(6)kube-controller-manager部署

创建相关目录

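# Run on all three masters: working directory for the controller-manager
# (referenced by WorkingDirectory= in the systemd unit created later).
# -p makes the step idempotent, so re-running the deployment does not fail
# with "File exists" when the directory is already there.
mkdir -p /k8s/kube-controller-manager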

生成证书

创建配置文件

# Work from the directory that already holds ca.pem, ca-key.pem and
# ca-config.json (the cfssl step below references them by relative name),
# then write the CSR definition shown between the ### fences.
cd -- /opt/k8s-playbook/ssl
vi -- kube-controller-manager-csr.json
#######################################
{
    "CN": "system:kube-controller-manager",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "192.168.104.61",
      "192.168.104.62",
      "192.168.104.63"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "Shenzhen",
        "L": "Shenzhen",
        "O": "system:kube-controller-manager",
        "OU": "magina"
      }
    ]
}
######################################

生成

# Issue the controller-manager certificate from the cluster CA using the
# "kubernetes" profile of ca-config.json. cfssljson -bare writes
# kube-controller-manager.pem, kube-controller-manager-key.pem (private key)
# and kube-controller-manager.csr into the current directory.
cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem \
  -config=ca-config.json -profile=kubernetes \
  kube-controller-manager-csr.json \
| cfssljson -bare kube-controller-manager

分发

# Install the certificate pair locally, then push it to the other two masters.
# kube-controller-manager-key.pem is a private key: it should stay root-only
# on every host it lands on.
cp kube-controller-manager*.pem /etc/k8s/cert/

for host in master-02 master-03; do
  scp kube-controller-manager*.pem "root@${host}:/etc/k8s/cert/"
done

创建kube-controller-manager.kubeconfig

生成

# Build kube-controller-manager.kubeconfig in the current directory.
# --embed-certs=true inlines the CA, the client certificate AND the client
# private key into the file, so the resulting kubeconfig is itself a secret
# and must be handled like kube-controller-manager-key.pem.
# The cluster --server points at this master's apiserver; the copies placed on
# the other masters are edited afterwards to use their own IP.

# 1. user entry: the controller-manager identity from the cert issued above
kubectl config set-credentials system:kube-controller-manager \
  --kubeconfig=kube-controller-manager.kubeconfig \
  --embed-certs=true \
  --client-certificate=kube-controller-manager.pem \
  --client-key=kube-controller-manager-key.pem

# 2. cluster entry: apiserver endpoint and the CA used to verify it
kubectl config set-cluster kubernetes \
  --kubeconfig=kube-controller-manager.kubeconfig \
  --embed-certs=true \
  --certificate-authority=ca.pem \
  --server="https://192.168.104.61:6443"

# 3. context tying user and cluster together, then make it the default
kubectl config set-context system:kube-controller-manager \
  --kubeconfig=kube-controller-manager.kubeconfig \
  --user=system:kube-controller-manager \
  --cluster=kubernetes

kubectl config use-context system:kube-controller-manager \
  --kubeconfig=kube-controller-manager.kubeconfig

分发

# Distribute the kubeconfig. It embeds the client private key, so treat the
# copies on every master as secrets (root-only permissions).
cp kube-controller-manager.kubeconfig /etc/k8s/

for host in master-02 master-03; do
  scp kube-controller-manager.kubeconfig "root@${host}:/etc/k8s/"
done

分别进入另外两台, 修改/etc/k8s/kube-controller-manager.kubeconfig中的IP

创建kube-controller-manager.service

vi /etc/systemd/system/kube-controller-manager.service
#################################################
# systemd unit for kube-controller-manager, installed on each master as
# /etc/systemd/system/kube-controller-manager.service.
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
# Must exist before the service starts (created with mkdir earlier in this guide).
WorkingDirectory=/k8s/kube-controller-manager
# Notes on the flags below. They are collected here because comment lines
# cannot be placed between the backslash-continued lines of ExecStart=.
#
# --bind-address         Must be set to this master's own IP on each host.
# --port=0               Disables the plaintext HTTP listener; everything is
#                        served on --secure-port over TLS with the cert pair
#                        given by --tls-cert-file / --tls-private-key-file.
#                        (10252 is the port historically used by the insecure
#                        listener; it is what the curl check later in this
#                        guide targets, so keep the two in sync.)
# --authentication-kubeconfig / --authorization-kubeconfig / --client-ca-file
#                        Requests to the secure port are authenticated by
#                        client certificate against ca.pem and authorized by
#                        delegating to the apiserver.
# --requestheader-*      Front-proxy identities (X-Remote-User/-Group/-Extra-*)
#                        are only trusted from certificates with CN
#                        "aggregator" signed by ca.pem. Because the same ca.pem
#                        is both --client-ca-file and
#                        --requestheader-client-ca-file, any certificate the
#                        cluster CA issues with CN=aggregator could set those
#                        headers; a separate front-proxy CA is the safer setup.
# --profiling            Exposes /debug/pprof on the secure listener (behind
#                        the authn/authz above). Prefer --profiling=false on a
#                        production control plane.
# --use-service-account-credentials
#                        Each controller authenticates with its own service
#                        account so RBAC can be scoped per controller. The
#                        missing space before the trailing "\" on that line is
#                        harmless (systemd replaces the backslash with a space)
#                        but should be added for consistency.
# --cluster-signing-cert-file / --cluster-signing-key-file
#                        ca.pem / ca-key.pem are used to sign approved CSRs, so
#                        the cluster CA private key must be present on every
#                        master running this unit.
# --experimental-cluster-signing-duration=876000h
#                        876000h is 100 years: certificates issued for approved
#                        CSRs effectively never expire, so expiry never forces
#                        rotation and a leaked signed cert stays usable unless
#                        handled out of band. Consider a much shorter duration.
# --service-account-private-key-file=/etc/k8s/cert/ca-key.pem
#                        The cluster CA private key is reused to sign service
#                        account tokens (it is the same file as
#                        --cluster-signing-key-file). A dedicated SA signing key
#                        pair is preferable; whichever key is used here must
#                        match the apiserver's --service-account-key-file.
# --root-ca-file         ca.pem is injected into service-account token secrets
#                        as the CA bundle pods use to reach the apiserver.
# --service-cluster-ip-range / --node-cidr-mask-size
#                        Must agree with the apiserver's service range and the
#                        pod network configuration.
ExecStart=/opt/k8s/bin/kube-controller-manager \
  --profiling \
  --cluster-name=kubernetes \
  --controllers=*,bootstrapsigner,tokencleaner \
  --kube-api-qps=1000 \
  --kube-api-burst=2000 \
  --leader-elect \
  --use-service-account-credentials\
  --concurrent-service-syncs=2 \
  --bind-address=192.168.104.61 \
  --secure-port=10252 \
  --tls-cert-file=/etc/k8s/cert/kube-controller-manager.pem \
  --tls-private-key-file=/etc/k8s/cert/kube-controller-manager-key.pem \
  --port=0 \
  --authentication-kubeconfig=/etc/k8s/kube-controller-manager.kubeconfig \
  --client-ca-file=/etc/k8s/cert/ca.pem \
  --requestheader-allowed-names="aggregator" \
  --requestheader-client-ca-file=/etc/k8s/cert/ca.pem \
  --requestheader-extra-headers-prefix="X-Remote-Extra-" \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --authorization-kubeconfig=/etc/k8s/kube-controller-manager.kubeconfig \
  --cluster-signing-cert-file=/etc/k8s/cert/ca.pem \
  --cluster-signing-key-file=/etc/k8s/cert/ca-key.pem \
  --experimental-cluster-signing-duration=876000h \
  --horizontal-pod-autoscaler-sync-period=10s \
  --concurrent-deployment-syncs=10 \
  --concurrent-gc-syncs=30 \
  --node-cidr-mask-size=24 \
  --service-cluster-ip-range=10.254.0.0/16 \
  --pod-eviction-timeout=6m \
  --terminated-pod-gc-threshold=10000 \
  --root-ca-file=/etc/k8s/cert/ca.pem \
  --service-account-private-key-file=/etc/k8s/cert/ca-key.pem \
  --kubeconfig=/etc/k8s/kube-controller-manager.kubeconfig \
  --logtostderr=true \
  --v=2
# Restart on crash only; a clean exit (e.g. via systemctl stop) is not retried.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
#################################################

--bind-address: 每台master修改成自己的ip

复制二进制文件并启动

# Copy the controller-manager binary from the unpacked release tree into the
# bin directory referenced by ExecStart= in the unit file.
cd -- /opt/k8s-playbook/
cp -- kubernetes/server/bin/kube-controller-manager /opt/k8s/bin/

前提是已将相关组件解压到/opt/k8s-playbook/

# Push the same binary to the other two masters.
for host in master-02 master-03; do
  scp /opt/k8s/bin/kube-controller-manager "root@${host}:/opt/k8s/bin/"
done

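# Run on each of the three masters.
chmod +x /opt/k8s/bin/kube-controller-manager

# Reload unit definitions before enabling: the unit file was just created and
# is edited per master (--bind-address), so without daemon-reload systemd may
# not see the new or updated definition when enable/start run.
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager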

验证

查看metrics接口

# Probe the secure port with the admin client certificate; the CA verifies
# the server cert and the client cert satisfies --client-ca-file authentication.
curl --silent \
    https://192.168.104.61:10252/metrics \
    --cacert /etc/k8s/cert/ca.pem \
    --cert /opt/k8s-playbook/ssl/admin.pem \
    --key /opt/k8s-playbook/ssl/admin-key.pem \
  | head

查看当前leader

kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
