千家信息网

kubernetes集群安装指南:kube-controller-manager组件集群部署

发表于:2024-11-18 作者:千家信息网编辑
千家信息网最后更新 2024年11月18日,kube-controller-manager属于master节点组件,kube-controller-manager集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节
千家信息网最后更新 2024年11月18日kubernetes集群安装指南:kube-controller-manager组件集群部署

kube-controller-manager属于master节点组件,kube-controller-manager集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的高可用性。

1 安装准备

特别说明:这里所有的操作都是在devops这台机器上通过ansible工具执行;kube-controller-manager 在如下两种情况下使用证书:

  • 与 kube-apiserver 的安全端口通信使用;
  • 在安全端口(https,10257) 输出 prometheus 格式的 metrics;
1.1 环境变量定义
#################### Variable parameter setting ######################KUBE_NAME=kube-controller-managerK8S_INSTALL_PATH=/data/apps/k8s/kubernetesK8S_BIN_PATH=${K8S_INSTALL_PATH}/sbinK8S_LOG_DIR=${K8S_INSTALL_PATH}/logsK8S_CONF_PATH=/etc/k8s/kubernetesKUBE_CONFIG_PATH=/etc/k8s/kubeconfigCA_DIR=/etc/k8s/sslSOFTWARE=/root/softwareVERSION=v1.14.2PACKAGE="kubernetes-server-${VERSION}-linux-amd64.tar.gz"DOWNLOAD_URL=""https://github.com/devops-apps/download/raw/master/kubernetes/${PACKAGE}"ETH_INTERFACE=eth2LISTEN_IP=$(ifconfig | grep -A 1 ${ETH_INTERFACE} |grep inet |awk '{print $2}')USER=k8sSERVICE_CIDR=10.254.0.0/22
1.2 下载和分发 kubernetes 二进制文件

访问kubernetes github 官方地址下载稳定的 realease 包至本机;

wget  $DOWNLOAD_URL -P $SOFTWARE

将kubernetes 软件包分发到各个master节点服务器;

sudo ansible master_k8s_vgs -m copy -a "src=${SOFTWARE}/$PACKAGE dest=${SOFTWARE}/" -b

2 部署kube-controller-manager集群

2.1 安装kube-controller-manager二进制文件
### 1.Check if the install directory exists.if [ ! -d "$K8S_BIN_PATH" ]; then     mkdir -p $K8S_BIN_PATHfiif [ ! -d "$K8S_LOG_DIR/$KUBE_NAME" ]; then     mkdir -p $K8S_LOG_DIR/$KUBE_NAMEfiif [ ! -d "$K8S_CONF_PATH" ]; then     mkdir -p $K8S_CONF_PATHfiif [ ! -d "$KUBE_CONFIG_PATH" ]; then     mkdir -p $KUBE_CONFIG_PATHfi### 2.Install kube-apiserver binary of kubernetes.if [ ! -f "$SOFTWARE/kubernetes-server-${VERSION}-linux-amd64.tar.gz" ]; then     wget $DOWNLOAD_URL -P $SOFTWARE >>/tmp/install.log  2>&1ficd $SOFTWARE && tar -xzf kubernetes-server-${VERSION}-linux-amd64.tar.gz -C ./cp -fp kubernetes/server/bin/$KUBE_NAME $K8S_BIN_PATHln -sf  $K8S_BIN_PATH/$KUBE_NAM /usr/local/binchown -R $USER:$USER $K8S_INSTALL_PATHchmod -R 755 $K8S_INSTALL_PATH
2.2 分发 kubeconfig 文件和证书
分发证书
cd ${CA_DIR}sudo ansible master_k8s_vgs -m  copy -a "src=ca.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m  copy -a "src=ca-key.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m  copy -a \  "src=kubecontroller-manager.pem dest=${CA_DIR}/" -bsudo ansible master_k8s_vgs -m  copy -a \  "src=kubecontroller-manager-key.pem dest=${CA_DIR}/" -b
分发kubeconfig认证文件

kube-controller-manager使用 kubeconfig文件连接访问 apiserver服务,该文件提供了 apiserver 地址、嵌入的 CA 证书和 kube-scheduler证书:

cd $KUBE_CONFIG_PATHsudo ansible master_k8s_vgs -m  copy -a \     "src=kube-controller-manager.kubeconfig dest=$KUBE_CONFIG_PATH/" -b

备注: 如果在前面小节已经同步过各组件kubeconfig和证书文件,此处可以不必执行此操作;

2.3 创建kube-controller-manager启动服务
cat >/usr/lib/systemd/system/${KUBE_NAME}.service<
  • --port=0:关闭监听非安全端口(http),同时 --address 参数无效,--bind-address 参数有效;
  • --secure-port=10252、--bind-address=0.0.0.0: 在所有网络接口监听 10252 端口的 https /metrics 请求;
  • --kubeconfig:指定 kubeconfig 文件路径,kube-controller-manager 使用它连接和验证 kube-apiserver;
  • --authentication-kubeconfig 和 --authorization-kubeconfig:kube-controller-manager 使用它连接 apiserver,对 client 的请求进行认证和授权。kube-controller-manager 不再使用 --tls-ca-file 对请求 https metrics 的 Client 证书进行校验。如果没有配置这两个 kubeconfig 参数,则 client 连接 kube-controller-manager https 端口的请求会被拒绝(提示权限不足)。
  • --cluster-signing-*-file:签名 TLS Bootstrap 创建的证书;
  • --experimental-cluster-signing-duration:指定 TLS Bootstrap 证书的有效期;
  • --root-ca-file:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;
  • --service-account-private-key-file:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file 指定的公钥文件配对使用;
  • --service-cluster-ip-range :指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;
  • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;
  • --controllers=*,bootstrapsigner,tokencleaner:启用的控制器列表,tokencleaner 用于自动清理过期的 Bootstrap token;
  • --horizontal-pod-autoscaler-*:custom metrics 相关参数,支持 autoscaling/v2alpha1;
  • --tls-cert-file、--tls-private-key-file:使用 https 输出 metrics 时使用的 Server 证书和秘钥;
  • --use-service-account-credentials=true: kube-controller-manager 中各 controller 使用 serviceaccount 访问 kube-apiserver;
2.4 检查服务运行状态

kube-controller-manager监听10252和10257端口,两个接口都对外提供 /metrics 和 /healthz 的访问。

  • 10252:接收 http 请求访问,非安全端口,不需要认证授权,为了安全建议侦听地址为127.0.0.1;
  • 10257:接收 https 请求访问,安全端口,需要认证授权,可以侦听任何地址;
    sudo netstat -ntlp | grep kube-contcp  0      0 127.0.0.1:10252         0.0.0.0:*      LISTEN      2450/kube-controlle tcp  0      0 10.10.10.22:10257       0.0.0.0:*      LISTEN      2450/kube-controlle 

注意:很多安装文档都是关闭了非安全端口,将安全端口改为10250,这会导致查看集群状态是报如下错误,执行 kubectl get cs命令时,apiserver 默认向 127.0.0.1 发送请求。当controller-manager、scheduler以集群模式运行时,有可能和kube-apiserver不在一台机器上,且访问方式为https,则 controller-manager或scheduler 的状态为 Unhealthy,但实际上它们工作正常。则会导致上述error,但实际集群是安全状态;

kubectl get componentstatusesNAME                 STATUS      MESSAGE    ERRORcontroller-manager  Unhealthy  dial tcp  127.0.0.1:10252: connect: connection refusedscheduler          Unhealthy  dial tcp  127.0.0.1:10251: connect: connection refusedetcd-0               Healthy     {"health":"true"}etcd-2               Healthy     {"health":"true"}etcd-1               Healthy     {"health":"true"}正常输出应该为:NAME                 STATUS    MESSAGE             ERRORscheduler            Healthy   ok                  controller-manager   Healthy   ok                  etcd-2               Healthy   {"health":"true"}   etcd-1               Healthy   {"health":"true"}   etcd-0               Healthy   {"health":"true"}   

查看服务是否运行

systemctl status kube-controller-manager|grep Active

确保状态为 active (running),否则查看日志,确认原因:

sudo journalctl -u kube-controller-manager
2.5 查看输出的 metrics

注意:以下命令在 kube-controller-manager 节点上执行。

https方式访问curl -s --cacert /opt/k8s/work/ca.pem \  --cert /opt/k8s/work/admin.pem \  --key /opt/k8s/work/admin-key.pem \  https://10.10.10.22:10257/metrics |headhttp方式访问curl -s http://127.0.0.1:10252/metrics |head
2.6 kube-controller-manager 的权限设置

ClusteRole system:kube-controller-manager 的权限很小,只能创建 secret、serviceaccount 等资源对象,各 controller 的权限分散到 ClusterRole system:controller:XXX 中:

 $ kubectl describe clusterrole system:kube-controller-managerName:         system:kube-controller-managerLabels:       kubernetes.io/bootstrapping=rbac-defaultsAnnotations:  rbac.authorization.kubernetes.io/autoupdate=truePolicyRule:  Resources                  Non-Resource URLs  Resource Names  Verbs  ---------                  -----------------  --------------  -----  secrets                                   []   []    [create delete get update]  endpoints                                 []   []    [create get update]  serviceaccounts                           []   []    [create get update]  events                                    []   []    [create patch update]  tokenreviews.authentication.k8s.io        []   []    [create]  subjectacce***eviews.authorization.k8s.io []   []    [create]  configmaps                                []   []    [get]  namespaces                                []   []    [get]  *.*                                       []   []    [list watch]

需要在kube-controller-manager的启动参数中添加"--use-service-account-credentials=true"参数,这样main controller将会为各controller创建对应的ServiceAccount XXX-controller。然后内置的 ClusterRoleBinding system:controller:XXX则将赋予各XXX-controller ServiceAccount对应的ClusterRole system:controller:XXX 权限。

 $ kubectl get clusterrole|grep controllersystem:controller:attachdetach-controller                              17dsystem:controller:certificate-controller                               17dsystem:controller:clusterrole-aggregation-controller                   17dsystem:controller:cronjob-controller                                   17dsystem:controller:daemon-set-controller                                17dsystem:controller:deployment-controller                                17dsystem:controller:disruption-controller                                17dsystem:controller:endpoint-controller                                  17dsystem:controller:expand-controller                                    17dsystem:controller:generic-garbage-collector                            17dsystem:controller:horizontal-pod-autoscaler                            17dsystem:controller:job-controller                                       17dsystem:controller:namespace-controller                                 17dsystem:controller:node-controller                                      17dsystem:controller:persistent-volume-binder                             17dsystem:controller:pod-garbage-collector                                17dsystem:controller:pv-protection-controller                             17dsystem:controller:pvc-protection-controller                            17dsystem:controller:replicaset-controller                                17dsystem:controller:replication-controller                               17dsystem:controller:resourcequota-controller                             17dsystem:controller:route-controller                                     17dsystem:controller:service-account-controller                           17dsystem:controller:service-controller                                   17dsystem:controller:statefulset-controller                               17dsystem:controller:ttl-controller                                       17dsystem:kube-controller-manager                                         17d

以 deployment controller 为例:

$ kubectl describe clusterrole system:controller:deployment-controllerName:         system:controller:deployment-controllerLabels:       kubernetes.io/bootstrapping=rbac-defaultsAnnotations:  rbac.authorization.kubernetes.io/autoupdate=truePolicyRule:  Resources                        Non-Resource URLs  Resource Names  Verbs  ---------                        -----------------  --------------  -----  replicasets.apps                 []   []  [create delete get list patch update watch]  replicasets.extensions           []   []  [create delete get list patch update watch]  events                           []   []  [create patch update]  pods                             []   []  [get list update watch]  deployments.apps                 []   []  [get list update watch]  deployments.extensions           []   []  [get list update watch]  deployments.apps/finalizers      []   []  [update]  deployments.apps/status          []   []  [update]  deployments.extensions/finalizers[]   []  [update]  deployments.extensions/status    []   []  [update]
2.7 查看当前的 leader
kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
2.8 测试kube-controller-manager集群的高可用

随机找一个或两个 master 节点,停掉kube-controller-manager服务,看其它节点是否获取了 leader 权限.

参考

关于 controller 权限和 use-service-account-credentials 参数:
https://github.com/kubernetes/kubernetes/issues/48208
kubelet 认证和授权:
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authorization


安装完成kube-controller-manager后,还需要安装kube-scheduler,请参考:kubernetes集群安装指南:kube-scheduler组件集群部署。关于kube-controller-manager脚本请此处获取

0