文章目录
找到的一个报错博客,挺好的,先放个链接吧~
点这!!!
直接展示!
三台虚拟机,三台机器均为 CentOS 7.6
Master机器:20.0.0.3,安装软件:kube-apiserver、kube-controller-manager、kube-scheduler、etcd
node01机器:20.0.0.4,安装软件:kubelet、kube-proxy、docker、flannel、etcd
node01机器:20.0.0.5,安装软件:kubelet、kube-proxy、docker、flannel、etcd
Master组件介绍:
- kube-apiserver:是集群的统一入口,各个组件的协调者,所有对象资源的增删改查和监听操作都交给APIserver处理,再提交给etcd存储。
- kube-controller-manager:处理群集中常规的后台任务,一个资源对应一个控制器,而controller-manager就是负责管理这些控制器。
- kube-scheduler:根据调度算法为新创建的pod选择一个node节点,可以任意部署,可以部署同一个节点上,也可以部署在不同节点上
node组件介绍:
- kubelet:kube是master在node节点上的Agent,管理本机运行容器的生命周期,比如创建容器、Pod挂载数据卷、下载secret、获取容器和节点状态等工作。kubelet将每个pod转换成一组容器
- kube-proxy:在node节点上实现pod网络代理,维护网络规划和四层负载均衡的工作
- docker:Docker引擎
- flannel:flannel网络
etcd集群介绍:etcd集群在这里分布的部署到了三个节点上
etcd是CoreOS团队于2013年6月发起的开源项目,基于go语言开发,目标是构建一个高可用的分布式键值(key-value)数据库。etcd内部采用raft协议作为一致性算法。
etcd集群数据无中心化集群,有如下特点:
1、简单:安装配置简单,而且提供了HTTP进行交互,使用也很简单
2、安全:支持SSL证书验证
3、快速:根据官方提供的benchmark数据,单实例支持每秒2k+读操作
4、可靠:采用raft算法,实现分布式数据的可用性和一致性
[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
[root@master ~]#
[root@master k8s]# setenforce 0 ##三台都要
[root@master k8s]# iptables -F
[root@localhost ~]# hostnamectl set-hostname node01
[root@localhost ~]# su
[root@node01 ~]#
[root@5centos ~]# hostnamectl set-hostname node02
[root@5centos ~]# su
[root@node02 ~]#
制作证书
[root@master ~]# mkdir k8s
[root@master ~]# cd k8s/
[root@master k8s]# rz -E
rz waiting to receive.
[root@master k8s]# rz -E
rz waiting to receive.
[root@master k8s]# ls ##刚刚拖进来的两个脚本文件
etcd-cert.sh etcd.sh
[root@master k8s]# vim etcd.sh
#!/bin/bash
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
[root@master k8s]# mkdir etcd-cert
[root@master k8s]# mv etcd-cert.sh etcd-cert
[root@master k8s]# cd etcd-cert/
[root@master etcd-cert]# vim etcd-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"10.206.240.111"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master etcd-cert]# cd ..
[root@master k8s]# ls
cfssl cfssl-certinfo cfssljson etcd-cert etcd.sh
[root@master k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@master k8s]# bash cfssl.sh ##下载证书制作工具 cfssl
[root@master k8s]# ls
cfssl cfssl-certinfo cfssljson cfssl.sh etcd-cert etcd.sh
开始制作证书
[root@master k8s]# cat > ca-config.json <<EOF
> {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
实现证书签名
[root@master k8s]# cat > ca-csr.json <<EOF
> {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing"
> }
> ]
> }
> EOF
生成证书,产出 ca-key.pem以及ca.pem
[root@master k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/09/28 18:49:45 [INFO] generating a new CA key and certificate from CSR
2020/09/28 18:49:45 [INFO] generate received request
2020/09/28 18:49:45 [INFO] received CSR
2020/09/28 18:49:45 [INFO] generating key: rsa-2048
2020/09/28 18:49:45 [INFO] encoded CSR
2020/09/28 18:49:45 [INFO] signed certificate with serial number 169762611650761687997043852103407847801640183478
[root@master k8s]# ls
ca-config.json ca-csr.json ca.pem cfssl-certinfo cfssl.sh etcd.sh
ca.csr ca-key.pem cfssl cfssljson etcd-cert
指定你的三个节点进行通信
[root@master k8s]# cat > server-csr.json <<EOF
> {
> "CN": "etcd",
> "hosts": [
> "20.0.0.3",
> "20.0.0.4",
> "20.0.0.5"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing"
> }
> ]
> }
> EOF
生成 ETCD 证书 server-key.pem以及server.pem
[root@master k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master k8s]# ls
ca-config.json ca-key.pem cfssl-certinfo etcd-cert server-csr.json
ca.csr ca.pem cfssljson etcd.sh server-key.pem
ca-csr.json cfssl cfssl.sh server.csr server.pem
ETCD安装
ETCD 二进制包地址
添加链接描述
但是,我有下载好的!哈哈哈哈哈哈嗝!
[root@master k8s]# rz -E
rz waiting to receive.
[root@master k8s]# ls
ca-config.json etcd-cert
ca.csr etcd.sh
ca-csr.json etcd-v3.3.10-linux-amd64.tar.gz
ca-key.pem flannel-v0.10.0-linux-amd64.tar.gz
ca.pem kubernetes-server-linux-amd64.tar.gz
cfssl server.csr
cfssl-certinfo server-csr.json
cfssljson server-key.pem
cfssl.sh server.pem
[root@master k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@master etcd-v3.3.10-linux-amd64]# ls
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
[root@master etcd-v3.3.10-linux-amd64]# mkdir -p /opt/etcd/{bin,ssl,cfg}
[root@master etcd-v3.3.10-linux-amd64]# mv etcd /opt/etcd/bin/
[root@master etcd-v3.3.10-linux-amd64]# mv etcdctl /opt/etcd/bin/
[root@master etcd-v3.3.10-linux-amd64]# chmod +x /opt/etcd/bin/*
[root@master k8s]# cp *.pem /opt/etcd/ssl/ ##把证书考进去
验证服务
[root@master k8s]# bash etcd.sh etcd01 20.0.0.3 etcd02=https://20.0.0.4:2380,etcd03=https://20.0.0.5:2380
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
##等一会看看是不是报连接失败的错误,如果瞬间连接失败,那就真失败了
在另一个终端可以看到他的进程
拷贝证书和启动脚本给 node 节点
[root@master k8s]# scp -r /opt/etcd/ root@20.0.0.4:/opt
[root@master k8s]# scp -r /opt/etcd/ root@20.0.0.5:/opt
[root@master k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.4:/usr/lib/systemd/system/
[root@master k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.5:/usr/lib/systemd/system/
node01/2节点操作
node01
[root@node01 opt]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://20.0.0.4:2380"
ETCD_LISTEN_CLIENT_URLS="https://20.0.0.4:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://20.0.0.4:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://20.0.0.4:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://20.0.0.3:2380,etcd02=https://20.0.0.4:2380,etcd03=https://20.0.0.5:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
node02
[root@node02 ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://20.0.0.5:2380"
ETCD_LISTEN_CLIENT_URLS="https://20.0.0.5:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://20.0.0.5:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://20.0.0.5:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://20.0.0.3:2380,etcd02=https://20.0.0.4:2380,etcd03=https://20.0.0.5:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
两个节点都启动服务
[root@node01 opt]# systemctl start etcd
[root@node01 opt]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
群集状态检查
[root@master ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379" cluster-health
member 515a8fe56f5cb602 is healthy: got healthy result from https://20.0.0.3:2379
member 62e58ffe43df0262 is healthy: got healthy result from https://20.0.0.5:2379
member fab85487b0167e5f is healthy: got healthy result from https://20.0.0.4:2379
cluster is healthy
Docker部署
所有节点安装docker
[root@master /]# vim /etc/sysctl.conf
……末行插入
net.ipv4.ip_forward = 1
[root@master /]# sysctl -p
net.ipv4.ip_forward = 1
[root@master /]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@master /]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@master /]# yum -y install docker-ce
[root@master /]# systemctl start docker
[root@master /]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
Flannel配置
写入分配的子网段到ETCD中,供flannel使用
[root@master /]# cd /opt/etcd/ssl/
[root@master ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
查看写入的信息
[root@master ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
拷贝安装包到节点
[root@master ssl]# cd ~/k8s/
[root@master k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.4:/root
root@20.0.0.4's password:
Permission denied, please try again.
root@20.0.0.4's password:
flannel-v0.10.0-linux-amd64.tar.gz 100% 9479KB 96.3MB/s 00:00
[root@master k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.5:/root
root@20.0.0.5's password:
flannel-v0.10.0-linux-amd64.tar.gz 100% 9479KB 107.0MB/s 00:00
节点解压
[root@node01 opt]# cd ~
[root@node01 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
flanneld
mk-docker-opts.sh
README.md
[root@node01 ~]# mkdir -p /opt/kubernetes/{cfg,bin,ssl}
[root@node01 ~]# mv flanneld /opt/kubernetes/bin
[root@node01 ~]# mv mk-docker-opts.sh /opt/kubernetes/bin/
[root@node01 ~]# vim flannel.sh
#!/bin/bash
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
开启flannel网络功能
[root@node01 ~]# bash flannel.sh https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
配置docker连接flannel
[root@node01 ~]# vim /usr/lib/systemd/system/docker.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
[root@node01 ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.87.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.87.1/24 --ip-masq=false --mtu=1450"
重启docker服务
[root@node01 ~]# systemctl daemon-reload
[root@node01 ~]# systemctl restart docker
查看flanner网络
##保证docker0和flannel在同一网段,差不多就可以了
[root@node01 ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.87.1
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.87.0
[root@node02 ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.95.1
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.95.0
[root@node01 ~]# ping 172.17.87.1
PING 172.17.87.1 (172.17.87.1) 56(84) bytes of data.
64 bytes from 172.17.87.1: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 172.17.87.1: icmp_seq=2 ttl=64 time=0.042 ms
64 bytes from 172.17.87.1: icmp_seq=3 ttl=64 time=0.067 ms
64 bytes from 172.17.87.1: icmp_seq=4 ttl=64 time=0.038 ms
64 bytes from 172.17.87.1: icmp_seq=5 ttl=64 time=0.043 ms
^C
--- 172.17.87.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.038/0.048/0.067/0.010 ms
进入容器,容器ping容器
[root@node01 ~]# docker run -itd centos:7 /bin/bash
[root@node01 ~]# docker exec -it suspicious_wing /bin/bash
[root@8d56f6d1eda4 /]# yum -y install net-tools
[root@8d56f6d1eda4 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.87.2
[root@node02 ~]# docker run -it --name zeroone centos:7 /bin/bash
[root@ad6198c9d0fa /]# yum -y install net-tools
[root@ad6198c9d0fa /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.95.2
[root@ad6198c9d0fa /]# ping 172.17.87.2
PING 172.17.87.2 (172.17.87.2) 56(84) bytes of data.
64 bytes from 172.17.87.2: icmp_seq=1 ttl=62 time=0.550 ms
64 bytes from 172.17.87.2: icmp_seq=2 ttl=62 time=0.504 ms
64 bytes from 172.17.87.2: icmp_seq=3 ttl=62 time=0.497 ms
64 bytes from 172.17.87.2: icmp_seq=4 ttl=62 time=0.994 ms
^C
--- 172.17.87.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 0.497/0.636/0.994/0.208 ms
flanner网络构建完成
Master组件部署
证书制作
[root@master k8s]# rz -E ##上传master压缩包
rz waiting to receive.
[root@master k8s]# ls
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz
etcd-cert.sh flannel-v0.10.0-linux-amd64.tar.gz
etcd.sh kubernetes-server-linux-amd64.tar.gz
etcd-v3.3.10-linux-amd64 master.zip
[root@master k8s]# unzip master.zip
Archive: master.zip
inflating: apiserver.sh
inflating: controller-manager.sh
inflating: scheduler.sh
[root@master k8s]# mkdir k8s-cset
[root@master k8s]# cd k8s-cset/
[root@master k8s-cset]# vim k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"20.0.0.3", ##master1
"20.0.0.6", ##master2,后面做多节点时候用到的,备用
"20.0.0.150", //vip
"20.0.0.7", //nginx反向代理以及keepalivedIP,备用
"20.0.0.8", //同上
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
[root@master k8s-cset]# bash k8s-cert.sh ##生成证书
[root@master k8s-cset]# ls *pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
[root@master k8s-cset]# mkdir -p /opt/kubernetes/{cfg,ssl,bin}
[root@master k8s-cset]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@master k8s-cset]# cd ..
开始部署
[root@master k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@master k8s]# cd kubernetes/server/bin/
[root@master bin]# cp kubectl kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@master bin]# cd ~/k8s/
[root@master k8s]# head -c 16 /dev/urandom |od -An -t x |tr -d ''
111ef09d 2e56c654 fc830492 30a8690f
[root@master k8s]# vim /opt/kubernetes/cfg/token.csv
111ef09d2e56c654fc83049230a8690f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@master k8s]# vim apiserver.sh
#!/bin/bash
MASTER_ADDRESS=$1
ETCD_SERVERS=$2
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
[root@master k8s]# bash apiserver.sh 20.0.0.3 https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
[root@master k8s]# ps -aux |grep kube ##出来一堆就差不多了
[root@master k8s]# cat /opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379 \
--bind-address=20.0.0.3 \
--secure-port=6443 \
--advertise-address=20.0.0.3 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
[root@master k8s]# netstat -natp |grep 6443
tcp 0 0 20.0.0.3:6443 0.0.0.0:* LISTEN 65276/kube-apiserve
tcp 0 0 20.0.0.3:38426 20.0.0.3:6443 ESTABLISHED 65276/kube-apiserve
tcp 0 0 20.0.0.3:6443 20.0.0.3:38426 ESTABLISHED 65276/kube-apiserve
[root@master k8s]# netstat -natp |grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 65276/kube-apiserve
[root@master k8s]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master k8s]# ps aux |grep ku
[root@master k8s]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
master节点检查
[root@master bin]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}
Node节点部署
控制文件
master上操作
[root@master bin]# scp kubectl kube-proxy root@20.0.0.4:/opt/kubernetes/bin
[root@master bin]# scp kubectl kube-proxy root@20.0.0.5:/opt/kubernetes/bin
node01操作
[root@node01 ~]# rz -E ##上传脚本文件,并解压
rz waiting to receive.
[root@node01 ~]# unzip node.zip
master操作
[root@master k8s]# mkdir kubeconfig
[root@master k8s]# cd kubeconfig/
[root@master kubeconfig]# rz -E ##上传脚本文件
rz waiting to receive.
[root@master kubeconfig]# mv kubeconfig.sh kubeconfig
[root@master kubeconfig]# cat /opt/kubernetes/cfg/token.csv
111ef09d2e56c654fc83049230a8690f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@master kubeconfig]# vim kubeconfig
APISERVER=$1
SSL_DIR=$2
# 创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# 设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=111ef09d2e56c654fc83049230a8690f \
--kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
设置环境变量
还是在matser上
[root@master kubeconfig]# vim /etc/profile
export PATH=$PATH:/opt/kubernetes/bin/ ##末行插入
[root@master kubeconfig]# source /etc/profile
[root@master kubeconfig]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
生成配置文件
同master
[root@master kubeconfig]# bash kubeconfig 20.0.0.3 ~/k8s/k8s-cest/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@master kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
将配置文件复制给到node节点
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.4:/opt/kubernetes/cfg/
root@20.0.0.4's password:
bootstrap.kubeconfig 100% 2162 1.1MB/s 00:00
kube-proxy.kubeconfig 100% 6268 5.7MB/s 00:00
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.5:/opt/kubernetes/cfg/
root@20.0.0.5's password:
bootstrap.kubeconfig 100% 2162 956.9KB/s 00:00
kube-proxy.kubeconfig 100% 6268 6.4MB/s 00:00
创建bootstrap角色赋予权限用于连接apiserver请求签名
[root@master kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
node1操作
[root@node01 ~]# bash kubelet.sh 20.0.0.4
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node01 ~]# ps aux |grep kube
root 75320 0.0 0.8 325908 15384 ? Ssl 22:22 0:03 /opt/kubernetes/bin/flanneld --ip-masq --etcd-endpoints=https://20.0.0.3:2379,https://20.0.0.4:2379,https://20.0.0.5:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
root 84962 0.0 0.0 112724 988 pts/2 S+ 23:37 0:00 grep --color=auto kube
回到master,查看node1的请求
[root@localhost cfg]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-3vLGIhLm3piZ-y5NiVPetotUq8iP-BEvymbkzrUpKfw 10s kubelet-bootstrap Pending ##等待集群给该节点颁发证书
[root@localhost cfg]# kubectl certificate approve node-csr-3vLGIhLm3piZ-y5NiVPetotUq8iP-BEvymbkzrUpKfw
certificatesigningrequest.certificates.k8s.io/node-csr-3vLGIhLm3piZ-y5NiVPetotUq8iP-BEvymbkzrUpKfw approved
[root@localhost cfg]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-3vLGIhLm3piZ-y5NiVPetotUq8iP-BEvymbkzrUpKfw 4m31s kubelet-bootstrap Approved,Issued ##已经被允许加入群集
[root@localhost cfg]# kubectl get node
NAME STATUS ROLES AGE VERSION
20.0.0.4 Ready <none> 87s v1.12.3
启动proxy服务
[root@localhost ~]# bash proxy.sh 20.0.0.4
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@localhost ~]# systemctl status kube-proxy
● kube-proxy.service - Kubernetes Proxy
Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
Active: active (running) since 三 2020-09-30 12:03:37 CST; 45s ago
Main PID: 87249 (kube-proxy)
node02节点部署
node1节点复制给node2
[root@localhost ~]# scp -r /opt/kubernetes/ root@20.0.0.5:/opt/
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@20.0.0.5:/usr/lib/systemd/system/
root@20.0.0.5's password:
kubelet.service 100% 264 111.4KB/s 00:00
kube-proxy.service 100% 231 282.9KB/s 00:00
node2操作
[root@5centos ~]# cd /opt/kubernetes/ssl/
[root@5centos ssl]# ls
kubelet-client-2020-09-30-12-01-11.pem kubelet.crt
kubelet-client-current.pem kubelet.key
[root@5centos ssl]# rm -rf * ##删除node1的证书
[root@5centos ssl]# ls
[root@5centos ssl]# cd ../cfg/
[root@5centos cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=20.0.0.5 \ ##改成自己
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
[root@5centos cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 20.0.0.5
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
~
[root@5centos cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=20.0.0.5 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
[root@5centos cfg]# systemctl start kubelet
[root@5centos cfg]# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@5centos cfg]# systemctl start kube-proxy.service
[root@5centos cfg]# systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
master查看请求,并授权加入
[root@localhost cfg]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-3vLGIhLm3piZ-y5NiVPetotUq8iP-BEvymbkzrUpKfw 16m kubelet-bootstrap Approved,Issued
node-csr-mNFGgZl6rxXCJlGK19lS83tIHc4WU9bhKXUpXZgtlrs 41s kubelet-bootstrap Pending
[root@localhost cfg]# kubectl certificate approve node-csr-mNFGgZl6rxXCJlGK19lS83tIHc4WU9bhKXUpXZgtlrs
certificatesigningrequest.certificates.k8s.io/node-csr-mNFGgZl6rxXCJlGK19lS83tIHc4WU9bhKXUpXZgtlrs approved
[root@localhost cfg]# kubectl get node
NAME STATUS ROLES AGE VERSION
20.0.0.4 Ready <none> 12m v1.12.3
20.0.0.5 Ready <none> 14s v1.12.3
问题!如果不行就检查证书!!!
气死我了气死我了!!!!
258
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
