# kube-controller-manager Deployment

The Controller Manager runs the various controllers (Deployment, ReplicaSet, Node, and so on) and maintains the cluster's desired state. It watches the cluster state and, through the API Server, performs the actions needed to reach that desired state.

## Deployment Procedure

All Master components follow a similar deployment procedure:

- Issue certificates
- Create the kubeconfig file
- Sync the certificates to the other Master nodes
- Create the configuration file and the systemd service
- Start the service
## Certificate Generation

```bash
cat > manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [],
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF

# Generate the certificate
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager
```
## Creating the kubeconfig

```bash
# Set the cluster information
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://192.168.4.213:6443 \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

# Set the user credentials
kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=/etc/kubernetes/pki/controller-manager.pem \
  --client-key=/etc/kubernetes/pki/controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

# Set the context
kubectl config set-context system:kube-controller-manager@kubernetes \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

# Use the context
kubectl config use-context system:kube-controller-manager@kubernetes \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
```
## Configuration File

```bash
cat > /etc/kubernetes/kube-controller-manager.conf << "EOF"
KUBE_CONTROLLER_MANAGER_OPTS=" \
  --bind-address=0.0.0.0 \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \
  --cluster-name=kubernetes \
  --allocate-node-cidrs=true \
  --service-cluster-ip-range=10.96.0.0/16 \
  --cluster-cidr=10.244.0.0/16 \
  --root-ca-file=/etc/kubernetes/pki/ca.pem \
  --service-account-private-key-file=/etc/kubernetes/pki/sa.key \
  --leader-elect=true \
  --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem \
  --controllers=*,bootstrapsigner,tokencleaner \
  --feature-gates=RotateKubeletServerCertificate=true \
  --tls-cert-file=/etc/kubernetes/pki/controller-manager.pem \
  --tls-private-key-file=/etc/kubernetes/pki/controller-manager-key.pem \
  --use-service-account-credentials=true \
  --v=2"
EOF
```
## systemd Service File

```ini
# /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/etc/kubernetes/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```
## Key Parameters

| Parameter | Description |
|---|---|
| --leader-elect=true | Leader election among multiple instances |
| --cluster-signing-cert-file | CA used to sign certificates for TLS Bootstrap |
| --cluster-signing-key-file | The corresponding CA private key |
| --allocate-node-cidrs=true | Allocate a CIDR to each Node |
| --cluster-cidr | Pod network range |
| --service-cluster-ip-range | Service network range |
## Starting the Service

```bash
# Before starting, make sure the configuration files have been synced
# (the kubeconfig and pki/controller-manager*.pem)
systemctl daemon-reload
systemctl enable --now kube-controller-manager
systemctl status kube-controller-manager
```

After syncing the certificates and configuration files to the other Master nodes, start the service on each node.
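As an added check that is not part of the original page or of Kubernetes itself, the script below audits the EnvironmentFile written above for the flags that matter to the component's security posture: leader election, per-controller service-account credentials, the CA and signing-key flags, kubelet server certificate rotation, and a loopback bind address (the page's `--bind-address=0.0.0.0` exposes the controller-manager's port on every interface and is reported as a finding). `audit_kcm_opts`, `flag_value` and `require` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the page or from Kubernetes: audit the EnvironmentFile
# above for the hardening-relevant flags. audit_kcm_opts CONF prints one line
# per finding and returns the number of findings as its exit status.

# flag_value OPTS NAME: print the value of --NAME=... in OPTS ("" if absent).
flag_value() {
    for tok in $1; do
        case "$tok" in
            "--$2="*) printf '%s' "${tok#--$2=}"; return 0 ;;
        esac
    done
    return 0
}

# require NAME EXPECTED: count a finding when --NAME is missing or differs.
require() {
    v=$(flag_value "$opts" "$1")
    if [ "$v" != "$2" ]; then
        findings=$((findings + 1))
        echo "FAIL: expected --$1=$2 (got '${v:-unset}')"
    fi
}

audit_kcm_opts() {
    findings=0
    # Read the variable in a subshell; the file uses the same syntax systemd's
    # EnvironmentFile parses, and nothing else in it can affect this script.
    opts=$(. "$1" && printf '%s' "$KUBE_CONTROLLER_MANAGER_OPTS")
    require leader-elect true                     # one active instance
    require use-service-account-credentials true  # per-controller identities
    require bind-address 127.0.0.1                # 0.0.0.0 exposes the port
    # CA and key-material flags must at least be set; file existence is host-specific.
    for name in root-ca-file service-account-private-key-file \
                cluster-signing-cert-file cluster-signing-key-file; do
        [ -n "$(flag_value "$opts" "$name")" ] ||
            { findings=$((findings + 1)); echo "FAIL: --$name must be set"; }
    done
    case ",$(flag_value "$opts" feature-gates)," in
        *,RotateKubeletServerCertificate=true,*) ;;
        *) findings=$((findings + 1))
           echo "FAIL: --feature-gates lacks RotateKubeletServerCertificate=true" ;;
    esac
    return "$findings"
}

# Usage: sh audit-kcm.sh /etc/kubernetes/kube-controller-manager.conf
if [ $# -eq 1 ]; then audit_kcm_opts "$1"; fi
```

Run against the configuration file from this page, the only finding is the bind address; a non-zero exit status makes it easy to wire into a pre-start check on each Master node.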