kube-controller-manager 部署 ¶
创建 kube-controller-manager 证书请求文件 ¶
说明:
- hosts 列表包含所有 kube-controller-manager 节点 IP;
- CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager,kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限
1. 创建证书目录
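# Working directory for the controller-manager CSR, certificate, key and
# kubeconfig. -p makes the step safe to re-run when the directory already
# exists; -- stops option parsing before the name.
mkdir -p -- kube-controller-manager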
说明:
- hosts 列表包含所有 kube-controller-manager 节点 IP;
- CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager，kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限
2. 创建证书请求文件
# cfssl CSR request for the controller-manager client certificate. CN and O are
# both system:kube-controller-manager, the identity that the built-in
# system:kube-controller-manager ClusterRoleBinding grants permissions to.
# The delimiter is quoted, so the JSON is written verbatim with no shell
# expansion.
cat <<'EOF' >kube-controller-manager/kube-controller-manager.json
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.3.50",
"192.168.3.51",
"192.168.3.52"
],
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-controller-manager",
"OU": "system"
}
]
}
EOF
创建 kube-controller-manager 的 kube-controller-manager.kubeconfig 文件 ¶
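#!/bin/bash
# Generate the kube-controller-manager client certificate with cfssl and build
# the kubeconfig that presents it to the API server.
# Inputs (relative to the current directory):
#   ca/ca.pem, ca/ca-key.pem, ca/ca-config.json         - cluster CA material
#   kube-controller-manager/kube-controller-manager.json - CSR request file
# Outputs under kube-controller-manager/:
#   kube-controller-manager.pem, kube-controller-manager-key.pem and
#   kube-controller-manager.kubeconfig (with CA, cert and key embedded).
# Exits non-zero if the working directory or any input is missing, or if any
# cfssl/kubectl step fails.
set -euo pipefail

# Component name; reused for the directory, the file names and the kubeconfig
# user.
MODULE_NAME="kube-controller-manager"
KUBERNETES_SERVER="https://192.168.3.200:6443"
CA_DIR="ca"
FILE_EXT=".kubeconfig"
CLUSTER_NAME="kubernetes"
# Same value as the CN/O in the CSR, so the built-in ClusterRoleBinding for
# system:kube-controller-manager applies to this kubeconfig user.
USER_NAME="system:${MODULE_NAME}"

# CA material
CA_CERT="${CA_DIR}/ca.pem"
CA_KEY="${CA_DIR}/ca-key.pem"
CA_CONFIG="${CA_DIR}/ca-config.json"

# Per-component paths
MODULE_DIR="${MODULE_NAME}"
MODULE_CONFIG="${MODULE_DIR}/${MODULE_NAME}${FILE_EXT}"
MODULE_CERT="${MODULE_DIR}/${MODULE_NAME}.pem"
MODULE_KEY="${MODULE_DIR}/${MODULE_NAME}-key.pem"
MODULE_JSON="${MODULE_DIR}/${MODULE_NAME}.json"

# The working directory must already exist (it holds the CSR request file).
if [[ ! -d "${MODULE_DIR}" ]]; then
  printf '%s\n' "目录 ${MODULE_DIR} 不存在,脚本退出。" >&2
  exit 1
fi
# Fail before calling cfssl if an input is missing, instead of producing an
# empty certificate and a kubeconfig that references files that do not exist.
for required in "${CA_CERT}" "${CA_KEY}" "${CA_CONFIG}" "${MODULE_JSON}"; do
  if [[ ! -f "${required}" ]]; then
    printf '%s\n' "文件 ${required} 不存在,脚本退出。" >&2
    exit 1
  fi
done

# Sign the CSR with the cluster CA using the "kubernetes" profile. With
# pipefail a cfssl failure aborts the script rather than being masked by the
# exit status of cfssljson.
cfssl gencert \
  -ca="${CA_CERT}" \
  -ca-key="${CA_KEY}" \
  -config="${CA_CONFIG}" \
  -profile=kubernetes \
  "${MODULE_JSON}" | cfssljson -bare "${MODULE_DIR}/${MODULE_NAME}"

# Cluster entry; the CA is embedded so the kubeconfig is self-contained.
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority="${CA_CERT}" \
  --embed-certs=true \
  --server="${KUBERNETES_SERVER}" \
  --kubeconfig="${MODULE_CONFIG}"

# User entry. The client certificate AND its private key are embedded, so the
# resulting kubeconfig is as sensitive as the key file itself.
kubectl config set-credentials "${USER_NAME}" \
  --client-certificate="${MODULE_CERT}" \
  --client-key="${MODULE_KEY}" \
  --embed-certs=true \
  --kubeconfig="${MODULE_CONFIG}"

# Context tying the cluster and user together, then make it the default.
kubectl config set-context "${USER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"

kubectl config use-context "${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"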
创建 kube-controller-manager 服务配置文件 ¶
1. 在 ca 节点执行
# systemd EnvironmentFile read by the kube-controller-manager unit; the whole
# option string is one variable that ExecStart expands.
# Notes on the options below:
# - --bind-address=127.0.0.1 keeps the secure port (10257) reachable only
#   from the local host.
# - --cluster-signing-cert-file / --cluster-signing-key-file use the cluster
#   CA to sign CSRs (e.g. kubelet certificates).
# - --service-account-private-key-file also points at the cluster CA key, so
#   the same key signs both certificates and service-account tokens; a
#   dedicated service-account key pair is the more common setup - confirm this
#   reuse is intended.
# - --use-service-account-credentials=true makes each controller run with its
#   own service account rather than the shared controller-manager identity.
# The delimiter is quoted: the file is written verbatim. Do not put comment
# lines inside the heredoc - they would break the backslash-continued string.
cat <<'EOF' >kube-controller-manager/kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS=" \
--secure-port=10257 \
--bind-address=127.0.0.1 \
--kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
--service-cluster-ip-range=10.96.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--leader-elect=true \
--feature-gates=RotateKubeletServerCertificate=true \
--controllers=*,bootstrapsigner,tokencleaner \
--tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem \
--use-service-account-credentials=true \
--v=2"
EOF
创建 kube-controller-manager 服务启动配置文件 ¶
1. ca 节点执行
# systemd unit for kube-controller-manager, written verbatim (quoted delimiter).
# - EnvironmentFile=-... : the leading "-" tells systemd to ignore a missing
#   file; $KUBE_CONTROLLER_MANAGER_OPTS is then empty and the binary starts
#   with its defaults, so a missing .conf is silent rather than fatal.
# - $KUBE_CONTROLLER_MANAGER_OPTS is unquoted in ExecStart on purpose: systemd
#   word-splits it into individual flags.
# - No User= is given, so the process runs as root (systemd's default).
# - Restart=on-failure with RestartSec=5 restarts the process after a crash.
cat <<'EOF' >kube-controller-manager/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
同步 kube-controller-manager 证书文件到集群 master 节点 ¶
1. ca 节点执行
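#!/bin/bash
# Copy the generated kube-controller-manager certificate/key, kubeconfig,
# environment file and systemd unit to every master node, then enable and
# start the service there. Run from the directory that contains
# kube-controller-manager/ (the ca node). Any failed copy or failed
# daemon-reload/enable aborts the script; a non-active status is reported as
# a warning so the remaining hosts are still processed.
set -euo pipefail
# An unmatched glob (no *.pem generated yet) is an error instead of being
# passed to scp as a literal pattern.
shopt -s failglob

TARGET_HOSTS=("k8s-master01" "k8s-master02" "k8s-master03")
DIRECTORY=kube-controller-manager/

die() { printf '%s\n' "$*" >&2; exit 1; }

# Copy the artefacts to each host.
for host in "${TARGET_HOSTS[@]}"; do
  printf '正在复制文件到 %s...\n' "$host"
  # Certificate and private key into /etc/kubernetes/ssl/. The glob is left
  # unquoted on purpose so it matches both the .pem and the -key.pem file.
  # File modes on the remote side follow the remote umask - check that the
  # -key.pem is not group/world readable after copying.
  scp "${DIRECTORY}"kube-controller-manager*.pem "${host}:/etc/kubernetes/ssl/" \
    || die "复制证书文件到 ${host} 失败"
  # kubeconfig (embeds the client key) and environment file into /etc/kubernetes/.
  scp "${DIRECTORY}kube-controller-manager.kubeconfig" \
    "${DIRECTORY}kube-controller-manager.conf" \
    "${host}:/etc/kubernetes/" \
    || die "复制配置文件到 ${host} 失败"
  # systemd unit.
  scp "${DIRECTORY}kube-controller-manager.service" \
    "${host}:/usr/lib/systemd/system/" \
    || die "复制 systemd 服务文件到 ${host} 失败"
done

# Reload systemd, enable and start the unit on each host.
for host in "${TARGET_HOSTS[@]}"; do
  printf '在 %s 上执行 systemctl 命令...\n' "$host"
  ssh -t "$host" 'sudo systemctl daemon-reload' \
    || die "在 ${host} 上执行 daemon-reload 失败"
  ssh -t "$host" 'sudo systemctl enable --now kube-controller-manager' \
    || die "在 ${host} 上启动 kube-controller-manager 失败"
  # status exits non-zero when the unit is not active; under set -e that would
  # abort the loop, so report it and continue with the other hosts.
  ssh -t "$host" 'sudo systemctl status kube-controller-manager' \
    || printf '警告: %s 上的 kube-controller-manager 未处于运行状态\n' "$host" >&2
done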
查看证书
# Print the installed controller-manager certificate in human-readable form
# (subject, issuer, validity, SANs); -noout suppresses the PEM dump.
openssl x509 -noout -text -in /etc/kubernetes/ssl/kube-controller-manager.pem
启动 kube-controller-manager 服务 ¶
1. k8s-master 节点执行
可以去每个主节点查看服务是否启动
# Show the unit's state and recent log lines on the current master node.
systemctl status kube-controller-manager.service
2. k8s-master 节点查看状态
# List control-plane component health (cs is the short name). The sample
# output below shows the API itself warns that ComponentStatus is deprecated
# since v1.19, so treat this as a quick check only.
kubectl get componentstatuses
[root@k8s-master03 ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME STATUS MESSAGE ERROR
scheduler Unhealthy Get "https://127.0.0.1:10259/healthz": dial tcp 127.0.0.1:10259: connect: connection refused
controller-manager Healthy ok
etcd-0 Healthy ok