利用
kube-controller-manager-csr.json请求文件,创建 kube-controller-manager 证书和私钥
[root@FNSHB109 k8s]# cat kube-controller-manager-csr.json
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"135.251.205.109",
"135.251.205.75",
"135.251.205.73",
"135.251.205.76"
],
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-controller-manager",
"OU": "system"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kube.NETes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
[root@FNSHB109 k8s]# ls -la kube-con*.pem
-rw------- 1 root root 1679 5月 12 15:37
kube-controller-manager-key.pem
-rw-r--r-- 1 root root 1517 5月 12 15:37
kube-controller-manager.pem
配置kubeconfig文件,kubeconfig 文件包含访问 apiserver 的所有信息,如 apiserver 地址、CA 证书和自身使用的证书;
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://135.251.205.109:6443 --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/ssl/kube-controller-manager.pem --client-key=/etc/kubernetes/ssl/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
[root@FNSHB109 k8s]# cat /etc/kubernetes/kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS="--port=10252
--secure-port=10257
--bind-address=127.0.0.1
--kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig
--service-cluster-ip-range=10.96.0.0/16
--cluster-name=kubernetes
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem
--allocate-node-cidrs=true
--cluster-cidr=10.244.0.0/16
--experimental-cluster-signing-duration=1752000h
--root-ca-file=/etc/kubernetes/ssl/ca.pem
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem
--leader-elect=true
--feature-gates=RotateKubeletServerCertificate=true
--controllers=*,bootstrapsigner,tokencleaner
--horizontal-pod-autoscaler-use-rest-clients=true
--horizontal-pod-autoscaler-sync-period=10s
--tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem
--tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem
--use-service-account-credentials=true
--alsologtostderr=true
--logtostderr=false
--log-dir=/opt/kubernetes/logs
--v=2"
[root@FNSHB109 k8s]# cat /etc/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
systemctl daemon-reload && systemctl start kube-controller-manager
debug:
kube-controller-manager: W0512 19:32:06.800799 45390 client_config.go:620] error creating inClusterConfig, falling back to default config: unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined
这个错误竟然是
/etc/systemd/system/kube-controller-manager.service里面的配置少写了$KUBE_CONTROLLER_MANAGER_OPTS
