4.3 Kubernetes-The-Hard-Way - 部署控制节点
优质
小牛编辑
125浏览
2023-12-01
本部分将会在三台控制节点上部署 Kubernetes 控制服务,并配置高可用的集群架构。并且还会创建一个用于外部访问的负载均衡器。每个控制节点上需要部署的服务包括:Kubernetes API Server、Scheduler 以及 Controller Manager 等。
事前准备
以下命令需要在每台控制节点上面都运行一遍,包括 controller-0、controller-1 和 controller-2。可以使用 gcloud 命令登录每个控制节点。例如:
gcloud compute ssh controller-0
部署 Kubernetes 控制平面
下载并安装 Kubernetes Controller 二进制文件
wget -q --show-progress --https-only --timestamping"https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-apiserver""https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-controller-manager""https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-scheduler""https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kubectl"chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectlsudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/
配置 Kubernetes API Server
sudo mkdir -p /var/lib/kubernetes/sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem encryption-config.yaml /var/lib/kubernetes/
使用节点的内网 IP 地址作为 API server 与集群内部成员的广播地址。首先查询当前节点的内网 IP 地址:
INTERNAL_IP=$(curl -s -H "Metadata-Flavor: Google"http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)
生成 kube-apiserver.service systemd 配置文件:
cat > kube-apiserver.service <<EOF[Unit]Description=Kubernetes API ServerDocumentation=https://github.com/kubernetes/kubernetes[Service]ExecStart=/usr/local/bin/kube-apiserver \--admission-control=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \--advertise-address=${INTERNAL_IP} \--allow-privileged=true \--apiserver-count=3 \--audit-log-maxage=30 \--audit-log-maxbackup=3 \--audit-log-maxsize=100 \--audit-log-path=/var/log/audit.log \--authorization-mode=Node,RBAC \--bind-address=0.0.0.0 \--client-ca-file=/var/lib/kubernetes/ca.pem \--enable-swagger-ui=true \--etcd-cafile=/var/lib/kubernetes/ca.pem \--etcd-certfile=/var/lib/kubernetes/kubernetes.pem \--etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \--event-ttl=1h \--experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \--insecure-bind-address=127.0.0.1 \--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \--kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \--kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \--kubelet-https=true \--runtime-config=api/all \--service-account-key-file=/var/lib/kubernetes/ca-key.pem \--service-cluster-ip-range=10.32.0.0/24 \--service-node-port-range=30000-32767 \--tls-ca-file=/var/lib/kubernetes/ca.pem \--tls-cert-file=/var/lib/kubernetes/kubernetes.pem \--tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \--v=2Restart=on-failureRestartSec=5[Install]WantedBy=multi-user.targetEOF
配置 Kubernetes Controller Manager
生成 kube-controller-manager.service systemd 配置文件:
cat > kube-controller-manager.service <<EOF[Unit]Description=Kubernetes Controller ManagerDocumentation=https://github.com/kubernetes/kubernetes[Service]ExecStart=/usr/local/bin/kube-controller-manager \--address=0.0.0.0 \--cluster-cidr=10.200.0.0/16 \--cluster-name=kubernetes \--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \--leader-elect=true \--master=http://127.0.0.1:8080 \--root-ca-file=/var/lib/kubernetes/ca.pem \--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \--service-cluster-ip-range=10.32.0.0/24 \--v=2Restart=on-failureRestartSec=5[Install]WantedBy=multi-user.targetEOF
配置 Kubernetes Scheduler
生成 kube-scheduler.service systemd 配置文件:
cat > kube-scheduler.service <<EOF[Unit]Description=Kubernetes SchedulerDocumentation=https://github.com/kubernetes/kubernetes[Service]ExecStart=/usr/local/bin/kube-scheduler \--leader-elect=true \--master=http://127.0.0.1:8080 \--v=2Restart=on-failureRestartSec=5[Install]WantedBy=multi-user.targetEOF
启动控制器服务
sudo mv kube-apiserver.service kube-scheduler.service kube-controller-manager.service /etc/systemd/system/sudo systemctl daemon-reloadsudo systemctl enable kube-apiserver kube-controller-manager kube-schedulersudo systemctl start kube-apiserver kube-controller-manager kube-scheduler
请等待 10 秒以便 Kubernetes API Server 初始化。
验证
kubectl get componentstatuses
将输出结果
NAME STATUS MESSAGE ERRORcontroller-manager Healthy okscheduler Healthy oketcd-2 Healthy {"health": "true"}etcd-0 Healthy {"health": "true"}etcd-1 Healthy {"health": "true"}
记得在每台控制节点上面都运行一遍,包括
controller-0、controller-1和controller-2。
Kubelet RBAC 授权
本节将会配置 API Server 访问 Kubelet API 的 RBAC 授权。访问 Kubelet API 是获取 metrics、日志以及执行容器命令所必需的。
这里设置 Kubeket
--authorization-mode为Webhook模式。Webhook 模式使用 SubjectAccessReview API 来决定授权。
gcloud compute ssh controller-0
创建 system:kube-apiserver-to-kubelet ClusterRole 以允许请求 Kubelet API 和执行许用来管理 Pods 的任务:
cat <<EOF | kubectl apply -f -apiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRolemetadata:annotations:rbac.authorization.kubernetes.io/autoupdate: "true"labels:kubernetes.io/bootstrapping: rbac-defaultsname: system:kube-apiserver-to-kubeletrules:- apiGroups:- ""resources:- nodes/proxy- nodes/stats- nodes/log- nodes/spec- nodes/metricsverbs:- "*"EOF
Kubernetes API Server 使用客户端凭证授权 Kubelet 为 kubernetes 用户,此凭证用 --kubelet-client-certificate flag 来定义。
绑定 system:kube-apiserver-to-kubelet ClusterRole 到 kubernetes 用户:
cat <<EOF | kubectl apply -f -apiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRoleBindingmetadata:name: system:kube-apiservernamespace: ""roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:kube-apiserver-to-kubeletsubjects:- apiGroup: rbac.authorization.k8s.iokind: Username: kubernetesEOF
Kubernetes 前端负载均衡器
本节将会建立一个位于 Kubernetes API Servers 前端的外部负载均衡器。 kubernetes-the-hard-way 静态 IP 地址将会配置在这个负载均衡器上。
本指南创建的虚拟机内部并没有操作负载均衡器的权限,需要到创建这些虚拟机的那台机器上去做下面的操作。
创建外部负载均衡器网络资源:
gcloud compute target-pools create kubernetes-target-poolgcloud compute target-pools add-instances kubernetes-target-pool--instances controller-0,controller-1,controller-2KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way--region $(gcloud config get-value compute/region)--format 'value(name)')gcloud compute forwarding-rules create kubernetes-forwarding-rule--address ${KUBERNETES_PUBLIC_ADDRESS}--ports 6443--region $(gcloud config get-value compute/region)--target-pool kubernetes-target-pool
验证
查询 kubernetes-the-hard-way 静态 IP 地址:
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way--region $(gcloud config get-value compute/region)--format 'value(address)')
发送一个查询 Kubernetes 版本信息的 HTTP 请求
curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version
结果为
{"major": "1","minor": "9","gitVersion": "v1.9.0","gitCommit": "925c127ec6b946659ad0fd596fa959be43f0cc05","gitTreeState": "clean","buildDate": "2017-12-15T20:55:30Z","goVersion": "go1.9.2","compiler": "gc","platform": "linux/amd64"}