k8s: Deploying the apiserver (Part 6)

Cluster plan

Hostname            Role                    IP
HDSS7-21.host.com   kube-apiserver          192.168.12.13
HDSS7-22.host.com   kube-apiserver          192.168.12.14
HDSS7-11.host.com   Layer-4 load balancer   192.168.12.11
HDSS7-12.host.com   Layer-4 load balancer   192.168.12.12

Note: 192.168.12.11 and 192.168.12.12 run nginx as layer-4 load balancers, and keepalived provides a VIP, 192.168.12.10, that proxies the two kube-apiserver instances for high availability.

1. Install apiserver on hdss7-21

[ certs]# cd /opt/src/
[ src]# rz
[ src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[ src]# cd ..
[ opt]# mv kubernetes/ kubernetes-v1.15.2
[ opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[ opt]# cd kubernetes
[ kubernetes]# rm -rf kubernetes-src.tar.gz 
[ kubernetes]# cd server/bin/
[ bin]# rm -rf *.tar
[ bin]# rm -rf *_tag
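
Issue the apiserver-client certificate: this is the certificate apiserver uses to communicate with etcd. apiserver is the client and etcd is the server.
On the ops host HDSS-200.host.com
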
[ bin]#  cd /opt/kubernetes/server/bin/
[ bin]# mkdir cert
[ bin]# cd cert/
[ cert]# ls
[ cert]# scp hdss7-200:/opt/certs/ca.pem . 
's password: 
ca.pem                                                          100% 1334   505.1KB/s   00:00    
[ cert]# scp hdss7-200:/opt/certs/apiserver.pem ./
's password: 
apiserver.pem                                                   100% 1586   913.6KB/s   00:00    
[ cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./
's password: 
apiserver-key.pem                                               100% 1675   711.1KB/s   00:00    
[ cert]# scp hdss7-200:/opt/certs/ca-key.pem ./
's password: 
ca-key.pem                                                      100% 1679     1.3MB/s   00:00    
[ cert]# scp hdss7-200:/opt/certs/client-key.pem ./
's password: 
client-key.pem                                                  100% 1679   749.7KB/s   00:00    
[hdss7-21 cert]#  scp hdss7-200:/opt/certs/client.pem ./
's password: 
client.pem
[ bin]#  mkdir conf
[ bin]# cd /opt/kubernetes/server/bin/conf
[ conf]#  vi audit.yaml
[ conf]# cat audit.yaml 
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
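
The API server checks audit rules in order and the first matching rule sets the level. The following Python code is an added example, not part of the original post or of Kubernetes: it re-implements that matching for the five complete rules visible in audit.yaml above so you can check which requests they cover. The function names and the request dict layout (user, groups, verb, then either group/resource/subresource/name or path) are assumptions made for this example.

```python
# Added example: first-match evaluation of the rules shown in audit.yaml above.
# RULES transcribes the five complete rules; namespace selectors are not modelled.
RULES = [
    {"level": "RequestResponse", "resources": [{"group": "", "resources": ["pods"]}]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["pods/log", "pods/status"]}]},
    {"level": "None", "resources": [{"group": "", "resources": ["configmaps"],
                                     "resourceNames": ["controller-leader"]}]},
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"], "nonResourceURLs": ["/api*", "/version"]},
]

def resource_matches(gr, req):
    if gr.get("group", "") != req.get("group", ""):
        return False
    specs, names = gr.get("resources", []), gr.get("resourceNames", [])
    if not specs:
        return True  # no resource list: every resource in the group
    if names and req.get("name", "") not in names:
        return False
    res, sub = req["resource"], req.get("subresource", "")
    combined = f"{res}/{sub}" if sub else res  # "pods" never equals "pods/exec"
    return any(s in ("*", combined) or (sub and s == "*/" + sub)
               or (s.endswith("/*") and s[:-2] == res) for s in specs)

def rule_matches(rule, req):
    if rule.get("users") and req.get("user") not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", [])):
        return False
    if rule.get("verbs") and req.get("verb") not in rule["verbs"]:
        return False
    is_resource = "resource" in req
    if rule.get("resources"):  # resource rules never match non-resource URLs
        return is_resource and any(resource_matches(g, req) for g in rule["resources"])
    if rule.get("nonResourceURLs"):  # URL rules never match resource requests
        path = req.get("path", "")
        return not is_resource and any(
            u in ("*", path) or (u.endswith("*") and path.startswith(u.rstrip("*")))
            for u in rule["nonResourceURLs"])
    return True  # no selector: applies to every request

def audit_level(req, rules=RULES):
    for rule in rules:  # first matching rule decides
        if rule_matches(rule, req):
            return rule["level"]
    return "None"  # nothing matched

if __name__ == "__main__":  # constructed request: exec into a pod
    print(audit_level({"verb": "create", "group": "", "resource": "pods", "subresource": "exec"}))
```

Under the rules visible here, a pods/exec request matches neither the "pods" rule nor the "pods/log", "pods/status" rule, so it is not recorded unless a later rule in the policy covers it.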
