Generate an apiserver certificate!
vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "876000h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
Example: create the CA configuration JSON file.
Configuration files required to create the apiserver certificate:
vim kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
vim server-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "10.100.97.55",
    "10.100.97.78",
    "10.100.97.79",
    "10.100.97.80",
    "10.100.97.81",
    "10.100.97.82",
    "10.100.97.83"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
The four files created so far:
├── ca-config.json
├── ca-csr.json
├── kube-proxy-csr.json
└── server-csr.json
Generate the certificates
# Create the self-signed cluster CA. `cfssljson -bare ca` writes ca.pem (certificate),
# ca-key.pem (private key) and ca.csr; the trailing "-" tells cfssljson to read stdin.
# ca-key.pem is the cluster's root of trust: keep it mode 0600 and only on the host
# that runs the signing controller.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# Issue the apiserver certificate (server.pem / server-key.pem) under the "kubernetes"
# profile of ca-config.json. The "hosts" list in server-csr.json must contain every
# address or name clients will use to reach the apiserver, or TLS verification fails.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# Issue the kube-proxy client certificate (kube-proxy.pem / kube-proxy-key.pem).
# ca-config.json gives both the default and the kubernetes profile an 876000h (~100 year)
# expiry, so nothing here ever forces rotation — shorten it if rotation matters to you.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
Deploying the master node
Binary package download address: github.com/kubernetes/…
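# Directory layout used by the rest of this guide:
#   bin = binaries, cfg = EnvironmentFile configs, ssl = certificates and keys,
#   k8s = left empty in this guide.
mkdir -p /opt/kubernetes/{bin,cfg,k8s,ssl}
# Download the server tarball. dl.k8s.io publishes a SHA-512 checksum alongside each
# tarball; compare it before extracting instead of trusting the download blindly.
wget "https://dl.k8s.io/v1.16.1/kubernetes-server-linux-amd64.tar.gz"
tar xvf kubernetes-server-linux-amd64.tar.gz
# Copies every certificate generated above, including ca-key.pem. The controller manager
# needs the CA key for cluster signing on this host, but it must not be copied to workers.
cp *.pem /opt/kubernetes/ssl/
# Binaries live in kubernetes/server/bin of the extracted tarball; the original guide
# extracted it under /usr/local/src — adjust the source path if you extracted elsewhere.
cp /usr/local/src/kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl} /opt/kubernetes/bin/
# The configuration files created next go into /opt/kubernetes/cfg/.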
vim kube-apiserver.conf
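# kube-apiserver flags, consumed through EnvironmentFile= in kube-apiserver.service
# (flag names were re-joined from a wrapped listing; etcd endpoints are comma-separated
# with no spaces). Review notes on the security-relevant settings:
#  - --service-account-key-file points at the CA private key; a dedicated keypair is the
#    usual choice so that a leaked token-signing key is not a CA compromise.
#  - --token-auth-file is a static token list: entries cannot be revoked without an
#    apiserver restart, so keep token.csv mode 0600 and limit it to bootstrap tokens.
#  - --insecure-port is not set to 0: in v1.16 the unauthenticated localhost port 8080
#    stays enabled, and the controller-manager/scheduler configs below depend on it.
#  - server.pem/server-key.pem serve as both the TLS serving cert and the kubelet client cert.
KUBE_APISERVER_OPTS="--logtostderr=false \
  --v=2 \
  --log-dir=/opt/kubernetes/logs \
  --etcd-servers=https://10.100.97.78:2379,https://10.100.97.79:2379,https://10.100.97.55:2379 \
  --bind-address=10.100.97.78 \
  --secure-port=6443 \
  --advertise-address=10.100.97.78 \
  --allow-privileged=true \
  --service-cluster-ip-range=10.0.0.0/24 \
  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
  --authorization-mode=RBAC,Node \
  --enable-bootstrap-token-auth=true \
  --token-auth-file=/opt/kubernetes/cfg/token.csv \
  --service-node-port-range=30000-32767 \
  --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
  --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
  --tls-cert-file=/opt/kubernetes/ssl/server.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/etcd/ssl/ca.pem \
  --etcd-certfile=/opt/etcd/ssl/server.pem \
  --etcd-keyfile=/opt/etcd/ssl/server-key.pem \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"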
# # # # #
vim kube-controller-manager.conf
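# kube-controller-manager flags, consumed through EnvironmentFile= in
# kube-controller-manager.service (flag names re-joined from a wrapped listing).
# NOTE(review): --service-cluster-ip-range=192.0.0.0/24 does not match the apiserver's
# 10.0.0.0/24, and --cluster-cidr=192.244.0.0/16 is not an RFC 1918 range; both look like
# typos in the original guide — confirm against the apiserver config and the pod network.
# --master=127.0.0.1:8080 talks to the apiserver's insecure port (plaintext, no
# authentication), so any process on the master's loopback has full API access; pointing
# --kubeconfig at the 6443 endpoint with a client certificate is the authenticated alternative.
# --service-account-private-key-file reuses the CA key; a dedicated service-account keypair
# keeps a token-signing key leak from being a CA compromise (it must pair with the
# apiserver's --service-account-key-file).
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
  --v=2 \
  --log-dir=/opt/kubernetes/logs \
  --leader-elect=true \
  --master=127.0.0.1:8080 \
  --address=127.0.0.1 \
  --allocate-node-cidrs=true \
  --cluster-cidr=192.244.0.0/16 \
  --service-cluster-ip-range=192.0.0.0/24 \
  --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --experimental-cluster-signing-duration=87600h0m0s"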
# # # # #
vim kube-scheduler.conf
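# kube-scheduler flags, consumed through EnvironmentFile= in kube-scheduler.service
# (flag names re-joined from a wrapped listing). As with the controller manager,
# --master=127.0.0.1:8080 relies on the apiserver's unauthenticated localhost port.
KUBE_SCHEDULER_OPTS="--logtostderr=false \
  --v=2 \
  --log-dir=/opt/kubernetes/logs \
  --leader-elect \
  --master=127.0.0.1:8080 \
  --address=127.0.0.1"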
Create the systemd unit files in /usr/lib/systemd/system
##########cat kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
# # # # # # # # # # # # # # # # # # # # # #
cat kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
# # # # # # # # # # # # # # # # # # # # # # # #
cat kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
# # # # # # # # # # # # # # #
Enable TLS Bootstrapping: vim /opt/kubernetes/cfg/token.csv
[root@master1 cfg]# tree /opt/kubernetes/
/opt/kubernetes/
├── bin
│   ├── kube-apiserver
│   ├── kube-controller-manager
│   ├── kube-scheduler
│   └── kubectl
├── cfg
│   ├── kube-apiserver.conf
│   ├── kube-controller-manager.conf
│   ├── kube-scheduler.conf
│   └── token.csv
├── k8s
└── ssl
    ├── ca-key.pem
    ├── ca.pem
    ├── kube-proxy-key.pem
    ├── kube-proxy.pem
    ├── server-key.pem
    └── server.pem
# # # # # # # # # # # # # # # # # #
Starting the binary manually first surfaces errors in the parameters
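# Run the API server in the foreground once with the same flags as kube-apiserver.conf
# (only --logtostderr differs) so that typos in flag names and file paths show up
# immediately. Stop it before starting the systemd unit.
/opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=2 --log-dir=/opt/kubernetes/logs \
  --etcd-servers=https://10.100.97.78:2379,https://10.100.97.79:2379,https://10.100.97.55:2379 \
  --bind-address=10.100.97.78 --secure-port=6443 --advertise-address=10.100.97.78 \
  --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 \
  --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
  --authorization-mode=RBAC,Node --enable-bootstrap-token-auth=true \
  --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-32767 \
  --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
  --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
  --tls-cert-file=/opt/kubernetes/ssl/server.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem \
  --etcd-keyfile=/opt/etcd/ssl/server-key.pem \
  --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/logs/k8s-audit.log
# Start the apiserver first: the controller manager and scheduler connect to it on
# 127.0.0.1:8080 and will restart (Restart=on-failure) until it is up.
systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler
# Enable the three units at boot.
systemctl enable kube-apiserver
systemctl enable kube-controller-manager
systemctl enable kube-scheduler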