共计 9030 个字符,预计需要花费 23 分钟才能阅读完成。
API Server 简介
k8s API Server 提供了 k8s 各类资源对象(pod,RC,Service 等)的增删改查及 watch 等 HTTP Rest 接口,是整个系统的数据总线和数据中心。
kubernetes API Server 的功能:
一, 提供了集群管理的 REST API 接口 (包括认证授权、数据校验以及集群状态变更);
二, 提供其他模块之间的数据交互和通信的枢纽(其他模块通过 API Server 查询或修改数据,只有 API Server 才直接操作 etcd);
三, 是资源配额控制的入口;
四, 拥有完备的集群安全机制
安装 kubapi
| tar xf kubernetes-server-linux-amd64.tar.gz | |
| mv kubernetes /usr/local/kubernetes-v1.15.2 | |
| ln -s kubernetes-v1.15.2 kubernetes | |
| [root@hdss7-22 kubernetes]#rm -rf kubernetes-src.tar.gz | |
| [root@hdss7-22 kubernetes]#cd server/bin/ | |
| [root@hdss7-22 bin]# rm -rf *_tag | |
| [root@hdss7-22 bin]# rm -rf *.tar |
签发 apiserver-client 证书:apiserver 与 etc 通信用的证书。apiserver 是客户端,etcd 是服务端
| [root@hdss7-200 ~]# vim /opt/certs/client-csr.json | |
| { | |
| "CN": "k8s-node", | |
| "hosts": [ ], | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "C": "CN", | |
| "ST": "beijing", | |
| "L": "beijing", | |
| "O": "od", | |
| "OU": "ops" | |
| } | |
| ] | |
| } |
签发证书
| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client | |
| [root@hdss7-200 certs]# ll | |
| total 52 | |
| -rw-r--r--. 1 root root 840 Apr 20 10:25 ca-config.json | |
| -rw-r--r--. 1 root root 993 Apr 18 17:47 ca.csr | |
| -rw-r--r--. 1 root root 332 Apr 18 17:40 ca-csr.json | |
| -rw-------. 1 root root 1675 Apr 18 17:47 ca-key.pem | |
| -rw-r--r--. 1 root root 1346 Apr 18 17:47 ca.pem | |
| -rw-r--r--. 1 root root 993 Apr 21 11:36 client.csr | |
| -rw-r--r--. 1 root root 280 Apr 21 11:36 client-csr.json | |
| -rw-------. 1 root root 1679 Apr 21 11:36 client-key.pem | |
| -rw-r--r--. 1 root root 1363 Apr 21 11:36 client.pem | |
| -rw-r--r--. 1 root root 1062 Apr 20 10:36 etcd-peer.csr | |
| -rw-r--r--. 1 root root 363 Apr 20 10:28 etcd-peer-csr.json | |
| -rw-------. 1 root root 1675 Apr 20 10:36 etcd-peer-key.pem | |
| -rw-r--r--. 1 root root 1428 Apr 20 10:36 etcd-peer.pem | |
| [root@hdss7-200 certs]# vim apiserver-csr.json | |
| { | |
| "CN": "k8s-apiserver", | |
| "hosts": [ | |
| "127.0.0.1", | |
| "192.168.0.1", | |
| "kubernetes.default", | |
| "kubernetes.default.svc", | |
| "kubernetes.default.svc.cluster", | |
| "kubernetes.default.svc.cluster.local", | |
| "10.4.7.10", | |
| "10.4.7.21", | |
| "10.4.7.22", | |
| "10.4.7.23" | |
| ], | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "C": "CN", | |
| "ST": "beijing", | |
| "L": "beijing", | |
| "O": "od", | |
| "OU": "ops" | |
| } | |
| ] | |
| } | |
| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver |
设置主机的 host 理论如果使用了本机的 dns 是不需要的。
| cat >>/etc/hosts<<EOF | |
| 10.4.7.200 hdss7-200 | |
| 10.4.7.11 hdss7-11 | |
| 10.4.7.12 hdss7-12 | |
| 10.4.7.21 hdss7-21 | |
| 10.4.7.22 hdss7-22 | |
| EOF |
注意我的安装目录是在 /usr/local/ 下并设置了软链。
[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
最后有个点,表示拷贝到当前目录
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem . | |
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem . | |
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem . | |
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem . | |
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem . | |
| [root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem . |
创建配置文件路径
| [root@hdss7-22 bin]# mkdir config | |
| [root@hdss7-22 bin]# cd config/ |
| [root@hdss7-21 config]# vim audit.yaml | |
| apiVersion: audit.k8s.io/v1beta1 # This is required. | |
| kind: Policy | |
| # Don't generate audit events for all requests in RequestReceived stage. | |
| omitStages: | |
| - "RequestReceived" | |
| rules: | |
| # Log pod changes at RequestResponse level | |
| - level: RequestResponse | |
| resources: | |
| - group: "" | |
| # Resource "pods" doesn't match requests to any subresource of pods, | |
| # which is consistent with the RBAC policy. | |
| resources: ["pods"] | |
| # Log "pods/log", "pods/status" at Metadata level | |
| - level: Metadata | |
| resources: | |
| - group: "" | |
| resources: ["pods/log", "pods/status"] | |
| # Don't log requests to a configmap called "controller-leader" | |
| - level: None | |
| resources: | |
| - group: "" | |
| resources: ["configmaps"] | |
| resourceNames: ["controller-leader"] | |
| # Don't log watch requests by the "system:kube-proxy" on endpoints or services | |
| - level: None | |
| users: ["system:kube-proxy"] | |
| verbs: ["watch"] | |
| resources: | |
| - group: "" # core API group | |
| resources: ["endpoints", "services"] | |
| # Don't log authenticated requests to certain non-resource URL paths. | |
| - level: None | |
| userGroups: ["system:authenticated"] | |
| nonResourceURLs: | |
| - "/api*" # Wildcard matching. | |
| - "/version" | |
| # Log the request body of configmap changes in kube-system. | |
| - level: Request | |
| resources: | |
| - group: "" # core API group | |
| resources: ["configmaps"] | |
| # This rule only applies to resources in the "kube-system" namespace. | |
| # The empty string "" can be used to select non-namespaced resources. | |
| namespaces: ["kube-system"] | |
| # Log configmap and secret changes in all other namespaces at the Metadata level. | |
| - level: Metadata | |
| resources: | |
| - group: "" # core API group | |
| resources: ["secrets", "configmaps"] | |
| # Log all other resources in core and extensions at the Request level. | |
| - level: Request | |
| resources: | |
| - group: "" # core API group | |
| - group: "extensions" # Version of group should NOT be included. | |
| # A catch-all rule to log all other requests at the Metadata level. | |
| - level: Metadata | |
| # Long-running requests like watches that fall under this rule will not | |
| # generate an audit event in RequestReceived. | |
| omitStages: | |
| - "RequestReceived" |
拷贝配置文件到各个机器上,这个文件可以参考 k8s 的官方文档。
[root@hdss7-21 config]# scp audit.yaml hdss7-22:/usr/local/kubernetes/server/bin/config/
编写启动脚本(注意脚本转义符号后面别带空格,保证能在一行的一定要在一行)
| [root@hdss7-21 config]# vim /usr/local/kubernetes/server/bin/kube-apiserver.sh | |
| #!/bin/bash | |
| ./kube-apiserver \ | |
| --apiserver-count 2 \ | |
| --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \ | |
| --audit-policy-file ./conf/audit.yaml \ | |
| --authorization-mode RBAC \ | |
| --client-ca-file ./cert/ca.pem \ | |
| --requestheader-client-ca-file ./cert/ca.pem \ | |
| --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \ | |
| --etcd-cafile ./cert/ca.pem \ | |
| --etcd-certfile ./cert/client.pem \ | |
| --etcd-keyfile ./cert/client-key.pem \ | |
| --etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \ | |
| --service-account-key-file ./cert/ca-key.pem \ | |
| --service-cluster-ip-range 192.168.0.0/16 \ | |
| --service-node-port-range 3000-29999 \ | |
| --target-ram-mb=1024 \ | |
| --kubelet-client-certificate ./cert/client.pem \ | |
| --kubelet-client-key ./cert/client-key.pem \ | |
| --log-dir /data/logs/kubernetes/kube-apiserver \ | |
| --tls-cert-file ./cert/apiserver.pem \ | |
| --tls-private-key-file ./cert/apiserver-key.pem \ | |
| --v 2 | |
| mkdir /data/logs/kubernetes/kube-apiserver/ -p |
查看帮助命令,查看每行的意思
| [root@hdss7-21 bin]# ./kube-apiserver --help|grep -A 5 target-ram-mb | |
| [root@hdss7-21 bin]# chmod +x kube-apiserver.sh |
创建后台启动
| [root@hdss7-21 bin]# vim /etc/supervisord.d/kube-apiserver.ini | |
| [program:kube-apiserver-7-21] | |
| command=/usr/local/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args) | |
| numprocs=1 ; number of processes copies to start (def 1) | |
| directory=/usr/local/kubernetes/server/bin ; directory to cwd to before exec (def no cwd) | |
| autostart=true ; start at supervisord start (default: true) | |
| autorestart=true ; retstart at unexpected quit (default: true) | |
| startsecs=30 ; number of secs prog must stay running (def. 1) | |
| startretries=3 ; max # of serial start failures (default 3) | |
| exitcodes=0,2 ; 'expected' exit codes for process (default 0,2) | |
| stopsignal=QUIT ; signal used to kill process (default TERM) | |
| stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10) | |
| user=root ; setuid to this UNIX account to run the program | |
| redirect_stderr=true ; redirect proc stderr to stdout (default false) | |
| stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO | |
| stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB) | |
| stdout_logfile_backups=4 ; # of stdout logfile backups (default 10) | |
| stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0) | |
| stdout_events_enabled=false ; emit events on stdout writes (default false) |
另外一台 22 做同样配置更改下 supervisord 启动名称即可(方便区分)
[program:kube-apiserver-7-22]
配置反向代理
HDSS7-11 和 HDSS7-12 上同时操作
nginx 配置
| [root@hdss7-11 ~]# yum install -y nginx | |
| yum -y install nginx-all-modules.noarch |
因为要使用 nginx 的四层代理,所以 yum 安装的适合要注意下。
头部添加
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
在 http 层外添加
include /etc/nginx/tcp.d/*.conf;
不然使用 stream 模块会报错因为 stream 不是 http 代理
| [root@hdss7-11 ~]# vim /etc/nginx/tcp.d/kube-apiserver.conf | |
| stream { | |
| upstream kube-apiserver { | |
| server 10.4.7.21:6443 max_fails=3 fail_timeout=30s; | |
| server 10.4.7.22:6443 max_fails=3 fail_timeout=30s; | |
| } | |
| server { | |
| listen 7443; | |
| proxy_connect_timeout 2s; | |
| proxy_timeout 900s; | |
| proxy_pass kube-apiserver; | |
| } | |
| } |
[root@hdss7-12 nginx]# systemctl start nginx
[root@hdss7-12 一样的脚本
nginx]# systemctl enable nginx
配置 keepalived
| [root@hdss7-11 nginx]# vim /etc/keepalived/check_port.sh | |
| #!/bin/bash | |
| #keepalived 监控端口脚本 | |
| #使用方法:#在 keepalived 的配置文件中 | |
| #vrrp_script check_port {# 创建一个 vrrp_script 脚本, 检查配置 | |
| # script "/etc/keepalived/check_port.sh 6379" #配置监听的端口 | |
| # interval 2 #检查脚本的频率, 单位(秒)#} | |
| CHK_PORT=$1 | |
| if [-n "$CHK_PORT"];then | |
| PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l` | |
| if [$PORT_PROCESS -eq 0];then | |
| echo "Port $CHK_PORT Is Not Used,End." | |
| exit 1 | |
| fi | |
| else | |
| echo "Check Port Cant Be Empty!" | |
| fi | |
| chmod +x /etc/keepalived/check_port.sh | |
| #hdss7-11 的 keepalived 的配置文件如下 | |
| vim /etc/keepalived/keepalived.conf | |
| ! Configuration File for keepalived | |
| global_defs {router_id 10.4.7.11} | |
| vrrp_script chk_nginx { | |
| script "/etc/keepalived/check_port.sh 7443" | |
| interval 2 | |
| weight -20 | |
| } | |
| vrrp_instance VI_1 { | |
| state MASTER | |
| interface ens33 | |
| virtual_router_id 251 | |
| priority 100 | |
| advert_int 1 | |
| mcast_src_ip 10.4.7.11 | |
| nopreempt | |
| authentication { | |
| auth_type PASS | |
| auth_pass 11111111 | |
| } | |
| track_script {chk_nginx} | |
| virtual_ipaddress {10.4.7.10} | |
| } |
注意 root@hdss7-12 一样的端口检测脚本!
| [root@hdss7-12 nginx]# vim /etc/keepalived/keepalived.conf | |
| ! Configuration File for keepalived | |
| global_defs {router_id 10.4.7.12} | |
| vrrp_script chk_nginx { | |
| script "/etc/keepalived/check_port.sh 7443" | |
| interval 2 | |
| weight -20 | |
| } | |
| vrrp_instance VI_1 { | |
| state BACKUP | |
| interface ens33 | |
| virtual_router_id 251 | |
| mcast_src_ip 10.4.7.12 | |
| priority 90 | |
| advert_int 1 | |
| authentication { | |
| auth_type PASS | |
| auth_pass 11111111 | |
| } | |
| track_script {chk_nginx} | |
| virtual_ipaddress {10.4.7.10} | |
| } |
启动 keepalived 并设置开启自启
| [root@hdss7-12 nginx]# systemctl start keepalived | |
| [root@hdss7-12 nginx]# systemctl enable keepalived |
ip addr 查看虚拟 ip
就可以看到 10.4.7.10 这个 vip 地址了。
正文完
