[root@k8s-master1 cfg]# cat kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.17.32:2379,https://192.168.17.33:2379,https://192.168.17.34:2379 \
--bind-address=192.168.17.32 \
--secure-port=6443 \
--advertise-address=192.168.17.32 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-issuer=api \
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
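kube-apiserver configuration explained (binary deployment)
Create the configuration file:
Note: the \ at the end of each line above is a line-continuation character. Without it, all the options would have to be written on a single line.
kube-apiserver.conf options explained:
--logtostderr: logging switch (set to false here so that logs go to the log directory instead of stderr)
--v: log verbosity level
--log-dir: log directory
--etcd-servers: etcd cluster addresses
--bind-address: listen address
--secure-port: HTTPS secure port
--advertise-address: address advertised to the cluster
--allow-privileged: grants permission for privileged containers
--service-cluster-ip-range: Service virtual IP address range
--enable-admission-plugins: admission control plugins
--authorization-mode: authorization modes; enables RBAC authorization and node self-management (Node)
--enable-bootstrap-token-auth: enables the TLS bootstrap mechanism
--token-auth-file: bootstrap token file
--service-node-port-range: default port range allocated to NodePort Services
--kubelet-client-xxx: client certificate the apiserver uses to access the kubelet
--tls-xxx-file: apiserver HTTPS certificate
Parameters that must be added in version 1.20: --service-account-issuer, --service-account-signing-key-file
--etcd-xxxfile: certificates for connecting to the etcd cluster
--audit-log-xxx: audit log
Aggregation layer settings: --requestheader-client-ca-file, --proxy-client-cert-file, --proxy-client-key-file, --requestheader-allowed-names, --requestheader-extra-headers-prefix, --requestheader-group-headers, --requestheader-username-headers, --enable-aggregator-routing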
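A review pass over this kind of options file, as an added example that is not part of the original article: it parses KUBE_APISERVER_OPTS and reports settings an operator should confirm are intentional (privileged containers, a static token file, an audit log path with no audit policy file, one private key shared by several flags). The function names parse_flags and review are hypothetical, and SAMPLE_CONF is a constructed, shortened copy of the flags shown above.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the flags shown on this page.
SAMPLE_CONF = r'''KUBE_APISERVER_OPTS="--allow-privileged=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
'''

def parse_flags(conf_text):
    """Return {flag: value} from a KUBE_APISERVER_OPTS="..." assignment."""
    body = re.search(r'KUBE_APISERVER_OPTS="(.*?)"', conf_text, re.S)
    if body is None:
        raise ValueError("KUBE_APISERVER_OPTS not found")
    flags = {}
    # Join backslash-continued lines, then split into --name=value tokens.
    for tok in body.group(1).replace("\\\n", " ").split():
        name, _, value = tok.lstrip("-").partition("=")
        flags[name] = value if value else "true"
    return flags

def review(flags):
    """Return (check_id, message) pairs for settings that need a decision."""
    findings = []
    if flags.get("allow-privileged") == "true":
        findings.append(("privileged", "privileged containers are permitted"))
    if "token-auth-file" in flags:
        findings.append(("static-token", "static token file: " + flags["token-auth-file"]))
    # Per the Kubernetes docs, no audit events are logged without a policy file.
    if "audit-log-path" in flags and "audit-policy-file" not in flags:
        findings.append(("audit-policy", "audit log path set, no --audit-policy-file"))
    # Flags pointing at the same private key file share one key across roles.
    users = defaultdict(list)
    for name, value in flags.items():
        if name.endswith(("key-file", "keyfile")) or name == "kubelet-client-key":
            users[value].append(name)
    for path, names in users.items():
        if len(names) > 1:
            findings.append(("key-reuse", path + " used by " + ", ".join(sorted(names))))
    return findings

if __name__ == "__main__":
    for check_id, message in review(parse_flags(SAMPLE_CONF)):
        print(f"[{check_id}] {message}")
```
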