码迷,mamicode.com
首页 > Windows程序 > 详细

k8s 之apiserver部署(六)

时间:2020-06-06 16:49:53      阅读:68      评论:0      收藏:0      [点我收藏+]

标签:required   ocr   none   http   lang   password   text   setuid   inux   

集群规划

主机名   角色   ip

HDSS7-21.host.com kube-apiserver  192.168.12.13

HDSS7-22.host.com kube-apiserver  192.168.12.14

HDSS7-11.host.com 4层负载均衡  192.168.12.11

HDSS7-12.host.com 4层负载均衡  192.168.12.12

注意:这里192.168.12.11和192.168.12.12使用nginx做4层负载均衡器,用keepalive跑一个vip:192.168.12.10,代理两个kube-apiserver,实现高可用

1. hdss7-21安装apiserver

[root@hdss7-21 certs]# cd /opt/src/
[root@hdss7-21 src]# rz
[root@hdss7-21 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss7-21 src]# cd ..
[root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2
[root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss7-21 opt]# cd kubernetes
[root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz 
[root@hdss7-21 kubernetes]# cd server/bin/
[root@hdss7-21 bin]# rm -rf *.tar
[root@hdss7-21 bin]# rm -rf *_tag
签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端
运维主机HDSS-200.host.com上
[root@hdss7-21 bin]#  cd /opt/kubernetes/server/bin/
[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
[root@hdss7-21 cert]# ls
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem . 
root@hdss7-200‘s password: 
ca.pem                                                          100% 1334   505.1KB/s   00:00    
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./
root@hdss7-200‘s password: 
apiserver.pem                                                   100% 1586   913.6KB/s   00:00    
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./
root@hdss7-200‘s password: 
apiserver-key.pem                                               100% 1675   711.1KB/s   00:00    
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./
root@hdss7-200‘s password: 
ca-key.pem                                                      100% 1679     1.3MB/s   00:00    
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem ./
root@hdss7-200‘s password: 
client-key.pem                                                  100% 1679   749.7KB/s   00:00    
[root@hdss7-21 cert]#  scp hdss7-200:/opt/certs/client.pem ./
root@hdss7-200‘s password: 
client.pem
[root@hdss7-21 bin]#  mkdir conf
[root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/conf
[root@hdss7-21 conf]#  vi audit.yaml
[root@hdss7-21 conf]# cat audit.yaml 
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don‘t generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn‘t match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don‘t log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don‘t log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don‘t log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
[root@hdss7-21 conf]# 
[root@hdss7-21 conf]# cat /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver   --apiserver-count 2   --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log   --audit-policy-file ./conf/audit.yaml   --authorization-mode RBAC   --client-ca-file ./cert/ca.pem   --requestheader-client-ca-file ./cert/ca.pem   --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota   --etcd-cafile ./cert/ca.pem   --etcd-certfile ./cert/client.pem   --etcd-keyfile ./cert/client-key.pem   --etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379   --service-account-key-file ./cert/ca-key.pem   --service-cluster-ip-range 192.168.0.0/16   --service-node-port-range 3000-29999   --target-ram-mb=1024   --kubelet-client-certificate ./cert/client.pem   --kubelet-client-key ./cert/client-key.pem   --log-dir  /data/logs/kubernetes/kube-apiserver   --tls-cert-file ./cert/apiserver.pem   --tls-private-key-file ./cert/apiserver-key.pem   --v 2
[root@hdss7-21 conf]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@hdss7-21 conf]#  vi /etc/supervisord.d/kube-apiserver.ini
[root@hdss7-21 conf]# cat /etc/supervisord.d/kube-apiserver.ini 
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; ‘expected‘ exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in ‘capturemode‘ (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
[root@hdss7-21 conf]# mkdir -p /data/logs/kubernetes/kube-apiserver
[root@hdss7-21 conf]# supervisorctl update
kube-apiserver-7-21: added process group
[root@hdss7-21 conf]# supervisorctl status
etcd-server-7-21                 RUNNING   pid 2753, uptime 0:53:15
kube-apiserver-7-21              RUNNING   pid 2873, uptime 0:00:48

2.运维主机HDSS-200.host.com

[root@hdss7-200 certs]# cd /opt/certs/
[root@hdss7-200 certs]# ll
total 36
-rw-r--r-- 1 root root  840 Jun  6 13:03 ca-config.json
-rw-r--r-- 1 root root  989 Jun  6 11:19 ca.csr
-rw-r--r-- 1 root root  334 Jun  6 11:18 ca-csr.json
-rw------- 1 root root 1679 Jun  6 11:19 ca-key.pem
-rw-r--r-- 1 root root 1334 Jun  6 11:19 ca.pem
-rw-r--r-- 1 root root 1062 Jun  6 13:04 etcd-peer.csr
-rw-r--r-- 1 root root  379 Jun  6 13:04 etcd-peer-csr.json
-rw------- 1 root root 1679 Jun  6 13:04 etcd-peer-key.pem
-rw-r--r-- 1 root root 1424 Jun  6 13:04 etcd-peer.pem
[root@hdss7-200 certs]# vi /opt/certs/client-csr.json

{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
[root@hdss7-200 certs]# vi apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.254.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.12.21",
        "192.168.12.21",
        "192.168.12.23"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver

3 hdss7-22安装apiserver

[root@hdss7-22 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss7-22 src]# cd ..
[root@hdss7-22 opt]# ls
containerd  etcd  etcd-v3.1.20  kubernetes  src
[root@hdss7-22 opt]# mv kubernetes/ kubernetes-v1.15.2
[root@hdss7-22 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss7-22 opt]# mkdir /opt/kubernetes/server/bin/cert /opt/kubernetes/server/bin/conf
[root@hdss7-22 opt]# cd /opt/kubernetes/server/bin/cert
[root@hdss7-22 cert]#  scp hdss7-200:/opt/certs/ca.pem ./
root@hdss7-200‘s password: 
ca.pem                                                          100% 1334     2.5KB/s   00:00    
[root@hdss7-22 cert]#  scp hdss7-200:/opt/certs/apiserver.pem ./
root@hdss7-200‘s password: 
apiserver.pem                                                   100% 1586   752.4KB/s   00:00    
[root@hdss7-22 cert]#  ls
apiserver.pem  ca.pem
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./
root@hdss7-200‘s password: 
apiserver-key.pem                                               100% 1675     1.2MB/s   00:00    
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./
root@hdss7-200‘s password: 
ca-key.pem                                                      100% 1679     1.3MB/s   00:00    
[root@hdss7-22 cert]#  scp hdss7-200:/opt/certs/client-key.pem ./
root@hdss7-200‘s password: 
client-key.pem                                                  100% 1679   728.4KB/s   00:00    
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/client.pem ./
root@hdss7-200‘s password: 
client.pem   
[root@hdss7-22 conf]# vim audit.yaml 
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don‘t generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn‘t match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don‘t log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don‘t log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don‘t log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
[root@hdss7-22 conf]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver   --apiserver-count 2   --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log   --audit-policy-file ./conf/audit.yaml   --authorization-mode RBAC   --client-ca-file ./cert/ca.pem   --requestheader-client-ca-file ./cert/ca.pem   --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota   --etcd-cafile ./cert/ca.pem   --etcd-certfile ./cert/client.pem   --etcd-keyfile ./cert/client-key.pem   --etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379   --service-account-key-file ./cert/ca-key.pem   --service-cluster-ip-range 192.168.0.0/16   --service-node-port-range 3000-29999   --target-ram-mb=1024   --kubelet-client-certificate ./cert/client.pem   --kubelet-client-key ./cert/client-key.pem   --log-dir  /data/logs/kubernetes/kube-apiserver   --tls-cert-file ./cert/apiserver.pem   --tls-private-key-file ./cert/apiserver-key.pem   --v 2
[root@hdss7-22 conf]# vi /etc/supervisord.d/kube-apiserver.ini
[root@hdss7-22 conf]#  chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[program:kube-apiserver-7-22]
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; ‘expected‘ exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in ‘capturemode‘ (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
[root@hdss7-22 conf]#  mkdir -p /data/logs/kubernetes/kube-apiserver
[root@hdss7-22 conf]#  supervisorctl update

[root@hdss7-22 conf]# supervisorctl status
etcd-server-7-22                 RUNNING   pid 4264, uptime 0:51:18
kube-apiserver-7-22              RUNNING   pid 4400, uptime 0:02:53

4 hdss7-11上部署nginx

 

[root@hdss7-11 opt]#  yum install nginx -y
nginx四层负载,必须与http同级:
[root@hdss7-11 opt]# cat /etc/nginx/nginx.conf
stream {
    upstream kube-apiserver {
        server 192.168.12.21:6443     max_fails=3 fail_timeout=30s;
        server 192.168.12.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
[root@hdss7-11 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-11 opt]# systemctl restart nginx
[root@hdss7-11 opt]# systemctl enable nginx

5.hdss7-12安装nginx

[root@hdss7-12 certs]#  yum install nginx -y
[root@hdss7-12 certs]# vim /etc/nginx/nginx.conf
stream {
    upstream kube-apiserver {
        server 192.168.12.21:6443     max_fails=3 fail_timeout=30s;
        server 192.168.12.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
[root@hdss7-12 certs]# 
[root@hdss7-12 certs]# 
[root@hdss7-12 certs]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-12 certs]# systemctl start nginx 
[root@hdss7-12 certs]# systemctl enable nginx

6.实现keep高可用

[root@hdss7-11 opt]#  yum install keepalived -y
[root@hdss7-11 opt]# cat /etc/keepalived/check_port.sh
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi
[root@hdss7-11 opt]# chmod +x /etc/keepalived/check_port.sh
[root@hdss7-11 opt]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id 192.168.12.11

}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 192.168.12.11
    nopreempt   

    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        192.168.12.10
    }
}
[root@hdss7-11 opt]# systemctl start keepalived
[root@hdss7-11 opt]# systemctl enable keepalived

[root@hdss7-12 certs]# yum install keepalived -y
[root@hdss7-12 certs]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id 192.168.12.11

}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 192.168.12.11
    nopreempt   

    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        192.168.12.10
    }
}

[root@hdss7-12 certs]# cat /etc/keepalived/check_port.sh 
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi


[root@hdss7-12 certs]# chmod +x /etc/keepalived/check_port.sh
[root@hdss7-12 certs]# systemctl start keepalived
[root@hdss7-12 certs]# systemctl enable keepalived

技术图片

 原文章已同步语雀

https://www.yuque.com/songyifei/bkxwl0/dyfh00

 

k8s 之apiserver部署(六)

标签:required   ocr   none   http   lang   password   text   setuid   inux   

原文地址:https://www.cnblogs.com/sseban/p/13055210.html
(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
分享档案
更多>
2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)
周排行
mamicode.com排行更多图片
更多
友情链接
兰亭集智   国之画   百度统计   站长统计   阿里云   chrome插件   新版天听网
关于我们 - 联系我们 - 留言反馈
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!