[k8s] Analysing the kube-apiserver startup parameters (systemd)

Two parameters are enough to start it (both required):

kube-apiserver \
    --service-cluster-ip-range=10.254.0.0/16 \
    --etcd-servers=http://192.168.14.132:2379

By default HTTP listens on 127.0.0.1:8080 and HTTPS on 0.0.0.0:6443.

Setting insecure-bind-address (default 127.0.0.1)

kube-apiserver \
    --service-cluster-ip-range=10.254.0.0/16 \
    --etcd-servers=http://192.168.14.132:2379 \
    --insecure-bind-address=0.0.0.0

Setting the API access (audit) log

kube-apiserver \
    --service-cluster-ip-range=10.254.0.0/16 \
    --etcd-servers=http://192.168.14.132:2379 \
    --audit-log-path=/root/apiserver.log

Enabling the general (non-audit) log (the insecure bind IP is changed here too)

kube-apiserver \
    --service-cluster-ip-range=10.254.0.0/16 \
    --etcd-servers=http://127.0.0.1:2379 \
    --insecure-bind-address=0.0.0.0 \
    --logtostderr=false \
    --v=2
# --logtostderr: log to standard error instead of files (default true)

With --v=0 very little is logged; --v=2 logs considerably more.

Writing the general log to files

kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://192.168.14.132:2379 \
  --insecure-bind-address=0.0.0.0 \
  --logtostderr=false \
  --log-dir=/root/logs \
  --v=2 \
  --audit-log-path=/root/apiserver.log

With --v=2 the audit entries also appear to be included in the general log.
If neither the audit log nor logtostderr is configured, nothing at all is recorded.

Enabling swagger (off by default)

kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://192.168.14.132:2379 \
  --insecure-bind-address=0.0.0.0 \
  --enable-swagger-ui=true \
  --audit-log-path=/root/apiserver.log

http://192.168.14.132:8080/swagger-ui/

A slightly more complete version (general log to stderr)

kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://192.168.14.132:2379 \
  --enable-swagger-ui=true \
  --audit-log-path=/var/log/kubernetes/apiserver.log \
  --audit-log-maxsize=100 \
  --audit-log-maxbackup=3 \
  --audit-log-maxage=30 \
  --event-ttl=1h \
  --logtostderr=true \
  --v=2

The same, but writing the general log to a directory instead of stderr

kube-apiserver \
  --service-cluster-ip-range=10.254.0.0/16 \
  --etcd-servers=http://192.168.14.132:2379 \
  --enable-swagger-ui=true \
  --audit-log-path=/var/log/kubernetes/apiserver.log \
  --audit-log-maxsize=100 \
  --audit-log-maxbackup=3 \
  --audit-log-maxage=30 \
  --event-ttl=1h \
  --logtostderr=false \
  --log-dir=/root/logs \
  --v=2

kube-apiserver parameter breakdown

References: https://kubernetes.io/docs/reference/generated/kube-apiserver/
https://kubernetes.io/docs/tasks/debug-application-cluster/audit/

cat > kube-apiserver.service <<'EOF'   # quoted delimiter so the trailing backslashes survive
...
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
#++++++++++++++++++++++++++++++++++++++++++
# Required
#++++++++++++++++++++++++++++++++++++++++++
    --service-cluster-ip-range=10.254.0.0/16 \
    --etcd-servers=http://192.168.14.132:2379 \
#++++++++++++++++++++++++++++++++++++++++++
# Listen addresses: IP + port for HTTP and HTTPS
#++++++++++++++++++++++++++++++++++++++++++
    # number of API servers in the cluster (default 1)
    --apiserver-count=3 \
    # the address advertised to the other members of the cluster (defaults to --bind-address)
    --advertise-address=192.168.14.132 \
    # IP the insecure (HTTP) port listens on (default 127.0.0.1)
    --insecure-bind-address=192.168.14.132 \
    # insecure port (default 8080)
    --insecure-port=8080 \
    # IP the secure (HTTPS) port listens on (default 0.0.0.0)
    --bind-address=0.0.0.0 \
    # secure port (default 6443)
    --secure-port=6443 \
    # NodePort range (default 30000-32767)
    --service-node-port-range=30000-65535 \
    # enable or disable support for a particular API group/version
    --runtime-config=rbac.authorization.k8s.io/v1alpha1 \
#++++++++++++++++++++++++++++++++++++++++++
# Authorization: authorization mode, admission plugins, privileged containers
#++++++++++++++++++++++++++++++++++++++++++
    # authorization mode (default "AlwaysAllow")
    --authorization-mode=RBAC \
    # ResourceQuota: quotas per pod and container; LimitRanger: quotas per namespace;
    # NamespaceLifecycle: deleting a namespace deletes the resources it contains.
    # Note that AlwaysPullImages is another available admission control.
    --admission-control=ServiceAccount,DefaultStorageClass,ResourceQuota,LimitRanger,NamespaceLifecycle \
    # equivalent of docker run --privileged (default false)
    --allow-privileged=true \
    --enable-swagger-ui=true \
    # Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system'
    # namespace to be used for TLS bootstrapping authentication.
    --experimental-bootstrap-token-auth \
    # If set, the file that will be used to secure the secure port of the API server via token authentication.
    --token-auth-file=/etc/kubernetes/token.csv \
#++++++++++++++++++++++++++++++++++++++++++
# Certificates
#++++++++++++++++++++++++++++++++++++++++++
    --client-ca-file=/etc/kubernetes/ssl/ca.crt \
    --service-account-key-file=/etc/kubernetes/ssl/ca.key \
    --tls-cert-file=/etc/kubernetes/ssl/server.crt \
    --tls-private-key-file=/etc/kubernetes/ssl/server.key \
    --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
    --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
    --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
    # etcd over https with client certificates; keep only this entry or the plain-http one
    # in the required section, not both (repeated --etcd-servers flags are combined)
    --etcd-servers=https://192.168.14.132:2379,https://192.168.14.133:2379,https://192.168.14.134:2379 \
#++++++++++++++++++++++++++++++++++++++++++
# Logging
#++++++++++++++++++++++++++++++++++++++++++
    # audit log path
    --audit-log-path=/var/log/kubernetes/apiserver.log \
    # maximum size of a log file in MB; rotated once exceeded (default 100MB)
    --audit-log-maxsize=100 \
    # maximum number of old log files to keep
    --audit-log-maxbackup=3 \
    # maximum number of days to keep old log files
    --audit-log-maxage=30 \
    --event-ttl=1h \
    # do not write to stderr
    --logtostderr=false \
    # write to this directory instead
    --log-dir=/root/logs \
    # level 0 logs less than level 2
    --v=2
EOF
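An added example, not part of the original notes: a POSIX sh check that reviews a kube-apiserver flag string (for instance the ExecStart= line above) for the weak settings these parameters control, namely the unauthenticated port bound to 0.0.0.0, the AlwaysAllow authorization default, a missing audit log and plain-http etcd endpoints. The two sample flag strings at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: check a kube-apiserver flag
# string (e.g. copied from ExecStart=) for the weak settings discussed above.
# Prints one WARN line per finding; returns 1 if anything was found, else 0.

# Value of --<name>=<value> in the flag string; last occurrence wins, "" if absent.
# Backslash line continuations from a unit file are tolerated.
flag_value() {
    printf '%s\n' "$2" | tr '\\' ' ' | tr -s ' ' '\n' | sed -n "s/^--$1=//p" | tail -n 1
}

audit_apiserver_flags() {
    flags="$1"
    rc=0
    # Unauthenticated HTTP port exposed on all interfaces (default bind is 127.0.0.1).
    port=$(flag_value insecure-port "$flags")
    bind=$(flag_value insecure-bind-address "$flags")
    if [ "$port" != "0" ] && [ "$bind" = "0.0.0.0" ]; then
        echo "WARN insecure port bound to 0.0.0.0 and not disabled (--insecure-port=0)"
        rc=1
    fi
    # --authorization-mode defaults to AlwaysAllow when omitted.
    mode=$(flag_value authorization-mode "$flags")
    if [ -z "$mode" ] || [ "$mode" = "AlwaysAllow" ]; then
        echo "WARN authorization-mode is AlwaysAllow (explicitly or by default)"
        rc=1
    fi
    # Without --audit-log-path API requests leave no audit trail.
    if [ -z "$(flag_value audit-log-path "$flags")" ]; then
        echo "WARN no --audit-log-path: API requests are not audited"
        rc=1
    fi
    # Plain-text etcd endpoint: --etcd-cafile/certfile/keyfile do nothing over http.
    case "$(flag_value etcd-servers "$flags")" in
        *http://*) echo "WARN etcd-servers uses http://, cluster state travels unencrypted"; rc=1 ;;
    esac
    return $rc
}

# Constructed inputs: the minimal start line from the notes, and a hardened variant.
MINIMAL='--service-cluster-ip-range=10.254.0.0/16 --etcd-servers=http://192.168.14.132:2379 --insecure-bind-address=0.0.0.0'
HARDENED='--service-cluster-ip-range=10.254.0.0/16 --etcd-servers=https://192.168.14.132:2379 \
  --insecure-port=0 --authorization-mode=RBAC --audit-log-path=/var/log/kubernetes/apiserver.log'

audit_apiserver_flags "$MINIMAL" || echo "-> the minimal start line needs hardening"
```

Run it against the flags of a real unit by pasting the ExecStart= continuation lines into the string argument; the minimal line from the top of these notes produces four findings, the hardened variant none.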