Step 3: Master Node Deployment
The Master is the control centre of Kubernetes: it runs the apiserver, Controller Manager and Scheduler components, which manage all Nodes. In this step we download Kubernetes and install it on master1, then generate the TLS certificates and CA keys that the cluster components use to authenticate each other.
Download the Kubernetes components
1. Download all required binaries and extract them:
$ cd && wget https://dl.k8s.io/v1.10.1/kubernetes.tar.gz
$ wget https://dl.k8s.io/v1.10.1/kubernetes-server-linux-amd64.tar.gz
$ wget https://dl.k8s.io/v1.10.1/kubernetes-client-linux-amd64.tar.gz
$ wget https://dl.k8s.io/v1.10.1/kubernetes-node-linux-amd64.tar.gz
$ tar -zxvf kubernetes.tar.gz
$ tar -zxvf kubernetes-server-linux-amd64.tar.gz
$ tar -zxvf kubernetes-client-linux-amd64.tar.gz
$ tar -zxvf kubernetes-node-linux-amd64.tar.gz
$ cp kubernetes/server/bin/kube-apiserver /usr/local/bin/
$ cp kubernetes/server/bin/kube-controller-manager /usr/local/bin/
$ cp kubernetes/server/bin/kube-scheduler /usr/local/bin/
$ mkdir -p /usr/local/bin/cni/ && cd /usr/local/bin/cni/
$ wget https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz
$ tar -zxvf cni-plugins-amd64-v0.6.0.tgz && rm -rf cni-plugins-amd64-v0.6.0.tgz
2. Create the cluster CA and certificates
In this part we generate the certificates for each client and server component, and a client certificate for the Kubernetes admin user.
- Create the JSON configuration file used to generate the CSR:
$ cd /etc/etcd/ssl_tmp/
$ cat > /etc/etcd/ssl_tmp/kubernetes-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.184.28",
    "10.1.0.1",
    "10.254.0.2",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
- Generate the kubernetes certificate and private key:
$ cfssl gencert -ca=/etc/etcd/ssl/ca.pem -ca-key=/etc/etcd/ssl/ca-key.pem -config=/etc/etcd/ssl/ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
- Copy the kubernetes certificate and private key into place and distribute them to all nodes:
$ cp kubernetes* /etc/etcd/ssl/
$ scp kubernetes* 192.168.184.29:/etc/etcd/ssl/
$ scp kubernetes* 192.168.184.30:/etc/etcd/ssl/
- Create the client token file used by kube-apiserver. Generate a random token, then record it in the CSV as token,user,uid,"group" (replace the token below with the value the first command prints):
$ head -c 16 /dev/urandom | od -An -t x | tr -d ' '
$ cat > /etc/etcd/ssl/bootstrap-token.csv <<EOF
05c645cec943aef73c8b1f54464120c0,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
- Create the basic username/password authentication file (the password, username and uid are used later for Dashboard user authentication):
$ cat > /etc/etcd/ssl/basic-auth.csv <<EOF
admin,admin,1
readonly,readonly,2
EOF
- Deploy the Kubernetes API Server:
$ cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
--bind-address=192.168.184.28 \
--insecure-bind-address=127.0.0.1 \
--authorization-mode=Node,RBAC \
--runtime-config=rbac.authorization.k8s.io/v1 \
--kubelet-https=true \
--anonymous-auth=false \
--basic-auth-file=/etc/etcd/ssl/basic-auth.csv \
--enable-bootstrap-token-auth \
--token-auth-file=/etc/etcd/ssl/bootstrap-token.csv \
--service-cluster-ip-range=10.1.0.0/16 \
--service-node-port-range=20000-40000 \
--tls-cert-file=/etc/etcd/ssl/kubernetes.pem \
--tls-private-key-file=/etc/etcd/ssl/kubernetes-key.pem \
--client-ca-file=/etc/etcd/ssl/ca.pem \
--service-account-key-file=/etc/etcd/ssl/ca-key.pem \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/kubernetes.pem \
--etcd-keyfile=/etc/etcd/ssl/kubernetes-key.pem \
--etcd-servers=https://192.168.184.28:2379,https://192.168.184.29:2379,https://192.168.184.30:2379 \
--enable-swagger-ui=true \
--allow-privileged=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/etc/etcd/log/api-audit.log \
--event-ttl=1h \
--v=2 \
--logtostderr=false \
--log-dir=/etc/etcd/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
- Start the service:
$ systemctl daemon-reload
$ systemctl enable kube-apiserver.service && systemctl start kube-apiserver.service
$ systemctl status kube-apiserver.service
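An added check script (not part of the original tutorial) that reads the ExecStart= of the kube-apiserver unit above and verifies the settings a reviewer looks for: anonymous auth off, RBAC enforced, the insecure port bound only to loopback, a client CA configured, and both the bind address and the first IP of --service-cluster-ip-range (the kubernetes ClusterIP, 10.1.0.1 here) present in the kubernetes-csr.json hosts list. UNIT_TEXT and CSR_HOSTS are constructed from the page's values; parse_execstart and check_apiserver are hypothetical helper names.

```python
import ipaddress
import shlex
# Constructed sample: the ExecStart= of the kube-apiserver unit above, trimmed to the flags checked.
UNIT_TEXT = """ExecStart=/usr/local/bin/kube-apiserver \\
  --bind-address=192.168.184.28 \\
  --insecure-bind-address=127.0.0.1 \\
  --authorization-mode=Node,RBAC \\
  --anonymous-auth=false \\
  --service-cluster-ip-range=10.1.0.0/16 \\
  --client-ca-file=/etc/etcd/ssl/ca.pem \\
  --audit-log-path=/etc/etcd/log/api-audit.log
Restart=on-failure
"""
# Constructed sample: the "hosts" list from kubernetes-csr.json above.
CSR_HOSTS = ["127.0.0.1", "192.168.184.28", "10.1.0.1", "10.254.0.2", "kubernetes",
             "kubernetes.default", "kubernetes.default.svc",
             "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"]

def parse_execstart(unit_text):
    """Return {flag: value} for the ExecStart= command; a bare --flag counts as true."""
    joined = unit_text.replace("\\\n", " ")  # fold systemd line continuations
    for line in joined.splitlines():
        if line.startswith("ExecStart="):
            flags = {}
            for arg in shlex.split(line[len("ExecStart="):])[1:]:
                key, sep, val = arg.lstrip("-").partition("=")
                flags[key] = val if sep else "true"
            return flags
    raise ValueError("no ExecStart= line found")

def check_apiserver(flags, csr_hosts):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous requests are accepted (--anonymous-auth)")
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "RBAC" not in modes or "AlwaysAllow" in modes:
        findings.append("RBAC is not enforced (--authorization-mode=%s)" % ",".join(modes))
    insecure = flags.get("insecure-bind-address")
    if insecure and not ipaddress.ip_address(insecure).is_loopback:
        findings.append("unauthenticated insecure port is reachable on %s" % insecure)
    if not flags.get("client-ca-file"):
        findings.append("no --client-ca-file, so client certificates cannot be verified")
    # In-cluster clients use the first IP of the service range (the "kubernetes" ClusterIP);
    # it and the bind address must both be SANs of the server certificate.
    svc_range = ipaddress.ip_network(flags.get("service-cluster-ip-range", "10.0.0.0/24"))
    for ip in (str(svc_range[1]), flags.get("bind-address", "")):
        if ip not in csr_hosts:
            findings.append("%s is missing from the kubernetes-csr.json hosts list" % ip)
    return findings
```

To check the real unit, pass the contents of /usr/lib/systemd/system/kube-apiserver.service to parse_execstart and the hosts array of your kubernetes-csr.json to check_apiserver.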
- Deploy the Controller Manager service:
$ cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-controller-manager \
--address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--allocate-node-cidrs=true \
--service-cluster-ip-range=10.1.0.0/16 \
--cluster-cidr=10.2.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/etc/etcd/ssl/ca.pem \
--cluster-signing-key-file=/etc/etcd/ssl/ca-key.pem \
--service-account-private-key-file=/etc/etcd/ssl/ca-key.pem \
--root-ca-file=/etc/etcd/ssl/ca.pem \
--leader-elect=true \
--v=2 \
--logtostderr=false \
--log-dir=/etc/etcd/log
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
- Start the service:
$ systemctl daemon-reload
$ systemctl enable kube-controller-manager.service && systemctl start kube-controller-manager.service
$ systemctl status kube-controller-manager.service
- Deploy the Kubernetes Scheduler:
$ cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-scheduler \
--address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--leader-elect=true \
--v=2 \
--logtostderr=false \
--log-dir=/etc/etcd/log
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
$ systemctl daemon-reload
$ systemctl enable kube-scheduler.service && systemctl start kube-scheduler.service
$ systemctl status kube-scheduler.service
$ netstat -nlpt
3. Deploy the kubectl command-line tool
- Prepare the binaries:
$ cd && export KUBE_URL="https://storage.googleapis.com/kubernetes-release/release/v1.8.2/bin/linux/amd64"
$ wget "${KUBE_URL}/kubelet" -O /usr/local/bin/kubelet
$ wget "${KUBE_URL}/kubectl" -O /usr/local/bin/kubectl
$ chmod +x /usr/local/bin/kubelet /usr/local/bin/kubectl
$ scp /usr/local/bin/kubelet 192.168.184.29:/usr/local/bin/kubelet
$ scp /usr/local/bin/kubectl 192.168.184.29:/usr/local/bin/kubectl
$ scp /usr/local/bin/kubelet 192.168.184.30:/usr/local/bin/kubelet
$ scp /usr/local/bin/kubectl 192.168.184.30:/usr/local/bin/kubectl
$ scp -r /usr/local/bin/cni/* 192.168.184.29:/usr/local/bin/cni/
$ scp -r /usr/local/bin/cni/* 192.168.184.30:/usr/local/bin/cni/
- Create the admin certificate signing request:
$ cd /etc/etcd/ssl_tmp
$ cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
- Generate the admin certificate and private key:
$ cfssl gencert -ca=/etc/etcd/ssl/ca.pem -ca-key=/etc/etcd/ssl/ca-key.pem -config=/etc/etcd/ssl/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
$ cp admin*.pem /etc/etcd/ssl/
- Set the cluster parameters:
$ kubectl config set-cluster kubernetes --certificate-authority=/etc/etcd/ssl/ca.pem --embed-certs=true --server=https://192.168.184.28:6443
- Set the client authentication parameters:
$ kubectl config set-credentials admin --client-certificate=/etc/etcd/ssl/admin.pem --embed-certs=true --client-key=/etc/etcd/ssl/admin-key.pem
- Set the context parameters:
$ kubectl config set-context kubernetes --cluster=kubernetes --user=admin
- Set the default context:
$ kubectl config use-context kubernetes
- Use the kubectl tool:
$ kubectl get cs
- Verify the master node components:
$ kubectl get componentstatuses
This work is licensed under the CC license; reposting must credit the author and link to this article.