kubernetes 笔记:k8s 二进制部署集群

最新推荐文章于 2024-02-07 10:34:35 发布
最新推荐文章于 2024-02-07 10:34:35 发布
阅读量1.1k 收藏 2
点赞数 1
分类专栏: Kubernetes
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/guihuayu86/article/details/112686289
版权

一、系统环境配置

主机名

IP

角色

master001

172.31.0.112

API_Server Scheduler Controller_manager

flannel ntpd

node001

172.31.0.113

etd flannel ntpd kubelet kube-proxy

node002

172.31.0.114

etd flannel ntpd kubelet kube-proxy

node003

172.31.0.115

etd flannel ntpd kubelet kube-proxy

升级系统内核版本

升级 Kubernetes 集群各个节点的 CentOS 系统内核版本:

## 载入公钥 # rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org ## 安装 ELRepo 最新版本 # yum install -y https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm ## 列出可以使用的 kernel 包版本 # yum list available --disablerepo=* --enablerepo=elrepo-kernel Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* elrepo-kernel: mirror-hk.koddos.net

Available Packages

kernel-lt-devel.x86_64 4.4.226-1.el7.elrepo elrepo-kernel

kernel-lt-doc.noarch 4.4.226-1.el7.elrepo elrepo-kernel

kernel-lt-headers.x86_64 4.4.226-1.el7.elrepo elrepo-kernel

kernel-lt-tools.x86_64 4.4.226-1.el7.elrepo elrepo-kernel

kernel-lt-tools-libs.x86_64 4.4.226-1.el7.elrepo elrepo-kernel

kernel-lt-tools-libs-devel.x86_64 4.4.226-1.el7.elrepo elrepo-kernel

kernel-ml.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-devel.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-doc.noarch 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-headers.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-tools.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-tools-libs.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

kernel-ml-tools-libs-devel.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

perf.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

python-perf.x86_64 5.7.1-1.el7.elrepo elrepo-kernel

## 安装指定的 kernel 版本: # yum install -y kernel-lt-4.4.226-1.el7.elrepo --enablerepo=elrepo-kernel ## 查看系统可用内核 # cat /boot/grub2/grub.cfg | grep menuentry menuentry 'CentOS Linux (4.4.226-1.el7.elrepo.x86_64) 7 (Core)' --class centos (略) menuentry 'CentOS Linux (3.10.0-862.el7.x86_64) 7 (Core)' --class centos ...(略) ## 设置开机从新内核启动 # grub2-set-default "CentOS Linux (4.4.226-1.el7.elrepo.x86_64) 7 (Core)" ## 查看内核启动项 # grub2-editenv list saved_entry=CentOS Linux (4.4.226-1.el7.elrepo.x86_64) 7 (Core)

 

重启机器!

备注:之所以升级内核 是因为 Kubernetes 版本到 1.18 之后使用的 IPVS 模块是比较新的,需要系统内核版本支持,本人使用的是 CentOS 系统,内核版本为 3.10,里面的 IPVS 模块比较老旧,缺少新版 Kubernetes IPVS 所需的依赖。

 

 

1、# 将 SELinux 设置为 disabled 模式(将其禁用) setenforce 0 sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config

 

2、关闭系统 iptables firewalld.service 服务

# yum install -y ipvsadm ipset conntrack socat jq sysstat iptables iptables-services libseccomp

 

① 关闭服务,并设为开机不自启

systemctl stop firewalld

systemctl disable firewalld

systemctl stop iptables.service

systemctl disable iptables.service

② 清空防火墙规则

iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat

iptables -P FORWARD ACCEPT

 

3、关闭 sawp

vim /etc/fstab

#/dev/mapper/centos-swap swap swap defaults 0 0

注释掉 swap

或者: sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

 

4、打开 ip6tables 内部的桥接功能;默认情况下系统以及打开的!

首先为所有节点 添加内核模块 同时支持 IPVS

# socat 命令用于支持 kubectl port-forward 命令

执行命: modprobe br_netfilter # 加载该模块

cat > /etc/sysconfig/modules/ipvs.modules <<EOF #!/bin/bash modprobe -- br_netfilter modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack_ipv4 EOF chmod 755 /etc/sysconfig/modules/ipvs.modules && \ bash /etc/sysconfig/modules/ipvs.modules && \ lsmod | grep -E "ip_vs|nf_conntrack_ipv4"

 

检测:

# ll -sh /proc/sys/net/bridge

total 0

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-call-arptables

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-call-ip6tables

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-call-iptables

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-filter-pppoe-tagged

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-filter-vlan-tagged

0 -rw-r--r-- 1 root root 0 Mar 12 10:44 bridge-nf-pass-vlan-input-dev

 

方法一:

echo "1" > /proc/sys/net/bridge/bridge-nf-call-ip6tables

echo "1" > /proc/sys/net/bridge/bridge-nf-call-iptables

方法二:

cat <<EOF > /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1

net.ipv4.ip_forward = 1 EOF sysctl --system

 

5、集群环境规划

因为测试 这里只做了本地hosts解析。就不添加dns服务了

172.31.0.112 master001

172.31.0.113 node001

172.31.0.114 node002

172.31.0.115 node003

172.31.0.113 etcd-node1

172.31.0.114 etcd-node2

172.31.0.115 etcd-node3

 

echo "* soft nofile 65536" >> /etc/security/limits.conf echo "* hard nofile 65536" >> /etc/security/limits.conf echo "* soft nproc 65536" >> /etc/security/limits.conf echo "* hard nproc 65536" >> /etc/security/limits.conf echo "* soft memlock unlimited" >> /etc/security/limits.conf echo "* hard memlock unlimited" >> /etc/security/limits.conf

 

 

关闭 dnsmasq (可选)

linux 系统开启了 dnsmasq 后(如 GUI 环境),将系统 DNS Server 设置为 127.0.0.1,这会导致 docker 容器无法解析域名,需要关闭它:

service dnsmasq stop

systemctl disable dnsmasq

 

 

6、ntp 服务 这里不做详细介绍了我们再node01 上部署了 ntpd_server

设置时区

cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

yum -y install ntp

配置ntp server

vim /etc/ntp.conf

restrict 172.31.0.0 mask 255.255.0.0 nomodify notrap

保存退出重新启动

systemctl restart ntpd.service

systemctl enable ntpd.service

 

配置 ntp client

vim /etc/ntp.conf

server 0.172.31.0.112 或者 server master

保存退出重新启动

systemctl restart ntpd.service

systemctl enable ntpd.service

或者

*/5 * * * * root ntpdate master001 > /dev/null 2>&1

 

 

 

二、镜像源配置

 

官方镜像源: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

或者

阿里镜像源: yum-config-manager --add-repo

http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

 

执行 yum clean all 清理下本地Yum 缓存

检查 docker-ce 源是否添加

验证镜像源可用,同步到其它所有节点服务器

 

 

 

 

三、安装docker-ce

 

注意:所有节点均需要安装(master 节点,已经 node节点)!

1、安装

yum -y install docker-ce

 

2、启动服务

systemctl start docker.service

systemctl enable docker.service

 

3、查看版本

# docker version

Client: Docker Engine - Community

Version: 19.03.8

API version: 1.40

Go version: go1.12.17

Git commit: afacb8b

Built: Wed Mar 11 01:27:04 2020

OS/Arch: linux/amd64

Experimental: false

 

Server: Docker Engine - Community

Engine:

Version: 19.03.8

API version: 1.40 (minimum version 1.12)

Go version: go1.12.17

Git commit: afacb8b

Built: Wed Mar 11 01:25:42 2020

OS/Arch: linux/amd64

Experimental: false

containerd:

Version: 1.2.13

GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429

runc:

Version: 1.0.0-rc10

GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd

docker-init:

Version: 0.18.0

GitCommit: fec3683

 

 

 

四、准备部署目录和证书的创建。

 

1、创建相关应用程序归档目录:

[root@master001 opt]# mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

[root@node001 opt]# mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

[root@node002 opt]# mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

[root@node003 opt]# mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

 

[root@node003 opt]# ssh-copy-id node001

[root@node003 opt]# ssh-copy-id node002

[root@node003 opt]# ssh-copy-id node003

 

2、下载 kubernetes软件包:

我们选择 v1.18.2 版本

https://dl.k8s.io/v1.18.2/kubernetes-server-linux-amd64.tar.gz

 

# 解压的server、client、node都会解压到kubernetes目录下:

[root@master001 src]# tar -zxvf kubernetes-server-linux-amd64.tar.gz

[root@master001 kubernetes]# ls

addons kubernetes-src.tar.gz LICENSES server

 

 

# 各个节点增加kubernetes的环境变量

vim /etc/profile

export KUBERNETES_HOME=/opt/kubernetes

export PATH=$KUBERNETES_HOME/bin:$PATH

 

3、CA证书创建和分发

从k8s的1.8版本开始,K8S系统各组件需要使用TLS证书对通信进行加密。每一个K8S集群都需要独立的CA证书体系。CA证书有以下三种:easyrsa、openssl、cfssl。这里使用cfssl证书,也是目前使用最多的,相对来说配置简单一些,通过json的格式,把证书相关的东西配置进去即可。这里使用cfssl的版本为1.2版本。

(1)安装 CFSSL(只要在master 一台主机安装即可!)

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

 

(2)创建用来生成 CA 文件的 JSON 配置文件

[root@master001 src]# mkdir ssl

[root@master001 src]# cd ssl/

[root@master001 ssl]# pwd

/usr/local/src/ssl

 

# vim ca-config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } }

}

 

(3)创建用来生成 CA 证书签名请求(CSR)的 JSON 配置文件

vim ca-csr.json { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "k8s", "OU": "System" } ] }

 

(4)生成CA证书(ca.pem)和密钥(ca-key.pem)

# 生成证书和密钥

[root@master001 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca

2020/05/06 17:22:29 [INFO] generating a new CA key and certificate from CSR

2020/05/06 17:22:29 [INFO] generate received request

2020/05/06 17:22:29 [INFO] received CSR

2020/05/06 17:22:29 [INFO] generating key: rsa-2048

2020/05/06 17:22:30 [INFO] encoded CSR

2020/05/06 17:22:30 [INFO] signed certificate with serial number 641010558117528867312481899616046442222031173099

 

[root@master001 ssl]# ll

total 20

-rw-r--r-- 1 root root 290 May 6 17:19 ca-config.json

-rw-r--r-- 1 root root 1005 May 6 17:22 ca.csr

-rw-r--r-- 1 root root 210 May 6 17:22 ca-csr.json

-rw------- 1 root root 1675 May 6 17:22 ca-key.pem

-rw-r--r-- 1 root root 1363 May 6 17:22 ca.pem

 

(5)分发证书

[root@master001 ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl

[root@master001 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json node001:/opt/kubernetes/ssl

[root@master001 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json node002:/opt/kubernetes/ssl

[root@master001 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json node003:/opt/kubernetes/ssl

 

 

 

五、安装 etcd

所有持久化的状态信息以KV的形式存储在ETCD中。类似zookeeper,提供分布式协调服务。之所以说kubenetes各个组件是无状态的,就是因为其中把数据都存放在ETCD中。由于ETCD支持集群,这里在三台主机上都部署上ETCD。

(1)准备etcd软件包

wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz

 

[root@master001 src]# tar -zxvf etcd-v3.3.10-linux-amd64.tar.gz

[root@master001 src]# cd etcd-v3.3.10-linux-amd64

[root@master001 etcd-v3.3.10-linux-amd64]# ls

Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md

# 有2个文件,etcdctl是操作etcd的命令

[root@master001 etcd-v3.3.10-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin/

[root@master001 etcd-v3.3.10-linux-amd64]# scp etcd etcdctl node001:/opt/kubernetes/bin/

[root@master001 etcd-v3.3.10-linux-amd64]# scp etcd etcdctl node002:/opt/kubernetes/bin/

 

(2)创建 etcd 证书签名请求

[root@master001 ]# cd /usr/local/src/ssl/

vim etcd-csr.json

{ "CN": "etcd", "hosts": [

# 此处的ip是etcd集群中各个节点的ip地址

"127.0.0.1", "172.31.0.113", "172.31.0.114", "172.31.0.115" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "k8s", "OU": "System" } ] }

 

(3)生成 etcd 证书和私钥

[root@master001 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \

-ca-key=/opt/kubernetes/ssl/ca-key.pem \

-config=/opt/kubernetes/ssl/ca-config.json \

-profile=kubernetes etcd-csr.json | cfssljson -bare etcd

2020/05/06 17:40:49 [INFO] generate received request

2020/05/06 17:40:49 [INFO] received CSR

2020/05/06 17:40:49 [INFO] generating key: rsa-2048

2020/05/06 17:40:50 [INFO] encoded CSR

2020/05/06 17:40:50 [INFO] signed certificate with serial number 100309427538013646669998055350817020207855832803

2020/05/06 17:40:50 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2.3 ("Information Requirements").

 

[root@master001 ssl]# ll -sh etcd*

4.0K -rw-r--r-- 1 root root 1.1K May 6 17:40 etcd.csr

4.0K -rw-r--r-- 1 root root 284 May 6 17:38 etcd-csr.json

4.0K -rw------- 1 root root 1.7K May 6 17:40 etcd-key.pem

4.0K -rw-r--r-- 1 root root 1.5K May 6 17:40 etcd.pem

 

(4)将证书拷贝到/opt/kubernetes/ssl目录下

[root@master001 ssl]# cp etcd*.pem /opt/kubernetes/ssl/

[root@master001 ssl]# scp etcd*.pem node001:/opt/kubernetes/ssl/

[root@master001 ssl]# scp etcd*.pem node002:/opt/kubernetes/ssl/

[root@master001 ssl]# scp etcd*.pem node003:/opt/kubernetes/ssl/

(5)配置ETCD配置文件

vim /opt/kubernetes/cfg/etcd.conf

#[member]

ETCD_NAME="etcd-node1" #ETCD节点名称修改,这个ETCD_NAME每个节点必须不同

ETCD_DATA_DIR="/var/lib/etcd/default.etcd" #ETCD数据目录

ETCD_LISTEN_PEER_URLS="https://172.31.0.113:2380" #ETCD监听的URL,每个节点不同需要修改

ETCD_LISTEN_CLIENT_URLS="https://172.31.0.113:2379,https://127.0.0.1:2379"

#外部通信监听URL修改,每个节点不同需要修改

#[cluster]

ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.31.0.113:2380"

ETCD_INITIAL_CLUSTER="etcd-node1=https://172.31.0.113:2380,etcd-node2=https://172.31.0.114:2380,etcd-node3=https://172.31.0.115:2380" # 添加集群访问

ETCD_INITIAL_CLUSTER_STATE="new"

ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"

ETCD_ADVERTISE_CLIENT_URLS="https://172.31.0.113:2379"

#[security]

CLIENT_CERT_AUTH="true"

ETCD_CA_FILE="/opt/kubernetes/ssl/ca.pem"

ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"

ETCD_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"

PEER_CLIENT_CERT_AUTH="true"

ETCD_PEER_CA_FILE="/opt/kubernetes/ssl/ca.pem"

ETCD_PEER_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"

ETCD_PEER_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"

 

 

备注:默认不会创建etcd的数据存储目录,这里在所有节点上创建etcd数据存储目录并启动etcd

[root@node001 src]# mkdir -p /var/lib/etcd/default.etcd

[root@node002 src]# mkdir -p /var/lib/etcd/default.etcd

[root@node003 src]# mkdir -p /var/lib/etcd/default.etcd

 

(6)创建ETCD系统服务

[root@node001 src]# vim /etc/systemd/system/etcd.service

[Unit]

Description=Etcd Server

After=network.target

 

[Service]

Type=simple

WorkingDirectory=/var/lib/etcd

EnvironmentFile=-/opt/kubernetes/cfg/etcd.conf

ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/kubernetes/bin/etcd"

Type=notify

Restart=on-failure

LimitNOFILE=65536

 

[Install]

WantedBy=multi-user.target

 

etcd.service文件到其他2个节点

[root@node001 src]# scp /etc/systemd/system/etcd.service node003:/etc/systemd/system/

 

[root@node001 src]# scp /etc/systemd/system/etcd.service node003:/etc/systemd/system/

 

(7)重新加载系统服务

加载配置:systemctl daemon-reload

启动:systemctl start etcd

状态:systemctl status etcd

自启:systemctl enable etcd

 

(8)验证ETCD集群:

[root@node001 cfg]# netstat -tulnp |grep etcd #在各节点上查看是否监听了2379和2380端口

tcp 0 0 172.31.0.112:2379 0.0.0.0:* LISTEN 6122/etcd

tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 6122/etcd

tcp 0 0 172.31.0.112:2380 0.0.0.0:* LISTEN 6122/etcd

 

[root@master001 ssl]# etcdctl --endpoints=https://172.31.0.113:2379 \

--ca-file=/opt/kubernetes/ssl/ca.pem \

--cert-file=/opt/kubernetes/ssl/etcd.pem \

--key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health

member 66251b1fc2333a8a is healthy: got healthy result from https://172.31.0.114:2379

member 91f46226c0c40c66 is healthy: got healthy result from https://172.31.0.115:2379

member ff2f70247467ad9e is healthy: got healthy result from https://172.31.0.113:2379

cluster is healthy #表明ETCD集群是正常的!!!

 

注意事项:

flannel v0.11版本不支持etcd v3.4.3版本,支持etcd v3.3.10版本

因为etcd分v2和v3俩版本,不同版本使用的命令参数不同,得到的结果也不同

若flannel v0.11使用etcd v3.4.3版本,则(Falnnel要用etcd存储自身一个子网信息,所以要保证能成功连接Etcd,写入预定义子网段)使用的命令会有变化,然后结果是可以写进去的。但是在启动flannel的时候,会报错:Couldn't fetch network config: client: response is invalid json. The endpoint is probably not valid etcd cluster endpoint.

这就是使用flannel版本跟etcd版本不支持的结果

 

etcd 3.4注意事项:(故我们这里不能采用 3.4 以上版本)

  • ETCD3.4版本ETCDCTL_API=3 etcdctl 和 etcd --enable-v2=false 成为了默认配置,如要使用v2版本,执行etcdctl时候需要设置ETCDCTL_API环境变量,例如:ETCDCTL_API=2 etcdctl
  • ETCD3.4版本会自动读取环境变量的参数,所以EnvironmentFile文件中有的参数,不需要再次在ExecStart启动参数中添加,二选一,如同时配置,会触发以下类似报错“etcd: conflicting environment variable "ETCD_NAME" is shadowed by corresponding command-line flag (either unset environment variable or disable flag)”
  • flannel操作etcd使用的是v2的API,而kubernetes操作etcd使用的v3的API

 

 

 

六、Mater节点二进制部署。

 

1、部署Kubernetes API服务部署。

(1)准备软件包。

wget https://dl.k8s.io/v1.18.2/kubernetes-server-linux-amd64.tar.gz

[root@master001 kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/

[root@master001 kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/

[root@master001 kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/

备注:只需要在master001上拷贝

 

(2)创建生成CSR的 JSON 配置文件

[root@master001 cfg]# cd /usr/local/src/ssl/

[root@master001 ssl]# vim kubernetes-csr.json

{ "CN": "kubernetes", "hosts": [ "127.0.0.1", "172.31.0.112",  # Master的ip地址 "10.1.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "k8s", "OU": "System" } ] }

 

(3)生成 kubernetes 证书和私钥

[root@master001 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \

-ca-key=/opt/kubernetes/ssl/ca-key.pem \

-config=/opt/kubernetes/ssl/ca-config.json \

-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

2020/05/06 20:17:48 [INFO] generate received request

2020/05/06 20:17:48 [INFO] received CSR

2020/05/06 20:17:48 [INFO] generating key: rsa-2048

2020/05/06 20:17:49 [INFO] encoded CSR

2020/05/06 20:17:49 [INFO] signed certificate with serial number 685043223916614112359651660989710923919210347911

2020/05/06 20:17:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2.3 ("Information Requirements").

 

[root@master001 ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/

[root@master001 ssl]# scp kubernetes*.pem node001:/opt/kubernetes/ssl/

[root@master001 ssl]# scp kubernetes*.pem node002:/opt/kubernetes/ssl/

[root@master001 ssl]# scp kubernetes*.pem node003:/opt/kubernetes/ssl/

 

(4) 创建 kube-apiserver 使用的客户端 token 文件

[root@master001 ssl]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '

898e7424a68e83a796c6a0f4188879d3

[root@master001 ssl]# vim /opt/kubernetes/ssl/bootstrap-token.csv

898e7424a68e83a796c6a0f4188879d3,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

 

(5) 创建基础用户名/密码认证配置

[root@master001 ssl]# vim /opt/kubernetes/ssl/basic-auth.csv

admin,admin,1

readonly,readonly,2

 

(6) 部署Kubernetes API Server

[root@master001 ssl]# vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]

Description=Kubernetes API Server

Documentation=https://github.com/GoogleCloudPlatform/kubernetes

After=network.target

After=etcd.service

 

[Service]

ExecStart=/opt/kubernetes/bin/kube-apiserver \

--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \

--bind-address=172.31.0.112 \

--insecure-bind-address=127.0.0.1 \

--authorization-mode=Node,RBAC \

--runtime-config=rbac.authorization.k8s.io/v1 \

--kubelet-https=true \

--anonymous-auth=false \

--basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \

--enable-bootstrap-token-auth \

--token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \

--service-cluster-ip-range=10.1.0.0/16 \

--service-node-port-range=20000-40000 \

--tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \

--tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \

--client-ca-file=/opt/kubernetes/ssl/ca.pem \

--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \

--etcd-cafile=/opt/kubernetes/ssl/ca.pem \

--etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \

--etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \

--etcd-servers=https://172.31.0.113:2379,https://172.31.0.114:2379,https://172.31.0.115:2379 \

--enable-swagger-ui=true \

--allow-privileged=true \

--audit-log-maxage=30 \

--audit-log-maxbackup=3 \

--audit-log-maxsize=100 \

--audit-log-path=/opt/kubernetes/log/api-audit.log \

--event-ttl=1h \

--v=2 \

--logtostderr=false \

--log-dir=/opt/kubernetes/log

Restart=on-failure

RestartSec=5

Type=notify

LimitNOFILE=65536

 

[Install]

WantedBy=multi-user.target

保存退出!

 

(7) 启动API Server服务

[root@master001 ssl]# systemctl daemon-reload

[root@master001 ssl]# systemctl start kube-apiserver

[root@master001 ssl]# systemctl enable kube-apiserver

[root@master001 ssl]# netstat -nultp |grep "kube-apiserver"

tcp 0 0 172.31.0.112:6443 0.0.0.0:* LISTEN 7081/kube-apiserver

tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 7081/kube-apiserver

从监听端口可以看到api-server监听在6443端口,同时也监听了本地的8080端口,是提供kube-schduler和kube-controller使用。

 

 

2、部署Controller Manager服务部署。

controller-manager由一系列的控制器组成,它通过apiserver监控整个集群的状态,并确保集群处于预期的工作状态。

 

(1)部署Controller Manager服务

vim /usr/lib/systemd/system/kube-controller-manager.service

[Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/opt/kubernetes/bin/kube-controller-manager \ --address=127.0.0.1 \ --master=http://127.0.0.1:8080 \ --allocate-node-cidrs=true \ --service-cluster-ip-range=10.1.0.0/16 \ --cluster-cidr=10.2.0.0/16 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --leader-elect=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target

 

(2)启动Controller Manager

systemctl daemon-reload

systemctl enable kube-controller-manager

systemctl start kube-controller-manager

systemctl status kube-controller-manager

 

[root@master001 ssl]# netstat -tulnp |grep kube-controlle

tcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN 7576/kube-controlle

tcp6 0 0 :::10257 :::* LISTEN 7576/kube-controlle

 

从监听端口上,可以看到kube-controller监听在本地的10252端口,外部是无法直接访问kube-controller,需要通过api-server才能进行访问。

 

 

3、部署Kubernetes Scheduler

  • scheduler负责分配调度Pod到集群内的node节点
  • 监听kube-apiserver,查询还未分配的Node的Pod
  • 根据调度策略为这些Pod分配节点

 

(1)部署 Scheduler 服务

vim /usr/lib/systemd/system/kube-scheduler.service

[Unit] Description=Kubernetes Scheduler Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/opt/kubernetes/bin/kube-scheduler \ --address=127.0.0.1 \ --master=http://127.0.0.1:8080 \ --leader-elect=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target

 

(2)启动 Scheduler 服务

systemctl daemon-reload

systemctl enable kube-scheduler

systemctl start kube-scheduler

systemctl status kube-scheduler

 

[root@master001 ssl]# netstat -tulnp |grep kube-scheduler

tcp 0 0 127.0.0.1:10251 0.0.0.0:* LISTEN 7637/kube-scheduler

tcp6 0 0 :::10259 :::* LISTEN 7637/kube-scheduler

 

从kube-scheduler的监听端口上,同样可以看到监听在本地的10251端口上,外部无法直接访问,同样是需要通过api-server进行访问。

 

 

4、部署kubectl 命令行工具

kubectl用于日常直接管理K8S集群,那么kubectl要进行管理k8s,就需要和k8s的组件进行通信,也就需要用到证书。此时kubectl需要单独部署,也是因为kubectl也是需要用到证书,而前面的kube-apiserver、kube-controller、kube-scheduler都是不需要用到证书,可以直接通过服务进行启动。

(1)准备二进制命令包

[root@master001 src]# cp kubernetes/server/bin/kubectl /opt/kubernetes/bin/

 

(2)创建 admin 证书签名请求

[root@master001 kubernetes]# cd /usr/local/src/ssl/

[root@master001 ssl]# vim admin-csr.json

{ "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "system:masters", "OU": "System" } ] }

 

(3)生成 admin 证书和私钥

[root@master001 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \

-ca-key=/opt/kubernetes/ssl/ca-key.pem \

-config=/opt/kubernetes/ssl/ca-config.json \

-profile=kubernetes admin-csr.json | cfssljson -bare admin

2020/05/07 10:41:15 [INFO] generate received request

2020/05/07 10:41:15 [INFO] received CSR

2020/05/07 10:41:15 [INFO] generating key: rsa-2048

2020/05/07 10:41:16 [INFO] encoded CSR

2020/05/07 10:41:16 [INFO] signed certificate with serial number 543502041881597444088255711460536075856227458945

2020/05/07 10:41:16 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2.3 ("Information Requirements").

 

[root@master01 ssl]# ll -sh admin*

4.0K -rw-r--r-- 1 root root 1013 May 7 10:41 admin.csr

4.0K -rw-r--r-- 1 root root 231 May 7 10:40 admin-csr.json

4.0K -rw------- 1 root root 1.7K May 7 10:41 admin-key.pem

4.0K -rw-r--r-- 1 root root 1.4K May 7 10:41 admin.pem

 

[root@master001 ssl]# cp admin*.pem /opt/kubernetes/ssl/

 

(4)设置集群参数

[root@master001 ssl]# kubectl config set-cluster kubernetes \ --certificate-authority=/opt/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://172.31.0.112:6443

Cluster "kubernetes" set.

 

(5)设置客户端认证参数

[root@master001 ssl]# kubectl config set-credentials admin \ --client-certificate=/opt/kubernetes/ssl/admin.pem \ --embed-certs=true \ --client-key=/opt/kubernetes/ssl/admin-key.pem

User "admin" set.

 

(6)设置上下文参数

[root@master001 ssl]# kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=admin

Context "kubernetes" created.

 

(7)设置默认上下文

[root@master001 ssl]# kubectl config use-context kubernetes

Switched to context "kubernetes".

 

备注:上面(4)-->(7)的配置是为了在家目录下生成config文件,之后kubectl和api通信就需要用到该文件,这也就是说如果在其他节点上需要用到这个kubectl,就需要将该文件拷贝到其他节点。

 

[root@master01 ssl]# cat /root/.kube/config

apiVersion: v1

clusters:

- cluster:

certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR3akNDQXFxZ0F3SUJBZ0lVQS9DRjNCZFE3dFJ4clN1TW53YkpxSndISFdnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1p6RUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0ZOb1lXNW5hR0Zw

..................

server: https://172.31.0.112:6443

name: kubernetes

contexts:

- context:

cluster: kubernetes

user: admin

name: kubernetes

current-context: kubernetes

kind: Config

preferences: {}

..................

 

 

(8)验证使用kubectl工具

[root@master001 ssl]# kubectl get cs

NAME STATUS MESSAGE ERROR

scheduler Healthy ok

controller-manager Healthy ok

etcd-1 Healthy {"health":"true"}

etcd-0 Healthy {"health":"true"}

etcd-2 Healthy {"health":"true"}

 

 

 

 

七、Node节点二进制部署。

 

1、部署kubelet

(1)二进制包准备。

[root@master001 bin]# scp kubelet kube-proxy /opt/kubernetes/bin/

[root@master001 bin]# scp kubelet kube-proxy node001:/opt/kubernetes/bin/

[root@master001 bin]# scp kubelet kube-proxy node002:/opt/kubernetes/bin/

[root@master001 bin]# scp kubelet kube-proxy node003:/opt/kubernetes/bin/

备注:从master节点 kubernetes-server-linux-amd64.tar.gz 解压文件中拷贝到node节点。

 

(2)创建角色绑定。

注意:在master 节点上创建

kubelet启动时会向kube-apiserver发送tsl bootstrap请求,所以需要将bootstrap的token设置成对应的角色,这样kubectl才有权限创建该请求。

[root@master001 ~]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

clusterrolebinding "kubelet-bootstrap" created

 

(3)创建 kubelet bootstrapping kubeconfig 文件 设置集群参数。

注意:在master 节点上创建

[root@master001 ~]# cd /usr/local/src/ssl/

[root@master001 ssl]# kubectl config set-cluster kubernetes \ --certificate-authority=/opt/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://172.31.0.112:6443 \ --kubeconfig=bootstrap.kubeconfig

Cluster "kubernetes" set.

 

(4)设置客户端认证参数。

注意:在master 节点上操作

在前面我们创建 kube-apiserver 使用的客户端 token 文件中查看: bootstrap-token

[root@master001 ssl]# cat /opt/kubernetes/ssl/bootstrap-token.csv

898e7424a68e83a796c6a0f4188879d3,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

 

[root@master001 ssl]# kubectl config set-credentials kubelet-bootstrap \ --token=898e7424a68e83a796c6a0f4188879d3 \ --kubeconfig=bootstrap.kubeconfig

User "kubelet-bootstrap" set.

 

(5)设置上下文参数

注意:在master 节点上操作

[root@master001 ssl]# kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig

Context "default" created.

备注:bootstrap.kubeconfig 就是我们在上面 (4)步骤中创建的 在当前文件夹 /usr/local/src/ssl 目录下!

 

(6)选择默认上下文

注意:在master 节点上操作

[root@master001 ssl]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

Switched to context "default".

[root@master001 ssl]# cp bootstrap.kubeconfig /opt/kubernetes/cfg/

[root@master001 ssl]# scp bootstrap.kubeconfig node001:/opt/kubernetes/cfg/

[root@master001 ssl]# scp bootstrap.kubeconfig node002:/opt/kubernetes/cfg/

[root@master001 ssl]# scp bootstrap.kubeconfig node003:/opt/kubernetes/cfg/

 

 

 

2、部署kubelet 1.设置CNI支持

注意:以下所有操作均要在所有 Node 节点执行。

(1)配置CNI

[root@node001 ~]# mkdir -p /etc/cni/net.d

[root@node001 ~]# vim /etc/cni/net.d/10-flannel.conflist

{

"name": "cbr0",

"cniVersion": "0.3.1",

"plugins": [

{

"type": "flannel",

"delegate": {

"hairpinMode": true,

"isDefaultGateway": true

}

},

{

"type": "portmap",

"capabilities": {

"portMappings": true

}

}

]

}

保存退出!

 

(2)创建kubelet数据存储目录

[root@node001 ~]# mkdir /var/lib/kubelet

 

(3)创建kubelet服务配置

[root@node001 ~]# vim /usr/lib/systemd/system/kubelet.service

[Unit] Description=Kubernetes Kubelet Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=docker.service Requires=docker.service [Service] WorkingDirectory=/var/lib/kubelet ExecStart=/opt/kubernetes/bin/kubelet \ --address=172.31.0.113 \ # 这里还根据实际的node节点IP来修改 --hostname-override=172.31.0.113 \ # 这里还根据实际的node节点IP来修改 --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \ --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \ --cert-dir=/opt/kubernetes/ssl \ --network-plugin=cni \ --cni-conf-dir=/etc/cni/net.d \ --cni-bin-dir=/opt/kubernetes/bin/cni \ --cluster-dns=10.1.0.2 \ --cluster-domain=cluster.local. \ --hairpin-mode hairpin-veth \ --fail-swap-on=false \ --logtostderr=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log \

--runtime-cgroups=/systemd/system.slice \

--kubelet-cgroups=/systemd/system.slice Restart=on-failure RestartSec=5

 

[Install]

WantedBy=multi-user.target

 

保存退出!

备注: kubelet.kubeconfig 这个会在服务启动成功后自动生成该配置文件。

阿里镜像源:registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.0

 

 

(4)启动Kubelet

systemctl daemon-reload systemctl enable kubelet systemctl start kubelet systemctl status kubelet

 

 

(5)查看csr请求 注意是在 master上执行。

注意是在 master上执行。

[root@master001 bin]# kubectl get csr

NAME AGE SIGNERNAME REQUESTOR CONDITION

node-csr-ETvvxync12zx8KOXR4C6hk5B-oDza3FrP86IMuzq9PM 69s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending

node-csr-exgyQM7l4bVV7IWd45_YHdcys5W_Rh-zWf19uPckjHU 2m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending

node-csr-u_gnS21i81yRkoMVafVWUJSAvaaPXGCSvbblYqdJRa4 3m59s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending

 

(6)批准kubelet 的 TLS 证书请求。

注意是在 master上执行。

[root@master001 bin]# kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs kubectl certificate approve

certificatesigningrequest.certificates.k8s.io/node-csr-ETvvxync12zx8KOXR4C6hk5B-oDza3FrP86IMuzq9PM approved

certificatesigningrequest.certificates.k8s.io/node-csr-exgyQM7l4bVV7IWd45_YHdcys5W_Rh-zWf19uPckjHU approved

certificatesigningrequest.certificates.k8s.io/node-csr-u_gnS21i81yRkoMVafVWUJSAvaaPXGCSvbblYqdJRa4 approved

 

[root@master001 bin]# kubectl get csr

NAME AGE SIGNERNAME REQUESTOR CONDITION

node-csr-ETvvxync12zx8KOXR4C6hk5B-oDza3FrP86IMuzq9PM 27m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued

node-csr-exgyQM7l4bVV7IWd45_YHdcys5W_Rh-zWf19uPckjHU 28m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued

node-csr-u_gnS21i81yRkoMVafVWUJSAvaaPXGCSvbblYqdJRa4 30m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued

 

[root@master001 bin]# kubectl get nodes

NAME STATUS ROLES AGE VERSION

172.31.0.113 NotReady <none> 8m7s v1.18.2

172.31.0.114 NotReady <none> 8m7s v1.18.2

172.31.0.115 NotReady <none> 8m7s v1.18.2

可以看到 所有的节点都已经成功加入集群

状态显示 NotReady(未就绪状态) 是因为没有配置网络插件 配置好网络插件就 Ready了

我们在 node 节点上执行 systemctl status kubelet

因为我们还没有部署网络插件 如:flannel!

 

 

3、部署Kubernetes Proxy

(1)配置kube-proxy使用LVS

注意是在各个 node 节点上执行。

[root@node001 ~]# yum install -y ipvsadm ipset conntrack

[root@node002 ~]# yum install -y ipvsadm ipset conntrack

[root@node003 ~]# yum install -y ipvsadm ipset conntrack

 

(2)创建 kube-proxy 证书请求

注意是在 master 节点上执行。

[root@master001 ~]# cd /usr/local/src/ssl/

[root@master001 ssl]# vim kube-proxy-csr.json

{ "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "k8s", "OU": "System" } ] }

保存退出!

 

(3)生成证书

[root@master001 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \

-ca-key=/opt/kubernetes/ssl/ca-key.pem \

-config=/opt/kubernetes/ssl/ca-config.json \

-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

2020/05/07 13:03:52 [INFO] generate received request

2020/05/07 13:03:52 [INFO] received CSR

2020/05/07 13:03:52 [INFO] generating key: rsa-2048

2020/05/07 13:03:52 [INFO] encoded CSR

2020/05/07 13:03:52 [INFO] signed certificate with serial number 688965016078159362647696629152821365848992245226

2020/05/07 13:03:52 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2.3 ("Information Requirements").

 

(4)分发证书到所有Node节点

[root@master001 ssl]# cp kube-proxy*.pem /opt/kubernetes/ssl/

[root@master001 ssl]# scp kube-proxy*.pem node001:/opt/kubernetes/ssl/

[root@master001 ssl]# scp kube-proxy*.pem node002:/opt/kubernetes/ssl/

[root@master001 ssl]# scp kube-proxy*.pem node003:/opt/kubernetes/ssl/

 

(5)创建kube-proxy配置文件

[root@master001 ssl]# kubectl config set-cluster kubernetes \ --certificate-authority=/opt/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=https://172.31.0.112:6443 \ --kubeconfig=kube-proxy.kubeconfig

Cluster "kubernetes" set.

 

[root@master001 ssl]# kubectl config set-credentials kube-proxy \ --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \ --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \ --embed-certs=true \ --kubeconfig=kube-proxy.kubeconfig

User "kube-proxy" set.

 

[root@master001 ssl]# kubectl config set-context default \ --cluster=kubernetes \ --user=kube-proxy \ --kubeconfig=kube-proxy.kubeconfig

Context "default" created.

 

[root@master001 ssl]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

Switched to context "default".

 

(6)分发kubeconfig配置文件

[root@master001 ssl]# cp kube-proxy.kubeconfig /opt/kubernetes/cfg/

[root@master001 ssl]# scp kube-proxy.kubeconfig node001:/opt/kubernetes/cfg/

[root@master001 ssl]# scp kube-proxy.kubeconfig node002:/opt/kubernetes/cfg/

[root@master001 ssl]# scp kube-proxy.kubeconfig node003:/opt/kubernetes/cfg/

 

(7)创建kube-proxy服务配置

所有节点都得创建 mkdir /var/lib/kube-proxy

[root@master001 ssl]# mkdir /var/lib/kube-proxy

[root@node001 ~]# mkdir /var/lib/kube-proxy

[root@node002 ~]# mkdir /var/lib/kube-proxy

[root@node003 ~]# mkdir /var/lib/kube-proxy

 

[root@master001 ssl]# vim /usr/lib/systemd/system/kube-proxy.service

[Unit] Description=Kubernetes Kube-Proxy Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] WorkingDirectory=/var/lib/kube-proxy ExecStart=/opt/kubernetes/bin/kube-proxy \ --bind-address=172.31.0.113 \ # 这里还根据实际的节点IP来修改 --hostname-override=172.31.0.113 \ # 这里还根据实际的节点IP来修改 --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig \ --masquerade-all \ --feature-gates=SupportIPVSProxyMode=true \ --proxy-mode=ipvs \ --ipvs-min-sync-period=5s \ --ipvs-sync-period=5s \ --ipvs-scheduler=rr \ --logtostderr=true \ --v=2 \ --logtostderr=false \ --log-dir=/opt/kubernetes/log Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target

 

保存退出!

[root@master001 ssl]# scp /usr/lib/systemd/system/kube-proxy.service node001:/usr/lib/systemd/system/kube-proxy.service

[root@master001 ssl]# scp /usr/lib/systemd/system/kube-proxy.service node002:/usr/lib/systemd/system/kube-proxy.service

[root@master001 ssl]# scp /usr/lib/systemd/system/kube-proxy.service node003:/usr/lib/systemd/system/kube-proxy.service

切记:需要修改每个node节点的实际 IP

 

(8)启动Kubernetes Proxy

systemctl daemon-reload systemctl enable kube-proxy systemctl start kube-proxy systemctl status kube-proxy

上述报错也是因为这个问题是 kubernetes 1.18 版本才出现的,所以去 Kubernetes Github 查看相关 issues,发现有人在升级 Kubernetes 版本到 1.18 后,也遇见了相同的问题,经过 issue 中 Kubernetes 维护人员讨论,分析出原因可能为新版 Kubernetes 使用的 IPVS 模块是比较新的,需要系统内核版本支持,本人使用的是 CentOS 系统,内核版本为 3.10,里面的 IPVS 模块比较老旧,缺少新版 Kubernetes IPVS 所需的依赖。

 

最终无报错的状态如下:

 

检查LVS状态,可以看到已经创建了一个LVS集群,将来自10.1.0.1:443的请求转到172.31.0.112:6443,而6443就是api-server的端口

[root@node001 ~]# ipvsadm -Ln

IP Virtual Server version 1.2.1 (size=4096)

Prot LocalAddress:Port Scheduler Flags

-> RemoteAddress:Port Forward Weight ActiveConn InActConn

TCP 10.1.0.1:443 rr

-> 172.31.0.112:6443 Masq 1 0 0

 

 

 

 

八、Flannel网络部署

(1)为Flannel生成证书

注意是在 master 节点上执行。

[root@master001 ssl]# vim flanneld-csr.json

{ "CN": "flanneld", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Shanghai", "L": "Shanghai", "O": "k8s", "OU": "System" } ] }

 

(2)生成证书

[root@master001 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \ -ca-key=/opt/kubernetes/ssl/ca-key.pem \ -config=/opt/kubernetes/ssl/ca-config.json \ -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld

2020/05/07 13:31:55 [INFO] generate received request

2020/05/07 13:31:55 [INFO] received CSR

2020/05/07 13:31:55 [INFO] generating key: rsa-2048

2020/05/07 13:31:56 [INFO] encoded CSR

2020/05/07 13:31:56 [INFO] signed certificate with serial number 568472282797363721493186255502425941110906425380

2020/05/07 13:31:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for

websites. For more information see the Baseline Requirements for the Issuance and Management

of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);

specifically, section 10.2.3 ("Information Requirements").

 

[root@master001 ssl]# ll -sh flannel*

4.0K -rw-r--r-- 1 root root 1001 May 7 13:31 flanneld.csr

4.0K -rw-r--r-- 1 root root 223 May 7 13:30 flanneld-csr.json

4.0K -rw------- 1 root root 1.7K May 7 13:31 flanneld-key.pem

4.0K -rw-r--r-- 1 root root 1.4K May 7 13:31 flanneld.pem

 

(3)分发证书

[root@master001 ssl]# cp flanneld*.pem /opt/kubernetes/ssl/

[root@master001 ssl]# scp flanneld*.pem node001:/opt/kubernetes/ssl/

[root@master001 ssl]# scp flanneld*.pem node002:/opt/kubernetes/ssl/

[root@master001 ssl]# scp flanneld*.pem node003:/opt/kubernetes/ssl/

 

 

(4)下载Flannel软件包

https://github.com/coreos/flannel/releases/download/v0.12.0/flannel-v0.12.0-linux-amd64.tar.gz

[root@master001 src]# tar -zxvf flannel-v0.12.0-linux-amd64.tar.gz

flanneld

mk-docker-opts.sh

README.md

解压后就三个文件!

[root@master001 src]# cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/

[root@master001 src]# scp flanneld mk-docker-opts.sh node001:/opt/kubernetes/bin/

[root@master001 src]# scp flanneld mk-docker-opts.sh node002:/opt/kubernetes/bin/

[root@master001 src]# scp flanneld mk-docker-opts.sh node003:/opt/kubernetes/bin/

 

(5)配置Flannel

[root@master001 ~]# vim /opt/kubernetes/cfg/flannel

FLANNEL_ETCD="-etcd-endpoints=https://172.31.0.113:2379,https://172.31.0.114:2379,https://172.31.0.115:2379" FLANNEL_ETCD_KEY="-etcd-prefix=/kubernetes/network" FLANNEL_ETCD_CAFILE="--etcd-cafile=/opt/kubernetes/ssl/ca.pem" FLANNEL_ETCD_CERTFILE="--etcd-certfile=/opt/kubernetes/ssl/flanneld.pem" FLANNEL_ETCD_KEYFILE="--etcd-keyfile=/opt/kubernetes/ssl/flanneld-key.pem"

 

复制配置到其它节点上

[root@master001 ~]# scp /opt/kubernetes/cfg/flannel node001:/opt/kubernetes/cfg/

[root@master001 ~]# scp /opt/kubernetes/cfg/flannel node002:/opt/kubernetes/cfg/

[root@master001 ~]# scp /opt/kubernetes/cfg/flannel node003:/opt/kubernetes/cfg/

 

 

(6)设置Flannel系统服务

[root@master001 ~]# vim /usr/lib/systemd/system/flanneld.service

[Unit]

Description=Flanneld overlay address etcd agent

After=network.target

Before=docker.service

 

[Service]

EnvironmentFile=-/opt/kubernetes/cfg/flannel

ExecStart=/opt/kubernetes/bin/flanneld ${FLANNEL_ETCD} ${FLANNEL_ETCD_KEY} ${FLANNEL_ETCD_CAFILE} ${FLANNEL_ETCD_CERTFILE} ${FLANNEL_ETCD_KEYFILE}

ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker

 

Type=notify

 

[Install]

WantedBy=multi-user.target

RequiredBy=docker.service

保存退出!

 

备注:mk-docker-opts.sh:为本机创建一个flannel网络的工具

flanneld:flannel的启动脚本

复制系统服务脚本到其它节点上

[root@master001 ~]# scp /usr/lib/systemd/system/flanneld.service node001:/usr/lib/systemd/system/flanneld.service

[root@master001 ~]# scp /usr/lib/systemd/system/flanneld.service node002:/usr/lib/systemd/system/flanneld.service

[root@master001 ~]# scp /usr/lib/systemd/system/flanneld.service node003:/usr/lib/systemd/system/flanneld.service

 

 

Flannel CNI集成

(1)下载CNI插件

https://github.com/containernetworking/plugins/releases

 

https://github.com/containernetworking/plugins/releases/download/v0.8.5/cni-plugins-linux-amd64-v0.8.5.tgz

 

[root@master001 ~]# mkdir /opt/kubernetes/bin/cni

[root@node001 ~]# mkdir /opt/kubernetes/bin/cni

[root@node002 ~]# mkdir /opt/kubernetes/bin/cni

[root@node003 ~]# mkdir /opt/kubernetes/bin/cni

[root@master001 src]# tar zxf cni-plugins-linux-amd64-v0.8.5.tgz -C /opt/kubernetes/bin/cni/

[root@master001 src]# ls /opt/kubernetes/bin/cni/

bandwidth bridge dhcp firewall flannel host-device host-local ipvlan loopback macvlan portmap ptp sbr static tuning vlan

[root@master001 src]# scp -r /opt/kubernetes/bin/cni/* node001:/opt/kubernetes/bin/cni/

[root@master002 src]# scp -r /opt/kubernetes/bin/cni/* node002:/opt/kubernetes/bin/cni/

[root@master003 src]# scp -r /opt/kubernetes/bin/cni/* node003:/opt/kubernetes/bin/cni/

 

(2)创建Etcd的key

此步的操作是为了创建POD的网段,并在ETCD中存储,而后FLANNEL从ETCD中取出并进行分配。

 

[root@master001 src]# /opt/kubernetes/bin/etcdctl \

--ca-file /opt/kubernetes/ssl/ca.pem \

--cert-file /opt/kubernetes/ssl/flanneld.pem \

--key-file /opt/kubernetes/ssl/flanneld-key.pem \

--no-sync -C https://172.31.0.113:2379,https://172.31.0.114:2379,https://172.31.0.115:2379 \

set /kubernetes/network/config '{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "Directrouting": true }}'

返回:

{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "Directrouting": true }}

 

查看验证 :

[root@node001 src]# etcdctl --ca-file /opt/kubernetes/ssl/ca.pem --cert-file /opt/kubernetes/ssl/flanneld.pem --key-file /opt/kubernetes/ssl/flanneld-key.pem --endpoints="https://172.31.0.113:2379" get /kubernetes/network/config

返回:

{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "Directrouting": true }}

 

(3)启动flannel

[root@master001~]# systemctl daemon-reload [root@master001 ~]# systemctl enable flanneld [root@master001 ~]# chmod +x /opt/kubernetes/bin/* [root@master001 ~]# systemctl start flanneld

 

 

(4)、创建pod 镜像机器测试

编辑 nginx-deployment.yaml

apiVersion: apps/v1

kind: Deployment

metadata:

name: nginx-deployment

labels:

app: nginx

spec:

replicas: 3

selector:

matchLabels:

app: nginx

template:

metadata:

labels:

app: nginx

spec:

containers:

- name: nginx

image: nginx:1.14.2

ports:

- containerPort: 80

---

apiVersion: v1

kind: Service

metadata:

name: nginx-svc

spec:

type: NodePort

selector:

app: nginx

ports:

- protocol: TCP

nodePort: 30000

port: 8080

targetPort: 80

保存退出!

 

创建:

[root@master01 yaml]# kubectl apply -f nginx-deployment.yaml

deployment.apps/nginx-deployment created

service/nginx-svc created

查看:

[root@master01 yaml]# kubectl get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

nginx-deployment-6b474476c4-5szx2 1/1 Running 0 8m8s 10.2.66.4 172.31.0.114 <none> <none>

nginx-deployment-6b474476c4-nflkk 1/1 Running 0 8m8s 10.2.50.2 172.31.0.113 <none> <none>

nginx-deployment-6b474476c4-xqs5c 1/1 Running 0 8m8s 10.2.24.4 172.31.0.115 <none> <none>

 

测试:

[root@master01 yaml]# curl 10.2.66.4

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

<style>

body {

width: 35em;

margin: 0 auto;

font-family: Tahoma, Verdana, Arial, sans-serif;

}

</style>

</head>

<body>

<h1>Welcome to nginx!</h1>

<p>If you see this page, the nginx web server is successfully installed and

working. Further configuration is required.</p>

 

<p>For online documentation and support please refer to

<a href="http://nginx.org/">nginx.org</a>.<br/>

Commercial support is available at

<a href="http://nginx.com/">nginx.com</a>.</p>

 

<p><em>Thank you for using nginx.</em></p>

</body>

</html>

 

[root@node01 ~]# curl 10.1.67.165:8080

<!DOCTYPE html>

<html>

<head>

<title>Welcome to nginx!</title>

<style>

body {

width: 35em;

margin: 0 auto;

font-family: Tahoma, Verdana, Arial, sans-serif;

}

</style>

</head>

<body>

<h1>Welcome to nginx!</h1>

<p>If you see this page, the nginx web server is successfully installed and

working. Further configuration is required.</p>

 

<p>For online documentation and support please refer to

<a href="http://nginx.org/">nginx.org</a>.<br/>

Commercial support is available at

<a href="http://nginx.com/">nginx.com</a>.</p>

 

<p><em>Thank you for using nginx.</em></p>

</body>

</html>

测试集群功能正常!

 

九、CoreDNS部署

在 Cluster 中,除了可以通过 Cluster IP 访问 Service,Kubernetes 还提供了更为方便的 DNS 访问。

(1)编辑coredns.yaml文件

vim coredns.yaml

apiVersion: v1 kind: ServiceAccount metadata: name: coredns namespace: kube-system labels: kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: kubernetes.io/bootstrapping: rbac-defaults addonmanager.kubernetes.io/mode: Reconcile name: system:coredns rules: - apiGroups: - "" resources: - endpoints - services - pods - namespaces verbs: - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults addonmanager.kubernetes.io/mode: EnsureExists name: system:coredns roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:coredns subjects: - kind: ServiceAccount name: coredns namespace: kube-system --- apiVersion: v1 kind: ConfigMap metadata: name: coredns namespace: kube-system labels: addonmanager.kubernetes.io/mode: EnsureExists data: Corefile: | .:53 { errors health kubernetes cluster.local. in-addr.arpa ip6.arpa { pods insecure upstream fallthrough in-addr.arpa ip6.arpa } prometheus :9153 proxy . /etc/resolv.conf cache 30 } --- apiVersion: apps/v1 kind: Deployment metadata: name: coredns namespace: kube-system labels: k8s-app: coredns kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile kubernetes.io/name: "CoreDNS" spec: replicas: 2 strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 1 selector: matchLabels: k8s-app: coredns template: metadata: labels: k8s-app: coredns spec: serviceAccountName: coredns tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule - key: "CriticalAddonsOnly" operator: "Exists" containers: - name: coredns image: coredns/coredns:1.0.6 imagePullPolicy: IfNotPresent resources: limits: memory: 170Mi requests: cpu: 100m memory: 70Mi args: [ "-conf", "/etc/coredns/Corefile" ] volumeMounts: - name: config-volume mountPath: /etc/coredns ports: - containerPort: 53 name: dns protocol: UDP - containerPort: 53 name: dns-tcp protocol: TCP livenessProbe: httpGet: path: /health port: 8080 scheme: HTTP initialDelaySeconds: 60 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 dnsPolicy: Default volumes: - name: config-volume configMap: name: coredns items: - key: Corefile path: Corefile --- apiVersion: v1 kind: Service metadata: name: coredns namespace: kube-system labels: k8s-app: coredns kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile kubernetes.io/name: "CoreDNS" spec: selector: k8s-app: coredns clusterIP: 10.1.0.2 ports: - name: dns port: 53 protocol: UDP - name: dns-tcp port: 53 protocol: TCP

保存退出!

 

(2)创建coredns

[root@master001 coredns]# kubectl create -f coredns.yaml

serviceaccount/coredns created

clusterrole.rbac.authorization.k8s.io/system:coredns created

clusterrolebinding.rbac.authorization.k8s.io/system:coredns created

configmap/coredns created

deployment.apps/coredns created

service/coredns created

 

(3)查看coredns服务

[root@master001 coredns]# kubectl get deployment -n kube-system

NAME READY UP-TO-DATE AVAILABLE AGE

coredns 2/2 2 2 88s

 

[root@master001 coredns]# kubectl get svc -n kube-system

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

coredns ClusterIP 10.1.0.2 <none> 53/UDP,53/TCP 90s

 

[root@master001 coredns]# kubectl get pod -n kube-system

NAME READY STATUS RESTARTS AGE

coredns-8585c9f5dd-74mq4 1/1 Running 0 93s

coredns-8585c9f5dd-shnz7 1/1 Running 0 93s

 

(4)Pod容器中进行域名解析测试

[root@master001 CoreDNS]# kubectl run alpine --rm -ti --image=alpine -- /bin/sh

If you don't see a command prompt, try pressing enter.

/ # nslookup nginx-svc

Server: 10.1.0.2

Address: 10.1.0.2:53

 

Name: nginx-svc.default.svc.cluster.local

Address: 10.1.67.165

 

** server can't find nginx-svc.svc.cluster.local.: NXDOMAIN

** server can't find nginx-svc.cluster.local.: NXDOMAIN

** server can't find nginx-svc.svc.cluster.local.: NXDOMAIN

** server can't find nginx-svc.cluster.local.: NXDOMAIN

 

/ # wget nginx-svc:8080

Connecting to nginx-svc:8080 (10.1.255.217:8080)

saving to 'index.html'

index.html 100% |****************************************| 612 0:00:00 ETA

'index.html' saved

 

测试没问题可以正常解析!

 

 

徒行沙漠
关注
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
很棒的kubernetes笔记:很棒的kubernetes笔记:party_popper:
01-30
为方便更多k8s爱好者更系统性的学习文档,利用sphinx将笔记整理生成程序在线文档,方便学习交流 本文 个人信息: awesome-kubernetes-notes: 演示 目录 1.1容器编排工具 1.2 kubernetes 1.3环境架构 1.4架构和组件...
重中之重-kubernetes集群部署(二进制方法)
weixin_55609833的博客
08-13 556
重中之重-kubernetes集群部署kubernetes二进制部署部署etcd集群签发证书环境 kubernetes二进制部署 部署etcd集群 etcd是CoreOS团队于2013年6月发起的开源项目,它的目标是构建一个高可用的分布式键值(key-value) 数据库。etcd内部采用raft协议作为一致性 算法,etcd是go语言编写的。 etcd作为服务发现系统,有以下的特点: 简单:安装配置简单,而且提供了HTTP API进行交互,使用也很简单 安全:支持SSL证书验证 快速:单实例支持每秒2k
CC00052.CloudKubernetes——|KuberNetes&二进制部署.V05|3台Server|——|证书生成|
yanqi_vip
03-29 375
一、生成证书: ### --- Master01下载生成证书工具(下载不成功可以去百度网盘)及创建资源目录 ~~~ etcd及kubernetes证书生成 ~~~ 二进制安装最关键步骤,一步错误全盘皆输,一定要注意每个步骤都要是正确的 ### ---下载证书生成工具 [root@k8s-master01 ~]# wget "https://pkg...
K8S二进制部署详解,一文教会你部署高可用K8S集群
最新发布
景天科技苑
02-07 2428
kubeadm方式搭建K8S比较简单,单对立面很多原理都不清楚的话,生产中使用功能可能不便于排查故障。 二进制方式搭建:在官网下载相关组件的二进制包,如果手动安装,对kubernetes理解也会更全面。 Kubeadm和二进制都适合生产环境,在生产环境运行都很稳定,具体如何选择,可以根据实际项目进行评估。
kubernetes——二进制多节点部署
weixin_42099301的博客
10-04 743
Kubernetes二进制部署 Kubernetes 是用于自动部署,扩展和管理容器化应用程序的开源系统。 Kubernetes 是一个可移植的、可扩展的开源平台,用于管理容器化的工作负载和服务,可促进声明式配置和自动化。Kubernetes 拥有一个庞大且快速增长的生态系统。Kubernetes 的服务、支持和工具广泛可用。名称 Kubernetes 源于希腊语,意为 "舵手"或 “飞行员”。Google 在 2014 年开源了 Kubernetes 项目。Kubernetes 建立在 Google
全手动搭建Kubernetes集群——Master管理节点和Node工作节点部署
Dorte_AZ的博客
04-22 4607
配置k8s集群Master管理节点和Node工作节点的组件
kubernetes证书过期处理
07-24 2090
一、过期信息 # kubectl get pod Unable to connect to the server: x509: certificate has expired or is not yet valid 二、处理etcd证书 2.1、查看过期信息 # cd /etc/etcd/s...
Kubernetes学习笔记K8S学习
02-01
为适应微服务价格学习的一些K8S基础原理及其组件的原理和介绍
自动部署k8s一主多从的集群
06-19
5. 本人在虚拟机中测试成功,且结合网上的yaml成功在集群中,部署Prometheus监控k8s集群 更新内容: 1. 新增kubeadm高可用部署的方式,当前版本未采用haproxy+keepalived作为APIserverde代理 2.新增多节点部署,后续...
Kubernetesk8s)2020版入门笔记和资料(尚).zip
07-28
Kubernetesk8s)2020版入门笔记和资料 尚
k8s二进制搭建,及ldap搭建.txt
11-02
这个主要是内网用,外网的话搭建方式很多。我也是参考了其他教程,但是有一些坑,卡了我好久,最后终于搞成了。这是我做的笔记,给初学者看看吧。
CC00007.CloudKubernetes——|Kubernetes&二进制部署.V03|——|部署ETCD集群|
yanqi_vip
03-28 142
一、部署Etcd集群 节点名称 IP etcd-1 10.10.10.11 etcd-2 10.10.10.12 etcd-3 10.10.10.13 ### --- 部署Etcd集群 ~~~ Etcd是一个分布式键值存储系统,kubernetes使用Etcd进行数据存储, ~~~ 所以先准备一个Etcd数据库,为解决...
CentOS 使用二进制部署 Kubernetes 1.13集群
rubbertree的专栏
06-21 1659
CentOS 使用二进制部署 Kubernetes 1.13集群 一、概述 kubernetes 1.13 已发布,这是 2018 年年内第四次也是最后一次发布新版本。Kubernetes 1.13 是迄今为止发布间隔最短的版本之一(与上一版本间隔十周),主要关注 Kubernetes 的稳定性与可扩展性,其中存储与集群生命周期相关的三项主要功能已逐步实现普遍可用性。 Kubernet...
Kubernetes 集群部署之Master部署(三)
abel_dwh的博客
05-11 681
目录 一、部署Master 创建证书存放目录 生成kube-apiserver证书 生成证书 使用自签ca证书办法kube-apiserver证书 生成证书 一、部署Master 创建证书存放目录 [root@master ssl]# mkdir /etc/k8s/ssl -p 生成kube-apiserver证书 [root@master ssl]# cat ca-config.json { "signing": { "default": .
K8s多节点部署详细步骤,附UI界面的搭建
CYQ419的博客
02-09 1547
K8s多节点部署 需要准备的环境: 6台centos7设备:192.168.1.11 master01192.168.1.12 node1192.168.1.13 node2192.168.1.14 master02192.168.1.15 lb1192.168.1.16 lb2VIP:192.168.1.100 实验步骤: 1:自签ETCD证书 2:E...
CentOS环境Docker flannel网络方案实验
lizy0327的博客
03-03 1084
测试环境 环境IP信息: master:192.168.66.40,启动etcd服务 node1: 192.168.66.41,启动flannel服务 node2: 192.168.66.42,启动flannel服务 flanneld -version v0.13.0 etcd --version etcd Version: 3.4.15 Git SHA: aa7126864 Go Version: go1.12.17 Go OS/Arch: linux/amd64 安装etcd etcd版本: ETCD_
k8s集群二进制安装--etcd集群部署
归来仍少年
09-28 318
2.etcd集群部署 2.1 cfssl工具安装 ##下载 wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 ##授权和命名 chmod a+x cffssl* mv cfssl_linux-amd64 /usr/local/bin/c
创建calico网络报错client response is invalid json
weixin_34234721的博客
06-14 2191
2019独角兽企业重金招聘Python工程师标准>>> ...
K8s - 札记 - node.kubernetes.io/disk-pressure:NoSchedule
个人纪录、总结!
03-12 2365
K8s - 目录 K8s - 札记 - node.kubernetes.io/disk-pressure:NoSchedule一、问题描述1. 现象2. 原因二、解决方案三、参考命令 一、问题描述 1. 现象 pod 一直处于 pending 状态; pod 提示:Warning FailedScheduling 4m10s default-scheduler 0/1 nodes are available: 1 node(s) had taint {node-role.kubernetes.io.
16G的windows笔记本电脑如何部署k8s集群
05-23
在16G的Windows笔记本电脑上部署Kubernetes集群是可能的,但是需要注意的是,由于资源受限,可能无法在上面运行大型应用程序。以下是一些步骤: 1. 安装Docker:在Windows操作系统上安装Docker Desktop...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值