All of the following steps are performed on each of the 3 servers.
1. Create the certificate
mkdir -p /etc/ssl/kube-scheduler
cat > /etc/ssl/kube-scheduler/kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "127.0.0.1",
    "192.168.1.40",
    "192.168.1.41",
    "192.168.1.42"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "system:kube-scheduler",
      "OU": "dessler"
    }
  ]
}
EOF
cd /etc/ssl/kube-scheduler
cfssl gencert -ca=/etc/ssl/ca.pem \
  -ca-key=/etc/ssl/ca-key.pem \
  -config=/etc/ssl/ca-config.json \
  -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
ls
kube-scheduler.csr kube-scheduler-csr.json kube-scheduler-key.pem kube-scheduler.pem
- Notes:
  - The hosts list contains the IPs of all kube-scheduler nodes.
  - CN is system:kube-scheduler and O is system:kube-scheduler; the ClusterRoleBinding system:kube-scheduler built into Kubernetes grants kube-scheduler the permissions it needs to do its work.
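As an added check that is not part of the original tutorial: a small stdlib-only Python lint for the cfssl CSR request above. kube-apiserver takes the user name from the certificate CN and the groups from its O fields, so any other value there makes the signed certificate match different RBAC bindings than the built-in system:kube-scheduler one; the expected identity and host list are taken from this page's values, and the function name is my own.

```python
import json

# Constructed copy of the CSR request shown above, using this page's scheduler node IPs.
SCHEDULER_CSR = json.loads("""
{
  "CN": "system:kube-scheduler",
  "hosts": ["127.0.0.1", "192.168.1.40", "192.168.1.41", "192.168.1.42"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "ChengDu", "L": "ChengDu",
             "O": "system:kube-scheduler", "OU": "dessler"}]
}
""")

# Identity the built-in ClusterRoleBinding system:kube-scheduler is bound to.
EXPECTED_IDENTITY = "system:kube-scheduler"
# The three scheduler hosts from this tutorial plus loopback.
SCHEDULER_HOSTS = ["127.0.0.1", "192.168.1.40", "192.168.1.41", "192.168.1.42"]


def lint_scheduler_csr(csr, expected_hosts=SCHEDULER_HOSTS):
    """Return a list of findings for a cfssl CSR request; [] means it is as intended.

    CN becomes the Kubernetes user name and each O becomes a group, so a CN or O
    other than system:kube-scheduler would bind the certificate to other roles.
    """
    findings = []
    if csr.get("CN") != EXPECTED_IDENTITY:
        findings.append(f"CN is {csr.get('CN')!r}, expected {EXPECTED_IDENTITY!r}")
    orgs = sorted({name.get("O") for name in csr.get("names", [])}, key=str)
    if orgs != [EXPECTED_IDENTITY]:
        findings.append(f"O is {orgs}, expected only {EXPECTED_IDENTITY!r}")
    hosts, expected = set(csr.get("hosts", [])), set(expected_hosts)
    if hosts - expected:
        # SANs beyond the scheduler nodes widen where this identity can be presented from
        findings.append(f"unexpected SAN hosts: {sorted(hosts - expected)}")
    if expected - hosts:
        findings.append(f"missing scheduler node IPs: {sorted(expected - hosts)}")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append(f"RSA key size {key.get('size')} is below 2048")
    return findings


if __name__ == "__main__":
    print(lint_scheduler_csr(SCHEDULER_CSR) or "CSR request is as intended")
```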
2. Create the kubeconfig file
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.1.43:8443 \
  --kubeconfig=kube-scheduler.kubeconfig
Cluster "kubernetes" set.

kubectl config set-credentials system:kube-scheduler \
  --client-certificate=/etc/ssl/kube-scheduler/kube-scheduler.pem \
  --client-key=/etc/ssl/kube-scheduler/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-scheduler.kubeconfig
User "system:kube-scheduler" set.

kubectl config set-context system:kube-scheduler \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=kube-scheduler.kubeconfig
Context "system:kube-scheduler" created.

kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
Switched to context "system:kube-scheduler".
3. Distribute the configuration file, certificates and binaries
4. Configure the kube-scheduler service
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \\
--address=127.0.0.1 \\
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \\
--leader-elect=true \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/var/log/kubernetes \\
--v=2
Restart=on-failure
RestartSec=5
#User=k8s
[Install]
WantedBy=multi-user.target
EOF
- Notes:
  - --address: listens for http /metrics requests on 127.0.0.1:10251; kube-scheduler does not yet support https.
  - --kubeconfig: path of the kubeconfig file kube-scheduler uses to connect to and authenticate against kube-apiserver.
  - --leader-elect=true: cluster mode with leader election enabled; the node elected leader does the work while the other nodes stay blocked.
  - User=k8s: run as the k8s account (left commented out in the unit above).
5. Start the service
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
systemctl status kube-scheduler
6. Check the service
curl -s http://127.0.0.1:10251/metrics |head
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="21600"} 0
kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  annotations:
    control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99","leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z","renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
  creationTimestamp: "2019-01-30T08:32:08Z"
  name: kube-scheduler
  namespace: kube-system
  resourceVersion: "1737721"
  selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
  uid: 87dbdef5-2469-11e9-a032-525400c6cc24
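The leader annotation in the Endpoints object above is the only place this step shows which scheduler is active. As an added example that is not part of the original post, the following stdlib-only Python reads that annotation and reports the holder, whether the lease has gone stale, and how often leadership has changed; the function names and the optional list of expected holder hostnames are my own assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed copy of the leader annotation from the kubectl output above.
LEADER_ANNOTATION = (
    '{"holderIdentity":"host22_11b7b315-2f42-11e9-b608-525400a73b99",'
    '"leaseDurationSeconds":15,"acquireTime":"2019-02-13T05:39:32Z",'
    '"renewTime":"2019-02-14T06:30:41Z","leaderTransitions":5}'
)


def parse_k8s_time(value):
    """Kubernetes writes these timestamps as RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lease_status(annotation, now_rfc3339, expected_holders=None):
    """Summarise the kube-scheduler leader lease as seen at `now_rfc3339`.

    `expected_holders` (assumed, optional) is the set of hostnames that are allowed
    to run kube-scheduler; any other holder is flagged.
    """
    lease = json.loads(annotation)
    now = parse_k8s_time(now_rfc3339)
    renewed = parse_k8s_time(lease["renewTime"])
    expires = renewed + timedelta(seconds=lease["leaseDurationSeconds"])
    # holderIdentity is "<hostname>_<uuid>"; the hostname is the useful part
    holder = lease["holderIdentity"].split("_", 1)[0]
    return {
        "holder": holder,
        "held_since": lease["acquireTime"],
        "renew_age_seconds": (now - renewed).total_seconds(),
        # past leaseDurationSeconds without a renewal: no live scheduler holds the lease
        "expired": now > expires,
        # a rising count means leadership keeps moving between schedulers
        "transitions": lease["leaderTransitions"],
        "unexpected_holder": expected_holders is not None and holder not in expected_holders,
    }


if __name__ == "__main__":
    print(lease_status(LEADER_ANNOTATION, "2019-02-14T06:30:50Z"))
```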
7. Configure automatic approval of kubelet CSR requests
cat > /opt/kubernetes/cfg/csr-crb.yaml <<EOF
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
---
# To let a node of the group "system:nodes" renew its own credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-client-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
---
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
---
# To let a node of the group "system:nodes" renew its own server credentials
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: node-server-cert-renewal
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: approve-node-server-renewal-csr
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /opt/kubernetes/cfg/csr-crb.yaml
clusterrolebinding.rbac.authorization.k8s.io/auto-approve-csrs-for-group created
clusterrolebinding.rbac.authorization.k8s.io/node-client-cert-renewal created
clusterrole.rbac.authorization.k8s.io/approve-node-server-renewal-csr created
clusterrolebinding.rbac.authorization.k8s.io/node-server-cert-renewal created
- Notes:
  - After kubelet starts it uses --bootstrap-kubeconfig to send a CSR to kube-apiserver; once that CSR is approved, kube-controller-manager creates the TLS client certificate, private key and --kubeletconfig file for the kubelet.
  - Note: kube-controller-manager must be configured with the --cluster-signing-cert-file and --cluster-signing-key-file parameters, otherwise it will not create certificates and private keys for TLS Bootstrap.