美文网首页
k8s学习笔记-7-apiserver

k8s学习笔记-7-apiserver

作者: xlgao | 来源:发表于2020-07-27 15:02 被阅读0次

7 部署apiserver

下载k8s的包

  1. 部署apiserver的节点为node2 node3

  2. 下载kubernetes包,进入kubernetes的github页面:


    图片.png
  3. 进入tags页签:https://github.com/kubernetes/kubernetes/tags

    图片.png
  4. 选择要下载的版本:https://github.com/kubernetes/kubernetes/releases/tag/v1.16.13

    图片.png
  5. 点击 CHANGELOG-xxx.md 进入说明页面,往下找对应版本的Server binaries:


    图片.png
  6. 下载Server Binaries:
    https://dl.k8s.io/v1.16.10/kubernetes-server-linux-amd64.tar.gz

解压k8s包

[root@node3 bin]# tar xf kubernetes-server-linux-amd64.tar.gz 
[root@node3 bin]# mv kubernetes kubernetes-v1.15.11
[root@node3 bin]#  ln -s /opt/src/kubernetes-v1.15.11/ /opt/kubernetes
[root@node3 bin]# cd /opt/kubernetes/server/bin
[root@node3 bin]#  rm -rf  *.tar  *_tag

6.4 签发证书

  • 签发证书使用node5节点
  1. 签发client证书,apiserver和etcd通信用的证书
[root@node5 certs]# cd /opt/certs/
[root@node5 certs]# vim /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@node5 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
2020/01/06 13:42:47 [INFO] generate received request
2020/01/06 13:42:47 [INFO] received CSR
2020/01/06 13:42:47 [INFO] generating key: rsa-2048
2020/01/06 13:42:47 [INFO] encoded CSR
2020/01/06 13:42:47 [INFO] signed certificate with serial number 268276380983442021656020268926931973684313260543
2020/01/06 13:42:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@node5 certs]# ls client* -l
-rw-r--r-- 1 root root  993 Jan  6 13:42 client.csr
-rw-r--r-- 1 root root  280 Jan  6 13:42 client-csr.json
-rw------- 1 root root 1679 Jan  6 13:42 client-key.pem
-rw-r--r-- 1 root root 1363 Jan  6 13:42 client.pem
  1. 签发server证书,apiserver和其他k8s组件通信使用的证书,hosts中将所有可能作为apiserver的ip添加进去,VIP 也要加入
[root@node5 certs]#  vim /opt/certs/apiserver-csr.json

{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "172.16.6.180",
        "172.16.6.181",
        "172.16.6.182",
        "172.16.6.183",
        "172.16.6.184"  
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
    ]
}

[root@node5 certs]#  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
2020/01/06 13:46:56 [INFO] generate received request
2020/01/06 13:46:56 [INFO] received CSR
2020/01/06 13:46:56 [INFO] generating key: rsa-2048
2020/01/06 13:46:56 [INFO] encoded CSR
2020/01/06 13:46:56 [INFO] signed certificate with serial number 573076691386375893093727554861295529219004473872
2020/01/06 13:46:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@node5 certs]# ls apiserver* -l
-rw-r--r-- 1 root root 1249 Jan  6 13:46 apiserver.csr
-rw-r--r-- 1 root root  566 Jan  6 13:45 apiserver-csr.json
-rw------- 1 root root 1675 Jan  6 13:46 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jan  6 13:46 apiserver.pem
  1. 证书下发到需要安装apiserver服务的节点。
  • 在需要安装apiserver的节点创建certs目录
mkdir /opt/kubernetes/server/bin/certs
  • 在签发证书节点将刚才签发的client证书和server证书下发:
scp apiserver-key.pem apiserver.pem ca-key.pem ca.pem client-key.pem client.pem    node2:/opt/kubernetes/server/bin/certs/

6.5 配置apiserver的日志审计

[root@node3 conf]# cat audit.yaml 
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

配置apiserver的启动脚本

  1. apiserver启动脚本
[root@node3 conf]# cat /opt/kubernetes/server/bin/kube-apiserver-startup.sh 
#!/bin/bash

WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit

/opt/kubernetes/server/bin/kube-apiserver \
    --apiserver-count 2 \
    --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
    --audit-policy-file ./conf/audit.yaml \
    --authorization-mode RBAC \
    --client-ca-file ./certs/ca.pem \
    --requestheader-client-ca-file ./certs/ca.pem \
    --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
    --etcd-cafile ./certs/ca.pem \
    --etcd-certfile ./certs/client.pem \
    --etcd-keyfile ./certs/client-key.pem \
    --etcd-servers https://172.16.6.182:2379,https://172.16.6.183:2379,https://172.16.6.184:2379 \
    --service-account-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/16 \
    --service-node-port-range 3000-29999 \
    --target-ram-mb=1024 \
    --kubelet-client-certificate ./certs/client.pem \
    --kubelet-client-key ./certs/client-key.pem \
    --log-dir  /data/logs/kubernetes/kube-apiserver \
    --tls-cert-file ./certs/apiserver.pem \
    --tls-private-key-file ./certs/apiserver-key.pem \
    --v 2

chmod +x /opt/kubernetes/serever/bin/kube-apiserver-startup.sh
  1. 创建日志目录
mkdir /data/logs/kubernetes/kube-apiserver/audit-log

配置supervisor启动配置

[root@node3 conf]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-node2]
command=/opt/kubernetes/server/bin/kube-apiserver-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false

[root@node2 bin]# supervisorctl update
[root@node2 bin]# supervisorctl status
etcd-server-node2                 RUNNING   pid 23637, uptime 22:26:08
kube-apiserver-node2            RUNNING   pid 32591, uptime 0:05:37

启停apiserver

[root@node2 bin]# supervisorctl start kube-apiserver-node2 
[root@node2 bin]# supervisorctl stop kube-apiserver-node2 
[root@node2 bin]# supervisorctl restart kube-apiserver-node2 
[root@node2 bin]# supervisorctl status kube-apiserver-node2 

相关文章

网友评论

      本文标题:k8s学习笔记-7-apiserver

      本文链接:https://www.haomeiwen.com/subject/ppuzlktx.html