Kubernetes集群构建指导
内容表单
设置环境变量
设置k8s需要的环境变量,根据各个服务器节点设置不同的值。
# TLS Bootstrapping 使用的 Token,可以使用命令
# head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 生成
export BOOTSTRAP_TOKEN="49541889958fea20d2ab0559c22356c1"
# 建议用 未用的网段 来定义服务网段和 Pod 网段
# 服务网段 (Service CIDR),部署前路由不可达,部署后集群内使用 IP:Port可达
export SERVICE_CIDR="10.254.0.0/16"
# POD 网段 (Cluster CIDR),部署前路由不可达,**部署后**路由可达 (flanneld 保证)
CLUSTER_CIDR="172.30.0.0/16"
# 服务端口范围 (NodePort Range)
NODE_PORT_RANGE="8400-9000"
# etcd 集群服务地址列表
ETCD_ENDPOINTS="https://10.50.101.122:2379,https://10.50.101.74:2379,https://10.50.101.41:2379"
# flanneld 网络配置前缀
FLANNEL_ETCD_PREFIX="/kubernetes/network"
# kubernetes 服务 IP (预分配,一般是 SERVICE_CIDR 中第一个IP)
CLUSTER_KUBERNETES_SVC_IP="10.254.0.1"
# 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)
CLUSTER_DNS_SVC_IP="10.254.0.2"
# 集群 DNS 域名
CLUSTER_DNS_DOMAIN="cluster.local."
CA证书和秘钥
kubernetes 系统各组件需要使用 TLS 证书对通信进行加密,本文档使用 CloudFlare 的 PKI 工具集 cfssl 来生成 Certificate Authority (CA) 证书和秘钥文件,CA 是自签名的证书,用来签名后续创建的其它 TLS 证书。
安装CFSSL
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
$ mkdir ssl
$ cd ssl
$ cfssl print-defaults config > config.json
$ cfssl print-defaults csr > csr.json
$
创建CA
创建 CA(Certificate Authority) 配置文件:
$ cat ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中CA=TRUE;server auth:表示 client 可以用该 CA 对 server 提供的证书进行验证;client auth:表示 server 可以用该 CA 对 client 提供的证书进行验证;
创建CA证书签名请求:
$ cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}- “CN”:
Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法; - “O”:
Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);
生成 CA 证书和私钥:
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
$分发证书
将生成的 CA 证书、秘钥文件、配置文件拷贝到所有机器的 /etc/kubernetes/ssl 目录下
$ sudo mkdir -p /etc/kubernetes/ssl
$ sudo cp ca* /etc/kubernetes/ssl
$校验证书
以校验 ca 证书为例:
使用 openssl 命令
$ openssl x509 -noout -text -in /etc/kubernetes/ssl/ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
76:00:0a:99:e6:01:bb:60:95:96:6c:83:7e:4f:d0:e5:c2:ab:ca:a1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Validity
Not Before: Oct 8 13:38:00 2017 GMT
Not After : Oct 7 13:38:00 2022 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:fa:21:06:ce:3f:81:67:94:5e:b2:ae:7a:46:94:
bb:d0:9a:b4:fe:03:e2:e5:dc:2c:6e:f6:0e:71:31:
cd:5a:d0:88:60:d3:fe:a2:20:59:4d:f5:45:f3:a2:
52:e2:0c:af:70:bf:50:62:4c:1d:45:da:a4:10:c8:
12:71:52:a2:40:c8:53:62:86:21:0d:1b:f0:c4:ea:
ab:8a:2c:7f:53:b4:b8:26:76:21:6f:b1:88:be:54:
b8:95:ff:6e:65:bf:93:e1:0c:20:46:df:bd:de:8c:
b8:8d:02:c7:3f:0b:6d:28:23:a2:b3:11:c8:86:8a:
45:2e:71:43:b6:a7:a0:14:c7:01:21:98:f4:06:45:
e4:1d:c8:c5:66:cc:7e:fa:10:79:c6:ae:30:72:b5:
72:7b:9d:98:b1:9c:6c:c7:ef:f2:49:f5:28:19:df:
4c:cb:76:5a:51:c6:a9:ae:40:9f:20:65:3c:f9:90:
32:27:00:03:72:20:f7:02:8e:52:f9:75:8b:1c:65:
b6:bc:4e:1b:d7:d6:9d:2f:95:1a:fe:5b:e5:9d:b8:
b9:88:9c:fe:bf:34:bc:c4:99:a5:df:c5:d8:ab:e2:
ba:bb:0e:82:8f:55:6d:83:9f:33:22:67:47:b0:f9:
fa:57:72:d3:7f:4a:88:ae:6f:23:4a:e4:b6:c1:cc:
83:cb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Subject Key Identifier:
B7:EE:E5:F4:04:24:E2:BD:8B:6D:B6:09:A0:38:A5:97:16:D3:2E:C1
X509v3 Authority Key Identifier:
keyid:B7:EE:E5:F4:04:24:E2:BD:8B:6D:B6:09:A0:38:A5:97:16:D3:2E:C1
Signature Algorithm: sha256WithRSAEncryption
20:de:1b:90:1c:ae:08:02:d9:9e:46:86:89:13:68:fe:d2:75:
ad:a9:d7:ad:da:91:d3:43:43:96:21:ac:69:04:f3:c9:e8:b1:
f6:3e:8f:16:32:f0:5a:98:f8:f8:c0:9c:a3:98:f8:9c:3a:74:
a7:ce:8b:9b:44:33:b2:96:51:9c:95:86:55:2e:0f:30:ac:69:
4c:c3:99:a3:43:b0:a3:38:2d:76:87:d5:1a:c3:33:cb:c7:1a:
91:d1:cb:7d:f7:c4:af:74:51:07:40:55:54:8b:0d:2e:83:44:
91:91:d6:95:32:e7:84:92:03:a9:c1:b7:e3:f2:31:ec:cb:92:
e0:f4:65:23:ab:16:ae:c6:26:6e:4a:8d:72:11:8b:7d:ad:69:
48:30:06:d0:6f:a7:70:ab:6a:93:cc:92:7c:1d:c9:a1:91:80:
71:a6:77:ba:ad:b7:58:2c:f9:be:b7:b9:0c:be:06:d4:7b:c2:
1f:93:82:9d:51:a2:ed:ea:e3:2b:08:bb:c7:6f:04:3b:d3:c3:
70:5f:f8:b5:9e:32:32:60:c1:8f:0f:12:bd:51:1b:2b:17:2d:
bb:eb:3e:21:79:e2:3b:54:93:a7:e2:1d:96:00:fd:73:24:20:
59:86:c5:9b:ba:96:4e:94:70:5f:0b:76:87:da:d2:aa:59:8f:
a3:e6:3a:dc
- 确认
Issuer字段的内容和ca-csr.json一致; - 确认
Subject字段的内容和kubernetes-csr.json一致; - 确认
X509v3 Subject Alternative Name字段的内容和kubernetes-csr.json一致; - 确认
X509v3 Key Usage、Extended Key Usage字段的内容和ca-config.json中kubernetesprofile 一致;
使用cfssl-certinfo
$ cfssl-certinfo -cert /etc/kubernetes/ssl/ca.pem
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"serial_number": "673661834449005952155746141320249464487836109473",
"not_before": "2017-10-08T13:38:00Z",
"not_after": "2022-10-07T13:38:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "B7:EE:E5:F4:4:24:E2:BD:8B:6D:B6:9:A0:38:A5:97:16:D3:2E:C1",
"subject_key_id": "B7:EE:E5:F4:4:24:E2:BD:8B:6D:B6:9:A0:38:A5:97:16:D3:2E:C1",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDvjCCAqagAwIBAgIUdgAKmeYBu2CVlmyDfk/Q5cKryqEwDQYJKoZIhvcNAQEL\nBQAwZTELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0Jl\naUppbmcxDDAKBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwpr\ndWJlcm5ldGVzMB4XDTE3MTAwODEzMzgwMFoXDTIyMTAwNzEzMzgwMFowZTELMAkG\nA1UEBhMCQ04xEDAOBgNVBAgTB0JlaUppbmcxEDAOBgNVBAcTB0JlaUppbmcxDDAK\nBgNVBAoTA2s4czEPMA0GA1UECxMGU3lzdGVtMRMwEQYDVQQDEwprdWJlcm5ldGVz\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+iEGzj+BZ5Resq56RpS7\n0Jq0/gPi5dwsbvYOcTHNWtCIYNP+oiBZTfVF86JS4gyvcL9QYkwdRdqkEMgScVKi\nQMhTYoYhDRvwxOqriix/U7S4JnYhb7GIvlS4lf9uZb+T4QwgRt+93oy4jQLHPwtt\nKCOisxHIhopFLnFDtqegFMcBIZj0BkXkHcjFZsx++hB5xq4wcrVye52YsZxsx+/y\nSfUoGd9My3ZaUcaprkCfIGU8+ZAyJwADciD3Ao5S+XWLHGW2vE4b19adL5Ua/lvl\nnbi5iJz+vzS8xJml38XYq+K6uw6Cj1Vtg58zImdHsPn6V3LTf0qIrm8jSuS2wcyD\nywIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAd\nBgNVHQ4EFgQUt+7l9AQk4r2LbbYJoDillxbTLsEwHwYDVR0jBBgwFoAUt+7l9AQk\n4r2LbbYJoDillxbTLsEwDQYJKoZIhvcNAQELBQADggEBACDeG5AcrggC2Z5GhokT\naP7Sda2p163akdNDQ5YhrGkE88nosfY+jxYy8FqY+PjAnKOY+Jw6dKfOi5tEM7KW\nUZyVhlUuDzCsaUzDmaNDsKM4LXaH1RrDM8vHGpHRy333xK90UQdAVVSLDS6DRJGR\n1pUy54SSA6nBt+PyMezLkuD0ZSOrFq7GJm5KjXIRi32taUgwBtBvp3CrapPMknwd\nyaGRgHGmd7qtt1gs+b63uQy+BtR7wh+Tgp1Rou3q4ysIu8dvBDvTw3Bf+LWeMjJg\nwY8PEr1RGysXLbvrPiF54jtUk6fiHZYA/XMkIFmGxZu6lk6UcF8Ldofa0qpZj6Pm\nOtw=\n-----END CERTIFICATE-----\n"
网络参考资料
- Generate self-signed certificates
- Setting up a Certificate Authority and Creating TLS Certificates
- Client Certificates V/s Server Certificates
部署高可用etcd集群
kuberntes 系统使用 etcd 存储所有数据,本文档介绍部署一个三节点高可用 etcd 集群的步骤,这三个节点复用 kubernetes master 机器,分别命名为etcd-host0、etcd-host1、etcd-host2:
- etcd-host0:10.50.101.74
- etcd-host1:10.50.101.41
- etcd-host2:10.50.101.122
设置环境变量
本文档用到的变量定义(加入到/etc/environment 文件中,如果已经设置可以忽略此步骤):
$ export NODE_NAME=etcd-host0 # 当前部署的机器名称(随便定义,只要能区分不同机器即可)
$ export NODE_IP=10.50.101.41 # 当前部署的机器 IP
$ export NODE_IPS="10.50.101.122 10.50.101.41 10.50.101.74" # etcd 集群所有机器 IP
$ # etcd 集群间通信的IP和端口
$ export ETCD_NODES=etcd-host0=https://10.50.101.122:2380,etcd-host1=https://10.50.101.41:2380,etcd-host2=https://10.50.101.74:2380
$ # 导入用到的其它全局变量:ETCD_ENDPOINTS、FLANNEL_ETCD_PREFIX、CLUSTER_CIDR
$
下载最新etcd
可以到 https://github.com/coreos/etcd/releases 页面下载最新版本的二进制文件,例如下面的命令。
$ wget https://github.com/coreos/etcd/releases/download/v3.1.6/etcd-v3.1.6-linux-amd64.tar.gz
$ tar -xvf etcd-v3.1.6-linux-amd64.tar.gz
$ sudo mv etcd-v3.1.6-linux-amd64/etcd* /usr/local/bin
$
创建TLS秘钥和证书
为了保证通信安全,客户端(如 etcdctl) 与 etcd 集群、etcd 集群之间的通信需要使用 TLS 加密,本节创建 etcd TLS 加密所需的证书和私钥。
创建 etcd 证书签名请求:
$ cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"${NODE_IP}"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- hosts 字段指定授权使用该证书的 etcd 节点 IP;
生成etcd证书和私钥:
#修改可以执行权限,如果还是权限不够,设置为chown ${group}:${USER} /etc/kubernetes/ssl
$ sudo chmod a+x /etc/kubernetes/ssl/*
$ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
$ ls etcd*
etcd.csr etcd-csr.json etcd-key.pem etcd.pem
$ sudo mkdir -p /etc/etcd/ssl
$ sudo mv etcd*.pem /etc/etcd/ssl
$ rm etcd.csr etcd-csr.json
创建etcd的systemd单元文件
# 必须先创建工作目录
$ sudo mkdir -p /var/lib/etcd
$ cat > etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
ExecStart=/usr/local/bin/etcd \\
--name=${NODE_NAME} \\
--cert-file=/etc/etcd/ssl/etcd.pem \\
--key-file=/etc/etcd/ssl/etcd-key.pem \\
--peer-cert-file=/etc/etcd/ssl/etcd.pem \\
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \\
--trusted-ca-file=/etc/kubernetes/ssl/ca.pem \\
--peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \\
--initial-advertise-peer-urls=https://${NODE_IP}:2380 \\
--listen-peer-urls=https://${NODE_IP}:2380 \\
--listen-client-urls=https://${NODE_IP}:2379,http://127.0.0.1:2379 \\
--advertise-client-urls=https://${NODE_IP}:2379 \\
--initial-cluster-token=etcd-cluster-0 \\
--initial-cluster=${ETCD_NODES} \\
--initial-cluster-state=new \\
--data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
指定
etcd的工作目录和数据目录为/var/lib/etcd,需在启动服务前创建这个目录。为了保证通信安全,需要指定 etcd 的公私钥(cert-file和key-file)、Peers 通信的公私钥和 CA 证书(peer-cert-file、peer-key-file、peer-trusted-ca-file)、客户端的CA证书(trusted-ca-file)。
--initial-cluster-state值为new时,--name的参数值必须位于--initial-cluster列表中。
设置etcd服务
$ sudo mv etcd.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo systemctl enable etcd
$ sudo systemctl start etcd
$ sudo systemctl status etcd -l
$
最先启动的 etcd 进程会卡住一段时间,等待其它节点上的 etcd进程加入集群,为正常现象。
在所有的 etcd节点重复上面的步骤,直到所有机器的 etcd服务都已启动。
验证服务
部署完etcd集群后,在任一 etcd 集群节点上执行如下命令:
$ for ip in ${NODE_IPS}; do
ETCDCTL_API=3 /usr/local/bin/etcdctl \
--endpoints=https://${ip}:2379 \
--cacert=/etc/kubernetes/ssl/ca.pem \
--cert=/etc/etcd/ssl/etcd.pem \
--key=/etc/etcd/ssl/etcd-key.pem \
endpoint health; done
预期结果:
2017-04-10 14:50:50.011317 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
https://10.64.3.7:2379 is healthy: successfully committed proposal: took = 1.687897ms
2017-04-10 14:50:50.061577 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
https://10.64.3.8:2379 is healthy: successfully committed proposal: took = 1.246915ms
2017-04-10 14:50:50.104718 I | warning: ignoring ServerName for user-provided CA for backwards compatibility is deprecated
https://10.66.3.86:2379 is healthy: successfully committed proposal: took = 1.509229ms
三台 etcd 的输出均为 healthy 时表示集群服务正常(忽略 warning 信息)。
部署kubectl命令行工具
kubectl 默认从 ~/.kube/config 配置文件获取访问 kube-apiserver 地址、证书、用户名等信息,如果没有配置该文件,执行命令时出错:
$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
本文档介绍下载和配置 kubernetes 集群命令行工具 kubectl 的步骤。
需要将下载的 kubectl 二进制程序和生成的 ~/.kube/config 配置文件拷贝到所有使用 kubectl 命令的机器。
设置kubectl环境变量
本文档用到的变量定义如下:
$ export MASTER_IP=10.50.101.41 # 替换为 kubernetes master 集群任一机器 IP
$ export KUBE_APISERVER="https://${MASTER_IP}:6443"
$- 变量 KUBE_APISERVER 指定 kubelet 访问的 kube-apiserver 的地址,后续被写入
~/.kube/config配置文件;
下载kubectl
$ wget https://dl.k8s.io/v1.6.2/kubernetes-client-linux-amd64.tar.gz
$ tar -xzvf kubernetes-client-linux-amd64.tar.gz
$ sudo cp kubernetes/client/bin/kube* /usr/local/bin/
$ sudo chmod a+x /usr/local/bin/kube*
$创建admin证书
kubectl 与 kube-apiserver 的安全端口通信,需要为安全通信提供 TLS 证书和秘钥。
创建 admin 证书签名请求
$ cat admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}后续
kube-apiserver使用RBAC对客户端(如kubelet、kube-proxy、Pod)请求进行授权。kube-apiserver预定义了一些RBAC使用的RoleBindings,如cluster-admin将 Groupsystem:masters与 Rolecluster-admin绑定,该 Role 授予了调用kube-apiserver所有 API的权限。O 指定该证书的 Group 为
system:masters,kubelet使用该证书访问kube-apiserver时 ,由于证书被 CA 签名,所以认证通过,同时由于证书用户组为经过预授权的system:masters,所以被授予访问所有 API 的权限。hosts 属性值为空列表。
生成 admin 证书和私钥:
$ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
$ ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
$ sudo mv admin*.pem /etc/kubernetes/ssl/
$ rm admin.csr admin-csr.json
$创建kubeconfig文件
$ # 设置集群参数
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER}
$ # 设置客户端认证参数
$ kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/etc/kubernetes/ssl/admin-key.pem
$ # 设置上下文参数
$ kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin
$ # 设置默认上下文
$ kubectl config use-context kubernetesadmin.pem证书 O 字段值为system:masters,kube-apiserver预定义的 RoleBindingcluster-admin将 Groupsystem:masters与 Rolecluster-admin绑定,该 Role 授予了调用kube-apiserver相关 API 的权限。生成的 kubeconfig 被保存到
~/.kube/config文件。
分发kubeconfig文件
将 ~/.kube/config 文件拷贝到各个需要运行 kubelet 命令的机器的 ~/.kube/ 目录下。
部署Flannel网络
kubernetes 要求集群内各节点能通过 Pod 网段互联互通,本文档介绍使用 Flannel 在所有节点 (Master、Node) 上创建互联互通的 Pod 网段的步骤。
设置Flannel环境变量
本文档用到的变量定义如下:
$ export NODE_IP=10.64.3.7 # 当前部署节点的 IP
$ # 导入用到的其它全局变量:ETCD_ENDPOINTS、FLANNEL_ETCD_PREFIX、CLUSTER_CIDR
$ source /usr/local/bin/environment.sh
$创建FlannelTLS秘钥和证书
etcd 集群启用了双向 TLS 认证,所以需要为 flanneld 指定与 etcd 集群通信的 CA 和秘钥。
创建 flanneld 证书签名请求:
$ cat > flanneld-csr.json <<EOF
{
"CN": "flanneld",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF- hosts 字段为空;
生成 flanneld 证书和私钥:
$ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld
$ ls flanneld*
flanneld.csr flanneld-csr.json flanneld-key.pem flanneld.pem
$ sudo mkdir -p /etc/flanneld/ssl
$ sudo mv flanneld*.pem /etc/flanneld/ssl
$ rm flanneld.csr flanneld-csr.json向etcd写入集群Pod网段信息
注意:本步骤只需在第一次部署 Flannel 网络时执行,后续在其它节点上部署 Flannel 时无需再写入该信息!
$ /usr/local/bin/etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/flanneld/ssl/flanneld.pem \
--key-file=/etc/flanneld/ssl/flanneld-key.pem \
set ${FLANNEL_ETCD_PREFIX}/config '{"Network":"'${CLUSTER_CIDR}'", "SubnetLen": 24, "Backend": {"Type": "vxlan"}}'- flanneld 目前版本 (v0.7.1) 不支持 etcd v3,故使用 etcd v2 API 写入配置 key 和网段数据;
- 写入的 Pod 网段(${CLUSTER_CIDR},172.30.0.0/16) 必须与 kube-controller-manager 的
--cluster-cidr选项值一致;
安装和配置 flanneld
下载 flanneld
$ mkdir flannel
$ wget https://github.com/coreos/flannel/releases/download/v0.7.1/flannel-v0.7.1-linux-amd64.tar.gz
$ tar -xzvf flannel-v0.7.1-linux-amd64.tar.gz -C flannel
$ sudo cp flannel/{flanneld,mk-docker-opts.sh} /usr/local/bin
$创建 flanneld 的 systemd unit 文件
$ cat > flanneld.service << EOF
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service
[Service]
Type=notify
ExecStart=/usr/local/bin/flanneld \\
-etcd-cafile=/etc/kubernetes/ssl/ca.pem \\
-etcd-certfile=/etc/flanneld/ssl/flanneld.pem \\
-etcd-keyfile=/etc/flanneld/ssl/flanneld-key.pem \\
-etcd-endpoints=${ETCD_ENDPOINTS} \\
-etcd-prefix=${FLANNEL_ETCD_PREFIX}
ExecStartPost=/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure
[Install]
WantedBy=multi-user.target
RequiredBy=docker.service
EOF- mk-docker-opts.sh 脚本将分配给 flanneld 的 Pod 子网网段信息写入到
/run/flannel/docker文件中,后续 docker 启动时使用这个文件中参数值设置 docker0 网桥; - flanneld 使用系统缺省路由所在的接口和其它节点通信,对于有多个网络接口的机器(如,内网和公网),可以用
--iface选项值指定通信接口(上面的 systemd unit 文件没指定这个选项),如本着 Vagrant + Virtualbox,就要指定--iface=enp0s8;
完整 unit 见 flanneld.service
启动 flanneld
$ sudo cp flanneld.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo systemctl enable flanneld
$ sudo systemctl start flanneld
$ sudo systemctl status flanneld
$检查 flanneld 服务
$ journalctl -u flanneld |grep 'Lease acquired'
$ ifconfig flannel.1
$检查分配给各 flanneld 的 Pod 网段信息
$ # 查看集群 Pod 网段(/16)
$ sudo /usr/local/bin/etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/flanneld/ssl/flanneld.pem \
--key-file=/etc/flanneld/ssl/flanneld-key.pem \
get ${FLANNEL_ETCD_PREFIX}/config
{ "Network": "172.30.0.0/16", "SubnetLen": 24, "Backend": { "Type": "vxlan" } }
$ # 查看已分配的 Pod 子网段列表(/24)
$ sudo /usr/local/bin/etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/flanneld/ssl/flanneld.pem \
--key-file=/etc/flanneld/ssl/flanneld-key.pem \
ls ${FLANNEL_ETCD_PREFIX}/subnets
/kubernetes/network/subnets/172.30.19.0-24
$ # 查看某一 Pod 网段对应的 flanneld 进程监听的 IP 和网络参数
$ sudo /usr/local/bin/etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/flanneld/ssl/flanneld.pem \
--key-file=/etc/flanneld/ssl/flanneld-key.pem \
get ${FLANNEL_ETCD_PREFIX}/subnets/172.30.19.0-24
{"PublicIP":"10.64.3.7","BackendType":"vxlan","BackendData":{"VtepMAC":"d6:51:2e:80:5c:69"}}确保各节点间 Pod 网段能互联互通
在各节点上部署完 Flannel 后,查看已分配的 Pod 子网段列表(/24)
$ /usr/local/bin/etcdctl \
--endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/flanneld/ssl/flanneld.pem \
--key-file=/etc/flanneld/ssl/flanneld-key.pem \
ls ${FLANNEL_ETCD_PREFIX}/subnets
/kubernetes/network/subnets/172.30.19.0-24
/kubernetes/network/subnets/172.30.20.0-24
/kubernetes/network/subnets/172.30.21.0-24当前三个节点分配的 Pod 网段分别是:172.30.19.0-24、172.30.20.0-24、172.30.21.0-24。
在各节点上分配 ping 这三个网段的网关地址,确保能通:
$ ping 172.30.19.1
$ ping 172.30.20.2
$ ping 172.30.21.3
$欢迎订阅微信公众号
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
