You can use tmux to open three terminal windows and type the commands into all three in parallel, or run the steps separately on each of the three machines.
[root@centos7-a ~]# cd k8s-scripts
[root@centos7-a k8s-scripts]# vim install-controller-manager.sh
[root@centos7-a k8s-scripts]# bash install-controller-manager.sh 127.0.0.1

The script content is as follows:
#!/bin/bash
# Address of the kube-apiserver this controller manager talks to; defaults to
# the local host when no argument is given.
MASTER_ADDRESS=${1:-"127.0.0.1"}

# Options file read by the systemd unit below. The heredoc is unquoted, so "\\"
# is written to the file as a single backslash (line continuation).
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs/kube-controller-manager \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--bind-address=0.0.0.0 \\
--service-cluster-ip-range=10.96.0.0/12 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s \\
--feature-gates=RotateKubeletServerCertificate=true,RotateKubeletClientCertificate=true \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem"
EOF

# systemd unit; "\$" keeps the variable reference literal in the unit file.
cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

(The original passed --feature-gates twice; the flag is a map and the two occurrences merge, but one comma-separated value is unambiguous.)

A few things to check before reusing this script:

- --master=${MASTER_ADDRESS}:8080 points at the API server's insecure port, which serves plaintext HTTP with no authentication or authorization. That is only tolerable when the API server binds that port to 127.0.0.1 on the same host, which is what the script's default assumes. Kubernetes 1.20 removed insecure serving, so on later versions the controller manager must use --kubeconfig with a client certificate against the secure port instead.
- The CA private key is reused as the service-account token signing key (--service-account-private-key-file). A dedicated key pair for service-account tokens (paired with --service-account-key-file on the API server) means that a leak of the token-signing key does not also let an attacker mint cluster certificates.
- --experimental-cluster-signing-duration=87600h0m0s issues kubelet certificates valid for ten years, which removes most of the benefit of the RotateKubelet* feature gates enabled on the next line; use a duration of days or months if rotation is meant to matter.
- --bind-address=0.0.0.0 exposes the controller manager's health and metrics ports on every interface; bind to the node's management address or firewall them.

3.7 Check component status

Run kubectl get cs on any one of the three machines:
[root@centos7-a k8s-scripts]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
etcd-1               Healthy   {"health":"true"}
etcd-2               Healthy   {"health":"true"}
etcd-0               Healthy   {"health":"true"}
controller-manager   Healthy   ok
scheduler            Healthy   ok

3.8 Configure automatic kubelet certificate requests (CSR), approval and renewal

3.8.1 Nodes create CSRs automatically

When the kubelet on a node starts, it creates a CSR automatically. Bind the kubelet-bootstrap user to the system:node-bootstrapper cluster role; this grants the permission needed to submit the CSRs from which the certificates are issued:
# Bind kubelet-bootstrap user to system cluster roles.
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap

3.8.2 Certificate approval and automatic renewal

1) Manual approval script (run after the kubelet on the node has been started)
vim k8s-csr-approve.sh

#!/bin/bash
# Approve every CSR that is still Pending. CONDITION is the last column of
# `kubectl get csr`; skipping non-pending rows avoids re-approving old CSRs.
CSRS=$(kubectl get csr | awk 'NR>1 && $NF=="Pending" {print $1}')
for csr in $CSRS; do
    kubectl certificate approve "$csr"
done

Note that this approves every pending CSR regardless of who submitted it or what subject it asks for. Anyone who can create CSRs (including whoever holds the kubelet-bootstrap credential) gets whatever certificate they requested, so at minimum look at the REQUESTOR and SIGNERNAME columns, and for serving certificates the requested names, before running it.

2) Automatic approval and renewal
Create the ClusterRole used for auto-approving the related CSRs:
[root@centos7-a ~]# mkdir yaml
[root@centos7-a ~]# cd yaml/
[root@centos7-a yaml]# vim tls-instructs-csr.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]

[root@centos7-a yaml]# kubectl apply -f tls-instructs-csr.yaml

The nodeclient and selfnodeclient ClusterRoles used in the next two bindings are built into Kubernetes; selfnodeserver is not, which is why it is created by hand here.

Auto-approve the CSR that the kubelet-bootstrap user submits when TLS bootstrapping requests a certificate for the first time:
kubectl create clusterrolebinding node-client-auto-approve-csr \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient \
  --user=kubelet-bootstrap

Auto-approve CSRs from the system:nodes group that renew the client certificate the kubelet uses to talk to the apiserver:
kubectl create clusterrolebinding node-client-auto-renew-crt \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient \
  --group=system:nodes

Auto-approve CSRs from the system:nodes group that renew the certificate for the kubelet API on port 10250:
kubectl create clusterrolebinding node-server-auto-renew-crt \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver \
  --group=system:nodes

Two caveats on these bindings. First, kube-controller-manager's built-in CSR approver only recognizes the two client-certificate cases (the nodeclient and selfnodeclient subresources); it does not auto-approve kubelet serving certificates, which is why no built-in selfnodeserver role exists. The third binding is harmless but has no effect on its own: serving-certificate CSRs (signer kubernetes.io/kubelet-serving, requestor system:node:<name>) stay Pending until they are approved with the manual script above or by a separate approver that verifies the requested names and IPs belong to the requesting node. Second, the nodeclient approval only checks the shape of the CSR (CN system:node:<name>, O system:nodes, client-auth usage), not which node the requestor is, so whoever holds the kubelet-bootstrap token can obtain a client certificate for any node name; treat that token as a cluster-level secret and rotate it after bootstrapping.

With the bindings in place, the client-certificate CSRs that kubelets create at startup are approved and issued without manual intervention.
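As an added example (not part of the original tutorial or of Kubernetes itself), here is a replacement for the blanket k8s-csr-approve.sh above that applies the same policy the three bindings express, but explicitly: bootstrap and node identities may get client certificates, node identities may get serving certificates for their own name, and everything else stays Pending for a human. The function names csr_policy, csr_subject_matches and process_csr_lines, the sample CSR rows and the --live switch are mine; the policy function is plain shell and is exercised on constructed data, while --live assumes kubectl, base64 and openssl are on the PATH.

```shell
#!/usr/bin/env bash
# Added example: policy-based CSR approval instead of approving every CSR.
# csr_policy decides per CSR; csr_subject_matches adds the subject check for
# serving certificates in live mode; process_csr_lines runs the policy over
# "name signer requestor condition" rows (assumed helper names, not k8s APIs).

# Args: name signer requestor condition. Prints "approve" or "skip <reason>";
# exit status is 0 only for "approve".
csr_policy() {
    local name=$1 signer=$2 requestor=$3 condition=$4
    case "$condition" in
        *Approved*|*Denied*|*Failed*) echo "skip already-handled"; return 1 ;;
    esac
    case "$signer" in
        kubernetes.io/kube-apiserver-client-kubelet)
            # Client certs: first bootstrap (kubelet-bootstrap) or a node renewing its own.
            case "$requestor" in
                kubelet-bootstrap|system:node:?*) ;;
                *) echo "skip unexpected-requestor"; return 1 ;;
            esac
            ;;
        kubernetes.io/kubelet-serving)
            # Serving certs: only a node identity; live mode also checks the CSR subject.
            case "$requestor" in
                system:node:?*) ;;
                *) echo "skip unexpected-requestor"; return 1 ;;
            esac
            ;;
        *)
            echo "skip unexpected-signer"; return 1 ;;
    esac
    echo approve
}

# Live-mode helper: decode the CSR's PEM and require its CN to equal the
# requestor, so a node cannot obtain a serving cert in another node's name.
csr_subject_matches() {
    local name=$1 requestor=$2 cn
    cn=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' \
        | base64 -d | openssl req -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$requestor" ]
}

# Read "name signer requestor condition" rows on stdin, print one decision each.
process_csr_lines() {
    local name signer requestor condition decision
    while read -r name signer requestor condition; do
        [ -n "$name" ] || continue
        decision=$(csr_policy "$name" "$signer" "$requestor" "$condition")
        printf '%s %s\n' "$name" "$decision"
    done
}

# Constructed sample rows: one already-issued CSR as on the page, two legitimate
# pending ones, and two that the blanket script would have approved wrongly.
SAMPLE_CSRS='csr-44lt8 kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
csr-new01 kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap <none>
csr-new02 kubernetes.io/kubelet-serving system:node:centos7-b <none>
csr-bad01 kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:default:x <none>
csr-bad02 kubernetes.io/kube-apiserver-client system:node:centos7-c <none>'

if [ "${1:-}" = "--live" ]; then
    # Live mode: same column shape as SAMPLE_CSRS, straight from the cluster.
    kubectl get csr --no-headers \
        -o custom-columns=NAME:.metadata.name,SIGNER:.spec.signerName,REQUESTOR:.spec.username,COND:.status.conditions[*].type \
    | while read -r name signer requestor condition; do
        csr_policy "$name" "$signer" "$requestor" "$condition" >/dev/null || continue
        if [ "$signer" = kubernetes.io/kubelet-serving ] && ! csr_subject_matches "$name" "$requestor"; then
            echo "$name: CSR subject does not match requestor, leaving Pending" >&2
            continue
        fi
        kubectl certificate approve "$name"
    done
else
    # Offline demo over the constructed rows: prints "<name> approve" or "<name> skip <reason>".
    printf '%s\n' "$SAMPLE_CSRS" | process_csr_lines
fi
```

Run it without arguments to see the decisions on the sample rows; run it with --live against a real cluster to approve only what the policy allows. The serving-certificate branch still does not verify the requested SANs against the node's addresses, so keep a human or a dedicated approver in the loop for nodes whose names or IPs you do not otherwise trust.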
The state after automatic issuance looks like this:

[root@centos7-a kubelet]# kubectl get csr
NAME        AGE     SIGNERNAME                                    REQUESTOR           CONDITION
csr-44lt8   4m10s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued
csr-45njg   0s      kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued
csr-nsbc9   4m9s    kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued
csr-vk64f   4m9s    kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued
csr-wftvq   59s     kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued

3.9 Install kube-proxy

Copy the corresponding binary to all nodes:
[root@centos7-nginx ~]# cd k8s-1.18.3/kubernetes/server/bin/
[root@centos7-nginx bin]# ansible k8s -m copy -a "src=./kube-proxy dest=/opt/kubernetes/bin mode=755"