kubernetes集群安装指南:kube-controller-manager组件集群部署
kube-controller-manager属于master节点组件,kube-controller-manager集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的高可用性。
1 安装准备
特别说明:这里所有的操作都是在devops这台机器上通过ansible工具执行;kube-controller-manager 在如下两种情况下使用证书:
- 与 kube-apiserver 的安全端口通信使用;
- 在安全端口(https,10257) 输出 prometheus 格式的 metrics;
1.1 环境变量定义
#################### Variable parameter setting ######################KUBE_NAME=kube-controller-managerK8S_INSTALL_PATH=/data/apps/k8s/kubernetesK8S_BIN_PATH=${K8S_INSTALL_PATH}/sbinK8S_LOG_DIR=${K8S_INSTALL_PATH}/logsK8S_CONF_PATH=/etc/k8s/kubernetesKUBE_CONFIG_PATH=/etc/k8s/kubeconfigCA_DIR=/etc/k8s/sslSOFTWARE=/root/softwareVERSION=v1.14.2PACKAGE="kubernetes-server-${VERSION}-linux-amd64.tar.gz"DOWNLOAD_URL=""https://github.com/devops-apps/download/raw/master/kubernetes/${PACKAGE}"ETH_INTERFACE=eth2LISTEN_IP=$(ifconfig | grep -A 1 ${ETH_INTERFACE} |grep inet |awk '{print $2}')USER=k8sSERVICE_CIDR=10.254.0.0/22
1.2 下载和分发 kubernetes 二进制文件
访问kubernetes github 官方地址下载稳定的 realease 包至本机;
wget $DOWNLOAD_URL -P $SOFTWARE
将kubernetes 软件包分发到各个master节点服务器;
sudo ansible master_k8s_vgs -m copy -a "src=${SOFTWARE}/$PACKAGE dest=${SOFTWARE}/" -b
2 部署kube-controller-manager集群
2.1 安装kube-controller-manager二进制文件
### 1.Check if the install directory exists.if [ ! -d "$K8S_BIN_PATH" ]; then mkdir -p $K8S_BIN_PATHfiif [ ! -d "$K8S_LOG_DIR/$KUBE_NAME" ]; then mkdir -p $K8S_LOG_DIR/$KUBE_NAMEfiif [ ! -d "$K8S_CONF_PATH" ]; then mkdir -p $K8S_CONF_PATHfiif [ ! -d "$KUBE_CONFIG_PATH" ]; then mkdir -p $KUBE_CONFIG_PATHfi### 2.Install kube-apiserver binary of kubernetes.if [ ! -f "$SOFTWARE/kubernetes-server-${VERSION}-linux-amd64.tar.gz" ]; then wget $DOWNLOAD_URL -P $SOFTWARE >>/tmp/install.log 2>&1ficd $SOFTWARE && tar -xzf kubernetes-server-${VERSION}-linux-amd64.tar.gz -C ./cp -fp kubernetes/server/bin/$KUBE_NAME $K8S_BIN_PATHln -sf $K8S_BIN_PATH/$KUBE_NAM /usr/local/binchown -R $USER:$USER $K8S_INSTALL_PATHchmod -R 755 $K8S_INSTALL_PATH
2.2 分发 kubeconfig 文件和证书
分发证书
cd ${CA_DIR}sudo ansible master_k8s_vgs -m copy -a "src=ca.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m copy -a "src=ca-key.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m copy -a \ "src=kubecontroller-manager.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m copy -a \ "src=kubecontroller-manager-key.pem dest=${CA_DIR}/" -b
分发kubeconfig认证文件
kube-controller-manager使用 kubeconfig文件连接访问 apiserver服务,该文件提供了 apiserver 地址、嵌入的 CA 证书和 kube-scheduler证书:
cd $KUBE_CONFIG_PATHsudo ansible master_k8s_vgs -m copy -a \ "src=kube-controller-manager.kubeconfig dest=$KUBE_CONFIG_PATH/" -b
备注: 如果在前面小节已经同步过各组件kubeconfig和证书文件,此处可以不必执行此操作;
2.3 创建kube-controller-manager启动服务
cat >/usr/lib/systemd/system/${KUBE_NAME}.service<
- --port=0:关闭监听非安全端口(http),同时 --address 参数无效,--bind-address 参数有效;
- --secure-port=10252、--bind-address=0.0.0.0: 在所有网络接口监听 10252 端口的 https /metrics 请求;
- --kubeconfig:指定 kubeconfig 文件路径,kube-controller-manager 使用它连接和验证 kube-apiserver;
- --authentication-kubeconfig 和 --authorization-kubeconfig:kube-controller-manager 使用它连接 apiserver,对 client 的请求进行认证和授权。kube-controller-manager 不再使用 --tls-ca-file 对请求 https metrics 的 Client 证书进行校验。如果没有配置这两个 kubeconfig 参数,则 client 连接 kube-controller-manager https 端口的请求会被拒绝(提示权限不足)。
- --cluster-signing-*-file:签名 TLS Bootstrap 创建的证书;
- --experimental-cluster-signing-duration:指定 TLS Bootstrap 证书的有效期;
- --root-ca-file:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;
- --service-account-private-key-file:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file 指定的公钥文件配对使用;
- --service-cluster-ip-range :指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;
- --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;
- --controllers=*,bootstrapsigner,tokencleaner:启用的控制器列表,tokencleaner 用于自动清理过期的 Bootstrap token;
- --horizontal-pod-autoscaler-*:custom metrics 相关参数,支持 autoscaling/v2alpha1;
- --tls-cert-file、--tls-private-key-file:使用 https 输出 metrics 时使用的 Server 证书和秘钥;
- --use-service-account-credentials=true: kube-controller-manager 中各 controller 使用 serviceaccount 访问 kube-apiserver;
2.4 检查服务运行状态
kube-controller-manager监听10252和10257端口,两个接口都对外提供 /metrics 和 /healthz 的访问。
- 10252:接收 http 请求访问,非安全端口,不需要认证授权,为了安全建议侦听地址为127.0.0.1;
- 10257:接收 https 请求访问,安全端口,需要认证授权,可以侦听任何地址;
sudo netstat -ntlp | grep kube-contcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN 2450/kube-controlle tcp 0 0 10.10.10.22:10257 0.0.0.0:* LISTEN 2450/kube-controlle
注意:很多安装文档都是关闭了非安全端口,将安全端口改为10250,这会导致查看集群状态是报如下错误,执行 kubectl get cs命令时,apiserver 默认向 127.0.0.1 发送请求。当controller-manager、scheduler以集群模式运行时,有可能和kube-apiserver不在一台机器上,且访问方式为https,则 controller-manager或scheduler 的状态为 Unhealthy,但实际上它们工作正常。则会导致上述error,但实际集群是安全状态;
kubectl get componentstatusesNAME STATUS MESSAGE ERRORcontroller-manager Unhealthy dial tcp 127.0.0.1:10252: connect: connection refusedscheduler Unhealthy dial tcp 127.0.0.1:10251: connect: connection refusedetcd-0 Healthy {"health":"true"}etcd-2 Healthy {"health":"true"}etcd-1 Healthy {"health":"true"}正常输出应该为:NAME STATUS MESSAGE ERRORscheduler Healthy ok controller-manager Healthy ok etcd-2 Healthy {"health":"true"} etcd-1 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"}
查看服务是否运行
systemctl status kube-controller-manager|grep Active
确保状态为 active (running),否则查看日志,确认原因:
sudo journalctl -u kube-controller-manager
2.5 查看输出的 metrics
注意:以下命令在 kube-controller-manager 节点上执行。
https方式访问curl -s --cacert /opt/k8s/work/ca.pem \ --cert /opt/k8s/work/admin.pem \ --key /opt/k8s/work/admin-key.pem \ https://10.10.10.22:10257/metrics |headhttp方式访问curl -s http://127.0.0.1:10252/metrics |head
2.6 kube-controller-manager 的权限设置
ClusteRole system:kube-controller-manager 的权限很小,只能创建 secret、serviceaccount 等资源对象,各 controller 的权限分散到 ClusterRole system:controller:XXX 中:
$ kubectl describe clusterrole system:kube-controller-managerName: system:kube-controller-managerLabels: kubernetes.io/bootstrapping=rbac-defaultsAnnotations: rbac.authorization.kubernetes.io/autoupdate=truePolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- secrets [] [] [create delete get update] endpoints [] [] [create get update] serviceaccounts [] [] [create get update] events [] [] [create patch update] tokenreviews.authentication.k8s.io [] [] [create] subjectacce***eviews.authorization.k8s.io [] [] [create] configmaps [] [] [get] namespaces [] [] [get] *.* [] [] [list watch]
需要在kube-controller-manager的启动参数中添加"--use-service-account-credentials=true"参数,这样main controller将会为各controller创建对应的ServiceAccount XXX-controller。然后内置的 ClusterRoleBinding system:controller:XXX则将赋予各XXX-controller ServiceAccount对应的ClusterRole system:controller:XXX 权限。
$ kubectl get clusterrole|grep controllersystem:controller:attachdetach-controller 17dsystem:controller:certificate-controller 17dsystem:controller:clusterrole-aggregation-controller 17dsystem:controller:cronjob-controller 17dsystem:controller:daemon-set-controller 17dsystem:controller:deployment-controller 17dsystem:controller:disruption-controller 17dsystem:controller:endpoint-controller 17dsystem:controller:expand-controller 17dsystem:controller:generic-garbage-collector 17dsystem:controller:horizontal-pod-autoscaler 17dsystem:controller:job-controller 17dsystem:controller:namespace-controller 17dsystem:controller:node-controller 17dsystem:controller:persistent-volume-binder 17dsystem:controller:pod-garbage-collector 17dsystem:controller:pv-protection-controller 17dsystem:controller:pvc-protection-controller 17dsystem:controller:replicaset-controller 17dsystem:controller:replication-controller 17dsystem:controller:resourcequota-controller 17dsystem:controller:route-controller 17dsystem:controller:service-account-controller 17dsystem:controller:service-controller 17dsystem:controller:statefulset-controller 17dsystem:controller:ttl-controller 17dsystem:kube-controller-manager 17d
以 deployment controller 为例:
$ kubectl describe clusterrole system:controller:deployment-controllerName: system:controller:deployment-controllerLabels: kubernetes.io/bootstrapping=rbac-defaultsAnnotations: rbac.authorization.kubernetes.io/autoupdate=truePolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- replicasets.apps [] [] [create delete get list patch update watch] replicasets.extensions [] [] [create delete get list patch update watch] events [] [] [create patch update] pods [] [] [get list update watch] deployments.apps [] [] [get list update watch] deployments.extensions [] [] [get list update watch] deployments.apps/finalizers [] [] [update] deployments.apps/status [] [] [update] deployments.extensions/finalizers[] [] [update] deployments.extensions/status [] [] [update]
2.7 查看当前的 leader
kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
2.8 测试kube-controller-manager集群的高可用
随机找一个或两个 master 节点,停掉kube-controller-manager服务,看其它节点是否获取了 leader 权限.
参考
关于 controller 权限和 use-service-account-credentials 参数:
https://github.com/kubernetes/kubernetes/issues/48208
kubelet 认证和授权:
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authorization
安装完成kube-controller-manager后,还需要安装kube-scheduler,请参考:kubernetes集群安装指南:kube-scheduler组件集群部署。关于kube-controller-manager脚本请此处获取