dream_653
Author: dream_653 · 2019-09-21 19:20
System application operations · *****

Kubernetes deployment: controller-manager (Part 5)


The controller-manager component

Create the configuration file

vim /opt/kubernetes/cfg/kube-controller-manager # create the configuration file

KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
  
vim /usr/lib/systemd/system/kube-controller-manager.service # create the service unit file
[Unit]  
Description=Kubernetes Controller Manager  
Documentation=https://github.com/kubernetes/kubernetes  
  
[Service]  
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager  
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS  
Restart=on-failure  
  
[Install]  
WantedBy=multi-user.target  
  
systemctl daemon-reload  
systemctl enable kube-controller-manager  
systemctl restart kube-controller-manager  

Verify

/opt/kubernetes/bin/kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-0               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
etcd-2               Healthy   {"health":"true"}
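
The options file created above points both --cluster-signing-key-file and --service-account-private-key-file at the same ca-key.pem, and reaches the apiserver through --master=127.0.0.1:8080, the plaintext port that performs no authentication. The script below is an added example, not part of the original article, that flags these settings and loose key-file permissions; the function names and finding labels are invented for it.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit the options file above.
# Function names and finding labels are invented for this illustration.

# Print the value of --<name>=... found in an options file (empty if absent).
get_flag() {
    sed -n "s/.*--$2=\([^ \"\\\\]*\).*/\1/p" "$1" | tail -n 1
}

# Print a space-separated list of findings for the options file in $1.
audit_kcm_opts() {
    local file="$1" findings="" key mode sa_key signing_key master
    sa_key=$(get_flag "$file" service-account-private-key-file)
    signing_key=$(get_flag "$file" cluster-signing-key-file)
    master=$(get_flag "$file" master)

    # One private key signs both kubelet certificates and service account tokens.
    if [ -n "$sa_key" ] && [ "$sa_key" = "$signing_key" ]; then
        findings="$findings CA_KEY_SIGNS_SA_TOKENS"
    fi
    # --master without https:// targets the apiserver's plaintext port.
    case "$master" in
        "" | https://*) ;;
        *) findings="$findings PLAINTEXT_MASTER" ;;
    esac
    # Private key files should carry no group/other permission bits.
    for key in "$signing_key" "$sa_key"; do
        if [ -f "$key" ]; then
            mode=$(ls -ld "$key" | cut -c5-10)
            case "$mode:$findings " in
                ------:* | *" LOOSE_KEY_MODE:$key "*) ;;
                *) findings="$findings LOOSE_KEY_MODE:$key" ;;
            esac
        fi
    done
    echo "${findings# }"
}

# Constructed sample: the relevant flags from the options file on this page.
sample_opts() {
    cat <<'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--master=127.0.0.1:8080 \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
EOF
}
# Audit the file given as $1 when run directly.
if [ "$#" -gt 0 ]; then audit_kcm_opts "$1"; fi
```

Run it as `./audit.sh /opt/kubernetes/cfg/kube-controller-manager` (the script name is arbitrary); an empty line means none of the three conditions was found.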

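Notes
Once TLS authentication is enabled on the master apiserver, the kubelet on each Node must use a valid certificate issued by the CA to communicate with the apiserver before it can join the cluster. When there are many Nodes, signing certificates by hand becomes tedious, which is why the TLS Bootstrapping mechanism exists: the kubelet automatically requests a certificate from the apiserver as a low-privileged user, and the kubelet's certificate is signed dynamically by the apiserver.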

Operations on the master

vim /etc/profile  
export PATH=/opt/kubernetes/bin:$PATH  
source /etc/profile  
  
Bind the kubelet-bootstrap user to the system cluster role
/opt/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
  
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created  
  
  
cd /data/ssl/k8s/  
  
Create the kubeconfig files
Run the following commands in the directory where the Kubernetes certificates were generated to create the kubeconfig files:

vim kubeconfig.sh
# Create the kubelet bootstrapping kubeconfig
# Remember to update the password and IP
BOOTSTRAP_TOKEN=a94c6c11f24690b71065cb73647f2702 # the token was generated earlier; check the token file for the exact value
KUBE_APISERVER="https://10.167.130.205:6443"

# Set the cluster parameters
kubectl config set-cluster kubernetes \
--certificate-authority=./ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig

# Set the client authentication parameters
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig

# Set the context parameters
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------

# Create the kube-proxy kubeconfig file

kubectl config set-cluster kubernetes \
--certificate-authority=./ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
--client-certificate=./kube-proxy.pem \
--client-key=./kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
#------------------------------------------------
  
[root@node k8s]# pwd  
/data/ssl/k8s  
[root@node k8s]# ./kubeconfig.sh   
  
  
ls bootstrap.kubeconfig kube-proxy.kubeconfig  
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node01:/opt/kubernetes/cfg/  
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node02:/opt/kubernetes/cfg/  
  
cd /data/src/kubernetes/server/bin  
  
scp kubelet kube-proxy root@node01:/opt/kubernetes/bin/  
scp kubelet kube-proxy root@node02:/opt/kubernetes/bin/  
