【容器化】Kubernetes二进制高可用部署4-Kube-Apiserver高可用部署

零、目录

• 【容器化】Kubernetes二进制高可用部署1-准备
• 【容器化】Kubernetes二进制高可用部署2-ca根证书
• 【容器化】kubernetes二进制高可用部署3-etcd高可用部署
• 【容器化】kubernetes二进制高可用部署4-kube-apiserver高可用部署
• 【容器化】kubernetes二进制高可用部署5-HA和Keepalived部署
• 【容器化】kubernetes二进制高可用部署6-kube-controller和kube-scheduler部署
• 【容器化】kubernetes二进制高可用部署7-kubelet和kube-proxy部署
• 【容器化】kubernetes二进制高可用部署8-Calico网络插件部署
• 【容器化】kubernetes二进制高可用部署9-Flannel网络插件部署
• 【容器化】kubernetes二进制高可用部署10-coredns部署

一、说明

本文将在三个虚拟机上都部署kube-apiserver服务，已达到一个三节点的kube-apiserver高可用集群。

二、修改hosts文件

# 所有节点执行
cat << EOF >> /etc/hosts
192.168.56.105 k8s1
192.168.56.106 k8s2
192.168.56.107 k8s3
EOF

三、kube-apiserver证书生成

ssl配置文件

注意点：

• alt_names的值指定为节点ip
• 169.169.0.1：kubernetes 服务 IP 是 apiserver 自动创建的，一般是 –service-cluster-ip-range 参数指定的网段的第一个IP

# 192.168.56.105节点执行
cat << EOF > /etc/kubernetes/pki/master_ssl.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s1
DNS.6 = k8s2
DNS.7 = k8s3
IP.1 = 169.169.0.1
IP.2 = 192.168.56.105
IP.3 = 192.168.56.106
IP.4 = 192.168.56.107
IP.5 = 192.168.56.250
EOF

服务端证书

# 192.168.56.105节点执行
openssl genrsa -out /etc/kubernetes/pki/apiserver.key 2048
openssl req -new -key /etc/kubernetes/pki/apiserver.key -config /etc/kubernetes/pki/master_ssl.cnf -subj "/CN=192.168.56.105" -out /etc/kubernetes/pki/apiserver.csr
openssl x509 -req -in /etc/kubernetes/pki/apiserver.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile /etc/kubernetes/pki/master_ssl.cnf -out /etc/kubernetes/pki/apiserver.crt

复制kube-apiserver证书到106、107虚拟机

# 192.168.56.106和192.168.56.107节点执行
scp -r root@192.168.56.105:/etc/kubernetes/pki/apiserver.* /etc/kubernetes/pki/

四、下载kubernetes并解压并把二进制文件复制到/usr/bin目录

# 所有节点上执行
wget -O /usr/local/src/kubernetes-server-v1.19.0.tar.gz https://dl.k8s.io/v1.19.0/kubernetes-server-linux-amd64.tar.gz
tar -C /usr/local/src/ -zxvf /usr/local/src/kubernetes-server-v1.19.0.tar.gz
cp /usr/local/src/kubernetes/server/bin/kube-apiserver /usr/bin/

五、创建kube-apiserver服务

创建kube-apiserver配置文件

# 192.168.56.105节点配置
cat << EOF > /etc/kubernetes/apiserver.conf
KUBE_API_ARGS="--insecure-port=0 \
--secure-port=6443 \
--advertise-address=192.168.56.105 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--apiserver-count=3 \
--endpoint-reconciler-type=master-count \
--etcd-servers=https://192.168.56.105:2379,https://192.168.56.106:2379,https://192.168.56.107:2379 \
--etcd-cafile=/etc/kubernetes/pki/ca.crt \
--etcd-certfile=/etc/etcd/pki/etcd_client.crt \
--etcd-keyfile=/etc/etcd/pki/etcd_client.key \
--service-cluster-ip-range=169.169.0.0/16 \
--service-node-port-range=30000-32767 \
--allow-privileged=true \
--logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF


# 192.168.56.106节点配置
cat << EOF > /etc/kubernetes/apiserver.conf
KUBE_API_ARGS="--insecure-port=0 \
--secure-port=6443 \
--advertise-address=192.168.56.106 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--apiserver-count=3 \
--endpoint-reconciler-type=master-count \
--etcd-servers=https://192.168.56.105:2379,https://192.168.56.106:2379,https://192.168.56.107:2379 \
--etcd-cafile=/etc/kubernetes/pki/ca.crt \
--etcd-certfile=/etc/etcd/pki/etcd_client.crt \
--etcd-keyfile=/etc/etcd/pki/etcd_client.key \
--service-cluster-ip-range=169.169.0.0/16 \
--service-node-port-range=30000-32767 \
--allow-privileged=true \
--logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF


# 192.168.56.107节点配置
cat << EOF > /etc/kubernetes/apiserver.conf
KUBE_API_ARGS="--insecure-port=0 \
--secure-port=6443 \
--advertise-address=192.168.56.107 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--apiserver-count=3 \
--endpoint-reconciler-type=master-count \
--etcd-servers=https://192.168.56.105:2379,https://192.168.56.106:2379,https://192.168.56.107:2379 \
--etcd-cafile=/etc/kubernetes/pki/ca.crt \
--etcd-certfile=/etc/etcd/pki/etcd_client.crt \
--etcd-keyfile=/etc/etcd/pki/etcd_client.key \
--service-cluster-ip-range=169.169.0.0/16 \
--service-node-port-range=30000-32767 \
--allow-privileged=true \
--logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF

创建系统服务文件

# 所有节点执行
cat << EOF > /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/etc/kubernetes/apiserver.conf
ExecStart=/usr/bin/kube-apiserver \$KUBE_API_ARGS
Restart=always

[Install]
WantedBy=multi-user.target
EOF

启动kube-apiserver服务

# 所有节点执行
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver

六、kube-apiserver服务验证

# 查看服务运行状态
systemctl status kube-apiserver

# 访问kube-apiserver是否有内容成功返回
curl -v -k https://192.168.56.105:6443

结果截图

(•̀ᴗ•́)و ̑̑