搭建kubernetes高可用集群-05部署apiserver节点

apiserver做为整个kubernetes集群的入口,重要程度可想而知,为了避免单点故障情况,在这里采用部署多个apiserver节点用来分担apiserver流量以及提供高可用性。前端调度可采用4或7层做反向代理,流量分担到后端的这几个apiserver节点,如有性能问题,还可以快速水平扩展,加入新的节点,分担流量。

安装部署 apiserver 节点

检查确认相应证书文件及配置文件是否在指定路径

ls /etc/kubernetes/ssl/
ca-key.pem  ca.pem  kubernetes-key.pem  kubernetes.pem
# NOTE(review): ca-key.pem is the CA's *private* key. It only has to be on this
# host because the start script below points --service-account-key-file at it;
# with a dedicated service-account key pair it could stay off the apiserver nodes.

ls /etc/kubernetes/
bootstrap.kubeconfig  kube-proxy.kubeconfig  ssl  token.csv
# NOTE(review): token.csv holds the static bearer tokens accepted via
# --token-auth-file; protect it like the private keys (root-only, 0600).

下载解压安装包文件及复制执行文件到 /usr/local/bin 目录

安装kube-apiserver

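# NOTE(review): verify the downloaded binary against the release's published
# checksum/signature before installing it (this page provides neither), e.g.
#   sha256sum -c <RELEASE-CHECKSUM-FILE>   # placeholder, value not on this page
# install(1) copies and sets an explicit mode in one step; cp + chmod +x
# yields a mode that depends on the source file's bits and the umask.
install -v -m 0755 -- kube-apiserver /usr/local/bin/kube-apiserver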

创建api server启动脚本

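# The heredoc delimiter is quoted so that $workdir, $name, $0, $#, $1,
# $pidfile and the command substitutions are written into the script
# literally; with a bare EOF they are expanded (mostly to nothing) by the
# shell running this cat, and the generated script has empty paths.
cat > /data/k8s/script/kube-apiserver_ctl << 'EOF'
#!/bin/bash
# Start/stop wrapper for kube-apiserver.
#
# Usage:   kube-apiserver_ctl (start|stop)
# Globals: workdir, bin_dir (read; from config/env)
#          KUBE_* flag strings (read; from config/kube-apiserver.conf and
#          config/kube-config)
#          kill_and_wait (called; from pid_utils/pid_util.sh)
# Writes:  $workdir/run/kube-apiserver.pid, $workdir/log/kube-apiserver/
# Exits:   0 when the apiserver is running, 1 if it dies during startup,
#          2 on a usage error.

source /data/k8s/script/config/env
source "$workdir/config/kube-apiserver.conf"
source "$workdir/config/kube-config"

name="kube-apiserver"
pidfile="$workdir/run/$name.pid"
logdir="$workdir/log/$name"

mkdir -p "$workdir/run" "$logdir"

# Print usage to stderr and exit non-zero (a misuse must not look like success).
display_help(){
  echo "Usage: $(basename "$0") (start|stop)" >&2
  exit 2
}

if [ $# -ne 1 ]; then
  display_help
fi

# One flag per element so each can be commented; expanded with "${KUBE_API_ARGS[@]}".
KUBE_API_ARGS=(
  # Node,RBAC applies to the secure port only. Requests arriving on the
  # insecure port configured in kube-apiserver.conf are neither authenticated
  # nor authorized.
  --authorization-mode=Node,RBAC
  --runtime-config=rbac.authorization.k8s.io/v1beta1
  # NOTE(review): no --kubelet-client-certificate/--kubelet-client-key is set,
  # so the apiserver presents no client identity to kubelets; confirm this
  # matches how kubelet authentication is configured (affects logs/exec).
  --kubelet-https=true
  --enable-bootstrap-token-auth
  --token-auth-file=/etc/kubernetes/token.csv
  --service-node-port-range=30000-62767
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem
  --client-ca-file=/etc/kubernetes/ssl/ca.pem
  # NOTE(review): this reuses the cluster CA's private key for verifying
  # service-account tokens. A dedicated key pair is preferable so the CA key
  # need not live on apiserver nodes; change it together with the
  # controller-manager's signing key, which must match.
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem
  --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem
  --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem
  --enable-swagger-ui=true
  --apiserver-count=3
  # NOTE(review): without --audit-policy-file, recent releases record nothing
  # to the audit log backend even though a path is given; confirm for the
  # version being deployed.
  --audit-log-maxage=30
  --audit-log-maxbackup=3
  --audit-log-maxsize=100
  "--audit-log-path=$logdir/audit.log"
  --event-ttl=1h
)

source "$workdir/pid_utils/pid_util.sh"
case "$1" in
  start)
    # The KUBE_* variables hold whole "--flag=value ..." strings and must stay
    # unquoted so they word-split into separate arguments.
    # NOTE(review): KUBE_API_ADDRESS and KUBELET_PORT are not set in any config
    # file shown alongside this script; presumably they come from config/env —
    # confirm, otherwise they silently expand to nothing.
    # exec inside the background fork makes $! the apiserver's own pid.
    # shellcheck disable=SC2086
    exec "$bin_dir/kube-apiserver" \
      $KUBE_LOGTOSTDERR \
      $KUBE_LOG_LEVEL \
      $KUBE_ETCD_SERVERS \
      $KUBE_API_ADDRESS \
      $KUBE_API_PORT \
      $KUBELET_PORT \
      $KUBE_ALLOW_PRIV \
      $KUBE_SERVICE_ADDRESSES \
      $KUBE_ADMISSION_CONTROL \
      "${KUBE_API_ARGS[@]}" \
      >>"$logdir/$name.log" 2>&1 &
    pid=$!
    echo "$pid" > "$pidfile"

    # Give the process a few seconds to fail fast (bad flag, unreadable cert,
    # unreachable etcd). A process that dies immediately would otherwise be
    # reported as started and the script would still exit 0.
    for try in 1 2 3; do
      sleep "$try"
      if ! kill -0 "$pid" 2>/dev/null; then
        echo "$name (pid $pid) exited during startup, see $logdir/$name.log" >&2
        rm -f -- "$pidfile"
        exit 1
      fi
    done
    echo "$name pid: $pid is running..."
    ;;

  stop)
    kill_and_wait "$pidfile"
    ;;
  *)
    display_help
    ;;
esac
EOF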

KUBE_API_ARGS参数说明:
--service-node-port-range: 指定node port端口范围,默认值比较小,为避免端口不够用,需调整;
--tls-cert-file、--tls-private-key-file: 指定kube-apiserver证书文件路径;
--client-ca-file、--service-account-key-file: CA根证书;
--etcd-cafile、--etcd-certfile、--etcd-keyfile: 指定与ETCD交互时使用的证书文件路径

创建/data/k8s/script/config/kube-apiserver.conf配置文件

cat > /data/k8s/script/config/kube-apiserver.conf <<EOF
# API server listen ports.
# NOTE(review): the insecure port (8080) serves the full API with no
# authentication and no authorization, so the Node,RBAC authorizer set in
# kube-apiserver_ctl does not protect it. Keep it unreachable from anything but
# trusted local components (bind to loopback / firewall it), or drop it and
# move the components that use KUBE_MASTER to https://HOST:6443 with
# credentials. Newer kube-apiserver releases have removed the insecure port.
KUBE_API_PORT="--insecure-port=8080 --secure-port=6443"
# etcd cluster endpoints; the apiserver authenticates to them with the
# --etcd-certfile/--etcd-keyfile pair set in kube-apiserver_ctl.
KUBE_ETCD_SERVERS="--etcd-servers=https://192.168.255.194:2379,https://192.168.255.195:2379,https://192.168.255.196:2379"
# Cluster-internal (Service) IP range.
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
# Admission plugins. NodeRestriction limits what kubelet credentials may
# modify and pairs with the Node authorizer enabled in kube-apiserver_ctl.
KUBE_ADMISSION_CONTROL="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction"
EOF

创建kube-config配置文件

cat > /data/k8s/script/config/kube-config << EOF
###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
# (in this setup kube-apiserver_ctl redirects stdout/stderr to a log file
# under the work directory instead, so nothing reaches the journal there)
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
# NOTE(review): a privileged pod can take control of its node; if this stays
# true, restrict who may create such pods (admission policy / RBAC).
KUBE_ALLOW_PRIV="--allow-privileged=true"

# How the controller-manager, scheduler, and proxy find the apiserver
# NOTE(review): plain http to the insecure port means these components reach
# the apiserver with no TLS and no identity of their own. If the insecure port
# is closed, point them at https://HOST:6443 through a kubeconfig with
# credentials instead.
KUBE_MASTER="--master=http://192.168.255.197:8080"
EOF

kube-config配置文件在所有的apiserver、kube-controller-manager、kube-scheduler、kubelet、kube-proxy 组件上共用

启动apiserver

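# The script declares #!/bin/bash and relies on bash-only behaviour (source),
# so run it directly (or via bash) rather than with sh, which ignores the
# shebang. Use the absolute path: the file was written to /data/k8s/script/.
chmod +x /data/k8s/script/kube-apiserver_ctl
/data/k8s/script/kube-apiserver_ctl start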
-------------the end-------------