Preface

This series records and shares the detailed process of building a K8S cluster from binaries. Because the procedure is long, it is written in four parts:

  1. Preparing the machines
  2. Deploying the ETCD cluster
  3. Deploying the Master
  4. Deploying the Nodes

We already know that the Master of K8S runs three components: kube-apiserver, kube-controller-manager and kube-scheduler. Besides installing these components on the Master machine, you also need to install the kubectl tool if you want to operate the cluster from the Master machine.

Install kubectl

Kubectl is included in the kubernetes installation package and is easy to deploy:

cd /root/kubernetes/resources/
tar -zxvf ./kubernetes-server-linux-amd64.tar.gz
cp kubernetes/server/bin/kubectl /usr/bin
kubectl api-versions

Create the kubernetes certificates

mkdir /root/kubernetes/resources/cert/kubernetes /etc/kubernetes/{ssl,bin} -p
cp kubernetes/server/bin/kube-apiserver kubernetes/server/bin/kube-controller-manager kubernetes/server/bin/kube-scheduler /etc/kubernetes/bin
cd /root/kubernetes/resources/cert/kubernetes

The following steps are performed on the Master machine. First edit ca-config.json:

vim ca-config.json

Write the following contents to the file:

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

Edit ca-csr.json:

vim ca-csr.json

Write the following contents to the file:

{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha",
            "O": "kubernetes",
            "OU": "System"
        }
    ]
}

Generate ca certificates and keys:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Create the kube-apiserver, kube-proxy and admin certificates. First edit kube-apiserver-csr.json:

vim kube-apiserver-csr.json

Write the following contents to the file:

{
    "CN": "kubernetes",
    "hosts": [
        "10.0.0.1",
        "127.0.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.115.131",
        "192.168.115.132",
        "192.168.115.133"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha",
            "O": "kubernetes",
            "OU": "System"
        }
    ]
}

Edit kube-proxy-csr.json:

vim kube-proxy-csr.json

Write the following contents to the file:

{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha",
            "O": "kubernetes",
            "OU": "System"
        }
    ]
}

Edit admin-csr.json:

vim admin-csr.json

Write the following contents to the file:

{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Hunan",
            "ST": "Changsha",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
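The identity fields in these CSRs are what RBAC later acts on: kube-apiserver takes a client certificate's CN as the user name and its O entries as the user's groups, so the admin certificate gets cluster-admin rights only because its O is system:masters, and kube-proxy matches its built-in role only because its CN is system:kube-proxy. The apiserver's own certificate is a serving certificate, so every IP and DNS name a client may connect to must be listed in hosts. The following Python script is an added example, not part of the original post; it embeds constructed copies of the four CSR definitions above and checks these invariants before anything is signed. The master IPs and the service cluster IP it assumes are the ones used in this guide.

```python
import json

# Constructed inline copies of the CSR definitions from this guide, so the
# check runs without the files on disk. In practice read them from
# /root/kubernetes/resources/cert/kubernetes/ instead.
CSR_FILES = {
    "ca-csr.json": '{"CN": "kubernetes", "key": {"algo": "rsa", "size": 2048}, '
                   '"names": [{"C": "CN", "L": "Hunan", "ST": "Changsha", "O": "kubernetes", "OU": "System"}]}',
    "kube-apiserver-csr.json": (
        '{"CN": "kubernetes", "hosts": ["10.0.0.1", "127.0.0.1", "kubernetes", '
        '"kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", '
        '"kubernetes.default.svc.cluster.local", "192.168.115.131", "192.168.115.132", '
        '"192.168.115.133"], "key": {"algo": "rsa", "size": 2048}, '
        '"names": [{"C": "CN", "L": "Hunan", "ST": "Changsha", "O": "kubernetes", "OU": "System"}]}'
    ),
    "kube-proxy-csr.json": '{"CN": "system:kube-proxy", "hosts": [], "key": {"algo": "rsa", "size": 2048}, '
                           '"names": [{"C": "CN", "L": "Hunan", "ST": "Changsha", "O": "kubernetes", "OU": "System"}]}',
    "admin-csr.json": '{"CN": "admin", "hosts": [], "key": {"algo": "rsa", "size": 2048}, '
                      '"names": [{"C": "CN", "L": "Hunan", "ST": "Changsha", "O": "system:masters", "OU": "System"}]}',
}

# Assumed from this guide: the three master IPs and the first IP of the
# service range 10.0.0.0/24, which the in-cluster "kubernetes" service uses.
MASTER_IPS = ["192.168.115.131", "192.168.115.132", "192.168.115.133"]
SERVICE_CLUSTER_IP = "10.0.0.1"
APISERVER_DNS_NAMES = [
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local",
]


def identity(csr):
    """(user, groups) that kube-apiserver derives from a client cert: CN -> user, O -> groups."""
    return csr["CN"], [n["O"] for n in csr.get("names", []) if "O" in n]


def check_csr(filename, csr):
    """Return a list of problems with one CSR definition (empty list = consistent)."""
    problems = []
    key = csr.get("key", {})
    if key.get("algo") != "rsa" or int(key.get("size", 0)) < 2048:
        problems.append("key must be RSA 2048 or stronger")
    if filename == "kube-apiserver-csr.json":
        # A serving cert is validated by name: every address a client may use must be a SAN.
        required = set(MASTER_IPS + APISERVER_DNS_NAMES + [SERVICE_CLUSTER_IP, "127.0.0.1"])
        missing = sorted(required - set(csr.get("hosts", [])))
        if missing:
            problems.append("apiserver cert is missing SANs: " + ", ".join(missing))
    elif filename == "kube-proxy-csr.json":
        if csr.get("CN") != "system:kube-proxy":
            problems.append("kube-proxy must authenticate as system:kube-proxy to match the built-in RBAC role")
    elif filename == "admin-csr.json":
        _user, groups = identity(csr)
        if "system:masters" not in groups:
            problems.append("admin cert is not in group system:masters, so kubectl will not have cluster-admin rights")
    return problems


def check_all(files):
    """Map filename -> problems, listing only the files that have any."""
    result = {}
    for name, text in files.items():
        problems = check_csr(name, json.loads(text))
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    for name, text in CSR_FILES.items():
        print(name, "->", identity(json.loads(text)))
    print(check_all(CSR_FILES) or "all CSR definitions are consistent")
```

A practical consequence of the CN/O mapping: the admin key pair generated from this CSR is a cluster-admin credential with no expiry short of the 87600h in ca-config.json, so it should be handled like the CA key itself.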

Generate the certificates and keys:

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
# Files generated in this directory
ll
-rw-r--r--. 1 root root 1001 May 28 00:32 admin.csr
-rw-r--r--. 1 root root  282 May 28 00:32 admin-csr.json
-rw-------. 1 root root 1679 May 28 00:32 admin-key.pem
-rw-r--r--. 1 root root 1407 May 28 00:32 admin.pem
-rw-r--r--. 1 root root  294 May 28 00:30 ca-config.json
-rw-r--r--. 1 root root 1013 May 28 00:31 ca.csr
-rw-r--r--. 1 root root  284 May 28 00:30 ca-csr.json
-rw-------. 1 root root 1675 May 28 00:31 ca-key.pem
-rw-r--r--. 1 root root 1383 May 28 00:31 ca.pem
-rw-r--r--. 1 root root 1273 May 28 00:32 kube-apiserver.csr
-rw-r--r--. 1 root root  597 May 28 00:31 kube-apiserver-csr.json
-rw-------. 1 root root 1679 May 28 00:32 kube-apiserver-key.pem
-rw-r--r--. 1 root root 1655 May 28 00:32 kube-apiserver.pem
-rw-r--r--. 1 root root 1009 May 28 00:32 kube-proxy.csr
-rw-r--r--. 1 root root  287 May 28 00:31 kube-proxy-csr.json
-rw-------. 1 root root 1679 May 28 00:32 kube-proxy-key.pem
-rw-r--r--. 1 root root 1411 May 28 00:32 kube-proxy.pem

Copy the kube-proxy certificate to the Node machines:

Create the directory on each Node machine:

mkdir /etc/kubernetes/ -p

Then copy the certificates from the Master machine:

cp ca.pem ca-key.pem kube-apiserver.pem kube-apiserver-key.pem kube-proxy.pem kube-proxy-key.pem /etc/kubernetes/ssl
scp -r /etc/kubernetes/ssl 192.168.115.132:/etc/kubernetes
scp -r /etc/kubernetes/ssl 192.168.115.133:/etc/kubernetes

Create the TLS Bootstrapping token

cd /etc/kubernetes
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
# The previous command prints a token such as d5c5d767b64db39db132b433e9c45fbc; it is used below when editing token.csv
vim token.csv

Write the following content to the file, replacing the token with the one generated above:

d5c5d767b64db39db132b433e9c45fbc,kubelet-bootstrap,10001,"system:node-bootstrapper"
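The static token file that --token-auth-file points at has one record per line: token, user name, user ID and an optional quoted, comma-separated list of groups. The token is a bearer credential: anyone who presents it is authenticated as that user, which is why the guide generates it from /dev/urandom and why the file should stay root-only. The following Python is an added example, not part of the original post; it generates a token equivalent to the head/od/tr pipeline above, writes a token.csv line in the same shape as the one in the guide, and parses the file back, rejecting malformed records. The 32-hex-character token format it enforces is an assumption taken from this guide's generator, not a requirement of kube-apiserver.

```python
import csv
import io
import re
import secrets

# Constructed copy of the token.csv line from this guide; the token value is the
# example one printed above, not a live credential.
TOKEN_CSV = 'd5c5d767b64db39db132b433e9c45fbc,kubelet-bootstrap,10001,"system:node-bootstrapper"\n'

# Assumption: tokens look like the guide's generator output, 16 random bytes as 32 lowercase hex chars.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")


def new_token():
    """Equivalent of: head -c 16 /dev/urandom | od -An -t x | tr -d ' '."""
    return secrets.token_hex(16)


def token_csv_line(token, user, uid, groups):
    """Build one token.csv record; the group list is always quoted, as in the guide."""
    if not TOKEN_RE.match(token):
        raise ValueError("token must be 32 lowercase hex characters")
    if any("," in g or '"' in g for g in groups):
        raise ValueError("group names must not contain commas or quotes")
    return '%s,%s,%s,"%s"\n' % (token, user, int(uid), ",".join(groups))


def parse_token_csv(text):
    """Parse a static token file into a list of {token, user, uid, groups} records."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # blank line
        if len(row) < 3:
            raise ValueError("each record needs at least token,user,uid: %r" % (row,))
        token, user, uid = row[0], row[1], row[2]
        if not TOKEN_RE.match(token):
            raise ValueError("token %r is not 32 lowercase hex characters" % token)
        if not uid.isdigit():
            raise ValueError("uid %r is not numeric" % uid)
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        entries.append({"token": token, "user": user, "uid": uid, "groups": groups})
    return entries


if __name__ == "__main__":
    print(parse_token_csv(TOKEN_CSV))
    line = token_csv_line(new_token(), "kubelet-bootstrap", 10001, ["system:node-bootstrapper"])
    print(line, end="")
    print(parse_token_csv(line))
```

A caveat worth keeping in mind: kube-apiserver reads this file only at startup, so a token added or revoked here takes effect after the service is restarted.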

Install kube-apiserver

Prepare the kube-apiserver configuration file:

vim apiserver

Run the command above and write the following content to the file:

KUBE_API_ARGS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--etcd-servers=https://192.168.115.131:2379,https://192.168.115.132:2379,https://192.168.115.133:2379 \
--bind-address=192.168.115.131 \
--secure-port=6443 \
--advertise-address=192.168.115.131 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/server.pem \
--etcd-keyfile=/etc/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/logs/kubernetes/k8s-audit.log"
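Most of the security posture of the control plane is decided by the flags in this file: --authorization-mode=RBAC,Node together with the NodeRestriction admission plugin limits each kubelet to its own node's objects, --client-ca-file is what makes the certificates generated earlier usable for authentication, the --kubelet-client-* pair is how the API server authenticates itself to kubelets, and --audit-log-path is the record a responder will need. The following Python script is an added example, not part of the original post; it parses an environment file in the KUBE_API_ARGS="... \" shape used here and reports weak or missing settings. It embeds a constructed copy of the file above, and the rule that flags a service account key named ca-key* is a heuristic of this example. Run against the guide's own configuration it reports exactly one finding: the service account token signing key is the cluster CA's private key, where a dedicated key pair would let the CA key stay offline.

```python
import os

# Constructed inline copy of /etc/kubernetes/apiserver as written in this guide.
APISERVER_ENV_FILE = r'''KUBE_API_ARGS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--etcd-servers=https://192.168.115.131:2379,https://192.168.115.132:2379,https://192.168.115.133:2379 \
--bind-address=192.168.115.131 \
--secure-port=6443 \
--advertise-address=192.168.115.131 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/server.pem \
--etcd-keyfile=/etc/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/logs/kubernetes/k8s-audit.log"
'''

# Flags that must be present for authentication, kubelet access, etcd TLS and auditing.
REQUIRED_FLAGS = (
    "--client-ca-file", "--tls-cert-file", "--tls-private-key-file",
    "--kubelet-client-certificate", "--kubelet-client-key",
    "--service-account-key-file", "--etcd-cafile", "--audit-log-path",
)
SA_KEY_FINDING = ("--service-account-key-file reuses the cluster CA private key; "
                  "use a dedicated key pair for service account tokens")


def parse_env_args(text):
    """Parse NAME="--flag=value \<newline>..." into (NAME, {flag: value}); bare flags map to None."""
    name, _, value = text.strip().partition("=")
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    # A backslash at the end of a line continues the argument string, as in the shell.
    value = value.replace("\\\n", " ")
    flags = {}
    for token in value.split():
        flag, sep, val = token.partition("=")
        flags[flag] = val if sep else None
    return name.strip(), flags


def audit_apiserver(flags):
    """Return a list of findings for security-relevant kube-apiserver flags (empty = nothing to report)."""
    findings = []
    # kube-apiserver's default when the flag is absent is AlwaysAllow.
    modes = (flags.get("--authorization-mode") or "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow: every authenticated request is permitted; use RBAC,Node")
    else:
        for mode in ("RBAC", "Node"):
            if mode not in modes:
                findings.append("--authorization-mode does not include " + mode)
    plugins = (flags.get("--enable-admission-plugins") or "").split(",")
    if "Node" in modes and "NodeRestriction" not in plugins:
        findings.append("Node authorizer is enabled but the NodeRestriction admission plugin is not")
    if flags.get("--anonymous-auth") == "true":
        findings.append("--anonymous-auth=true is set explicitly")
    port = flags.get("--insecure-port")
    if port not in (None, "0"):
        findings.append("--insecure-port=%s enables an unauthenticated plain-HTTP listener" % port)
    for required in REQUIRED_FLAGS:
        if not flags.get(required):
            findings.append(required + " is not set")
    # Heuristic of this example: a signing key named ca-key* is the CA's own key.
    if os.path.basename(flags.get("--service-account-key-file") or "").startswith("ca-key"):
        findings.append(SA_KEY_FINDING)
    return findings


def audit_file(text):
    """Parse an apiserver env file and audit it in one step."""
    _name, flags = parse_env_args(text)
    return audit_apiserver(flags)


if __name__ == "__main__":
    for finding in audit_file(APISERVER_ENV_FILE) or ["no findings"]:
        print("-", finding)
```

One caveat the checker cannot see from this file alone: the controller-manager and scheduler in this guide reach the API server at 127.0.0.1:8080, the loopback-only insecure port that older releases enable by default and that has been removed from recent ones; on newer binaries those components need a kubeconfig that uses the secure port and a client certificate instead.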

Prepare the kube-apiserver service configuration file:

vim /usr/lib/systemd/system/kube-apiserver.service

Run the command above and write the following content to the file:

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
Type=notify
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/etc/kubernetes/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Start kube-apiserver:

systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
systemctl status kube-apiserver

Install kube-controller-manager

Prepare the kube-controller-manager configuration file:

vim controller-manager

Run the command above and write the following content to the file:

KUBE_CONTROLLER_MANAGER_ARGS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"

Prepare the kube-controller-manager service configuration file:

vim /usr/lib/systemd/system/kube-controller-manager.service

Run the command above and write the following content to the file:

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/etc/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Start kube-controller-manager:

systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
systemctl status kube-controller-manager

Install kube-scheduler

Prepare the kube-scheduler configuration file:

vim scheduler

Run the command above and write the following content to the file:

KUBE_SCHEDULER_ARGS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes \
--master=127.0.0.1:8080 \
--leader-elect \
--bind-address=127.0.0.1"

Prepare the kube-scheduler service configuration file:

vim /usr/lib/systemd/system/kube-scheduler.service

Run the command above and write the following content to the file:

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/etc/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Start kube-scheduler:

systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
systemctl status kube-scheduler

Authorize the kubelet-bootstrap user

kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap

Check the Master status

kubectl get cs

If the Master deployment is successful, the output should be:

NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}

Authorize the apiserver to access the kubelet

Prepare the apiserver-to-kubelet-rbac.yaml file:

cd /root/kubernetes/resources
vim apiserver-to-kubelet-rbac.yaml 

Run the command above and write the following content to the file:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
      - pods/log
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubernetes
---
# This role allows full access to the kubelet API
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-api-admin
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  - nodes/log
  - nodes/stats
  - nodes/metrics
  - nodes/spec
  verbs:
  - "*"
# This binding gives the kube-apiserver user full access to the kubelet API
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-apiserver-kubelet-api-admin
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-api-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver

Run the following command:

kubectl apply -f apiserver-to-kubelet-rbac.yaml 

This concludes the third part: the Master is deployed.