kube-apiserver Deployment
The API server is the cluster's core gateway: every other component reaches etcd only through it, so it is the first control-plane component to deploy.
Generate the Kubernetes CA certificate
mkdir -p ~/ssl /etc/kubernetes/pki   # cfssljson below writes into /etc/kubernetes/pki
cd ~/ssl
# CA certificate signing request (expiry 876000h is 100 years)
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "Kubernetes",
"OU": "Kubernetes-manual"
}
],
"ca": {
"expiry": "876000h"
}
}
EOF
# Generate the CA: writes ca.pem, ca-key.pem and ca.csr under /etc/kubernetes/pki
cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
Generate the API server certificate
cat > apiserver-csr.json << EOF
{
"CN": "kube-apiserver",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "Kubernetes",
"OU": "Kubernetes-manual"
}
]
}
EOF
# Issue the certificate. -hostname becomes the SAN list and must include every Master IP, the VIP
# and the first address of the Service CIDR. ca-config.json (the cfssl signing config that defines
# the "kubernetes" profile) must exist in the current directory.
cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-hostname=10.96.0.1,192.168.4.213,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.4.205,192.168.4.206,192.168.4.207,192.168.4.208,192.168.4.209,192.168.4.210 \
-profile=kubernetes \
apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver
-hostname notes:
- 10.96.0.1 is the first address of the Service CIDR (10.96.0.0/16), the ClusterIP of the kubernetes Service
- 192.168.4.213 is the high-availability VIP
- the remaining entries are the IPs of all Master and Worker nodes
Every IP or DNS name a client will put in the URL must be in this list: a name missing from the SAN fails TLS verification even though the certificate chains to the CA.
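Two things the cfssl step above relies on but the page does not show, as an added example (my code, not from the original page or from any Kubernetes project): the cfssl ca-config.json that `-config=ca-config.json -profile=kubernetes` expects, and a post-issuance check that every entry in the -hostname list actually landed in the certificate's SAN. It assumes OpenSSL is installed and uses the page's paths (~/ssl, /etc/kubernetes/pki); the function names write_ca_config and check_san are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page.
# write_ca_config OUT [EXPIRY]  -> cfssl signing config with a "kubernetes" profile.
# "client auth" is listed alongside "server auth" because apiserver.pem is also presented
# as a client certificate to kubelets (--kubelet-client-certificate in kube-apiserver.conf).
write_ca_config() {
    local out=$1 expiry=${2:-876000h}
    cat > "$out" << EOF
{
  "signing": {
    "default": { "expiry": "$expiry" },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "$expiry"
      }
    }
  }
}
EOF
}

# check_san CERT NAME...  -> prints each NAME/IP missing from the SAN; exit status = count missing
check_san() {
    local cert=$1 missing=0 san n
    shift
    # In "openssl x509 -text" output the SAN entries are on the line after the header,
    # as "IP Address:1.2.3.4, DNS:name, ..."; a trailing comma is appended so the last
    # entry matches the same pattern as the others.
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    for n in "$@"; do
        case " $san," in
            *"IP Address:$n,"*|*"DNS:$n,"*) ;;
            *) echo "MISSING from SAN: $n"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Stand-alone use with the page's layout:  ./this.sh run
if [ "${1:-}" = "run" ]; then
    write_ca_config ~/ssl/ca-config.json
    check_san /etc/kubernetes/pki/apiserver.pem \
        10.96.0.1 192.168.4.213 127.0.0.1 kubernetes kubernetes.default \
        kubernetes.default.svc kubernetes.default.svc.cluster.local \
        192.168.4.205 192.168.4.206 192.168.4.207
fi
```

Run the SAN check again whenever the certificate is re-issued; the exit status is the number of missing names, so it drops straight into a deployment script.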
Create the TLS Bootstrap Token
TLS Bootstrap lets Worker nodes present a temporary token to request their own certificates, with no manual signing. A token placed in token.csv is nonetheless a static credential: it has no built-in expiry, and edits to the file take effect only after the API server restarts, so keep the file readable by root only.
cd /etc/kubernetes
cat > token.csv << EOF
$(head -c 16 /dev/urandom | od -An -t x1 | tr -d ' '),kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
cat token.csv
# output: <random token>,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
chmod 600 token.csv   # long-lived credential: root-only read
Create the ServiceAccount key pair
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048   # private key: signs ServiceAccount tokens
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub   # public key: verifies them
chmod 600 /etc/kubernetes/pki/sa.key
Configuration file
cat > /etc/kubernetes/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
--anonymous-auth=false \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=192.168.4.205 \
--authorization-mode=Node,RBAC \
--runtime-config=api/all=true \
--enable-bootstrap-token-auth \
--service-cluster-ip-range=10.96.0.0/16 \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-32767 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
--tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--etcd-servers=https://192.168.4.205:2379,https://192.168.4.206:2379,https://192.168.4.207:2379 \
--allow-privileged=true \
--apiserver-count=3 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log \
--event-ttl=1h \
--v=4"
EOF
Key parameters:
- --enable-bootstrap-token-auth: enables TLS Bootstrap authentication with bootstrap tokens stored as Secrets in kube-system; the token.csv entry above is accepted through --token-auth-file
- --advertise-address: this node's IP (different on each Master)
- --etcd-servers: the etcd cluster endpoints
- --authorization-mode=Node,RBAC: Node and RBAC authorization
- --anonymous-auth=false: unauthenticated requests are rejected with 401 rather than being treated as system:anonymous
- --audit-log-*: these only configure the log backend; without --audit-policy-file the API server records no audit events, so add a policy file before relying on the audit log
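A lint for kube-apiserver.conf, added here as an example (my code, not from the original page): it joins the backslash-continued flags, checks the settings above that decide who can reach the API server (--anonymous-auth, --authorization-mode), flags an audit log configured without a policy file, warns about the static token file, and checks that private keys and token.csv are not group- or world-readable. The two sample configs are constructed to mirror the page's flags, and the audit policy it writes is a minimal Metadata-level policy. It assumes GNU find (`-perm /077`); the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page.

# opts CONF  -> the flags, one per line: "\"-continuations joined, variable prefix and quotes removed
opts() {
    tr -d '\\\n"' < "$1" | sed 's/^KUBE_APISERVER_OPTS=//' | tr ' ' '\n'
}

# flag_value CONF FLAG  -> value of --FLAG=..., empty if absent
flag_value() {
    opts "$1" | sed -n "s/^--$2=//p" | head -n 1
}

# has_flag CONF FLAG  -> true if --FLAG is present, with or without a value
has_flag() {
    opts "$1" | grep -q -e "^--$2=" -e "^--$2\$"
}

# check_apiserver_conf CONF  -> prints findings; exit status = number of hard failures
check_apiserver_conf() {
    local conf=$1 fails=0 modes m
    if [ "$(flag_value "$conf" anonymous-auth)" != "false" ]; then
        echo "FAIL: --anonymous-auth is not false; unauthenticated requests would run as system:anonymous"
        fails=$((fails + 1))
    fi
    modes=$(flag_value "$conf" authorization-mode)
    for m in Node RBAC; do
        case ",$modes," in
            *",$m,"*) ;;
            *) echo "FAIL: --authorization-mode=$modes lacks $m"; fails=$((fails + 1)) ;;
        esac
    done
    # --audit-log-path only selects the log backend; without a policy file no events are written
    if has_flag "$conf" audit-log-path && ! has_flag "$conf" audit-policy-file; then
        echo "FAIL: --audit-log-path set without --audit-policy-file; the audit log will stay empty"
        fails=$((fails + 1))
    fi
    if has_flag "$conf" token-auth-file; then
        echo "WARN: --token-auth-file tokens never expire and change only on restart; keep the file 0600"
    fi
    return "$fails"
}

# check_secret_perms DIR  -> exit status = number of key/token files readable by group or other
# (GNU find; paths are assumed to contain no whitespace)
check_secret_perms() {
    local count=0 f
    for f in $(find "$1" -type f \( -name '*-key.pem' -o -name 'sa.key' -o -name 'token.csv' \) -perm /077); do
        echo "FAIL: $f is readable by group/other"
        count=$((count + 1))
    done
    return "$count"
}

# write_audit_policy OUT  -> minimal policy logging request metadata for everything;
# pair it with --audit-policy-file=OUT in kube-apiserver.conf
write_audit_policy() {
    cat > "$1" << 'EOF'
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
EOF
}

# write_samples DIR  -> two constructed configs: the page's flags, and the same plus a policy file
write_samples() {
    cat > "$1/page.conf" << 'EOF'
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ResourceQuota \
--anonymous-auth=false \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth \
--token-auth-file=/etc/kubernetes/token.csv \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log \
--v=4"
EOF
    cat > "$1/fixed.conf" << 'EOF'
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,ResourceQuota \
--anonymous-auth=false \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth \
--token-auth-file=/etc/kubernetes/token.csv \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--audit-policy-file=/etc/kubernetes/audit-policy.yaml \
--audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log \
--v=4"
EOF
}

# Stand-alone use against the page's layout:  ./lint.sh /etc/kubernetes/kube-apiserver.conf /etc/kubernetes
if [ "$#" -eq 2 ]; then
    check_apiserver_conf "$1"
    check_secret_perms "$2"
fi
```

Against the page's own configuration the lint reports exactly one hard failure, the missing audit policy; adding `--audit-policy-file=/etc/kubernetes/audit-policy.yaml` (and writing that file with write_audit_policy) brings it to zero.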
systemd unit file
# /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service
[Service]
EnvironmentFile=/etc/kubernetes/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Copy certificates to the other Masters
# /etc/kubernetes/pki must not already exist on the target, or scp -r nests it as pki/pki
scp -r /etc/kubernetes/pki master2:/etc/kubernetes/pki
scp -r /etc/kubernetes/pki master3:/etc/kubernetes/pki
# token.csv and kube-apiserver.conf have to be synced as well
for m in master2 master3; do
    scp /etc/kubernetes/token.csv /etc/kubernetes/kube-apiserver.conf "$m":/etc/kubernetes/
done
On the other Master nodes, change --advertise-address in kube-apiserver.conf to that node's own IP.
Start and verify
systemctl daemon-reload
systemctl enable --now kube-apiserver
systemctl status kube-apiserver
journalctl -u kube-apiserver -n 50 --no-pager   # if the unit did not come up
# Verify the API server. With --anonymous-auth=false an unauthenticated request
# (curl -k .../healthz) is answered with 401, so present a client certificate issued by the
# cluster CA and verify the server certificate against ca.pem. Use 127.0.0.1 rather than
# localhost: only the IP is in the certificate's SAN.
curl --cacert /etc/kubernetes/pki/ca.pem \
     --cert /etc/kubernetes/pki/apiserver.pem \
     --key /etc/kubernetes/pki/apiserver-key.pem \
     https://127.0.0.1:6443/healthz
# output: ok