Preface
In the last post we briefly introduced the components of k8s and what each one is for, all explained as I understand them; if I missed anything, feel free to add to it, or go straight to the official site and read its description. This time I will walk you through deploying one part of our k8s.
API server cluster deployment
Step 1
Preparation: have three servers ready: master, node1, node2
(1) Turn off the firewall
# turn off the firewall on all three servers
systemctl stop firewalld
systemctl disable firewalld
(2) Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config # permanent
(3) Disable swap
sed -ri 's/.*swap.*/#&/' /etc/fstab # permanent
(4) Set the host names according to your plan
hostnamectl set-hostname k8s-master1
hostnamectl set-hostname k8s-node1
hostnamectl set-hostname k8s-node2
(5) Set up /etc/hosts on master
cat >> /etc/hosts << EOF
192.168.1.113 k8s-master1
192.168.1.120 k8s-node1
192.168.1.115 k8s-node2
EOF
(6) Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system # apply
(7) Synchronize the time
yum install ntpdate -y
ntpdate time.windows.com
Summary: with that, the preparation is complete. Note that every step except step (5) must also be run on node1 and node2. Do the preparation carefully, otherwise many problems will surface when deploying later.
Step 2
Start building the etcd cluster
Node name    IP
etcd-1       192.168.1.113
etcd-2       192.168.1.120
etcd-3       192.168.1.115
(1) Get the cfssl certificate generation tool ready
※ The API server must be secured; this is one of the features of k8s, so we need to create certificates to encrypt its traffic.
Here we download the cfssl tools on the master node
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
※ Note: keep the file names the same as mine if you can, because the later commands issue the certificates using these names.
(2) Use cfssl to generate certificates for etcd
(2.1) Create a directory to hold the certificates
mkdir -p ~/TLS/{etcd,k8s}
cd ~/TLS/etcd
Self-signed CA:
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
Generate the certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
※ This produces the files ca.pem and ca-key.pem.
(3) Use the self-signed CA to issue the etcd HTTPS certificate
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.1.113",
    "192.168.1.120",
    "192.168.1.115"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
※ The IPs in hosts are your cluster's IPs; you can add two spare ones ahead of time to make later scale-out easier. I will not add them here.
Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
Step 3
(1) Download and install etcd
※ Note: everything up to this point is done on master; set up etcd on master first, then do the worker nodes.
Download URL: https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
(2) Create the working directory and extract the archive
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
(3) Create the etcd configuration file
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.113:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.113:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.113:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.113:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.113:2380,etcd-2=https://192.168.1.120:2380,etcd-3=https://192.168.1.115:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
ETCD_INITIAL_CLUSTER is the list of all cluster node addresses; the other entries use the address of the node itself (master here).
Fill in the addresses to match your own cluster.
(4) Create the systemd unit so etcd can be managed with systemctl
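The per-node differences in etcd.conf and the hosts list of server-csr.json from step 2 go together: every IP that appears in ETCD_INITIAL_CLUSTER must also be a SAN in the etcd certificate, or the TLS handshake to that member fails. The following added example (not code from the post) renders etcd.conf for each of the three nodes from the node table above and checks that every node IP is covered by the CSR's hosts list; the node table and CSR text are constructed to match the values the post uses.

```python
import json

# Constructed node table, the same three nodes the post uses (etcd-1..3).
CLUSTER = [
    ("etcd-1", "192.168.1.113"),
    ("etcd-2", "192.168.1.120"),
    ("etcd-3", "192.168.1.115"),
]

PEER_PORT, CLIENT_PORT = 2380, 2379


def initial_cluster(cluster):
    """Build the ETCD_INITIAL_CLUSTER value listing every peer URL."""
    return ",".join(f"{name}=https://{ip}:{PEER_PORT}" for name, ip in cluster)


def render_etcd_conf(name, cluster, state="new"):
    """Render /opt/etcd/cfg/etcd.conf for the node called `name`.

    Only ETCD_NAME and the four URLs carrying this node's own IP differ
    between nodes; ETCD_INITIAL_CLUSTER is identical on all of them.
    """
    ip = dict(cluster)[name]
    return "\n".join([
        "#[Member]",
        f'ETCD_NAME="{name}"',
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        f'ETCD_LISTEN_PEER_URLS="https://{ip}:{PEER_PORT}"',
        f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:{CLIENT_PORT}"',
        "#[Clustering]",
        f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:{PEER_PORT}"',
        f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:{CLIENT_PORT}"',
        f'ETCD_INITIAL_CLUSTER="{initial_cluster(cluster)}"',
        'ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"',
        f'ETCD_INITIAL_CLUSTER_STATE="{state}"',
    ]) + "\n"


def ips_missing_from_csr(cluster, server_csr_json):
    """Return cluster IPs absent from the server CSR's "hosts" (SAN) list.

    etcd verifies peer and client certificates against the address it dials,
    so an IP present in ETCD_INITIAL_CLUSTER but missing here breaks TLS
    to that member. An empty list means the certificate covers every node.
    """
    hosts = set(json.loads(server_csr_json)["hosts"])
    return [ip for _, ip in cluster if ip not in hosts]


if __name__ == "__main__":
    for node, _ in CLUSTER:
        print(f"--- {node} ---\n{render_etcd_conf(node, CLUSTER)}")
```

Run it once with the real server-csr.json contents before adding a fourth member: any IP it reports must be added to hosts and the certificate re-issued before that member can join.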
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
(5) Copy the certificates generated earlier
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
(6) Start etcd and enable it at boot
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd