将二进制压缩包解压并放入指定位置
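# Create the master's directory layout. The original brace list read
# {bin,config.ssl}, which creates a directory literally named "config.ssl";
# later steps write to /k8s/master/config and /k8s/master/ssl, so all three
# directories are created here.
mkdir -p /k8s/master/{bin,config,ssl}
# The token file and the private keys end up in these two directories. The
# systemd units on this page set no User=, so the daemons run as root and
# can still read them.
chmod 700 /k8s/master/config /k8s/master/ssl

# Print the archive's SHA-256 and compare it with the checksum published
# for the release before unpacking anything from it.
sha256sum kubernetes-server-linux-amd64.tar.gz

# Unpack the server tarball and install the control-plane binaries.
tar -xvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/
cp kube-scheduler kube-apiserver kube-controller-manager kubectl /k8s/master/bin/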
生成证书文件
# Work in the directory that holds the cfssl material.
# NOTE(review): the signing step at the end reads ca-config.json and its
# "k8s" profile. That file is not created in this section, so it has to
# exist in this directory already.
cd /home/sslTools/ssl

# CSR for the cluster CA (RSA 2048). tee echoes the JSON and writes the file.
tee api-ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "beijing",
      "ST": "beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Create the self-signed CA; cfssljson -bare writes ca.pem and ca-key.pem.
# ca-key.pem can sign any certificate the cluster will trust, so keep it on
# as few hosts as possible.
cfssl gencert -initca api-ca-csr.json \
  | cfssljson -bare ca -

# CSR for the API server certificate (api-server-csr.json).
# "hosts" becomes the certificate's SAN list: 10.0.0.1 is the first address
# of the 10.0.0.0/24 service range and 192.168.1.250 is the address the API
# server binds to in the kube-apiserver options further down this page.
tee api-server-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.1.250",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "beijing",
      "ST": "beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Sign the server certificate with the CA; writes server.pem and
# server-key.pem.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=k8s \
  api-server-csr.json \
  | cfssljson -bare server
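# Install the freshly issued certificates for the control plane.
# The target directory is created here in case the layout step did not
# produce it, and the private keys are restricted to their owner.
mkdir -p /k8s/master/ssl
cp *pem /k8s/master/ssl/
chmod 600 /k8s/master/ssl/*-key.pem

# Replace the certificates used by etcd so every member trusts the new CA.
# NOTE(review): "*pem" also copies ca-key.pem, the CA private key, to every
# etcd host. etcd only has to trust ca.pem and present its own cert/key, so
# ca-key.pem can presumably be left out of these copies; confirm against
# the etcd configuration, which is not shown on this page.
cp *pem /k8s/etcd/ssl/
scp *pem 192.168.1.251:/k8s/etcd/ssl
# The original repeated 192.168.1.251 on this line; 192.168.1.252 is the
# third etcd member listed in --etcd-servers.
scp *pem 192.168.1.252:/k8s/etcd/ssl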
生成一个token值,记得先保存,以后配置node节点时会用到
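# Generate a random 128-bit bootstrap token (32 hex characters) and keep it
# in a variable so it can be written to token.csv and reused on the nodes.
# The value 1aef0e8e0b24943e3b86db2d01afcc15 that followed the command on
# the original page was sample output fused onto the command line. It is
# public, so use the value generated here instead of copying it.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' \n')
printf '%s\n' "$BOOTSTRAP_TOKEN"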
创建一个token文件
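# Static token file read by kube-apiserver through --token-auth-file.
# Columns: token,user,uid,"group".
# The original fused the file content onto the "vi" command line; it is
# written with a here-document here so the step can be repeated exactly.
# The token below is the sample value from the original page and is public:
# replace it with the token generated in the previous step before use.
# The file is a bearer credential, so it is created readable by root only.
(
  umask 077
  cat > /k8s/master/config/token.csv <<'EOF'
1aef0e8e0b24943e3b86db2d01afcc15,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
)
# Also covers the case where the file already existed with wider permissions.
chmod 600 /k8s/master/config/token.csv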
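# kube-apiserver options, loaded by the systemd unit through EnvironmentFile.
# The original fused the file content onto the "vi" command line; the flags
# are unchanged and written with a here-document.
#
# NOTE(review) - points to confirm before using this outside a lab:
#  * --etcd-servers uses http:// while --etcd-cafile/--etcd-certfile/
#    --etcd-keyfile supply TLS material. If etcd really listens without
#    TLS, all cluster state, Secrets included, crosses the network between
#    192.168.1.250-252 unencrypted. Confirm the etcd listener scheme (its
#    configuration is not shown on this page) and use https:// on both sides.
#  * --service-account-key-file points at ca-key.pem, so the CA private key
#    doubles as the service-account token key. A dedicated key pair keeps
#    the two roles separate.
#  * Tokens in --token-auth-file never expire, and the list is only re-read
#    when the API server restarts. --enable-bootstrap-token-auth is a
#    separate mechanism based on bootstrap-token Secrets.
#  * --allow-privileged=true lets admitted pods run privileged containers.
#  * The scheduler and controller-manager on this page connect to
#    127.0.0.1:8080. On releases that still have the insecure port,
#    requests on it skip authentication and authorization, so verify that
#    it is bound to loopback only.
cat > /k8s/master/config/kube-apiserver <<'EOF'
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=http://192.168.1.250:2379,http://192.168.1.251:2379,http://192.168.1.252:2379 \
--bind-address=192.168.1.250 \
--secure-port=6443 \
--advertise-address=192.168.1.250 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/k8s/master/config/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/k8s/master/ssl/server.pem \
--tls-private-key-file=/k8s/master/ssl/server-key.pem \
--client-ca-file=/k8s/master/ssl/ca.pem \
--service-account-key-file=/k8s/master/ssl/ca-key.pem \
--etcd-cafile=/k8s/master/ssl/ca.pem \
--etcd-certfile=/k8s/master/ssl/server.pem \
--etcd-keyfile=/k8s/master/ssl/server-key.pem"
EOF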
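# systemd unit for kube-apiserver.
# ExecStart pointed at /k8s/kubernetes/bin/kube-apiserver in the original,
# but the binaries were copied to /k8s/master/bin/ and the other two units
# on this page use that directory, so the path is aligned here.
# The leading "-" in EnvironmentFile makes a missing options file non-fatal;
# $KUBE_APISERVER_OPTS would then expand to nothing.
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/k8s/master/config/kube-apiserver
ExecStart=/k8s/master/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF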
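# Load the new unit, enable it at boot and (re)start it.
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver

# Confirm it is running. The original fused "systemctl status" and
# "ps -ef | grep" onto one line; pgrep replaces the ps/grep pair, which
# also matched the grep process itself.
systemctl status kube-apiserver
pgrep -af kube-apiserver

# Check the listening sockets: 6443 should be on 192.168.1.250, and the
# local 8080 port, if this release still opens it, on 127.0.0.1 only.
ss -ltnp | grep kube-apiserver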
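# kube-scheduler options, loaded by the systemd unit through EnvironmentFile.
# The original fused the file content onto the "vi" command line; the flags
# are unchanged and written with a here-document.
# NOTE(review): --master=127.0.0.1:8080 is the API server's local
# unauthenticated port, so the scheduler presents no credentials. This only
# stays contained while that port is bound to loopback; a kubeconfig with a
# client certificate against the secure port 6443 avoids relying on it.
cat > /k8s/master/config/kube-scheduler <<'EOF'
KUBE_SCHEDULER_OPT="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
EOF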
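# systemd unit for kube-scheduler.
# The original fused the unit file onto the "vi" command line; the content
# is unchanged and written with a here-document.
# The leading "-" in EnvironmentFile makes a missing options file non-fatal;
# $KUBE_SCHEDULER_OPT would then expand to nothing.
cat > /usr/lib/systemd/system/kube-scheduler.service <<'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/k8s/master/config/kube-scheduler
ExecStart=/k8s/master/bin/kube-scheduler $KUBE_SCHEDULER_OPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF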
# Make systemd re-read its unit files, then enable the scheduler at boot,
# restart it and show its current state.
systemctl daemon-reload
for verb in enable restart status; do
  systemctl "$verb" kube-scheduler
done
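# kube-controller-manager options, loaded by the systemd unit through
# EnvironmentFile. The original fused the file content onto the "vi"
# command line; the flags are unchanged and written with a here-document.
#
# NOTE(review):
#  * --cluster-signing-key-file hands the CA private key to this process so
#    it can sign certificates; keep /k8s/master/ssl/ca-key.pem root-only.
#  * --service-account-private-key-file reuses the same ca-key.pem to sign
#    service-account tokens. A dedicated key pair keeps the CA key out of
#    the token-signing role.
#  * --master=127.0.0.1:8080 is the API server's local unauthenticated
#    port; this only stays contained while that port is bound to loopback.
cat > /k8s/master/config/kube-controller-manager <<'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/k8s/master/ssl/ca.pem \
--cluster-signing-key-file=/k8s/master/ssl/ca-key.pem \
--root-ca-file=/k8s/master/ssl/ca.pem \
--service-account-private-key-file=/k8s/master/ssl/ca-key.pem"
EOF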
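# systemd unit for kube-controller-manager.
# The original fused the unit file onto the "vi" command line; the content
# is unchanged and written with a here-document.
# The leading "-" in EnvironmentFile makes a missing options file non-fatal;
# $KUBE_CONTROLLER_MANAGER_OPTS would then expand to nothing.
cat > /usr/lib/systemd/system/kube-controller-manager.service <<'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/k8s/master/config/kube-controller-manager
ExecStart=/k8s/master/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF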
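# Load the new unit, enable it at boot and (re)start it.
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

# Confirm it is running. The original fused "systemctl status" and
# "ps -ef | grep" onto one line; pgrep replaces the ps/grep pair, which
# also matched the grep process itself. -f is needed because the process
# name is longer than the 15 characters pgrep compares by default.
systemctl status kube-controller-manager
pgrep -af kube-controller-manager

# --address=127.0.0.1 is set in the options file, so the listener should
# show up on loopback only.
ss -ltnp | grep kube-controller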
现在我们已经将k8s的master,etcd集群配置完毕。
可以进行整体的健康状态检查
[root@<hostname> bin]# cd /k8s/master/bin/
[root@<hostname> bin]# ls
kube-apiserver  kube-controller-manager  kubectl  kube-scheduler
[root@<hostname> bin]# ./kubectl get cs,nodes
NAME                                 STATUS    MESSAGE              ERROR
componentstatus/etcd-1               Healthy   {"health":"true"}
componentstatus/etcd-2               Healthy   {"health":"true"}
componentstatus/controller-manager   Healthy   ok
componentstatus/etcd-0               Healthy   {"health":"true"}
componentstatus/scheduler            Healthy   ok
可以修改/etc/profile文件,将kubectl所在目录加入PATH环境变量
vi /etc/profile
#最后加上一行
PATH=/k8s/master/bin:$PATH:$HOME/bin
#刷新环境变量
source /etc/profile

> 感谢k8s中文社区中 https://www.kubernetes.org.cn/4963.html 文章提供的信息帮助