目录

一 kubernetes软件包下载

创建工作目录

二 部署api-server

创建api-server文件

生成apiserver证书

配置token自动颁发证书

创建配置文件

创建apiserver服务配置文件

同步文件


一 kubernetes软件包下载

https://github.com/kubernetes/kubernetes （在 Releases 页面下载 kubernetes-server-linux-amd64.tar.gz，并记下发布说明（CHANGELOG）中给出的 sha512 校验值；解压前先校验，二进制会以 root 身份分发到所有节点，被篡改的压缩包等于整个集群失陷。）

[root@master k8s-work]# ls
etcd_work  kubernetes-server-linux-amd64.tar.gz

[root@master k8s-work]# tar xf kubernetes-server-linux-amd64.tar.gz
[root@master k8s-work]# cd kubernetes/server/bin
[root@master bin]# cp kube-apiserver kube-controller-manager kube-scheduler kubectl \
kubelet kube-proxy  /usr/local/bin/
[root@master bin]# scp kubelet kube-proxy node1:/usr/local/bin
[root@master bin]# scp kubelet kube-proxy node2:/usr/local/bin
[root@master bin]# scp kubelet kube-proxy node3:/usr/local/bin

创建工作目录

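# Working directories for the control plane. /etc/kubernetes/ssl will hold the CA private key,
# the apiserver private key and token.csv, so make the directory root-only. The kube-apiserver
# unit in this guide has no User= and therefore runs as root; relax the mode only if a
# component is later run unprivileged.
mkdir -p /etc/kubernetes/
mkdir -p /etc/kubernetes/ssl
chmod 700 /etc/kubernetes/ssl
mkdir -p /var/log/kubernetes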

二 部署api-server

创建api-server文件

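# CSR for the kube-apiserver serving certificate. Every name a client may use to reach the API
# server must appear in "hosts" (the certificate's SAN list): the node IPs, the first IP of the
# service CIDR (10.96.0.1, the in-cluster "kubernetes" service) and the DNS names of that service.
# The DNS entries must be spelled exactly — a typo such as "kubernetes,dafault.svc" leaves
# in-cluster clients that dial kubernetes.default.svc.cluster.local failing TLS verification.
# Add 127.0.0.1 if anything will talk to the API server over loopback.
cat > kubernetes-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
    "192.168.1.111",
    "192.168.1.110",
    "192.168.1.112",
    "192.168.1.113",
    "10.96.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "nanjing",
            "ST": "nanjing"
        }
    ]
}
EOF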

生成apiserver证书

# Sign the apiserver serving certificate with the cluster CA (ca.pem / ca-key.pem) using the
# "kubernetes" profile from ca-config.json. cfssljson -bare writes kube-apiserver.pem,
# kube-apiserver-key.pem and kube-apiserver.csr into the current directory; the key file is a
# secret from this point on and is copied to /etc/kubernetes/ssl later in this guide.
[root@master k8s-work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kube-apiserver

配置token自动颁发证书

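# Bootstrap token used by kubelets for TLS bootstrapping (--token-auth-file below).
# Generate it on this host instead of pasting a fixed value: anyone holding the token can
# join a node, and a token in a static --token-auth-file never expires and can only be
# revoked by editing the file and restarting kube-apiserver. Record the value — the kubelet
# bootstrap kubeconfig created later must carry the same token.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# Columns: token,user,uid,"group". The file is a credential: keep it root-only.
cat > token.csv << EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
chmod 600 token.csv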

创建配置文件

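# Environment file consumed by the kube-apiserver systemd unit (EnvironmentFile=). The whole
# option string is ONE double-quoted value continued with trailing backslashes, so it must open
# with a single KUBE_APISERVER_OPTS=" and close only after the last option (--v=2"). A stray
# quote in the middle truncates the value and every option after it is silently dropped.
#
# Review notes on the flags (kept as written so the deployment still starts; address before
# production use):
#  - --service-account-key-file / --service-account-signing-key-file point at the cluster CA
#    key. Service-account tokens should be signed with a dedicated key pair (e.g. sa.key/sa.pub)
#    so the CA key does not double as a token-signing key.
#  - --service-account-issuer=api is not a URL; kubeadm uses an issuer such as
#    https://kubernetes.default.svc.cluster.local, and a bare string cannot serve as a
#    discoverable OIDC issuer for external token validators.
#  - --kubelet-client-certificate/-key reuse the serving certificate, and
#    --kubelet-certificate-authority is not set, so the API server does not verify kubelet
#    serving certificates when it proxies logs/exec to nodes.
#  - --audit-log-* are configured but there is no --audit-policy-file; without a policy the
#    log backend is not expected to record any events.
#  - --runtime-config=api/all=true also enables alpha APIs; enable only what is needed.
#  - --allow-privileged=true is usually required for CNI pods but lets any principal that can
#    create pods run privileged containers; constrain it with admission policy.
cat > /etc/kubernetes/kube-apiserver.conf << 'EOF'
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction,DefaultStorageClass \
--anonymous-auth=false \
--bind-address=192.168.1.110 \
--secure-port=6443 \
--advertise-address=192.168.1.110 \
--insecure-port=0 \
--service-cluster-ip-range=10.96.0.0/16 \
--authorization-mode=RBAC,Node \
--runtime-config=api/all=true \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/ssl/token.csv \
--service-node-port-range=30000-32767 \
--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-issuer=api \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--etcd-servers=https://192.168.1.110:2379 \
--enable-swagger-ui=true \
--allow-privileged=true \
--apiserver-count=1 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kube-apiserver-audit.log \
--event-ttl=1h \
--log-dir=/var/log/kubernetes \
--alsologtostderr=true \
--logtostderr=false \
--v=2"
EOF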

创建apiserver服务配置文件

备注：按理应通过 EnvironmentFile 引用上述配置文件。之前一直启动失败，从配置文件本身看，更可能的原因是引号而不是内存：`KUBE_APISERVER_OPTS="` 被写了两遍，并且 `--audit-log-path=/var/log/kube-apiserver-audit.log` 后面多了一个 `"`，导致变量值在该处被截断、其后的参数全部丢失。把引号修正为只在开头和结尾（`--v=2"`）各一个后，EnvironmentFile 方式即可正常工作；下面是把参数直接写进 ExecStart 的等价写法。

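[root@master log]# cat  /etc/systemd/system/kube-apiserver.service 
[Unit]
Description=Kubernetes API Server
After=etcd.service

[Service]
# Either form works once the environment file is quoted correctly (a single opening
# KUBE_APISERVER_OPTS=" and a single closing quote after --v=2); the inline ExecStart below
# carries the same option set. There is no User= here, so the API server runs as root.
##EnvironmentFile=-/etc/kubernetes/kube-apiserver.conf
##ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
# Review notes (flags kept as written; address before production use):
#  - --service-account-key-file/--service-account-signing-key-file reuse the cluster CA key;
#    service-account tokens should be signed with a dedicated key pair.
#  - --service-account-issuer=api is not a URL (kubeadm uses
#    https://kubernetes.default.svc.cluster.local).
#  - --kubelet-client-* reuse the serving certificate and --kubelet-certificate-authority is
#    unset, so kubelet serving certificates are not verified by the API server.
#  - --audit-log-* without --audit-policy-file is not expected to record any audit events.
#  - --runtime-config=api/all=true enables alpha APIs as well.
#  - --allow-privileged=true: constrain who may create privileged pods via admission policy.
# Systemd directive names are case-sensitive: "limitNOFILE" would be ignored with an
# "Unknown key name" warning, so the limit is spelled LimitNOFILE below.
ExecStart=/usr/local/bin/kube-apiserver \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction,DefaultStorageClass \
--anonymous-auth=false \
--bind-address=192.168.1.110 \
--secure-port=6443 \
--advertise-address=192.168.1.110 \
--insecure-port=0 \
--service-cluster-ip-range=10.96.0.0/16 \
--authorization-mode=RBAC,Node \
--runtime-config=api/all=true \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/ssl/token.csv \
--service-node-port-range=30000-32767 \
--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-issuer=api \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--etcd-servers=https://192.168.1.110:2379 \
--enable-swagger-ui=true \
--allow-privileged=true \
--apiserver-count=1 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kube-apiserver-audit.log \
--event-ttl=1h \
--log-dir=/var/log/kubernetes \
--alsologtostderr=true \
--logtostderr=false \
--v=2

Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target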

同步文件

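[root@master k8s-work]# cp ca*.pem /etc/kubernetes/ssl/
[root@master k8s-work]# cp kube-apiserver*.pem /etc/kubernetes/ssl/
[root@master k8s-work]# cp token.csv /etc/kubernetes/ssl/
# ca-key.pem, kube-apiserver-key.pem and token.csv are credentials: with them one can mint
# certificates or service-account tokens for this cluster, or join a node. Keep them root-only.
[root@master k8s-work]# chmod 600 /etc/kubernetes/ssl/*-key.pem /etc/kubernetes/ssl/token.csv
## For a multi-master setup these files and the config file must also be copied to the other master nodes.
[root@master log]# cat 1.sh 
systemctl daemon-reload
# Do not run `echo "" > messages` from /var/log to quiet the output: truncating /var/log/messages
# destroys the host's syslog history, which is exactly what an incident investigation needs.
# Read the API server's own log from the journal instead.
systemctl restart  kube-apiserver  && systemctl status kube-apiserver --no-pager
journalctl -u kube-apiserver -n 50 --no-pager
# Verify the serving certificate against the CA that issued it instead of passing --insecure;
# the host IP is in the certificate's SAN list, so verification succeeds. The 401 below is the
# expected result: --anonymous-auth=false means an unauthenticated request is rejected rather
# than served.
[root@master ~]# curl --cacert /etc/kubernetes/ssl/ca.pem https://192.168.1.110:6443
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}
[root@master ~]#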
