K8s——完整单节点二进制部署
相关软件包及文档:
链接:https://pan.baidu.com/s/1l4vVCkZ03la-VpIFXSz1dA
提取码:rg99
实验步骤
-------etcd群集部署-------
1:自签ETCD证书
2:ETCD部署
3:Node安装docker
4:Flannel部署(先写入子网到etcd)
---------master----------
5:自签APIServer证书
6:部署APIServer组件(token,csv)
7:部署controller-manager(指定apiserver证书)和scheduler组件
----------node----------
8:生成kubeconfig(bootstrap,kubeconfig和kube-proxy.kubeconfig)
9:部署kubelet组件
10:部署kube-proxy组件
----------加入群集----------
11:kubectl get csr && kubectl certificate approve 允许办法证书,加入群集
12:添加一个node节点
13:查看kubectl get node 节点
环境准备
master节点:
CentOS 7-1:192.168.217.130
node节点:
CentOS 7-3:192.168.217.132 docker
CentOS 7-4:192.168.217.133 docker
etcd群集部署
master节点操作
关闭防火墙和安全功能
[root@localhost k8s]# systemctl stop firewalld.service
[root@localhost k8s]# setenforce 0
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# mv etcd-cert.sh etcd-cert
[root@localhost k8s]# ls
etcd-cert etcd.sh
[root@localhost k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
//下载cfssl官方包
[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl cfssl-certinfo cfssljson
//cfssl 生成证书工具 cfssljson通过传入json文件生成证书
cfssl-certinfo查看证书信息
[root@localhost k8s]# cd etcd-cert/
//定义CA证书
[root@localhost etcd-cert]# cat > ca-config.json <<EOF
{
"signing":{
"default":{
"expiry":"87600h"
},
"profiles":{
"www":{
"expiry":"87600h",
"usages":[
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
[root@localhost etcd-cert]# ls
ca-config.json etcd-cert.sh
//实现证书签名
[root@localhost etcd-cert]# cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
[root@localhost etcd-cert]# ls
ca-config.json ca-csr.json etcd-cert.sh
//生成证书,生成ca-key.pem ca.pem
[root@localhost etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/02/09 12:02:25 [INFO] generating a new CA key and certificate from CSR
2020/02/09 12:02:25 [INFO] generate received request
2020/02/09 12:02:25 [INFO] received CSR
2020/02/09 12:02:25 [INFO] generating key: rsa-2048
2020/02/09 12:02:25 [INFO] encoded CSR
2020/02/09 12:02:25 [INFO] signed certificate with serial number 414178568497244453573198793884960056974675134689
//指定etcd三个节点之间的通信验证
[root@localhost etcd-cert]# cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.217.130",
"192.168.217.132",
"192.168.217.133"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
//生成ETCD证书 server-key.pem server.pem
[root@localhost etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2020/02/09 12:04:11 [INFO] generate received request
2020/02/09 12:04:11 [INFO] received CSR
2020/02/09 12:04:11 [INFO] generating key: rsa-2048
2020/02/09 12:04:11 [INFO] encoded CSR
2020/02/09 12:04:11 [INFO] signed certificate with serial number 39681540923464063462555913584059096025181981744
2020/02/09 12:04:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
上传下列三个压缩包
继续在master节点上操作
[root@localhost etcd-cert]# ls
ca-config.json etcd-cert.sh server-csr.json
ca.csr etcd-v3.3.10-linux-amd64.tar.gz server-key.pem
ca-csr.json flannel-v0.10.0-linux-amd64.tar.gz server.pem
ca-key.pem kubernetes-server-linux-amd64.tar.gz
ca.pem server.csr
[root@localhost etcd-cert]# mv *.tar.gz ../
[root@localhost etcd-cert]# cd ../
[root@localhost k8s]# ls
etcd-cert flannel-v0.10.0-linux-amd64.tar.gz
etcd.sh kubernetes-server-linux-amd64.tar.gz
etcd-v3.3.10-linux-amd64.tar.gz
[root@localhost k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation etcdctl README.md
etcd README-etcdctl.md READMEv2-etcdctl.md
[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p
[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
//证书拷贝
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/
//进入卡住状态等待其他节点加入
[root@localhost k8s]# bash etcd.sh etcd01 192.168.217.130 etcd02=https://192.168.217.132:2380,etcd03=https://192.168.217.133:2380
//使用另外一个会话打开,会发现etcd进程已经开启
[root@master ~]# ps -ef | grep etcd
root 3479 1780 0 11:48 pts/0 00:00:00 bash etcd.sh etcd01 192.168.18.128 etcd02=https://192.168.195.148:2380,etcd03=https://192.168.217.130:2380
root 3530 3479 0 11:48 pts/0 00:00:00 systemctl restart etcd
root 3540 1 1 11:48 ? 00:00:00 /opt/etcd/bin/etcd
//拷贝证书去其他节点
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.217.132:/opt/
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.217.133:/opt/
[root@localhost ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.217.132:/usr/lib/systemd/system/
[root&#