下载二进制文件
下载地址:kubernetes.io/zh-cn/releases/(官方发布页,按版本提供各操作系统/架构的二进制)。下载后先核对官方随二进制一同发布的 sha512 校验值,再进行安装。
下载对应操作系统的 kube-apiserver 到服务器上
将 kube-apiserver 复制到 /usr/local/bin 目录下
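# Verify the download before installing it: the Kubernetes release site
# publishes a .sha512 file next to each binary (download URL + ".sha512",
# containing only the hex digest). sha512sum prints FAILED and exits
# non-zero on a mismatch -- stop there, do not copy the binary.
printf '%s  kube-apiserver\n' "$(<kube-apiserver.sha512)" | sha512sum --check
# cp keeps the file non-executable (the listing below shows -rw-r--r--);
# the exec bit is added in the next step.
sudo cp kube-apiserver /usr/local/bin/
ll /usr/local/bin/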
total 114332
drwxr-xr-x 2 root root 4096 Nov 26 23:42 ./
drwxr-xr-x 11 root root 4096 Apr 28 2024 ../
-rwxr-xr-x 1 root root 11890840 Nov 15 00:07 cfssl*
-rwxr-xr-x 1 root root 8413336 Nov 15 00:07 cfssl-certinfo*
-rwxr-xr-x 1 root root 6205592 Nov 15 00:07 cfssljson*
-rw-r--r-- 1 root root 90542232 Nov 26 23:42 kube-apiserver
kube-apiserver 没有执行权限,给它赋予执行权限
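# Set the mode explicitly instead of "+x": with no who-letter, chmod skips
# bits present in the umask, so the result varies per session. 0755 also
# guarantees the binary -- which systemd will run as root -- is not
# group- or world-writable.
sudo chmod 0755 /usr/local/bin/kube-apiserver
ll /usr/local/bin/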
total 114332
drwxr-xr-x 2 root root 4096 Nov 26 23:42 ./
drwxr-xr-x 11 root root 4096 Apr 28 2024 ../
-rwxr-xr-x 1 root root 11890840 Nov 15 00:07 cfssl*
-rwxr-xr-x 1 root root 8413336 Nov 15 00:07 cfssl-certinfo*
-rwxr-xr-x 1 root root 6205592 Nov 15 00:07 cfssljson*
-rwxr-xr-x 1 root root 90542232 Nov 26 23:42 kube-apiserver*
签发 kube-apiserver 证书
添加 kube-apiserver 证书生成配置
# config.json: the cfssl signing profiles used on this page.
#  - "kubernetes": cert sign / crl sign with is_ca=true, 43800h (5y) --
#    presumably the profile the intermediate CA (kubernetes-ca.pem) was
#    issued under.
#    NOTE(review): cfssl only encodes a zero pathLen constraint when
#    "max_path_len_zero": true is set as well; with just "max_path_len": 0
#    the intermediate likely carries no path-length limit at all. Verify
#    with `cfssl certinfo -cert kubernetes-ca.pem`.
#  - "etcd": server auth + client auth, 8760h (1y).
#  - "kube-apiserver": server auth only, 8760h (1y) -- the certificate
#    issued below is for serving TLS; the apiserver's outbound client
#    identities (etcd, kubelet) use separate certificates.
#  - Every leaf certificate expires after one year; schedule rotation.
cat config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign"
],
"expiry": "43800h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0
}
},
"etcd": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-apiserver": {
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
}
}
}
}
创建 kube-apiserver 证书请求文件
# kube-apiserver-csr.json: subject and SANs for the serving certificate.
# cfssl generates a fresh RSA-2048 key during gencert (see the
# "generating key" log line below); this file only supplies CN/names/hosts.
# "hosts" becomes the SAN list and must contain every address a client may
# dial: loopback, the advertise address 10.0.30.47, the other 10.0.30.x
# addresses (the etcd members per the unit file -- presumably also
# apiserver nodes), 172.16.0.1 (first IP of --service-cluster-ip-range
# 172.16.0.0/16, i.e. the in-cluster "kubernetes" service) and the cluster
# DNS names. Any address missing here, e.g. a load-balancer VIP in front of
# the apiservers, fails TLS verification. O/OU are informational for a
# server certificate; they only carry RBAC meaning on client certificates.
cat kube-apiserver-csr.json
{
"CN": "kube-apiserver",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Guangdong",
"L": "Guangzhou",
"O": "Chillcy",
"OU": "Technology"
}
],
"hosts": [
"127.0.0.1",
"localhost",
"10.0.30.47",
"10.0.30.26",
"10.0.30.31",
"10.0.30.10",
"172.16.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster.local"
]
}
使用 kubernetes 中间证书签发 kube-apiserver 终端证书
# Issue the serving certificate from the kubernetes intermediate CA.
# cfssl prints one JSON document; cfssljson -bare splits it into
# kube-apiserver.pem, kube-apiserver-key.pem and kube-apiserver.csr.
# The intermediate's private key is read here, so run this only where
# that key is meant to live.
cfssl gencert \
  -config=config.json -profile=kube-apiserver \
  -ca=kubernetes-ca.pem -ca-key=kubernetes-ca-key.pem \
  kube-apiserver-csr.json \
  | cfssljson -bare kube-apiserver
2024/11/26 23:06:56 [INFO] generate received request
2024/11/26 23:06:56 [INFO] received CSR
2024/11/26 23:06:56 [INFO] generating key: rsa-2048
2024/11/26 23:06:57 [INFO] encoded CSR
2024/11/26 23:06:57 [INFO] signed certificate with serial number 226925649340808363862318326236759599201312496917
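ls kube-apiserver*
# The private key must not be group- or world-readable. cfssljson is
# expected to write it 0600 -- confirm rather than assume, before the unit
# file references it.
stat -c '%a %U %n' kube-apiserver-key.pem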
kube-apiserver.csr kube-apiserver-csr.json kube-apiserver-key.pem kube-apiserver.pem
信任 ETCD 证书
将 etcd 证书复制到 /usr/local/share/ca-certificates 目录下,并且 .pem 后缀改为 .crt,然后更新系统信任证书。注意:kube-apiserver 访问 etcd 时使用 --etcd-cafile 指定的 CA 做校验,并不读取系统信任库;etcd.pem 同时也是 --etcd-certfile 所用的终端证书而非 CA,一般不应放入 ca-certificates 目录。请先确认这一步确实有必要。
# NOTE(review): kube-apiserver verifies etcd against --etcd-cafile (the unit
# file below passes kubernetes-chain.pem) and does not consult the system
# trust store, so this step is not what secures the etcd connection.
# etcd.pem is also the file passed as --etcd-certfile, i.e. an end-entity
# certificate rather than a CA, and the ca-certificates directory is meant
# for CA certificates only. Confirm this step is needed before keeping it.
sudo cp etcd.pem /usr/local/share/ca-certificates/
# update-ca-certificates only picks up files named *.crt (PEM contents).
# Note the shell stays in /usr/local/share/ca-certificates afterwards.
cd /usr/local/share/ca-certificates && sudo mv etcd.pem etcd.crt
sudo update-ca-certificates
创建 kube-apiserver systemd 配置文件
# Show the unit systemd uses to run kube-apiserver; its contents follow.
cat /etc/systemd/system/kube-apiserver.service
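[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
# network-online.target (pulled in via Wants=) waits until an address is
# configured; plain network.target can be reached before the node has an
# IP, and --advertise-address would then fail to bind on a restart.
Wants=network-online.target
After=network-online.target

[Service]
# Review notes on the flags below (paths are the certs issued on this page):
# - --bind-address=0.0.0.0 exposes port 6443 on every interface; restrict
#   it with a firewall, or bind to the advertise address only.
# - --client-ca-file=kubernetes-chain.pem: every certificate issued under
#   that chain with a client-auth usage is accepted as an API identity
#   (CN = user, O = groups). Keep that chain's issuance tightly controlled.
# - --service-account-key-file / --service-account-signing-key-file reuse
#   the TLS serving key pair (same files as --tls-cert-file /
#   --tls-private-key-file). Use a dedicated key pair for token signing:
#   rotating the 1-year serving certificate would otherwise invalidate every
#   issued service-account token, and a compromise of one key exposes both.
# - --audit-log-path alone records nothing: kube-apiserver also needs
#   --audit-policy-file=<policy.yaml>, otherwise it logs that no events will
#   be recorded. The maxage/maxbackup/maxsize flags bound the log on disk
#   once a policy is in place.
# - --enable-admission-plugins=NodeRestriction is added (default plugins
#   stay enabled): the Node authorizer only scopes what a kubelet may read,
#   the admission plugin stops it from modifying other nodes' objects.
# - Without --kubelet-certificate-authority the apiserver does not verify
#   the kubelet's serving certificate on exec/logs/port-forward.
#   NOTE(review): if kubelet serving certs chain to kubernetes-chain.pem,
#   add --kubelet-certificate-authority=/home/we8/k8s/cfssl/kubernetes-chain.pem
# - --kubelet-client-certificate is kubelet.pem. NOTE(review): confirm this
#   is a client certificate intended for the apiserver, not the kubelet's own.
# - --allow-privileged=true lets any principal allowed to create pods
#   request a privileged one; pair it with RBAC limits / Pod Security
#   admission.
ExecStart=/usr/local/bin/kube-apiserver \
--advertise-address=10.0.30.47 \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--etcd-servers=https://10.0.30.26:2379,https://10.0.30.31:2379,https://10.0.30.10:2379 \
--etcd-certfile=/home/we8/k8s/cfssl/etcd.pem \
--etcd-keyfile=/home/we8/k8s/cfssl/etcd-key.pem \
--etcd-cafile=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--tls-cert-file=/home/we8/k8s/cfssl/kube-apiserver.pem \
--tls-private-key-file=/home/we8/k8s/cfssl/kube-apiserver-key.pem \
--client-ca-file=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--service-account-key-file=/home/we8/k8s/cfssl/kube-apiserver.pem \
--service-account-signing-key-file=/home/we8/k8s/cfssl/kube-apiserver-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--service-cluster-ip-range=172.16.0.0/16 \
--service-node-port-range=30000-32767 \
--authorization-mode=Node,RBAC \
--enable-admission-plugins=NodeRestriction \
--audit-log-path=/var/log/kubernetes/audit.log \
--audit-log-maxage=30 \
--audit-log-maxbackup=10 \
--audit-log-maxsize=100 \
--allow-privileged=true \
--kubelet-client-certificate=/home/we8/k8s/cfssl/kubelet.pem \
--kubelet-client-key=/home/we8/k8s/cfssl/kubelet-key.pem \
--v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target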
启动 kube-apiserver
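sudo systemctl daemon-reload
# enable --now enables the unit at boot and starts it in one call.
sudo systemctl enable --now kube-apiserver.service
sudo systemctl status --no-pager kube-apiserver.service
# Health check over TLS that actually verifies the serving certificate:
# kubernetes-chain.pem is the CA bundle the unit already trusts and
# presumably contains the intermediate that signed kube-apiserver.pem, and
# 127.0.0.1 is in the cert's SANs. Do not use curl -k here -- it would
# hide a wrong chain or missing SAN. /healthz is readable by anonymous
# clients by default (system:unauthenticated); expect "ok".
curl --cacert /home/we8/k8s/cfssl/kubernetes-chain.pem https://127.0.0.1:6443/healthz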