Updated 2025-01-18. Source: SLTechnology News&Howtos, Shulou (Shulou.com)
This article describes in detail how to install and configure the Master node in Kubernetes.
One: brief introduction
1. The Kubernetes master node contains the following components: kube-apiserver, kube-scheduler and kube-controller-manager. These three components need to be deployed on the same machine. Only one kube-scheduler process and one kube-controller-manager process can be working at the same time; if you run more than one, they need to elect a leader.
2. In the /etc/kubernetes/ssl directory, prepare the certificate files that you may use.
admin-key.pem admin.pem ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem kubernetes-key.pem kubernetes.pem
3. Download the installation file
wget https://storage.googleapis.com/kubernetes-release/release/v1.8.5/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes
tar -xzvf kubernetes-src.tar.gz
Copy the binaries to the specified directory
cp -r server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kube-proxy,kubelet} /usr/bin/
Two: configure and start kube-apiserver
1. Service file /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
After=etcd.service
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_ETCD_SERVERS \
        $KUBE_API_ADDRESS \
        $KUBE_API_PORT \
        $KUBELET_PORT \
        $KUBE_ALLOW_PRIV \
        $KUBE_SERVICE_ADDRESSES \
        $KUBE_ADMISSION_CONTROL \
        $KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
2. Configuration file /etc/kubernetes/config
###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
# kube-apiserver.service
# kube-controller-manager.service
# kube-scheduler.service
# kubelet.service
# kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"
# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"
# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=true"
# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://10.116.137.196:8080"
This configuration file is shared by kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.
3. Configuration file /etc/kubernetes/apiserver
###
## kubernetes system config
##
## The following values are used to configure the kube-apiserver
##
#
## The address on the local server to listen to.
KUBE_API_ADDRESS="--advertise-address=10.116.137.196 --bind-address=10.116.137.196 --insecure-bind-address=10.116.137.196"
#
## The port on the local server to listen on.
# KUBE_API_PORT="--port=8080"
#
## Port minions listen on
# KUBELET_PORT="--kubelet-port=10250"
#
## Comma separated list of nodes in the etcd cluster
KUBE_ETCD_SERVERS="--etcd-servers=https://10.116.137.196:2379,https://10.116.82.28:2379,https://10.116.36.57:2379"
#
## Address range to use for services
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
#
## default admission control policies
KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
#
## Add your own!
KUBE_API_ARGS="--authorization-mode=RBAC --runtime-config=rbac.authorization.k8s.io/v1beta1 --kubelet-https=true --experimental-bootstrap-token-auth --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-32767 --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --etcd-cafile=/etc/kubernetes/ssl/ca.pem --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem --enable-swagger-ui=true --apiserver-count=1 --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/lib/audit.log --event-ttl=1h"
A. --authorization-mode=RBAC specifies RBAC authorization mode on the secure port and rejects requests that are not authorized.
B. kube-scheduler, kube-controller-manager and kube-apiserver are generally deployed on the same machine, and they communicate with kube-apiserver through the insecure port. kubelet, kube-proxy and kubectl are deployed on other Node nodes; if they access kube-apiserver through the secure port, they must first pass TLS certificate authentication and then RBAC authorization.
C. kube-proxy and kubectl pass RBAC authorization by specifying the relevant User and Group in the certificates they use.
D. If the kubelet TLS Bootstrap mechanism is used, the --kubelet-certificate-authority, --kubelet-client-certificate and --kubelet-client-key options must not be specified; otherwise, when kube-apiserver later verifies the kubelet certificate, an "x509: certificate signed by unknown authority" error occurs.
E. The --admission-control value must contain ServiceAccount.
F. --bind-address cannot be 127.0.0.1.
G. --runtime-config is configured as rbac.authorization.k8s.io/v1beta1, which represents the apiVersion enabled at run time.
H. --service-cluster-ip-range specifies the Service Cluster IP address range; this range must not be routable.
I. By default, Kubernetes objects are saved under the etcd /registry path, which can be adjusted with the --etcd-prefix parameter.
4. Start kube-apiserver
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
Three: configure and start kube-controller-manager
1. Service file /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_MASTER \
        $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
2. Configuration file /etc/kubernetes/controller-manager
###
# The following values are used to configure the kubernetes controller-manager
# defaults from config and apiserver should be adequate
# Add your own!
KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --service-cluster-ip-range=10.254.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem --root-ca-file=/etc/kubernetes/ssl/ca.pem --leader-elect=true"
A. The --service-cluster-ip-range parameter specifies the CIDR range of Services in the cluster. This network must not be routable between Nodes, and the value must be consistent with the parameter in kube-apiserver.
B. The certificate and private key files specified by --cluster-signing-* are used to sign the certificates and private keys created for TLS Bootstrap.
C. --root-ca-file is used to verify the kube-apiserver certificate. The CA certificate file is placed in the ServiceAccount of Pod containers only when this parameter is specified.
D. The --address value must be 127.0.0.1 because the current kube-apiserver expects scheduler and controller-manager to be on the same machine.
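A static check of the two environment files against notes A, E and F of the kube-apiserver section and notes A and D above, as an added example that is not part of the original article. The sample inputs are constructed, abridged copies of this page's files and the function names are hypothetical; the --insecure-bind-address check is an addition, included because requests to the insecure port skip authentication and RBAC.

```python
# Constructed sample input: abridged copies of this page's environment files.
APISERVER_ENV = '''
KUBE_API_ADDRESS="--advertise-address=10.116.137.196 --bind-address=10.116.137.196 --insecure-bind-address=10.116.137.196"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
KUBE_API_ARGS="--authorization-mode=RBAC --client-ca-file=/etc/kubernetes/ssl/ca.pem"
'''
CONTROLLER_ENV = '''
KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --service-cluster-ip-range=10.254.0.0/16 --leader-elect=true"
'''

def parse_flags(env_text):
    """Collect --flag=value pairs from the NAME="..." lines of an EnvironmentFile."""
    flags = {}
    for line in env_text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        value = line.partition("=")[2].strip().strip("\"'")
        for token in value.split():
            if token.startswith("--"):
                name, _, val = token[2:].partition("=")
                flags[name] = val
    return flags

def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")

def audit(apiserver_env, controller_env):
    """Hypothetical helper: return one finding per violated constraint."""
    api, cm = parse_flags(apiserver_env), parse_flags(controller_env)
    findings = []
    if "RBAC" not in api.get("authorization-mode", "").split(","):
        findings.append("apiserver: --authorization-mode does not include RBAC")
    if "ServiceAccount" not in api.get("admission-control", "").split(","):
        findings.append("apiserver: --admission-control lacks ServiceAccount")
    if is_loopback(api.get("bind-address", "")):
        findings.append("apiserver: --bind-address must not be 127.0.0.1")
    insecure = api.get("insecure-bind-address")
    if insecure and not is_loopback(insecure):
        findings.append(f"apiserver: insecure port on {insecure} skips authentication and RBAC")
    if api.get("service-cluster-ip-range") != cm.get("service-cluster-ip-range"):
        findings.append("service-cluster-ip-range differs between apiserver and controller-manager")
    if cm.get("address") != "127.0.0.1":
        findings.append("controller-manager: --address is not 127.0.0.1")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(APISERVER_ENV, CONTROLLER_ENV)))
```

With the sample files the only finding is the insecure port bound to 10.116.137.196; setting --insecure-bind-address=127.0.0.1 clears it.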
3. Start kube-controller-manager
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
Four: configure and start kube-scheduler
1. Service file /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler Plugin
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler \
        $KUBE_LOGTOSTDERR \
        $KUBE_LOG_LEVEL \
        $KUBE_MASTER \
        $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
2. Configuration file /etc/kubernetes/scheduler
###
# kubernetes scheduler config
# default config should be adequate
# Add your own!
KUBE_SCHEDULER_ARGS="--leader-elect=true --address=127.0.0.1"
3. Start kube-scheduler
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler
Five: verify the function of master node