1 Deploying kube-controller-manager
1.1 Introduction to kube-controller-manager
This experiment deploys a three-instance kube-controller-manager cluster. After startup the instances compete in a leader election: one becomes the leader and the others block. When the leader becomes unavailable, the blocked instances elect a new leader, so the service stays available.
To secure its communications, this document generates an X.509 certificate and private key for kube-controller-manager, which uses them in two cases:
- Communicating with the secure port of kube-apiserver;
- Serving metrics in Prometheus format on the secure port (HTTPS, 10252).
1.2 Creating the kube-controller-manager certificate and private key
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# cat > kube-controller-manager-csr.json <<EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [
    "127.0.0.1",
    "172.24.8.71",
    "172.24.8.72",
    "172.24.8.73",
    "172.24.8.100"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:kube-controller-manager",
      "OU": "system"
    }
  ]
}
EOF
# create the kube-controller-manager certificate request file
Explanation:
The hosts list contains the IP addresses of all kube-controller-manager nodes.
The CN and O fields are both system:kube-controller-manager; Kubernetes' built-in ClusterRoleBinding system:kube-controller-manager grants kube-controller-manager the permissions it needs to work.
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
# generate the key and certificate
Warning: You need to perform this step only on master01.
1.3 Distributing the certificate and private key
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# for master_ip in ${MASTER_IPS[@]}
do
  echo ">>> ${master_ip}"
  scp kube-controller-manager*.pem root@${master_ip}:/etc/kubernetes/cert/
done
Warning: You need to perform this step only on master01.
1.4 Creating and distributing the kubeconfig
kube-controller-manager uses a kubeconfig file to access the apiserver; the file carries the apiserver address, the embedded CA certificate, and the kube-controller-manager client certificate:
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/k8s/work/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-controller-manager.kubeconfig

[root@master01 work]# kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=kube-controller-manager.pem \
  --client-key=kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-controller-manager.kubeconfig

[root@master01 work]# kubectl config set-context system:kube-controller-manager \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=kube-controller-manager.kubeconfig

[root@master01 work]# kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig

[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# for master_ip in ${MASTER_IPS[@]}
do
  echo ">>> ${master_ip}"
  scp kube-controller-manager.kubeconfig root@${master_ip}:/etc/kubernetes/
done
Warning: You need to perform this step only on master01.
1.5 Creating the kube-controller-manager systemd unit
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# cat > kube-controller-manager.service.template <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
WorkingDirectory=${K8S_DIR}/kube-controller-manager
ExecStart=/opt/k8s/bin/kube-controller-manager \\
  --secure-port=10257 \\
  --bind-address=127.0.0.1 \\
  --profiling \\
  --cluster-name=kubernetes \\
  --controllers=*,bootstrapsigner,tokencleaner \\
  --kube-api-qps=1000 \\
  --kube-api-burst=2000 \\
  --leader-elect \\
  --use-service-account-credentials \\
  --concurrent-service-syncs=2 \\
  --tls-cert-file=/etc/kubernetes/cert/kube-controller-manager.pem \\
  --tls-private-key-file=/etc/kubernetes/cert/kube-controller-manager-key.pem \\
  --authentication-kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \\
  --client-ca-file=/etc/kubernetes/cert/ca.pem \\
  --requestheader-allowed-names="system:metrics-server" \\
  --requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \\
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --cluster-signing-cert-file=/etc/kubernetes/cert/ca.pem \\
  --cluster-signing-key-file=/etc/kubernetes/cert/ca-key.pem \\
  --experimental-cluster-signing-duration=87600h \\
  --horizontal-pod-autoscaler-sync-period=10s \\
  --concurrent-deployment-syncs=10 \\
  --concurrent-gc-syncs=30 \\
  --node-cidr-mask-size=24 \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --cluster-cidr=${CLUSTER_CIDR} \\
  --pod-eviction-timeout=6m \\
  --terminated-pod-gc-threshold=10000 \\
  --root-ca-file=/etc/kubernetes/cert/ca.pem \\
  --service-account-private-key-file=/etc/kubernetes/cert/ca-key.pem \\
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \\
  --logtostderr=true \\
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
Warning: You need to perform this step only on master01.
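As an added check that is not part of the original tutorial: the Python below parses the ExecStart line of a unit file written the way the heredoc above writes it (continued lines end in a single backslash) and compares the security-relevant flags against the settings chosen above (loopback bind address, TLS files, client CA, per-controller service-account credentials). The sample unit is constructed and deliberately weakened so that the audit has something to report.

```python
# Constructed sample of a kube-controller-manager unit as written to disk by
# the heredoc above; two settings are deliberately weakened for the audit.
SAMPLE_UNIT = """[Unit]
Description=Kubernetes Controller Manager

[Service]
ExecStart=/opt/k8s/bin/kube-controller-manager \\
  --secure-port=10257 \\
  --bind-address=0.0.0.0 \\
  --leader-elect \\
  --tls-cert-file=/etc/kubernetes/cert/kube-controller-manager.pem \\
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \\
  --v=2
Restart=on-failure
"""

# Flags the unit above uses for its own credentials and for the CA that
# authenticates callers of the secure port.
REQUIRED_FLAGS = ("tls-cert-file", "tls-private-key-file", "client-ca-file", "kubeconfig")


def parse_exec_start(unit_text):
    """Join the backslash-continued ExecStart= line and return (binary, flags).
    --name=value becomes flags["name"] = "value"; a bare --name becomes "true"."""
    parts, collecting = [], False
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            collecting, line = True, line[len("ExecStart="):]
        if not collecting:
            continue
        line = line.rstrip()
        parts.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            break
    tokens = " ".join(parts).split()
    if not tokens:
        raise ValueError("no ExecStart= line in unit")
    flags = {}
    for tok in tokens[1:]:
        name, _, value = tok.lstrip("-").partition("=")
        flags[name] = value or "true"
    return tokens[0], flags


def audit(flags):
    """Report where the parsed flags deviate from the settings in the unit above."""
    findings = []
    if flags.get("bind-address", "0.0.0.0") != "127.0.0.1":  # 0.0.0.0 is the default
        findings.append("bind-address: secure port is not limited to loopback")
    if flags.get("secure-port") == "0":
        findings.append("secure-port=0 disables the authenticated HTTPS endpoint")
    findings += [f"missing --{n}" for n in REQUIRED_FLAGS if n not in flags]
    if flags.get("leader-elect") == "false":
        findings.append("leader-elect=false: instances would not coordinate")
    if flags.get("use-service-account-credentials") != "true":
        findings.append("use-service-account-credentials not set: controllers share one identity")
    return findings
```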
1.6 Distributing the systemd unit
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# for master_ip in ${MASTER_IPS[@]}
do
  echo ">>> ${master_ip}"
  scp kube-controller-manager.service.template root@${master_ip}:/etc/systemd/system/kube-controller-manager.service
done
# distribute the unit file
Warning: You need to perform this step only on master01.
2 Starting and verifying
2.1 Starting the kube-controller-manager service
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# for master_ip in ${MASTER_IPS[@]}
do
  echo ">>> ${master_ip}"
  ssh root@${master_ip} "mkdir -p ${K8S_DIR}/kube-controller-manager"
  ssh root@${master_ip} "systemctl daemon-reload && systemctl enable kube-controller-manager && systemctl restart kube-controller-manager"
done
Warning: You need to perform this step only on master01.
2.2 Checking the kube-controller-manager service
[root@master01 ~]# cd /opt/k8s/work
[root@master01 work]# source /root/environment.sh
[root@master01 work]# for master_ip in ${MASTER_IPS[@]}
do
  echo ">>> ${master_ip}"
  ssh root@${master_ip} "systemctl status kube-controller-manager|grep Active"
done
Warning: You need to perform this step only on master01.
2.3 Viewing the metrics output
[root@master01 work]# curl -s --cacert /opt/k8s/work/ca.pem --cert /opt/k8s/work/admin.pem --key /opt/k8s/work/admin-key.pem https://127.0.0.1:10257/metrics | head
Warning: You need to perform this step only on master01.
2.4 Viewing Permissions
[root@master01 ~]# kubectl describe clusterrole system:kube-controller-manager
The ClusterRole system:kube-controller-manager has very limited permissions: it can only create resource objects such as Secret and ServiceAccount. The permissions of each controller are delegated to the ClusterRole system:controller:XXX.
When --use-service-account-credentials=true is among the kube-controller-manager startup parameters, the main controller creates a ServiceAccount XXX-controller for each controller, and the built-in ClusterRoleBinding system:controller:XXX grants the corresponding ClusterRole system:controller:XXX to each XXX-controller ServiceAccount.
[root@master01 ~]# kubectl get clusterrole | grep controller
For example, the deployment controller:
[root@master01 ~]# kubectl describe clusterrole system:controller:deployment-controller
Warning: You need to perform this step only on master01.
2.5 Viewing the Current Leader
[root@master01 ~]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
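The leader is recorded in the control-plane.alpha.kubernetes.io/leader annotation of that Endpoints object. As an added example that is not part of the original tutorial, the Python below reads that annotation from a constructed sample of the annotations block, reports which master holds the lease and whether the lease is still valid at a given time; an expired lease is the condition under which the blocked instances may take over. The uuid in the holder identity is made up.

```python
import json
from datetime import datetime, timedelta, timezone

# kube-controller-manager writes its leader-election record into this
# annotation on the kube-controller-manager Endpoints object in kube-system.
LEADER_ANNOTATION = "control-plane.alpha.kubernetes.io/leader"

# Constructed sample of the annotations block as printed by the kubectl
# command above; holderIdentity is "<hostname>_<uuid>" with a made-up uuid.
SAMPLE_ANNOTATIONS = {
    LEADER_ANNOTATION: json.dumps({
        "holderIdentity": "master01_7f1c2b6a-0000-4000-8000-000000000001",
        "leaseDurationSeconds": 15,
        "acquireTime": "2020-05-01T08:00:00Z",
        "renewTime": "2020-05-01T08:05:12Z",
        "leaderTransitions": 2,
    })
}


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps used in the record."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def leader_status(annotations, now):
    """Return who holds the lease and whether it is still valid at `now`.
    A lease past renewTime + leaseDurationSeconds is free to be acquired."""
    raw = annotations.get(LEADER_ANNOTATION)
    if raw is None:
        return {"holder": None, "valid": False, "transitions": 0}
    record = json.loads(raw)
    renew = parse_time(record["renewTime"])
    expires = renew + timedelta(seconds=record["leaseDurationSeconds"])
    return {
        "holder": record["holderIdentity"].split("_", 1)[0],  # hostname part
        "identity": record["holderIdentity"],
        "expires_at": expires,
        "valid": now < expires,
        "held_for": renew - parse_time(record["acquireTime"]),
        "transitions": record["leaderTransitions"],
    }


if __name__ == "__main__":
    print(leader_status(SAMPLE_ANNOTATIONS, datetime.now(timezone.utc)))
```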
Kubelet authentication and authorization: kubernetes.io/docs/admin/…