kubernetes集群安装指南:kube-controller-manager组件集群部署

发布时间:2020-06-10 19:11:03 作者:清白之年
来源:网络 阅读:1521

kube-controller-manager属于master节点组件,kube-controller-manager集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的高可用性。

1 安装准备

特别说明:这里所有的操作都是在devops这台机器上通过ansible工具执行;kube-controller-manager 在如下两种情况下使用证书:

1.1 环境变量定义
#################### Variable parameter setting ######################
KUBE_NAME=kube-controller-manager
K8S_INSTALL_PATH=/data/apps/k8s/kubernetes
K8S_BIN_PATH=${K8S_INSTALL_PATH}/sbin
K8S_LOG_DIR=${K8S_INSTALL_PATH}/logs
K8S_CONF_PATH=/etc/k8s/kubernetes
KUBE_CONFIG_PATH=/etc/k8s/kubeconfig
CA_DIR=/etc/k8s/ssl
SOFTWARE=/root/software
VERSION=v1.14.2
PACKAGE="kubernetes-server-${VERSION}-linux-amd64.tar.gz"
DOWNLOAD_URL=“”https://github.com/devops-apps/download/raw/master/kubernetes/${PACKAGE}"
ETH_INTERFACE=eth2
LISTEN_IP=$(ifconfig | grep -A 1 ${ETH_INTERFACE} |grep inet |awk '{print $2}')
USER=k8s
SERVICE_CIDR=10.254.0.0/22
1.2 下载和分发 kubernetes 二进制文件

访问kubernetes github 官方地址下载稳定的 realease 包至本机;

wget  $DOWNLOAD_URL -P $SOFTWARE

将kubernetes 软件包分发到各个master节点服务器

sudo ansible master_k8s_vgs -m copy -a "src=${SOFTWARE}/$PACKAGE dest=${SOFTWARE}/" -b

2 部署kube-controller-manager集群

2.1 安装kube-controller-manager二进制文件
### 1.Check if the install directory exists.
if [ ! -d "$K8S_BIN_PATH" ]; then
     mkdir -p $K8S_BIN_PATH
fi

if [ ! -d "$K8S_LOG_DIR/$KUBE_NAME" ]; then
     mkdir -p $K8S_LOG_DIR/$KUBE_NAME
fi

if [ ! -d "$K8S_CONF_PATH" ]; then
     mkdir -p $K8S_CONF_PATH
fi

if [ ! -d "$KUBE_CONFIG_PATH" ]; then
     mkdir -p $KUBE_CONFIG_PATH
fi

### 2.Install kube-apiserver binary of kubernetes.
if [ ! -f "$SOFTWARE/kubernetes-server-${VERSION}-linux-amd64.tar.gz" ]; then
     wget $DOWNLOAD_URL -P $SOFTWARE >>/tmp/install.log  2>&1
fi
cd $SOFTWARE && tar -xzf kubernetes-server-${VERSION}-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/$KUBE_NAME $K8S_BIN_PATH
ln -sf  $K8S_BIN_PATH/$KUBE_NAM /usr/local/bin
chown -R $USER:$USER $K8S_INSTALL_PATH
chmod -R 755 $K8S_INSTALL_PATH
2.2 分发 kubeconfig 文件和证书
分发证书
cd ${CA_DIR}
sudo ansible master_k8s_vgs -m  copy -a "src=ca.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a "src=ca-key.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a \
  "src=kubecontroller-manager.pem dest=${CA_DIR}/" -b
sudo ansible master_k8s_vgs -m  copy -a \
  "src=kubecontroller-manager-key.pem dest=${CA_DIR}/" -b
分发kubeconfig认证文件

kube-controller-manager使用 kubeconfig文件连接访问 apiserver服务,该文件提供了 apiserver 地址、嵌入的 CA 证书和 kube-scheduler证书:

cd $KUBE_CONFIG_PATH
sudo ansible master_k8s_vgs -m  copy -a \
     "src=kube-controller-manager.kubeconfig dest=$KUBE_CONFIG_PATH/" -b

备注: 如果在前面小节已经同步过各组件kubeconfig和证书文件,此处可以不必执行此操作;

2.3 创建kube-controller-manager启动服务
cat >/usr/lib/systemd/system/${KUBE_NAME}.service<<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
User=${USER}
WorkingDirectory=${K8S_INSTALL_PATH}
ExecStart=${K8S_BIN_PATH}/${KUBE_NAME} \\
  --port=10252 \\
  --secure-port=10257 \\
  --bind-address=${LISTEN_IP} \\
  --address=127.0.0.1 \\
  --kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --authentication-kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --authorization-kubeconfig=${KUBE_CONFIG_PATH}/${KUBE_NAME}.kubeconfig \\
  --client-ca-file=${CA_DIR}/ca.pem \\
  --service-cluster-ip-range=${SERVICE_CIDR} \\
  --cluster-name=kubernetes \\
  --cluster-signing-cert-file=${CA_DIR}/ca.pem \\
  --cluster-signing-key-file=${CA_DIR}/ca-key.pem \\
  --root-ca-file=${CA_DIR}/ca.pem \\
  --service-account-private-key-file=${CA_DIR}/ca-key.pem \\
  --leader-elect=true \\
  --feature-gates=RotateKubeletServerCertificate=true \\
  --horizontal-pod-autoscaler-use-rest-clients=true \\
  --horizontal-pod-autoscaler-sync-period=10s \\
  --concurrent-service-syncs=2 \\
  --kube-api-qps=1000 \\
  --kube-api-burst=2000 \\
  --concurrent-gc-syncs=30 \\
  --concurrent-deployment-syncs=10 \\
  --terminated-pod-gc-threshold=10000 \\
  --controllers=*,bootstrapsigner,tokencleaner \\
  --requestheader-allowed-names="" \\
  --requestheader-client-ca-file=${CA_DIR}/ca.pem \\
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  --requestheader-group-headers=X-Remote-Group \\
  --requestheader-username-headers=X-Remote-User \\
  --tls-cert-file=${CA_DIR}/kube-controller-manager.pem \\
  --tls-private-key-file=${CA_DIR}/kube-controller-manager-key.pem \\
  --use-service-account-credentials=true \\
  --alsologtostderr=true \\
  --logtostderr=false \\
  --log-dir=${K8S_LOG_DIR}/${KUBE_NAME} \\
  --flex-volume-plugin-dir=${K8S_INSTALL_PATH}/libexec/kubernetes \\
  --v=2
Restart=on
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
2.4 检查服务运行状态

kube-controller-manager监听10252和10257端口,两个接口都对外提供 /metrics 和 /healthz 的访问。

注意:很多安装文档都是关闭了非安全端口,将安全端口改为10250,这会导致查看集群状态是报如下错误,执行 kubectl get cs命令时,apiserver 默认向 127.0.0.1 发送请求。当controller-manager、scheduler以集群模式运行时,有可能和kube-apiserver不在一台机器上,且访问方式为https,则 controller-manager或scheduler 的状态为 Unhealthy,但实际上它们工作正常。则会导致上述error,但实际集群是安全状态;

kubectl get componentstatuses
NAME                 STATUS      MESSAGE    ERROR
controller-manager  Unhealthy  dial tcp  127.0.0.1:10252: connect: connection refused
scheduler          Unhealthy  dial tcp  127.0.0.1:10251: connect: connection refused
etcd-0               Healthy     {"health":"true"}
etcd-2               Healthy     {"health":"true"}
etcd-1               Healthy     {"health":"true"}

正常输出应该为:
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}   

查看服务是否运行

systemctl status kube-controller-manager|grep Active

确保状态为 active (running),否则查看日志,确认原因:

sudo journalctl -u kube-controller-manager
2.5 查看输出的 metrics

注意:以下命令在 kube-controller-manager 节点上执行。

https方式访问
curl -s --cacert /opt/k8s/work/ca.pem \
  --cert /opt/k8s/work/admin.pem \
  --key /opt/k8s/work/admin-key.pem \
  https://10.10.10.22:10257/metrics |head

http方式访问
curl -s http://127.0.0.1:10252/metrics |head
2.6 kube-controller-manager 的权限设置

ClusteRole system:kube-controller-manager 的权限很小,只能创建 secret、serviceaccount 等资源对象,各 controller 的权限分散到 ClusterRole system:controller:XXX 中:

 $ kubectl describe clusterrole system:kube-controller-manager
Name:         system:kube-controller-manager
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                  Non-Resource URLs  Resource Names  Verbs
  ---------                  -----------------  --------------  -----
  secrets                                   []   []    [create delete get update]
  endpoints                                 []   []    [create get update]
  serviceaccounts                           []   []    [create get update]
  events                                    []   []    [create patch update]
  tokenreviews.authentication.k8s.io        []   []    [create]
  subjectacce***eviews.authorization.k8s.io []   []    [create]
  configmaps                                []   []    [get]
  namespaces                                []   []    [get]
  *.*                                       []   []    [list watch]

需要在kube-controller-manager的启动参数中添加"--use-service-account-credentials=true"参数,这样main controller将会为各controller创建对应的ServiceAccount XXX-controller。然后内置的 ClusterRoleBinding system:controller:XXX则将赋予各XXX-controller ServiceAccount对应的ClusterRole system:controller:XXX 权限。

 $ kubectl get clusterrole|grep controller
system:controller:attachdetach-controller                              17d
system:controller:certificate-controller                               17d
system:controller:clusterrole-aggregation-controller                   17d
system:controller:cronjob-controller                                   17d
system:controller:daemon-set-controller                                17d
system:controller:deployment-controller                                17d
system:controller:disruption-controller                                17d
system:controller:endpoint-controller                                  17d
system:controller:expand-controller                                    17d
system:controller:generic-garbage-collector                            17d
system:controller:horizontal-pod-autoscaler                            17d
system:controller:job-controller                                       17d
system:controller:namespace-controller                                 17d
system:controller:node-controller                                      17d
system:controller:persistent-volume-binder                             17d
system:controller:pod-garbage-collector                                17d
system:controller:pv-protection-controller                             17d
system:controller:pvc-protection-controller                            17d
system:controller:replicaset-controller                                17d
system:controller:replication-controller                               17d
system:controller:resourcequota-controller                             17d
system:controller:route-controller                                     17d
system:controller:service-account-controller                           17d
system:controller:service-controller                                   17d
system:controller:statefulset-controller                               17d
system:controller:ttl-controller                                       17d
system:kube-controller-manager                                         17d

以 deployment controller 为例:

$ kubectl describe clusterrole system:controller:deployment-controller
Name:         system:controller:deployment-controller
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                        Non-Resource URLs  Resource Names  Verbs
  ---------                        -----------------  --------------  -----
  replicasets.apps                 []   []  [create delete get list patch update watch]
  replicasets.extensions           []   []  [create delete get list patch update watch]
  events                           []   []  [create patch update]
  pods                             []   []  [get list update watch]
  deployments.apps                 []   []  [get list update watch]
  deployments.extensions           []   []  [get list update watch]
  deployments.apps/finalizers      []   []  [update]
  deployments.apps/status          []   []  [update]
  deployments.extensions/finalizers[]   []  [update]
  deployments.extensions/status    []   []  [update]
2.7 查看当前的 leader
kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
2.8 测试kube-controller-manager集群的高可用

随机找一个或两个 master 节点,停掉kube-controller-manager服务,看其它节点是否获取了 leader 权限.

参考

关于 controller 权限和 use-service-account-credentials 参数:
https://github.com/kubernetes/kubernetes/issues/48208
kubelet 认证和授权:
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authorization


安装完成kube-controller-manager后,还需要安装kube-scheduler,请参考:kubernetes集群安装指南:kube-scheduler组件集群部署。关于kube-controller-manager脚本请此处获取

推荐阅读:
  1. Kubernetes集群部署的方式有哪些?
  2. kubernetes集群部署Flannel组件

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

kubernetes controller-manager master节点

上一篇:java封装类的方法

下一篇:golang中设置时间的基本用法

相关阅读

您好,登录后才能下订单哦!

密码登录
登录注册
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》