Building a heterogeneous Kubernetes cluster with Vagrant

Preparation

To save time, download the files listed below ahead of time; they can also be downloaded on the master once it is up.

Network plan

vip.kamputer.online=192.168.1.100
master.kamputer.online=192.168.1.101
ubuntu.kamputer.online=192.168.1.102
centos.kamputer.online=192.168.1.103
node.kamputer.online=192.168.1.111
Service CIDR: 10.96.0.0/12
Pod CIDR: 172.16.0.0/12

Make sure these names resolve on every VM (via your LAN DNS or /etc/hosts) before they are used in the variables and certificates below; Vagrant does not register them anywhere.

# Name of the NIC; needed when configuring keepalived
NET_INTERFACE=eth1
# First address of the Service CIDR from the network plan (the ClusterIP of kubernetes.default)
SERVICE_ADDRESS=10.96.0.1
# Initialisation node: holds the predownloaded files and the certificates
INITER_ADDRESS="master.kamputer.online"
# etcd node addresses
ETCD_NODES="master.kamputer.online,ubuntu.kamputer.online,centos.kamputer.online"
# Kubernetes master addresses
KUBERNETES_MASTERS="master.kamputer.online,ubuntu.kamputer.online,centos.kamputer.online"
# VIP from the network plan and the apiserver port behind it. The port is really the
# HAProxy port; HAProxy forwards to port 6443 on the apiservers.
VIP_HOSTNAME=vip.kamputer.online
# getent works with both DNS and /etc/hosts; take the first answer only
VIP_IP=$(getent hosts "$VIP_HOSTNAME" | awk 'NR == 1 {print $1}')
VIP_PORT=8443
# Both the name and the IP go into the apiserver certificate's SAN list (used below)
VIP_ADDRESS="$VIP_HOSTNAME,$VIP_IP"
# Single-master setup: use these instead
# VIP_ADDRESS=master.kamputer.online
# VIP_PORT=6443

# This node's own outward-facing IPv4 address (first address on the NIC, without the prefix length)
LOCAL_IP=$(ip -4 -o addr show dev "$NET_INTERFACE" | awk 'NR == 1 {print $4}' | cut -d/ -f1)
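The hostnames in the variables above must resolve on every node, and a typo in ETCD_NODES or KUBERNETES_MASTERS ends up baked into a certificate SAN list. The script below is an added example (mine, not from the original post): it turns the network plan into /etc/hosts entries and checks every name in those comma-separated lists against the plan before anything is signed. The plan text is embedded as constructed input copied from the plan above; the function names are my own.

```bash
#!/bin/sh
# Added example, not part of the original post: derive /etc/hosts entries from the
# network plan and check the name lists used later against it.
# The plan is embedded here (copied from the network plan above) so the script runs offline.

NETWORK_PLAN='
vip.kamputer.online=192.168.1.100
master.kamputer.online=192.168.1.101
ubuntu.kamputer.online=192.168.1.102
centos.kamputer.online=192.168.1.103
node.kamputer.online=192.168.1.111
'

# plan_to_hosts PLAN: print one "ip fqdn shortname" line per plan entry, the
# format /etc/hosts expects. Blank lines and anything that is not "name=ip" are skipped.
plan_to_hosts() {
  printf '%s\n' "$1" | awk -F= 'NF == 2 {
      short = $1; sub(/\..*/, "", short)
      printf "%s %s %s\n", $2, $1, short
  }'
}

# plan_lookup PLAN NAME: print the IP planned for NAME; return 1 if it is not in the plan.
plan_lookup() {
  ip=$(printf '%s\n' "$1" | awk -F= -v n="$2" '$1 == n { print $2; exit }')
  [ -n "$ip" ] && printf '%s\n' "$ip"
}

# check_names PLAN "a,b,c": every comma-separated name must be in the plan.
# Prints the unknown names and returns 1 if there are any. Run it on ETCD_NODES
# and KUBERNETES_MASTERS before signing anything; it catches a misspelled domain
# that would otherwise go unnoticed until a TLS handshake fails.
check_names() {
  bad=""
  for name in $(printf '%s\n' "$2" | tr ',' ' '); do
    plan_lookup "$1" "$name" >/dev/null || bad="$bad $name"
  done
  if [ -n "$bad" ]; then
    printf 'unknown:%s\n' "$bad"
    return 1
  fi
  return 0
}

# install_hosts PLAN [FILE]: append the generated entries to FILE (default /etc/hosts),
# skipping names that are already present so the function can be re-run safely.
install_hosts() {
  file=${2:-/etc/hosts}
  plan_to_hosts "$1" | while read -r ip fqdn short; do
    grep -qF " $fqdn" "$file" 2>/dev/null || printf '%s %s %s\n' "$ip" "$fqdn" "$short" >> "$file"
  done
}

# Typical use on each VM, as root, once the variables above are set:
#   check_names "$NETWORK_PLAN" "$ETCD_NODES" && install_hosts "$NETWORK_PLAN"
```

check_names only validates spelling against the plan; it does not prove that the address is reachable, so it complements rather than replaces a ping or an ssh test.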

Download the software

Check the published SHA-256 of each tarball before unpacking it; the files below are fetched over plain HTTP or from a mirror, so the checksum is the only thing tying them to the upstream release.

  • repo
    CentOS uses a domestic mirror and needs the repo file
 wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  • haproxy
    CentOS ships haproxy, but it is 1.5, which is end of life. Ubuntu installs it with apt; the generic/ubuntu2004 box ships 2.0. Since it has to be installed anyway, both get the latest LTS.
    Pick a suitable version on the official site and download the source. I chose 2.4, whose end of life is 2026-Q2 (LTS); download it with the command below.
wget https://www.haproxy.org/download/2.4/src/haproxy-2.4.16.tar.gz
  • Kubernetes
wget https://storage.googleapis.com/kubernetes-release/release/v1.19.0/kubernetes-server-linux-amd64.tar.gz
  • etcd
    The etcd version must match the Kubernetes release
wget https://github.com/etcd-io/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz
  • cfssl
    The latest version is on cfssl's GitHub; I used v1.6.1. The binaries are downloaded without the execute bit, so set it afterwards.
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64" -O /usr/local/bin/cfssl
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64" -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson

Operating system installation

Download the boxes

Install Vagrant.
Download the box files locally. There is one file per provider:

              vmware                                  virtualbox
  centos7     883cf9e5-6e65-437c-acfa-fd1e7b3d9b8f    10b58d3b-00ae-4146-86d4-5b06e8aaa9c2
  ubuntu20.04 a3d12620-a14f-427f-b4c9-7e3d19ed47b4    fd8e3d47-f8d1-4db5-979e-d85294bb1563

Import the boxes

Run the following in the directory holding the box files (Windows path syntax as shown; use ./ elsewhere). The same name is added twice on purpose: each file records its provider, so both providers end up under one box name.

vagrant box add --name generic/ubuntu2004 .\a3d12620-a14f-427f-b4c9-7e3d19ed47b4
vagrant box add --name generic/ubuntu2004 .\fd8e3d47-f8d1-4db5-979e-d85294bb1563
vagrant box add --name generic/centos7 .\10b58d3b-00ae-4146-86d4-5b06e8aaa9c2
vagrant box add --name generic/centos7 .\883cf9e5-6e65-437c-acfa-fd1e7b3d9b8f

Starting a VM (single machine)

Initialise

Run one of the two in an empty directory (vagrant init refuses to overwrite an existing Vagrantfile):

vagrant init generic/centos7
vagrant init generic/ubuntu2004

Edit the configuration file

# Use a static IP
config.vm.network "public_network", ip: "192.168.1.101"
# Set CPU and memory
config.vm.provider "virtualbox" do |vb|
  # Customize the amount of memory on the VM:
  vb.memory = "4096"
  vb.cpus = 2
end

Start

vagrant up
# You will be prompted to pick the host NIC to bridge to

启动虚拟机(集群版)

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  config.vm.provision "shell", inline: "echo kubernetes"

  # Hostnames come from the network plan. Vagrant sets the guest hostname and adds it
  # to that guest's own /etc/hosts; the other nodes' names still have to resolve (DNS
  # or /etc/hosts) before the certificate steps below.
  config.vm.define "master" do |master|
    master.vm.provision "shell", inline: "echo master"
    master.vm.box = "generic/centos7"
    master.vm.hostname = "master.kamputer.online"
    master.vm.network "public_network", ip: "192.168.1.101"
    master.vm.provider "virtualbox" do |vb|
      vb.memory = "4096"
      vb.cpus = 2
    end
  end

  config.vm.define "ubuntu" do |ubuntu|
    ubuntu.vm.provision "shell", inline: "echo ubuntu"
    ubuntu.vm.box = "generic/ubuntu2004"
    ubuntu.vm.hostname = "ubuntu.kamputer.online"
    ubuntu.vm.network "public_network", ip: "192.168.1.102"
    ubuntu.vm.provider "virtualbox" do |vb|
      vb.memory = "4096"
      vb.cpus = 2
    end
  end

  config.vm.define "centos" do |centos|
    centos.vm.provision "shell", inline: "echo centos"
    centos.vm.box = "generic/centos7"
    centos.vm.hostname = "centos.kamputer.online"
    centos.vm.network "public_network", ip: "192.168.1.103"
    centos.vm.provider "virtualbox" do |vb|
      vb.memory = "4096"
      vb.cpus = 2
    end
  end

  config.vm.define "node" do |node|
    node.vm.provision "shell", inline: "echo node"
    node.vm.box = "generic/ubuntu2004"
    node.vm.hostname = "node.kamputer.online"
    node.vm.network "public_network", ip: "192.168.1.111"
    node.vm.provider "virtualbox" do |vb|
      vb.memory = "8192"
      vb.cpus = 2
    end
  end

end

vagrant up starts all the VMs together (VirtualBox cannot bring them up in parallel). Because they use public_network, each VM is bridged onto your LAN at the address from the plan, so those addresses must be free, and anything on the LAN can reach the VMs.
Later vagrant ssh commands need the VM name, for example vagrant ssh master.

Configure the operating system

vagrant ssh master

Keep a command history

The lines below go into the vagrant user's ~/.bashrc. Everything from the next section on needs root (sudo -i).

echo "HISTFILESIZE=99999" >> ~/.bashrc
echo "HISTSIZE=99999" >> ~/.bashrc
echo 'HISTTIMEFORMAT="%F %T "' >> ~/.bashrc
# Write each command to the history file immediately instead of at logout
echo 'PROMPT_COMMAND="history -a"' >> ~/.bashrc
exit

Allow remote login

These settings are for a throwaway lab only: the VMs sit on a bridged public_network, so a root account with password login is reachable by anyone on that LAN. The sed patterns match the directive whether or not it is commented out, because the stock files differ (CentOS 7 has "#PermitRootLogin yes", Ubuntu 20.04 has "#PermitRootLogin prohibit-password", which the plain "#PermitRootLogin yes" pattern would never hit).

# Allow the root account to log in
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
# Allow password login
sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
# Check that the file still parses, then apply it (Ubuntu aliases sshd.service to ssh.service)
sshd -t && systemctl restart sshd
# Set a root password
passwd
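The two sed lines above only hit the exact strings found in CentOS 7's sshd_config. As an added example (my code, not from the post), here is a small function that sets any sshd directive whether the stock file has it commented out, set to another value, or missing, applied to constructed excerpts of the CentOS and Ubuntu layouts; next to it is the safer variant that keeps password login off and gives root the key Vagrant already installed for the vagrant user. The function names and the sample configuration texts are mine.

```bash
#!/bin/sh
# Added example, not part of the original post. Sets sshd directives reliably on both
# distributions and shows the key-only alternative to root password login.

# Constructed excerpts of the stock files on the two boxes (only the lines that matter).
CENTOS7_SSHD='Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes'

UBUNTU2004_SSHD='Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication no
UsePAM yes'

# sshd_set FILE KEY VALUE: replace the directive KEY, commented or not, with "KEY VALUE";
# append it when the file has no such line. Written without sed -i so it behaves the
# same with GNU and BSD sed. Appending is only correct for files without Match blocks,
# which holds for the stock files. Note the Include line at the top of the Ubuntu file:
# sshd uses the first value it reads, so a drop-in under sshd_config.d wins over
# anything set here and must be checked too.
sshd_set() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_get FILE KEY: print the effective value of KEY in FILE (the first uncommented
# setting, which is what sshd uses) or "default" if none is set.
sshd_get() {
  awk -v k="$2" '$1 == k { print $2; found = 1; exit } END { if (!found) print "default" }' "$1"
}

# lab_open FILE: what the post does, root password login allowed (lab only).
lab_open() {
  sshd_set "$1" PermitRootLogin yes
  sshd_set "$1" PasswordAuthentication yes
}

# lab_keys_only FILE AUTHORIZED_KEYS ROOT_SSH_DIR: the safer variant. Root may log in
# with a key only, passwords stay off, and root reuses the key Vagrant already installed
# for the vagrant user (normally /home/vagrant/.ssh/authorized_keys copied into /root/.ssh).
lab_keys_only() {
  sshd_set "$1" PermitRootLogin prohibit-password
  sshd_set "$1" PasswordAuthentication no
  mkdir -p "$3" && chmod 700 "$3"
  cat "$2" >> "$3/authorized_keys" && chmod 600 "$3/authorized_keys"
}

# On a real box:
#   lab_keys_only /etc/ssh/sshd_config /home/vagrant/.ssh/authorized_keys /root/.ssh
#   sshd -t && systemctl restart sshd
```

With the key-only variant the scp loops later in the post still work, because they run as root with that key; only the passwd step becomes unnecessary.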

Configure package mirrors

CentOS

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo && \
yum clean all && \
yum makecache && \
yum update

Ubuntu

# Back up the original sources file
cp /etc/apt/sources.list{,.backup}
# Use the Tsinghua mirror (written straight to the target; the quoted heredoc keeps the text verbatim)
cat > /etc/apt/sources.list <<'EOF'
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-backports main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ focal-security main restricted universe multiverse
EOF
apt update && apt upgrade -y

Other settings

Set the time zone

timedatectl set-timezone 'Asia/Shanghai'

A more thorough treatment is at https://www.linuxprobe.com/linux-time.html

Time synchronisation

CentOS

Nothing to install (chrony is already present)

Ubuntu
apt install chrony -y

Raise resource limits

The meaning of these commands is explained in "ulimit and /etc/security/limits.conf explained". A soft limit may not exceed its hard limit (setrlimit rejects it), so both nofile values are set to the same number. On CentOS 7, /etc/security/limits.d/20-nproc.conf also sets nproc and, being read after limits.conf, overrides it; adjust or remove that file as well.

ulimit -SHn 65535 && \
echo '
* soft nofile 655360
* hard nofile 655360
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
'>>/etc/security/limits.conf
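Mistakes in limits.conf are easy to make and pam_limits does not complain about them: a misspelled type such as "seft" is simply ignored, and a soft value above the hard value is rejected by setrlimit, so the line has no effect. As an added example (my code, not from the post), here is a check that reads limits.conf-style text and reports both problems before the file is installed; the sample lines in the usage comment are constructed.

```bash
#!/bin/sh
# Added example, not part of the original post: lint limits.conf-style text before
# appending it to /etc/security/limits.conf. Reads the text on stdin, prints each
# problem it finds, and returns 1 if there was any.

check_limits() {
  awk '
    BEGIN { bad = 0 }
    /^[[:space:]]*(#|$)/ { next }                        # comments and blank lines
    NF != 4 { printf "line %d: expected 4 fields: %s\n", NR, $0; bad = 1; next }
    $2 != "soft" && $2 != "hard" && $2 != "-" {
      printf "line %d: unknown type %s (want soft, hard or -)\n", NR, $2; bad = 1; next
    }
    $4 != "unlimited" && $4 !~ /^[0-9]+$/ {
      printf "line %d: bad value %s\n", NR, $4; bad = 1; next
    }
    { val[$1, $3, $2] = $4 }                              # domain, item, type -> value
    END {
      # A soft limit must not exceed the hard limit for the same domain and item.
      for (k in val) {
        split(k, p, SUBSEP)
        if (p[3] != "soft") continue
        if (!((p[1], p[2], "hard") in val)) continue
        h = val[p[1], p[2], "hard"]
        if (val[k] == "unlimited" && h != "unlimited") {
          printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], val[k], h; bad = 1; continue
        }
        if (h == "unlimited" || val[k] == "unlimited") continue
        if (val[k] + 0 > h + 0) {
          printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], val[k], h; bad = 1
        }
      }
      exit bad
    }'
}

# Usage: pipe the text you are about to append through the check, e.g. (constructed lines)
#   printf '%s\n' '* soft nofile 655360' '* hard nofile 131072' | check_limits
# prints "* nofile: soft 655360 exceeds hard 131072" and returns 1.
```

The check covers the file you write; the limits that actually apply to a session are the result of limits.conf plus every file in limits.d, so confirm them with ulimit -a after logging in again.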

haproxy & keepalived

Issuing certificates

Install the tools

etcd certificates

With "expiry": "8760h" both the CA and the leaf certificates expire one year after signing; note the date, because etcd stops working at that point and nothing warns you before.

mkdir -p /etc/etcd/ssl

# Create the CA root certificate
echo '
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "Etcd Security"
    }
  ],
  "ca": {
    "expiry": "8760h"
  }
}'>etcd-ca-csr.json
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/etcd/ssl/etcd-ca

# CA signing configuration
echo '
 {
   "signing": {
     "default": {
       "expiry": "8760h"
     },
     "profiles": {
       "kubernetes": {
         "usages": [
             "signing",
             "key encipherment",
             "server auth",
             "client auth"
         ],
         "expiry": "8760h"
       }
     }
   }
 }
 '>ca-config.json

# CSR for the etcd server/peer certificate (its own file, not the CA's CSR)
echo '{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "Etcd Security"
    }
  ]
}'>etcd-csr.json

# The SAN list must contain every name or IP that later appears in the etcd URLs
# (peer, client and 127.0.0.1). Anything missing here fails TLS verification when
# the members try to talk to each other; if the URLs use IPs, add the IPs too.
cfssl gencert \
   -ca=/etc/etcd/ssl/etcd-ca.pem \
   -ca-key=/etc/etcd/ssl/etcd-ca-key.pem \
   -config=ca-config.json \
   -hostname=127.0.0.1,$ETCD_NODES \
   -profile=kubernetes \
   etcd-csr.json | cfssljson -bare /etc/etcd/ssl/etcd

# On the other nodes: copy the certificates. etcd only needs the CA certificate plus its
# own certificate and key; the CA private key stays on the initialisation node, where
# all signing happens, so it is not copied.
mkdir -p /etc/etcd/ssl
for FILE in etcd-ca.pem etcd-key.pem etcd.pem; do
   scp $INITER_ADDRESS:/etc/etcd/ssl/${FILE} /etc/etcd/ssl/${FILE}
done

Verification

Inspect the CA certificate with:

 openssl x509 -noout -text -in /etc/etcd/ssl/etcd-ca.pem

The output is shown below. Issuer and Subject are identical (the certificate is self-signed) and match the request; Basic Constraints shows CA:TRUE and Key Usage shows Certificate Sign, which is what makes it usable as a CA.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:76:b1:68:b9:66:37:57:46:16:d3:07:df:3e:9b:6d:f0:02:33:f1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Shanghai, L=Shanghai, O=etcd, OU=Etcd Security, CN=etcd
        Validity
            Not Before: May 14 07:14:00 2022 GMT
            Not After : May 14 07:14:00 2023 GMT
        Subject: C=CN, ST=Shanghai, L=Shanghai, O=etcd, OU=Etcd Security, CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:8b:f9:d1:a8:68:ad:f3:ed:c3:57:db:0c:aa:
                    37:04:81:a0:18:6a:fb:f9:f4:8e:24:b9:1d:b4:f6:
                    50:56:47:c8:c6:3e:8c:be:16:9b:fa:bf:2a:29:c3:
                    14:ca:e5:0d:9b:23:28:08:ca:de:47:b7:67:d6:ab:
                    3e:56:5e:25:82:bc:02:87:13:55:47:c8:a8:53:23:
                    af:ff:82:a1:98:80:bc:e8:3f:0c:f1:83:c5:d6:ac:
                    27:a3:40:5d:d0:be:2f:71:cb:a8:e7:2b:ec:70:45:
                    9c:fa:c7:13:9d:7a:41:f2:5a:35:a5:3e:84:2a:73:
                    0e:8e:5c:3d:88:13:46:55:3f:dd:1b:1b:a9:97:68:
                    5d:d0:84:bf:d1:fd:8b:e5:c6:d9:a2:96:3f:7b:4f:
                    86:b8:b1:e2:7f:fd:f5:8f:03:8f:25:14:39:d1:51:
                    82:94:d9:4e:f7:f8:a9:2d:34:1d:91:90:1e:f9:2e:
                    77:14:da:0a:f4:55:d4:99:b1:a7:bd:9b:eb:fa:94:
                    55:56:d8:ec:b1:50:48:1c:fc:45:65:ce:28:17:69:
                    6e:bf:ca:c3:d9:69:35:da:ea:3a:50:e0:5e:8b:1b:
                    8f:d7:a5:97:93:25:b3:1d:20:55:44:da:b6:3f:91:
                    a9:6a:6f:31:3b:2c:7a:95:42:c6:24:98:6a:79:88:
                    9a:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                B9:D9:F5:9C:95:AA:CB:F6:A1:E4:C3:61:DA:74:3D:36:A2:61:57:10
    Signature Algorithm: sha256WithRSAEncryption
         35:c0:57:37:48:23:78:92:e3:c5:22:07:3f:0b:02:33:03:29:
         e0:1a:8a:c4:b1:ac:69:da:70:39:09:9f:80:d0:c4:6f:78:36:
         96:c6:37:5f:a1:8c:8c:0e:0e:61:d5:ad:44:fb:33:84:98:1e:
         84:d3:db:9b:a0:28:28:78:64:9d:53:9a:04:a7:23:52:6f:dd:
         90:ab:fd:e0:5c:4b:56:1d:95:09:4d:af:f8:b7:fc:5b:75:ef:
         d5:ba:40:51:92:23:e5:df:6e:ae:fe:93:46:75:54:53:a5:b4:
         01:a7:55:cf:e5:3f:b6:84:b6:c9:14:41:21:fc:25:d4:8b:7f:
         04:d6:d1:74:04:d2:d6:b5:a3:c7:f8:e7:93:eb:1b:82:d1:8d:
         44:06:e6:9b:7b:20:63:36:8a:9d:03:41:c6:ff:37:a9:e0:ab:
         53:75:e6:ce:f0:91:54:e7:ae:90:fe:13:40:48:39:00:df:b9:
         e8:c8:0d:5a:0d:f7:b2:35:8f:3c:1f:a3:fc:00:e2:07:a1:4e:
         4f:e0:5f:0b:21:6e:15:3b:4f:aa:b4:0f:48:73:93:7b:69:b6:
         2e:fd:a4:75:1d:dc:97:47:9c:3b:94:a6:68:af:30:6a:73:90:
         f1:ae:b3:77:93:1d:d8:8b:42:90:2c:21:35:85:a0:db:e0:8b:
         25:15:e4:00

Kubernetes certificates

mkdir -p /etc/kubernetes/pki

# Generate the CA certificate
echo '{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "Kubernetes",
      "OU": "Kubernetes-manual"
    }
  ],
  "ca": {
    "expiry": "8760h"
  }
}
'>ca-csr.json
cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca

# CA signing configuration
echo '{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
'>ca-config.json

# Issue the apiserver certificate. The CSR is piped in and cfssl is given "-" as the
# CSR argument so that it reads stdin instead of a file. The SAN list must contain every
# address a client may use to reach the apiserver: the ClusterIP, the VIP (name and IP),
# loopback, every master and the in-cluster service names. Keep the whole -hostname
# value on one line: whitespace after a line continuation splits it into a second
# argument and silently drops the names that follow.
echo '{
  "CN": "kube-apiserver",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "Kubernetes",
      "OU": "Kubernetes-manual"
    }
  ]
}'|cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-hostname=$SERVICE_ADDRESS,$VIP_ADDRESS,127.0.0.1,$KUBERNETES_MASTERS,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local \
-profile=kubernetes - | cfssljson -bare /etc/kubernetes/pki/apiserver

# Issue the admin certificate. O=system:masters makes the holder a member of a group
# that bypasses RBAC entirely, and the apiserver cannot revoke client certificates, so
# admin-key.pem is a cluster root credential until it expires: keep it off the nodes.
echo '{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:masters",
      "OU": "Kubernetes-manual"
    }
  ]
}'|cfssl gencert \
   -ca=/etc/kubernetes/pki/ca.pem \
   -ca-key=/etc/kubernetes/pki/ca-key.pem \
   -config=ca-config.json \
   -profile=kubernetes - | cfssljson -bare /etc/kubernetes/pki/admin

# Client certificates for kube-proxy, kube-controller-manager and kube-scheduler.
# Each component authenticates as the user system:<component>, which the default
# RBAC bindings expect. The CSR must be real JSON (double-quoted keys), so it is
# written with an unquoted heredoc that still expands $module. Do not put "apiserver"
# in this list: cfssljson -bare /etc/kubernetes/pki/apiserver would overwrite the
# server certificate issued above with a client certificate that has no SANs.
for module in kube-proxy kube-controller-manager kube-scheduler
do
cat > $module-csr.json <<EOF
{
  "CN": "system:$module",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:$module",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF
cfssl gencert \
   -ca=/etc/kubernetes/pki/ca.pem \
   -ca-key=/etc/kubernetes/pki/ca-key.pem \
   -config=ca-config.json \
   -profile=kubernetes \
   $module-csr.json | cfssljson -bare /etc/kubernetes/pki/$module
done

AllInOne

centos
