
Installing a k8s cluster from binaries (8): installing kube-apiserver

In the previous article we covered installing Harbor and its basic use; here we install kube-apiserver. We download the release binary, run it as a Linux systemd service, and enable TLS on kube-apiserver. Kubernetes (version 1.15.1) is downloaded from GitHub. Please prepare the kube-apiserver TLS certificates in advance; the earlier article on creating the Docker certs shows how.

Download Kubernetes:

# download client binary
wget https://dl.k8s.io/v1.15.1/kubernetes-client-linux-amd64.tar.gz
# download server binary
wget https://dl.k8s.io/v1.15.1/kubernetes-server-linux-amd64.tar.gz
# download node binary
wget https://dl.k8s.io/v1.15.1/kubernetes-node-linux-amd64.tar.gz

tar -xzvf kubernetes-client-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-node-linux-amd64.tar.gz

Copy the binary:

cp /opt/sw/kubernetes/install/kubernetes/server/bin/kube-apiserver /usr/bin/
whereis kube-apiserver

Copy the certificate files:

kube-apiserver has to talk to etcd and to the kubelets, and it also serves the API itself. We enable TLS authentication on all of these connections, so create the corresponding certificates in advance and copy them into the configuration directory (see the earlier article on creating the Docker certs).

mkdir -p /etc/kubernetes/apiserver
mkdir -p /etc/kubernetes/apiserver/cert/etcd
mkdir -p /etc/kubernetes/apiserver/cert/kubelet
mkdir -p /etc/kubernetes/apiserver/cert/server

Create the basic-auth and static-token-auth files:

Here are the basic auth and static token files used for access to kube-apiserver.

touch /etc/kubernetes/apiserver/k8s-auth-static-token.csv
cat > /etc/kubernetes/apiserver/k8s-auth-static-token.csv <<EOF
token,user,uid
abc123_,rodney,rodney
EOF

touch /etc/kubernetes/apiserver/k8s-auth-static-password.csv
cat > /etc/kubernetes/apiserver/k8s-auth-static-password.csv <<EOF
password,user,uid
abc123_,rodney,rodney
EOF

Create the kube-apiserver configuration file:

There are a great many options here, so we will not go through them one by one; if you are interested, see the kube-apiserver configuration documentation or the help output of the kube-apiserver binary.

touch /etc/kubernetes/apiserver/k8s-apiserver.conf

cat > /etc/kubernetes/apiserver/k8s-apiserver.conf <<EOF
# Variable names must match the ones referenced in kube-apiserver.service.
# A trailing backslash continues a value; the shell joins it onto one line when writing the file.
KUBE_API_ADDRESS="--advertise-address=172.20.11.41 --bind-address=172.20.11.41 --insecure-bind-address=127.0.0.1"
KUBE_API_PORT="--port=8080 --secure-port=6443"
KUBE_ETCD_SERVERS="--storage-backend=etcd3 --etcd-servers=https://172.20.11.41:2379,https://172.20.11.42:2379,https://172.20.11.43:2379 \
  --etcd-cafile=/etc/kubernetes/apiserver/cert/etcd/ca.crt \
  --etcd-certfile=/etc/kubernetes/apiserver/cert/etcd/etcd-client.crt \
  --etcd-keyfile=/etc/kubernetes/apiserver/cert/etcd/etcd-client.key"
KUBE_KUBELET="--kubelet-port=10250 \
  --kubelet-https=true \
  --kubelet-certificate-authority=/etc/kubernetes/apiserver/cert/kubelet/ca.crt \
  --kubelet-client-certificate=/etc/kubernetes/apiserver/cert/kubelet/k8skubelet-client.crt \
  --kubelet-client-key=/etc/kubernetes/apiserver/cert/kubelet/k8skubelet-client.key"
KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_NODE_PORT="--service-node-port-range=80-30000"
KUBE_API_TLS="--tls-cert-file=/etc/kubernetes/apiserver/cert/server/k8sapiserver-server.crt \
  --tls-private-key-file=/etc/kubernetes/apiserver/cert/server/k8sapiserver-server.key \
  --client-ca-file=/etc/kubernetes/apiserver/cert/server/ca.crt"
KUBE_API_ARGS="--service-account-key-file=/etc/kubernetes/apiserver/cert/server/k8sapiserver-server.key \
  --basic-auth-file=/etc/kubernetes/apiserver/k8s-auth-static-password.csv \
  --token-auth-file=/etc/kubernetes/apiserver/k8s-auth-static-token.csv"
# logging to stderr means can get in systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"
# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"
# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=true"
EOF

source /etc/kubernetes/apiserver/k8s-apiserver.conf

Create the kube-apiserver systemd unit file:

touch /usr/lib/systemd/system/kube-apiserver.service

cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Service
After=network.target network-online.target
Wants=network-online.target

[Service]
Type=simple
# EnvironmentFile loads the variables and systemd expands them itself, so the heredoc
# delimiter above is quoted to keep the $VAR references literal in this file.
# Unbraced $VAR is split on whitespace into separate arguments; ${VAR} would pass
# the whole value as a single argument, which kube-apiserver cannot parse.
EnvironmentFile=/etc/kubernetes/apiserver/k8s-apiserver.conf
ExecStart=/usr/bin/kube-apiserver \
  $KUBE_API_ADDRESS \
  $KUBE_API_PORT \
  $KUBE_ETCD_SERVERS \
  $KUBE_KUBELET \
  $KUBE_ADMISSION_CONTROL \
  $KUBE_SERVICE_ADDRESSES \
  $KUBE_NODE_PORT \
  $KUBE_API_TLS \
  $KUBE_API_ARGS \
  $KUBE_LOGTOSTDERR \
  $KUBE_LOG_LEVEL \
  $KUBE_ALLOW_PRIV
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

Reload systemd and enable the service at boot:

systemctl daemon-reload
systemctl enable kube-apiserver

Open the kube-apiserver port in the firewall; it is configured as 6443 here:

firewall-cmd --list-all
firewall-cmd --permanent --zone=public --add-port=6443/tcp
firewall-cmd --reload
firewall-cmd --list-all

Start the service and check its status:

systemctl start kube-apiserver
systemctl status kube-apiserver

That is all for now; in the next article we continue with installing the k8s component kubectl.