kube-apiserver是无状态的,部署到3个Master节点,通过nginx进行代理访问,从而保证服务高可用
后续的部署都涉及到参数配置,apiVersion 和 kind 取值参考 kubernetes.io/docs/refere…
一、下载并分发二进制文件到3个master节点
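[root@master1 ~]# cd /opt/install/
# Download the binary together with the SHA-256 digest published next to it and
# verify BEFORE chmod/scp: a truncated download or a tampered file must stop the
# rollout here, not after it has been copied to three masters. The .sha256 file
# holds only the hex digest, so build the "<digest>  <file>" line sha256sum expects.
# The digest comes from the same origin as the binary, so this proves integrity of
# the download, not the trustworthiness of dl.k8s.io itself.
[root@master1 install]# wget https://dl.k8s.io/v1.23.5/bin/linux/amd64/kube-apiserver
[root@master1 install]# wget https://dl.k8s.io/v1.23.5/bin/linux/amd64/kube-apiserver.sha256
[root@master1 install]# echo "$(cat kube-apiserver.sha256)  kube-apiserver" | sha256sum --check
kube-apiserver: OK
[root@master1 install]# chmod +x kube-apiserver
[root@master1 install]# mv kube-apiserver /opt/k8s/bin/
# Distribute the verified binary. The array is quoted so the loop stays correct for
# any element value, and a failed copy aborts instead of leaving one master on a
# stale or missing binary.
[root@master1 install]# for node_ip in "${MASTER_IPS[@]}"; do
  echo ">>> ${node_ip}"
  scp /opt/k8s/bin/kube-apiserver "root@${node_ip}:/opt/k8s/bin/" || { echo "copy to ${node_ip} failed" >&2; break; }
  ssh "root@${node_ip}" "chmod +x /opt/k8s/bin/kube-apiserver"
done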
>>> 192.168.66.131
kube-apiserver 100% 125MB 216.7MB/s 00:00
>>> 192.168.66.132
kube-apiserver 100% 125MB 152.6MB/s 00:00
>>> 192.168.66.133
kube-apiserver 100% 125MB 156.9MB/s 00:00
[root@master1 install]#
二、创建加密配置文件
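[root@master1 ~]# cd /opt/install/kubeconfig
# aescbc expects a 32-byte key; 32 random bytes base64-encoded is 44 characters.
# Never echo the key itself: it would land in shell history and terminal logs
# (the key printed in the original write-up is public and must not be reused).
[root@master1 kubeconfig]# export ENCRYPTION_KEY="$(head -c 32 /dev/urandom | base64)"
[root@master1 kubeconfig]# echo "${#ENCRYPTION_KEY}"    # prints 44
# Create the file mode 0600 before writing it: it carries the data-at-rest key in
# clear text, and the default umask would make it world-readable (0644).
[root@master1 kubeconfig]# install -m 600 /dev/null encryption-config.yaml
# The legacy kind/apiVersion pair below is what this page was tested with; newer
# docs use apiVersion apiserver.config.k8s.io/v1, kind EncryptionConfiguration.
# aescbc keeps the key on the control-plane disk; for production consider a kms
# provider, and check the docs for the Kubernetes version in use -- recent versions
# no longer recommend aescbc over secretbox/aesgcm (TODO confirm for your version).
[root@master1 kubeconfig]# cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; later ones are only tried on read.
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      # identity (plain text) stays last so Secrets written before encryption was
      # enabled remain readable; rewrite existing Secrets to get them encrypted.
      - identity: {}
EOF
# Copy to every master and force 0600 there too: scp without -p applies the remote
# umask, which would again leave the key world-readable.
[root@master1 kubeconfig]# for node_ip in "${MASTER_IPS[@]}"; do
  echo ">>> ${node_ip}"
  scp encryption-config.yaml "root@${node_ip}:/opt/k8s/etc/encryption-config.yaml" || { echo "copy to ${node_ip} failed" >&2; break; }
  ssh "root@${node_ip}" "chmod 600 /opt/k8s/etc/encryption-config.yaml"
done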
>>> 192.168.66.131
encryption-config.yaml 100% 240 315.5KB/s 00:00
>>> 192.168.66.132
encryption-config.yaml 100% 240 103.6KB/s 00:00
>>> 192.168.66.133
encryption-config.yaml 100% 240 203.2KB/s 00:00
[root@master1 kubeconfig]#
三、创建并分发审计策略
1、创建审计策略文件 audit-policy.yaml
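[root@master1 ~]# cd /opt/install/kubeconfig
# Rules are matched top-down and the first match wins, so the two catch-all rules
# must remain last. A 'users' entry has to be the exact authenticated username
# (certificate CN, or system:serviceaccount:<namespace>:<name> for a ServiceAccount);
# a name that matches nothing is not rejected, the request simply falls through to a
# more verbose rule. Two such entries in the original are corrected below.
# As pasted, the file had lost its indentation; the structure below is the valid one.
[root@master1 kubeconfig]# cat > audit-policy.yaml <<EOF
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # The following requests were manually identified as high-volume and low-risk, so drop them.
  # kube-proxy's username is the CN of its client certificate (k8s-demo-kube-proxy here).
  - level: None
    resources:
      - group: ""
        resources:
          - endpoints
          - services
          - services/status
    users:
      - 'k8s-demo-kube-proxy'
    verbs:
      - watch
  - level: None
    resources:
      - group: ""
        resources:
          - nodes
          - nodes/status
    userGroups:
      - 'system:nodes'
    verbs:
      - get
  - level: None
    namespaces:
      - kube-system
    resources:
      - group: ""
        resources:
          - endpoints
    users:
      - 'k8s-demo-ctrl-mgr'
      - 'k8s-demo-scheduler'
      # The endpoint controller authenticates as this ServiceAccount username. The
      # original split it into 'system:serviceaccounts' (a group name) and
      # 'kube-system:endpoint-controller', neither of which is a username.
      - 'system:serviceaccount:kube-system:endpoint-controller'
    verbs:
      - get
      - update
  - level: None
    resources:
      - group: ""
        resources:
          - namespaces
          - namespaces/status
          - namespaces/finalize
    users:
      # Requests the API server makes to itself over its loopback client carry the
      # built-in username system:apiserver (see the audit sample later on this page),
      # not the CN of apiserver.pem, so the original 'k8s-demo-apiserver' never matched.
      - 'system:apiserver'
    verbs:
      - get
  # Don't log HPA fetching metrics.
  - level: None
    resources:
      - group: metrics.k8s.io
    users:
      - 'k8s-demo-ctrl-mgr'
    verbs:
      - get
      - list
  # Don't log these read-only URLs (whoever calls them).
  - level: None
    nonResourceURLs:
      - '/healthz*'
      - /version
      - '/swagger*'
  # Don't log events requests. Nothing about Events is audited, so Event creation
  # by workloads will not be visible in audit.log during an investigation.
  - level: None
    resources:
      - group: ""
        resources:
          - events
  # node and pod status calls from nodes are high-volume and can be large, don't log responses
  # for expected updates from nodes
  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - nodes/status
          - pods/status
    users:
      - kubelet
      - 'system:node-problem-detector'
      - 'system:serviceaccount:kube-system:node-problem-detector'
    verbs:
      - update
      - patch
  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - nodes/status
          - pods/status
    userGroups:
      - 'system:nodes'
    verbs:
      - update
      - patch
  # deletecollection calls can be large, don't log responses for expected namespace deletions
  - level: Request
    omitStages:
      - RequestReceived
    users:
      - 'system:serviceaccount:kube-system:namespace-controller'
    verbs:
      - deletecollection
  # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
  # so only log at the Metadata level. This rule is what keeps secret values and
  # bearer tokens out of audit.log; keep it ahead of the Request/RequestResponse rules.
  - level: Metadata
    omitStages:
      - RequestReceived
    resources:
      - group: ""
        resources:
          - secrets
          - configmaps
      - group: authentication.k8s.io
        resources:
          - tokenreviews
  # Get responses can be large; skip them.
  - level: Request
    omitStages:
      - RequestReceived
    resources:
      - group: ""
      - group: admissionregistration.k8s.io
      - group: apiextensions.k8s.io
      - group: apiregistration.k8s.io
      - group: apps
      - group: authentication.k8s.io
      - group: authorization.k8s.io
      - group: autoscaling
      - group: batch
      - group: certificates.k8s.io
      - group: extensions
      - group: metrics.k8s.io
      - group: networking.k8s.io
      - group: policy
      - group: rbac.authorization.k8s.io
      - group: scheduling.k8s.io
      - group: settings.k8s.io
      - group: storage.k8s.io
    verbs:
      - get
      - list
      - watch
  # Default level for known APIs: full request and response bodies for writes.
  - level: RequestResponse
    omitStages:
      - RequestReceived
    resources:
      - group: ""
      - group: admissionregistration.k8s.io
      - group: apiextensions.k8s.io
      - group: apiregistration.k8s.io
      - group: apps
      - group: authentication.k8s.io
      - group: authorization.k8s.io
      - group: autoscaling
      - group: batch
      - group: certificates.k8s.io
      - group: extensions
      - group: metrics.k8s.io
      - group: networking.k8s.io
      - group: policy
      - group: rbac.authorization.k8s.io
      - group: scheduling.k8s.io
      - group: settings.k8s.io
      - group: storage.k8s.io
  # Default level for all other requests.
  - level: Metadata
    omitStages:
      - RequestReceived
EOF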
[root@master1 kubeconfig]# ll
总用量 20
-rw-r--r-- 1 root root 4297 4月 9 11:08 audit-policy.yaml
-rw-r--r-- 1 root root 240 4月 9 11:04 encryption-config.yaml
-rw------- 1 root root 6427 4月 9 10:26 kubectl.kubeconfig
[root@master1 kubeconfig]#
k8s-demo-kube-proxy、k8s-demo-ctrl-mgr、k8s-demo-scheduler 等用户名是前面生成证书时在证书 CN 中确定的，可以根据自己的环境修改。注意审计规则里的 users 必须与实际认证出来的用户名完全一致（证书 CN，或 ServiceAccount 的 system:serviceaccount:<namespace>:<name>），写错不会报错，只会让这些请求落入后面更详细、量更大的规则。
2、分发审计策略文件到3个master节点
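[root@master1 ~]# cd /opt/install/kubeconfig
# The policy holds no secrets, so the default 0644 is acceptable; it only has to be
# readable by the kube-apiserver process (which runs as root in this unit).
# Quote the array and abort on a failed copy so no master is left with an old policy.
[root@master1 kubeconfig]# for node_ip in "${MASTER_IPS[@]}"; do
  echo ">>> ${node_ip}"
  scp audit-policy.yaml "root@${node_ip}:/opt/k8s/etc/audit-policy.yaml" || { echo "copy to ${node_ip} failed" >&2; break; }
done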
>>> 192.168.66.131
audit-policy.yaml 100% 4297 3.5MB/s 00:00
>>> 192.168.66.132
audit-policy.yaml 100% 4297 3.4MB/s 00:00
>>> 192.168.66.133
audit-policy.yaml 100% 4297 2.8MB/s 00:00
[root@master1 kubeconfig]#
四、部署kube-apiserver服务
1、创建kube-apiserver systemd unit模板文件
- 模板文件名称 apiserver.service.template
- 参数含义参考 kubernetes.io/zh/docs/ref…
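[root@master1 ~]# cd /opt/install/service
# Changes relative to the original template (rationale in the notes below the file):
#   --profiling=false           pprof debug endpoints are not needed on a production
#                               API server (CIS Kubernetes Benchmark recommendation)
#   --service-account-key-file  given once, with the public key that pairs with
#                               --service-account-signing-key-file; also listing ca.pem
#                               only widens the set of keys trusted for SA tokens
#   --audit-policy-file         built from ${K8S_DIR} like every other path
#   --apiserver-count           derived from MASTER_IPS instead of a literal 3
# Left as-is but worth reviewing: --runtime-config=api/all=true (also enables alpha
# APIs) and --service-account-issuer=api (not a URL, so issuer discovery stays off).
[root@master1 service]# cat > apiserver.service.template <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=${K8S_DIR}/kube-apiserver
ExecStart=${K8S_DIR}/bin/kube-apiserver \\
  --advertise-address=##NODE_IP## \\
  --default-not-ready-toleration-seconds=360 \\
  --default-unreachable-toleration-seconds=360 \\
  --max-mutating-requests-inflight=2000 \\
  --max-requests-inflight=4000 \\
  --default-watch-cache-size=200 \\
  --delete-collection-workers=2 \\
  --encryption-provider-config=${K8S_DIR}/etc/encryption-config.yaml \\
  --etcd-cafile=${K8S_DIR}/etc/cert/ca.pem \\
  --etcd-certfile=${K8S_DIR}/etc/cert/apiserver.pem \\
  --etcd-keyfile=${K8S_DIR}/etc/cert/apiserver-key.pem \\
  --etcd-servers=${ETCD_ENDPOINTS} \\
  --bind-address=##NODE_IP## \\
  --secure-port=6443 \\
  --tls-cert-file=${K8S_DIR}/etc/cert/apiserver.pem \\
  --tls-private-key-file=${K8S_DIR}/etc/cert/apiserver-key.pem \\
  --audit-log-maxage=15 \\
  --audit-log-maxbackup=3 \\
  --audit-log-maxsize=100 \\
  --audit-log-truncate-enabled \\
  --audit-log-path=${K8S_DIR}/kube-apiserver/audit.log \\
  --audit-policy-file=${K8S_DIR}/etc/audit-policy.yaml \\
  --profiling=false \\
  --client-ca-file=${K8S_DIR}/etc/cert/ca.pem \\
  --enable-bootstrap-token-auth \\
  --requestheader-allowed-names="k8s-demo-aggregator" \\
  --requestheader-client-ca-file=${K8S_DIR}/etc/cert/ca.pem \\
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --authorization-mode=Node,RBAC \\
  --anonymous-auth=false \\
  --runtime-config=api/all=true \\
  --enable-admission-plugins=NodeRestriction \\
  --allow-privileged=true \\
  --apiserver-count=${#MASTER_IPS[@]} \\
  --event-ttl=168h \\
  --kubelet-certificate-authority=${K8S_DIR}/etc/cert/ca.pem \\
  --kubelet-client-certificate=${K8S_DIR}/etc/cert/apiserver.pem \\
  --kubelet-client-key=${K8S_DIR}/etc/cert/apiserver-key.pem \\
  --kubelet-timeout=10s \\
  --proxy-client-cert-file=${K8S_DIR}/etc/cert/aggregator-client.pem \\
  --proxy-client-key-file=${K8S_DIR}/etc/cert/aggregator-client-key.pem \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --service-node-port-range=${NODE_PORT_RANGE} \\
  --service-account-issuer=api \\
  --service-account-key-file=${K8S_DIR}/etc/cert/service-account.pub \\
  --service-account-signing-key-file=${K8S_DIR}/etc/cert/service-account-key.pem \\
  --v=2
Restart=on-failure
RestartSec=10
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF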
- --requestheader-allowed-names：不能为空，值用逗号分割，这里设置为"k8s-demo-aggregator"。只有由 --requestheader-client-ca-file 签发且 CN 在此列表中的客户端证书，才能通过 X-Remote-User / X-Remote-Group 请求头声明任意用户身份，因此列表务必只包含聚合层代理使用的那张证书
- 在--proxy-client-cert-file证书中配置CN名称为"k8s-demo-aggregator"
- --secure-port：https监听端口（注意参数名是 secure，不是 secret）
- --insecure-port=0：关闭监听 http 非安全端口(8080)。v1.23 中该参数已弃用且只接受 0（v1.24 起移除），本文模板没有设置它；后文 ss 输出只看到 6443 端口，即可确认没有明文监听
- --authorization-mode=Node,RBAC 开启Node和RBAC授权模式。k8s把用户和组的关系交给认证模块处理,k8s关注的是对资源的操作管控,即Role和ClusterRole
- --anonymous-auth=false 拒绝不带任何凭证的请求（不再映射为 system:anonymous / system:unauthenticated）。注意两点：一是 nginx 或负载均衡器对 /healthz 的 HTTP 探测也需要携带凭证，否则应改用 TCP 探测；二是后文默认 RBAC 中 system:public-info-viewer 绑定到 system:unauthenticated 的规则在本集群里实际不会生效
- --kubelet-*：如果指定，则使用https访问kubelet APIs；需要把 ClusterRole system:kubelet-api-admin（后文 ClusterRole 列表中可见）绑定给 apiserver.pem 证书 CN 对应的用户，否则 kubectl logs/exec 等访问 kubelet API 时提示未授权
- 如果kube-apiserver机器没有运行kube-proxy，则还需要添加--enable-aggregator-routing=true参数
- --audit-log-version string 默认值："audit.k8s.io/v1"
- --audit-log-maxage=15 / --audit-log-maxbackup=3 / --audit-log-maxsize=100：审计日志只在本机保留 15 天、最多 3 个 100MB 备份，且存放在 root 可写的目录；事件响应往往需要更长的时间窗口，生产环境应把 audit.log 实时转发到独立的日志系统（或配置 --audit-webhook-*），避免拿到 Master 节点 root 权限的攻击者删改日志
- --profiling：默认为 true，会开放 /debug/pprof 调试端点；生产环境应显式设置 --profiling=false（CIS Kubernetes Benchmark 建议项）
- --runtime-config=api/all=true：一次性打开全部 API 组和版本，包括 alpha 版本（后文 api-resources 中的 internal.apiserver.k8s.io/v1alpha1 即由此开启）；生产环境建议只按需开启具体的 group/version，减少暴露面
- --service-account-issuer=api：该值会写入 SA token 的 iss 声明。它不是合法 URL，所以 ServiceAccountIssuerDiscovery（对应后文 system:service-account-issuer-discovery 绑定）不会启用；建议使用 https://kubernetes.default.svc 这类 URL，并保证后续组件（如 kube-controller-manager）对 issuer 的配置一致
- --service-account-key-file：可重复指定，列出的所有公钥都会被用于校验 SA token 签名。token 由 --service-account-signing-key-file 签发，只需要与之配对的 service-account.pub，不要再额外列出 ca.pem（那会让用 CA 私钥签出的 token 也被接受）
- --allow-privileged=true：允许创建特权容器（CNI、kube-proxy 等系统组件通常需要）；应配合准入控制（v1.23 中 PodSecurity 为 beta）限制普通命名空间使用特权 Pod
- Feature Gates 参考 kubernetes.io/docs/refere…
2、分发kube-apiserver systemd unit文件到3个master节点
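[root@master1 ~]# cd /opt/install/service
# Render one unit per master, iterating over the array instead of a hard-coded 3.
# ##NODE_NAME## is not used by this template; the substitution is kept for templates that are.
[root@master1 service]# for (( i=0; i < ${#MASTER_IPS[@]}; i++ )); do
  sed -e "s/##NODE_NAME##/${MASTER_NAMES[i]}/" -e "s/##NODE_IP##/${MASTER_IPS[i]}/" \
    apiserver.service.template > "apiserver-${MASTER_IPS[i]}.service"
done
# Fail loudly if a placeholder survived rendering: an unexpanded ##NODE_IP## would
# make kube-apiserver try to bind/advertise a literal string.
[root@master1 service]# grep -l '##' apiserver-*.service && echo "ERROR: unrendered placeholder" >&2
[root@master1 service]# ll apiserver*.service
-rw-r--r-- 1 root root 2553 4月 9 11:20 apiserver-192.168.66.131.service
-rw-r--r-- 1 root root 2553 4月 9 11:20 apiserver-192.168.66.132.service
-rw-r--r-- 1 root root 2553 4月 9 11:20 apiserver-192.168.66.133.service
# The unit contains only paths and flags, no secrets, so the default 0644 is fine.
[root@master1 service]# for node_ip in "${MASTER_IPS[@]}"; do
  echo ">>> ${node_ip}"
  ssh "root@${node_ip}" "mkdir -p ${K8S_DIR}/kube-apiserver"
  scp "apiserver-${node_ip}.service" "root@${node_ip}:/etc/systemd/system/kube-apiserver.service" || { echo "copy to ${node_ip} failed" >&2; break; }
done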
>>> 192.168.66.131
apiserver-192.168.66.131.service 100% 2553 935.4KB/s 00:00
>>> 192.168.66.132
apiserver-192.168.66.132.service 100% 2553 788.9KB/s 00:00
>>> 192.168.66.133
apiserver-192.168.66.133.service 100% 2553 850.1KB/s 00:00
[root@master1 service]#
3、启动kube-apiserver服务,并检查服务状态
# Start kube-apiserver on every master: daemon-reload picks up the new unit, enable
# makes it start on boot, and restart (rather than start) replaces any instance that
# is already running with the freshly rendered unit.
[root@master1 ~]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver"
done
>>> 192.168.66.131
>>> 192.168.66.132
>>> 192.168.66.133
# Process and listening port: only the secure port 6443 on the node IP should show
# up -- there is no plaintext listener, since the unit configures no insecure port.
[root@master1 ~]# ss -lnpt | grep kube-apiserver
LISTEN 0 4096 192.168.66.131:6443 *:* users:(("kube-apiserver",pid=5463,fd=7))
# Confirm the unit is active on each master.
[root@master1 ~]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status kube-apiserver |grep 'Active:'"
done
>>> 192.168.66.131
Active: active (running) since 六 2022-04-09 12:13:18 CST; 53s ago
>>> 192.168.66.132
Active: active (running) since 六 2022-04-09 12:13:21 CST; 50s ago
>>> 192.168.66.133
Active: active (running) since 六 2022-04-09 12:13:23 CST; 48s ago
# Cluster info: 127.0.0.1:8443 is the local nginx proxy in front of the three API
# servers described at the top of this page, not an API server itself.
[root@master1 ~]# kubectl cluster-info
Kubernetes master is running at https://127.0.0.1:8443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
# List all resources: at this point only the kubernetes Service exists.
[root@master1 ~]# kubectl get all --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 10.66.0.1 <none> 443/TCP 62s
# List Services.
[root@master1 cert]# kubectl get svc --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.66.0.1 <none> 443/TCP 2m
# Component status (kubectl get cs for short). controller-manager and scheduler report
# Unhealthy because nothing listens on 10257/10259 yet -- presumably they are deployed
# in a later step. The three Healthy etcd members confirm the --etcd-* TLS client
# settings work. ComponentStatus is deprecated; for monitoring prefer each component's
# own /healthz (or /livez, /readyz) endpoint.
[root@master1 ~]# kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
controller-manager Unhealthy Get "https://127.0.0.1:10257/healthz": dial tcp 127.0.0.1:10257: connect: connection refused
scheduler Unhealthy Get "https://127.0.0.1:10259/healthz": dial tcp 127.0.0.1:10259: connect: connection refused
etcd-2 Healthy {"health":"true","reason":""}
etcd-0 Healthy {"health":"true","reason":""}
etcd-1 Healthy {"health":"true","reason":""}
# The kubernetes Endpoints object must list all three API servers; a missing entry
# means that master did not register itself (check its unit log below).
[root@master1 ~]# kubectl get ep
NAME ENDPOINTS AGE
kubernetes 192.168.66.131:6443,192.168.66.132:6443,192.168.66.133:6443 6m15s
# If anything above is not as expected, read the unit log.
[root@master1 ~]# journalctl -u kube-apiserver
- kube-apiserver审计日志存放路径 /opt/k8s/kube-apiserver/audit.log（由 --audit-log-path 指定，按 --audit-log-maxage/maxbackup/maxsize 在本机轮转）。下面是一条 Metadata 级别的事件：只记录用户、来源 IP、资源、动作和响应码，不包含请求/响应体，如下所示:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"b757516b-1a2d-46bb-aa9a-f3f4a5715e9e","stage":"ResponseComplete","requestURI":"/apis/discovery.k8s.io/v1/namespaces/default/endpointslices/kubernetes","verb":"get","user":{"username":"system:apiserver","uid":"fa394460-1716-4bf5-b585-dbbb145970d7","groups":["system:masters"]},"sourceIPs":["192.168.66.131"],"userAgent":"kube-apiserver/v1.23.5 (linux/amd64) kubernetes/c285e78","objectRef":{"resource":"endpointslices","namespace":"default","name":"kubernetes","apiGroup":"discovery.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2022-04-09T04:16:40.668360Z","stageTimestamp":"2022-04-09T04:16:40.669994Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
五、kube-apiserver服务初始化了哪些数据呢?
1、namespace
[root@master1 ~]# kubectl get ns
NAME STATUS AGE
default Active 9m7s
kube-node-lease Active 9m9s
kube-public Active 9m9s
kube-system Active 9m9s
2、Role
[root@master1 ~]# kubectl get Role --all-namespaces
NAMESPACE NAME CREATED AT
kube-public system:controller:bootstrap-signer 2022-04-10T10:12:22Z
kube-system extension-apiserver-authentication-reader 2022-04-10T10:12:22Z
kube-system system::leader-locking-kube-controller-manager 2022-04-10T10:12:22Z
kube-system system::leader-locking-kube-scheduler 2022-04-10T10:12:22Z
kube-system system:controller:bootstrap-signer 2022-04-10T10:12:22Z
kube-system system:controller:cloud-provider 2022-04-10T10:12:22Z
kube-system system:controller:token-cleaner 2022-04-10T10:12:22Z
3、ClusterRole
[root@master1 ~]# kubectl get ClusterRole
NAME CREATED AT
admin 2022-04-10T10:12:21Z
cluster-admin 2022-04-10T10:12:21Z
edit 2022-04-10T10:12:21Z
system:aggregate-to-admin 2022-04-10T10:12:21Z
system:aggregate-to-edit 2022-04-10T10:12:21Z
system:aggregate-to-view 2022-04-10T10:12:22Z
system:auth-delegator 2022-04-10T10:12:22Z
system:basic-user 2022-04-10T10:12:21Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient 2022-04-10T10:12:22Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2022-04-10T10:12:22Z
system:certificates.k8s.io:kube-apiserver-client-approver 2022-04-10T10:12:22Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2022-04-10T10:12:22Z
system:certificates.k8s.io:kubelet-serving-approver 2022-04-10T10:12:22Z
system:certificates.k8s.io:legacy-unknown-approver 2022-04-10T10:12:22Z
system:controller:attachdetach-controller 2022-04-10T10:12:22Z
system:controller:certificate-controller 2022-04-10T10:12:22Z
system:controller:clusterrole-aggregation-controller 2022-04-10T10:12:22Z
system:controller:cronjob-controller 2022-04-10T10:12:22Z
system:controller:daemon-set-controller 2022-04-10T10:12:22Z
system:controller:deployment-controller 2022-04-10T10:12:22Z
system:controller:disruption-controller 2022-04-10T10:12:22Z
system:controller:endpoint-controller 2022-04-10T10:12:22Z
system:controller:endpointslice-controller 2022-04-10T10:12:22Z
system:controller:endpointslicemirroring-controller 2022-04-10T10:12:22Z
system:controller:ephemeral-volume-controller 2022-04-10T10:12:22Z
system:controller:expand-controller 2022-04-10T10:12:22Z
system:controller:generic-garbage-collector 2022-04-10T10:12:22Z
system:controller:horizontal-pod-autoscaler 2022-04-10T10:12:22Z
system:controller:job-controller 2022-04-10T10:12:22Z
system:controller:namespace-controller 2022-04-10T10:12:22Z
system:controller:node-controller 2022-04-10T10:12:22Z
system:controller:persistent-volume-binder 2022-04-10T10:12:22Z
system:controller:pod-garbage-collector 2022-04-10T10:12:22Z
system:controller:pv-protection-controller 2022-04-10T10:12:22Z
system:controller:pvc-protection-controller 2022-04-10T10:12:22Z
system:controller:replicaset-controller 2022-04-10T10:12:22Z
system:controller:replication-controller 2022-04-10T10:12:22Z
system:controller:resourcequota-controller 2022-04-10T10:12:22Z
system:controller:root-ca-cert-publisher 2022-04-10T10:12:22Z
system:controller:route-controller 2022-04-10T10:12:22Z
system:controller:service-account-controller 2022-04-10T10:12:22Z
system:controller:service-controller 2022-04-10T10:12:22Z
system:controller:statefulset-controller 2022-04-10T10:12:22Z
system:controller:ttl-after-finished-controller 2022-04-10T10:12:22Z
system:controller:ttl-controller 2022-04-10T10:12:22Z
system:discovery 2022-04-10T10:12:21Z
system:heapster 2022-04-10T10:12:22Z
system:kube-aggregator 2022-04-10T10:12:22Z
system:kube-controller-manager 2022-04-10T10:12:22Z
system:kube-dns 2022-04-10T10:12:22Z
system:kube-scheduler 2022-04-10T10:12:22Z
system:kubelet-api-admin 2022-04-10T10:12:22Z
system:monitoring 2022-04-10T10:12:21Z
system:node 2022-04-10T10:12:22Z
system:node-bootstrapper 2022-04-10T10:12:22Z
system:node-problem-detector 2022-04-10T10:12:22Z
system:node-proxier 2022-04-10T10:12:22Z
system:persistent-volume-provisioner 2022-04-10T10:12:22Z
system:public-info-viewer 2022-04-10T10:12:21Z
system:service-account-issuer-discovery 2022-04-10T10:12:22Z
system:volume-scheduler 2022-04-10T10:12:22Z
view 2022-04-10T10:12:21Z
4、RoleBinding
[root@master1 ~]# kubectl get RoleBinding -o wide -A
NAMESPACE NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
kube-public system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 48m kube-system/bootstrap-signer
kube-system system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 48m system:kube-controller-manager, system:kube-scheduler
kube-system system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 48m system:kube-controller-manager kube-system/kube-controller-manager
kube-system system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 48m system:kube-scheduler kube-system/kube-scheduler
kube-system system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 48m kube-system/bootstrap-signer
kube-system system:controller:cloud-provider Role/system:controller:cloud-provider 48m kube-system/cloud-provider
kube-system system:controller:token-cleaner Role/system:controller:token-cleaner 48m kube-system/token-cleaner
5、ClusterRoleBinding
[root@master1 ~]# kubectl get ClusterRoleBinding -o wide -A
NAME ROLE AGE USERS GROUPS SERVICEACCOUNTS
cluster-admin ClusterRole/cluster-admin 46m system:masters
system:basic-user ClusterRole/system:basic-user 46m system:authenticated
system:controller:attachdetach-controller ClusterRole/system:controller:attachdetach-controller 46m kube-system/attachdetach-controller
system:controller:certificate-controller ClusterRole/system:controller:certificate-controller 46m kube-system/certificate-controller
system:controller:clusterrole-aggregation-controller ClusterRole/system:controller:clusterrole-aggregation-controller 46m kube-system/clusterrole-aggregation-controller
system:controller:cronjob-controller ClusterRole/system:controller:cronjob-controller 46m kube-system/cronjob-controller
system:controller:daemon-set-controller ClusterRole/system:controller:daemon-set-controller 46m kube-system/daemon-set-controller
system:controller:deployment-controller ClusterRole/system:controller:deployment-controller 46m kube-system/deployment-controller
system:controller:disruption-controller ClusterRole/system:controller:disruption-controller 46m kube-system/disruption-controller
system:controller:endpoint-controller ClusterRole/system:controller:endpoint-controller 46m kube-system/endpoint-controller
system:controller:endpointslice-controller ClusterRole/system:controller:endpointslice-controller 46m kube-system/endpointslice-controller
system:controller:endpointslicemirroring-controller ClusterRole/system:controller:endpointslicemirroring-controller 46m kube-system/endpointslicemirroring-controller
system:controller:ephemeral-volume-controller ClusterRole/system:controller:ephemeral-volume-controller 46m kube-system/ephemeral-volume-controller
system:controller:expand-controller ClusterRole/system:controller:expand-controller 46m kube-system/expand-controller
system:controller:generic-garbage-collector ClusterRole/system:controller:generic-garbage-collector 46m kube-system/generic-garbage-collector
system:controller:horizontal-pod-autoscaler ClusterRole/system:controller:horizontal-pod-autoscaler 46m kube-system/horizontal-pod-autoscaler
system:controller:job-controller ClusterRole/system:controller:job-controller 46m kube-system/job-controller
system:controller:namespace-controller ClusterRole/system:controller:namespace-controller 46m kube-system/namespace-controller
system:controller:node-controller ClusterRole/system:controller:node-controller 46m kube-system/node-controller
system:controller:persistent-volume-binder ClusterRole/system:controller:persistent-volume-binder 46m kube-system/persistent-volume-binder
system:controller:pod-garbage-collector ClusterRole/system:controller:pod-garbage-collector 46m kube-system/pod-garbage-collector
system:controller:pv-protection-controller ClusterRole/system:controller:pv-protection-controller 46m kube-system/pv-protection-controller
system:controller:pvc-protection-controller ClusterRole/system:controller:pvc-protection-controller 46m kube-system/pvc-protection-controller
system:controller:replicaset-controller ClusterRole/system:controller:replicaset-controller 46m kube-system/replicaset-controller
system:controller:replication-controller ClusterRole/system:controller:replication-controller 46m kube-system/replication-controller
system:controller:resourcequota-controller ClusterRole/system:controller:resourcequota-controller 46m kube-system/resourcequota-controller
system:controller:root-ca-cert-publisher ClusterRole/system:controller:root-ca-cert-publisher 46m kube-system/root-ca-cert-publisher
system:controller:route-controller ClusterRole/system:controller:route-controller 46m kube-system/route-controller
system:controller:service-account-controller ClusterRole/system:controller:service-account-controller 46m kube-system/service-account-controller
system:controller:service-controller ClusterRole/system:controller:service-controller 46m kube-system/service-controller
system:controller:statefulset-controller ClusterRole/system:controller:statefulset-controller 46m kube-system/statefulset-controller
system:controller:ttl-after-finished-controller ClusterRole/system:controller:ttl-after-finished-controller 46m kube-system/ttl-after-finished-controller
system:controller:ttl-controller ClusterRole/system:controller:ttl-controller 46m kube-system/ttl-controller
system:discovery ClusterRole/system:discovery 46m system:authenticated
system:kube-controller-manager ClusterRole/system:kube-controller-manager 46m system:kube-controller-manager
system:kube-dns ClusterRole/system:kube-dns 46m kube-system/kube-dns
system:kube-scheduler ClusterRole/system:kube-scheduler 46m system:kube-scheduler
system:monitoring ClusterRole/system:monitoring 46m system:monitoring
system:node ClusterRole/system:node 46m
system:node-proxier ClusterRole/system:node-proxier 46m system:kube-proxy
system:public-info-viewer ClusterRole/system:public-info-viewer 46m system:authenticated, system:unauthenticated
system:service-account-issuer-discovery ClusterRole/system:service-account-issuer-discovery 46m system:serviceaccounts
system:volume-scheduler ClusterRole/system:volume-scheduler 46m system:kube-scheduler
6、api-resources
[root@master1 install]# kubectl api-resources
NAME SHORTNAMES APIVERSION NAMESPACED KIND
bindings v1 true Binding
componentstatuses cs v1 false ComponentStatus
configmaps cm v1 true ConfigMap
endpoints ep v1 true Endpoints
events ev v1 true Event
limitranges limits v1 true LimitRange
namespaces ns v1 false Namespace
nodes no v1 false Node
persistentvolumeclaims pvc v1 true PersistentVolumeClaim
persistentvolumes pv v1 false PersistentVolume
pods po v1 true Pod
podtemplates v1 true PodTemplate
replicationcontrollers rc v1 true ReplicationController
resourcequotas quota v1 true ResourceQuota
secrets v1 true Secret
serviceaccounts sa v1 true ServiceAccount
services svc v1 true Service
mutatingwebhookconfigurations admissionregistration.k8s.io/v1 false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io/v1 false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io/v1 false CustomResourceDefinition
apiservices apiregistration.k8s.io/v1 false APIService
controllerrevisions apps/v1 true ControllerRevision
daemonsets ds apps/v1 true DaemonSet
deployments deploy apps/v1 true Deployment
replicasets rs apps/v1 true ReplicaSet
statefulsets sts apps/v1 true StatefulSet
tokenreviews authentication.k8s.io/v1 false TokenReview
localsubjectaccessreviews authorization.k8s.io/v1 true LocalSubjectAccessReview
selfsubjectaccessreviews authorization.k8s.io/v1 false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io/v1 false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io/v1 false SubjectAccessReview
horizontalpodautoscalers hpa autoscaling/v2 true HorizontalPodAutoscaler
cronjobs cj batch/v1 true CronJob
jobs batch/v1 true Job
certificatesigningrequests csr certificates.k8s.io/v1 false CertificateSigningRequest
leases coordination.k8s.io/v1 true Lease
endpointslices discovery.k8s.io/v1 true EndpointSlice
events ev events.k8s.io/v1 true Event
flowschemas flowcontrol.apiserver.k8s.io/v1beta2 false FlowSchema
prioritylevelconfigurations flowcontrol.apiserver.k8s.io/v1beta2 false PriorityLevelConfiguration
storageversions internal.apiserver.k8s.io/v1alpha1 false StorageVersion
ingressclasses networking.k8s.io/v1 false IngressClass
ingresses ing networking.k8s.io/v1 true Ingress
networkpolicies netpol networking.k8s.io/v1 true NetworkPolicy
runtimeclasses node.k8s.io/v1 false RuntimeClass
poddisruptionbudgets pdb policy/v1 true PodDisruptionBudget
podsecuritypolicies psp policy/v1beta1 false PodSecurityPolicy
clusterrolebindings rbac.authorization.k8s.io/v1 false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io/v1 false ClusterRole
rolebindings rbac.authorization.k8s.io/v1 true RoleBinding
roles rbac.authorization.k8s.io/v1 true Role
priorityclasses pc scheduling.k8s.io/v1 false PriorityClass
csidrivers storage.k8s.io/v1 false CSIDriver
csinodes storage.k8s.io/v1 false CSINode
csistoragecapacities storage.k8s.io/v1beta1 true CSIStorageCapacity
storageclasses sc storage.k8s.io/v1 false StorageClass
volumeattachments storage.k8s.io/v1 false VolumeAttachment
参考
- 先用起来,通过操作实践认识kubernetes(k8s),积累多了自然就理解了
- 把理解的知识分享出来,自造福田,自得福缘
- 追求简单,容易使人理解,知识的上下文也是知识的一部分,例如版本,时间等
- 欢迎留言交流,也可以提出问题,一般在周末回复和完善文档
- Jason@vip.qq.com 2022-4-9