From dce81055a96e64eb700caa9fc14a280a91f5c019 Mon Sep 17 00:00:00 2001
From: Emily_LiuLiu
Date: Fri, 18 Apr 2025 12:41:46 +0000
Subject: [PATCH] =?UTF-8?q?=E6=8E=A7=E5=88=B6=E5=B9=B3=E9=9D=A2=E7=BB=84?=
 =?UTF-8?q?=E4=BB=B6=E5=BA=94=E8=AF=A5=E4=BD=BF=E8=83=BDkube-apiserver?=
 =?UTF-8?q?=E6=9C=8D=E5=8A=A1=EF=BC=8C=E8=80=8C=E9=9D=9Ekube-proxy?=
 =?UTF-8?q?=E6=9C=8D=E5=8A=A1=EF=BC=8C=E5=B9=B6=E4=B8=94=E8=AF=A5=E6=9C=8D?=
 =?UTF-8?q?=E5=8A=A1=E5=9C=A8=E8=AF=A5=E9=A1=B5=E6=96=87=E6=A1=A3=E4=B8=AD?=
 =?UTF-8?q?=E5=B9=B6=E6=B2=A1=E6=9C=89=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Emily_LiuLiu
---
 ...66\351\235\242\347\273\204\344\273\266.md" | 158 +++++++++---------
 1 file changed, 81 insertions(+), 77 deletions(-)
diff --git "a/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md" "b/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md"
index 91ae3a2b9..c46f3c1e0 100644
--- "a/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md"
+++ "b/docs/zh/docs/Kubernetes/\351\203\250\347\275\262\346\216\247\345\210\266\351\235\242\347\273\204\344\273\266.md"
@@ -1,42 +1,41 @@
 # 部署控制面组件
-
 ## 准备所有组件的 kubeconfig
 ### kube-proxy
 ```bash
-$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://192.168.122.154:6443 --kubeconfig=kube-proxy.kubeconfig
-$ kubectl config set-credentials system:kube-proxy --client-certificate=/etc/kubernetes/pki/kube-proxy.pem --client-key=/etc/kubernetes/pki/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
-$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig
-$ kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
+kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://192.168.122.154:6443 --kubeconfig=kube-proxy.kubeconfig
+kubectl config set-credentials system:kube-proxy --client-certificate=/etc/kubernetes/pki/kube-proxy.pem --client-key=/etc/kubernetes/pki/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
+kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig
+kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
 ```
 ### kube-controller-manager
 ```bash
-$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-controller-manager.kubeconfig
-$ kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/pki/kube-controller-manager.pem --client-key=/etc/kubernetes/pki/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
-$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
-$ kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
+kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-controller-manager.kubeconfig
+kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/pki/kube-controller-manager.pem --client-key=/etc/kubernetes/pki/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
+kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
+kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
 ```
 ### kube-scheduler
 ```bash
-$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-scheduler.kubeconfig
-$ kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/pki/kube-scheduler.pem --client-key=/etc/kubernetes/pki/kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
-$ kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
-$ kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
+kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=kube-scheduler.kubeconfig
+kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/pki/kube-scheduler.pem --client-key=/etc/kubernetes/pki/kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
+kubectl config set-context default --cluster=openeuler-k8s --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
+kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
 ```
 ### admin
 ```bash
-$ kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=admin.kubeconfig
-$ kubectl config set-credentials admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig
-$ kubectl config set-context default --cluster=openeuler-k8s --user=admin --kubeconfig=admin.kubeconfig
-$ kubectl config use-context default --kubeconfig=admin.kubeconfig
+kubectl config set-cluster openeuler-k8s --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=https://127.0.0.1:6443 --kubeconfig=admin.kubeconfig
+kubectl config set-credentials admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/admin-key.pem --embed-certs=true --kubeconfig=admin.kubeconfig
+kubectl config set-context default --cluster=openeuler-k8s --user=admin --kubeconfig=admin.kubeconfig
+kubectl config use-context default --kubeconfig=admin.kubeconfig
 ```
 ### 获得相关 kubeconfig 配置文件
@@ -88,6 +87,7 @@ ca.pem kube-controller-manager.pem kubernetes-key.pem kube-s
 ## 部署 admin 角色的 RBAC
 使能 admin role
+
 ```bash
 $ cat admin_cluster_role.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -115,6 +115,7 @@ $ kubectl apply --kubeconfig admin.kubeconfig -f admin_cluster_role.yaml
 ```
 绑定 admin role
+
 ```bash
 $ cat admin_cluster_rolebind.yaml
 apiVersion: rbac.authorization.k8s.io/v1
@@ -138,6 +139,7 @@ $ kubectl apply --kubeconfig admin.kubeconfig -f admin_cluster_rolebind.yaml
 ## 部署 api server 服务
 修改 apiserver 的 etc 配置文件:
+
 ```bash
 $ cat /etc/kubernetes/apiserver
 KUBE_ADVERTIS_ADDRESS="--advertise-address=192.168.122.154"
@@ -192,42 +194,42 @@ After=etcd.service
 EnvironmentFile=-/etc/kubernetes/config
 EnvironmentFile=-/etc/kubernetes/apiserver
 ExecStart=/usr/bin/kube-apiserver \
- $KUBE_ADVERTIS_ADDRESS \
- $KUBE_ALLOW_PRIVILEGED \
- $KUBE_AUTHORIZATION_MODE \
- $KUBE_ENABLE_ADMISSION_PLUGINS \
- $KUBE_SECURE_PORT \
- $KUBE_ENABLE_BOOTSTRAP_TOKEN_AUTH \
- $KUBE_ETCD_CAFILE \
- $KUBE_ETCD_CERTFILE \
- $KUBE_ETCD_KEYFILE \
- $KUBE_ETCD_SERVERS \
- $KUBE_CLIENT_CA_FILE \
- $KUBE_KUBELET_CERT_AUTH \
- $KUBE_KUBELET_CLIENT_CERT \
- $KUBE_KUBELET_CLIENT_KEY \
- $KUBE_PROXY_CLIENT_CERT_FILE \
- $KUBE_PROXY_CLIENT_KEY_FILE \
- $KUBE_TLS_CERT_FILE \
- $KUBE_TLS_PRIVATE_KEY_FILE \
- $KUBE_SERVICE_CLUSTER_IP_RANGE \
- $KUBE_SERVICE_ACCOUNT_ISSUER \
- $KUBE_SERVICE_ACCOUNT_KEY_FILE \
- $KUBE_SERVICE_ACCOUNT_SIGN_KEY_FILE \
- $KUBE_SERVICE_NODE_PORT_RANGE \
- $KUBE_LOGTOSTDERR \
- $KUBE_LOG_LEVEL \
- $KUBE_API_PORT \
- $KUBELET_PORT \
- $KUBE_ALLOW_PRIV \
- $KUBE_SERVICE_ADDRESSES \
- $KUBE_ADMISSION_CONTROL \
- $KUB_ENCRYPTION_PROVIDER_CONF \
- $KUBE_REQUEST_HEADER_ALLOWED_NAME \
- $KUBE_REQUEST_HEADER_EXTRA_HEADER_PREF \
- $KUBE_REQUEST_HEADER_GROUP_HEADER \
- $KUBE_REQUEST_HEADER_USERNAME_HEADER \
- $KUBE_API_ARGS
+ $KUBE_ADVERTIS_ADDRESS \
+ $KUBE_ALLOW_PRIVILEGED \
+ $KUBE_AUTHORIZATION_MODE \
+ $KUBE_ENABLE_ADMISSION_PLUGINS \
+ $KUBE_SECURE_PORT \
+ $KUBE_ENABLE_BOOTSTRAP_TOKEN_AUTH \
+ $KUBE_ETCD_CAFILE \
+ $KUBE_ETCD_CERTFILE \
+ $KUBE_ETCD_KEYFILE \
+ $KUBE_ETCD_SERVERS \
+ $KUBE_CLIENT_CA_FILE \
+ $KUBE_KUBELET_CERT_AUTH \
+ $KUBE_KUBELET_CLIENT_CERT \
+ $KUBE_KUBELET_CLIENT_KEY \
+ $KUBE_PROXY_CLIENT_CERT_FILE \
+ $KUBE_PROXY_CLIENT_KEY_FILE \
+ $KUBE_TLS_CERT_FILE \
+ $KUBE_TLS_PRIVATE_KEY_FILE \
+ $KUBE_SERVICE_CLUSTER_IP_RANGE \
+ $KUBE_SERVICE_ACCOUNT_ISSUER \
+ $KUBE_SERVICE_ACCOUNT_KEY_FILE \
+ $KUBE_SERVICE_ACCOUNT_SIGN_KEY_FILE \
+ $KUBE_SERVICE_NODE_PORT_RANGE \
+ $KUBE_LOGTOSTDERR \
+ $KUBE_LOG_LEVEL \
+ $KUBE_API_PORT \
+ $KUBELET_PORT \
+ $KUBE_ALLOW_PRIV \
+ $KUBE_SERVICE_ADDRESSES \
+ $KUBE_ADMISSION_CONTROL \
+ $KUB_ENCRYPTION_PROVIDER_CONF \
+ $KUBE_REQUEST_HEADER_ALLOWED_NAME \
+ $KUBE_REQUEST_HEADER_EXTRA_HEADER_PREF \
+ $KUBE_REQUEST_HEADER_GROUP_HEADER \
+ $KUBE_REQUEST_HEADER_USERNAME_HEADER \
+ $KUBE_API_ARGS
 Restart=on-failure
 Type=notify
 LimitNOFILE=65536
@@ -239,6 +241,7 @@ WantedBy=multi-user.target
 ## 部署 controller-manager 服务
 修改 controller-manager 配置文件:
+
 ```bash
 $ cat /etc/kubernetes/controller-manager
 KUBE_BIND_ADDRESS="--bind-address=127.0.0.1"
@@ -267,20 +270,20 @@ Documentation=https://kubernetes.io/docs/reference/generated/kube-controller-man
 EnvironmentFile=-/etc/kubernetes/config
 EnvironmentFile=-/etc/kubernetes/controller-manager
 ExecStart=/usr/bin/kube-controller-manager \
- $KUBE_BIND_ADDRESS \
- $KUBE_LOGTOSTDERR \
- $KUBE_LOG_LEVEL \
- $KUBE_CLUSTER_CIDR \
- $KUBE_CLUSTER_NAME \
- $KUBE_CLUSTER_SIGNING_CERT_FILE \
- $KUBE_CLUSTER_SIGNING_KEY_FILE \
- $KUBE_KUBECONFIG \
- $KUBE_LEADER_ELECT \
- $KUBE_ROOT_CA_FILE \
- $KUBE_SERVICE_ACCOUNT_PRIVATE_KEY_FILE \
- $KUBE_SERVICE_CLUSTER_IP_RANGE \
- $KUBE_USE_SERVICE_ACCOUNT_CRED \
- $KUBE_CONTROLLER_MANAGER_ARGS
+ $KUBE_BIND_ADDRESS \
+ $KUBE_LOGTOSTDERR \
+ $KUBE_LOG_LEVEL \
+ $KUBE_CLUSTER_CIDR \
+ $KUBE_CLUSTER_NAME \
+ $KUBE_CLUSTER_SIGNING_CERT_FILE \
+ $KUBE_CLUSTER_SIGNING_KEY_FILE \
+ $KUBE_KUBECONFIG \
+ $KUBE_LEADER_ELECT \
+ $KUBE_ROOT_CA_FILE \
+ $KUBE_SERVICE_ACCOUNT_PRIVATE_KEY_FILE \
+ $KUBE_SERVICE_CLUSTER_IP_RANGE \
+ $KUBE_USE_SERVICE_ACCOUNT_CRED \
+ $KUBE_CONTROLLER_MANAGER_ARGS
 Restart=on-failure
 LimitNOFILE=65536
@@ -291,6 +294,7 @@ WantedBy=multi-user.target
 ## 部署 scheduler 服务
 修改 scheduler 配置文件:
+
 ```bash
 $ cat /etc/kubernetes/scheduler
 KUBE_CONFIG="--kubeconfig=/etc/kubernetes/pki/kube-scheduler.kubeconfig"
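Review bot: The re-indented kube-apiserver `ExecStart` list (hunk `-192,42 +194,42`) still carries `$KUB_ENCRYPTION_PROVIDER_CONF`, spelled `KUB_` where every other entry starts with `KUBE`, so it looks like a typo that the whitespace cleanup copied over. systemd expands a variable that is not set in the `EnvironmentFile` to nothing, so if `/etc/kubernetes/apiserver` defines the option under the `KUBE_` spelling (its definition is not visible in this patch), kube-apiserver still starts but without that flag, which by its name carries the encryption provider configuration. I would change the line to `$KUBE_ENCRYPTION_PROVIDER_CONF \` after confirming the name used in the environment file. The unit file begins and ends outside the hunk.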
@@ -313,14 +317,14 @@ Documentation=https://kubernetes.io/docs/reference/generated/kube-scheduler/
 EnvironmentFile=-/etc/kubernetes/config
 EnvironmentFile=-/etc/kubernetes/scheduler
 ExecStart=/usr/bin/kube-scheduler \
- $KUBE_LOGTOSTDERR \
- $KUBE_LOG_LEVEL \
- $KUBE_CONFIG \
- $KUBE_AUTHENTICATION_KUBE_CONF \
- $KUBE_AUTHORIZATION_KUBE_CONF \
- $KUBE_BIND_ADDR \
- $KUBE_LEADER_ELECT \
- $KUBE_SCHEDULER_ARGS
+ $KUBE_LOGTOSTDERR \
+ $KUBE_LOG_LEVEL \
+ $KUBE_CONFIG \
+ $KUBE_AUTHENTICATION_KUBE_CONF \
+ $KUBE_AUTHORIZATION_KUBE_CONF \
+ $KUBE_BIND_ADDR \
+ $KUBE_LEADER_ELECT \
+ $KUBE_SCHEDULER_ARGS
 Restart=on-failure
 LimitNOFILE=65536
@@ -331,8 +335,8 @@ WantedBy=multi-user.target
 ## 使能各组件
 ```bash
-$ systemctl enable kube-controller-manager kube-scheduler kube-proxy
-$ systemctl restart kube-controller-manager kube-scheduler kube-proxy
+systemctl enable kube-controller-manager kube-scheduler kube-apiserver
+systemctl restart kube-controller-manager kube-scheduler kube-apiserver
 ```
 ## 基本功能验证
-- 
Gitee
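Review bot: In the last hunk (`-331,8 +335,8`) the new `systemctl enable` and `systemctl restart` lines list kube-apiserver last, although the controller-manager and scheduler kubeconfigs generated at the top of this page both point at `https://127.0.0.1:6443` and therefore depend on it. Argument order does not decide start order in systemd, so this is a readability point only, but `systemctl enable kube-apiserver kube-controller-manager kube-scheduler` (and the same order for `restart`) would document the dependency. The apiserver unit shown earlier declares `After=etcd.service`, which orders the two units without starting etcd, so a one-line comment above the commands such as `# etcd must already be running` would save readers a failed first start.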