
kube-scheduler 部署

创建 kube-scheduler 证书请求文件

说明:

  • hosts 列表包含所有 kube-scheduler 节点 IP;
  • CN 为 system:kube-scheduler、O 为 system:kube-scheduler;apiserver 以证书的 CN 作为用户名、O 作为用户组,kubernetes 内置的 ClusterRoleBinding system:kube-scheduler 绑定的是用户 system:kube-scheduler,从而赋予 kube-scheduler 工作所需的权限。
1. 创建证书目录
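# Working directory for the kube-scheduler CSR, certificate, private key and
# kubeconfig. -p makes the step repeatable; the mode is set explicitly because
# the directory will hold the scheduler's private key.
mkdir -p kube-scheduler
chmod 700 kube-scheduler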
2. 创建请求证书文件
# Write the cfssl certificate signing request for the scheduler's client identity.
# The API server takes the certificate CN as the user name and each O as a group,
# so CN=system:kube-scheduler is the value that RBAC matches on.
# "hosts" ends up as the certificate's subject alternative names; keep the list
# in step with the real scheduler node addresses.
# The quoted "EOF" delimiter stops the shell from expanding anything in the body.
cat > kube-scheduler/kube-scheduler.json << "EOF"
{
    "CN": "system:kube-scheduler",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
        "127.0.0.1",
        "192.168.3.50",
        "192.168.3.51",
        "192.168.3.52"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "Beijing",
        "L": "Beijing",
        "O": "system:kube-scheduler",
        "OU": "system"
      }
    ]
}
EOF

创建 kube-scheduler 证书文件

创建 kube-scheduler 的 kube-scheduler.kubeconfig 文件

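#!/bin/bash
# Issue the kube-scheduler client certificate from the cluster CA and build
# kube-scheduler.kubeconfig around it. Run from the directory that holds the
# ca/ and kube-scheduler/ sub-directories.

# Stop at the first failing step (pipefail covers a cfssl failure on the left
# side of the cfssl | cfssljson pipeline), so a kubeconfig is never assembled
# from a missing or stale certificate.
set -euo pipefail

# The private key, and the kubeconfig that embeds it, are credentials for the
# system:kube-scheduler identity: create every output file owner-only.
umask 077

# Settings
MODULE_NAME="kube-scheduler"
KUBERNETES_SERVER="https://192.168.3.200:6443"
CA_DIR="ca"
FILE_EXT=".kubeconfig"
CLUSTER_NAME="kubernetes"
USER_NAME="system:${MODULE_NAME}"

# CA file paths
CA_CERT="${CA_DIR}/ca.pem"
CA_KEY="${CA_DIR}/ca-key.pem"
CA_CONFIG="${CA_DIR}/ca-config.json"

# Per-component file paths
MODULE_DIR="${MODULE_NAME}"
MODULE_CONFIG="${MODULE_DIR}/${MODULE_NAME}${FILE_EXT}"
MODULE_CERT="${MODULE_DIR}/${MODULE_NAME}.pem"
MODULE_KEY="${MODULE_DIR}/${MODULE_NAME}-key.pem"
MODULE_JSON="${MODULE_DIR}/${MODULE_NAME}.json"

# The component directory must already exist; it holds the CSR JSON.
if [ ! -d "${MODULE_DIR}" ]; then
  echo "目录 ${MODULE_DIR} 不存在,脚本退出。" >&2
  exit 1
fi

# Every signing input must be present before cfssl is invoked.
for required in "${CA_CERT}" "${CA_KEY}" "${CA_CONFIG}" "${MODULE_JSON}"; do
  if [ ! -f "${required}" ]; then
    echo "文件 ${required} 不存在,脚本退出。" >&2
    exit 1
  fi
done

# Sign the component certificate; cfssljson writes the certificate, key and CSR
# files under the ${MODULE_DIR}/${MODULE_NAME} prefix.
cfssl gencert \
  -ca="${CA_CERT}" \
  -ca-key="${CA_KEY}" \
  -config="${CA_CONFIG}" \
  -profile=kubernetes \
  "${MODULE_JSON}" \
  | cfssljson -bare "${MODULE_DIR}/${MODULE_NAME}"

# Cluster entry: API server URL plus the embedded CA certificate.
kubectl config set-cluster "${CLUSTER_NAME}" \
  --certificate-authority="${CA_CERT}" \
  --embed-certs=true \
  --server="${KUBERNETES_SERVER}" \
  --kubeconfig="${MODULE_CONFIG}"

# Credentials entry: --embed-certs=true copies the client certificate AND the
# private key into the kubeconfig, so the file must be handled like the key.
kubectl config set-credentials "${USER_NAME}" \
  --client-certificate="${MODULE_CERT}" \
  --client-key="${MODULE_KEY}" \
  --embed-certs=true \
  --kubeconfig="${MODULE_CONFIG}"

# Context tying the cluster entry to the credentials entry.
kubectl config set-context "${USER_NAME}" \
  --cluster="${CLUSTER_NAME}" \
  --user="${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"

# Make that context the default one in this kubeconfig.
kubectl config use-context "${USER_NAME}" \
  --kubeconfig="${MODULE_CONFIG}"

# umask only affects newly created files; tighten the two secret-bearing files
# explicitly in case they were left over from an earlier run.
chmod 600 "${MODULE_KEY}" "${MODULE_CONFIG}"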

创建 kube-scheduler 服务配置文件

1. 在 ca 节点执行

# Write the options file that the systemd unit loads as KUBE_SCHEDULER_OPTS.
# --kubeconfig names the path the kubeconfig is expected at on each master.
# NOTE(review): no --bind-address, --authentication-kubeconfig or
# --authorization-kubeconfig is given, so the scheduler's serving endpoint
# (health, metrics) runs with its defaults; confirm that exposure is intended,
# or bind it to 127.0.0.1 and enable delegated authentication/authorization.
# The quoted "EOF" delimiter keeps the backslashes and quotes literal.
cat > kube-scheduler/kube-scheduler.conf << "EOF"
KUBE_SCHEDULER_OPTS=" \
--kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
--leader-elect=true \
--v=2"
EOF

创建 kube-scheduler 服务启动配置文件

1. ca 节点执行

# Write the systemd unit for kube-scheduler.
# The leading "-" on EnvironmentFile tells systemd to ignore a missing file; in
# that case $KUBE_SCHEDULER_OPTS is empty and the binary is launched with no
# options at all, so a missing options file does not show up as a unit error.
# NOTE(review): no User= or sandboxing directives are set, so the service runs
# as root by default; consider a dedicated account if the kubeconfig's
# ownership is adjusted to match.
# The quoted "EOF" keeps $KUBE_SCHEDULER_OPTS literal so that systemd, not this
# shell, expands it.
cat > kube-scheduler/kube-scheduler.service << "EOF"
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/etc/kubernetes/kube-scheduler.conf
ExecStart=/usr/local/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

同步 kube-scheduler 证书文件到集群 master 节点

1. ca 节点执行

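#!/bin/bash
# Push the kube-scheduler certificate files, kubeconfig, options file and
# systemd unit to every master, then enable and start the service there.

# Abort on the first failed copy or remote command, so a host never gets the
# service enabled on top of a partial set of files.
set -euo pipefail

TARGET_HOSTS=("k8s-master01" "k8s-master02" "k8s-master03")
DIRECTORY=kube-scheduler/

# Refuse to contact any host while an artefact is still missing locally.
for artefact in kube-scheduler.pem kube-scheduler-key.pem \
    kube-scheduler.kubeconfig kube-scheduler.conf kube-scheduler.service; do
    if [ ! -f "${DIRECTORY}${artefact}" ]; then
        echo "文件 ${DIRECTORY}${artefact} 不存在,脚本退出。" >&2
        exit 1
    fi
done

# Copy the files host by host.
for host in "${TARGET_HOSTS[@]}"; do
    echo "正在复制文件到 $host..."

    # Certificate and key files go to /etc/kubernetes/ssl/. Only the glob is
    # left unquoted, so the directory prefix is never word-split.
    # NOTE(review): the glob also ships kube-scheduler-key.pem. The kubeconfig
    # is built with --embed-certs=true and the options file references only
    # the kubeconfig, so the separate key copy looks unnecessary; confirm
    # before keeping it.
    scp "${DIRECTORY}"kube-scheduler*.pem "${host}:/etc/kubernetes/ssl/"

    # kubeconfig and options file go to /etc/kubernetes/.
    scp "${DIRECTORY}kube-scheduler.kubeconfig" "${DIRECTORY}kube-scheduler.conf" \
        "${host}:/etc/kubernetes/"

    # systemd unit goes to /usr/lib/systemd/system/.
    scp "${DIRECTORY}kube-scheduler.service" "${host}:/usr/lib/systemd/system/"
done

# Hosts whose status check came back non-zero; reported once all hosts are done.
failed_hosts=()

# Lock down the secrets, then reload, enable, start and inspect the service.
for host in "${TARGET_HOSTS[@]}"; do
    echo "在 $host 上执行 systemctl 命令..."

    # The key and the kubeconfig (which embeds the key) must be owner-only
    # whatever mode they arrived with.
    ssh -t "$host" 'sudo chmod 600 /etc/kubernetes/ssl/kube-scheduler-key.pem /etc/kubernetes/kube-scheduler.kubeconfig'

    ssh -t "$host" 'sudo systemctl daemon-reload'
    ssh -t "$host" 'sudo systemctl enable --now kube-scheduler'

    # "systemctl status" exits non-zero for a unit that is not active; record
    # the host instead of aborting, so the remaining masters are still handled.
    # --no-pager keeps the loop from blocking in a pager on the allocated tty.
    if ! ssh -t "$host" 'sudo systemctl status --no-pager kube-scheduler'; then
        failed_hosts+=("$host")
    fi
done

if (( ${#failed_hosts[@]} > 0 )); then
    echo "kube-scheduler 状态检查失败的主机: ${failed_hosts[*]}" >&2
    exit 1
fi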
查看证书
# Dump the issued certificate in text form (no PEM re-encoding); check the
# Subject CN/O, the validity window and the key usages in the output.
openssl x509 -noout -text -in /etc/kubernetes/ssl/kube-scheduler.pem

启动 kube-scheduler 服务

1. k8s-master 节点执行

可以去每个主节点查看服务是否启动
# Show the unit's current state on this master; repeat on each master node.
systemctl status kube-scheduler.service
2. k8s-master 节点查看状态
[root@k8s-master03 ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE   ERROR
scheduler            Healthy   ok        
controller-manager   Healthy   ok        
etcd-0               Healthy   ok