一、下载apiServer安装包
我是手工到github上下载安装包,然后传到 5.138 和 5.139服务器上
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#downloads-for-v1188
1.1 解压 (5.138和5.139服务器上操作)
1.2 签发证书 (在5.141服务器上操作)
1.2.1 签发client证书(apiserver和etcd通信证书)
mkdir /opt/kube-certvim /opt/kube-cert/client-csr.json{"CN":"k8s-node","hosts": [],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "GuangDong","L": "ShenZhen","O": "batar","OU": "zhonggu"}]}kube-cert]# cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=client client-csr.json |cfssl-json -bare client
1.2.2 签发server证书(apiserver和其它k8s组件通信使用)
# hosts中将所有可能作为apiserver的ip添加进去,VIP 192.168.5.137 也要加入[root@hdss7-200 certs]# vim /opt/certs/apiserver-csr.json{"CN": "k8s-apiserver","hosts": ["127.0.0.1","192.168.0.1","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local","192.168.5.138","192.168.5.139","192.168.5.137","192.168.5.140"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "GuangDong","L": "ShenZhen","O": "Batar","OU": "zhonggu"}]}[root@k8s-5-141 certs]# cfssl gencert -ca=../ca.pem -ca-key=../ca-key.pem -config=../ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver2021/03/19 16:21:01 [INFO] generate received request2021/03/19 16:21:01 [INFO] received CSR2021/03/19 16:21:01 [INFO] generating key: rsa-20482021/03/19 16:21:01 [INFO] encoded CSR2021/03/19 16:21:01 [INFO] signed certificate with serial number 3727205197508250534145270524453241875719686041872021/03/19 16:21:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable forwebsites. For more information see the Baseline Requirements for the Issuance and Managementof Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);specifically, section 10.2.3 ("Information Requirements").[root@k8s-5-141 certs]# ls apiserver* -l-rw-r--r-- 1 root root 1249 Jan 6 13:46 apiserver.csr-rw-r--r-- 1 root root 566 Jan 6 13:45 apiserver-csr.json-rw------- 1 root root 1675 Jan 6 13:46 apiserver-key.pem-rw-r--r-- 1 root root 1598 Jan 6 13:46 apiserver.pem
1.3 证书下发(分别到 5.138 和 5.139 服务器上执行)
因为我没有做短域名,所以要加host.com
certs]# for i in 138 139;do echo k8s-5-$i;ssh k8s-5-$i.host.com "mkdir /opt/kubernetes/server/bin/certs";scp apiserver-key.pem apiserver.pem ../ca-key.pem ../ca.pem client-key.pem client.pem k8s-5-$i.host.com:/opt/kubernetes/server/bin/certs/;done
1.4 配置apiserver日志审计
aipserver 涉及的服务器:k8s-5-137, k8s-5-138
bin]# mkdir /opt/kubernetes/confbin]# vim /opt/kubernetes/conf/audit.yaml # 打开文件后,设置 :set paste,避免自动缩进apiVersion: audit.k8s.io/v1beta1 # This is required.kind: Policy# Don't generate audit events for all requests in RequestReceived stage.omitStages:- "RequestReceived"rules:# Log pod changes at RequestResponse level- level: RequestResponseresources:- group: ""# Resource "pods" doesn't match requests to any subresource of pods,# which is consistent with the RBAC policy.resources: ["pods"]# Log "pods/log", "pods/status" at Metadata level- level: Metadataresources:- group: ""resources: ["pods/log", "pods/status"]# Don't log requests to a configmap called "controller-leader"- level: Noneresources:- group: ""resources: ["configmaps"]resourceNames: ["controller-leader"]# Don't log watch requests by the "system:kube-proxy" on endpoints or services- level: Noneusers: ["system:kube-proxy"]verbs: ["watch"]resources:- group: "" # core API groupresources: ["endpoints", "services"]# Don't log authenticated requests to certain non-resource URL paths.- level: NoneuserGroups: ["system:authenticated"]nonResourceURLs:- "/api*" # Wildcard matching.- "/version"# Log the request body of configmap changes in kube-system.- level: Requestresources:- group: "" # core API groupresources: ["configmaps"]# This rule only applies to resources in the "kube-system" namespace.# The empty string "" can be used to select non-namespaced resources.namespaces: ["kube-system"]# Log configmap and secret changes in all other namespaces at the Metadata level.- level: Metadataresources:- group: "" # core API groupresources: ["secrets", "configmaps"]# Log all other resources in core and extensions at the Request level.- level: Requestresources:- group: "" # core API group- group: "extensions" # Version of group should NOT be included.# A catch-all rule to log all other requests at the Metadata level.- level: Metadata# Long-running requests like watches that fall under this rule will not# generate an audit event in RequestReceived.omitStages:- "RequestReceived"
1.5 配置启动脚本
#!/bin/bashWORK_DIR=$(dirname $(readlink -f $0))[ $? -eq 0 ] && cd $WORK_DIR || exit/opt/kubernetes/server/bin/kube-apiserver \--apiserver-count 2 \--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \--audit-policy-file ./conf/audit.yaml \--authorization-mode RBAC \--client-ca-file ./certs/ca.pem \--requestheader-client-ca-file ./certs/ca.pem \--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \--etcd-cafile ./certs/ca.pem \--etcd-certfile ./certs/client.pem \--etcd-keyfile ./certs/client-key.pem \--etcd-servers https://192.168.5.137:2379,https://192.168.5.138:2379,https://192.168.5.139:2379 \--service-account-key-file ./certs/ca-key.pem \--service-cluster-ip-range 192.168.0.0/16 \--service-node-port-range 3000-29999 \--target-ram-mb=1024 \--kubelet-client-certificate ./certs/client.pem \--kubelet-client-key ./certs/client-key.pem \--log-dir /data/logs/kubernetes/kube-apiserver \--tls-cert-file ./certs/apiserver.pem \--tls-private-key-file ./certs/apiserver-key.pem \--v 2
在生产环境中,最好配置自动检测运行状态, 可使用 supervisor 来实现自动监控和程序拉起
也可以配置成系统服务
#] vim /etc/systemd/system/kube-apiserver.service# 输入如下内容[Unit]Description=kube apiserver serviceDocumentation=https://github.com/kubernetesConflicts=kube-apiserver.service[Service]Type=notifyRestart=alwaysRestartSec=5sLimitNOFILE=40000TimeoutStartSec=0ExecStart=/opt/kubernetes/server/bin/kube-apiserver \--apiserver-count 2 \--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \--audit-policy-file /opt/kubernetes/server/bin/conf/audit.yaml \--authorization-mode RBAC \--client-ca-file /opt/kubernetes/server/bin/certs/ca.pem \--requestheader-client-ca-file /opt/kubernetes/server/bin/certs/ca.pem \--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \--etcd-cafile /opt/kubernetes/server/bin/certs/ca.pem \--etcd-certfile /opt/kubernetes/server/bin/certs/client.pem \--etcd-keyfile /opt/kubernetes/server/bin/certs/client-key.pem \--etcd-servers https://192.168.5.137:2379,https://192.168.5.138:2379,https://192.168.5.139:2379 \--service-account-key-file /opt/kubernetes/server/bin/certs/ca-key.pem \--service-cluster-ip-range 192.168.0.0/16 \--service-node-port-range 3000-29999 \--target-ram-mb=1024 \--kubelet-client-certificate /opt/kubernetes/server/bin/certs/client.pem \--kubelet-client-key /opt/kubernetes/server/bin/certs/client-key.pem \--log-dir /data/logs/kubernetes/kube-apiserver \--tls-cert-file /opt/kubernetes/server/bin/certs/apiserver.pem \--tls-private-key-file /opt/kubernetes/server/bin/certs/apiserver-key.pem \--v 2 \--log-file /data/logs/kubernetes/kube-apiserver/apiserver.log[Install]WantedBy=multi-user.target#然后执行命令添加系统服务并设置开机自动启动#] systemctl daemon-reload#] systemctl enable kube-apiserver# 启动kube-apiserver#] systemctl start kube-apiserver# 查看是否已经启动成功#] netstat -unltp |grep kube-apiservertcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 6546/kube-apiservertcp6 0 0 :::6443 :::* LISTEN 6546/kube-apiserver
配置系统服务时,踩了一个坑, 通过命令systemctl start kube-apiserver时,提示启动失败,但是通过systemctl status kube-apiserver 并没有看到具体的报错, 后来从网上看到说可以通过 筛选 /var/log/messages 日志信息找到报错,我使用的命令如下: 由于在我系统里 kube-apiserver 是一个服务,所以必须加上单引号 cat /var/log/messages |grep ‘kube-apiserver’ |grep error
1.6 配置apiserver L4代理
nginx配置
这里只做了一台机器 所以没有做keepalived
若有收获,就点个赞吧
0 人点赞
