一、安裝Docker
配置docker的yum源地址
yum -y install wget
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum provides docker-ce
安裝指定的docker版本
yum install -y docker-ce-20.10.7 docker-ce-cli-20.10.7 containerd.io-1.4.6
# 啟動&開機啟動docker
systemctl enable docker --now
# docker加速配置
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://82m9ar63.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
二、基礎環境準備
#設定每個機器自己的hostname
hostnamectl set-hostname xxx
hostnamectl set-hostname master1 && bash
hostnamectl set-hostname master2 && bash
hostnamectl set-hostname master3 && bash
hostnamectl set-hostname node1 && bash
hostnamectl set-hostname node2 && bash
hostnamectl set-hostname node3 && bash
新增hosts解析(所有節點操作)
cat >> /etc/hosts << EOF
10.0.0.6 k8s-master1
10.0.0.7 k8s-master2
10.0.0.8 k8s-master3
10.0.0.9 k8s-node1
10.0.0.10 k8s-node2
10.0.0.11 k8s-node3
EOF
# 將 SELinux 設定為 permissive 模式(相當於將其禁用)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
#關閉swap
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
# 在 master1 上生成 SSH 金鑰對
ssh-keygen -t rsa
# 將公鑰複製到其他的 Kubernetes 節點上(除了 master1)
for i in master2 master3 node1 node2 node3; do
ssh-copy-id -i ~/.ssh/id_rsa.pub $i
done
#時間同步:
yum install ntpdate -y
ntpdate time.windows.com
#安裝工具
yum install -y device-mapper-persistent-data jq psmisc net-tools git lvm2 yum-utils
#修改limit
ulimit -SHn 65535 #設定或 shell 會話的檔案描述符數量限制
vim /etc/security/limits.conf
新增如下內容:
soft nofile 655360 #為所有使用者設定軟檔案描述符限制
hard nofile 131072 #為所有使用者設定硬檔案描述符限制
soft nproc 655350 #為所有使用者設定軟程序數限制
hard nproc 655350 #為所有使用者設定硬程序數限制
oft memlock unlimited #所有使用者設定軟記憶體鎖定限制為無限制
hard memlock unlimited #為所有使用者設定硬記憶體鎖定限制為無限制
# 安裝ipvs工具
yum -y install ipset ipvsadm conntrack sysstat libseccomp
# 然後在所有節點配置ipvs模組,執行以下命令:
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack #這裡需要注意核心4.18下改為nf_conntrack_ipv4;核心4.19上改為nf_conntrack,血的教訓
# 修改ipvs配置
vim/etc/modules-load.d/ipvs.conf
新增一下內容:
# IPVS 模組
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
# Conntrack 模組
nf_conntrack
# IPTables 和 IPSet 模組
ip_tables
ip_set
xt_set
ipt_set
# 其他網路模組
ipt_rpfilter
ipt_REJECT
ipip
# 執行命令
systemctl enable --now systemd-modules-load.service #--now = enable+start
lsmod | grep -e ip_vs -e nf_conntrack 檢視是否載入
## 將橋接的IPv4流量傳遞到iptables的鏈(所有節點需要執行)
vim etc/sysctl.d/k8s.conf
新增:
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory=1
net.ipv4.conf.all.route_localnet = 1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16768
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16768
執行:sysctl --system(重新載入 sysctl 設定)
# 所有節點需要重啟伺服器
reboot
lsmod | grep -e ip_vs -e nf_conntrack 驗證重啟後核心是否載入
三、配置證書
**1、下載cfssl核心元件**
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64
#授予執行許可權
chmod +x cfssl*
#批次重新命名
for name in `ls cfssl*`; do mv $name ${name%_1.5.0_linux_amd64}; done
#移動到檔案
mv cfssl* /usr/bin
2、ca根配置
命令:mkdir -p /etc/kubernetes/pki
命令:cd /etc/kubernetes/pki
命令:vim ca-config.json
新增:
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"server": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"etcd": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
3、配置證書籤名請求檔案
命令:vim /etc/kubernetes/pki/ca-csr.json
{
"CN": "kubernetes", #公用名,如網站域
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN", #國家名稱,如:中國是CN
"ST": "Hubei", #申請單位所在的省份
"L": "Wuhan", #申請單位所在的城市
"O": "Kubernetes", #組織名,需要和營業執照上的名稱完全一致
"OU": "Kubernetes" #單位部門,一般沒有太多限制。
}
],
"ca": {
"expiry": "87600h"
}
}
5、生成證書和私鑰
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# ca.csr ca.pem(ca公鑰) ca-key.pem(ca私鑰)
四、搭建etcd
1、下載etcd
# 給所有master的節點,傳送etcd包,用於部署etcd(高可用)
在master1上執行命令:wget https://github.com/etcd-io/etcd/releases/download/v3.4.16/etcd-v3.4.16-linux-amd64.tar.gz
## 複製到其他節點
for i in master2 master3;do scp etcd-* root@$i:/root/;done
## 解壓到 /usr/local/bin
tar -zxvf etcd-v3.4.16-linux-amd64.tar.gz --strip-components=1 -C /usr/local/bin etcd-v3.4.16-linux-amd64/etcd{,ctl}
##驗證
etcdctl #只要有列印就沒問題
2、生成etcd證書
vim etcd-ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "etcd",
"OU": "etcd"
}
],
"ca": {
"expiry": "87600h"
}
}
命令:cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/kubernetes/pki/etcd/ca - #生成etcd根ca證書
vim etcd-itdachang-csr.json
{
"CN": "etcd-itdachang",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"master1",
"master2",
"master3",
"10.0.0.6",
"10.0.0.7",
"10.0.0.8"
],
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "etcd",
"OU": "etcd"
}
]
}
# 使用 cfssl gencert 命令來簽發itdachang的etcd證書
cfssl gencert \
-ca=/etc/kubernetes/pki/etcd/ca.pem \
-ca-key=/etc/kubernetes/pki/etcd/ca-key.pem \
-config=/etc/kubernetes/pki/ca-config.json \
-profile=etcd \
etcd-itdachang-csr.json | cfssljson -bare /etc/kubernetes/pki/etcd/etcd
# 把生成的證書,複製給其他機器
for i in master2 master3;do scp -r /etc/kubernetes/pki/etcd root@$i:/etc/kubernetes/pki;done
3、安裝etcd
編寫etcd配置檔案,在三個master節點上執行命令:mkdir -p /etc/etcd
vim /etc/etcd/etcd.yaml
name: 'etcd-master1' #每個機器寫自己的名
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://10.0.0.8:2380' # 本機ip+2380埠,和叢集通訊
listen-client-urls: 'https://10.0.0.8:2379,http://10.0.0.8:2379' #改為自己的ip
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://10.0.0.8:2380' #自己的ip
advertise-client-urls: 'https://10.0.0.8:2379' #自己的ip
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'etcd-master1=https://110.0.0.6:2380,etcd-master2=https://10.0.0.7:2380,etcd-master3=https://10.0.0.8:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/ca.pem'
auto-tls: true
peer-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
peer-client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/ca.pem'
auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
配置開機自啟
vim /usr/lib/systemd/system/etcd.service
新增:
[Unit]
Description=Etcd Service
Documentation=https://etcd.io/docs/v3.4/op-guide/clustering/
After=network.target
[Service]
Type=notify
ExecStart=/usr/local/bin/etcd --config-file=/etc/etcd/etcd.yaml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Alias=etcd3.service
# 開機啟動
systemctl daemon-reload
systemctl enable --now etcd
測試訪問
# 檢視etcd叢集狀態
etcdctl --endpoints="10.0.0.6:2379,10.0.0.7 :2379,10.0.0.8:2379" --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/etcd.pem --key=/etc/kubernetes/pki/etcd/etcd-key.pem endpoint status --write-out=table
# 測試命令
export ETCDCTL_API=3
HOST_1=10.0.0.6
HOST_2=10.0.0.7
HOST_3=10.0.0.8
ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379
# 如果沒有環境變數的話,呼叫方式:
etcdctl --endpoints=$ENDPOINTS --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/etcd.pem --key=/etc/kubernetes/pki/etcd/etcd-key.pem member list --write-out=table
#如果有,匯出環境變數
export ETCDCTL_DIAL_TIMEOUT=3s
export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.pem
export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/etcd.pem
export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/etcd-key.pem
export ETCDCTL_ENDPOINTS=$HOST_1:2379,$HOST_2:2379,$HOST_3:2379
# 自動用環境變數定義的證書位置
etcdctl member list --write-out=table
五、k8s元件與證書
1、下載安裝包
k8s git地址:https://github.com/kubernetes/kubernetes
命令:wget https://dl.k8s.io/v1.30.1/kubernetes-server-linux-amd64.tar.gz
建議配置下網路,不然如上圖下載到會讓你懷疑人生
# 將kubernetes安裝包把複製給所有節點
命令:for i in master2 master3 node1 node2 node3;do scp kubernetes-server-linux-amd64.tar.gz root@$i:/root/;done
# 所有master節點解壓kubelet,kubectl等到 /usr/local/bin。
命令:tar -xvf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}
# master需要全部元件,node節點只需要 /usr/local/bin kubelet、kube-proxy
2、生成apiserver 證書
vim apiserver-csr.json
{
"CN": "kube-apiserver",
"hosts": [
"66.66.0.1", #service網段,可以自定義
"127.0.0.1", #本機
"10.0.0.250", #負載均衡器
"10.0.0.6",
"10.0.0.7",
"10.0.0.8",
"10.0.0.9",
"10.0.0.10",
"10.0.0.11",
"10.0.0.12",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "Kubernetes",
"OU": "Kubernetes"
}
]
}
3、生成apiserver證書
vim ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "Kubernetes",
"OU": "Kubernetes"
}
],
"ca": {
"expiry": "87600h"
}
}
生成證書命令:cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
生成API伺服器證書命令:cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=/etc/kubernetes/pki/ca-config.json -profile=kubernetes apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver
3、1、front-proxy根ca
vim front-proxy-ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
}
}
生成ront-proxy根ca命令:cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-ca
3、2、證書front-proxy-client
vi front-proxy-client-csr.json
{
"CN": "front-proxy-client",
"key": {
"algo": "rsa",
"size": 2048
}
}
#生成front-proxy-client 證書:
命令:cfssl gencert -ca=/etc/kubernetes/pki/front-proxy-ca.pem -ca-key=/etc/kubernetes/pki/front-proxy-ca-key.pem -config=ca-config.json -profile=kubernetes front-proxy-client-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-client
警告忽略
4、controller-manage證書生成與配置
vim controller-manager-csr.json
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "system:kube-controller-manager",
"OU": "Kubernetes"
}
]
}
生成證書
cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
controller-manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager
生成配置
# set-cluster:設定一個叢集項,
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://10.0.0.250:6443 \
--kubeconfig=/etc/kubernetes/controller-manager.conf
# 設定一個環境項,一個上下文
kubectl config set-context system:kube-controller-manager@kubernetes \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=/etc/kubernetes/controller-manager.conf
# set-credentials 設定一個使用者項
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=/etc/kubernetes/pki/controller-manager.pem \
--client-key=/etc/kubernetes/pki/controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/controller-manager.conf
# 使用某個環境當做預設環境
kubectl config use-context system:kube-controller-manager@kubernetes \
--kubeconfig=/etc/kubernetes/controller-manager.conf
# 後來也用來自動批覆kubelet證書
5、scheduler證書生成與配置
vi scheduler-csr.json
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "system:kube-scheduler",
"OU": "Kubernetes"
}
]
}
5、1、簽發證書
cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=/etc/kubernetes/pki/ca-config.json \
-profile=kubernetes \
scheduler-csr.json | cfssljson -bare /etc/kubernetes/pki/scheduler
5、2、生成配置
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://10.0.0.250:6443 \
--kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config set-credentials system:kube-scheduler \
--client-certificate=/etc/kubernetes/pki/scheduler.pem \
--client-key=/etc/kubernetes/pki/scheduler-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config set-context system:kube-scheduler@kubernetes \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=/etc/kubernetes/scheduler.conf
kubectl config use-context system:kube-scheduler@kubernetes \
--kubeconfig=/etc/kubernetes/scheduler.conf
6、admin證書生成與配置
vim admin-csr.json
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hubei",
"L": "Wuhan",
"O": "system:masters",
"OU": "Kubernetes"
}
]
}
6、1、生成證書
cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=/etc/kubernetes/pki/ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin
6、2、生成配置
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://10.0.0.250:6443 \
--kubeconfig=/etc/kubernetes/admin.conf
kubectl config set-credentials kubernetes-admin \
--client-certificate=/etc/kubernetes/pki/admin.pem \
--client-key=/etc/kubernetes/pki/admin-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/admin.conf
kubectl config set-context kubernetes-admin@kubernetes \
--cluster=kubernetes \
--user=kubernetes-admin \
--kubeconfig=/etc/kubernetes/admin.conf
kubectl config use-context kubernetes-admin@kubernetes \
--kubeconfig=/etc/kubernetes/admin.conf
7、ServiceAccount Key生成
每建立一個ServiceAccount,都會分配一個Secret,而Secret裡面有秘鑰,秘鑰是由sa生成的,所以需要提前建立出sa資訊。
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub
8、傳送證書到其他節點
在master1上執行:
for NODE in master2 master3
do
for FILE in admin.conf controller-manager.conf scheduler.conf
do
scp /etc/kubernetes/${FILE} $NODE:/etc/kubernetes/${FILE}
done
done
六、啟動各元件
1、所有的master節點上執行:
mkdir -p /etc/kubernetes/manifests/ /etc/systemd/system/kubelet.service.d /var/lib/kubelet /var/log/kubernetes
三個master節點kube-xx相關的程式都在 /usr/local/bin
for NODE in master2 master3
do
scp -r /etc/kubernetes/* root@$NODE:/etc/kubernetes/
done
2、配置apiserver服務
2、1、所有Master節點建立kube-apiserver.service
# 每個master節點執行以下內容:
vim /usr/lib/systemd/system/kube-apiserver.service
新增:
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--v=2 \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--insecure-port=0 \
--advertise-address=10.0.0.6 \
--service-cluster-ip-range=10.96.0.0/16 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://10.0.0.6:2379,https://10.0.0.7:2379,https://10.0.0.8:2379 \
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.pem \
--etcd-certfile=/etc/kubernetes/pki/etcd/etcd.pem \
--etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-key.pem \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
--tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
--requestheader-allowed-names=aggregator,front-proxy-client \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/token.csv
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
2.2、啟動apiserver
啟動命令:systemctl daemon-reload && systemctl enable --now kube-apiserver
檢視狀態命令:systemctl status kube-apiserver
3、配置controller-manager服務
3.1、所有Master節點配置kube-controller-manager.service
# 所有節點執行:
vim /usr/lib/systemd/system/kube-controller-manager.service
新增:
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-controller-manager \
--v=2 \
--logtostderr=true \
--address=127.0.0.1 \
--root-ca-file=/etc/kubernetes/pki/ca.pem \
--cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem \
--service-account-private-key-file=/etc/kubernetes/pki/sa.key \
--kubeconfig=/etc/kubernetes/controller-manager.conf \
--leader-elect=true \
--use-service-account-credentials=true \
--node-monitor-grace-period=40s \
--node-monitor-period=5s \
--pod-eviction-timeout=2m0s \
--controllers=*,bootstrapsigner,tokencleaner \
--allocate-node-cidrs=true \
--cluster-cidr=196.168.0.0/16 \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--node-cidr-mask-size=24
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
## --cluster-cidr=196.168.0.0/16 : 為Pod的網段。可以修改成自己規劃的網段
3.2、啟動
# 所有master節點執行:
systemctl daemon-reload
systemctl daemon-reload && systemctl enable --now kube-controller-manager
systemctl status kube-controller-manager
4、所有Master節點配置kube-scheduler.service
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-scheduler \
--v=2 \
--logtostderr=true \
--address=127.0.0.1 \
--leader-elect=true \
--kubeconfig=/etc/kubernetes/scheduler.conf
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
4.2、啟動
執行以下命令:
systemctl daemon-reload
systemctl daemon-reload && systemctl enable --now kube-scheduler
systemctl status kube-scheduler
七、TLS和Kubernetes的引導啟動
1、master1配置bootstrap
#準備一個token
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
# 值如下: 1ff64c60de40a57b5d30d8c40a14e354
# 生成16個字元的
head -c 8 /dev/urandom | od -An -t x | tr -d ' '
# 84d107288bc64d51
設定叢集
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://10.0.0.250:6443 \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf
#設定秘鑰
kubectl config set-credentials tls-bootstrap-token-user \
--token=l6fy8c.d683399b7a553977 \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf
#設定上下文
kubectl config set-context tls-bootstrap-token-user@kubernetes \
--cluster=kubernetes \
--user=tls-bootstrap-token-user \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf
#使用設定
kubectl config use-context tls-bootstrap-token-user@kubernetes \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf
2、master1設定kubectl執行許可權
命令:mkdir -p /root/.kube ;
命令:cp /etc/kubernetes/admin.conf /root/.kube/confi
# 只在master1生成,只讓一臺機器具有操作叢集的許可權,便於控制
#驗證
命令:kubectl get nodes
[root@master1 ~]# kubectl get nodes
No resources found
#說明已經可以連線apiserver並獲取資源
3、建立叢集引導許可權檔案
# master準備這個檔案
vi /etc/kubernetes/bootstrap.secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-token-l6fy8c
namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
description: "The default bootstrap token generated by 'kubelet '."
token-id: l6fy8c
token-secret: 84d107288bc64d51
usage-bootstrap-authentication: "true"
usage-bootstrap-signing: "true"
auth-extra-groups: system:bootstrappers:default-node-token,system:bootstrappers:worker,system:bootstrappers:ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubelet-bootstrap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-autoapprove-bootstrap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-autoapprove-certificate-rotation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kube-apiserver
# 建立資源
kubectl create -f /etc/kubernetes/bootstrap.secret.yaml
八、引導Node節點啟動
1、master1節點將核心證書傳送給其他節點
命令:cd /etc/kubernetes/
#執行復制所有令牌操作
for NODE in master2 master3 node1 ode2; do
ssh $NODE mkdir -p /etc/kubernetes/pki/etcd
for FILE in ca.pem etcd.pem etcd-key.pem; do
scp /etc/kubernetes/pki/etcd/$FILE $NODE:/etc/kubernetes/pki/etcd/
done
for FILE in pki/ca.pem pki/ca-key.pem pki/front-proxy-ca.pem bootstrap-kubelet.conf; do
scp /etc/kubernetes/$FILE $NODE:/etc/kubernetes/${FILE}
done
done
2、所有節點配置kubelet
# 所有節點建立相關目錄
mkdir -p /var/lib/kubelet /var/log/kubernetes /etc/systemd/system/kubelet.service.d /etc/kubernetes/manifests/
## 所有node節點必須有 kubelet kube-proxy
for NODE in master2 master3 node3 node1 node2; do
scp -r /etc/kubernetes/* root@$NODE:/etc/kubernetes/
done
2.1、建立kubelet.service
所有節點,配置kubelet服務
vim /usr/lib/systemd/system/kubelet.service
新增:
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/local/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target
# 所有節點配置kubelet service配置檔案
vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
新增:
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/pause:3.4.1"
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' "
ExecStart=
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS
2.2、建立kubelet-conf.yml檔案
#所有節點,配置kubelet-conf檔案
vi /etc/kubernetes/kubelet-conf.yml
# clusterDNS 為service網路的第10個ip值,改成自己的ip,如10.96.0.8
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.96.0.8
clusterDomain: cluster.local
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s #縮小相應的配置
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
2、3、所有節點啟動kubelet
systemctl daemon-reload && systemctl enable --now kubelet
systemctl status kubelet
#提示 "Unable to update cni config"
3、配置kube-proxy
3.1、生成kube-proxy.conf
在master1執行:
#建立kube-proxy的sa
kubectl -n kube-system create serviceaccount kube-proxy
#建立角色繫結
kubectl create clusterrolebinding system:kube-proxy \
--clusterrole system:node-proxier \
--serviceaccount kube-system:kube-proxy
#匯出變數,方便後面使用
SECRET=$(kubectl -n kube-system get sa/kube-proxy --output=jsonpath='{.secrets[0].name}')
JWT_TOKEN=$(kubectl -n kube-system get secret/$SECRET --output=jsonpath='{.data.token}' | base64 -d)
PKI_DIR=/etc/kubernetes/pki
K8S_DIR=/etc/kubernetes
# 生成kube-proxy配置
# --server: 指定自己的apiserver地址或者lb地址
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://10.0.0.250:6443 \
--kubeconfig=${K8S_DIR}/kube-proxy.conf
# kube-proxy秘鑰設定
kubectl config set-credentials kubernetes \
--token=${JWT_TOKEN} \
--kubeconfig=/etc/kubernetes/kube-proxy.conf
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=kubernetes \
--kubeconfig=/etc/kubernetes/kube-proxy.conf
kubectl config use-context kubernetes \
--kubeconfig=/etc/kubernetes/kube-proxy.conf
#將生成的 kube-proxy.conf 傳給每個節點
for NODE in master2 master3 node1 node2 node3; do
scp /etc/kubernetes/kube-proxy.conf $NODE:/etc/kubernetes/
done
3.2、配置kube-proxy.service
# 所有節點配置 kube-proxy.service 服務,設定開機自啟
vim /usr/lib/systemd/system/kube-proxy.service
新增:
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-proxy \
--config=/etc/kubernetes/kube-proxy.yaml \
--v=2
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
3.3、準備kube-proxy.yaml
# 所有機器執行
vi /etc/kubernetes/kube-proxy.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
acceptContentTypes: ""
burst: 10
contentType: application/vnd.kubernetes.protobuf
kubeconfig: /etc/kubernetes/kube-proxy.conf #kube-proxy引導檔案
qps: 5
clusterCIDR: 196.168.0.0/16 #修改成自己的Pod-CIDR
configSyncPeriod: 15m0s
conntrack:
max: null
maxPerCore: 32768
min: 131072
tcpCloseWaitTimeout: 1h0m0s
tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
masqueradeAll: false
masqueradeBit: 14
minSyncPeriod: 0s
syncPeriod: 30s
ipvs:
masqueradeAll: true
minSyncPeriod: 5s
scheduler: "rr"
syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs"
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
udpIdleTimeout: 250ms
3.4、所有節點啟動kube-proxy
systemctl daemon-reload && systemctl enable --now kube-proxy
systemctl status kube-proxy
九、calico部署
# 下載官網calico
curl https://docs.projectcalico.org/manifests/calico-etcd.yaml -o calico.yaml
## 把這個映象修改成國內映象
# 修改一些我們自定義的. 修改etcd叢集地址
sed -i 's#etcd_endpoints: "http://<ETCD_IP>:<ETCD_PORT>"#etcd_endpoints: "https://10.0.0.6:2379,https://10.0.0.7:2379,https://10.0.0.8:2379"#g' calico.yaml
# etcd的證書內容,需要base64編碼設定到yaml中
ETCD_CA=`cat /etc/kubernetes/pki/etcd/ca.pem | base64 -w 0 `
ETCD_CERT=`cat /etc/kubernetes/pki/etcd/etcd.pem | base64 -w 0 `
ETCD_KEY=`cat /etc/kubernetes/pki/etcd/etcd-key.pem | base64 -w 0 `
# 替換etcd中的證書base64編碼後的內容
sed -i "s@# etcd-key: null@etcd-key: ${ETCD_KEY}@g; s@# etcd-cert: null@etcd-cert: ${ETCD_CERT}@g; s@# etcd-ca: null@etcd-ca: ${ETCD_CA}@g" calico.yaml
#開啟 etcd_ca 等預設設定(calico啟動後自己生成)。
sed -i 's#etcd_ca: ""#etcd_ca: "/calico-secrets/etcd-ca"#g; s#etcd_cert: ""#etcd_cert: "/calico-secrets/etcd-cert"#g; s#etcd_key: "" #etcd_key: "/calico-secrets/etcd-key" #g' calico.yaml
# 修改Pod網段 196.168.0.0/16
POD_SUBNET="196.168.0.0/16"
sed -i "s@# *- name: CALICO_IPV4POOL_CIDR@ - name: CALICO_IPV4POOL_CIDR@g; s@# *value: *\"[0-9.]*\/[0-9]*\"@ value: \"${POD_SUBNET}\"@g" calico.yaml
# 一定確定是否修改好了
#確認calico是否修改好
grep "CALICO_IPV4POOL_CIDR" calico.yaml -A 1
# 應用calico配置
kubectl apply -f calico.yaml
十、部署coreDNS
git clone https://github.com/coredns/deployment.git
cd deployment/kubernetes
#10.96.0.8 改為 service 網段的 第 10 個ip
./deploy.sh -s -i 10.96.0.8 | kubectl apply -f -
十一、給機器打上標籤
kubectl label node master1 node-role.kubernetes.io/master=''
kubectl label node master2 node-role.kubernetes.io/master=''
kubectl label node master3 node-role.kubernetes.io/master=''
kubectl taints node master1
十二、叢集驗證
① 驗證Pod網路可訪問性:同名稱空間,不同名稱空間可以使用 ip 互相訪問;跨機器部署的Pod也可以互相訪問
② 驗證Service網路可訪問性:叢集機器使用serviceIp可以負載均衡訪問;pod內部可以訪問service域名 serviceName.namespace;pod可以訪問跨名稱空間的service
# 部署以下Deployment用了進行測試
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-1
namespace: default
labels:
app: nginx-1
spec:
selector:
matchLabels:
app: nginx-1
replicas: 1
template:
metadata:
labels:
app: nginx-1
spec:
containers:
- name: nginx-1
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc
namespace: default
spec:
selector:
app: nginx-1
type: ClusterIP
ports:
- name: nginx-svc
port: 80
targetPort: 80
protocol: TCP
---
apiVersion: v1
kind: Namespace
metadata:
name: hello
spec: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-hello
namespace: hello
labels:
app: nginx-hello
spec:
selector:
matchLabels:
app: nginx-hello
replicas: 1
template:
metadata:
labels:
app: nginx-hello
spec:
containers:
- name: nginx-hello
image: nginx
---
apiVersion: v1
kind: Service
metadata:
name: nginx-svc-hello
namespace: hello
spec:
selector:
app: nginx-hello
type: ClusterIP
ports:
- name: nginx-svc-hello
port: 80
targetPort: 80
protocol: TCP
# 給工作節點打上 worker 標籤:
kubectl label nodes node3 node-role.kubernetes.io/worker=''
kubectl label nodes node1 node-role.kubernetes.io/worker=''
kubectl label nodes node2 node-role.kubernetes.io/worker=''
# 給master3節點新增一個為 master 角色的標籤,並給名為 master1 的節點新增一個自定義汙點,以確保新的 Pod 不會被排程到 master1 節點上,除非明確宣告瞭容忍這個汙點
kubectl label nodes master3 node-role.kubernetes.io/master=""
kubectl taint nodes master1 master-node.example.com/dedicated=:NoSchedule