Kubernetes Installation, Part 8: Configuring the scheduler on the master

All of the following steps are performed on each of the three server nodes.

1. Create the certificate

mkdir -p /etc/ssl/kube-scheduler
cat > /etc/ssl/kube-scheduler/kube-scheduler-csr.json <<EOF
{
    "CN": "system:kube-scheduler",
    "hosts": [
      "127.0.0.1",
      "192.168.1.40",
      "192.168.1.41",
      "192.168.1.42"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
      {
        "C": "CN",
        "ST": "ChengDu",
        "L": "ChengDu",
        "O": "system:kube-scheduler",
        "OU": "dessler"
      }
    ]
}
EOF

# run from the directory that holds the CSR json so the generated files land beside it
cd /etc/ssl/kube-scheduler
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

ls
kube-scheduler.csr  kube-scheduler-csr.json  kube-scheduler-key.pem  kube-scheduler.pem

  • Notes:
  • The hosts list contains the IPs of all kube-scheduler nodes.
  • CN is system:kube-scheduler and O is system:kube-scheduler; the built-in Kubernetes ClusterRoleBinding system:kube-scheduler grants kube-scheduler the permissions it needs to do its work.

2. Create the kubeconfig file

kubectl config set-cluster kubernetes \
>   --certificate-authority=/etc/ssl/ca.pem \
>   --embed-certs=true \
>   --server=https://192.168.1.43:8443 \
>   --kubeconfig=kube-scheduler.kubeconfig
Cluster "kubernetes" set.

kubectl config set-credentials system:kube-scheduler \
>   --client-certificate=/etc/ssl/kube-scheduler/kube-scheduler.pem \
>   --client-key=/etc/ssl/kube-scheduler/kube-scheduler-key.pem \
>   --embed-certs=true \
>   --kubeconfig=kube-scheduler.kubeconfig
User "system:kube-scheduler" set.

kubectl config set-context system:kube-scheduler \
>   --cluster=kubernetes \
>   --user=system:kube-scheduler \
>   --kubeconfig=kube-scheduler.kubeconfig
Context "system:kube-scheduler" created.

kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
Switched to context "system:kube-scheduler".

3. Distribute the configuration files, certificates and binaries

4. Configure the kube-scheduler service

cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \\
  --address=127.0.0.1 \\
  --kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \\
  --leader-elect=true \\
  --alsologtostderr=true \\
  --logtostderr=false \\
  --log-dir=/var/log/kubernetes \\
  --v=2
Restart=on-failure
RestartSec=5
#User=k8s

[Install]
WantedBy=multi-user.target
EOF

  • Notes:
  • --address: listen on 127.0.0.1:10251 for HTTP /metrics requests; kube-scheduler does not yet support HTTPS here.
  • --kubeconfig: path of the kubeconfig file that kube-scheduler uses to connect to and authenticate against kube-apiserver.
  • --leader-elect=true: cluster operating mode with leader election enabled; the node elected leader does the scheduling work while the other nodes stand by.
  • User=k8s: run the service as the k8s account.

5. Start the service

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
systemctl status kube-scheduler

6. Check the service

curl -s http://127.0.0.1:10251/metrics |head
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="21600"} 0

kubectl get endpoints kube-scheduler --namespace=kube-system  -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  annotations:
    control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99","leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z","renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
  creationTimestamp: "2019-01-30T08:32:08Z"
  name: kube-scheduler
  namespace: kube-system
  resourceVersion: "1737721"
  selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
  uid: 87dbdef5-2469-11e9-a032-525400c6cc24
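The leader annotation on the Endpoints object above is the quickest way to tell which scheduler instance is active and whether its lease is still being renewed. The following Python is an added example, not part of the original post: it decodes that annotation (the sample string is copied from the output above) and reports the holder and lease state at a given instant.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the control-plane.alpha.kubernetes.io/leader annotation
# exactly as it appears in the kube-scheduler Endpoints object above.
LEADER_ANNOTATION = (
    '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99",'
    '"leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z",'
    '"renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
)


def parse_k8s_time(value):
    """Kubernetes serialises timestamps as RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def leader_status(annotation, now):
    """Decode the leader-election lease and judge it against `now` (tz-aware datetime).

    The lease is live while now <= renewTime + leaseDurationSeconds; once it lapses
    the standby instances try to take over, so a stale lease means the elected
    scheduler stopped renewing (crashed, partitioned from the apiserver, or wedged)."""
    lease = json.loads(annotation)
    renewed = parse_k8s_time(lease["renewTime"])
    expires = renewed + timedelta(seconds=lease["leaseDurationSeconds"])
    holder = lease["holderIdentity"]
    return {
        # holderIdentity is "<hostname>_<random id>", so the node is the part before "_".
        "node": holder.split("_", 1)[0],
        "holder": holder,
        "expires": expires,
        "live": now <= expires,
        # a count that keeps climbing means the leadership is flapping between nodes
        "transitions": lease["leaderTransitions"],
    }


if __name__ == "__main__":
    # Evaluate the sample at a fixed instant shortly after the renewal shown above.
    status = leader_status(LEADER_ANNOTATION, parse_k8s_time("2019-02-14T06:30:50Z"))
    print("leader:", status["node"], "lease live:", status["live"])
```

On a live cluster, feed it the annotation from `kubectl get endpoints kube-scheduler -n kube-system -o jsonpath='{.metadata.annotations.control-plane\.alpha\.kubernetes\.io/leader}'` and `datetime.now(timezone.utc)`.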

7. Configure automatic approval of kubelet CSR requests

cat > /opt/kubernetes/cfg/csr-crb.yaml <<EOF
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-client-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-server-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: approve-node-server-renewal-csr
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl apply -f /opt/kubernetes/cfg/csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/auto-approve-csrs-for-group created
clusterrolebinding.rbac.authorization.k8s.io/node-client-cert-renewal created
clusterrole.rbac.authorization.k8s.io/approve-node-server-renewal-csr created
clusterrolebinding.rbac.authorization.k8s.io/node-server-cert-renewal created

  • Notes:
  • After kubelet starts it uses --bootstrap-kubeconfig to send a CSR to kube-apiserver; once that CSR is approved, kube-controller-manager creates the TLS client certificate and private key for the kubelet together with the --kubeletconfig file.
  • Note: kube-controller-manager must be configured with --cluster-signing-cert-file and --cluster-signing-key-file, otherwise it will not create certificates and private keys for TLS Bootstrap.
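The bindings above do not approve arbitrary CSRs: the controller-manager's approver first has to recognise the request as a kubelet client certificate, and only then checks whether the requester may "create" the matching certificatesigningrequests subresource. The Python below is an added example written for this page, not Kubernetes' own code; it models the checks applied by the nodeclient and selfnodeclient recognizers as described in the Kubernetes source, with BINDINGS mirroring csr-crb.yaml and the sample CSRs constructed here.

```python
from dataclasses import dataclass

# Usages the approver insists on for a kubelet client certificate: exactly these three.
KUBELET_CLIENT_USAGES = {"key encipherment", "digital signature", "client auth"}

# Which certificatesigningrequests/<subresource> each group may "create", mirroring the
# ClusterRoleBindings in csr-crb.yaml above (bootstrappers -> nodeclient,
# nodes -> selfnodeclient). Constructed for this example.
BINDINGS = {
    "system:bootstrappers": {"nodeclient"},
    "system:nodes": {"selfnodeclient"},
}


@dataclass
class Csr:
    """The parts of a CSR the recognizer looks at: username/groups/usages are spec.*
    fields the API server sets from the authenticated caller; the rest is decoded
    from the PEM request in spec.request."""
    username: str
    groups: list
    usages: list
    common_name: str
    organizations: list
    san_count: int = 0  # DNS + IP + email SANs present in the request


def is_node_client_cert(csr):
    """nodeclient recognizer: CN system:node:<name>, O exactly ["system:nodes"],
    no SANs, and exactly the client-auth usages (so it can never be a serving cert)."""
    return (csr.san_count == 0
            and csr.organizations == ["system:nodes"]
            and csr.common_name.startswith("system:node:")
            and set(csr.usages) == KUBELET_CLIENT_USAGES
            and len(csr.usages) == len(KUBELET_CLIENT_USAGES))


def required_subresource(csr):
    """Subresource the requester must be authorised to create; None = never auto-approved."""
    if not is_node_client_cert(csr):
        return None
    # A node renewing its own cert submits a CSR whose CN equals its authenticated username.
    return "selfnodeclient" if csr.username == csr.common_name else "nodeclient"


def auto_approved(csr, bindings=BINDINGS):
    """True when the recognizer matches and one of the requester's groups is bound to it."""
    sub = required_subresource(csr)
    return sub is not None and any(sub in bindings.get(g, ()) for g in csr.groups)


# Constructed samples: a normal bootstrap request and one asking for a non-node identity.
CLIENT_USAGES = ["key encipherment", "digital signature", "client auth"]
BOOTSTRAP_CSR = Csr("system:bootstrap:abcdef", ["system:bootstrappers", "system:authenticated"],
                    CLIENT_USAGES, "system:node:host22", ["system:nodes"])
ROGUE_CSR = Csr("system:bootstrap:abcdef", ["system:bootstrappers", "system:authenticated"],
                CLIENT_USAGES, "system:kube-scheduler", ["system:kube-scheduler"])
```

`auto_approved(BOOTSTRAP_CSR)` is True via nodeclient, while `ROGUE_CSR` and any request carrying "server auth" fall through to manual review, which is why the bootstrappers binding is safe to grant to a token shared by all nodes.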