kubernetes中Master节点如何安装与配置

这篇文章主要介绍kubernetes中Master节点如何安装与配置，文中介绍的非常详细，具有一定的参考价值，感兴趣的小伙伴们一定要看完！

一：简介
1.kubernetes master节点包含以下组件：kube-apiserver,kube-scheduler和kube-controller-manager。 这三个组件需要部署在同一台机器上。 同时只能有一个kube-scheduler,kube-controller-manager进程处于工作状态，如果运行多个，则需要通过选举产生一个leader.

2.在/etc/kubernetes/ssl目录下，准备好可能用到的证书文件。
admin-key.pem admin.pem ca-key.pem ca.pem kube-proxy-key.pem，kube-proxy.pem kubernetes-key.pem kubernetes.pem

3.下载安装文件 wget https://storage.googleapis.com/kubernetes-release/release/v1.8.5/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes
tar -xzvf kubernetes-src.tar.gz
复制二进制文件到指定目录
cp -r server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kube-proxy,kubelet} /usrbin/

二：配置和启动 kube-apiserver

1.service配置文件 /usr/lib/systemd/system/kube-apiserver.service

点击(此处)折叠或打开

1. [Unit]

2. Description=Kubernetes API Service

3. Documentation=https://github.com/GoogleCloudPlatform/kubernetes

4. After=network.target

5. After=etcd.service

7. [Service]

8. EnvironmentFile=-/etc/kubernetes/config

9. EnvironmentFile=-/etc/kubernetes/apiserver

10. ExecStart=/usr/bin/kube-apiserver \

11.          $KUBE_LOGTOSTDERR \

12.          $KUBE_LOG_LEVEL \

13.          $KUBE_ETCD_SERVERS \

14.          $KUBE_API_ADDRESS \

15.          $KUBE_API_PORT \

16.          $KUBELET_PORT \

17.          $KUBE_ALLOW_PRIV \

18.          $KUBE_SERVICE_ADDRESSES \

19.          $KUBE_ADMISSION_CONTROL \

20.          $KUBE_API_ARGS

21. Restart=on-failure

22. Type=notify

23. LimitNOFILE=65536

25. [Install]

26. WantedBy=multi-user.target

2.配置文件/etc/kubernetes/config

点击(此处)折叠或打开

1. ###

2. # kubernetes system config

3. #

4. # The following values are used to configure various aspects of all

5. # kubernetes services, including

6. #

7. # kube-apiserver.service

8. # kube-controller-manager.service

9. # kube-scheduler.service

10. # kubelet.service

11. # kube-proxy.service

13. # logging to stderr means we get it in the systemd journal

14. KUBE_LOGTOSTDERR="–logtostderr=true"

16. # journal message level, 0 is debug

17. KUBE_LOG_LEVEL="–v=0"

19. # Should this cluster be allowed to run privileged docker containers

20. KUBE_ALLOW_PRIV="–allow-privileged=true"

22. # How the controller-manager, scheduler, and proxy find the apiserver

23. KUBE_MASTER="–master=http://10.116.137.196:8080"

该配置文件同时被kube-apiserver、kube-controller-manager、kubescheduler、kubelet、kube-proxy使用。

3.配置文件 /etc/kubernetes/apiserver

点击(此处)折叠或打开

1. ###

2. ## kubernetes system config

3. ##

4. ## The following values are used to configure the kube-apiserver

5. ##

6. #

7. ## The address on the local server to listen to.

8. KUBE_API_ADDRESS="–advertise-address=10.116.137.196 –bind-address=10.116.137.196 –insecure-bind-address=10.116.137.196"

9. #

10. ## The port on the local server to listen on.

11. #KUBE_API_PORT="–port=8080"

12. #

13. ## Port minions listen on

14. #KUBELET_PORT="–kubelet-port=10250"

15. #

16. ## Comma separated list of nodes in the etcd cluster

17. KUBE_ETCD_SERVERS="–etcd-servers=https://10.116.137.196:2379,https://10.116.82.28:2379,https://10.116.36.57:2379"

18. #

19. ## Address range to use for services

20. KUBE_SERVICE_ADDRESSES="–service-cluster-ip-range=10.254.0.0/16"

21. #

22. ## default admission control policies

23. KUBE_ADMISSION_CONTROL="–admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"

24. #

25. ## Add your own!

26. KUBE_API_ARGS="–authorization-mode=RBAC –runtime-config=rbac.authorization.k8s.io/v1beta1 –kubelet-https=true –experimental-bootstrap-token-auth –token-auth-file=/etc/kubernetes/token.csv –service-node-port-range=30000-32767 –tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem –tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem –client-ca-file=/etc/kubernetes/ssl/ca.pem –service-account-key-file=/etc/kubernetes/ssl/ca-key.pem –etcd-cafile=/etc/kubernetes/ssl/ca.pem –etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem –etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem –enable-swagger-ui=true –apiserver-count=1 –audit-log-maxage=30 –audit-log-maxbackup=3 –audit-log-maxsize=100 –audit-log-path=/var/lib/audit.log –event-ttl=1h"

a. –authorization-mode=RBAC 指定在安全端口使用 RBAC 授权模式，拒绝未通过授权的请求；

b. kube-scheduler、kube-controller-manager 一般和 kube-apiserver 部署在同一台机器上，它们使非安全端口和 kube-apiserver通信;
kubelet、kube-proxy、kubectl 部署在其它 Node 节点上，如果通过安全端?访问 kube-apiserver，则必须先通过 TLS 证书认证，再通过
RBAC 授权；

c. kube-proxy、kubectl 通过在使?的证书?指定相关的 User、Group来达到通过 RBAC 授权的?的；

d. 如果使用了 kubelet TLS Boostrap 机制，则不能再指定 –kubeletcertificate-authority 、 –kubelet-client-certificate 和 –kubelet-client-key 选项，否则后续 kube-apiserver 校验 kubelet 证
书时出现 ”x509: certificate signed by unknown authority“ 错误；

e. –admission-control 值必须包含 ServiceAccount ；

f. –bind-address 不能为 127.0.0.1 ；

g. runtime-config 配置为 rbac.authorization.k8s.io/v1beta1 ，表示运行时的apiVersion；

h. –service-cluster-ip-range 指定 Service Cluster IP 地址段，该地址段不能路由可达；

i. 缺省情况下 kubernetes 对象保存在 etcd /registry 路径下，可以通过 –etcd-prefix 参数进行调整；

4.启动kube-apiserver

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver

三：配置和启动 kube-controller-manager
1. 服务文件/usr/lib/systemd/system/kube-controller-manager.service

点击(此处)折叠或打开

1. [Unit]

2. Description=Kubernetes Controller Manager

3. Documentation=https://github.com/GoogleCloudPlatform/kubernetes

5. [Service]

6. EnvironmentFile=-/etc/kubernetes/config

7. EnvironmentFile=-/etc/kubernetes/controller-manager

8. ExecStart=/usr/bin/kube-controller-manager \

9.          $KUBE_LOGTOSTDERR \

10.          $KUBE_LOG_LEVEL \

11.          $KUBE_MASTER \

12.          $KUBE_CONTROLLER_MANAGER_ARGS

13. Restart=on-failure

14. LimitNOFILE=65536

15. [Install]

16. WantedBy=multi-user.target

2.配置文件 /etc/kubernetes/controller-manager

点击(此处)折叠或打开

1. ###

2. # The following values are used to configure the kubernetes controller-manager

3. # defaults from config and apiserver should be adequate

4. # Add your own!

5. KUBE_CONTROLLER_MANAGER_ARGS="–address=127.0.0.1 –service-cluster-ip-range=10.254.0.0/16 –cluster-name=kubernetes –cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem –cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem –service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem –root-ca-file=/etc/kubernetes/ssl/ca.pem –leader-elect=true"

a. –service-cluster-ip-range 参数指定 Cluster 中 Service 的CIDR范围，该?络在各 Node 间必须路由不可达，必须和 kube-apiserver中的参数一致；

b. –cluster-signing-* 指定的证书和私钥文件用来签名为 TLSBootStrap 创建的证书和私钥；

c. –root-ca-file 用来对 kube-apiserver 证书进行校验，指定该参数后，才会在Pod 容器的 ServiceAccount 中放置该 CA 证书文件；

d. –address 值必须为 127.0.0.1 ，因为当前 kube-apiserver 期望scheduler 和 controller-manager 在同一台机器

3.启动 kube-controller-manager
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager

四：配置和启动 kube-scheduler
1. 服务文件/usr/lib/systemd/system/kube-scheduler.service

点击(此处)折叠或打开

1. [Unit]

2. Description=Kubernetes Scheduler Plugin

3. Documentation=https://github.com/GoogleCloudPlatform/kubernetes

5. [Service]

6. EnvironmentFile=-/etc/kubernetes/config

7. EnvironmentFile=-/etc/kubernetes/scheduler

8. ExecStart=/usr/bin/kube-scheduler \

9.     $KUBE_LOGTOSTDERR \

10.     $KUBE_LOG_LEVEL \

11.     $KUBE_MASTER \

12.     $KUBE_SCHEDULER_ARGS

13. Restart=on-failure

14. LimitNOFILE=65536

16. [Install]

17. WantedBy=multi-user.target

2. 配置文件/etc/kubernetes/scheduler

点击(此处)折叠或打开

1. ###

2. # kubernetes scheduler config

3. # default config should be adequate

4. # Add your own!

5. KUBE_SCHEDULER_ARGS="–leader-elect=true –address=127.0.0.1"

3.启动 kube-scheduler
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler

五：验证 master 节点功能

以上是“kubernetes中Master节点如何安装与配置”这篇文章的所有内容，感谢各位的阅读！希望分享的内容对大家有帮助，更多相关知识，欢迎关注云搜网行业资讯频道！