All of the following steps must be carried out on all 3 servers.
1. Create the certificate
mkdir -p /etc/ssl/kube-scheduler
# run the remaining commands from the certificate directory so the relative
# path passed to cfssl resolves
cd /etc/ssl/kube-scheduler
cat > /etc/ssl/kube-scheduler/kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "127.0.0.1",
    "192.168.1.40",
    "192.168.1.41",
    "192.168.1.42"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "system:kube-scheduler",
      "OU": "dessler"
    }
  ]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
ls
kube-scheduler.csr  kube-scheduler-csr.json  kube-scheduler-key.pem  kube-scheduler.pem
- Notes:
  - The hosts list contains the IPs of all kube-scheduler nodes.
  - CN is system:kube-scheduler and O is system:kube-scheduler; the ClusterRoleBinding system:kube-scheduler built into Kubernetes grants this identity the permissions kube-scheduler needs to do its work.
2. Create the kubeconfig file
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.1.43:8443 \
  --kubeconfig=kube-scheduler.kubeconfig
Cluster "kubernetes" set.
kubectl config set-credentials system:kube-scheduler \
  --client-certificate=/etc/ssl/kube-scheduler/kube-scheduler.pem \
  --client-key=/etc/ssl/kube-scheduler/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-scheduler.kubeconfig
User "system:kube-scheduler" set.
kubectl config set-context system:kube-scheduler \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=kube-scheduler.kubeconfig
Context "system:kube-scheduler" created.
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
Switched to context "system:kube-scheduler".
3. Distribute the config file, certificates and binaries
4. Configure the kube-scheduler service
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \\
--address=127.0.0.1 \\
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \\
--leader-elect=true \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/var/log/kubernetes \\
--v=2
Restart=on-failure
RestartSec=5
#User=k8s
[Install]
WantedBy=multi-user.target
EOF
- Notes:
  - --address: listen on 127.0.0.1:10251 for HTTP /metrics requests; kube-scheduler does not yet support serving HTTPS.
  - --kubeconfig: path to the kubeconfig file that kube-scheduler uses to connect to and authenticate against kube-apiserver.
  - --leader-elect=true: cluster mode with leader election enabled; the node elected leader does the scheduling work while the other nodes wait in a blocked (standby) state.
  - User=k8s: run the service as the k8s account (left commented out in the unit above).
5. Start the service
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
systemctl status kube-scheduler
6. Check the service
curl -s http://127.0.0.1:10251/metrics |head
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="21600"} 0
kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  annotations:
    control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99","leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z","renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
  creationTimestamp: "2019-01-30T08:32:08Z"
  name: kube-scheduler
  namespace: kube-system
  resourceVersion: "1737721"
  selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
  uid: 87dbdef5-2469-11e9-a032-525400c6cc24
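To read the leader annotation shown above (holderIdentity, renewTime, leaseDurationSeconds, leaderTransitions) programmatically, here is an added Python example that is not part of the original tutorial: it reports which host holds the kube-scheduler lease and whether the lease is still being renewed, using a constructed Endpoints object that carries the values from the output above. It assumes the JSON form of the object (`kubectl get endpoints kube-scheduler -n kube-system -o json`); newer Kubernetes releases keep the same fields in a coordination.k8s.io Lease object instead.

```python
"""Report which host holds the kube-scheduler leader lease and whether it is fresh.
Added example (not from the tutorial); input is the Endpoints object as JSON,
i.e. `kubectl get endpoints kube-scheduler -n kube-system -o json`."""
import json
from datetime import datetime, timezone

LEADER_ANNOTATION = "control-plane.alpha.kubernetes.io/leader"

# Constructed sample carrying the exact lease values shown in the tutorial output.
SAMPLE_ENDPOINTS = json.dumps({
    "apiVersion": "v1", "kind": "Endpoints",
    "metadata": {"name": "kube-scheduler", "namespace": "kube-system",
                 "annotations": {LEADER_ANNOTATION: json.dumps({
                     "holderIdentity": "host22_11b7b315-2f42-11e9-b608-525400a73b99",
                     "leaseDurationSeconds": 15,
                     "acquireTime": "2019-02-13T05:39:32Z",
                     "renewTime": "2019-02-14T06:30:41Z",
                     "leaderTransitions": 5})}},
})

def parse_k8s_time(value):
    """Parse the RFC 3339 UTC timestamps ('...Z') Kubernetes writes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def leader_status(endpoints_json, now):
    """Return (holder_host, is_fresh, age_seconds, transitions).

    The lease is fresh while renewTime lies within leaseDurationSeconds of
    `now`; a stale lease means the holder stopped renewing and a standby
    scheduler should take over once the lease duration has passed.  Without
    the annotation no election has taken place yet."""
    annotations = json.loads(endpoints_json)["metadata"].get("annotations", {})
    raw = annotations.get(LEADER_ANNOTATION)
    if raw is None:
        return None, False, None, 0
    lease = json.loads(raw)
    holder_host = lease["holderIdentity"].rsplit("_", 1)[0]  # "<host>_<uuid>"
    age = (now - parse_k8s_time(lease["renewTime"])).total_seconds()
    fresh = 0 <= age <= lease["leaseDurationSeconds"]  # negative age = clock skew
    return holder_host, fresh, age, lease["leaderTransitions"]

if __name__ == "__main__":
    host, fresh, age, n = leader_status(SAMPLE_ENDPOINTS, datetime.now(timezone.utc))
    print(f"leader={host} fresh={fresh} age={age:.0f}s transitions={n}")
```

A leaderTransitions count that keeps rising between polls means the schedulers are repeatedly losing the lease, typically because they cannot reach kube-apiserver.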
7. Configure automatic approval of kubelet CSR requests
cat > /opt/kubernetes/cfg/csr-crb.yaml <<EOF
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-client-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-server-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: approve-node-server-renewal-csr
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /opt/kubernetes/cfg/csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/auto-approve-csrs-for-group created
clusterrolebinding.rbac.authorization.k8s.io/node-client-cert-renewal created
clusterrole.rbac.authorization.k8s.io/approve-node-server-renewal-csr created
clusterrolebinding.rbac.authorization.k8s.io/node-server-cert-renewal created
- Notes:
  - After kubelet starts it uses --bootstrap-kubeconfig to send a CSR to kube-apiserver; once that CSR is approved, kube-controller-manager creates the TLS client certificate and private key for the kubelet together with its --kubeconfig file.
  - Note: kube-controller-manager must be started with the --cluster-signing-cert-file and --cluster-signing-key-file parameters, otherwise it will not issue certificates and private keys for TLS Bootstrap.
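To see exactly which identities the bindings above let the CSR approver act for, here is an added Python example (not from the tutorial) that follows ClusterRoleBinding -> ClusterRole -> rules, in the JSON shape kubectl returns, and reports which certificatesigningrequests subresources each group may create; it runs on a constructed copy of the objects in csr-crb.yaml, and the rules of the two built-in ClusterRoles (nodeclient and selfnodeclient), which the page does not show, are assumed from upstream Kubernetes. It goes beyond the page by honouring "*" wildcards, so run over a real `kubectl get clusterrole,clusterrolebinding -o json` dump it also surfaces any role broader than these three.

```python
"""Which subjects may create CSR approval subresources under the step 7 RBAC.
Added example (not from the tutorial); input is the .items list from
`kubectl get clusterrole,clusterrolebinding -o json`."""
CSR_API_GROUP = "certificates.k8s.io"
NODECLIENT = "system:certificates.k8s.io:certificatesigningrequests:nodeclient"
SELFNODECLIENT = "system:certificates.k8s.io:certificatesigningrequests:selfnodeclient"

def _role(name, subresource):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [CSR_API_GROUP], "verbs": ["create"],
                       "resources": ["certificatesigningrequests/" + subresource]}]}

def _binding(name, group, role):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "subjects": [{"kind": "Group", "name": group}],
            "roleRef": {"kind": "ClusterRole", "name": role}}

SAMPLE_ITEMS = [  # constructed; the first two roles are the assumed built-ins
    _role(NODECLIENT, "nodeclient"),
    _role(SELFNODECLIENT, "selfnodeclient"),
    _role("approve-node-server-renewal-csr", "selfnodeserver"),
    _binding("auto-approve-csrs-for-group", "system:bootstrappers", NODECLIENT),
    _binding("node-client-cert-renewal", "system:nodes", SELFNODECLIENT),
    _binding("node-server-cert-renewal", "system:nodes", "approve-node-server-renewal-csr"),
]

def _matches(values, wanted):
    return "*" in values or wanted in values

def csr_create_grants(items):
    """Map "Kind:name" subjects to the CSR subresources they may create,
    following ClusterRoleBinding -> ClusterRole -> rules ("*" = everything)."""
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    grants = {}
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        ref = b["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in roles:
            continue  # dangling roleRefs grant nothing
        subres = set()
        for rule in roles[ref["name"]].get("rules", []):
            if _matches(rule.get("apiGroups", []), CSR_API_GROUP) and _matches(rule.get("verbs", []), "create"):
                res = rule.get("resources", [])
                subres |= {"*"} if "*" in res else {r for r in res if r.startswith("certificatesigningrequests/")}
        for s in b.get("subjects", []):
            grants.setdefault(f'{s["kind"]}:{s["name"]}', set()).update(subres)
    return grants

def may_create(items, kind, name, subresource):
    """True if the subject may create certificatesigningrequests/<subresource>."""
    g = csr_create_grants(items).get(f"{kind}:{name}", set())
    return "*" in g or "certificatesigningrequests/" + subresource in g
```

Any subject other than system:bootstrappers and system:nodes appearing in the result of csr_create_grants on a real dump deserves a look, since it can drive node certificate issuance.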