1. Cluster planning
No. | IP | Role | Hostname | Installed components |
---|---|---|---|---|
1 | 192.168.10.11 | Master,Node | vm01 | Apiserver,ControllerManager,Scheduler,Kubelet,Proxy,Etcd |
2 | 192.168.10.12 | Node | vm02 | Kubelet,Proxy,Etcd |
3 | 192.168.10.13 | Node | vm03 | Kubelet,Proxy,Etcd |
2. Software versions
No. | Software | Version |
---|---|---|
1 | CentOS | 7.9.2009, kernel upgraded to 5.17.1-1.el7.elrepo.x86_64 |
2 | Docker-ce | v20.10.9 |
3 | Etcd | v3.4.9 |
4 | Kubernetes | v1.20.14 |
5 | cfssl | v1.6.1 |
3. Download URLs
4. Initializing the virtual machines
4.1 Installing the virtual machines
Perform the following steps on every virtual machine.
4.2 Upgrading the kernel
```bash
# Run on every virtual machine
# Refresh the yum repositories
yum update -y
# Import the public key of the ELRepo repository
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
# Install the ELRepo yum repository
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# List the kernel packages available from ELRepo
[root@vm01 ~]# yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * elrepo-kernel: ftp.yz.yamagata-u.ac.jp
Available Packages
elrepo-release.noarch                 7.0-5.el7.elrepo        elrepo-kernel
kernel-lt.x86_64                      5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-devel.x86_64                5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-doc.noarch                  5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-headers.x86_64              5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-tools.x86_64                5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-tools-libs.x86_64           5.4.188-1.el7.elrepo    elrepo-kernel
kernel-lt-tools-libs-devel.x86_64     5.4.188-1.el7.elrepo    elrepo-kernel
kernel-ml-devel.x86_64                5.17.1-1.el7.elrepo     elrepo-kernel
kernel-ml-doc.noarch                  5.17.1-1.el7.elrepo     elrepo-kernel
kernel-ml-headers.x86_64              5.17.1-1.el7.elrepo     elrepo-kernel
kernel-ml-tools.x86_64                5.17.1-1.el7.elrepo     elrepo-kernel
kernel-ml-tools-libs.x86_64           5.17.1-1.el7.elrepo     elrepo-kernel
kernel-ml-tools-libs-devel.x86_64     5.17.1-1.el7.elrepo     elrepo-kernel
perf.x86_64                           5.17.1-1.el7.elrepo     elrepo-kernel
python-perf.x86_64                    5.17.1-1.el7.elrepo     elrepo-kernel
# Install the latest mainline kernel
yum --enablerepo=elrepo-kernel install -y kernel-ml
# List all kernels now present on the system
sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
# Set the default kernel; 0 is the index of the desired kernel in the list above
grub2-set-default 0
# Regenerate the grub configuration
grub2-mkconfig -o /boot/grub2/grub.cfg
# Reboot
reboot
# Remove the old kernels (optional)
# List every kernel package on the system
rpm -qa | grep kernel
# Remove the old kernel RPMs; the exact package names depend on the output of the command above
yum remove kernel-3.10.0-514.el7.x86_64 \
  kernel-tools-libs-3.10.0-862.11.6.el7.x86_64 \
  kernel-tools-3.10.0-862.11.6.el7.x86_64 \
  kernel-3.10.0-862.11.6.el7.x86_64
```
4.3 Loading kernel modules
```bash
# Run on every virtual machine
[root@vm01 ~]# modprobe -- ip_vs
[root@vm01 ~]# modprobe -- ip_vs_rr
[root@vm01 ~]# modprobe -- ip_vs_wrr
[root@vm01 ~]# modprobe -- ip_vs_sh
[root@vm01 ~]# modprobe -- nf_conntrack_ipv4
modprobe: FATAL: Module nf_conntrack_ipv4 not found.
# On kernels 4.19 and later nf_conntrack_ipv4 no longer exists as a separate module; its
# functionality lives in nf_conntrack, which ip_vs pulls in as a dependency, as lsmod shows below
[root@vm01 ~]# lsmod | grep ip_vs
ip_vs_sh               16384  0
ip_vs_wrr              16384  0
ip_vs_rr               16384  0
ip_vs                 159744  6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack          159744  1 ip_vs
nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs
libcrc32c              16384  3 nf_conntrack,xfs,ip_vs
[root@vm01 ~]# lsmod | grep nf_conntrack_ipv4
```
4.4 System settings
```bash
# Stop and disable the firewall
systemctl stop firewalld && systemctl disable firewalld
# Disable SELinux so that containers can read the host filesystem without interference
sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0
# Turn off swap
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
```
4.5 Configuring /etc/hosts
```bash
cat >> /etc/hosts << EOF
192.168.10.11 vm01
192.168.10.12 vm02
192.168.10.13 vm03
EOF
```
4.6 Enabling IPv4 forwarding
```bash
# Make bridged traffic pass through the iptables/ip6tables chains, as kube-proxy requires
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
```
4.7 Time synchronization
```bash
yum -y install chrony
# Edit /etc/chrony.conf and replace the server lines with the following
vi /etc/chrony.conf
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst
systemctl restart chronyd
[root@vm01 ~]# chronyc -a makestep
200 OK
[root@vm01 ~]# chronyc sourcestats
210 Number of sources = 2
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
203.107.6.88               26  13   35m     -0.792      1.898    -24us  1486us
120.25.115.20              23  16   36m     +0.055      0.709   -251us   545us
[root@vm01 ~]# chronyc sources -v
210 Number of sources = 2

  .-- Source mode  '^' = server, '=' = peer, '#' = local clock.
 / .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| /   '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
||                                                 .- xxxx [ yyyy ] +/- zzzz
||      Reachability register (octal) -.           |  xxxx = adjusted offset,
||      Log2(Polling interval) --.      |          |  yyyy = measured offset,
||                                \     |          |  zzzz = estimated error.
||                                 |    |           \
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88                  2   8   377   150  +1569us[+1671us] +/-   22ms
^+ 120.25.115.20                 2   8   377    86   -772us[ -772us] +/-   25ms
```
4.8 Installing dependency packages
```bash
yum install -y ipvsadm ipset sysstat conntrack libseccomp wget git
```
5. Passwordless SSH login
```bash
# Perform this step on the master host
[root@vm01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nmsw1JMs6U2M+TE0fh+ZmQrI2doLV5kbpO7X0gutmE4 root@vm01
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|      o .        |
|   . & = o =     |
|    X # * *      |
|   o OSB = .     |
|    *.*.o..      |
|     *E..o.      |
|     .++ooo      |
|     o=.....     |
+----[SHA256]-----+
# Install the public key on the other nodes; entering the remote password once is all it takes
# to get passwordless access from the master to vm02
[root@vm01 ~]# ssh-copy-id vm02
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'vm02 (192.168.10.12)' can't be established.
ECDSA key fingerprint is SHA256:pFfmADyl1dFq2Uadp/YwSEe+yW29sxkfzoQD/y6jvts.
ECDSA key fingerprint is MD5:27:53:f0:aa:b8:6c:2c:2e:b7:e5:ef:c7:fb:32:10:6f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@vm02's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'vm02'"
and check to make sure that only the key(s) you wanted were added.

[root@vm01 ~]# ssh-copy-id vm03
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'vm03 (192.168.10.13)' can't be established.
ECDSA key fingerprint is SHA256:pFfmADyl1dFq2Uadp/YwSEe+yW29sxkfzoQD/y6jvts.
ECDSA key fingerprint is MD5:27:53:f0:aa:b8:6c:2c:2e:b7:e5:ef:c7:fb:32:10:6f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@vm03's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'vm03'"
and check to make sure that only the key(s) you wanted were added.
# Note that vm02 and vm03 present the same ECDSA host-key fingerprint, which indicates the VMs were
# cloned from one image with its /etc/ssh/ssh_host_* keys already in place. A known_hosts entry then no
# longer identifies a single machine. To give each clone its own keys, run
#   rm -f /etc/ssh/ssh_host_* && ssh-keygen -A && systemctl restart sshd
# on it, and delete the stale entries from /root/.ssh/known_hosts on the master before reconnecting.
```
6. Creating the working directories
```bash
# Run on every virtual machine
mkdir -p /opt/TLS/{download,etcd,k8s}
mkdir -p /opt/TLS/etcd/{cfg,bin,ssl}
mkdir -p /opt/TLS/k8s/{cfg,bin,ssl}
```
7. Downloading the software
```bash
# The following is done on the master only
# Change into the download directory
cd /opt/TLS/download
# Download cfssl and make the binaries executable
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64
chmod +x cfssl*
[root@vm03 download]# ll
total 40232
-rwxr-xr-x 1 root root 16659824 Dec  7 15:36 cfssl_1.6.1_linux_amd64
-rwxr-xr-x 1 root root 13502544 Dec  7 15:35 cfssl-certinfo_1.6.1_linux_amd64
-rwxr-xr-x 1 root root 11029744 Dec  7 15:35 cfssljson_1.6.1_linux_amd64
# Download and unpack etcd
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
tar -xvf etcd-v3.4.9-linux-amd64.tar.gz
chmod +x etcd-v3.4.9-linux-amd64/etcd*
[root@vm03 download]# ll etcd-v3.4.9-linux-amd64/
total 40540
drwxr-xr-x 14 630384594 600260513     4096 May 22  2020 Documentation
-rwxr-xr-x  1 630384594 600260513 23827424 May 22  2020 etcd
-rwxr-xr-x  1 630384594 600260513 17612384 May 22  2020 etcdctl
-rw-r--r--  1 630384594 600260513    43094 May 22  2020 README-etcdctl.md
-rw-r--r--  1 630384594 600260513     8431 May 22  2020 README.md
-rw-r--r--  1 630384594 600260513     7855 May 22  2020 READMEv2-etcdctl.md
# Download and unpack kubernetes
wget https://dl.k8s.io/v1.20.14/kubernetes-server-linux-amd64.tar.gz
tar zxvf kubernetes-server-linux-amd64.tar.gz
chmod +x kubernetes/server/bin/{kubectl,kubelet,kube-apiserver,kube-controller-manager,kube-scheduler,kube-proxy}
[root@vm03 download]# ll kubernetes/server/bin/
total 1134068
-rwxr-xr-x 1 root root  57724928 Feb 16 20:49 apiextensions-apiserver
-rwxr-xr-x 1 root root  45211648 Feb 16 20:49 kubeadm
-rwxr-xr-x 1 root root  51773440 Feb 16 20:49 kube-aggregator
-rwxr-xr-x 1 root root 131301376 Feb 16 20:49 kube-apiserver
-rw-r--r-- 1 root root         8 Feb 16 20:48 kube-apiserver.docker_tag
-rw------- 1 root root 136526848 Feb 16 20:48 kube-apiserver.tar
-rwxr-xr-x 1 root root 121110528 Feb 16 20:49 kube-controller-manager
-rw-r--r-- 1 root root         8 Feb 16 20:48 kube-controller-manager.docker_tag
-rw------- 1 root root 126336000 Feb 16 20:48 kube-controller-manager.tar
-rwxr-xr-x 1 root root  46592000 Feb 16 20:49 kubectl
-rwxr-xr-x 1 root root  54333584 Feb 16 20:49 kubectl-convert
-rwxr-xr-x 1 root root 124521440 Feb 16 20:49 kubelet
-rwxr-xr-x 1 root root   1507328 Feb 16 20:49 kube-log-runner
-rwxr-xr-x 1 root root  44163072 Feb 16 20:49 kube-proxy
-rw-r--r-- 1 root root         8 Feb 16 20:48 kube-proxy.docker_tag
-rw------- 1 root root 114255872 Feb 16 20:48 kube-proxy.tar
-rwxr-xr-x 1 root root  49618944 Feb 16 20:49 kube-scheduler
-rw-r--r-- 1 root root         8 Feb 16 20:48 kube-scheduler.docker_tag
-rw------- 1 root root  54844416 Feb 16 20:48 kube-scheduler.tar
-rwxr-xr-x 1 root root   1437696 Feb 16 20:49 mounter
# Download and unpack docker-ce
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz
tar -xvf docker-20.10.9.tgz
chmod +x docker/*
[root@vm03 download]# ll docker
total 200840
-rwxr-xr-x 1 1000 1000 33908392 Oct  5 00:08 containerd
-rwxr-xr-x 1 1000 1000  6508544 Oct  5 00:08 containerd-shim
-rwxr-xr-x 1 1000 1000  8609792 Oct  5 00:08 containerd-shim-runc-v2
-rwxr-xr-x 1 1000 1000 21131264 Oct  5 00:08 ctr
-rwxr-xr-x 1 1000 1000 52883616 Oct  5 00:08 docker
-rwxr-xr-x 1 1000 1000 64758736 Oct  5 00:08 dockerd
-rwxr-xr-x 1 1000 1000   708616 Oct  5 00:08 docker-init
-rwxr-xr-x 1 1000 1000  2784145 Oct  5 00:08 docker-proxy
-rwxr-xr-x 1 1000 1000 14352296 Oct  5 00:08 runc
```
8. Preparing the cfssl tools
cfssl is an open-source certificate management tool that generates certificates from JSON request files; for this purpose it is more convenient to use than openssl.
```bash
# On the master only
cd /opt/TLS/download
cp cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
cp cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
cp cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
[root@vm03 download]# ll /usr/local/bin/cfssl*
-rwxr-xr-x 1 root root 16659824 Apr  4 08:46 /usr/local/bin/cfssl
-rwxr-xr-x 1 root root 13502544 Apr  4 08:46 /usr/local/bin/cfssl-certinfo
-rwxr-xr-x 1 root root 11029744 Apr  4 08:46 /usr/local/bin/cfssljson
```
9. Generating the etcd certificates
9.1 Self-signed CA request files
```bash
cd /opt/TLS/etcd/ssl
# Signing policy: the "www" profile is used for the etcd server certificate below
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# CA certificate signing request
cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
```
9.2 Generating the self-signed CA certificate
```bash
[root@vm03 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2022/04/04 08:51:25 [INFO] generating a new CA key and certificate from CSR
2022/04/04 08:51:25 [INFO] generate received request
2022/04/04 08:51:25 [INFO] received CSR
2022/04/04 08:51:25 [INFO] generating key: rsa-2048
2022/04/04 08:51:26 [INFO] encoded CSR
2022/04/04 08:51:26 [INFO] signed certificate with serial number 464748957865402020542542705181876295838207954582
[root@vm03 ssl]# ll
total 20
-rw-r--r-- 1 root root  287 Apr  4 08:51 ca-config.json
-rw-r--r-- 1 root root  956 Apr  4 08:51 ca.csr
-rw-r--r-- 1 root root  209 Apr  4 08:51 ca-csr.json
-rw------- 1 root root 1679 Apr  4 08:51 ca-key.pem
-rw-r--r-- 1 root root 1216 Apr  4 08:51 ca.pem
# The command above produces two files: ca.pem and ca-key.pem
```
9.3 Creating the etcd certificate request file
```bash
cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.10.11",
    "192.168.10.12",
    "192.168.10.13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# The IPs in the hosts field above are the internal cluster-communication IPs of all etcd nodes;
# not one of them may be left out. To make later expansion easier, a few reserved IPs can be listed as well.
```
9.4 Issuing the etcd HTTPS certificate
```bash
[root@vm03 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2022/04/04 08:55:55 [INFO] generate received request
2022/04/04 08:55:55 [INFO] received CSR
2022/04/04 08:55:55 [INFO] generating key: rsa-2048
2022/04/04 08:55:55 [INFO] encoded CSR
2022/04/04 08:55:55 [INFO] signed certificate with serial number 177379691802225269854687255587397345225756828558
[root@vm03 ssl]# ll
total 36
-rw-r--r-- 1 root root  287 Apr  4 08:51 ca-config.json
-rw-r--r-- 1 root root  956 Apr  4 08:51 ca.csr
-rw-r--r-- 1 root root  209 Apr  4 08:51 ca-csr.json
-rw------- 1 root root 1679 Apr  4 08:51 ca-key.pem
-rw-r--r-- 1 root root 1216 Apr  4 08:51 ca.pem
-rw-r--r-- 1 root root 1013 Apr  4 08:55 server.csr
-rw-r--r-- 1 root root  290 Apr  4 08:55 server-csr.json
-rw------- 1 root root 1675 Apr  4 08:55 server-key.pem
-rw-r--r-- 1 root root 1338 Apr  4 08:55 server.pem
# The command above produces two files: server.pem and server-key.pem
```
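As an added illustration (not part of the original article, and not cfssl's code), the following Go program reproduces the two cfssl steps above with the standard crypto/x509 package and then performs the check that etcd peers and etcdctl --cacert make when they connect: the server certificate must chain to ca.pem and carry the dialed IP as a SAN, which is why every etcd IP has to be in the hosts field. The function names issueEtcdPair and verifyEtcdEndpoint are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueEtcdPair does with crypto/x509 what the two cfssl commands above do: a
// self-signed "etcd CA" (ca-csr.json) and an "etcd" server certificate signed
// under the "www" profile (ca-config.json) whose SANs are the IPs from the
// hosts field of server-csr.json. Keys are discarded; only the PEM certs return.
func issueEtcdPair(hosts []string) (caPEM, serverPEM []byte, err error) {
	var ips []net.IP
	for _, h := range hosts {
		ip := net.ParseIP(h)
		if ip == nil {
			return nil, nil, fmt.Errorf("hosts entry %q is not an IP address", h)
		}
		ips = append(ips, ip)
	}
	caKey, err := rsa.GenerateKey(rand.Reader, 2048) // "algo": "rsa", "size": 2048
	if err != nil {
		return nil, nil, err
	}
	notBefore := time.Now().Add(-time.Hour)
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "etcd CA", Country: []string{"CN"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(87600 * time.Hour), // "expiry": "87600h"
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	srv := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "etcd"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(87600 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // "www" profile
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  ips, // the hosts field becomes IP SANs
	}
	// Signed with the CA key; the CA template as parent makes the issuer "etcd CA".
	srvDER, err := x509.CreateCertificate(rand.Reader, srv, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	serverPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER})
	return caPEM, serverPEM, nil
}

// verifyEtcdEndpoint is the check a TLS client that trusts only ca.pem makes when
// it dials https://<ip>:2379 or :2380: the certificate must chain to the CA, be
// valid for server auth, and list <ip> among its SANs.
func verifyEtcdEndpoint(caPEM, serverPEM []byte, ip string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("CA PEM contains no certificate")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM-encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip, // VerifyHostname matches an IP literal against IPAddresses
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	hosts := []string{"192.168.10.11", "192.168.10.12", "192.168.10.13"}
	caPEM, srvPEM, err := issueEtcdPair(hosts)
	if err != nil {
		panic(err)
	}
	for _, ip := range append(hosts, "192.168.10.14") { // .14 is not in hosts: must fail
		fmt.Printf("%s: %v\n", ip, verifyEtcdEndpoint(caPEM, srvPEM, ip))
	}
}
```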
10. Deploying the etcd cluster
10.1 Generating the configuration files
```bash
# To keep things simple, the configuration files for all three etcd virtual machines are generated
# here at once and then distributed to their respective machines, which avoids editing them in place.
cd /opt/TLS/etcd/cfg
#-------------------------------------
# Configuration file for vm01
#-------------------------------------
cat > etcd01.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.11:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.11:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.11:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.10.11:2380,etcd-2=https://192.168.10.12:2380,etcd-3=https://192.168.10.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#-------------------------------------
# Configuration file for vm02
#-------------------------------------
cat > etcd02.conf << EOF
#[Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.12:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.12:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.12:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.10.11:2380,etcd-2=https://192.168.10.12:2380,etcd-3=https://192.168.10.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#-------------------------------------
# Configuration file for vm03
#-------------------------------------
cat > etcd03.conf << EOF
#[Member]
ETCD_NAME="etcd-3"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.13:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.13:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.13:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.10.11:2380,etcd-2=https://192.168.10.12:2380,etcd-3=https://192.168.10.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# List the generated configuration files
[root@vm03 cfg]# ll
total 16
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd01.conf
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd02.conf
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd03.conf
#--------------------------- Notes -------------------------------
# • ETCD_NAME: node name, unique within the cluster
# • ETCD_DATA_DIR: data directory
# • ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
# • ETCD_LISTEN_CLIENT_URLS: listen address for client access
# • ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the rest of the cluster
# • ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
# • ETCD_INITIAL_CLUSTER: addresses of all cluster members
# • ETCD_INITIAL_CLUSTER_TOKEN: cluster token
# • ETCD_INITIAL_CLUSTER_STATE: state when joining; new for a new cluster, existing to join an existing cluster
#-----------------------------------------------------------------
```
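Added example, not from the original article: a small Go program that derives the three etcd.conf files from the member list in section 1 (so that ETCD_INITIAL_CLUSTER is built once rather than typed three times) and lints them for the mistakes that stop a new cluster from bootstrapping, such as a copied file that still carries another node's ETCD_NAME or a listener that fell back to plain http://. The names renderEtcdConf, parseEtcdConf, lintEtcdCluster and plannedMembers are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// member is one etcd node from the cluster plan in section 1.
type member struct{ Name, IP string }
var plannedMembers = []member{
	{"etcd-1", "192.168.10.11"}, {"etcd-2", "192.168.10.12"}, {"etcd-3", "192.168.10.13"},
}

// renderEtcdConf renders one member's etcd.conf; ETCD_INITIAL_CLUSTER is built
// from the whole member list so that every file carries the identical value.
func renderEtcdConf(m member, all []member) string {
	var peers []string
	for _, o := range all {
		peers = append(peers, fmt.Sprintf("%s=https://%s:2380", o.Name, o.IP))
	}
	return fmt.Sprintf(`#[Member]
ETCD_NAME="%s"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://%s:2380"
ETCD_LISTEN_CLIENT_URLS="https://%s:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://%s:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://%s:2379"
ETCD_INITIAL_CLUSTER="%s"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
`, m.Name, m.IP, m.IP, m.IP, m.IP, strings.Join(peers, ","))
}

// parseEtcdConf reads KEY="value" lines back into a map, skipping comments.
func parseEtcdConf(text string) map[string]string {
	conf := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			conf[kv[0]] = strings.Trim(kv[1], `"`)
		}
	}
	return conf
}

// lintEtcdCluster reports the mistakes that keep a fresh cluster from forming:
// duplicate ETCD_NAME, a name whose advertised peer URL differs from its entry in
// ETCD_INITIAL_CLUSTER, members that disagree on the cluster list or token, and
// any listen or advertise URL that is not https://.
func lintEtcdCluster(confs []map[string]string) []string {
	var problems []string
	if len(confs) == 0 {
		return problems
	}
	seen := map[string]bool{}
	ref := confs[0]
	urlKeys := []string{"ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS"}
	for i, c := range confs {
		name := c["ETCD_NAME"]
		if seen[name] {
			problems = append(problems, fmt.Sprintf("member %d: duplicate ETCD_NAME %q", i, name))
		}
		seen[name] = true
		for _, key := range []string{"ETCD_INITIAL_CLUSTER", "ETCD_INITIAL_CLUSTER_TOKEN"} {
			if c[key] != ref[key] {
				problems = append(problems, fmt.Sprintf("member %d: %s differs from member 0", i, key))
			}
		}
		peers := map[string]string{} // "etcd-1=https://...,etcd-2=..." -> name -> peer URL
		for _, entry := range strings.Split(c["ETCD_INITIAL_CLUSTER"], ",") {
			if kv := strings.SplitN(entry, "=", 2); len(kv) == 2 {
				peers[kv[0]] = kv[1]
			}
		}
		if adv := c["ETCD_INITIAL_ADVERTISE_PEER_URLS"]; peers[name] != adv {
			problems = append(problems, fmt.Sprintf("member %d: ETCD_INITIAL_CLUSTER maps %q to %q but it advertises %q", i, name, peers[name], adv))
		}
		for _, key := range urlKeys {
			if u, err := url.Parse(c[key]); err != nil || u.Scheme != "https" {
				problems = append(problems, fmt.Sprintf("member %d: %s=%q is not an https:// URL", i, key, c[key]))
			}
		}
	}
	return problems
}

func main() {
	var confs []map[string]string
	for _, m := range plannedMembers {
		confs = append(confs, parseEtcdConf(renderEtcdConf(m, plannedMembers)))
	}
	confs[1]["ETCD_NAME"] = "etcd-1" // constructed mistake: vm02's file was copied from vm01's
	for _, p := range lintEtcdCluster(confs) {
		fmt.Println("problem:", p)
	}
}
```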
10.2 Generating the etcd service unit
```bash
cd /opt/TLS/etcd/cfg
cat > etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --peer-cert-file=/opt/etcd/ssl/server.pem \
  --peer-key-file=/opt/etcd/ssl/server-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --logger=zap
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
# List the generated files
[root@vm03 cfg]# ll
total 16
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd01.conf
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd02.conf
-rw-r--r-- 1 root root 509 Apr  4 09:05 etcd03.conf
-rw-r--r-- 1 root root 535 Apr  4 09:05 etcd.service
```
10.3 Distributing the files
```bash
# Create the directories etcd needs at runtime
mkdir -p /var/lib/etcd/default.etcd
ssh vm02 "mkdir -p /var/lib/etcd/default.etcd"
ssh vm03 "mkdir -p /var/lib/etcd/default.etcd"
# Create the etcd configuration directories
mkdir -p /opt/etcd/{bin,cfg,ssl}
ssh vm02 "mkdir -p /opt/etcd/{bin,cfg,ssl}"
ssh vm03 "mkdir -p /opt/etcd/{bin,cfg,ssl}"
# Distribute the etcd executables
scp -r /opt/TLS/download/etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
scp -r /opt/TLS/download/etcd-v3.4.9-linux-amd64/{etcd,etcdctl} vm02:/opt/etcd/bin/
scp -r /opt/TLS/download/etcd-v3.4.9-linux-amd64/{etcd,etcdctl} vm03:/opt/etcd/bin/
# Distribute the etcd configuration files
scp -r /opt/TLS/etcd/cfg/etcd01.conf /opt/etcd/cfg/etcd.conf
scp -r /opt/TLS/etcd/cfg/etcd02.conf vm02:/opt/etcd/cfg/etcd.conf
scp -r /opt/TLS/etcd/cfg/etcd03.conf vm03:/opt/etcd/cfg/etcd.conf
# Distribute the etcd service unit
scp -r /opt/TLS/etcd/cfg/etcd.service /usr/lib/systemd/system/etcd.service
scp -r /opt/TLS/etcd/cfg/etcd.service vm02:/usr/lib/systemd/system/etcd.service
scp -r /opt/TLS/etcd/cfg/etcd.service vm03:/usr/lib/systemd/system/etcd.service
# Distribute the etcd certificates
scp -r /opt/TLS/etcd/ssl/*pem /opt/etcd/ssl
scp -r /opt/TLS/etcd/ssl/*pem vm02:/opt/etcd/ssl
scp -r /opt/TLS/etcd/ssl/*pem vm03:/opt/etcd/ssl
```
10.4 Verifying the files
```bash
# Verify the etcd executables
[root@vm01 cfg]# ls -l /opt/etcd/bin/
total 40472
-rwxr-xr-x 1 root root 23827424 Apr  3 12:38 etcd
-rwxr-xr-x 1 root root 17612384 Apr  3 12:38 etcdctl
[root@vm01 cfg]# ssh vm02 "ls -l /opt/etcd/bin/"
total 40472
-rwxr-xr-x 1 root root 23827424 Apr  3 12:38 etcd
-rwxr-xr-x 1 root root 17612384 Apr  3 12:38 etcdctl
[root@vm01 cfg]# ssh vm03 "ls -l /opt/etcd/bin/"
total 40472
-rwxr-xr-x 1 root root 23827424 Apr  3 12:38 etcd
-rwxr-xr-x 1 root root 17612384 Apr  3 12:38 etcdctl
# Verify the etcd configuration files
[root@vm01 cfg]# ls -l /opt/etcd/cfg/
total 4
-rw-r--r-- 1 root root 509 Apr  3 12:38 etcd.conf
[root@vm01 cfg]# ssh vm02 "ls -l /opt/etcd/cfg/"
total 4
-rw-r--r-- 1 root root 509 Apr  3 12:38 etcd.conf
[root@vm01 cfg]# ssh vm03 "ls -l /opt/etcd/cfg/"
total 4
-rw-r--r-- 1 root root 509 Apr  4 09:16 etcd.conf
# Verify the etcd service unit
[root@vm01 cfg]# ls -l /usr/lib/systemd/system/etcd*
-rw-r--r-- 1 root root 535 Apr  3 12:39 /usr/lib/systemd/system/etcd.service
[root@vm01 cfg]# ssh vm02 "ls -l /usr/lib/systemd/system/etcd*"
-rw-r--r-- 1 root root 535 Apr  3 12:39 /usr/lib/systemd/system/etcd.service
[root@vm01 cfg]# ssh vm03 "ls -l /usr/lib/systemd/system/etcd*"
-rw-r--r-- 1 root root 535 Apr  4 09:17 /usr/lib/systemd/system/etcd.service
# Verify the etcd certificates
[root@vm01 cfg]# ls -l /opt/etcd/ssl
total 16
-rw------- 1 root root 1679 Apr  3 12:39 ca-key.pem
-rw-r--r-- 1 root root 1216 Apr  3 12:39 ca.pem
-rw------- 1 root root 1675 Apr  3 12:39 server-key.pem
-rw-r--r-- 1 root root 1338 Apr  3 12:39 server.pem
[root@vm01 cfg]# ssh vm02 "ls -l /opt/etcd/ssl"
total 16
-rw------- 1 root root 1679 Apr  3 12:39 ca-key.pem
-rw-r--r-- 1 root root 1216 Apr  3 12:39 ca.pem
-rw------- 1 root root 1675 Apr  3 12:39 server-key.pem
-rw-r--r-- 1 root root 1338 Apr  3 12:39 server.pem
[root@vm01 cfg]# ssh vm03 "ls -l /opt/etcd/ssl"
total 16
-rw------- 1 root root 1679 Apr  4 09:17 ca-key.pem
-rw-r--r-- 1 root root 1216 Apr  4 09:17 ca.pem
-rw------- 1 root root 1675 Apr  4 09:17 server-key.pem
-rw-r--r-- 1 root root 1338 Apr  4 09:17 server.pem
```
10.5 Starting the etcd cluster
```bash
# Run the following on vm01, vm02 and vm03 in that order. On vm01 the command appears to hang
# for a while: it is waiting for the other members to come up.
# On vm01: start etcd, enable it at boot and show its status
[root@vm01 cfg]# systemctl daemon-reload && systemctl start etcd && systemctl enable etcd && systemctl status etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
● etcd.service - Etcd Server
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 12:52:39 CST; 83ms ago
 Main PID: 1281 (etcd)
   CGroup: /system.slice/etcd.service
           └─1281 /opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem -...

Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.282+0800","caller":"raft/node.go:325","msg":"raft.node: 6571fb7574e87dba elected leader 6571fb7574e87dba at term 4"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.290+0800","caller":"etcdserver/server.go:2036","msg":"published local member to cluster through raft","local-member-id":"6571fb...
Apr 03 12:52:39 vm01 systemd[1]: Started Etcd Server.
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.299+0800","caller":"embed/serve.go:191","msg":"serving client traffic securely","address":"192.168.10.11:2379"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"warn","ts":"2022-04-03T12:52:39.338+0800","caller":"etcdserver/cluster_util.go:315","msg":"failed to reach the peer URL","address":"https://192.168.10.13:2380/...
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"warn","ts":"2022-04-03T12:52:39.338+0800","caller":"etcdserver/cluster_util.go:168","msg":"failed to get version","remote-member-id":"d1fbb74bc6...ction refused"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.338+0800","caller":"etcdserver/server.go:2527","msg":"setting up initial cluster version","cluster-version":"3.0"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.341+0800","caller":"membership/cluster.go:558","msg":"set initial cluster version","cluster-id":"a967fee455377b3...version":"3.0"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.341+0800","caller":"api/capability.go:76","msg":"enabled capabilities for version","cluster-version":"3.0"}
Apr 03 12:52:39 vm01 etcd[1281]: {"level":"info","ts":"2022-04-03T12:52:39.341+0800","caller":"etcdserver/server.go:2559","msg":"cluster version is updated","cluster-version":"3.0"}
Hint: Some lines were ellipsized, use -l to show in full.
# On vm02: start etcd, enable it at boot and show its status
[root@vm02 ~]# systemctl daemon-reload && systemctl start etcd && systemctl enable etcd && systemctl status etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
● etcd.service - Etcd Server
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 12:52:41 CST; 76ms ago
 Main PID: 1188 (etcd)
   CGroup: /system.slice/etcd.service
           └─1188 /opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem -...

Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.311+0800","caller":"raft/raft.go:811","msg":"9b449b0ff1d4c375 [logterm: 1, index: 3] sent MsgVote request to d1f...e5c at term 2"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.582+0800","caller":"raft/raft.go:859","msg":"9b449b0ff1d4c375 [term: 2] received a MsgVote message with higher t...dba [term: 4]"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.582+0800","caller":"raft/raft.go:700","msg":"9b449b0ff1d4c375 became follower at term 4"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.583+0800","caller":"raft/raft.go:960","msg":"9b449b0ff1d4c375 [logterm: 1, index: 3, vote: 0] cast MsgVote for 6... 3] at term 4"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.588+0800","caller":"raft/node.go:325","msg":"raft.node: 9b449b0ff1d4c375 elected leader 6571fb7574e87dba at term 4"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.601+0800","caller":"etcdserver/server.go:2036","msg":"published local member to cluster through raft","local-member-id":"9b449b...
Apr 03 12:52:41 vm02 systemd[1]: Started Etcd Server.
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.610+0800","caller":"embed/serve.go:191","msg":"serving client traffic securely","address":"192.168.10.12:2379"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.644+0800","caller":"membership/cluster.go:558","msg":"set initial cluster version","cluster-id":"a967fee455377b3...version":"3.0"}
Apr 03 12:52:41 vm02 etcd[1188]: {"level":"info","ts":"2022-04-03T12:52:41.645+0800","caller":"api/capability.go:76","msg":"enabled capabilities for version","cluster-version":"3.0"}
Hint: Some lines were ellipsized, use -l to show in full.
# On vm03: start etcd, enable it at boot and show its status
[root@vm03 ~]# systemctl daemon-reload && systemctl start etcd && systemctl enable etcd && systemctl status etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
● etcd.service - Etcd Server
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-04-04 09:29:12 CST; 90ms ago
 Main PID: 1160 (etcd)
   CGroup: /system.slice/etcd.service
           └─1160 /opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem -...

Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.907+0800","caller":"membership/cluster.go:558","msg":"set initial cluster version","cluster-id":"a967fee455377b3...version":"3.0"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.907+0800","caller":"api/capability.go:76","msg":"enabled capabilities for version","cluster-version":"3.0"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.907+0800","caller":"etcdserver/server.go:2036","msg":"published local member to cluster through raft","local-member-id":"d1fbb7...
Apr 04 09:29:12 vm03 systemd[1]: Started Etcd Server.
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.915+0800","caller":"embed/serve.go:191","msg":"serving client traffic securely","address":"192.168.10.13:2379"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.916+0800","caller":"etcdserver/server.go:715","msg":"initialized peer connections; fast-forwarding election ticks","local-membe...
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.932+0800","caller":"rafthttp/stream.go:250","msg":"set message encoder","from":"d1fbb74bc6a61e5c","to":"d1fbb74b...tream Message"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"warn","ts":"2022-04-04T09:29:12.933+0800","caller":"rafthttp/stream.go:277","msg":"established TCP streaming connection with remote peer","strea...1fb7574e87dba"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"info","ts":"2022-04-04T09:29:12.967+0800","caller":"rafthttp/stream.go:250","msg":"set message encoder","from":"d1fbb74bc6a61e5c","to":"d1fbb74b...eam MsgApp v2"}
Apr 04 09:29:12 vm03 etcd[1160]: {"level":"warn","ts":"2022-04-04T09:29:12.967+0800","caller":"rafthttp/stream.go:277","msg":"established TCP streaming connection with remote peer","strea...1fb7574e87dba"}
Hint: Some lines were ellipsized, use -l to show in full.
```
10.6 Checking the etcd cluster status
```bash
# Run the following on any cluster member; vm01 was used here
ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/server.pem \
  --key=/opt/etcd/ssl/server-key.pem \
  --write-out=table \
  --endpoints="https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379" endpoint health
# Output
+----------------------------+--------+-------------+-------+
|          ENDPOINT          | HEALTH |    TOOK     | ERROR |
+----------------------------+--------+-------------+-------+
| https://192.168.10.11:2379 |   true | 10.702229ms |       |
| https://192.168.10.13:2379 |   true |  18.81801ms |       |
| https://192.168.10.12:2379 |   true | 18.017598ms |       |
+----------------------------+--------+-------------+-------+
ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/server.pem \
  --key=/opt/etcd/ssl/server-key.pem \
  --write-out=table \
  --endpoints="https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379" endpoint status
# Output
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| https://192.168.10.11:2379 | 6571fb7574e87dba |   3.4.9 |   20 kB |      true |      false |         4 |          9 |                  9 |        |
| https://192.168.10.12:2379 | 9b449b0ff1d4c375 |   3.4.9 |   25 kB |     false |      false |         4 |          9 |                  9 |        |
| https://192.168.10.13:2379 | d1fbb74bc6a61e5c |   3.4.9 |   25 kB |     false |      false |         4 |          9 |                  9 |        |
+----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
```
At this point the etcd cluster is up; the status table shows that vm01 (192.168.10.11) is the leader (IS LEADER = true). If anything goes wrong, inspect the system log with "tail -fn 500 /var/log/messages" to diagnose it.
11. Installing docker-ce
11.1 Creating the docker service files
```bash
# On vm01. For convenience the executables and the configuration files are kept apart:
# executables go under /opt/TLS/download/docker/bin
# configuration files go under /opt/TLS/download/docker/cfg
cd /opt/TLS/download
mkdir -p bin
mv docker/* bin
mv bin docker
mkdir -p docker/cfg
# Create the configuration files
cd /opt/TLS/download/docker/cfg
# The heredoc delimiter is quoted so that $MAINPID is written literally into the unit file
# instead of being expanded (to an empty string) by the shell
cat > docker.service << 'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/local/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF
tee daemon.json << 'EOF'
{
  "registry-mirrors": ["https://ung2thfc.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m"
  },
  "storage-driver": "overlay2"
}
EOF
# Inspect the resulting directory layout
[root@vm01 docker]# cd /opt/TLS/download/docker/
[root@vm01 docker]# tree ./
./
├── bin
│   ├── containerd
│   ├── containerd-shim
│   ├── containerd-shim-runc-v2
│   ├── ctr
│   ├── docker
│   ├── dockerd
│   ├── docker-init
│   ├── docker-proxy
│   └── runc
└── cfg
    ├── daemon.json
    └── docker.service
```
11.2 Distributing the files
```bash
# Create the docker configuration directory
mkdir -p /etc/docker
ssh vm02 "mkdir -p /etc/docker"
ssh vm03 "mkdir -p /etc/docker"
# Distribute the docker service unit
scp /opt/TLS/download/docker/cfg/docker.service /usr/lib/systemd/system/docker.service
scp /opt/TLS/download/docker/cfg/docker.service vm02:/usr/lib/systemd/system/docker.service
scp /opt/TLS/download/docker/cfg/docker.service vm03:/usr/lib/systemd/system/docker.service
# Distribute the docker daemon configuration
scp /opt/TLS/download/docker/cfg/daemon.json /etc/docker/daemon.json
scp /opt/TLS/download/docker/cfg/daemon.json vm02:/etc/docker/daemon.json
scp /opt/TLS/download/docker/cfg/daemon.json vm03:/etc/docker/daemon.json
# Distribute the docker executables
scp /opt/TLS/download/docker/bin/* /usr/local/bin
scp /opt/TLS/download/docker/bin/* vm02:/usr/local/bin
scp /opt/TLS/download/docker/bin/* vm03:/usr/local/bin
```
11.3 Verify the files
# Verify the docker unit file
[root@vm01 docker]# ls -l /usr/lib/systemd/system/docker.service
-rw-r--r-- 1 root root 456 Apr 3 13:17 /usr/lib/systemd/system/docker.service
[root@vm01 docker]# ssh vm02 "ls -l /usr/lib/systemd/system/docker.service"
-rw-r--r-- 1 root root 456 Apr 3 13:17 /usr/lib/systemd/system/docker.service
[root@vm01 docker]# ssh vm03 "ls -l /usr/lib/systemd/system/docker.service"
-rw-r--r-- 1 root root 456 Apr 4 09:52 /usr/lib/systemd/system/docker.service
# Verify the docker configuration file
[root@vm01 docker]# ls -l /etc/docker/daemon.json
-rw-r--r-- 1 root root 219 Apr 3 13:17 /etc/docker/daemon.json
[root@vm01 docker]# ssh vm02 "ls -l /etc/docker/daemon.json"
-rw-r--r-- 1 root root 219 Apr 3 13:18 /etc/docker/daemon.json
[root@vm01 docker]# ssh vm03 "ls -l /etc/docker/daemon.json"
-rw-r--r-- 1 root root 219 Apr 4 09:52 /etc/docker/daemon.json
# Verify the docker executables
[root@vm01 docker]# ls -l /usr/local/bin/
total 241072
-rwxr-xr-x 1 root root 16659824 Apr 3 12:34 cfssl
-rwxr-xr-x 1 root root 13502544 Apr 3 12:34 cfssl-certinfo
-rwxr-xr-x 1 root root 11029744 Apr 3 12:34 cfssljson
-rwxr-xr-x 1 root root 33908392 Apr 3 13:19 containerd
-rwxr-xr-x 1 root root  6508544 Apr 3 13:19 containerd-shim
-rwxr-xr-x 1 root root  8609792 Apr 3 13:19 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 21131264 Apr 3 13:19 ctr
-rwxr-xr-x 1 root root 52883616 Apr 3 13:19 docker
-rwxr-xr-x 1 root root 64758736 Apr 3 13:19 dockerd
-rwxr-xr-x 1 root root   708616 Apr 3 13:19 docker-init
-rwxr-xr-x 1 root root  2784145 Apr 3 13:19 docker-proxy
-rwxr-xr-x 1 root root 14352296 Apr 3 13:19 runc
[root@vm01 docker]# ssh vm02 "ls -l /usr/local/bin/"
total 200840
-rwxr-xr-x 1 root root 33908392 Apr 3 13:19 containerd
-rwxr-xr-x 1 root root  6508544 Apr 3 13:19 containerd-shim
-rwxr-xr-x 1 root root  8609792 Apr 3 13:19 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 21131264 Apr 3 13:19 ctr
-rwxr-xr-x 1 root root 52883616 Apr 3 13:19 docker
-rwxr-xr-x 1 root root 64758736 Apr 3 13:19 dockerd
-rwxr-xr-x 1 root root   708616 Apr 3 13:19 docker-init
-rwxr-xr-x 1 root root  2784145 Apr 3 13:19 docker-proxy
-rwxr-xr-x 1 root root 14352296 Apr 3 13:19 runc
[root@vm01 docker]# ssh vm03 "ls -l /usr/local/bin/"
total 200840
-rwxr-xr-x 1 root root 33908392 Apr 4 09:54 containerd
-rwxr-xr-x 1 root root  6508544 Apr 4 09:54 containerd-shim
-rwxr-xr-x 1 root root  8609792 Apr 4 09:54 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 21131264 Apr 4 09:54 ctr
-rwxr-xr-x 1 root root 52883616 Apr 4 09:54 docker
-rwxr-xr-x 1 root root 64758736 Apr 4 09:54 dockerd
-rwxr-xr-x 1 root root   708616 Apr 4 09:54 docker-init
-rwxr-xr-x 1 root root  2784145 Apr 4 09:54 docker-proxy
-rwxr-xr-x 1 root root 14352296 Apr 4 09:54 runc
11.4 Start docker
# On vm01: start docker, enable it at boot, and show its status
[root@vm01 docker]# systemctl daemon-reload && systemctl start docker && systemctl enable docker && systemctl status docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 13:26:46 CST; 72ms ago
     Docs: https://docs.docker.com
 Main PID: 1466 (dockerd)
   CGroup: /system.slice/docker.service
           ├─1466 /usr/local/bin/dockerd
           └─1471 containerd --config /var/run/docker/containerd/containerd.toml --log-level info

Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.552291845+08:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.577035980+08:00" level=warning msg="Your kernel does not support cgroup blkio weight"
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.577384262+08:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.577753307+08:00" level=info msg="Loading containers: start."
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.654683641+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip ca...ed IP address"
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.696405877+08:00" level=info msg="Loading containers: done."
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.705318380+08:00" level=info msg="Docker daemon" commit=79ea9d3 graphdriver(s)=overlay2 version=20.10.9
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.705785575+08:00" level=info msg="Daemon has completed initialization"
Apr 03 13:26:46 vm01 systemd[1]: Started Docker Application Container Engine.
Apr 03 13:26:46 vm01 dockerd[1466]: time="2022-04-03T13:26:46.739607525+08:00" level=info msg="API listen on /var/run/docker.sock"
Hint: Some lines were ellipsized, use -l to show in full.
# On vm02: start docker, enable it at boot, and show its status
[root@vm02 ~]# systemctl daemon-reload && systemctl start docker && systemctl enable docker && systemctl status docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 13:26:53 CST; 84ms ago
     Docs: https://docs.docker.com
 Main PID: 1301 (dockerd)
   CGroup: /system.slice/docker.service
           ├─1301 /usr/local/bin/dockerd
           └─1307 containerd --config /var/run/docker/containerd/containerd.toml --log-level info

Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.245105288+08:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.267932539+08:00" level=warning msg="Your kernel does not support cgroup blkio weight"
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.268280419+08:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.268627605+08:00" level=info msg="Loading containers: start."
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.356983369+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip ca...ed IP address"
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.402881653+08:00" level=info msg="Loading containers: done."
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.417527585+08:00" level=info msg="Docker daemon" commit=79ea9d3 graphdriver(s)=overlay2 version=20.10.9
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.417931806+08:00" level=info msg="Daemon has completed initialization"
Apr 03 13:26:53 vm02 systemd[1]: Started Docker Application Container Engine.
Apr 03 13:26:53 vm02 dockerd[1301]: time="2022-04-03T13:26:53.482157061+08:00" level=info msg="API listen on /var/run/docker.sock"
Hint: Some lines were ellipsized, use -l to show in full.
# On vm03: start docker, enable it at boot, and show its status
[root@vm03 ~]# systemctl daemon-reload && systemctl start docker && systemctl enable docker && systemctl status docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-04-04 10:00:48 CST; 79ms ago
     Docs: https://docs.docker.com
 Main PID: 1260 (dockerd)
   CGroup: /system.slice/docker.service
           ├─1260 /usr/local/bin/dockerd
           └─1266 containerd --config /var/run/docker/containerd/containerd.toml --log-level info

Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.741931283+08:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.762734549+08:00" level=warning msg="Your kernel does not support cgroup blkio weight"
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.763052152+08:00" level=warning msg="Your kernel does not support cgroup blkio weight_device"
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.763369435+08:00" level=info msg="Loading containers: start."
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.843920653+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip ca...ed IP address"
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.896461096+08:00" level=info msg="Loading containers: done."
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.910089764+08:00" level=info msg="Docker daemon" commit=79ea9d3 graphdriver(s)=overlay2 version=20.10.9
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.910487468+08:00" level=info msg="Daemon has completed initialization"
Apr 04 10:00:48 vm03 systemd[1]: Started Docker Application Container Engine.
Apr 04 10:00:48 vm03 dockerd[1260]: time="2022-04-04T10:00:48.942539314+08:00" level=info msg="API listen on /var/run/docker.sock"
Hint: Some lines were ellipsized, use -l to show in full.
# Run "docker info" on vm01, vm02 and vm03; output like the following means the daemon is healthy
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 20.10.9
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc version: v1.0.2-0-g52b36a2d
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.17.1-1.el7.elrepo.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 1.907GiB
 Name: vm01
 ID: 3WPS:FK3T:D5HX:ZSNS:D6NE:NGNQ:TWTO:OE6B:HQYG:SXAQ:6J2V:PA6K
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Registry Mirrors:
  https://ung2thfc.mirror.aliyuncs.com/
 Live Restore Enabled: false
 Product License: Community Engine
At this point docker has been deployed on all nodes.
12. Deploy the Master
12.1 Self-signed CA certificate
12.1.1 Generate the CA certificate configuration
cd /opt/TLS/k8s/ssl
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
12.1.2 Generate the CA certificate
# Generate the CA certificate files
[root@vm01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2022/04/03 13:38:51 [INFO] generating a new CA key and certificate from CSR
2022/04/03 13:38:51 [INFO] generate received request
2022/04/03 13:38:51 [INFO] received CSR
2022/04/03 13:38:51 [INFO] generating key: rsa-2048
2022/04/03 13:38:51 [INFO] encoded CSR
2022/04/03 13:38:51 [INFO] signed certificate with serial number 652185253661746806409242928399719456314448070149
# List the generated files
[root@vm01 ssl]# ll
total 20
-rw-r--r-- 1 root root  294 Apr 3 13:37 ca-config.json
-rw-r--r-- 1 root root 1001 Apr 3 13:38 ca.csr
-rw-r--r-- 1 root root  264 Apr 3 13:37 ca-csr.json
-rw------- 1 root root 1675 Apr 3 13:38 ca-key.pem
-rw-r--r-- 1 root root 1310 Apr 3 13:38 ca.pem
# This produced two files, ca.pem and ca-key.pem
12.2 Deploy the Apiserver
12.2.1 Create the certificate signing request file
cd /opt/TLS/k8s/ssl
cat > server-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.10.11",
    "192.168.10.12",
    "192.168.10.13",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# The hosts field above must list every Master IP; not one may be missing. To make later expansion easier, add a few reserved IPs now.
12.2.2 Sign the apiserver certificate
[root@vm01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2022/04/03 13:55:17 [INFO] generate received request
2022/04/03 13:55:17 [INFO] received CSR
2022/04/03 13:55:17 [INFO] generating key: rsa-2048
2022/04/03 13:55:17 [INFO] encoded CSR
2022/04/03 13:55:17 [INFO] signed certificate with serial number 427283511171072372380793803662853692846755378337
# List the generated files
[root@vm01 ssl]# ll
total 36
-rw-r--r-- 1 root root  294 Apr 3 13:37 ca-config.json
-rw-r--r-- 1 root root 1001 Apr 3 13:38 ca.csr
-rw-r--r-- 1 root root  264 Apr 3 13:37 ca-csr.json
-rw------- 1 root root 1675 Apr 3 13:38 ca-key.pem
-rw-r--r-- 1 root root 1310 Apr 3 13:38 ca.pem
-rw-r--r-- 1 root root 1261 Apr 3 13:55 server.csr
-rw-r--r-- 1 root root  557 Apr 3 13:55 server-csr.json
-rw------- 1 root root 1675 Apr 3 13:55 server-key.pem
-rw-r--r-- 1 root root 1627 Apr 3 13:55 server.pem
# This produced two files, server.pem and server-key.pem
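As an added check (example code written for this page, not part of the tutorial), the script below compares the hosts listed in server-csr.json with the Subject Alternative Names actually present in the signed server.pem, so a forgotten Master IP is caught before the apiserver is started. It assumes the openssl binary is on the PATH; the sample openssl output embedded in it is constructed.

```python
"""Verify that the signed apiserver certificate (server.pem) carries every host
named in server-csr.json. Added example for this page, not part of the tutorial;
it assumes the openssl binary is on the PATH."""
import ipaddress
import json
import re
import subprocess
import sys
from typing import List, Set

# Matches the entries on the subjectAltName line of `openssl x509 -text` output.
SAN_RE = re.compile(r"(?:DNS|IP Address):([^,\s]+)")

# Constructed sample: a CSR that asks for two Master IPs ...
SAMPLE_CSR_JSON = '{"CN": "kubernetes", "hosts": ["10.0.0.1", "127.0.0.1", ' \
                  '"192.168.10.11", "192.168.10.12", "kubernetes", ' \
                  '"kubernetes.default.svc.cluster.local"]}'
# ... and constructed `openssl x509 -noout -text` output of a certificate missing one of them.
SAMPLE_X509_TEXT = (
    "Certificate:\n"
    "    X509v3 extensions:\n"
    "        X509v3 Subject Alternative Name:\n"
    "            DNS:kubernetes, DNS:kubernetes.default.svc.cluster.local, "
    "IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:192.168.10.11\n"
    "    Signature Algorithm: sha256WithRSAEncryption\n"
)


def expected_hosts(csr_json_text: str) -> Set[str]:
    """The hosts array of a cfssl CSR file such as server-csr.json."""
    return set(json.loads(csr_json_text)["hosts"])


def sans_from_x509_text(x509_text: str) -> Set[str]:
    """Parse the SAN values from `openssl x509 -noout -text` output. They sit on
    the line after 'X509v3 Subject Alternative Name:' in both OpenSSL 1.0.2
    (CentOS 7) and 1.1.x output."""
    lines = x509_text.splitlines()
    found: Set[str] = set()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            found.update(SAN_RE.findall(lines[i + 1]))
    return found


def _norm(host: str) -> str:
    # IPs compare as addresses (so textual IPv6 variants match); DNS names case-insensitively.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.lower()


def missing_hosts(expected: Set[str], present: Set[str]) -> List[str]:
    """Hosts the CSR asked for that the certificate does not carry (sorted)."""
    present_norm = {_norm(h) for h in present}
    return sorted(h for h in expected if _norm(h) not in present_norm)


def x509_text(cert_path: str) -> str:
    """Dump a PEM certificate with openssl (e.g. /opt/TLS/k8s/ssl/server.pem)."""
    return subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def check_cert(cert_path: str, csr_json_path: str) -> List[str]:
    """Return the hosts missing from the certificate on disk; empty means all covered."""
    with open(csr_json_path) as f:
        wanted = expected_hosts(f.read())
    return missing_hosts(wanted, sans_from_x509_text(x509_text(cert_path)))


if __name__ == "__main__":
    # Usage: python check_san.py [server.pem] [server-csr.json]; run from /opt/TLS/k8s/ssl
    cert, csr = (sys.argv + ["server.pem", "server-csr.json"])[1:3]
    gaps = check_cert(cert, csr)
    if gaps:
        print("missing from " + cert + ":", ", ".join(gaps))
        sys.exit(1)
    print(cert, "covers every host listed in", csr)
```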
12.2.3 Create the configuration file
cd /opt/TLS/k8s/cfg
cat > kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--insecure-port=0 \\
--etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,https://192.168.10.13:2379 \\
--bind-address=192.168.10.11 \\
--secure-port=6443 \\
--advertise-address=192.168.10.11 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem \\
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \\
--requestheader-allowed-names=kubernetes \\
--requestheader-extra-headers-prefix=X-Remote-Extra- \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--enable-aggregator-routing=true \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
# Of the two backslashes on each line above, the first is the escape character and the second is the line-continuation character; the escape is what makes the heredoc (EOF) keep the continuation backslash in the file.
# • --logtostderr: enable logging
# • --v: log level
# • --log-dir: log directory
# • --etcd-servers: etcd cluster addresses
# • --bind-address: listen address
# • --secure-port: https secure port
# • --advertise-address: address advertised to the cluster
# • --allow-privileged: allow privileged containers
# • --service-cluster-ip-range: Service virtual IP range
# • --enable-admission-plugins: admission control modules
# • --authorization-mode: authentication and authorization; enables RBAC authorization and node self-management
# • --enable-bootstrap-token-auth: enable the TLS bootstrap mechanism
# • --token-auth-file: bootstrap token file
# • --service-node-port-range: default port range allocated to NodePort Services
# • --kubelet-client-xxx: client certificate the apiserver uses to reach the kubelet
# • --tls-xxx-file: apiserver https certificate
# • Parameters that are mandatory from version 1.20 on: --service-account-issuer, --service-account-signing-key-file
# • --etcd-xxxfile: certificates for connecting to the Etcd cluster
# • --audit-log-xxx: audit log
# • Aggregation layer settings:
# •   --requestheader-client-ca-file, --proxy-client-cert-file, --proxy-client-key-file,
# •   --requestheader-allowed-names, --requestheader-extra-headers-prefix,
# •   --requestheader-group-headers, --requestheader-username-headers,
# •   --enable-aggregator-routing
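An added example, not from the original tutorial: a small Python audit that parses KUBE_APISERVER_OPTS out of kube-apiserver.conf (continuation backslashes included) and checks the security-relevant flags explained above. PAGE_CONF reproduces the relevant flags from this page's file; WEAK_CONF is a constructed weakened variant for comparison; the flag names are real kube-apiserver flags.

```python
"""Audit the kube-apiserver flags set in kube-apiserver.conf. Added example for
this page, not part of the original tutorial. PAGE_CONF mirrors the page's file
and WEAK_CONF is a constructed weakened variant."""
import re
import shlex
from typing import Dict, List

PAGE_CONF = '''KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--insecure-port=0 \\
--bind-address=192.168.10.11 \\
--secure-port=6443 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
'''

# Constructed: plain-HTTP port open, AlwaysAllow authorization, NodeRestriction dropped.
WEAK_CONF = '''KUBE_APISERVER_OPTS="--insecure-port=8080 \\
--authorization-mode=AlwaysAllow \\
--enable-admission-plugins=NamespaceLifecycle,ServiceAccount \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem"
'''


def parse_opts(conf_text: str, var: str = "KUBE_APISERVER_OPTS") -> Dict[str, str]:
    """Turn VAR="--a=1 \\<newline>--b ..." into {"--a": "1", "--b": "true"}.
    The heredoc leaves backslash-newline continuations inside the quotes;
    they are joined before shell-style splitting."""
    m = re.search(rf'^{re.escape(var)}="(.*)"\s*$', conf_text, re.S | re.M)
    if not m:
        raise ValueError(f"{var} not found in configuration")
    opts: Dict[str, str] = {}
    for tok in shlex.split(m.group(1).replace("\\\n", " ")):
        flag, _, value = tok.partition("=")
        opts[flag] = value or "true"  # a bare flag such as --leader-elect means true
    return opts


def _list(opts: Dict[str, str], flag: str) -> List[str]:
    return [v for v in opts.get(flag, "").split(",") if v]


def audit(opts: Dict[str, str]) -> List[str]:
    """Return findings for the security-relevant flags; empty means all checks passed."""
    findings: List[str] = []
    # The insecure port serves the API over plain HTTP with no authentication at all.
    if opts.get("--insecure-port", "8080") != "0":
        findings.append("--insecure-port is not 0: unauthenticated HTTP API would be exposed")
    modes = _list(opts, "--authorization-mode")
    if "AlwaysAllow" in modes or not {"RBAC", "Node"} <= set(modes):
        findings.append("--authorization-mode should be RBAC,Node and never AlwaysAllow")
    if "NodeRestriction" not in _list(opts, "--enable-admission-plugins"):
        findings.append("NodeRestriction admission plugin missing: a kubelet could modify objects beyond its own node")
    # Serving certificate, client CA, and the service-account token flags required from 1.20.
    for flag in ("--tls-cert-file", "--tls-private-key-file", "--client-ca-file",
                 "--service-account-issuer", "--service-account-signing-key-file"):
        if flag not in opts:
            findings.append(f"{flag} is not set")
    # The log backend records nothing unless a policy file says which events to record.
    if "--audit-log-path" in opts and "--audit-policy-file" not in opts:
        findings.append("--audit-log-path set without --audit-policy-file: no audit events are recorded")
    return findings


if __name__ == "__main__":
    for name, conf in (("page config", PAGE_CONF), ("weakened config", WEAK_CONF)):
        print(name + ":", audit(parse_opts(conf)) or ["ok"])
```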
12.2.4 Enable the TLS Bootstrapping mechanism
TLS Bootstrapping: once the Master apiserver has TLS authentication enabled, the kubelet and kube-proxy on each Node must present a valid CA-signed certificate before they can talk to kube-apiserver. With many Nodes, issuing these client certificates by hand is a lot of work and also makes scaling the cluster more complex. To simplify this, Kubernetes introduced the TLS bootstrapping mechanism, which issues client certificates automatically: the kubelet uses a low-privilege user to request a certificate from the apiserver, and the kubelet's certificate is then signed dynamically by the apiserver. This approach is strongly recommended on Nodes. It is currently used mainly for the kubelet; kube-proxy still gets a certificate that we issue ourselves.
# Create the token file
cat > token.csv << EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
# Format: token,username,UID,user group
# The token can also be generated locally and substituted:
# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
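Added example (not from the original page): generating the same 32-hex-character token in Python and validating a token.csv before it is handed to --token-auth-file, including its file mode, since every token in the file is a bearer credential. The files it writes are constructed temporary files; the good row is the page's kubelet-bootstrap entry with a fresh token.

```python
"""Generate and validate the static token file that --token-auth-file reads.
Line format: token,user,uid,"group1,group2" (the groups field is optional).
Added example for this page, not part of the original tutorial."""
import csv
import os
import re
import secrets
import tempfile
from typing import List, Sequence, Tuple

# The shape `head -c 16 /dev/urandom | od -An -t x | tr -d ' '` produces on the page.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")

Row = Tuple[str, str, str, Sequence[str]]  # token, username, uid, groups


def new_token() -> str:
    """16 random bytes as 32 lowercase hex characters, from a CSPRNG."""
    return secrets.token_hex(16)


def write_token_csv(path: str, rows: Sequence[Row]) -> None:
    """Write rows in the apiserver's format; the file is created 0600 because
    every token in it is a bearer credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for token, user, uid, groups in rows:
            line = f"{token},{user},{uid}"
            if groups:
                line += ',"' + ",".join(groups) + '"'  # quoted so several groups stay one field
            f.write(line + "\n")


def validate_token_csv(path: str) -> List[str]:
    """Return the problems found; an empty list means the file is usable."""
    problems: List[str] = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"mode {mode:03o}: token file is readable by other users")
    seen = set()
    with open(path, newline="") as f:
        for n, row in enumerate(csv.reader(f), 1):
            if len(row) not in (3, 4):
                problems.append(f"line {n}: expected 3 or 4 fields, got {len(row)}")
                continue
            token, user, uid = row[:3]
            if not TOKEN_RE.match(token):
                problems.append(f"line {n}: token is not 32 lowercase hex characters")
            if token in seen:
                problems.append(f"line {n}: duplicate token")
            seen.add(token)
            if not user:
                problems.append(f"line {n}: empty username")
            if not uid.isdigit():
                problems.append(f"line {n}: uid must be numeric")
    return problems


def selfcheck() -> Tuple[List[str], List[str]]:
    """Write a good file (the page's kubelet-bootstrap row with a fresh token) and a
    constructed bad one into a temp dir, and return both validation results."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "token.csv")
    write_token_csv(good, [(new_token(), "kubelet-bootstrap", "10001", ["system:node-bootstrapper"])])
    bad = os.path.join(d, "bad.csv")
    with open(bad, "w") as f:  # short token, non-numeric uid, world-readable
        f.write('abc,kubelet-bootstrap,x10001,"system:node-bootstrapper"\n')
    os.chmod(bad, 0o644)
    return validate_token_csv(good), validate_token_csv(bad)


if __name__ == "__main__":
    good_problems, bad_problems = selfcheck()
    print("generated token.csv:", good_problems or "ok")
    print("constructed bad.csv:", bad_problems)
```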
12.2.5 Create the systemd unit file
cat > kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# List the files produced by the commands above
[root@vm01 cfg]# ll
total 12
-rw-r--r-- 1 root root 1815 Apr 3 13:57 kube-apiserver.conf
-rw-r--r-- 1 root root  286 Apr 3 14:06 kube-apiserver.service
-rw-r--r-- 1 root root   84 Apr 3 13:57 token.csv
12.2.7 Distribute the files
# Create the kubernetes directories
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
# Copy the certificate files
scp -r /opt/TLS/k8s/ssl/*pem /opt/kubernetes/ssl/
# Copy the configuration files
scp -r /opt/TLS/k8s/cfg/token.csv /opt/kubernetes/cfg/
scp /opt/TLS/k8s/cfg/kube-apiserver.conf /opt/kubernetes/cfg/kube-apiserver.conf
# Copy the unit file
scp /opt/TLS/k8s/cfg/kube-apiserver.service /usr/lib/systemd/system/kube-apiserver.service
# Copy the executables
scp /opt/TLS/download/kubernetes/server/bin/{kube-apiserver,kube-scheduler,kube-controller-manager} /opt/kubernetes/bin
scp /opt/TLS/download/kubernetes/server/bin/kubectl /usr/local/bin/
12.2.8 Verify the files
# Verify the certificate files
[root@vm01 cfg]# ll /opt/kubernetes/ssl/
total 16
-rw------- 1 root root 1675 Apr 3 14:11 ca-key.pem
-rw-r--r-- 1 root root 1310 Apr 3 14:11 ca.pem
-rw------- 1 root root 1675 Apr 3 14:11 server-key.pem
-rw-r--r-- 1 root root 1627 Apr 3 14:11 server.pem
# Verify the configuration files
[root@vm01 cfg]# ll /opt/kubernetes/cfg/token.csv
-rw-r--r-- 1 root root 84 Apr 3 14:11 /opt/kubernetes/cfg/token.csv
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-apiserver.conf
-rw-r--r-- 1 root root 1815 Apr 3 14:12 /opt/kubernetes/cfg/kube-apiserver.conf
# Verify the unit file
[root@vm01 cfg]# ll /usr/lib/systemd/system/kube-apiserver.service
-rw-r--r-- 1 root root 286 Apr 3 14:11 /usr/lib/systemd/system/kube-apiserver.service
# Verify the executables
[root@vm01 cfg]# ll /opt/kubernetes/bin/{kube-apiserver,kube-scheduler,kube-controller-manager}
-rwxr-xr-x 1 root root 131301376 Apr 3 14:12 /opt/kubernetes/bin/kube-apiserver
-rwxr-xr-x 1 root root 121110528 Apr 3 14:12 /opt/kubernetes/bin/kube-controller-manager
-rwxr-xr-x 1 root root  49618944 Apr 3 14:12 /opt/kubernetes/bin/kube-scheduler
[root@vm01 cfg]# ll /usr/local/bin/kubectl
-rwxr-xr-x 1 root root 46592000 Apr 3 14:12 /usr/local/bin/kubectl
12.2.9 Start kube-apiserver
[root@vm01 cfg]# systemctl daemon-reload && systemctl start kube-apiserver && systemctl enable kube-apiserver && systemctl status kube-apiserver
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
● kube-apiserver.service - Kubernetes API Server
   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 14:14:54 CST; 111ms ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 11765 (kube-apiserver)
   CGroup: /system.slice/kube-apiserver.service
           └─11765 /opt/kubernetes/bin/kube-apiserver --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --insecure-port=0 --etcd-servers=https://192.168.10.11:2379,https://192.168.10.12:2379,http...

Apr 03 14:14:54 vm01 systemd[1]: Started Kubernetes API Server.
12.3 Deploy the ControllerManager
12.3.1 Create the configuration file
cd /opt/TLS/k8s/cfg
cat > kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--cluster-signing-duration=87600h0m0s"
EOF
# • --kubeconfig: kubeconfig used to connect to the apiserver
# • --leader-elect: automatic leader election when several instances of this component run (HA)
# • --cluster-signing-cert-file/--cluster-signing-key-file: the CA that automatically issues kubelet certificates; must be the same CA the apiserver uses
12.3.2 Generate the certificate configuration file
cd /opt/TLS/k8s/ssl
cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
12.3.3 Generate the certificate files
[root@vm01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
2022/04/03 14:19:13 [INFO] generate received request
2022/04/03 14:19:13 [INFO] received CSR
2022/04/03 14:19:13 [INFO] generating key: rsa-2048
2022/04/03 14:19:13 [INFO] encoded CSR
2022/04/03 14:19:13 [INFO] signed certificate with serial number 207379066893533311974100622812990123367796996104
2022/04/03 14:19:13 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
[root@vm01 ssl]# ll kube-controller-manager*
-rw-r--r-- 1 root root 1045 Apr 3 14:19 kube-controller-manager.csr
-rw-r--r-- 1 root root  255 Apr 3 14:18 kube-controller-manager-csr.json
-rw------- 1 root root 1679 Apr 3 14:19 kube-controller-manager-key.pem
-rw-r--r-- 1 root root 1436 Apr 3 14:19 kube-controller-manager.pem
# This produced kube-controller-manager.pem and kube-controller-manager-key.pem
12.3.4 Generate the kubeconfig file
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.10.11:6443 \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-controller-manager.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials kube-controller-manager \
  --client-certificate=./kube-controller-manager.pem \
  --client-key=./kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-controller-manager.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-controller-manager \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-controller-manager.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=/opt/TLS/k8s/cfg/kube-controller-manager.kubeconfig
12.3.5 Generate the systemd unit file
cd /opt/TLS/k8s/cfg
cat > kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
12.3.6 Distribute the files
# Distribute the certificate files
scp -r /opt/TLS/k8s/ssl/kube-controller-manager*.pem /opt/kubernetes/ssl/
# Distribute the configuration file
scp -r /opt/TLS/k8s/cfg/kube-controller-manager.conf /opt/kubernetes/cfg/
# Distribute the unit file
scp /opt/TLS/k8s/cfg/kube-controller-manager.service /usr/lib/systemd/system/kube-controller-manager.service
# Distribute the kubeconfig file
scp /opt/TLS/k8s/cfg/kube-controller-manager.kubeconfig /opt/kubernetes/cfg/kube-controller-manager.kubeconfig
12.3.7 Verify the files
# Verify the certificate files
[root@vm01 cfg]# ll /opt/kubernetes/ssl/kube-controller-manager*.pem
-rw------- 1 root root 1679 Apr 3 14:30 /opt/kubernetes/ssl/kube-controller-manager-key.pem
-rw-r--r-- 1 root root 1436 Apr 3 14:30 /opt/kubernetes/ssl/kube-controller-manager.pem
# Verify the configuration file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-controller-manager.conf
-rw-r--r-- 1 root root 582 Apr 3 14:30 /opt/kubernetes/cfg/kube-controller-manager.conf
# Verify the unit file
[root@vm01 cfg]# ll /usr/lib/systemd/system/kube-controller-manager.service
-rw-r--r-- 1 root root 321 Apr 3 14:30 /usr/lib/systemd/system/kube-controller-manager.service
# Verify the kubeconfig file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-controller-manager.kubeconfig
-rw------- 1 root root 6279 Apr 3 14:30 /opt/kubernetes/cfg/kube-controller-manager.kubeconfig
12.3.8 Start the ControllerManager
[root@vm01 cfg]# systemctl daemon-reload && systemctl start kube-controller-manager && systemctl enable kube-controller-manager && systemctl status kube-controller-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
● kube-controller-manager.service - Kubernetes Controller Manager
   Loaded: loaded (/usr/lib/systemd/system/kube-controller-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 14:33:09 CST; 111ms ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 11872 (kube-controller)
   CGroup: /system.slice/kube-controller-manager.service
           └─11872 /opt/kubernetes/bin/kube-controller-manager --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --leader-elect=true --kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubec...

Apr 03 14:33:09 vm01 systemd[1]: Started Kubernetes Controller Manager.
12.4 Deploy the Scheduler
12.4.1 Generate the configuration file
cd /opt/TLS/k8s/cfg/
cat > kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect \\
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \\
--bind-address=127.0.0.1"
EOF
12.4.2 Generate the certificate configuration file
cd /opt/TLS/k8s/ssl
cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
12.4.3 Generate the certificate files
[root@vm01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
2022/04/03 14:37:29 [INFO] generate received request
2022/04/03 14:37:29 [INFO] received CSR
2022/04/03 14:37:29 [INFO] generating key: rsa-2048
2022/04/03 14:37:29 [INFO] encoded CSR
2022/04/03 14:37:29 [INFO] signed certificate with serial number 270861181620040490080757616258059917703352589307
2022/04/03 14:37:29 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
# List the generated files
[root@vm01 ssl]# ll kube-scheduler*
-rw-r--r-- 1 root root 1029 Apr 3 14:37 kube-scheduler.csr
-rw-r--r-- 1 root root  245 Apr 3 14:37 kube-scheduler-csr.json
-rw------- 1 root root 1675 Apr 3 14:37 kube-scheduler-key.pem
-rw-r--r-- 1 root root 1424 Apr 3 14:37 kube-scheduler.pem
# This produced kube-scheduler.pem and kube-scheduler-key.pem
12.4.4 Generate the kubeconfig file
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.10.11:6443 \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-scheduler.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials kube-scheduler \
  --client-certificate=./kube-scheduler.pem \
  --client-key=./kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-scheduler.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-scheduler \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-scheduler.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=/opt/TLS/k8s/cfg/kube-scheduler.kubeconfig
12.4.5 Generate the systemd unit file
cd /opt/TLS/k8s/cfg
cat > kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
12.4.6 Distribute the files
# Distribute the configuration file
scp /opt/TLS/k8s/cfg/kube-scheduler.conf /opt/kubernetes/cfg/kube-scheduler.conf
# Distribute the certificate files
scp /opt/TLS/k8s/ssl/kube-scheduler*.pem /opt/kubernetes/ssl/
# Distribute the kubeconfig file
scp /opt/TLS/k8s/cfg/kube-scheduler.kubeconfig /opt/kubernetes/cfg/kube-scheduler.kubeconfig
# Distribute the unit file
scp /opt/TLS/k8s/cfg/kube-scheduler.service /usr/lib/systemd/system/kube-scheduler.service
12.4.7 Verify the files
# Verify the configuration file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-scheduler.conf
-rw-r--r-- 1 root root 188 Apr 3 14:44 /opt/kubernetes/cfg/kube-scheduler.conf
# Verify the certificate files
[root@vm01 cfg]# ll /opt/kubernetes/ssl/kube-scheduler*.pem
-rw------- 1 root root 1675 Apr 3 14:45 /opt/kubernetes/ssl/kube-scheduler-key.pem
-rw-r--r-- 1 root root 1424 Apr 3 14:45 /opt/kubernetes/ssl/kube-scheduler.pem
# Verify the kubeconfig file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-scheduler.kubeconfig
-rw------- 1 root root 6241 Apr 3 14:45 /opt/kubernetes/cfg/kube-scheduler.kubeconfig
# Verify the unit file
[root@vm01 cfg]# ll /usr/lib/systemd/system/kube-scheduler.service
-rw-r--r-- 1 root root 285 Apr 3 14:45 /usr/lib/systemd/system/kube-scheduler.service
12.4.8 Start the scheduler
[root@vm01 cfg]# systemctl daemon-reload && systemctl start kube-scheduler && systemctl enable kube-scheduler && systemctl status kube-scheduler
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
● kube-scheduler.service - Kubernetes Scheduler
   Loaded: loaded (/usr/lib/systemd/system/kube-scheduler.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 14:48:19 CST; 113ms ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 11972 (kube-scheduler)
   CGroup: /system.slice/kube-scheduler.service
           └─11972 /opt/kubernetes/bin/kube-scheduler --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --leader-elect --kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig --bind-address=12...

Apr 03 14:48:19 vm01 systemd[1]: Started Kubernetes Scheduler.
Apr 03 14:48:19 vm01 kube-scheduler[11972]: Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig...k8s-components
Apr 03 14:48:19 vm01 kube-scheduler[11972]: Flag --log-dir has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-ins...k8s-components
Hint: Some lines were ellipsized, use -l to show in full.
At this point the three Master components (Apiserver, ControllerManager, Scheduler) are deployed and running. Next, let's check the status of all the components.
13. Check the cluster component status
13.1 Generate the certificate configuration for connecting to the cluster
cd /opt/TLS/k8s/ssl
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
13.2 Generate the connection certificate
[root@vm01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2022/04/03 14:52:53 [INFO] generate received request
2022/04/03 14:52:53 [INFO] received CSR
2022/04/03 14:52:53 [INFO] generating key: rsa-2048
2022/04/03 14:52:53 [INFO] encoded CSR
2022/04/03 14:52:53 [INFO] signed certificate with serial number 544157816284296715610790502652620056833806648888
2022/04/03 14:52:53 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
# List the generated certificate files
[root@vm01 ssl]# ll admin*
-rw-r--r-- 1 root root 1009 Apr 3 14:52 admin.csr
-rw-r--r-- 1 root root  229 Apr 3 14:52 admin-csr.json
-rw------- 1 root root 1679 Apr 3 14:52 admin-key.pem
-rw-r--r-- 1 root root 1399 Apr 3 14:52 admin.pem
13.3 Generate the kubeconfig file
cd /opt/TLS/k8s/cfg
# Set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.10.11:6443 \
  --kubeconfig=/opt/TLS/k8s/cfg/config
# Set client authentication parameters
kubectl config set-credentials cluster-admin \
  --client-certificate=/opt/TLS/k8s/ssl/admin.pem \
  --client-key=/opt/TLS/k8s/ssl/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/TLS/k8s/cfg/config
# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=cluster-admin \
  --kubeconfig=/opt/TLS/k8s/cfg/config
# Set the default context
kubectl config use-context default --kubeconfig=/opt/TLS/k8s/cfg/config
13.4 Distribute the file
mkdir /root/.kube
scp /opt/TLS/k8s/cfg/config /root/.kube/config
13.5 View cluster component status
# Check the current cluster component status with kubectl
[root@vm01 cfg]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok
etcd-0               Healthy   {"health":"true"}
controller-manager   Healthy   ok
etcd-2               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
# Output like the above means the Master node components are running normally
14. Authorize the bootstrap user to request certificates
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
15. Deploy Worker Nodes
Because local machine resources are limited, the Master node also takes on the Worker Node role.
15.1 Create working directories
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
ssh vm02 "mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}"
ssh vm03 "mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}"
15.2 Distribute files
scp -r /opt/TLS/download/kubernetes/server/bin/{kubelet,kube-proxy} /opt/kubernetes/bin
scp /opt/TLS/download/kubernetes/server/bin/kubelet /usr/local/bin
15.3 Verify files
[root@vm01 cfg]# ll /opt/kubernetes/bin/{kubelet,kube-proxy}
-rwxr-xr-x 1 root root 124521440 Apr  3 15:09 /opt/kubernetes/bin/kubelet
-rwxr-xr-x 1 root root  44163072 Apr  3 15:09 /opt/kubernetes/bin/kube-proxy
[root@vm01 cfg]# ll /usr/local/bin/kubelet
-rwxr-xr-x 1 root root 124521440 Apr  3 15:10 /usr/local/bin/kubelet
15.4 Deploy kubelet
15.4.1 Create the configuration files
For convenience, the kubelet configuration files for all three virtual machines are created here in one go; afterwards each file only needs to be distributed to its machine.
cd /opt/TLS/k8s/cfg/
cat > kubelet01.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=vm01 \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=ibmcom/pause-amd64:3.1"
EOF
cat > kubelet02.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=vm02 \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=ibmcom/pause-amd64:3.1"
EOF
cat > kubelet03.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=vm03 \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=ibmcom/pause-amd64:3.1"
EOF
# • --hostname-override: display name of the node, must be unique within the cluster
# • --network-plugin: enable CNI
# • --kubeconfig: path that does not exist yet; it is generated automatically after bootstrap and is then used to connect to the apiserver
# • --bootstrap-kubeconfig: used on first start to request a certificate from the apiserver
# • --config: configuration parameter file
# • --cert-dir: directory where the kubelet certificates are generated
# • --pod-infra-container-image: image of the container that manages the Pod network
15.4.2 Configure the parameter file
cat > kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
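As an added review aid (Go, not part of the original tutorial), the program below reads a constructed copy of the kubelet-config.yml above with a small parser for the block-mapping subset of YAML it uses, and flags the settings that decide who can talk to the kubelet API: anonymous authentication, webhook authorization, the client CA, and readOnlyPort, which the tutorial leaves at 10255 even though that port answers without any authentication. The audit function and its expected-value table are this example's own, not a kubelet feature.

```go
package main

import (
	"fmt"
	"strings"
)

// kubeletConfig is a constructed copy of the kubelet-config.yml written in 15.4.2.
const kubeletConfig = `kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
maxOpenFiles: 1000000
maxPods: 110
`

// Finding records one setting that deviates from the expected hardened value.
type Finding struct {
	Key  string
	Got  string
	Want string
	Why  string
}

// flattenYAML reduces the nested-mapping subset of YAML used by kubelet-config.yml
// to dotted keys, e.g. "authentication.anonymous.enabled" -> "false".
// Sequence items ("- 10.0.0.2") are skipped; the audit does not need them.
func flattenYAML(doc string) map[string]string {
	type frame struct {
		indent int
		key    string
	}
	out := map[string]string{}
	var stack []frame
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		// Pop every mapping that is not an ancestor of this line.
		for len(stack) > 0 && stack[len(stack)-1].indent >= indent {
			stack = stack[:len(stack)-1]
		}
		key, value, _ := strings.Cut(line, ":")
		key = strings.TrimSpace(key)
		value = strings.Trim(strings.TrimSpace(value), `"'`)
		if value == "" { // a nested mapping (or a sequence) follows
			stack = append(stack, frame{indent, key})
			continue
		}
		parts := make([]string, 0, len(stack)+1)
		for _, f := range stack {
			parts = append(parts, f.key)
		}
		out[strings.Join(append(parts, key), ".")] = value
	}
	return out
}

// auditKubeletConfig returns the deviations from the settings that keep the
// kubelet API from being used without authentication and authorization.
func auditKubeletConfig(doc string) []Finding {
	cfg := flattenYAML(doc)
	var findings []Finding
	expect := func(key, want, why string) {
		got, ok := cfg[key]
		if !ok {
			got = "<unset>"
		}
		if got != want {
			findings = append(findings, Finding{key, got, want, why})
		}
	}
	expect("authentication.anonymous.enabled", "false", "unauthenticated requests must be rejected")
	expect("authentication.webhook.enabled", "true", "bearer tokens must be verified through the API server")
	expect("authorization.mode", "Webhook", "authorization must be delegated to the API server")
	if cfg["authentication.x509.clientCAFile"] == "" {
		findings = append(findings, Finding{"authentication.x509.clientCAFile", "<unset>", "<path to ca.pem>",
			"client certificates cannot be verified without the cluster CA"})
	}
	// KubeletConfiguration defaults readOnlyPort to 10255 when the key is absent,
	// so an unset key is exposed exactly like an explicit 10255.
	got, ok := cfg["readOnlyPort"]
	if !ok {
		got = "10255 (default)"
	}
	if got != "0" {
		findings = append(findings, Finding{"readOnlyPort", got, "0",
			"the read-only port serves /pods and node metadata with no authentication, bypassing the checks above"})
	}
	return findings
}

func main() {
	for _, f := range auditKubeletConfig(kubeletConfig) {
		fmt.Printf("%s: got %q, want %q (%s)\n", f.Key, f.Got, f.Want, f.Why)
	}
}
```

On the tutorial's file the audit reports exactly one finding, readOnlyPort; setting it to 0 (or binding the kubelet to a host-only address) clears it.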
15.4.3 Create the systemd service file
cat > kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
15.4.4 Create the bootstrap kubeconfig file
# Set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.10.11:6443 \
  --kubeconfig=/opt/TLS/k8s/cfg/bootstrap.kubeconfig
# Set client authentication parameters (the bootstrap token from token.csv)
kubectl config set-credentials "kubelet-bootstrap" \
  --token=c47ffb939f5ca36231d9e3121a252940 \
  --kubeconfig=/opt/TLS/k8s/cfg/bootstrap.kubeconfig
# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user="kubelet-bootstrap" \
  --kubeconfig=/opt/TLS/k8s/cfg/bootstrap.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=/opt/TLS/k8s/cfg/bootstrap.kubeconfig
15.4.5 Distribute files
# Distribute the configuration file
scp /opt/TLS/k8s/cfg/kubelet01.conf /opt/kubernetes/cfg/kubelet.conf
# Distribute the parameter file
scp /opt/TLS/k8s/cfg/kubelet-config.yml /opt/kubernetes/cfg/kubelet-config.yml
# Distribute the kubeconfig file
scp /opt/TLS/k8s/cfg/bootstrap.kubeconfig /opt/kubernetes/cfg/bootstrap.kubeconfig
# Distribute the service file
scp /opt/TLS/k8s/cfg/kubelet.service /usr/lib/systemd/system/kubelet.service
15.4.6 Verify files
# Verify the configuration file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kubelet.conf
-rw-r--r-- 1 root root 382 Apr  3 15:19 /opt/kubernetes/cfg/kubelet.conf
# Verify the parameter file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kubelet-config.yml
-rw-r--r-- 1 root root 610 Apr  3 15:19 /opt/kubernetes/cfg/kubelet-config.yml
# Verify the kubeconfig file
[root@vm01 cfg]# ll /opt/kubernetes/cfg/bootstrap.kubeconfig
-rw------- 1 root root 2103 Apr  3 15:19 /opt/kubernetes/cfg/bootstrap.kubeconfig
# Verify the service file
[root@vm01 cfg]# ll /usr/lib/systemd/system/kubelet.service
-rw-r--r-- 1 root root 246 Apr  3 15:19 /usr/lib/systemd/system/kubelet.service
15.4.7 Start kubelet
[root@vm01 cfg]# systemctl daemon-reload && systemctl start kubelet && systemctl enable kubelet && systemctl status kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 15:22:33 CST; 113ms ago
 Main PID: 12121 (kubelet)
   CGroup: /system.slice/kubelet.service
           └─12121 /opt/kubernetes/bin/kubelet --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --hostname-override=vm01 --network-plugin=cni --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig ...

Apr 03 15:22:33 vm01 systemd[1]: Started Kubernetes Kubelet.
15.4.8 Approve the kubelet certificate request
# View the kubelet certificate requests
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   57s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending
# Approve the request
[root@vm01 cfg]# kubectl certificate approve node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek
certificatesigningrequest.certificates.k8s.io/node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek approved
# Check the request status
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE    SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   111s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
# View the cluster nodes
[root@vm01 cfg]# kubectl get nodes
NAME   STATUS     ROLES    AGE   VERSION
vm01   NotReady   <none>   32s   v1.23.4
# The node stays NotReady because the network plugin has not been deployed yet
15.5 Deploy kube-proxy
15.5.1 Create the configuration file
cd /opt/TLS/k8s/cfg/
cat > kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
15.5.2 Create the parameter files
cat > kube-proxy-config01.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: vm01
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
EOF
cat > kube-proxy-config02.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: vm02
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
EOF
cat > kube-proxy-config03.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: vm03
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
EOF
15.5.3 Generate the certificate request config
cd /opt/TLS/k8s/ssl
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
15.5.4 Generate the certificate files
[root@vm01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2022/04/03 15:30:38 [INFO] generate received request
2022/04/03 15:30:38 [INFO] received CSR
2022/04/03 15:30:38 [INFO] generating key: rsa-2048
2022/04/03 15:30:38 [INFO] encoded CSR
2022/04/03 15:30:38 [INFO] signed certificate with serial number 117156627576808648708142496682355499174590336333
2022/04/03 15:30:38 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
# List the generated certificate files
[root@vm01 ssl]# ll kube-proxy*
-rw-r--r-- 1 root root 1009 Apr  3 15:30 kube-proxy.csr
-rw-r--r-- 1 root root  230 Apr  3 15:30 kube-proxy-csr.json
-rw------- 1 root root 1679 Apr  3 15:30 kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Apr  3 15:30 kube-proxy.pem
15.5.5 Generate the kubeconfig file
# Set cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.10.11:6443 \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-proxy.kubeconfig
# Set client authentication parameters (absolute paths, so the command does not depend on the current directory)
kubectl config set-credentials kube-proxy \
  --client-certificate=/opt/TLS/k8s/ssl/kube-proxy.pem \
  --client-key=/opt/TLS/k8s/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-proxy.kubeconfig
# Set context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=/opt/TLS/k8s/cfg/kube-proxy.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=/opt/TLS/k8s/cfg/kube-proxy.kubeconfig
15.5.6 Generate the systemd service file
cd /opt/TLS/k8s/cfg
cat > kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
15.5.7 Distribute files
scp /opt/TLS/k8s/ssl/kube-proxy*.pem /opt/kubernetes/ssl
scp /opt/TLS/k8s/cfg/kube-proxy.conf /opt/kubernetes/cfg/kube-proxy.conf
scp /opt/TLS/k8s/cfg/kube-proxy-config01.yml /opt/kubernetes/cfg/kube-proxy-config.yml
scp /opt/TLS/k8s/cfg/kube-proxy.kubeconfig /opt/kubernetes/cfg/kube-proxy.kubeconfig
scp /opt/TLS/k8s/cfg/kube-proxy.service /usr/lib/systemd/system/kube-proxy.service
15.5.8 Verify files
[root@vm01 cfg]# ll /opt/kubernetes/ssl/kube-proxy*.pem
-rw------- 1 root root 1679 Apr  3 15:35 /opt/kubernetes/ssl/kube-proxy-key.pem
-rw-r--r-- 1 root root 1403 Apr  3 15:35 /opt/kubernetes/ssl/kube-proxy.pem
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-proxy.conf
-rw-r--r-- 1 root root 132 Apr  3 15:35 /opt/kubernetes/cfg/kube-proxy.conf
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-proxy-config.yml
-rw-r--r-- 1 root root 320 Apr  3 15:35 /opt/kubernetes/cfg/kube-proxy-config.yml
[root@vm01 cfg]# ll /opt/kubernetes/cfg/kube-proxy.kubeconfig
-rw------- 1 root root 6209 Apr  3 15:35 /opt/kubernetes/cfg/kube-proxy.kubeconfig
[root@vm01 cfg]# ll /usr/lib/systemd/system/kube-proxy.service
-rw-r--r-- 1 root root 253 Apr  3 15:35 /usr/lib/systemd/system/kube-proxy.service
15.5.9 Start kube-proxy
[root@vm01 cfg]# systemctl daemon-reload && systemctl start kube-proxy && systemctl enable kube-proxy && systemctl status kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 15:36:32 CST; 118ms ago
 Main PID: 13681 (kube-proxy)
   CGroup: /system.slice/kube-proxy.service
           ├─13681 /opt/kubernetes/bin/kube-proxy --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --config=/opt/kubernetes/cfg/kube-proxy-config.yml
           └─13708 modprobe -- ip_vs_sh

Apr 03 15:36:32 vm01 systemd[1]: Started Kubernetes Proxy.
Apr 03 15:36:32 vm01 kube-proxy[13681]: Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-ins...k8s-components
Apr 03 15:36:32 vm01 kube-proxy[13681]: Flag --log-dir has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrum...k8s-components
Hint: Some lines were ellipsized, use -l to show in full.
16. Add the other Worker Nodes
16.2 Add vm02
16.2.1 Distribute files
# Run this on the Master (vm01)
# Distribute the kubernetes working directory
scp -r /opt/kubernetes root@192.168.10.12:/opt/
# Distribute the kubelet and kube-proxy service files
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.10.12:/usr/lib/systemd/system
# Distribute the CA certificate
scp /opt/kubernetes/ssl/ca.pem root@192.168.10.12:/opt/kubernetes/ssl
# Replace kubelet.conf
scp /opt/TLS/k8s/cfg/kubelet02.conf vm02:/opt/kubernetes/cfg/kubelet.conf
# Replace kube-proxy-config.yml
scp /opt/TLS/k8s/cfg/kube-proxy-config02.yml vm02:/opt/kubernetes/cfg/kube-proxy-config.yml
# Delete the kubelet certificate and kubeconfig copied over from vm01, so that vm02 bootstraps its own node identity
ssh vm02 "rm -f /opt/kubernetes/cfg/kubelet.kubeconfig"
ssh vm02 "rm -f /opt/kubernetes/ssl/kubelet*"
16.2.2 Verify files
# Run this on vm02
[root@vm02 ~]# ll /opt/kubernetes
total 12
drwxr-xr-x 2 root root  114 Apr  3 15:47 bin
drwxr-xr-x 2 root root 4096 Apr  3 15:48 cfg
drwxr-xr-x 2 root root 4096 Apr  3 15:47 logs
drwxr-xr-x 2 root root 4096 Apr  3 15:48 ssl
[root@vm02 ~]# ll /usr/lib/systemd/system/{kubelet,kube-proxy}.service
-rw-r--r-- 1 root root 246 Apr  3 15:47 /usr/lib/systemd/system/kubelet.service
-rw-r--r-- 1 root root 253 Apr  3 15:47 /usr/lib/systemd/system/kube-proxy.service
[root@vm02 ~]# ll /opt/kubernetes/ssl/ca.pem
-rw-r--r-- 1 root root 1310 Apr  3 15:47 /opt/kubernetes/ssl/ca.pem
[root@vm02 ~]# ll /opt/kubernetes/cfg/kubelet.conf
-rw-r--r-- 1 root root 382 Apr  3 15:48 /opt/kubernetes/cfg/kubelet.conf
[root@vm02 ~]# cat /opt/kubernetes/cfg/kubelet.conf
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=vm02 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=ibmcom/pause-amd64:3.1"
[root@vm02 ~]# ll /opt/kubernetes/cfg/kube-proxy-config.yml
-rw-r--r-- 1 root root 320 Apr  3 15:48 /opt/kubernetes/cfg/kube-proxy-config.yml
[root@vm02 ~]# cat /opt/kubernetes/cfg/kube-proxy-config.yml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: vm02
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
[root@vm02 ~]# ll /opt/kubernetes/cfg/kubelet.kubeconfig
ls: cannot access /opt/kubernetes/cfg/kubelet.kubeconfig: No such file or directory
[root@vm02 ~]# ll /opt/kubernetes/ssl/kubelet*
ls: cannot access /opt/kubernetes/ssl/kubelet*: No such file or directory
16.2.3 Start kubelet
# Run this on vm02
[root@vm02 ~]# systemctl daemon-reload && systemctl start kubelet && systemctl enable kubelet && systemctl status kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 15:52:53 CST; 109ms ago
 Main PID: 11629 (kubelet)
   CGroup: /system.slice/kubelet.service
           └─11629 /opt/kubernetes/bin/kubelet --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --hostname-override=vm02 --network-plugin=cni --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig ...

Apr 03 15:52:53 vm02 systemd[1]: Started Kubernetes Kubelet.
16.2.4 Approve the new node's certificate request
# Run this on the Master (vm01)
# View the new certificate request; its state is Pending
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   31m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   56s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending
# Approve the new request and let the node join the cluster
[root@vm01 cfg]# kubectl certificate approve node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc
certificatesigningrequest.certificates.k8s.io/node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc approved
# Check the approval status
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   31m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   75s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
# View the cluster nodes
[root@vm01 cfg]# kubectl get nodes
NAME   STATUS     ROLES    AGE   VERSION
vm01   NotReady   <none>   30m   v1.23.4
vm02   NotReady   <none>   14s   v1.23.4
# The nodes stay NotReady because the network plugin has not been deployed yet
16.2.5 Start kube-proxy
# Run this on vm02
[root@vm02 ~]# systemctl daemon-reload && systemctl start kube-proxy && systemctl enable kube-proxy && systemctl status kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2022-04-03 15:57:40 CST; 143ms ago
 Main PID: 12241 (kube-proxy)
   CGroup: /system.slice/kube-proxy.service
           ├─12241 /opt/kubernetes/bin/kube-proxy --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --config=/opt/kubernetes/cfg/kube-proxy-config.yml
           └─12269 modprobe -- ip_vs_wrr

Apr 03 15:57:40 vm02 systemd[1]: Started Kubernetes Proxy.
Apr 03 15:57:40 vm02 kube-proxy[12241]: Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-ins...k8s-components
Apr 03 15:57:40 vm02 kube-proxy[12241]: Flag --log-dir has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrum...k8s-components
Hint: Some lines were ellipsized, use -l to show in full.
16.3 Add vm03
16.3.1 Distribute files
# Run this on the Master (vm01)
# Distribute the kubernetes working directory
scp -r /opt/kubernetes root@192.168.10.13:/opt/
# Distribute the kubelet and kube-proxy service files
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.10.13:/usr/lib/systemd/system
# Distribute the CA certificate
scp /opt/kubernetes/ssl/ca.pem root@192.168.10.13:/opt/kubernetes/ssl
# Replace kubelet.conf
scp /opt/TLS/k8s/cfg/kubelet03.conf vm03:/opt/kubernetes/cfg/kubelet.conf
# Replace kube-proxy-config.yml
scp /opt/TLS/k8s/cfg/kube-proxy-config03.yml vm03:/opt/kubernetes/cfg/kube-proxy-config.yml
# Delete the kubelet certificate and kubeconfig copied over from vm01, so that vm03 bootstraps its own node identity
ssh vm03 "rm -f /opt/kubernetes/cfg/kubelet.kubeconfig"
ssh vm03 "rm -f /opt/kubernetes/ssl/kubelet*"
16.3.2 Verify files
# Run this on vm03
[root@vm03 ~]# ll /opt/kubernetes
total 12
drwxr-xr-x 2 root root  114 Apr  4 12:21 bin
drwxr-xr-x 2 root root 4096 Apr  4 12:22 cfg
drwxr-xr-x 2 root root 4096 Apr  4 12:21 logs
drwxr-xr-x 2 root root 4096 Apr  4 12:22 ssl
[root@vm03 ~]# ll /usr/lib/systemd/system/{kubelet,kube-proxy}.service
-rw-r--r-- 1 root root 246 Apr  4 12:21 /usr/lib/systemd/system/kubelet.service
-rw-r--r-- 1 root root 253 Apr  4 12:21 /usr/lib/systemd/system/kube-proxy.service
[root@vm03 ~]# ll /opt/kubernetes/ssl/ca.pem
-rw-r--r-- 1 root root 1310 Apr  4 12:22 /opt/kubernetes/ssl/ca.pem
[root@vm03 ~]# ll /opt/kubernetes/cfg/kubelet.conf
-rw-r--r-- 1 root root 382 Apr  4 12:22 /opt/kubernetes/cfg/kubelet.conf
[root@vm03 ~]# cat /opt/kubernetes/cfg/kubelet.conf
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=vm03 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=ibmcom/pause-amd64:3.1"
[root@vm03 ~]# ll /opt/kubernetes/cfg/kube-proxy-config.yml
-rw-r--r-- 1 root root 320 Apr  4 12:22 /opt/kubernetes/cfg/kube-proxy-config.yml
[root@vm03 ~]# cat /opt/kubernetes/cfg/kube-proxy-config.yml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: vm03
clusterCIDR: 10.244.0.0/16
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
[root@vm03 ~]# ll /opt/kubernetes/cfg/kubelet.kubeconfig
ls: cannot access /opt/kubernetes/cfg/kubelet.kubeconfig: No such file or directory
[root@vm03 ~]# ll /opt/kubernetes/ssl/kubelet*
ls: cannot access /opt/kubernetes/ssl/kubelet*: No such file or directory
16.3.3 Start kubelet
# Run this on vm03
[root@vm03 ~]# systemctl daemon-reload && systemctl start kubelet && systemctl enable kubelet && systemctl status kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
● kubelet.service - Kubernetes Kubelet
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-04-04 12:26:34 CST; 100ms ago
 Main PID: 11597 (kubelet)
   CGroup: /system.slice/kubelet.service
           └─11597 /opt/kubernetes/bin/kubelet --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --hostname-override=vm03 --network-plugin=cni --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig ...

Apr 04 12:26:34 vm03 systemd[1]: Started Kubernetes Kubelet.
16.3.4 Approve the new node's certificate request
# Run this on the Master (vm01)
# View the new certificate request; its state is Pending
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   43m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-imMAz2WtkeUWNSfVh_qFxax0V3U6fNcIrXgGWS-VRpk   50s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   12m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
# Approve the request
[root@vm01 cfg]# kubectl certificate approve node-csr-imMAz2WtkeUWNSfVh_qFxax0V3U6fNcIrXgGWS-VRpk
certificatesigningrequest.certificates.k8s.io/node-csr-imMAz2WtkeUWNSfVh_qFxax0V3U6fNcIrXgGWS-VRpk approved
# Check the request status
[root@vm01 cfg]# kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION
node-csr-6mDDHTg4HuOsVY_7oJRUqtS-6YQFe7JytpYdbRs9kek   43m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-imMAz2WtkeUWNSfVh_qFxax0V3U6fNcIrXgGWS-VRpk   73s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
node-csr-ktjmR4VegWx92ELE3IskISfkdatpXBTKBrq8ZOCVObc   13m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued
# View the cluster nodes
[root@vm01 cfg]# kubectl get nodes
NAME   STATUS     ROLES    AGE   VERSION
vm01   NotReady   <none>   42m   v1.23.4
vm02   NotReady   <none>   12m   v1.23.4
vm03   NotReady   <none>   9s    v1.23.4
# The nodes stay NotReady because the network plugin has not been deployed yet
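The approval steps in 15.4.8, 16.2 and 16.3 approve each Pending CSR by name straight from the table. As an added example (Go, not part of the original tutorial), the function below vets a CSR the way an operator should before running `kubectl certificate approve`: the signer and requestor columns, the subject (CN=system:node:<name>, O=system:nodes, no SANs), and that <name> is one of the hosts planned in section 1. `newTestCSR` is a constructed stand-in for the request a kubelet sends during bootstrap, and the PendingCSR fields mirror `kubectl get csr` output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// PendingCSR holds the columns of `kubectl get csr` that matter for the decision,
// plus the request body (spec.request from `kubectl get csr <name> -o json`, base64-decoded).
type PendingCSR struct {
	Name      string
	Signer    string
	Requestor string
	Request   []byte // PEM "CERTIFICATE REQUEST"
}

const (
	kubeletSigner  = "kubernetes.io/kube-apiserver-client-kubelet"
	bootstrapUser  = "kubelet-bootstrap" // the user granted system:node-bootstrapper in section 14
	nodeUserPrefix = "system:node:"
	nodeGroup      = "system:nodes"
)

// vetNodeCSR returns nil only for a request the bootstrap flow is expected to
// produce: the kubelet client signer, the bootstrap user as requestor, a subject of
// CN=system:node:<name> with O=system:nodes and no SANs, and <name> in the plan.
func vetNodeCSR(c PendingCSR, plannedNodes map[string]bool) error {
	if c.Signer != kubeletSigner {
		return fmt.Errorf("%s: unexpected signer %q", c.Name, c.Signer)
	}
	if c.Requestor != bootstrapUser {
		return fmt.Errorf("%s: unexpected requestor %q", c.Name, c.Requestor)
	}
	block, _ := pem.Decode(c.Request)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("%s: body is not a PEM certificate request", c.Name)
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("%s: %w", c.Name, err)
	}
	if err := req.CheckSignature(); err != nil {
		return fmt.Errorf("%s: CSR signature does not verify: %w", c.Name, err)
	}
	if len(req.Subject.Organization) != 1 || req.Subject.Organization[0] != nodeGroup {
		return fmt.Errorf("%s: O=%v, want [%s]", c.Name, req.Subject.Organization, nodeGroup)
	}
	if !strings.HasPrefix(req.Subject.CommonName, nodeUserPrefix) {
		return fmt.Errorf("%s: CN %q is not a node identity", c.Name, req.Subject.CommonName)
	}
	node := strings.TrimPrefix(req.Subject.CommonName, nodeUserPrefix)
	if node == "" || !plannedNodes[node] {
		return fmt.Errorf("%s: node %q is not in the cluster plan", c.Name, node)
	}
	if len(req.DNSNames)+len(req.IPAddresses)+len(req.EmailAddresses)+len(req.URIs) > 0 {
		return fmt.Errorf("%s: a kubelet client CSR must not carry SANs", c.Name)
	}
	return nil
}

// newTestCSR builds a PEM CSR with the given subject. Constructed for this example;
// a real kubelet generates its own key and sends the CSR through bootstrap.kubeconfig.
func newTestCSR(cn string, orgs []string) []byte {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, Organization: orgs},
	}, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	plan := map[string]bool{"vm01": true, "vm02": true, "vm03": true} // section 1
	cases := []PendingCSR{
		{Name: "csr-vm03", Signer: kubeletSigner, Requestor: bootstrapUser, Request: newTestCSR("system:node:vm03", []string{"system:nodes"})},
		{Name: "csr-unplanned", Signer: kubeletSigner, Requestor: bootstrapUser, Request: newTestCSR("system:node:vm09", []string{"system:nodes"})},
		{Name: "csr-masters", Signer: kubeletSigner, Requestor: bootstrapUser, Request: newTestCSR("admin", []string{"system:masters"})},
	}
	for _, c := range cases {
		if err := vetNodeCSR(c, plan); err != nil {
			fmt.Println("REJECT ", err)
			continue
		}
		fmt.Printf("APPROVE kubectl certificate approve %s\n", c.Name)
	}
}
```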
16.3.5 Start kube-proxy
# Run this on vm03
[root@vm03 ~]# systemctl daemon-reload && systemctl start kube-proxy && systemctl enable kube-proxy && systemctl status kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-04-04 12:30:37 CST; 122ms ago
 Main PID: 12152 (kube-proxy)
   CGroup: /system.slice/kube-proxy.service
           └─12152 /opt/kubernetes/bin/kube-proxy --logtostderr=false --v=2 --log-dir=/opt/kubernetes/logs --config=/opt/kubernetes/cfg/kube-proxy-config.yml

Apr 04 12:30:37 vm03 systemd[1]: Started Kubernetes Proxy.
Apr 04 12:30:37 vm03 kube-proxy[12152]: Flag --logtostderr has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-ins...k8s-components
Apr 04 12:30:37 vm03 kube-proxy[12152]: Flag --log-dir has been deprecated, will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrum...k8s-components
Hint: Some lines were ellipsized, use -l to show in full.
17. Deploy the Calico network component
Calico is a pure layer-3 data-center networking solution and is currently the mainstream networking choice for Kubernetes.
17.1 Calico network architecture
17.2 Deploy Calico
# Run this on the Master (vm01)
[root@vm01 cfg]# kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created
17.3 Check the network component status
Every 2.0s: kubectl get pods -n kube-system                                   Sun Apr  3 13:01:58 2022

NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-858c9597c8-m4bvk   1/1     Running   0          14m
calico-node-j92d2                          1/1     Running   0          3m26s
calico-node-mwv5h                          1/1     Running   0          8m20s
calico-node-sb6hg                          1/1     Running   0          14m
Once the output above appears, the cluster network plugin has been deployed.
18. Deploy the CoreDNS component
18.1 Create the YAML file
cd /opt/TLS/k8s/yml
vi coredns.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:coredns
rules:
  - apiGroups:
    - ""
    resources:
    - endpoints
    - services
    - pods
    - namespaces
    verbs:
    - list
    - watch
  - apiGroups:
    - discovery.k8s.io
    resources:
    - endpointslices
    verbs:
    - list
    - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus :9153
        forward . /etc/resolv.conf {
            max_concurrent 1000
        }
        cache 30
        loop
        reload
        loadbalance
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/name: "CoreDNS"
spec:
  # replicas: not specified here:
  # 1. Default is 1.
  # 2. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: k8s-app
                    operator: In
                    values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      containers:
      - name: coredns
        image: registry.cn-beijing.aliyuncs.com/dotbalo/coredns:1.8.6
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 170Mi
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /ready
            port: 8181
            scheme: HTTP
      dnsPolicy: Default
      volumes:
        - name: config-volume
          configMap:
            name: coredns
            items:
            - key: Corefile
              path: Corefile
---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  annotations:
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "CoreDNS"
spec:
  selector:
    k8s-app: kube-dns
  # Note: this address must lie in the cluster's Service IP range and must equal the
  # clusterDNS entry in kubelet-config.yml (10.0.0.2 in 15.4.2), otherwise Pods are
  # handed a resolver address that no Service answers on.
  clusterIP: 10.0.0.2
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
  - name: metrics
    port: 9153
    protocol: TCP
18.2 Deploy the coredns component
[root@vm01 yml]# kubectl apply -f coredns.yaml
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.apps/coredns created
service/kube-dns created
[root@vm01 yml]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-858c9597c8-m4bvk   1/1     Running   0          22m
kube-system   calico-node-j92d2                          1/1     Running   0          11m
kube-system   calico-node-mwv5h                          1/1     Running   0          16m
kube-system   calico-node-sb6hg                          1/1     Running   0          22m
kube-system   coredns-75c59cb869-znpk8                   1/1     Running   0          16s
19. Deploy the dashboard
19.1 Create the yaml file
cd /opt/TLS/k8s/yml
vi dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.5.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.7
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
19.2 Create the dashboard components
[root@vm01 yml]# kubectl apply -f dashboard.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
19.3 Check component status
[root@vm01 yml]# kubectl get pods,svc -n kubernetes-dashboard
NAME                                             READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-5b8896d7fc-62t5g   1/1     Running   0          61s
pod/kubernetes-dashboard-7b5d774449-np99c        1/1     Running   0          61s

NAME                                TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
service/dashboard-metrics-scraper   ClusterIP   10.0.0.206   <none>        8000/TCP   61s
service/kubernetes-dashboard        ClusterIP   10.0.0.128   <none>        443/TCP    62s
Judging from the status, the components were created successfully, but they cannot yet be reached from outside the cluster. To get a look at the dashboard we need to change the type of the svc.
19.4 Change the svc type
[root@vm01 yml]# kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
service/kubernetes-dashboard patched
[root@vm01 yml]# kubectl get pods,svc -n kubernetes-dashboard
NAME                                             READY   STATUS    RESTARTS   AGE
pod/dashboard-metrics-scraper-5b8896d7fc-62t5g   1/1     Running   0          4m23s
pod/kubernetes-dashboard-7b5d774449-np99c        1/1     Running   0          4m23s

NAME                                TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)         AGE
service/dashboard-metrics-scraper   ClusterIP   10.0.0.206   <none>        8000/TCP        4m23s
service/kubernetes-dashboard        NodePort    10.0.0.128   <none>        443:31054/TCP   4m24s
# the svc now exposes an externally reachable port, 31054
19.5 Access the web page
Open https://192.168.10.11:31054 in a browser.
When the screen above appears, click "Proceed to 192.168.10.11 (unsafe)".
Here we have to enter a token value. Where do we find it? Follow the steps below.
19.6 Generate a token
# create the service account
[root@vm01 yml]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
# bind the default cluster-admin administrator cluster role
[root@vm01 yml]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
# show the token value; the longest string is the token
[root@vm01 yml]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Name:         dashboard-admin-token-jldjt
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 65f21379-a38b-4e4a-b8a0-2bf8bc056faa

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1310 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InJsRnVoZ1VtSWdMQ1U3VmxJMzRFVVI3T1VrdDU4REhiSVFQUl9naDUzdEEifQ....j7nKBfiDUFuVTDhy9Nyjw3kp0w_CKvh9ec94j7VLZz6v5RupdlIZIQqqtyhcFPLj7ADIwqXcWG3kpuFT_u5-cg5j95D88-7bt0rAtqwtn0FeBpWhT8dX_WZm7efSnw2c3xciFMYfTo9Iffx9GF7O9UKyOoh-Sg4MDeQLD2f-1jN3hqz-zuebQcnOlpeS-ateaRQvcb9Lhac5quST8G10IOFXz0itFpuypbXdOxCbRmqxIiHR_7PGOq_0_NGOPRsn5n4d68-cK34dM-HNQUZxSGPpxo39wvnWmyZNnYx3jW_KVXl5Dt-w4xsBhxcXwlvPvGuwZlbiR0PZEXYgOGq2hw
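The binding above hands the dashboard token cluster-admin, so anyone holding that token controls the whole cluster. As an added example that is not part of the original post, the script below creates a read-only login instead, bound to the built-in view ClusterRole, prints its token directly, and checks with kubectl impersonation that the account really is read-only. The account name dashboard-viewer is our own choice, and token retrieval assumes this guide's Kubernetes v1.20, where a token Secret is still created automatically for each ServiceAccount.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a read-only Dashboard login
# instead of the cluster-admin binding. Assumes this guide's Kubernetes
# v1.20, where a token Secret is auto-created for each ServiceAccount.
set -eu

SA_NAME="${SA_NAME:-dashboard-viewer}"        # hypothetical account name
SA_NAMESPACE="${SA_NAMESPACE:-kube-system}"

# Render a ServiceAccount bound to the built-in "view" ClusterRole: it can
# list and read most objects, but cannot read Secrets or change anything.
render_viewer_rbac() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${SA_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
EOF
}

# Apply the manifests and print only the bearer token, read from the Secret
# the ServiceAccount itself lists (no hunting for the longest string in
# "kubectl describe"). Waits briefly for the token controller to fill it in.
viewer_token() {
  render_viewer_rbac | kubectl apply -f - >/dev/null
  local secret=""
  until [ -n "${secret}" ]; do
    secret=$(kubectl -n "${SA_NAMESPACE}" get serviceaccount "${SA_NAME}" -o jsonpath='{.secrets[0].name}')
    [ -n "${secret}" ] || sleep 1
  done
  kubectl -n "${SA_NAMESPACE}" get secret "${secret}" -o jsonpath='{.data.token}' | base64 -d
  echo
}

# Confirm the account is read-only before handing the token out; with -q,
# "kubectl auth can-i" prints nothing and exits 0 for yes, 1 for no.
check_viewer_readonly() {
  local sa="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
  kubectl auth can-i list pods --all-namespaces --as="${sa}" -q &&
    ! kubectl auth can-i get secrets --all-namespaces --as="${sa}" -q &&
    ! kubectl auth can-i create pods -n default --as="${sa}" -q
}

# Only talk to the cluster when invoked as: ./dashboard-viewer.sh run
if [ "${1:-}" = "run" ]; then
  viewer_token
  check_viewer_readonly && echo "account is read-only"
fi
```

The printed token is pasted into the dashboard login screen exactly like the one from kubectl describe above; the dashboard then shows only what the view role allows.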
19.7 Log in to the web UI
After entering the token generated above, you are taken into the dashboard interface.
At this point the familiar dashboard interface is fully visible.
20. Deploy MetricsServer
Starting from v1.8, resource usage monitoring is obtained through the Metrics API; the concrete component is Metrics Server, which replaces the earlier heapster, deprecated step by step since 1.11.
Metrics-Server is the aggregator of the cluster's core monitoring data. Since Kubernetes 1.8 it is deployed by default as a Deployment object in clusters created by the kube-up.sh script; with other deployment methods it has to be installed separately, or you consult the corresponding cloud vendor.
20.1 Create the yaml file
cd /opt/TLS/k8s/yml
vi metrics-server.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        image: bitnami/metrics-server:0.4.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          periodSeconds: 10
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
20.2 Deploy the MetricsServer component
[root@vm01 yml]# kubectl apply -f metrics-server.yml
serviceaccount/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:metrics-server created
rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created
clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server created
service/metrics-server created
deployment.apps/metrics-server created
apiservice.apiregistration.k8s.io/v1beta1.metrics.k8s.io created
20.3 Check component status
[root@vm01 yml]# kubectl get pods -n kube-system |grep metrics-server
metrics-server-68cf7d657c-9rfg4            1/1     Running   0          93s
20.4 View resource usage
# after the steps above we can view the resource usage of the k8s cluster, sorted by a chosen rule
[root@vm01 yml]# kubectl top nodes
NAME   CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
vm01   113m         11%    1223Mi          66%
vm02   71m          7%     720Mi           38%
vm03   83m          8%     816Mi           44%
[root@vm01 yml]# kubectl top pods -n kube-system
NAME                                       CPU(cores)   MEMORY(bytes)
calico-kube-controllers-858c9597c8-m4bvk   2m           27Mi
calico-node-j92d2                          15m          160Mi
calico-node-mwv5h                          20m          162Mi
calico-node-sb6hg                          19m          177Mi
coredns-75c59cb869-znpk8                   1m           18Mi
metrics-server-68cf7d657c-9rfg4            2m           15Mi
Looking at the dashboard again, it now shows visualizations of resource usage, which is a useful aid when analyzing problems.
21. Install kuboard
Here is a recommendation of a very good k8s management tool that I personally like a lot.
21.1 Deploy kuboard
[root@vm01 yml]# kubectl apply -f https://addons.kuboard.cn/kuboard/kuboard-v3.yaml
namespace/kuboard created
configmap/kuboard-v3-config created
serviceaccount/kuboard-boostrap created
clusterrolebinding.rbac.authorization.k8s.io/kuboard-boostrap-crb created
daemonset.apps/kuboard-etcd created
deployment.apps/kuboard-v3 created
service/kuboard-v3 created
21.2 Check component status
Run the command watch kubectl get pods -n kuboard and wait until all Pods in the kuboard namespace are ready, as shown below:
Every 2.0s: kubectl get pods -n kuboard                    Sun Apr  3 14:15:07 2022

NAME                               READY   STATUS    RESTARTS   AGE
kuboard-etcd-jltwh                 1/1     Running   0          3m29s
kuboard-etcd-rsmd9                 1/1     Running   0          3m3s
kuboard-etcd-wdtgl                 1/1     Running   0          3m2s
kuboard-questdb-8497b87d9f-82466   1/1     Running   0          2m12s
kuboard-v3-59ccddb94c-5g5v6        1/1     Running   1          4m49s
If no kuboard-etcd-xxxxx container appears in the output, see the description of the missing Master Role in the referenced kuboard documentation.
The fix is as follows:
kubectl label nodes vm01 k8s.kuboard.cn/role=etcd
kubectl label nodes vm02 k8s.kuboard.cn/role=etcd
kubectl label nodes vm03 k8s.kuboard.cn/role=etcd
# reference: https://www.kuboard.cn/install/v3/install-in-k8s.html#%E5%AE%89%E8%A3%85