0
点赞
收藏
分享

微信扫一扫

kubernetes通过二进制部署 v1.23.17 之Master Node

陆佃 2024-12-02 阅读 19

一.简介

生产环境常用二进制部署,二进制部署与kubeadm部署方式不同的是,二进制安装方式需要自己生成所有的证书,包括etcd及k8s组件的(kube-apiserver,kube-controller-manager,kube-scheduler等)证书。证书有效期可以直接更改为876000小时,即100年,生成证书时注意IP地址不要漏掉,可以预留,不能少。

使用kubeadm安装k8s时,kubectl连接API用到的kubeconfig文件是kubeadm自动生成的,使用二进制安装方式需要手动生成

二.二进制部署kubernetes

1.资源分配 centos7.X

master

192.168.77.159

2C 8G

kube-apiserver,kube-controller-manager,kube-scheduler,etcd1

node1

192.168.77.156

2C 8G

kubelet,kube-proxy,docker ,etcd2

node2

192.168.77.157

2C 8G

kubelet,kube-proxy,docker ,etcd3

node3

192.168.77.158

2C 8G

kubelet,kube-proxy,docker ,etcd4

2.虚拟机准备

#以下步骤k8s所有节点执行
#配置hosts
cat >> /etc/hosts << EOF
192.168.77.159 master
192.168.77.156 node1
192.168.77.157 node2
192.168.77.158 node2
EOF
#关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
#关闭selinux
setenforce 0
sed -i 's/enforcing/disabled/' /etc/selinux/config
#关闭swap分区
#临时关闭
swapoff -a && sysctl -w vm.swappiness=0
#永久关闭
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
#允许iptable检查桥接流量
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
#检查各个节点MAC地址或product_uuid,虚拟机可能会不一样
ifconfig  ens33  | grep ether | awk '{print $2}'
cat /sys/class/dmi/id/product_uuid
#时间同步
yum install ntpdate -y
ntpdate time2.windows.com
clock -w

3.部署etcd存储集群

准备证书生成工具cfssl

#master节点
#安装开源证书生成工具cfssl
#cfssl软件包下载 可以浏览器下载后上传
mkdir -p /k8s/softwares
cd /k8s/softwares
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
#授予执行权限
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
#创建软连接
ln -s /k8s/softwares/cfssl_linux-amd64 /usr/local/bin/cfssl
ln -s /k8s/softwares/cfssljson_linux-amd64 /usr/local/bin/cfssljson
ln -s /k8s/softwares/cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

自签证书颁发机构CA并自签etcd的https证书

#master节点
#创建cfssl工作目录
mkdir -p /k8s/softwares/TLS/{etcd,k8s}
cd /k8s/softwares/TLS/etcd
#自签证书颁发机构CA 过期时间100年
cat > ca-config.json << 'EOF'
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json << 'EOF'
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
#生成ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#检查生成证书 
ll *.pem
#签发etcd的https证书
cat > server-csr.json << 'EOF'
{
    "CN": "etcd",
    "hosts": [
    "192.168.77.156",
    "192.168.77.157",
    "192.168.77.158",   
    "192.168.77.159"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
#hosts字段中IP为所有节点ip,一个不能少,为方便扩容IP可预留
#生成etcd的https证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
#检查生成证书
ll server*.pem

部署etcd集群 github下载地址

#master节点操作
#etcd软件包下载  可以浏览器下载后上传
mkdir -p /k8s/softwares/ && cd /k8s/softwares/
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
#创建etcd工作目录
mkdir -p /opt/etcd/{bin,cfg,ssl}
#解压
tar xf etcd-v3.4.9-linux-amd64.tar.gz
#etcd执行文件移动到/opt/etcd/bin/
cp /k8s/softwares/etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
#创建etcd配置文件(注意各个节点配置要修改)
cat > /opt/etcd/cfg/etcd.conf << 'EOF'
#[Member]
#节点名称 全局唯一 其他三个为etcd2 etcd3 etcd4
ETCD_NAME="etcd1"
#数据目录
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#集群通信监听地址 对应各个服务器本地IP
ETCD_LISTEN_PEER_URLS="https://192.168.77.159:2380"
#客户端访问监听地址 对应各个服务器本地IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.77.159:2379"
#[Clustering]
#集群通告地址 对应各个服务器本地IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.77.159:2380"
#客户端通告地址 对应各个服务器本地IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.77.159:2379"
#集群节点地址
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.77.159:2380,etcd2=https://192.168.77.156:2380,etcd3=https://192.168.77.157:2380,etcd4=https://192.168.77.158:2380"
#集群token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#加入集群的当前状态 new加入新集群
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#将生成的etcd证书拷贝到/opt/etcd/ssl/目录下
cd /k8s/softwares/TLS/etcd
cp ca.pem /opt/etcd/ssl/
cp ca-key.pem /opt/etcd/ssl/
cp server.pem /opt/etcd/ssl/
cp server-key.pem /opt/etcd/ssl/
#配置systemd管理etcd
cat > /usr/lib/systemd/system/etcd.service << 'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#将maser上/opt/etcd下的文件拷贝到其他各个节点
scp -r /opt/etcd/ root@192.168.77.156:/opt/
scp -r /opt/etcd/ root@192.168.77.157:/opt/
scp -r /opt/etcd/ root@192.168.77.158:/opt/
#将maser上etcd.service文件拷贝到其他各个节点
scp /usr/lib/systemd/system/etcd.service root@192.168.77.156:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.77.157:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.77.158:/usr/lib/systemd/system/
#各个节点修改/opt/etcd/cfg/etcd.conf配置文件
#etcd2节点操作 192.168.77.156
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd2"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.156/g' /opt/etcd/cfg/etcd.conf
#etcd3节点操作 192.168.77.157
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd3"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.157/g' /opt/etcd/cfg/etcd.conf
#etcd4节点操作 192.168.77.158
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd4"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.158/g' /opt/etcd/cfg/etcd.conf
#所有etcd节点操作
#重新加载systemd
systemctl daemon-reload
#设置开启启动
systemctl start etcd
systemctl enable etcd
#使用ETCDCTL_API=3命令行工具查看etcd集群状态
ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
--endpoints="https://192.168.77.156:2379,https://192.168.77.156:2379,https://192.168.77.156:2379,https://192.168.77.159:2379" \
endpoint health

etcd默认使用2379端口对外提供服务,使用端口2380端口对内提供服务

kubernetes通过二进制部署 v1.23.17  之Master Node_二进制

4.docker部署  docker下载地址

#所有节点执行
#下载docker二进制软件包
cd /k8s/softwares/
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.24.tgz
#解压
tar -xf docker-20.10.24.tgz
#将docker文件复制到/usr/bin/
cp -r ./docker/*  /usr/bin/
#配置镜像加速
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << 'EOF'
{    "registry-mirrors": [
        "https://docker.rainbond.cc",
        "https://docker.m.daocloud.io",
        "https://mirror.baidubce.com",
        "https://docker.mirrors.ustc.edu.cn",
        "https://docker.nju.edu.cn",
        "https://mirror.iscas.ac.cn"]
}
EOF
#配置systemd管理docker
cat > /etc/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Service
After=network.target

[Service]
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动docker 开机自启
systemctl start docker
systemctl enable docker

5.部署master node(安装api-server ,control manager ,scheduler组件)

#master节点 
#生成kube-apiserver证书
#自签证书颁发机构CA 过期时间100年
cd /k8s/softwares/TLS/k8s
cat > ca-config.json << 'EOF'
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << 'EOF'
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "kubernetes",
            "OU": "System"
        }
    ]
}
EOF
#生成ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#检查生成证书 
ll *.pem
#签发kube-apiserver的https证书
cat > server-csr.json << 'EOF'
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.77.156",
      "192.168.77.157",
      "192.168.77.158",
      "192.168.77.159",
      "192.168.77.160",
      "192.168.77.161",
      "192.168.77.162",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "kubernetes",
            "OU": "System"
        }
    ]
}
EOF
#hosts字段中IP为所有节点及lb相关ip,一个不能少,为方便扩容IP可预留
#生成kube-apiserver的https证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#检查生成证书
ll server*.pem

部署kubernetes组件  github下载地址 Server Binaries

#master节点
#下载二进制软件包
cd /k8s/softwares/
wget https://dl.k8s.io/v1.23.17/kubernetes-server-linux-amd64.tar.gz
#创建k8s工作目录
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} 
#解压
tar xf kubernetes-server-linux-amd64.tar.gz
#拷贝到k8s工作目录下
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
#创建软连接
ln -s /opt/kubernetes/bin/* /usr/local/bin/
#kubectl拷贝到/usr/bin/
cp kubectl /usr/bin/

部署kube-apiserver

cat > /opt/kubernetes/cfg/kube-apiserver.conf << 'EOF'
KUBE_APISERVER_OPTS="--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.77.156:2379,https://192.168.77.157:2379,https://192.168.77.158:2379,https://192.168.77.159:2379 \
--bind-address=192.168.77.159 \
--secure-port=6443 \
--advertise-address=192.168.77.159 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
#将生成的kube-apiserver证书拷贝到/opt/kubernetes/ssl/目录下
cd /k8s/softwares/TLS/k8s
cp ca.pem /opt/kubernetes/ssl/
cp ca-key.pem /opt/kubernetes/ssl/
cp server.pem /opt/kubernetes/ssl/
cp server-key.pem /opt/kubernetes/ssl/
#创建token文件 启用TLS Bootstrapping机制需要
#生成token 随机字符串
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
60c6bd0e973c8956870d8338c8d1f6f7
#创建token文件      格式: token,用户名,UID,用户组
cat > /opt/kubernetes/cfg/token.csv << 'EOF'
60c6bd0e973c8956870d8338c8d1f6f7,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
#配置systemdctl管理apiserver
cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS

Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动 开机自启
systemctl start kube-apiserver
systemctl enable kube-apiserver
#检查进程 端口6443用于接收HTTPS请求,用于基于Token文件或客户端证书等认证
netstat -tlunp | grep 6443

kube-api启动参数解释

--logtostderr:日志标准错误输出控制台
--v:日志等级
--log-dir:日志目录
--etcd-servers:etcd集群地址
--bind-address:监听地址 默认0.0.0.0
--secure-port:https安全端口 默认6443
--advertise-address:集群通告地址
--allow-privileged:启用授权
--service-cluster-ip-range:Service虚拟IP地址段,指定Service Cluster IP地址段
--enable-admission-plugins:准入控制模块 AAA
--authorization-mode:认证授权,启用RBAC授权和节点自管理
--enable-bootstrap-token-auth:启用TLS bootstrap机制,apiserver上启用Bootstrap Token认证
--token-auth-file:指定bootstrap token文件路径
--service-node-port-range:Service nodeport类型默认分配端口范围
--kubelet-client-xxx:apiserver访问kubelet客户端证书
--service-account-xxx:1.27版本必须添加--service-account-issuer,--service-account-signing-key-file
--tls-xxx-file:apiserver https证书
--etcd-xxxfile:连接Etcd集群证书
--audit-log-xxx:审计日志

部署kube-control-manager

#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > kube-controller-manager-csr.json << 'EOF'
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing", 
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

#生成kubeconfig文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.77.159:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}

kubectl config set-credentials kube-controller-manager \
  --client-certificate=./kube-controller-manager.pem \
  --client-key=./kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-controller-manager \
  --kubeconfig=${KUBE_CONFIG}

kubectl config use-context default --kubeconfig=${KUBE_CONFIG}


#创建配置文件
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << 'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--cluster-signing-duration=876000h0m0s"
EOF
#配置systemd管理kube-control-manager
cat > /usr/lib/systemd/system/kube-controller-manager.service << 'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动 开机自启
systemctl start kube-controller-manager
systemctl enable kube-controller-manager

部署kube-scheduler

#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > kube-scheduler-csr.json << 'EOF'
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

#生成kubeconfig文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.77.159:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}

cd /k8s/softwares/TLS/k8s
kubectl config set-credentials kube-scheduler \
  --client-certificate=./kube-scheduler.pem \
  --client-key=./kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}
  
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-scheduler \
  --kubeconfig=${KUBE_CONFIG}
  
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

#创建配置文件
cat > /opt/kubernetes/cfg/kube-scheduler.conf << 'EOF'
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
EOF
#配置systemd管理scheduler
cat > /usr/lib/systemd/system/kube-scheduler.service << 'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#开启 开机启动
systemctl start kube-scheduler
systemctl enable kube-scheduler

查看集群状态

kubectl get cs

The connection to the server localhost:8080 was refused - did you specify the right host or port?

生成kubectl连接kubeconfig文件

#生成kubectl连接集群的证书和私钥,具有admin权限
#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#生成kubectl连接kubeconfig文件
mkdir /root/.kube
KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://192.168.77.159:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${KUBE_CONFIG}

cd /k8s/softwares/TLS/k8s
kubectl config set-credentials cluster-admin \
  --client-certificate=./admin.pem \
  --client-key=./admin-key.pem \
  --embed-certs=true \
  --kubeconfig=${KUBE_CONFIG}

kubectl config set-context default \
  --cluster=kubernetes \
  --user=cluster-admin \
  --kubeconfig=${KUBE_CONFIG}

kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

查看集群状态

#使用kubectl查看集群状态
kubectl get cs

kubernetes通过二进制部署 v1.23.17  之Master Node_Master Node_02



举报

相关推荐

0 条评论