Kubernetes实战：下载kubernetes启动apiserver

下载kubernetes

通过二进制版本包安装 kubernetes ，下载需要科学上网，此处安装1.15.2版本。

下载方式：

1. 进入kubernetes的github页面: https://github.com/kubernetes/kubernetes

2. 进入tags页签: https://github.com/kubernetes/kubernetes/tags

3. 选择要下载的版本: https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2

4. 点击 CHANGELOG-${version}.md 进入说明页面: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#downloads-for-v1152

5. 下载Server Binaries: https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz

cd /opt/src
wget https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz

如果下载速度太慢，可以在Windows主机下载，用文件夹共享到虚拟机，再通过内网复制。

scp hdss7-200:/opt/src/kubernetes-server-linux-amd64.tar.gz .

解压安装

tar -xf kubernetes-server-linux-amd64.tar.gz 
mv kubernetes /opt/kubernetes-v1.15.2
ln -s /opt/kubernetes-v1.15.2 /opt/kubernetes
ll /opt/kubernetes

删除无用的文件

#删除安装包
cd /opt/src
rm -f kubernetes-server-linux-amd64.tar.gz 
#删除源代码文件
cd /opt/kubernetes
rm -f kubernetes-src.tar.gz  
# 删除*.tar *_tag 镜像文件
cd server/bin/   
rm -f *.tar *_tag  

部署kube-apiserver

• 操作 hdss7-200 主机

签发client 证书，用于 apiserver 和 etcd 通信

cd /opt/certs/
vim /opt/certs/client-csr.json

内容如下：

{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
​
# 查看
ls client* -l

签发server证书，用于apiserver 和 其它k8s组件 通信

vim /opt/certs/apiserver-csr.json

内容如下，hosts中将所有可能作为apiserver的ip添加进去，10.4.7.10 也要加入

{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "10.4.7.10",
        "10.4.7.21",
        "10.4.7.22",
        "10.4.7.23"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
​
# 查看
ls apiserver* -l

*下发证书到每个主机

for i in 21 22;do echo hdss7-$i;ssh hdss7-$i "mkdir /opt/kubernetes/server/bin/certs";scp apiserver-key.pem apiserver.pem ca-key.pem ca.pem client-key.pem client.pem hdss7-$i:/opt/kubernetes/server/bin/certs/;done

配置apiserver日志审计

• aipserver 操作的服务器：hdss7-21，hdss7-22

创建配置文件

mkdir /opt/kubernetes/conf
vim /opt/kubernetes/conf/audit.yaml

打开文件后，设置 :set paste，避免自动缩进，内容如下

apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
​
  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
​
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
​
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
​
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
​
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
​
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
​
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

启动apiserver

• aipserver 操作的服务器：hdss7-21，hdss7-22

复制证书（如果已经在hdss7-200主机下发过证书此步可跳过）

mkdir /opt/kubernetes/server/bin/certs
cd /opt/kubernetes/server/bin/certs
scp hdss7-200:/opt/certs/\{apiserver-key.pem,apiserver.pem,ca-key.pem,ca.pem,client-key.pem,client.pem\} .

创建启动脚本

cd /opt/kubernetes/server/bin/
vim kube-apiserver-startup.sh

内容如下

#!/bin/bash
​
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
​
/opt/kubernetes/server/bin/kube-apiserver \
    --apiserver-count 2 \
    --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
    --audit-policy-file ../../conf/audit.yaml \
    --authorization-mode RBAC \
    --client-ca-file ./certs/ca.pem \
    --requestheader-client-ca-file ./certs/ca.pem \
    --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
    --etcd-cafile ./certs/ca.pem \
    --etcd-certfile ./certs/client.pem \
    --etcd-keyfile ./certs/client-key.pem \
    --etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
    --service-account-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/16 \
    --service-node-port-range 3000-29999 \
    --target-ram-mb=1024 \
    --kubelet-client-certificate ./certs/client.pem \
    --kubelet-client-key ./certs/client-key.pem \
    --log-dir  /data/logs/kubernetes/kube-apiserver \
    --tls-cert-file ./certs/apiserver.pem \
    --tls-private-key-file ./certs/apiserver-key.pem \
    --v 2

• • “etcd-servers” : 分别是三台 etcd 的地址

修改权限和目录

chmod +x kube-apiserver-startup.sh 

配置supervisor启动配置

vim /etc/supervisord.d/kube-apiserver.ini

内容如下：

[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false

开启进程

mkdir -p /data/logs/kubernetes/kube-apiserver/
supervisorctl update
​
supervisorctl status

查看进程

netstat -lntp|grep api
ps uax|grep kube-apiserver|grep -v grep

启停apiserver命令

supervisorctl start kube-apiserver-7-21
supervisorctl stop kube-apiserver-7-21
supervisorctl restart kube-apiserver-7-21
supervisorctl status kube-apiserver-7-21