k8syaml

kube-apiserver

# cat /soyuan/k8s/cfg/kube-apiserver-env

KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=http://172.16.100.92:2379 \
--bind-address=172.16.100.92 \
--secure-port=6443 \
--advertise-address=172.16.100.92 \
--allow-privileged=true \
--service-cluster-ip-range=10.254.0.0/16 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/soyuan/k8s/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/soyuan/k8s/ssl/server.pem  \
--tls-private-key-file=/soyuan/k8s/ssl/server-key.pem \
--client-ca-file=/soyuan/k8s/ssl/ca.pem \
--service-account-key-file=/soyuan/k8s/ssl/ca-key.pem "

# cat /usr/lib/systemd/system/kube-apiserver.service 

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/soyuan/k8s/cfg/kube-apiserver-env
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

kube-controller-manager

kube-controller-manager-env

# cat /soyuan/k8s/cfg/kube-controller-manager-env

KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.254.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/soyuan/k8s/ssl/ca.pem \
--cluster-signing-key-file=/soyuan/k8s/ssl/ca-key.pem  \
--root-ca-file=/soyuan/k8s/ssl/ca.pem \
--service-account-private-key-file=/soyuan/k8s/ssl/ca-key.pem"

# cat /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/soyuan/k8s/cfg/kube-controller-manager-env
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

kube-scheduler

kube-scheduler-env

# cat /soyuan/k8s/cfg/kube-scheduler-env

KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"

# cat /usr/lib/systemd/system/kube-scheduler.service 
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/soyuan/k8s/cfg/kube-scheduler-env
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target

kubelet

kubelet-env

# cat /soyuan/k8s/cfg/kubelet-env

 KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=172.16.100.63 \
--kubeconfig=/opt/k8s/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/k8s/cfg/bootstrap.kubeconfig \
--config=/opt/k8s/cfg/kubelet.config \
--cert-dir=/opt/k8s/ssl "

--bootstrap-kubeconfig 自动生成文件

kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 172.16.100.63
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS: ["10.254.0.2"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true

token.csv

$ head -c 16 /dev/urandom | od -An -t x | tr -d ' '



$ echo 538d66be23b7d8e87ca8e0cf7b4191ae,kubelet-bootstrap,10001,"system:kubelet-bootstrap" > token.csv


# 创建角色
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
  
  
  
BOOTSTRAP_TOKEN=538d66be23b7d8e87ca8e0cf7b4191ae
KUBE_APISERVER="https://172.16.100.92:6443"

# 创建kubelet bootstrapping kubeconfig 

# 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=/soyuan/k8s/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig




# 创建kube-proxy kubeconfig文件

kubectl config set-cluster kubernetes \
  --certificate-authority=/soyuan/k8s/ssl/ca.crt \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=/soyuan/k8s/ssl/server.crt \
  --client-key=/soyuan/k8s/ssl/server.key \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig