vim /opt/kubernetes/cfg/kube-controller-manager #新建配置文件
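# Options for kube-controller-manager; the systemd unit loads this file through
# EnvironmentFile and passes the value to the binary.
#
# Each line of the value ends in a single backslash so the flags join into one
# whitespace-separated string. A doubled backslash would leave a literal "\"
# in the value, and it would reach the binary as a stray argument.
#
# NOTE(review): --master=127.0.0.1:8080 has no https:// scheme and looks like the
#   apiserver's local unauthenticated HTTP port. Confirm that port is bound to
#   loopback only; newer Kubernetes releases removed it in favour of the TLS
#   port plus a kubeconfig.
# NOTE(review): --cluster-signing-key-file is the cluster CA private key. Keep
#   ca-key.pem readable by root only.
# NOTE(review): --service-account-private-key-file points at the same ca-key.pem,
#   so one key both signs service-account tokens and issues certificates. A
#   dedicated key pair would limit the impact of a leak. Whichever key is used
#   has to pair with the apiserver's --service-account-key-file.
# NOTE(review): --v=4 is verbose; lower it once the cluster is running.
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"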
vim /usr/lib/systemd/system/kube-controller-manager.service #新建服务文件
# systemd unit that starts kube-controller-manager with the flags taken from
# the environment file referenced below.
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
# The leading "-" makes systemd ignore a missing file. In that case
# $KUBE_CONTROLLER_MANAGER_OPTS is empty and the binary starts without any of
# the flags above, so check that the file exists before enabling the unit.
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
# The variable is unquoted, so systemd splits its value on whitespace into
# separate arguments. No User= is set, so the process runs as root.
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
# Restart only after an unclean exit.
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
/opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
说明
Master apiserver启用TLS认证后,Node节点的kubelet组件想要加入集群,必须使用CA签发的有效证书才能与apiserver通信。当Node节点很多时,手工签署证书非常繁琐,因此有了TLS Bootstrapping机制:kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书经apiserver动态签署(签发所用的CA即上文 controller-manager 的 --cluster-signing-cert-file / --cluster-signing-key-file 所指定的证书和私钥)。
vim /etc/profile
export PATH=/opt/kubernetes/bin:$PATH
source /etc/profile
将kubelet-bootstrap用户绑定到系统集群角色
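# Bind the kubelet-bootstrap user to the built-in system:node-bootstrapper
# ClusterRole so a kubelet that authenticates with the bootstrap token can
# submit certificate signing requests. The binding is by user name, so anyone
# holding that user's token gets the same right; keep the token secret.
/opt/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap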
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
cd /data/ssl/k8s/
创建kubeconfig文件
在生成kubernetes证书的目录下执行以下命令生成kubeconfig文件:
vim kubeconfig.sh
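#!/usr/bin/env bash
# kubeconfig.sh - build the two kubeconfig files the worker nodes need:
#   bootstrap.kubeconfig   token credential the kubelet uses for TLS bootstrapping
#   kube-proxy.kubeconfig  client-certificate credential for kube-proxy
# Run it from the directory holding ca.pem, kube-proxy.pem and
# kube-proxy-key.pem. Both output files are written to the current directory.
#
# Stop at the first failed kubectl call instead of leaving a half-built file.
set -euo pipefail

# Both outputs embed credentials (a bearer token and a private key), so make
# sure nothing this script creates is group- or world-readable.
umask 077

# The bootstrap token must match the entry in the apiserver's token file.
# The default is the sample value from this walkthrough, which has been
# published. Generate your own and pass it in through the environment rather
# than editing a secret into the script.
BOOTSTRAP_TOKEN="${BOOTSTRAP_TOKEN:-a94c6c11f24690b71065cb73647f2702}"
# TLS endpoint of the apiserver; change it to your master's address.
KUBE_APISERVER="${KUBE_APISERVER:-https://10.167.130.205:6443}"

#----------------------
# kubelet bootstrapping kubeconfig

# Cluster entry: embed the CA certificate so the kubelet can verify the apiserver.
kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig

# Client credential: the bootstrap token.
# NOTE(review): --token places the value on kubectl's command line, where other
# local users can see it in the process list while the command runs.
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig

# Context tying the cluster entry to the kubelet-bootstrap user.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Make that context the default one.
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------
# kube-proxy kubeconfig

kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig

# --embed-certs=true copies kube-proxy's certificate AND private key into the
# kubeconfig, so the resulting file is as sensitive as kube-proxy-key.pem.
kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
#------------------------------------------------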
[root@node k8s]# pwd
/data/ssl/k8s
[root@node k8s]# ./kubeconfig.sh
ls bootstrap.kubeconfig kube-proxy.kubeconfig
# Distribute the generated kubeconfig files to the worker nodes.
# Both files carry credentials: the bootstrap token, and the kube-proxy client
# key embedded via --embed-certs=true. After copying, check that they are
# root-owned and not world-readable under /opt/kubernetes/cfg/ on each node.
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node01:/opt/kubernetes/cfg/
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node02:/opt/kubernetes/cfg/
cd /data/src/kubernetes/server/bin
# Copy the node binaries.
# NOTE(review): no integrity check is shown here. Compare the checksums of
# kubelet and kube-proxy against the release artifacts before starting them.
scp kubelet kube-proxy root@node01:/opt/kubernetes/bin/
scp kubelet kube-proxy root@node02:/opt/kubernetes/bin/