下载文件
下载地址:kubernetes.io/zh-cn/relea…
下载后先用官方发布的 SHA-256 校验值核对二进制文件(例如用 sha256sum 计算后比对),确认一致后再安装。
将二进制文件复制到 /usr/local/bin 目录下
sudo cp kube-controller-manager /usr/local/bin/
赋予执行权限
sudo chmod +x /usr/local/bin/kube-controller-manager
签发 kube-controller-manager 证书
在 cfssl 的签发配置 config.json 中新增 kube-controller-manager profile(该 profile 没有 ca_constraint,签出的是普通的服务端/客户端证书,不能当作 CA 证书使用)
cat config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"digital signature",
"key encipherment",
"cert sign",
"crl sign"
],
"expiry": "43800h",
"ca_constraint": {
"is_ca": true,
"max_path_len": 0
}
},
"etcd": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
},
"kube-apiserver": {
"usages": [
"digital signature",
"key encipherment",
"server auth"
],
"expiry": "8760h"
},
"kube-controller-manager": {
"usages": [
"digital signature",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
创建证书请求文件 kube-controller-manager-csr.json
cat kube-controller-manager-csr.json
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Guangdong",
"L": "Guangzhou",
"O": "system:kube-controller-manager",
"OU": "Technology"
}
]
}
签发证书(CSR 中没有设置 hosts,所以下面输出里的 WARNING 属于预期:该证书用于 kubeconfig 中的客户端身份认证;由于没有 SAN,它不适合作为服务端证书)
cfssl gencert -ca=kubernetes-ca.pem -ca-key=kubernetes-ca-key.pem -config=config.json -profile=kube-controller-manager kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
2024/11/27 23:35:12 [INFO] generate received request
2024/11/27 23:35:12 [INFO] received CSR
2024/11/27 23:35:12 [INFO] generating key: rsa-2048
2024/11/27 23:35:12 [INFO] encoded CSR
2024/11/27 23:35:12 [INFO] signed certificate with serial number 204110259641379798009299667947650411027522667012
2024/11/27 23:35:12 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
ls kube-controller-manager*
kube-controller-manager.csr kube-controller-manager-csr.json kube-controller-manager-key.pem kube-controller-manager.pem
安装 kubectl
下载地址:kubernetes.io/zh-cn/relea…
同样先用官方发布的 SHA-256 校验值核对 kubectl 二进制文件,确认一致后再安装。
将二进制文件复制到 /usr/local/bin 目录下
sudo cp kubectl /usr/local/bin/
赋予执行权限
sudo chmod +x /usr/local/bin/kubectl
生成 kubeconfig 文件
创建 kubeconfig 文件
kubectl config set-cluster kubernetes --certificate-authority=/home/we8/k8s/cfssl/kubernetes-chain.pem --embed-certs=true --server=https://10.0.30.47:6443 --kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager
Cluster "kubernetes" set.
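设置凭证(--embed-certs=true 会把客户端证书和私钥以 base64 形式内嵌到 kubeconfig 中,只是编码而不是加密,因此该 kubeconfig 文件需要与私钥同等保护,例如把权限设为 600 并限制属主)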
kubectl config set-credentials system:kube-controller-manager --client-certificate=/home/we8/k8s/cfssl/kube-controller-manager.pem --client-key=/home/we8/k8s/cfssl/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager
User "system:kube-controller-manager" set.
设置上下文
kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager
Context "system:kube-controller-manager@kubernetes" created.
切换上下文
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager
Switched to context "system:kube-controller-manager@kubernetes"
启动 kube-controller-manager
创建 systemd 配置文件
cat /etc/systemd/system/kube-controller-manager.service
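[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
# No User= is set, so the process runs as root while reading its kubeconfig and
# key material from /home/we8. Keep those files owned by root and unreadable by
# other users; a root-owned directory outside a user's home is preferable.
#
# --cluster-signing-cert-file / --cluster-signing-key-file must be a CA pair:
# the controller manager uses them to issue certificates for approved CSRs.
# The kube-controller-manager.pem leaf comes from a cfssl profile without
# ca_constraint, so certificates signed with it would not chain to the cluster
# CA. The flags below therefore point at the CA used in the cfssl gencert step
# (kubernetes-ca.pem / kubernetes-ca-key.pem); the directory is assumed to be
# /home/we8/k8s/cfssl like the other files - confirm before use.
#
# NOTE(review): --service-account-private-key-file points at root-ca-key.pem.
# That keeps the root CA private key on a control-plane node and reuses it for
# token signing. A dedicated service-account key pair is preferable, but it must
# match the public key given to kube-apiserver via --service-account-key-file
# (not shown on this page), so it is left unchanged here.
#
# NOTE(review): --bind-address=0.0.0.0 exposes the secure serving port on every
# interface; bind to the node's internal address if it is only reached from
# inside the cluster network.
ExecStart=/usr/local/bin/kube-controller-manager \
--allocate-node-cidrs=true \
--authentication-kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager \
--authorization-kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager \
--bind-address=0.0.0.0 \
--client-ca-file=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--cluster-cidr=10.244.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/home/we8/k8s/cfssl/kubernetes-ca.pem \
--cluster-signing-key-file=/home/we8/k8s/cfssl/kubernetes-ca-key.pem \
--kubeconfig=/home/we8/k8s/kubeconfig/kube-controller-manager \
--leader-elect=true \
--node-cidr-mask-size=24 \
--root-ca-file=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--service-account-private-key-file=/home/we8/k8s/cfssl/root-ca-key.pem \
--service-cluster-ip-range=10.96.0.0/12 \
--requestheader-client-ca-file=/home/we8/k8s/cfssl/kubernetes-chain.pem \
--v=2
# Restart after a crash, waiting 5 seconds between attempts.
Restart=on-failure
RestartSec=5
# Raise the open-file limit for the service process.
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target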
# Reload unit files so systemd picks up the new kube-controller-manager.service.
sudo systemctl daemon-reload
# Have the service start automatically at boot.
sudo systemctl enable kube-controller-manager.service
# Start the service now.
sudo systemctl start kube-controller-manager.service
# Show the unit state and its most recent log lines; "active (running)" alone
# does not rule out errors being logged.
sudo systemctl status kube-controller-manager.service
即使 status 显示 kube-controller-manager 已启动成功,也要查看 systemd 日志(例如 journalctl -u kube-controller-manager.service)确认没有报错;如有报错,需逐一排查解决。