当前位置: 首页 > 文档资料 > Kubernetes 指南 >

4.3 Kubernetes-The-Hard-Way - 部署控制节点

优质
小牛编辑
130浏览
2023-12-01

本部分将会在三台控制节点上部署 Kubernetes 控制服务,并配置高可用的集群架构。并且还会创建一个用于外部访问的负载均衡器。每个控制节点上需要部署的服务包括:Kubernetes API Server、Scheduler 以及 Controller Manager 等。

事前准备

以下命令需要在每台控制节点上面都运行一遍,包括 controller-0controller-1controller-2。可以使用 gcloud 命令登录每个控制节点。例如:

  1. gcloud compute ssh controller-0

部署 Kubernetes 控制平面

下载并安装 Kubernetes Controller 二进制文件

  1. wget -q --show-progress --https-only --timestamping
  2. "https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-apiserver"
  3. "https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-controller-manager"
  4. "https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kube-scheduler"
  5. "https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/kubectl"
  6. chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
  7. sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/

配置 Kubernetes API Server

  1. sudo mkdir -p /var/lib/kubernetes/
  2. sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem encryption-config.yaml /var/lib/kubernetes/

使用节点的内网 IP 地址作为 API server 与集群内部成员的广播地址。首先查询当前节点的内网 IP 地址:

  1. INTERNAL_IP=$(curl -s -H "Metadata-Flavor: Google"
  2. http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip)

生成 kube-apiserver.service systemd 配置文件:

  1. cat > kube-apiserver.service <<EOF
  2. [Unit]
  3. Description=Kubernetes API Server
  4. Documentation=https://github.com/kubernetes/kubernetes
  5. [Service]
  6. ExecStart=/usr/local/bin/kube-apiserver \
  7. --admission-control=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
  8. --advertise-address=${INTERNAL_IP} \
  9. --allow-privileged=true \
  10. --apiserver-count=3 \
  11. --audit-log-maxage=30 \
  12. --audit-log-maxbackup=3 \
  13. --audit-log-maxsize=100 \
  14. --audit-log-path=/var/log/audit.log \
  15. --authorization-mode=Node,RBAC \
  16. --bind-address=0.0.0.0 \
  17. --client-ca-file=/var/lib/kubernetes/ca.pem \
  18. --enable-swagger-ui=true \
  19. --etcd-cafile=/var/lib/kubernetes/ca.pem \
  20. --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \
  21. --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \
  22. --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \
  23. --event-ttl=1h \
  24. --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \
  25. --insecure-bind-address=127.0.0.1 \
  26. --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \
  27. --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \
  28. --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \
  29. --kubelet-https=true \
  30. --runtime-config=api/all \
  31. --service-account-key-file=/var/lib/kubernetes/ca-key.pem \
  32. --service-cluster-ip-range=10.32.0.0/24 \
  33. --service-node-port-range=30000-32767 \
  34. --tls-ca-file=/var/lib/kubernetes/ca.pem \
  35. --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \
  36. --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \
  37. --v=2
  38. Restart=on-failure
  39. RestartSec=5
  40. [Install]
  41. WantedBy=multi-user.target
  42. EOF

配置 Kubernetes Controller Manager

生成 kube-controller-manager.service systemd 配置文件:

  1. cat > kube-controller-manager.service <<EOF
  2. [Unit]
  3. Description=Kubernetes Controller Manager
  4. Documentation=https://github.com/kubernetes/kubernetes
  5. [Service]
  6. ExecStart=/usr/local/bin/kube-controller-manager \
  7. --address=0.0.0.0 \
  8. --cluster-cidr=10.200.0.0/16 \
  9. --cluster-name=kubernetes \
  10. --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \
  11. --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \
  12. --leader-elect=true \
  13. --master=http://127.0.0.1:8080 \
  14. --root-ca-file=/var/lib/kubernetes/ca.pem \
  15. --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \
  16. --service-cluster-ip-range=10.32.0.0/24 \
  17. --v=2
  18. Restart=on-failure
  19. RestartSec=5
  20. [Install]
  21. WantedBy=multi-user.target
  22. EOF

配置 Kubernetes Scheduler

生成 kube-scheduler.service systemd 配置文件:

  1. cat > kube-scheduler.service <<EOF
  2. [Unit]
  3. Description=Kubernetes Scheduler
  4. Documentation=https://github.com/kubernetes/kubernetes
  5. [Service]
  6. ExecStart=/usr/local/bin/kube-scheduler \
  7. --leader-elect=true \
  8. --master=http://127.0.0.1:8080 \
  9. --v=2
  10. Restart=on-failure
  11. RestartSec=5
  12. [Install]
  13. WantedBy=multi-user.target
  14. EOF

启动控制器服务

  1. sudo mv kube-apiserver.service kube-scheduler.service kube-controller-manager.service /etc/systemd/system/
  2. sudo systemctl daemon-reload
  3. sudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler
  4. sudo systemctl start kube-apiserver kube-controller-manager kube-scheduler

请等待 10 秒以便 Kubernetes API Server 初始化。

验证

  1. kubectl get componentstatuses

将输出结果

  1. NAME STATUS MESSAGE ERROR
  2. controller-manager Healthy ok
  3. scheduler Healthy ok
  4. etcd-2 Healthy {"health": "true"}
  5. etcd-0 Healthy {"health": "true"}
  6. etcd-1 Healthy {"health": "true"}

记得在每台控制节点上面都运行一遍,包括 controller-0controller-1controller-2

Kubelet RBAC 授权

本节将会配置 API Server 访问 Kubelet API 的 RBAC 授权。访问 Kubelet API 是获取 metrics、日志以及执行容器命令所必需的。

这里设置 Kubeket --authorization-modeWebhook 模式。Webhook 模式使用 SubjectAccessReview API 来决定授权。

  1. gcloud compute ssh controller-0

创建 system:kube-apiserver-to-kubelet ClusterRole 以允许请求 Kubelet API 和执行许用来管理 Pods 的任务:

  1. cat <<EOF | kubectl apply -f -
  2. apiVersion: rbac.authorization.k8s.io/v1beta1
  3. kind: ClusterRole
  4. metadata:
  5. annotations:
  6. rbac.authorization.kubernetes.io/autoupdate: "true"
  7. labels:
  8. kubernetes.io/bootstrapping: rbac-defaults
  9. name: system:kube-apiserver-to-kubelet
  10. rules:
  11. - apiGroups:
  12. - ""
  13. resources:
  14. - nodes/proxy
  15. - nodes/stats
  16. - nodes/log
  17. - nodes/spec
  18. - nodes/metrics
  19. verbs:
  20. - "*"
  21. EOF

Kubernetes API Server 使用客户端凭证授权 Kubelet 为 kubernetes 用户,此凭证用 --kubelet-client-certificate flag 来定义。

绑定 system:kube-apiserver-to-kubelet ClusterRole 到 kubernetes 用户:

  1. cat <<EOF | kubectl apply -f -
  2. apiVersion: rbac.authorization.k8s.io/v1beta1
  3. kind: ClusterRoleBinding
  4. metadata:
  5. name: system:kube-apiserver
  6. namespace: ""
  7. roleRef:
  8. apiGroup: rbac.authorization.k8s.io
  9. kind: ClusterRole
  10. name: system:kube-apiserver-to-kubelet
  11. subjects:
  12. - apiGroup: rbac.authorization.k8s.io
  13. kind: User
  14. name: kubernetes
  15. EOF

Kubernetes 前端负载均衡器

本节将会建立一个位于 Kubernetes API Servers 前端的外部负载均衡器。 kubernetes-the-hard-way 静态 IP 地址将会配置在这个负载均衡器上。

本指南创建的虚拟机内部并没有操作负载均衡器的权限,需要到创建这些虚拟机的那台机器上去做下面的操作。

创建外部负载均衡器网络资源:

  1. gcloud compute target-pools create kubernetes-target-pool
  2. gcloud compute target-pools add-instances kubernetes-target-pool
  3. --instances controller-0,controller-1,controller-2
  4. KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way
  5. --region $(gcloud config get-value compute/region)
  6. --format 'value(name)')
  7. gcloud compute forwarding-rules create kubernetes-forwarding-rule
  8. --address ${KUBERNETES_PUBLIC_ADDRESS}
  9. --ports 6443
  10. --region $(gcloud config get-value compute/region)
  11. --target-pool kubernetes-target-pool

验证

查询 kubernetes-the-hard-way 静态 IP 地址:

  1. KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way
  2. --region $(gcloud config get-value compute/region)
  3. --format 'value(address)')

发送一个查询 Kubernetes 版本信息的 HTTP 请求

  1. curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version

结果为

  1. {
  2. "major": "1",
  3. "minor": "9",
  4. "gitVersion": "v1.9.0",
  5. "gitCommit": "925c127ec6b946659ad0fd596fa959be43f0cc05",
  6. "gitTreeState": "clean",
  7. "buildDate": "2017-12-15T20:55:30Z",
  8. "goVersion": "go1.9.2",
  9. "compiler": "gc",
  10. "platform": "linux/amd64"
  11. }