Kubernetes API服务器深度解析核心组件与运维实践Kubernetes API服务器概述Kubernetes API服务器是Kubernetes集群的核心组件之一它是集群的控制平面入口负责处理所有的API请求。API服务器是Kubernetes的大脑管理着集群的所有资源和状态。API服务器的核心功能1. 资源管理API服务器负责管理Kubernetes中的所有资源类型func (s *APIServer) HandleRequest(req *http.Request) (interface{}, error) { // 解析请求路径 path : req.URL.Path // 提取资源类型和名称 resourceType, resourceName : parsePath(path) // 根据HTTP方法执行相应操作 switch req.Method { case GET: return s.getResource(resourceType, resourceName) case POST: return s.createResource(resourceType, req.Body) case PUT: return s.updateResource(resourceType, resourceName, req.Body) case DELETE: return s.deleteResource(resourceType, resourceName) default: return nil, fmt.Errorf(unsupported method: %s, req.Method) } }2. 认证与授权API服务器负责对所有请求进行认证和授权# API服务器认证配置 apiVersion: v1 kind: ConfigMap metadata: name: kube-apiserver-config namespace: kube-system data: config.yaml: | apiServer: extraArgs: authentication-token-webhook-config-file: /etc/kubernetes/webhook-config.yaml authorization-mode: Node,RBAC3. 准入控制API服务器通过准入控制器对请求进行校验和修改# API服务器准入控制配置 apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver command: - kube-apiserver - --enable-admission-pluginsNamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuotaAPI服务器的架构架构图┌─────────────────────────────────────────────────────────────────┐ │ API Server │ ├─────────────────────────────────────────────────────────────────┤ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ 认证层 │───│ 授权层 │───│ 准入控制 │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ │ │ │ ▼ ▼ │ │ ┌─────────────┐ ┌─────────────┐ │ │ │ API路由 │ │ 存储层 │ │ │ └─────────────┘ └─────────────┘ │ │ │ │ │ │ └───────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────┘ │ ▼ ┌───────────────────┐ │ etcd │ └───────────────────┘请求处理流程接收请求API服务器接收HTTP请求认证验证请求的身份授权检查请求是否有权限执行准入控制对请求进行校验和修改路由将请求路由到相应的处理函数存储读取或写入etcdAPI服务器的配置配置文件apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver image: k8s.gcr.io/kube-apiserver:v1.26.0 command: - kube-apiserver - --advertise-address192.168.1.100 - --allow-privilegedtrue - --authorization-modeNode,RBAC - --client-ca-file/etc/kubernetes/pki/ca.crt - --enable-admission-pluginsNamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota - --enable-bootstrap-token-authtrue - --etcd-cafile/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile/etc/kubernetes/pki/apiserver-etcd-client.crt - --etcd-keyfile/etc/kubernetes/pki/apiserver-etcd-client.key - --etcd-servershttps://127.0.0.1:2379 - --insecure-port0 - --kubelet-client-certificate/etc/kubernetes/pki/apiserver-kubelet-client.crt - --kubelet-client-key/etc/kubernetes/pki/apiserver-kubelet-client.key - --kubelet-preferred-address-typesInternalIP,ExternalIP,Hostname - --proxy-client-cert-file/etc/kubernetes/pki/front-proxy-client.crt - --proxy-client-key-file/etc/kubernetes/pki/front-proxy-client.key - --requestheader-allowed-namesfront-proxy-client - --requestheader-client-ca-file/etc/kubernetes/pki/front-proxy-ca.crt - --requestheader-extra-headers-prefixX-Remote-Extra- - --requestheader-group-headersX-Remote-Group - --requestheader-username-headersX-Remote-User - --secure-port6443 - --service-account-key-file/etc/kubernetes/pki/sa.pub - --service-cluster-ip-range10.96.0.0/12 - --tls-cert-file/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file/etc/kubernetes/pki/apiserver.key volumeMounts: - name: k8s-certs mountPath: /etc/kubernetes/pki readOnly: true - name: kubeconfig mountPath: /etc/kubernetes readOnly: true volumes: - name: k8s-certs hostPath: path: /etc/kubernetes/pki type: DirectoryOrCreate - name: kubeconfig hostPath: path: /etc/kubernetes type: DirectoryOrCreate重要配置参数参数说明--advertise-addressAPI服务器的广告地址--authorization-mode授权模式--client-ca-file客户端CA证书文件--etcd-serversetcd服务器地址--secure-port安全端口--tls-cert-fileTLS证书文件--tls-private-key-fileTLS私钥文件API服务器的认证机制1. TLS认证apiVersion: v1 kind: Secret metadata: name: apiserver-tls namespace: kube-system data: tls.crt: base64-encoded-cert tls.key: base64-encoded-key2. 客户端证书认证# 使用客户端证书访问API服务器 curl --cert /path/to/client.crt --key /path/to/client.key \ https://api-server:6443/api/v1/pods3. Token认证# 使用Token访问API服务器 curl -H Authorization: Bearer token \ https://api-server:6443/api/v1/pods4. ServiceAccount认证apiVersion: v1 kind: ServiceAccount metadata: name: my-service-account namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: my-service-account-binding namespace: default subjects: - kind: ServiceAccount name: my-service-account namespace: default roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.ioAPI服务器的授权机制RBAC授权apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pod-reader namespace: default rules: - apiGroups: [] resources: [pods] verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pod-reader-binding namespace: default subjects: - kind: User name: jane apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: pod-reader apiGroup: rbac.authorization.k8s.ioClusterRole授权apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cluster-admin rules: - apiGroups: [*] resources: [*] verbs: [*] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-admin-binding subjects: - kind: User name: admin apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: cluster-admin apiGroup: rbac.authorization.k8s.ioAPI服务器的准入控制内置准入控制器apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver command: - kube-apiserver - --enable-admission-pluginsNamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota自定义准入WebhookapiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: my-mutating-webhook webhooks: - name: my-webhook.example.com clientConfig: service: name: my-webhook-service namespace: default path: /mutate rules: - apiGroups: [] apiVersions: [v1] resources: [pods] operations: [CREATE] sideEffects: None timeoutSeconds: 10API服务器的监控与调优监控API服务器apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: kube-apiserver namespace: monitoring spec: endpoints: - port: https scheme: https tlsConfig: insecureSkipVerify: true interval: 30s selector: matchLabels: component: apiserver namespaceSelector: matchNames: - kube-systemAPI服务器指标指标说明apiserver_request_total总请求数apiserver_request_latencies_summary请求延迟汇总apiserver_request_duration_seconds_bucket请求延迟直方图apiserver_current_inflight_requests当前并发请求数性能调优apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver resources: requests: memory: 2Gi cpu: 1 limits: memory: 4Gi cpu: 2 command: - kube-apiserver - --max-requests-inflight500 - --max-mutating-requests-inflight200 - --request-timeout60sAPI服务器的高可用性多Master部署apiVersion: v1 kind: Service metadata: name: kubernetes namespace: default spec: type: ClusterIP clusterIP: 10.96.0.1 ports: - port: 443 targetPort: 6443 selector: component: apiserver负载均衡配置# HAProxy配置 frontend kubernetes bind *:6443 mode tcp option tcplog default_backend kubernetes-master-nodes backend kubernetes-master-nodes mode tcp balance roundrobin option tcp-check server master1 192.168.1.10:6443 check fall 3 rise 2 server master2 192.168.1.11:6443 check fall 3 rise 2 server master3 192.168.1.12:6443 check fall 3 rise 2API服务器的安全最佳实践1. 使用TLS加密apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver command: - kube-apiserver - --secure-port6443 - --tls-cert-file/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file/etc/kubernetes/pki/apiserver.key2. 限制访问权限apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: limited-access namespace: default rules: - apiGroups: [] resources: [pods] verbs: [get, list]3. 启用审计日志apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver command: - kube-apiserver - --audit-log-path/var/log/kubernetes/audit.log - --audit-log-maxbackup10 - --audit-log-maxsize100 - --audit-policy-file/etc/kubernetes/audit-policy.yaml4. 定期轮换证书# 生成新证书 kubeadm certs renew all # 重启API服务器 kubectl rollout restart deployment/kube-apiserver -n kube-systemAPI服务器的常见问题及解决方案问题1API服务器无法启动原因证书过期、etcd连接失败、配置错误解决方案# 检查API服务器日志 kubectl logs kube-apiserver -n kube-system # 检查etcd连接 etcdctl endpoint health # 检查证书有效期 openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout问题2API服务器性能问题原因资源不足、请求过多、etcd性能问题解决方案apiVersion: v1 kind: Pod metadata: name: kube-apiserver namespace: kube-system spec: containers: - name: kube-apiserver resources: requests: memory: 4Gi cpu: 2 limits: memory: 8Gi cpu: 4问题3认证失败原因证书无效、Token过期、RBAC配置错误解决方案# 检查证书 kubectl config view # 检查RBAC配置 kubectl get roles kubectl get rolebindings总结Kubernetes API服务器是集群的核心组件负责处理所有API请求、管理资源、认证授权和准入控制。通过合理配置和运维API服务器可以确保集群的稳定运行和安全。在实际应用中需要关注API服务器的性能、安全性和高可用性定期监控和优化确保集群的正常运行。掌握API服务器的配置和运维对于构建和管理Kubernetes集群至关重要。