root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/heapster/deployment.yaml
deployment.extensions/heapster created
[root@hdss7-21 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/heapster/svc.yaml
service/heapster created
```