來了,k8s!-----------------k8s叢集部署
k8s的叢集部署,官方提供了三種方式:
- minikube
Minikube是一個工具,可以在本地快速執行的一個單點的k8s,僅用於嘗試k8s或日常開發的使用者使用。部署地址:https://kubernetes.io/docs/setup/minikube/ - kubeadm
Kubeadm也是一個工具,提供kubeadm init和kubeadm join,用於快速部署k8s叢集。部署地址:https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/ - 二進位制包
推薦,從官方下載發行版的二進位制包,手動部署每個元件,組成Kubernetes叢集。下載地址:https://github.com/kubernetes/kubernetes/releases
(其中minikube一般不用;kubeadm一般中小型公司喜歡用,因為方便、快捷,但如果出現問題,排障較困難;二進位制包的部署方式是比較推薦的,手動部署可以對每個元件進行配置,當出現故障時可以通過定位故障點進行排障,但需要對二進位制安裝熟悉)
單master叢集架構圖
多master叢集架構圖
自籤SSL證書
Etcd資料庫叢集部署
- 二進位制包下載地址
https://github.com/etcd-io/etcd/releases - 檢視叢集狀態
/opt/etcd/bin/etcd/etcdctl \
--ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
--endpoints=”https://192.168.0.x:2379,https://192.168.0.x:2379,https://192.168.0.x:2379” \
cluster-health
Flannel容器叢集網路部署
- Overlay Network:覆蓋網路,在基礎網路上疊加的一種虛擬網路技術模式,該網路中的主機通過虛擬鏈路連線起來。
- VXLAN:將源資料包封裝到UDP中,並使用基礎網路的IP/MAC作為外層報文頭進行封裝,然後在乙太網上傳輸,到達目的地後由隧道端點解封裝並將資料傳送給目標地址。
- Flannel:是Overlay網路的一種,也是將源資料包封裝在另一種網路包裡進行路由轉發和通訊,目前已經支援UDP、VXLAN、AWS VPC和GCE路由等資料轉發方式。
Flannel容器叢集網路部署
k8s二進位制部署
伺服器規劃:
| 伺服器 | IP |
|---|---|
| master1 | 20.0.0.31/24 |
| master2 | 20.0.0.34/24 |
| node1 | 20.0.0.32/24 |
| node2 | 20.0.0.33/24 |
| lb1 | 20.0.0.35/24 |
| lb2 | 20.0.0.36/ 24 |
| Harbor私有倉庫 | 20.0.0.37/24 |
下載官方構建好的二進位制包:
官網地址:https://github.com/kubernetes/kubernetes/releases?after=v1.13.1
//在master上操作
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s/
[root@localhost ~]# vim etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
[root@localhost ~]# vim etcd-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"10.206.240.188",
"10.206.240.189",
"10.206.240.111"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@localhost k8s]# ls
etcd.sh etcd-cert.sh
#下載證書製作工具
[root@localhost k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
#下載cfssl官方包
[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl cfssl-certinfo cfssljson
#cfssl 生成證書工具
#cfssljson通過傳入json檔案生成證書
#cfssl-certinfo檢視證書資訊
#定義ca證書
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
#實現證書籤名
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
#生產證書,生成ca-key.pem ca.pem
[root@localhost etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
(提示資訊)
2020/01/13 16:32:56 [INFO] generating a new CA key and certificate from CSR
2020/01/13 16:32:56 [INFO] generate received request
2020/01/13 16:32:56 [INFO] received CSR
2020/01/13 16:32:56 [INFO] generating key: rsa-2048
2020/01/13 16:32:56 [INFO] encoded CSR
2020/01/13 16:32:56 [INFO] signed certificate with serial number 595395605361409801445623232629543954602649157326
#指定etcd三個節點之間的通訊驗證(因為這裡先部署單節點,1個master+2個node,要將3個etcd部署在這3個節點,所以指定的是這3個伺服器的IP)
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"20.0.0.31",
"20.0.0.32",
"20.0.0.33"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
#生成ETCD證書 server-key.pem server.pem
[root@localhost etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
(提示資訊)
2020/01/13 17:01:30 [INFO] generate received request
2020/01/13 17:01:30 [INFO] received CSR
2020/01/13 17:01:30 [INFO] generating key: rsa-2048
2020/01/13 17:01:30 [INFO] encoded CSR
2020/01/13 17:01:30 [INFO] signed certificate with serial number 202782620910318985225034109831178600652439985681
2020/01/13 17:01:30 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
#ETCD 二進位制包地址:https://github.com/etcd-io/etcd/releases
下載這些包:
etcd-v3.3.10-linux-amd64.tar.gz
flannel-v0.10.0-linux-amd64.tar.gz
kubernetes-server-linux-amd64.tar.gz
#將這三個包放到當前目錄下
[root@localhost etcd-cert]# ls
ca-config.json etcd-cert.sh server-csr.json
ca.csr etcd-v3.3.10-linux-amd64.tar.gz server-key.pem
ca-csr.json flannel-v0.10.0-linux-amd64.tar.gz server.pem
ca-key.pem kubernetes-server-linux-amd64.tar.gz
ca.pem server.cs cfssl.sh
(此時該目錄下的所有東西)
[root@localhost etcd-cert]# mv *.tar.gz ../
[root@localhost etcd-cert]# cd ..
[root@localhost k8s]# ls
cfssl.sh etcd.sh flannel-v0.10.0-linux-amd64.tar.gz
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
[root@localhost k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p //配置檔案,命令檔案,證書
[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
#證書拷貝
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/
#等待其他節點加入,這時會進入等待狀態,這時候輸入不了命令
[root@localhost k8s]# bash etcd.sh etcd01 20.0.0.31 etcd02=https://20.0.0.32:2380,etcd03=https://20.0.0.33:2380
#使用另外一個會話開啟,會發現etcd程式已經開啟
[root@localhost ~]# ps -ef | grep etcd
#拷貝證書到其他節點(node1、node2)
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.32:/usr/lib/systemd/system/
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.33:/usr/lib/systemd/system/
//在node1節點修改複製過來的etcd配置檔案
[root@localhost ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02" (這裡原本是etcd01,因為是複製過來的所以需要改一下,改為etcd02)
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://20.0.0.32:2380" (IP改為node1的IP)
ETCD_LISTEN_CLIENT_URLS="https://20.0.0.32:2379" (IP改為node1的IP)
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://20.0.0.32:2380" (IP改為node1的IP)
ETCD_ADVERTISE_CLIENT_URLS="https://20.0.0.32:2379" (IP改為node1的IP)
ETCD_INITIAL_CLUSTER="etcd01=https://20.0.0.31:2380,etcd02=https://20.0.0.32:2380,etcd03=https://20.0.0.33:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#啟動etcd服務
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd
//在node2節點修改
[root@localhost ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03" (這裡原本是etcd01,因為是複製過來的所以需要改一下,改為etcd03)
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://20.0.0.33:2380" (IP改為node2的IP)
ETCD_LISTEN_CLIENT_URLS="https://20.0.0.33:2379" (IP改為node2的IP)
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://20.0.0.33:2380" (IP改為node2的IP)
ETCD_ADVERTISE_CLIENT_URLS="https://20.0.0.33:2379" (IP改為node2的IP)
ETCD_INITIAL_CLUSTER="etcd01=https://20.0.0.31:2380,etcd02=https://20.0.0.32:2380,etcd03=https://20.0.0.33:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#啟動etcd服務
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd
//在master上檢查叢集狀態
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379" cluster-health
(提示資訊)
member 3eae9a550e2e3ec is healthy: got healthy result from https://20.0.0.33:2379
member 26cd4dcf17bc5cbd is healthy: got healthy result from https://20.0.0.32:2379
member 2fcd2df8a9411750 is healthy: got healthy result from https://20.0.0.31:2379
cluster is healthy
(所有節點都有並且出現cluster is healthy就OK)
#在所有node節點部署docker引擎
1.安裝依賴包
yum install -y yum-utils device-mapper-persistent-data lvm2
2.設定阿里雲映象源
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
3.安裝Docker-CE
yum install -y docker-ce
4.開啟docker服務並設定開機自啟
systemctl start docker.service
systemctl enable docker.service
5.配置映象加速
配置映象加速器:
在阿里雲的自己的賬號裡找到加速地址,填入下方的中括號裡。
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors":["https://xxxxxxxx.aliyuncs.com"]
}
EOF
(加速地址在阿里雲上可以通過自己的賬號看到,每個賬號都有個單獨的加速地址
systemctl daemon-reload
systemctl restart docker
6.網路優化
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
service network restart
systemctl restart docker
flannel網路配置
//寫入分配的子網段到ETCD中,供flannel使用
//在master操作
#寫入資訊
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
(提示資訊)
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
#檢視寫入的資訊
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379" get /coreos.com/network/config
(提示資訊)
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
#拷貝到所有node節點(只需要部署在node節點)
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.32:/root
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.33:/root
//在所有node節點操作,這裡是node1和node2
#將flannel安裝包傳到node節點伺服器上
[root@localhost ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
flanneld
mk-docker-opts.sh
README.md
#建立一個k8s工作目錄
[root@localhost ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
#編寫flannel指令碼
#!/bin/bash
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
#開啟flannel網路功能
[root@localhost ~]# bash flannel.sh https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379
(提示資訊)
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
#配置docker連線flannel
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
(在以下位置新增需要的配置)
EnvironmentFile=/run/flannel/subnet.env 及 $DOCKER_NETWORK_OPTIONS
新增的位置:
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env(這個是新增上去的)
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS(這個是新增上去的) -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
[root@localhost ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.42.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
#說明:bip指定啟動時的子網
DOCKER_NETWORK_OPTIONS=" --bip=172.17.42.1/24 --ip-masq=false --mtu=1450"
#重啟docker服務
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
#檢視flannel網路(每個節點不一樣,根據自己看到的網段為準)
[root@localhost ~]# ifconfig
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.84.0 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::fc7c:e1ff:fe1d:224 prefixlen 64 scopeid 0x20<link>
ether fe:7c:e1:1d:02:24 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 26 overruns 0 carrier 0 collisions 0
#測試ping通對方docker0網路卡驗證flannel起到路由作用
[root@localhost ~]# docker run -it centos:7 /bin/bash
[root@5f9a65565b53 /]# yum install net-tools -y
然後ping另一個節點的flannel地址
如果能夠ping通,就OK了
部署master元件
//在master上操作,api-server生成證書
#將master.zip傳到master節點伺服器上
[root@localhost k8s]# unzip master.zip
[root@localhost k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost k8s]# mkdir k8s-cert
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# vim k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"20.0.0.31", //master1
"20.0.0.34", //master2
"20.0.0.100", //vip
"20.0.0.35", //lb (負載均衡master)
"20.0.0.36", //lb (負載均衡backup)
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
[root@localhost k8s-cert]# ls
k8s-cert.sh
#生成k8s證書
[root@localhost k8s-cert]# bash k8s-cert.sh
##檢視所有證書
[root@localhost k8s-cert]# ls *pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
##複製ca開頭的、server開頭的所有證書到 /opt/kubernetes/ssl下
[root@localhost k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
#解壓kubernetes壓縮包
[root@localhost k8s-cert]# cd ..
[root@localhost k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@localhost k8s]# cd /root/k8s/kubernetes/server/bin
#複製關鍵命令檔案到/opt/kubernetes/bin/
[root@localhost bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
#建立角色,用token.csv
[root@localhost k8s]# cd /root/k8s
[root@localhost k8s]# vim /opt/kubernetes/cfg/token.csv
0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
(序列號,使用者名稱,id,角色)
序列號每個都不一樣,在編輯之前用命令隨機生成序列號,命令如下
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
#二進位制檔案,token,證書都準備好後,開啟apiserver
[root@localhost k8s]# bash apiserver.sh 20.0.0.31 https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379
(提示資訊)
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
#檢查程式是否啟動成功
[root@localhost k8s]# ps aux | grep kube
#檢視配置檔案
[root@localhost k8s]# cat /opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379 \
--bind-address=20.0.0.31 \
--secure-port=6443 \
--advertise-address=20.0.0.31 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
#監聽的https埠
[root@localhost k8s]# netstat -ntap | grep 6443
tcp 0 0 192.168.195.149:6443 0.0.0.0:* LISTEN 46459/kube-apiserve
tcp 0 0 192.168.195.149:6443 20.0.0.31:36806 ESTABLISHED 46459/kube-apiserve
tcp 0 0 192.168.195.149:36806 20.0.0.31:6443 ESTABLISHED 46459/kube-apiserve
[root@localhost k8s]# netstat -ntap | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
#啟動controller-manager
[root@localhost k8s]# chmod +x controller-manager.sh
[root@localhost k8s]# ./controller-manager.sh 127.0.0.1
(提示資訊)
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
#檢視master 節點狀態
[root@localhost k8s]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
node節點部署
//在master上操作
#把 kubelet、kube-proxy拷貝到node節點上去
[root@localhost bin]# scp kubelet kube-proxy root@20.0.0.32:/opt/kubernetes/bin/
[root@localhost bin]# scp kubelet kube-proxy root@20.0.0.33:/opt/kubernetes/bin/
//在nod01節點操作(將node.zip傳到/root目錄下解壓)
[root@localhost ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz node.zip 公共 視訊 文件 音樂
flannel.sh initial-setup-ks.cfg README.md 模板 圖片 下載 桌面
#解壓node.zip,獲得kubelet.sh proxy.sh
[root@localhost ~]# unzip node.zip
//在master上操作
[root@localhost k8s]# mkdir kubeconfig
[root@localhost k8s]# cd kubeconfig/
#拷貝kubeconfig.sh檔案進行重新命名
[root@localhost kubeconfig]# mv kubeconfig.sh kubeconfig
[root@localhost kubeconfig]# vim kubeconfig
刪除以下部分:
# 建立 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
#獲取token資訊,在master上看
[root@localhost ~]# cat /opt/kubernetes/cfg/token.csv
6351d652249951f79c33acdab329e4c4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
# 設定客戶端認證引數
kubectl config set-credentials kubelet-bootstrap \
--token=6351d652249951f79c33acdab329e4c4(這裡填入剛才檢視的序列號) \
--kubeconfig=bootstrap.kubeconfig
#設定環境變數(可以寫入到/etc/profile中)
[root@localhost kubeconfig]# vim kubeconfig
(將export PATH=$PATH:/opt/kubernetes/bin/新增到末尾行)
//[root@localhost kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/ (也可以直接寫入)
[root@localhost kubeconfig]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
#生成配置檔案
[root@localhost kubeconfig]# bash kubeconfig 20.0.0.31 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@localhost kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
#拷貝配置檔案到node節點
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.32:/opt/kubernetes/cfg/
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.33:/opt/kubernetes/cfg/
#建立bootstrap角色賦予許可權用於連線apiserver請求籤名(關鍵)
[root@localhost kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
(提示資訊)
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
//在node01節點上操作
[root@localhost ~]# bash kubelet.sh 20.0.0.32
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
#檢查kubelet服務啟動
[root@localhost ~]# ps aux | grep kube
root 106845 1.4 1.1 371744 44780 ? Ssl 00:34 0:01 /opt/kubernetes/bin/kubelet --logtostderr=true --v=4 --hostname-override=192.168.195.150 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubconfig --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfgkubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 106876 0.0 0.0 112676 984 pts/0 S+ 00:35 0:00 grep --color=auto kube
//在master上操作
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A 4m27s kubelet-bootstrap Pending(等待叢集給該節點頒發證書)
[root@localhost kubeconfig]# kubectl certificate approve node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A
(後面的NAME每個都不一樣,要複製下來)
#繼續檢視證書狀態
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A 8m56s kubelet-bootstrap Approved,Issued(已經被允許加入群集)
#檢視叢集節點,成功加入node1節點
[root@localhost kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
20.0.0.32 Ready <none> 118s v1.12.3
#在node1節點操作,啟動proxy服務
[root@localhost ~]# bash proxy.sh 20.0.0.32
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@localhost ~]# systemctl status kube-proxy.service
(runnning狀態)
node2節點部署
//在node1節點操作
#把現成的/opt/kubernetes目錄複製到node2節點進行修改
[root@localhost ~]# scp -r /opt/kubernetes/ root@20.0.0.33:/opt/
#把kubelet,kube-proxy的service檔案拷貝到node2中
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@20.0.0.33:/usr/lib/systemd/system/
//在node2上操作,進行修改
#首先刪除複製過來的證書,等會node2會自行申請證書
[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *
#修改配置檔案kubelet kubelet.config kube-proxy(三個配置檔案)
[root@localhost ssl]# cd ../cfg/
[root@localhost cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=20.0.0.33 \ (原來是20.0.0.32,改成20.0.0.33)
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
[root@localhost cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 20.0.0.33 (原來是20.0.0.32,改成20.0.0.33)
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=20.0.0.33 \ (原來是20.0.0.32,改成20.0.0.33)
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
#啟動服務
[root@localhost cfg]# systemctl start kubelet.service
[root@localhost cfg]# systemctl enable kubelet.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@localhost cfg]# systemctl start kube-proxy.service
[root@localhost cfg]# systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
//在master上操作檢視請求
[root@localhost k8s]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-OaH9HpIKh6AKlfdjEKm4C6aJ0UT_1YxNaa70yEAxnsU 15s kubelet-bootstrap Pending
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A 4m27s kubelet-bootstrap approve
(這裡又有一個Pending狀態的請求,跟剛才一樣授權許可加入叢集)
#授權許可加入群集
[root@localhost k8s]# kubectl certificate approve node-csr-OaH9HpIKh6AKlfdjEKm4C6aJ0UT_1YxNaa70yEAxnsU
#檢視群集中的節點
[root@localhost k8s]# kubectl get node
NAME STATUS ROLES AGE VERSION
20.0.0.32 Ready <none> 11h v1.12.3
20.0.0.33 Ready <none> 11h v1.12.3
至此,單節點部署完成。
部署master2節點
#關閉防火牆、核心
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
vim /etc/selinux/config
SELINUX=disabled
//在master1上操作
#複製kubernetes目錄到master2
[root@localhost k8s]# scp -r /opt/kubernetes/ root@20.0.0.34:/opt
#複製master中的三個元件啟動指令碼
kube-apiserver.service kube-controller-manager.service kube-scheduler.service
[root@localhost k8s]# scp /usr/lib/systemd/system/{kube-apiserver,kube-controller-manager,kube-scheduler}.service root@20.0.0.34:/usr/lib/systemd/system/
//在master2上操作
#修改配置檔案kube-apiserver中的IP
[root@localhost ~]# cd /opt/kubernetes/cfg/
[root@localhost cfg]# vim kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://20.0.0.31:2379,https://20.0.0.32:2379,https://20.0.0.33:2379 \
--bind-address=20.0.0.34 \ (原來是master1的IP,現在改成master2的IP)
--secure-port=6443 \
--advertise-address=20.0.0.34 \ (原來是master1的IP,現在改成master2的IP)
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
#master2一定要有etcd證書,這裡拷貝master1上已有的etcd證書給master2使用
[root@localhost k8s]# scp -r /opt/etcd/ root@20.0.0.34:/opt/
#啟動master2中的三個元件服務
[root@localhost cfg]# systemctl start kube-apiserver.service
[root@localhost cfg]# systemctl start kube-controller-manager.service
[root@localhost cfg]# systemctl start kube-scheduler.service
#新增環境變數
[root@localhost cfg]# vim /etc/profile
在末尾新增:export PATH=$PATH:/opt/kubernetes/bin/
[root@localhost cfg]# source /etc/profile
[root@localhost cfg]# kubectl get node
NAME STATUS ROLES AGE VERSION
20.0.0.32 Ready <none> 2d12h v1.12.3
20.0.0.33 Ready <none> 38h v1.12.3
至此,多節點部署完成。
現在已經有兩個master,兩個node,三個etcd分別部署在master1、node1、node2上。
相關文章
- kubeadm部署K8S叢集K8S
- Ansible部署K8s叢集K8S
- k8s 部署生產vault叢集K8S
- K8S如何部署Redis(單機、叢集)K8SRedis
- 通過kubeadm工具部署k8s叢集K8S
- 【k8s】使用Terraform一鍵部署EKS叢集K8SORM
- 基於kubeasz部署高可用k8s叢集K8S
- AnolisOS7.9部署K8s叢集K8S
- 升級 kubeadm 部署的 k8s 叢集K8S
- k8s叢集部署K8S
- 基於Ubuntu部署企業級kubernetes叢集---k8s叢集容部署UbuntuK8S
- 日誌分析系統 - k8s部署ElasticSearch叢集K8SElasticsearch
- 純手工搭建k8s叢集-(2)核心模組部署K8S
- Kubernetes(k8s)部署redis-cluster叢集K8SRedis
- Apache SeaTunnel k8s 叢集模式 Zeta 引擎部署指南ApacheK8S模式
- Kubernetes(k8s)叢集部署(k8s企業級Docker容器集K8SDocker
- k8s之叢集管理K8S
- 多k8s叢集管理K8S
- k8s 叢集升級K8S
- 刪除k8s叢集K8S
- 【趙強老師】使用kubeadmin部署K8s叢集K8S
- Mac + Docker + K8S 本地搭建K8S叢集MacDockerK8S
- k8s單master叢集部署K8SAST
- Kubeadm叢集部署k8sK8S
- 使用Kubeadm建立k8s叢集之部署規劃(三十)K8S
- prometheus監控k8s叢集PrometheusK8S
- Ubuntu 安裝k8s叢集UbuntuK8S
- centos安裝k8s叢集CentOSK8S
- 教你如何搭建K8S叢集。K8S
- k8s——搭建叢集環境K8S
- python管理k8s叢集PythonK8S
- K8s叢集證書更新K8S
- k8s筆記6--使用kubeadm快速部署k8s叢集 v1.19.4K8S筆記
- 用 edgeadm 一鍵安裝邊緣 K8s 叢集和原生 K8s 叢集K8S
- kubeadm實現k8s高可用叢集環境部署與配置K8S
- 使用Kubeadm建立k8s叢集之節點部署(三十一)K8S
- [譯]單應用跨多k8s叢集的部署與管理K8S
- 容器化 | 在 K8s 上部署 RadonDB MySQL Operator 和叢集K8SMySql