05-2. 部署 kube-apiserver 集群

本文档讲解部署一个三实例 kube-apiserver 集群的步骤.

注意:如果没有特殊指明,本文档的所有操作均在 zhangjun-k8s-01 节点上执行

创建 kubernetes-master 证书和私钥

创建证书签名请求:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. cat > kubernetes-csr.json <<EOF
  4. {
  5.   "CN": "kubernetes-master",
  6.   "hosts": [
  7.     "127.0.0.1",
  8.     "172.27.138.251",
  9.     "172.27.137.229",
  10.     "172.27.138.239",
  11.     "${CLUSTER_KUBERNETES_SVC_IP}",
  12.     "kubernetes",
  13.     "kubernetes.default",
  14.     "kubernetes.default.svc",
  15.     "kubernetes.default.svc.cluster",
  16.     "kubernetes.default.svc.cluster.local.",
  17.     "kubernetes.default.svc.${CLUSTER_DNS_DOMAIN}."
  18.   ],
  19.   "key": {
  20.     "algo": "rsa",
  21.     "size": 2048
  22.   },
  23.   "names": [
  24.     {
  25.       "C": "CN",
  26.       "ST": "BeiJing",
  27.       "L": "BeiJing",
  28.       "O": "k8s",
  29.       "OU": "opsnull"
  30.     }
  31.   ]
  32. }
  33. EOF
  • hosts 字段指定授权使用该证书的 IP 和域名列表,这里列出了 master 节点 IP、kubernetes 服务的 IP 和域名;

生成证书和私钥:

  1. cfssl gencert -ca=/opt/k8s/work/ca.pem \
  2.   -ca-key=/opt/k8s/work/ca-key.pem \
  3.   -config=/opt/k8s/work/ca-config.json \
  4.   -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
  5. ls kubernetes*pem

将生成的证书和私钥文件拷贝到所有 master 节点:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4.   do
  5.     echo ">>> ${node_ip}"
  6.     ssh root@${node_ip} "mkdir -p /etc/kubernetes/cert"
  7.     scp kubernetes*.pem root@${node_ip}:/etc/kubernetes/cert/
  8.   done

创建加密配置文件

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. cat > encryption-config.yaml <<EOF
  4. kind: EncryptionConfig
  5. apiVersion: v1
  6. resources:
  7.   - resources:
  8.       - secrets
  9.     providers:
  10.       - aescbc:
  11.           keys:
  12.             - name: key1
  13.               secret: ${ENCRYPTION_KEY}
  14.       - identity: {}
  15. EOF

将加密配置文件拷贝到 master 节点的 /etc/kubernetes 目录下:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4.   do
  5.     echo ">>> ${node_ip}"
  6.     scp encryption-config.yaml root@${node_ip}:/etc/kubernetes/
  7.   done

创建审计策略文件

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. cat > audit-policy.yaml <<EOF
  4. apiVersion: audit.k8s.io/v1beta1
  5. kind: Policy
  6. rules:
  7.   # The following requests were manually identified as high-volume and low-risk, so drop them.
  8.   - level: None
  9.     resources:
  10.       - group: ""
  11.         resources:
  12.           - endpoints
  13.           - services
  14.           - services/status
  15.     users:
  16.       - 'system:kube-proxy'
  17.     verbs:
  18.       - watch
  20.   - level: None
  21.     resources:
  22.       - group: ""
  23.         resources:
  24.           - nodes
  25.           - nodes/status
  26.     userGroups:
  27.       - 'system:nodes'
  28.     verbs:
  29.       - get
  31.   - level: None
  32.     namespaces:
  33.       - kube-system
  34.     resources:
  35.       - group: ""
  36.         resources:
  37.           - endpoints
  38.     users:
  39.       - 'system:kube-controller-manager'
  40.       - 'system:kube-scheduler'
  41.       - 'system:serviceaccount:kube-system:endpoint-controller'
  42.     verbs:
  43.       - get
  44.       - update
  46.   - level: None
  47.     resources:
  48.       - group: ""
  49.         resources:
  50.           - namespaces
  51.           - namespaces/status
  52.           - namespaces/finalize
  53.     users:
  54.       - 'system:apiserver'
  55.     verbs:
  56.       - get
  58.   # Don't log HPA fetching metrics.
  59.   - level: None
  60.     resources:
  61.       - group: metrics.k8s.io
  62.     users:
  63.       - 'system:kube-controller-manager'
  64.     verbs:
  65.       - get
  66.       - list
  68.   # Don't log these read-only URLs.
  69.   - level: None
  70.     nonResourceURLs:
  71.       - '/healthz*'
  72.       - /version
  73.       - '/swagger*'
  75.   # Don't log events requests.
  76.   - level: None
  77.     resources:
  78.       - group: ""
  79.         resources:
  80.           - events
  82.   # node and pod status calls from nodes are high-volume and can be large, don't log responses
  83.   # for expected updates from nodes
  84.   - level: Request
  85.     omitStages:
  86.       - RequestReceived
  87.     resources:
  88.       - group: ""
  89.         resources:
  90.           - nodes/status
  91.           - pods/status
  92.     users:
  93.       - kubelet
  94.       - 'system:node-problem-detector'
  95.       - 'system:serviceaccount:kube-system:node-problem-detector'
  96.     verbs:
  97.       - update
  98.       - patch
  100.   - level: Request
  101.     omitStages:
  102.       - RequestReceived
  103.     resources:
  104.       - group: ""
  105.         resources:
  106.           - nodes/status
  107.           - pods/status
  108.     userGroups:
  109.       - 'system:nodes'
  110.     verbs:
  111.       - update
  112.       - patch
  114.   # deletecollection calls can be large, don't log responses for expected namespace deletions
  115.   - level: Request
  116.     omitStages:
  117.       - RequestReceived
  118.     users:
  119.       - 'system:serviceaccount:kube-system:namespace-controller'
  120.     verbs:
  121.       - deletecollection
  123.   # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  124.   # so only log at the Metadata level.
  125.   - level: Metadata
  126.     omitStages:
  127.       - RequestReceived
  128.     resources:
  129.       - group: ""
  130.         resources:
  131.           - secrets
  132.           - configmaps
  133.       - group: authentication.k8s.io
  134.         resources:
  135.           - tokenreviews
  136.   # Get repsonses can be large; skip them.
  137.   - level: Request
  138.     omitStages:
  139.       - RequestReceived
  140.     resources:
  141.       - group: ""
  142.       - group: admissionregistration.k8s.io
  143.       - group: apiextensions.k8s.io
  144.       - group: apiregistration.k8s.io
  145.       - group: apps
  146.       - group: authentication.k8s.io
  147.       - group: authorization.k8s.io
  148.       - group: autoscaling
  149.       - group: batch
  150.       - group: certificates.k8s.io
  151.       - group: extensions
  152.       - group: metrics.k8s.io
  153.       - group: networking.k8s.io
  154.       - group: policy
  155.       - group: rbac.authorization.k8s.io
  156.       - group: scheduling.k8s.io
  157.       - group: settings.k8s.io
  158.       - group: storage.k8s.io
  159.     verbs:
  160.       - get
  161.       - list
  162.       - watch
  164.   # Default level for known APIs
  165.   - level: RequestResponse
  166.     omitStages:
  167.       - RequestReceived
  168.     resources:
  169.       - group: ""
  170.       - group: admissionregistration.k8s.io
  171.       - group: apiextensions.k8s.io
  172.       - group: apiregistration.k8s.io
  173.       - group: apps
  174.       - group: authentication.k8s.io
  175.       - group: authorization.k8s.io
  176.       - group: autoscaling
  177.       - group: batch
  178.       - group: certificates.k8s.io
  179.       - group: extensions
  180.       - group: metrics.k8s.io
  181.       - group: networking.k8s.io
  182.       - group: policy
  183.       - group: rbac.authorization.k8s.io
  184.       - group: scheduling.k8s.io
  185.       - group: settings.k8s.io
  186.       - group: storage.k8s.io
  188.   # Default level for all other requests.
  189.   - level: Metadata
  190.     omitStages:
  191.       - RequestReceived
  192. EOF

分发审计策略文件:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4.   do
  5.     echo ">>> ${node_ip}"
  6.     scp audit-policy.yaml root@${node_ip}:/etc/kubernetes/audit-policy.yaml
  7.   done

创建后续访问 metrics-server 或 kube-prometheus 使用的证书

创建证书签名请求:

  1. cd /opt/k8s/work
  2. cat > proxy-client-csr.json <<EOF
  3. {
  4.   "CN": "aggregator",
  5.   "hosts": [],
  6.   "key": {
  7.     "algo": "rsa",
  8.     "size": 2048
  9.   },
  10.   "names": [
  11.     {
  12.       "C": "CN",
  13.       "ST": "BeiJing",
  14.       "L": "BeiJing",
  15.       "O": "k8s",
  16.       "OU": "opsnull"
  17.     }
  18.   ]
  19. }
  20. EOF
  • CN 名称需要位于 kube-apiserver 的 --requestheader-allowed-names 参数中,否则后续访问 metrics 时会提示权限不足。

生成证书和私钥:

  1. cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \
  2.   -ca-key=/etc/kubernetes/cert/ca-key.pem  \
  3.   -config=/etc/kubernetes/cert/ca-config.json  \
  4.   -profile=kubernetes proxy-client-csr.json | cfssljson -bare proxy-client
  5. ls proxy-client*.pem

将生成的证书和私钥文件拷贝到所有 master 节点:

  1. source /opt/k8s/bin/environment.sh
  2. for node_ip in ${NODE_IPS[@]}
  3.   do
  4.     echo ">>> ${node_ip}"
  5.     scp proxy-client*.pem root@${node_ip}:/etc/kubernetes/cert/
  6.   done

创建 kube-apiserver systemd unit 模板文件

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. cat > kube-apiserver.service.template <<EOF
  4. [Unit]
  5. Description=Kubernetes API Server
  6. Documentation=https://github.com/GoogleCloudPlatform/kubernetes
  7. After=network.target
  9. [Service]
  10. WorkingDirectory=${K8S_DIR}/kube-apiserver
  11. ExecStart=/opt/k8s/bin/kube-apiserver \\
  12.   --advertise-address=##NODE_IP## \\
  13.   --default-not-ready-toleration-seconds=360 \\
  14.   --default-unreachable-toleration-seconds=360 \\
  15.   --feature-gates=DynamicAuditing=true \\
  16.   --max-mutating-requests-inflight=2000 \\
  17.   --max-requests-inflight=4000 \\
  18.   --default-watch-cache-size=200 \\
  19.   --delete-collection-workers=2 \\
  20.   --encryption-provider-config=/etc/kubernetes/encryption-config.yaml \\
  21.   --etcd-cafile=/etc/kubernetes/cert/ca.pem \\
  22.   --etcd-certfile=/etc/kubernetes/cert/kubernetes.pem \\
  23.   --etcd-keyfile=/etc/kubernetes/cert/kubernetes-key.pem \\
  24.   --etcd-servers=${ETCD_ENDPOINTS} \\
  25.   --bind-address=##NODE_IP## \\
  26.   --secure-port=6443 \\
  27.   --tls-cert-file=/etc/kubernetes/cert/kubernetes.pem \\
  28.   --tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem \\
  29.   --insecure-port=0 \\
  30.   --audit-dynamic-configuration \\
  31.   --audit-log-maxage=15 \\
  32.   --audit-log-maxbackup=3 \\
  33.   --audit-log-maxsize=100 \\
  34.   --audit-log-truncate-enabled \\
  35.   --audit-log-path=${K8S_DIR}/kube-apiserver/audit.log \\
  36.   --audit-policy-file=/etc/kubernetes/audit-policy.yaml \\
  37.   --profiling \\
  38.   --anonymous-auth=false \\
  39.   --client-ca-file=/etc/kubernetes/cert/ca.pem \\
  40.   --enable-bootstrap-token-auth \\
  41.   --requestheader-allowed-names="aggregator" \\
  42.   --requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \\
  43.   --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  44.   --requestheader-group-headers=X-Remote-Group \\
  45.   --requestheader-username-headers=X-Remote-User \\
  46.   --service-account-key-file=/etc/kubernetes/cert/ca.pem \\
  47.   --authorization-mode=Node,RBAC \\
  48.   --runtime-config=api/all=true \\
  49.   --enable-admission-plugins=NodeRestriction \\
  50.   --allow-privileged=true \\
  51.   --apiserver-count=3 \\
  52.   --event-ttl=168h \\
  53.   --kubelet-certificate-authority=/etc/kubernetes/cert/ca.pem \\
  54.   --kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem \\
  55.   --kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem \\
  56.   --kubelet-https=true \\
  57.   --kubelet-timeout=10s \\
  58.   --proxy-client-cert-file=/etc/kubernetes/cert/proxy-client.pem \\
  59.   --proxy-client-key-file=/etc/kubernetes/cert/proxy-client-key.pem \\
  60.   --service-cluster-ip-range=${SERVICE_CIDR} \\
  61.   --service-node-port-range=${NODE_PORT_RANGE} \\
  62.   --logtostderr=true \\
  63.   --v=2
  64. Restart=on-failure
  65. RestartSec=10
  66. Type=notify
  67. LimitNOFILE=65536
  69. [Install]
  70. WantedBy=multi-user.target
  71. EOF
  • --advertise-address:apiserver 对外通告的 IP(kubernetes 服务后端节点 IP);
  • --default-*-toleration-seconds:设置节点异常相关的阈值;
  • --max-*-requests-inflight:请求相关的最大阈值;
  • --etcd-*:访问 etcd 的证书和 etcd 服务器地址;
  • --bind-address: https 监听的 IP,不能为 127.0.0.1,否则外界不能访问它的安全端口 6443;
  • --secret-port:https 监听端口;
  • --insecure-port=0:关闭监听 http 非安全端口(8080);
  • --tls-*-file:指定 apiserver 使用的证书、私钥和 CA 文件;
  • --audit-*:配置审计策略和审计日志文件相关的参数;
  • --client-ca-file:验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书;
  • --enable-bootstrap-token-auth:启用 kubelet bootstrap 的 token 认证;
  • --requestheader-*:kube-apiserver 的 aggregator layer 相关的配置参数,proxy-client & HPA 需要使用;
  • --requestheader-client-ca-file:用于签名 --proxy-client-cert-file--proxy-client-key-file 指定的证书;在启用了 metric aggregator 时使用;
  • --requestheader-allowed-names:不能为空,值为逗号分割的 --proxy-client-cert-file 证书的 CN 名称,这里设置为 “aggregator”;
  • --service-account-key-file:签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file 指定私钥文件,两者配对使用;
  • --runtime-config=api/all=true: 启用所有版本的 APIs,如 autoscaling/v2alpha1;
  • --authorization-mode=Node,RBAC--anonymous-auth=false: 开启 Node 和 RBAC 授权模式,拒绝未授权的请求;
  • --enable-admission-plugins:启用一些默认关闭的 plugins;
  • --allow-privileged:运行执行 privileged 权限的容器;
  • --apiserver-count=3:指定 apiserver 实例的数量;
  • --event-ttl:指定 events 的保存时间;
  • --kubelet-*:如果指定,则使用 https 访问 kubelet APIs;需要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权;
  • --proxy-client-*:apiserver 访问 metrics-server 使用的证书;
  • --service-cluster-ip-range: 指定 Service Cluster IP 地址段;
  • --service-node-port-range: 指定 NodePort 的端口范围;

如果 kube-apiserver 机器没有运行 kube-proxy,则还需要添加 --enable-aggregator-routing=true 参数;

关于 --requestheader-XXX 相关参数,参考:

注意:

  1. --requestheader-client-ca-file 指定的 CA 证书,必须具有 client auth and server auth
  2. 如果 --requestheader-allowed-names 不为空,且 --proxy-client-cert-file 证书的 CN 名称不在 allowed-names 中,则后续查看 node 或 pods 的 metrics 失败,提示:
    1. $ kubectl top nodes
    2. Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "aggregator" cannot list resource "nodes" in API group "metrics.k8s.io" at the cluster scope

为各节点创建和分发 kube-apiserver systemd unit 文件

替换模板文件中的变量,为各节点生成 systemd unit 文件:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for (( i=0; i < 3; i++ ))
  4.   do
  5.     sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" kube-apiserver.service.template > kube-apiserver-${NODE_IPS[i]}.service 
  6.   done
  7. ls kube-apiserver*.service
  • NODE_NAMES 和 NODE_IPS 为相同长度的 bash 数组,分别为节点名称和对应的 IP;

分发生成的 systemd unit 文件:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4.   do
  5.     echo ">>> ${node_ip}"
  6.     scp kube-apiserver-${node_ip}.service root@${node_ip}:/etc/systemd/system/kube-apiserver.service
  7.   done

启动 kube-apiserver 服务

  1. source /opt/k8s/bin/environment.sh
  2. for node_ip in ${NODE_IPS[@]}
  3.   do
  4.     echo ">>> ${node_ip}"
  5.     ssh root@${node_ip} "mkdir -p ${K8S_DIR}/kube-apiserver"
  6.     ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver"
  7.   done

检查 kube-apiserver 运行状态

  1. source /opt/k8s/bin/environment.sh
  2. for node_ip in ${NODE_IPS[@]}
  3.   do
  4.     echo ">>> ${node_ip}"
  5.     ssh root@${node_ip} "systemctl status kube-apiserver |grep 'Active:'"
  6.   done

确保状态为 active (running),否则查看日志,确认原因:

  1. journalctl -u kube-apiserver

检查集群状态

  1. $ kubectl cluster-info
  2. Kubernetes master is running at https://172.27.138.251:6443
  4. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
  6. $ kubectl get all --all-namespaces
  7. NAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
  8. default     service/kubernetes   ClusterIP   10.254.0.1   <none>        443/TCP   3m53s
  10. $ kubectl get componentstatuses
  11. NAME                 AGE
  12. controller-manager   <unknown>
  13. scheduler            <unknown>
  14. etcd-0               <unknown>
  15. etcd-2               <unknown>
  16. etcd-1               <unknown>
  • Kubernetes 1.16.6 存在 Bugs 导致返回结果一直为 <unknown>,但 kubectl get cs -o yaml 可以返回正确结果;

检查 kube-apiserver 监听的端口

  1. $ sudo netstat -lnpt|grep kube
  2. tcp        0      0 172.27.138.251:6443     0.0.0.0:*               LISTEN      101442/kube-apiserv
  • 6443: 接收 https 请求的安全端口,对所有请求做认证和授权;
  • 由于关闭了非安全端口,故没有监听 8080;