Goal

Start the k8s master

Description

We use static Pods to start all components of the k8s master. Earlier we already started the etcd cluster with static Pods; now we only need to put the configuration file directly into the kubelet's static Pod directory.

Deployment

Create `kube-master.yaml` and place it in `/etc/kubernetes/kubelet.d/`:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-master
  namespace: kube-system
  labels:
    name: kube-master
spec:
  restartPolicy: Always
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: hub.k8s.com/google-containers/kube-apiserver:v1.9.0
    command:
    - 'kube-apiserver'
    - '--bind-address=0.0.0.0'
    # The insecure port serves the API without authentication or authorization;
    # binding it to 0.0.0.0 (instead of the 127.0.0.1 default) makes it reachable
    # from the network, not only from the controller-manager and scheduler below.
    - '--insecure-bind-address=0.0.0.0'
    - '--secure-port=6443'
    - '--insecure-port=8080'
    - '--apiserver-count=3'
    - '--service-cluster-ip-range=10.254.0.0/16'
    - '--client-ca-file=/opt/kubernetes/pki/ca.pem'
    - '--service-account-key-file=/opt/kubernetes/pki/ca-key.pem'
    - '--tls-ca-file=/opt/kubernetes/pki/ca.pem'
    - '--tls-cert-file=/opt/kubernetes/pki/kubernetes.pem'
    - '--tls-private-key-file=/opt/kubernetes/pki/kubernetes-key.pem'
    - '--kubelet-certificate-authority=/opt/kubernetes/pki/ca.pem'
    - '--kubelet-client-certificate=/opt/kubernetes/pki/kubernetes.pem'
    - '--kubelet-client-key=/opt/kubernetes/pki/kubernetes-key.pem'
    - '--kubelet-https=true'
    - '--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds'
    - '--advertise-address=10.10.1.21'
    - '--authorization-mode=RBAC,Node'
    - '--allow-privileged=true'
    # Every endpoint needs its port; the client port for all three etcd members is 2379.
    - '--etcd-servers=http://etcd1.k8s.com:2379,http://etcd2.k8s.com:2379,http://etcd3.k8s.com:2379'
    securityContext:
      privileged: true
    livenessProbe:
      httpGet:
        scheme: HTTP
        host: 127.0.0.1
        port: 8080
        path: /healthz
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    - name: http
      containerPort: 8080
      protocol: TCP
    - name: https
      containerPort: 6443
      protocol: TCP
    volumeMounts:
    - name: pki
      mountPath: /opt/kubernetes/pki/
      # The API server only reads the certificates; readOnly: true is sufficient.
      readOnly: false
  - name: kube-controller-manager
    image: hub.k8s.com/google-containers/kube-controller-manager:v1.9.0
    command:
    - 'kube-controller-manager'
    - '--address=0.0.0.0'
    - '--cluster-cidr=10.254.0.0/16'
    - '--master=http://127.0.0.1:8080'
    - '--leader-elect=true'
    - '--root-ca-file=/opt/kubernetes/pki/ca.pem'
    - '--service-account-private-key-file=/opt/kubernetes/pki/ca-key.pem'
    - '--cluster-signing-cert-file=/opt/kubernetes/pki/ca.pem'
    - '--cluster-signing-key-file=/opt/kubernetes/pki/ca-key.pem'
    - '--logtostderr=true'
    - '--v=1'
    securityContext:
      privileged: false
    livenessProbe:
      httpGet:
        scheme: HTTP
        host: 127.0.0.1
        port: 10252
        path: /healthz
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    - containerPort: 10252
      protocol: TCP
    volumeMounts:
    - name: pki
      mountPath: /opt/kubernetes/pki/
      readOnly: true
  - name: kube-scheduler
    image: hub.k8s.com/google-containers/kube-scheduler:v1.9.0
    command:
    - 'kube-scheduler'
    - '--address=0.0.0.0'
    - '--leader-elect=true'
    - '--master=http://127.0.0.1:8080'
    - '--logtostderr=true'
    - '--v=1'
    securityContext:
      privileged: false
    livenessProbe:
      httpGet:
        scheme: HTTP
        host: 127.0.0.1
        port: 10251
        path: /healthz
      initialDelaySeconds: 15
      timeoutSeconds: 15
    ports:
    - containerPort: 10251
      protocol: TCP
  volumes:
  - name: pki
    hostPath:
      # The certificate files must be copied to this host directory.
      path: /etc/kubernetes/pki/
```

For the file above, the certificate files must be placed in the specified host directory (`/etc/kubernetes/pki/`). Then restart the kubelet.

| Flag | Meaning | Default |
|---|---|---|
| `--bind-address` | Listen address of the HTTPS (secure) interface | 0.0.0.0 |
| `--insecure-bind-address` | Listen address of the HTTP (insecure) interface | 127.0.0.1 |
| `--secure-port` | Listen port of the HTTPS (secure) interface | 6443 |
| `--insecure-port` | Listen port of the HTTP (insecure) interface | 8080 |
| `--apiserver-count` | Number of API servers | 1 |
| `--service-cluster-ip-range` | Address range used by Services, in CIDR notation; see the definition of Service in Kubernetes | |
| `--client-ca-file` | CA bundle used to verify client certificates presented to the API server | |
| `--service-account-key-file` | Key used to verify ServiceAccount tokens | |
| `--tls-ca-file` | | |
| `--tls-cert-file` | Serving certificate of the HTTPS interface | |
| `--tls-private-key-file` | Private key matching `--tls-cert-file` | |
| `--kubelet-certificate-authority` | CA used to verify the kubelets' serving certificates | |
| `--kubelet-client-certificate` | Client certificate the API server presents to kubelets | |
| `--kubelet-client-key` | Private key matching `--kubelet-client-certificate` | |
| `--kubelet-https` | Use HTTPS for API server to kubelet connections | true |
| `--admission-control` | Admission control plugins | AlwaysAdmit |
| `--advertise-address` | IP address on which the API server advertises itself to the other cluster members; must be reachable by them | null |
| `--authorization-mode` | Authorization mode, i.e. authorization on the secure interface | AlwaysAllow |
| `--allow-privileged` | Whether privileged containers may run | false |
| `--etcd-servers` | List of etcd endpoints | |
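The flag table above is easiest to act on as a check. The following is an added example, not part of the original post: it parses the `command:` list of the kube-apiserver container (a constructed copy of the manifest above) and flags the settings a reviewer would question, using general kube-apiserver hardening points rather than anything the author states.

```python
# Added example, not part of the original post: an offline audit of the
# kube-apiserver command line from kube-master.yaml above. The argument list
# is a constructed copy of the manifest's `command:`; the checks encode
# general kube-apiserver hardening points, not anything the author states.
KUBE_APISERVER_ARGS = [
    "kube-apiserver",
    "--bind-address=0.0.0.0",
    "--insecure-bind-address=0.0.0.0",
    "--secure-port=6443",
    "--insecure-port=8080",
    "--authorization-mode=RBAC,Node",
    "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,"
    "PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
    "--allow-privileged=true",
    "--etcd-servers=http://etcd1.k8s.com:2379,http://etcd2.k8s.com:2379",
]

def parse_flags(args):
    """Turn ['--k=v', '--flag'] into {'k': 'v', 'flag': 'true'}; args[0] is skipped."""
    flags = {}
    for arg in args[1:]:
        key, sep, value = arg[2:].partition("=")
        flags[key] = value if sep else "true"
    return flags

def audit_apiserver(args):
    """Return a list of findings; an empty list means nothing was flagged.
    Where a flag is absent, the v1.9 defaults from the table above are assumed."""
    f = parse_flags(args)
    findings = []
    # The insecure port serves the full API with no authentication or
    # authorization; bound to 0.0.0.0 it is reachable by anything on the network.
    if (f.get("insecure-port", "8080") != "0"
            and f.get("insecure-bind-address", "127.0.0.1") not in ("127.0.0.1", "::1")):
        findings.append("insecure-port: unauthenticated API exposed beyond loopback")
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("authorization-mode: AlwaysAllow disables authorization")
    # The Node authorizer limits what a kubelet may read; NodeRestriction is
    # what stops a kubelet from modifying Node/Pod objects other than its own.
    if "NodeRestriction" not in f.get("admission-control", "").split(","):
        findings.append("admission-control: NodeRestriction plugin missing")
    if any(u.startswith("http://") for u in f.get("etcd-servers", "").split(",")):
        findings.append("etcd-servers: plaintext http, cluster state unprotected in transit")
    return findings

if __name__ == "__main__":
    for finding in audit_apiserver(KUBE_APISERVER_ARGS):
        print("FINDING:", finding)
```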

Verification

```shell
# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-1               Healthy   {"health": "true"}
etcd-0               Healthy   {"health": "true"}
etcd-2               Healthy   {"health": "true"}
```

Modify the RBAC related to the kubelet

Description

The following configuration is mandatory; otherwise our nodes cannot create Pods because of insufficient permissions. Here we need to configure RBAC permissions that allow the Kubernetes API server to connect to each node's Kubelet API in order to retrieve metrics and logs and to execute commands in Pods.
We set the kubelet's authorization mode to webhook (`--authorization-mode=webhook`); Webhook mode uses the SubjectAccessReview API to determine authorization.
Create the `system:kube-apiserver-to-kubelet` ClusterRole, which has permission to access the Kubelet API and perform the most common tasks related to managing Pods.
Create the YAML file:

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  - nodes/metrics
  verbs:
  - "*"
```

The Kubernetes API server accesses the kubelet as the user `kubernetes`, authenticating with the client certificate given by the `--kubelet-client-certificate` flag. Bind the `system:kube-apiserver-to-kubelet` ClusterRole to the `kubernetes` user:

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kubernetes
```

Grant the group the kubelets belong to permission to access the API:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: read-secrets-global
subjects:
- kind: Group
  name: "system:nodes"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
```

Create the ClusterRoleBinding `read-secrets-global` and bind it to the `system:nodes` group, giving every member of `system:nodes` (every node; an individual node's user name has the form `system:node:Node1.k8s.com`) permission to read all Secrets. Note that the `secret-reader` rule actually covers every resource in the core API group, not only Secrets, and that with `--authorization-mode=RBAC,Node` the Node authorizer already lets each kubelet read the Secrets, ConfigMaps and PersistentVolumes referenced by Pods scheduled to it; this binding is therefore broader than needed, since anyone holding any node's credentials can list every Secret in every namespace.
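To see exactly what the two ClusterRoleBindings above grant, the following added example (not part of the original post and not Kubernetes code) re-implements the subset of RBAC rule matching needed to answer "can this subject do this verb on this resource?" for cluster-scoped bindings; the role and binding data are constructed from the manifests above.

```python
# Added example, not from the original post or from Kubernetes: an offline
# evaluator for the ClusterRoles/ClusterRoleBindings above, implementing just
# enough RBAC matching to answer "can this subject do verb X on resource Y?",
# the question `kubectl auth can-i` asks a live API server.
CLUSTER_ROLES = {  # constructed from the two ClusterRoles on this page
    "system:kube-apiserver-to-kubelet": [{
        "apiGroups": [""], "verbs": ["*"],
        "resources": ["nodes/proxy", "nodes/stats", "nodes/log",
                      "nodes/spec", "nodes/metrics"]}],
    "secret-reader": [{
        "apiGroups": [""], "resources": ["*"], "verbs": ["get", "watch", "list"]}],
}
CLUSTER_ROLE_BINDINGS = [  # constructed from the two ClusterRoleBindings
    {"role": "system:kube-apiserver-to-kubelet", "subjects": [("User", "kubernetes")]},
    {"role": "secret-reader", "subjects": [("Group", "system:nodes")]},
]

def _resource_matches(rule_resources, resource):
    """'*' matches everything, 'nodes/*' matches every subresource of nodes,
    anything else must match exactly (a rule for 'nodes' does NOT cover
    'nodes/proxy'), mirroring the real RBAC resource matcher."""
    return any(r == "*" or r == resource
               or (r.endswith("/*") and resource.startswith(r[:-1]))
               for r in rule_resources)

def can_i(user, groups, verb, resource, api_group=""):
    """True if a binding names `user` or one of `groups` as a subject and its
    role has a rule covering (api_group, resource, verb). Cluster-scoped
    bindings apply in every namespace, so no namespace argument is needed."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for binding in CLUSTER_ROLE_BINDINGS:
        if subjects.isdisjoint(binding["subjects"]):
            continue
        for rule in CLUSTER_ROLES.get(binding["role"], []):
            if (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
                    and _resource_matches(rule["resources"], resource)
                    and ("*" in rule["verbs"] or verb in rule["verbs"])):
                return True
    return False

if __name__ == "__main__":
    node = ("system:node:master1.k8s.com", ["system:nodes"])
    print(can_i("kubernetes", [], "get", "nodes/proxy"))  # True: apiserver may use the kubelet API
    print(can_i(*node, "list", "secrets"))                 # True: every kubelet may list every Secret
    print(can_i(*node, "delete", "secrets"))               # False: only get/watch/list were granted
```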

Set node roles

For ease of management and operation, we apply a role label to every node in k8s. Proceed as follows:

```shell
kubectl label node master1.k8s.com kubernetes.io/role=master
```

Configuration notes

This section explains the parameters used in the configuration files above; the apiserver parameters are listed in the table following the kube-master.yaml manifest.

Verification

```shell
kubectl get nodes -w
NAME              STATUS    ROLES     AGE       VERSION
master1.k8s.com   Ready     master    106d      v1.9.0
```

Special note

Special thanks to http://www.recall704.com/cloud/k8s-node-roles/. From the code we can see that k8s uses the labels `node-role.kubernetes.io/<role>=""` and `kubernetes.io/role=<role>` to define roles, so a master can also be labelled like this:

```shell
kubectl label node 192.168.88.201 node-role.kubernetes.io/master=true
```

Other nodes

In this lab we need three master nodes. The above is the configuration procedure for master1, so we need to deploy two more master nodes following the same steps. Note: change `--advertise-address` in `kube-master.yaml` to the address of master2 and master3 respectively.