标签:required ocr none http lang password text setuid inux
集群规划
主机名 角色 ip
HDSS7-21.host.com kube-apiserver 192.168.12.13
HDSS7-22.host.com kube-apiserver 192.168.12.14
HDSS7-11.host.com 4层负载均衡 192.168.12.11
HDSS7-12.host.com 4层负载均衡 192.168.12.12
注意:这里192.168.12.11和192.168.12.12使用nginx做4层负载均衡器,用keepalive跑一个vip:192.168.12.10,代理两个kube-apiserver,实现高可用
[root@hdss7-21 certs]# cd /opt/src/
[root@hdss7-21 src]# rz
[root@hdss7-21 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss7-21 src]# cd ..
[root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2
[root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss7-21 opt]# cd kubernetes
[root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz
[root@hdss7-21 kubernetes]# cd server/bin/
[root@hdss7-21 bin]# rm -rf *.tar
[root@hdss7-21 bin]# rm -rf *_tag
签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端
运维主机HDSS-200.host.com上
[root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/
[root@hdss7-21 bin]# mkdir cert
[root@hdss7-21 bin]# cd cert/
[root@hdss7-21 cert]# ls
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem .
root@hdss7-200‘s password:
ca.pem 100% 1334 505.1KB/s 00:00
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./
root@hdss7-200‘s password:
apiserver.pem 100% 1586 913.6KB/s 00:00
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./
root@hdss7-200‘s password:
apiserver-key.pem 100% 1675 711.1KB/s 00:00
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./
root@hdss7-200‘s password:
ca-key.pem 100% 1679 1.3MB/s 00:00
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem ./
root@hdss7-200‘s password:
client-key.pem 100% 1679 749.7KB/s 00:00
[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem ./
root@hdss7-200‘s password:
client.pem
[root@hdss7-21 bin]# mkdir conf
[root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/conf
[root@hdss7-21 conf]# vi audit.yaml
[root@hdss7-21 conf]# cat audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don‘t generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn‘t match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don‘t log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don‘t log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don‘t log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.