The apiserver is the entry point to the whole Kubernetes cluster, so its importance is obvious. To avoid a single point of failure, several apiserver nodes are deployed here to share apiserver traffic and provide high availability. A layer-4 or layer-7 reverse proxy in front distributes traffic across these backend apiserver nodes; if performance becomes a problem, new nodes can be added quickly to scale horizontally and share the load.
Installing and deploying the apiserver nodes
Check that the certificate files and configuration files are in the expected paths
ls /etc/kubernetes/ssl/
ca-key.pem ca.pem kubernetes-key.pem kubernetes.pem
ls /etc/kubernetes/
bootstrap.kubeconfig kube-proxy.kubeconfig ssl token.csv
Download and extract the release package, then copy the binary into /usr/local/bin
Install kube-apiserver
cp -v kube-apiserver /usr/local/bin/kube-apiserver
chmod +x /usr/local/bin/kube-apiserver
Create the apiserver control script
# Quote the delimiter so the script's $variables are written literally instead of being expanded while the file is created
cat > /data/k8s/script/kube-apiserver_ctl << 'EOF'
#!/bin/bash
# Shared environment (workdir, bin_dir, ...) plus the apiserver-specific settings
source /data/k8s/script/config/env
source $workdir/config/kube-apiserver.conf
source $workdir/config/kube-config
name="kube-apiserver"
pidfile="$workdir/run/$name.pid"
test -d $workdir/run || mkdir -p $workdir/run
test -d $workdir/log/$name || mkdir -p $workdir/log/$name
display_help(){
    echo "Usage: `basename $0` (start|stop)"
    exit 0
}
if [ $# -ne 1 ];then
    display_help
fi
KUBE_API_ARGS="--authorization-mode=Node,RBAC \
--runtime-config=rbac.authorization.k8s.io/v1beta1 \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-62767 \
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/etc/kubernetes/ssl/ca.pem \
--etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
--etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
--enable-swagger-ui=true \
--apiserver-count=3 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=$workdir/log/$name/audit.log \
--event-ttl=1h"
# Provides kill_and_wait, used by the stop action
source $workdir/pid_utils/pid_util.sh
case $1 in
start)
    exec $bin_dir/kube-apiserver \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_ETCD_SERVERS \
        $KUBE_API_ADDRESS \
        $KUBE_API_PORT \
        $KUBELET_PORT \
        $KUBE_ALLOW_PRIV \
        $KUBE_SERVICE_ADDRESSES \
        $KUBE_ADMISSION_CONTROL \
        $KUBE_API_ARGS \
        1>>$workdir/log/$name/$name.log 2>&1 &
    # Poll for up to ~45 s until the binary shows up in lsof, then record its pid
    for try in $(seq 0 9);do
        sleep $try
        echo "wait $name pid (try: $try)"
        pid=$(lsof -t $bin_dir/kube-apiserver)
        if [ -n "$pid" ]; then
            echo "$pid" > $pidfile
            echo "$name pid: $pid is running..."
            break;
        fi
    done
    ;;
stop)
    kill_and_wait $pidfile
    ;;
*)
    display_help
    ;;
esac
EOF
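The stop action relies on kill_and_wait from $workdir/pid_utils/pid_util.sh, which the page does not show. The block below is an added example implementation written for this edit, not the author's pid_util.sh: it reads the pidfile, copes with a missing, empty or stale pidfile, sends SIGTERM so the apiserver can drain in-flight requests, waits up to a timeout (the 30 s default is an assumption), escalates to SIGKILL, and removes the pidfile only once the process is gone.

```shell
#!/bin/bash
# Added example: a kill_and_wait for the pid_util.sh the control script sources.
# The page does not show that file; this is an assumed shape, not the original.
# Usage: kill_and_wait <pidfile> [timeout_seconds]
# Returns 0 when the process is gone (or the pidfile was stale), 1 when the
# pidfile is missing or unusable, 2 when the process survived SIGKILL.
kill_and_wait() {
    local pidfile="$1" timeout="${2:-30}" pid i

    if [ ! -r "$pidfile" ]; then
        echo "no pidfile at $pidfile, nothing to stop" >&2
        return 1
    fi
    pid=$(head -n1 "$pidfile" | tr -dc '0-9')
    if [ -z "$pid" ]; then
        echo "pidfile $pidfile does not contain a pid, removing it" >&2
        rm -f "$pidfile"
        return 1
    fi

    # Stale pidfile: the process already exited or the pid was recycled.
    # kill -0 also fails with EPERM for another user's process, so run this
    # as the same user that started the apiserver.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid from $pidfile is not running, removing stale pidfile"
        rm -f "$pidfile"
        return 0
    fi

    # Polite shutdown first: SIGTERM lets the apiserver finish in-flight requests.
    kill -TERM "$pid" 2>/dev/null
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$i" -ge "$timeout" ]; then
            echo "pid $pid still alive after ${timeout}s, sending SIGKILL" >&2
            kill -KILL "$pid" 2>/dev/null
            sleep 1
            break
        fi
        sleep 1
        i=$((i + 1))
    done

    if kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid could not be stopped" >&2
        return 2
    fi
    rm -f "$pidfile"
    echo "pid $pid stopped, removed $pidfile"
    return 0
}
```

Because the control script starts the apiserver in the background and then exits, the process is no longer a child of the shell that later runs stop, so kill -0 reflects the real process state rather than an unreaped zombie; the pidfile is removed only after that check passes, which keeps a failed stop visible to the next start.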
KUBE_API_ARGS parameter notes:
--service-node-port-range: the NodePort range; the default range is fairly small, so it is widened here to avoid running out of ports;
--tls-cert-file, --tls-private-key-file: paths to the kube-apiserver serving certificate and private key;
--client-ca-file, --service-account-key-file: the CA root certificate and its key;
--etcd-cafile, --etcd-certfile, --etcd-keyfile: paths to the certificate files used when talking to etcd
Create the /data/k8s/script/config/kube-apiserver.conf configuration file
cat > /data/k8s/script/config/kube-apiserver.conf <<EOF
# master ports (plain HTTP and TLS)
KUBE_API_PORT="--insecure-port=8080 --secure-port=6443"
# etcd cluster members
KUBE_ETCD_SERVERS="--etcd-servers=https://192.168.255.194:2379,https://192.168.255.195:2379,https://192.168.255.196:2379"
# cluster-internal service IP range
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction"
EOF
Create the kube-config configuration file
cat > /data/k8s/script/config/kube-config << EOF
###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
# kube-apiserver.service
# kube-controller-manager.service
# kube-scheduler.service
# kubelet.service
# kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"
# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"
# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=true"
# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://192.168.255.197:8080"
EOF
The kube-config file is shared by all apiserver, kube-controller-manager, kube-scheduler, kubelet and kube-proxy components
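With the flags split across the control script, kube-apiserver.conf and kube-config, it is easy to lose track of what the assembled command line actually enables. The block below is an added example, not part of the page or the author's scripts: a small lint that takes the same flags the control script passes and reports the settings an operator would want to confirm before putting a node behind the reverse proxy. The function names flag_value and audit_apiserver_args are chosen here, PAGE_ARGS is constructed from the flags on this page, and the audit log path assumes workdir is /data/k8s/script.

```shell
#!/bin/bash
# Added example (not from the page): a pre-start lint for the assembled
# kube-apiserver command line. Feed it the flags the control script passes
# and it prints one OK/WARN/INFO line per check.

# flag_value NAME FLAGS... : print the value of --NAME=VALUE ("true" for a bare
# --NAME), or nothing if the flag is absent. Always returns 0.
flag_value() {
    local name="$1" f
    shift
    for f in "$@"; do
        case "$f" in
            --"$name"=*) printf '%s\n' "${f#*=}"; return 0 ;;
            --"$name")   printf 'true\n'; return 0 ;;
        esac
    done
    return 0
}

# audit_apiserver_args FLAGS... : print one line per check and return the
# number of WARN findings (0 means every check passed).
audit_apiserver_args() {
    local warnings=0 v f

    v=$(flag_value authorization-mode "$@")
    case ",$v," in
        *,AlwaysAllow,*) echo "WARN --authorization-mode includes AlwaysAllow"; warnings=$((warnings + 1)) ;;
        *,RBAC,*)        echo "OK   --authorization-mode=$v" ;;
        *)               echo "WARN --authorization-mode lacks RBAC (got '$v')"; warnings=$((warnings + 1)) ;;
    esac

    # The insecure port answers without authentication or TLS; older releases
    # default it to 8080, so pin it to 0 once every client uses 6443.
    v=$(flag_value insecure-port "$@")
    if [ "$v" = "0" ]; then
        echo "OK   --insecure-port=0"
    else
        echo "WARN --insecure-port=${v:-<unset, defaults to 8080>} exposes the API without auth"; warnings=$((warnings + 1))
    fi

    # Serving certificate, client CA, and the etcd client certificate triple.
    for f in tls-cert-file tls-private-key-file client-ca-file etcd-cafile etcd-certfile etcd-keyfile; do
        if [ -n "$(flag_value "$f" "$@")" ]; then
            echo "OK   --$f is set"
        else
            echo "WARN --$f is missing"; warnings=$((warnings + 1))
        fi
    done

    v=$(flag_value enable-admission-plugins "$@")
    case ",$v," in
        *,NodeRestriction,*) echo "OK   NodeRestriction admission plugin enabled" ;;
        *) echo "WARN NodeRestriction admission plugin not enabled"; warnings=$((warnings + 1)) ;;
    esac

    if [ -n "$(flag_value audit-log-path "$@")" ]; then
        echo "OK   audit log enabled"
    else
        echo "WARN --audit-log-path not set, no API audit trail"; warnings=$((warnings + 1))
    fi

    if [ "$(flag_value allow-privileged "$@")" = "true" ]; then
        echo "INFO --allow-privileged=true: privileged pods are permitted cluster-wide"
    fi

    return "$warnings"
}

# Constructed from this page's KUBE_API_ARGS, kube-apiserver.conf and kube-config
# (workdir assumed to be /data/k8s/script for the audit log path).
PAGE_ARGS="--logtostderr=true --v=0 --allow-privileged=true \
--insecure-port=8080 --secure-port=6443 \
--authorization-mode=Node,RBAC --kubelet-https=true --enable-bootstrap-token-auth \
--tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/etc/kubernetes/ssl/ca.pem --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction \
--audit-log-path=/data/k8s/script/log/kube-apiserver/audit.log --apiserver-count=3"

# Against the page's flags the only WARN is the insecure port on 8080.
audit_apiserver_args $PAGE_ARGS && echo "warnings: 0" || echo "warnings: $?"
```

Run against the page's values the lint returns 1: everything else passes, but --insecure-port=8080 is flagged. That port is what kube-config's KUBE_MASTER=http://192.168.255.197:8080 points the controller-manager and scheduler at, so it can only be set to 0 once those clients are moved to kubeconfigs that use the TLS port 6443; until then the 8080 listener should at least not be reachable from outside the control-plane hosts.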
Start the apiserver
# The script uses bash's source builtin, so run it through its #!/bin/bash shebang rather than sh
cd /data/k8s/script
chmod +x kube-apiserver_ctl
./kube-apiserver_ctl start