目标任务:
1、Kubernetes集群部署架构规划
2、部署Etcd数据库集群
3、在Node节点安装Docker
4、部署Flannel网络插件
5、在Master节点部署组件(api-server,schduler,controller-manager)
6、在Node节点部署组件(kubelet,kube-proxy)
7、查看集群状态
8、运行⼀个测试示例
9、部署Dashboard(Web UI) 可选
准备环境
三台机器,所有机器相互做解析 centos7.6
关闭防⽕墙和selinux
关闭交换空间
临时关闭:swapoff -a
永久关闭:
vi /etc/fstab
找到如下内容:注释或删除
#/dev/sdX none swap sw 0 0
192.168.145.11 master1
kube-apiserver,kube-controller-manager,kube-scheduler,etcd
192.168.145.12 node1
kubelet,kube-proxy,docker,flannel,etcd
192.168.145.13 node2
kubelet,kube-proxy,docker,flannel
三台机器都做域名解析
$ vim /etc/hosts
192.168.145.11 master1
192.168.145.12 node1
192.168.145.13 node2
通过ping做连通测试
部署Etcd集群
上面三台服务器已经搭建完成,但是彼此是独立的,没有互联。接下来,要把三台服务器关联起来,按照我们设计的,一台做master,两台做node。首先把etcd数据库部署在三台服务器上,他们彼此之间需要通信通过https协议,所以需要安装证书。
生成cfssl证书
下载cfssl⼯具:下载的这些是可执行的二进制命令直接用就可以了
[root@master1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@master1 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@master1 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@master1 ~]# ls
cfssl-certinfo_linux-amd64 cfssljson_linux-amd64 cfssl_linux-amd64
[root@master1 ~]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
放在usr/local/bin下面,方便直接使用命令
[root@master1 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@master1 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@master1 ~]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
生成Etcd证书:
创建以下三个文件:
[root@master1 ~]# mkdir cert
[root@master1 ~]# cd cert/
[root@master1 cert]# vim ca-config.json #生成ca中⼼的
[root@master1 cert]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@master1 cert]# vim ca-csr.json #生成ca中⼼的证书请求文件
[root@master1 cert]# cat ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
[root@master1 cert]# vim server-csr.json #生成服务器的证书(向ca发送请求)请求文件
[root@master1 cert]# cat server-csr.json
{
"CN": "etcd",
"hosts": [
"192.168.145.11",
"192.168.145.12",
"192.168.145.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
生成ca认证证书:
[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
通过认证文件去签发证书
[root@master1 cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@master1 cert]# ls *pem
ca-key.pem ca.pem server-key.pem server.pem
server.pem 要用的证书
server-key.pem 要用的私钥
安装Etcd:
二进制包下载地址:
https://github.com/coreos/etcd/releases/tag/v3.2.12
以下部署步骤在规划的三个etcd节点操作⼀样,唯⼀不同的是etcd配置文件中的服务器IP要写当前的:
解压二进制包:
以下步骤三台机器都操作:
源码安装etcd:
# wget https://github.com/etcd-io/etcd/releases/download/v3.2.12/etcd-v3.2.12-linux-amd64.tar.gz
// bin目录执行文件 cfg存启动命令 ssl存证书,刚才生成的cert/ .pem证书
# mkdir /opt/etcd/{bin,cfg,ssl} -p
# tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
# mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
编写etcd配置文件:
三台都操作
创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01" #节点名称,各个节点不能相同
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.246.162:2380" #写每个节点自己的ip
ETCD_LISTEN_CLIENT_URLS="https://192.168.246.162:2379" #写每个节点自己的ip
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.246.162:2380" #写每个节点的ip
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.246.162:2379" #写每个节点的ip
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.246.162:2380,etcd02=https://
192.168.246.164:2380,etcd03=https://192.168.246.165:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
具体如下:
master:创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.145.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.145.11:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.145.11:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.145.11:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.145.11:2380,etcd02=https://192.168.145.12:2380,etcd03=https://192.168.145.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
node1:创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.145.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.145.12:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.145.12:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.145.12:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.145.11:2380,etcd02=https://192.168.145.12:2380,etcd03=https://192.168.145.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
node2:创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.145.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.145.12:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.145.12:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.145.12:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.145.11:2380,etcd02=https://192.168.145.12:2380,etcd03=https://192.168.145.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
node3:创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.145.13:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.145.13:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.145.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.145.13:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.145.11:2380,etcd02=https://192.168.145.12:2380,etcd03=https://192.168.145.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
参数解释:
* ETCD_NAME 节点名称,每个节点名称不⼀样
* ETCD_DATA_DIR 存储数据⽬录(他是⼀个数据库,不是存在内存的,存在硬盘中的,所有和k8s
有关的信息都会存到etcd⾥面的)
* ETCD_LISTEN_PEER_URLS 集群通信监听地址
* ETCD_LISTEN_CLIENT_URLS 客户端访问监听地址
* ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址
* ETCD_ADVERTISE_CLIENT_URLS 客户端通告地址
* ETCD_INITIAL_CLUSTER 集群节点地址
* ETCD_INITIAL_CLUSTER_TOKEN 集群Token
* ETCD_INITIAL_CLUSTER_STATE 加⼊集群的当前状态,new是新集群,existing表示加⼊已有集群
配置systemd管理etcd:
因为etcd是通过二进制安装的,不能直接通过systemctl操作
需要编写定义和管理 etcd 服务的启动、停止和其他操作
# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
把/usr/lib/systemd/system/etcd.service通过master传给其他两台机器
master下操作:
如果多重执行了 就无需传递了
# scp /usr/lib/systemd/system/etcd.service node1:/usr/lib/systemd/system/
# scp /usr/lib/systemd/system/etcd.service node2:/usr/lib/systemd/system/
传输证书:
把刚才生成的证书拷贝到配置文件中的位置:(将master上面生成的证书scp到剩余两台机器上面)
# cd /root/cert/
# cp ca*pem server*pem /opt/etcd/ssl
直接拷贝到剩余两台etcd机器:
[root@master1 cert]# scp ca*pem server*pem node1:/opt/etcd/ssl
[root@master1 cert]# scp ca*pem server*pem node2:/opt/etcd/ssl
全部启动并设置开启启动
全部启动并设置开启启动:
# systemctl daemon-reload
# systemctl start etcd
# systemctl enable etcd
检查etcd的状态
都部署完成后,三台机器都检查etcd集群状态:
# /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.145.11:2379,https://192.168.145.12:2379,https://192.168.145.13:2379" cluster-health
若出现如下结果,说明健康,成功:
member 7bf5e8410987571e is healthy: got healthy result from https://192.168.145.13:2379
member b9b1e4107f37b0bc is healthy: got healthy result from https://192.168.145.12:2379
member b9e4274e43b72901 is healthy: got healthy result from https://192.168.145.11:2379
cluster is healthy
在Node节点安装Docker
在Node节点安装Docker
若之前安装过,先卸载
# yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
# step 1: 安装必要的一些系统工具
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: 添加软件源信息
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3
sudo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Step 4: 更新并安装Docker-CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: 开启Docker服务
sudo service docker start
部署Flannel网络插件
Flannel网络插件在 Kubernetes 中主要用于提供 Pod 之间的网络连接、管理 IP 地址、实施网络策略和增强网络安全
Flannel要用etcd存储自身⼀个⼦网信息,所以要保证能成功连接Etcd,写⼊预定义⼦网段:
在node节点部署,如果没有在master部署应用,那就不要在master部署flannel,他是用来给所有
的容器用来通信的。
[root@master1 ~]# scp -r /root/cert/ node1:/root/ #将生成的证书copy到剩下的机器上面
[root@master1 ~]# scp -r /root/cert/ node2:/root/
[root@master1 ~]# cd cert
使用 etcdctl 命令用于设置 flannel 的网络配置在 etcd 中
# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.145.11:2379,https://192.168.145.12:2379,https://192.168.145.13:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": { "Type": "vxlan" } }'
下载Flannel插件安装包
注:以下部署步骤在规划的每个node节点都操作。
下载二进制包:
# wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
# mkdir -pv /opt/kubernetes/bin
# mv flanneld mk-docker-opts.sh /opt/kubernetes/bin
配置Flannel:
每个node节点中操作
配置Flannel:
# mkdir -p /opt/kubernetes/cfg/
# vim /opt/kubernetes/cfg/flanneld
# cat /opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.145.11:2379,https://192.168.145.12:2379,https://192.168.145.13:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"
配置systemctl启动Flannel
每个node中操作:
systemd管理Flannel:
# vim /usr/lib/systemd/system/flanneld.service
# cat /usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
配置Docker的启动项
每个node操作
配置Docker启动指定⼦网段:可以将源文件直接覆盖掉
# vim /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
重启flannel和docker:
重启flannel和docker:
# systemctl daemon-reload
# systemctl start flanneld
# systemctl enable flanneld etcd docker
# systemctl restart docker
测试:
node1 :
$ ip -a
找到docker的地址,去node2 ping
node2 :
$ ip -a
找到docker 地址 去node1 ping
在Master节点部署组件
在部署Kubernetes之前⼀定要确保etcd、flannel、docker是正常工作的,否则先解决问题再继续。
检查etcd
# /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.145.11:2379,https://192.168.145.12:2379,https://192.168.145.13:2379" cluster-health
生成证书
master节点操作–给api-server创建的证书。
别的服务访问api-server的时候需要通过证书认证
[root@master11 ~]# mkdir -p /opt/crt/
[root@master11 ~]# cd /opt/crt/
# vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
# vim ca-csr.json 定义生产签名所需要的信息参数
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
生产ca证书和私钥
[root@master11 crt]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
生成apiserver证书:
[root@master11 crt]# vim server-csr.json
# cat server-csr.json
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1", //这是后⾯dns要使用的虚拟网络的网关,不用改,就用这个切忌
"127.0.0.1",
"192.168.145.11", // master的IP地址。
"192.168.145.12",
"192.168.145.13",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
[root@master11 crt]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
生成kube-proxy证书:
生成kube-proxy证书:
[root@master11 crt]# vim kube-proxy-csr.json
# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
[root@master11 crt]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
最终生成以下证书文件:
[root@master crt]# ls *.pem
ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem server-key.pem server.pem
部署apiserver组件
在master节点进行
下载二进制包:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md
下载这个包(kubernetes-server-linux-amd64.tar.gz)就够了,包含了所需的所有组件。
# wget https://dl.k8s.io/v1.11.10/kubernetes-server-linux-amd64.tar.gz
# mkdir /opt/kubernetes/{bin,cfg,ssl} -pv
# tar zxvf kubernetes-server-linux-amd64.tar.gz
# cd kubernetes/server/bin
# cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin
因为在本机生成的证书 直接拷贝即可
# cp /opt/crt/*.pem /opt/kubernetes/ssl/
或者:
如下操作:
[root@master11 bin]# cd /opt/crt/
# cp server.pem server-key.pem ca.pem ca-key.pem /opt/kubernetes/ssl/
创建token文件:
[root@master11 crt]# cd /opt/kubernetes/cfg/
# vim token.csv
# cat /opt/kubernetes/cfg/token.csv
674c457d4dcf2eefe4920d7dbb6b0ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
第⼀列:随机字符串,自⼰可生成
第二列:用户名
第三列:UID
第四列:用户组
创建apiserver配置文件:
[root@master11 cfg]# pwd
/opt/kubernetes/cfg
[root@master11 cfg]# vim kube-apiserver
如下内容:一定不要有多余空格换行等
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.145.11:2379,https://192.168.145.12:2379,https://192.168.145.13:2379 \
--bind-address=192.168.145.11 \#master的ip地址,就是安装api-server的机器地址
--secure-port=6443 \
--advertise-address=192.168.145.11 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \ #这里就用这个网段切记不要修改
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
配置好前面生成的证书,确保能连接etcd。
参数说明:
参数说明:
* --logtostderr 启用⽇志
* --v ⽇志等级
* --etcd-servers etcd集群地址
* --bind-address 监听地址
* --secure-port https安全端⼝
* --advertise-address 集群通告地址
* --allow-privileged 启用授权
* --service-cluster-ip-range Service虚拟IP地址段
* --enable-admission-plugins 准⼊控制模块
* --authorization-mode 认证授权,启用RBAC授权和节点自管理
* --enable-bootstrap-token-auth 启用TLS bootstrap功能,后面会讲到
* --token-auth-file token文件
* --service-node-port-range Service Node类型默认分配端⼝范围
systemd管理apiserver:
[root@master11 cfg]# cd /usr/lib/systemd/system
# vim kube-apiserver.service
# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动:
# systemctl daemon-reload
# systemctl enable kube-apiserver
# systemctl start kube-apiserver
# systemctl status kube-apiserver
部署schduler组件—master节点
调度器的配置
创建schduler配置文件:
[root@master11 cfg]# vim /opt/kubernetes/cfg/kube-scheduler
# cat /opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect"
参数说明:
* --master 连接本地apiserver
* --leader-elect 当该组件启动多个时,自动选举(HA)
systemd管理schduler组件:
[root@master11 cfg]# cd /usr/lib/systemd/system/
# vim kube-scheduler.service
# cat /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动
启动:
# systemctl daemon-reload
# systemctl enable kube-scheduler
# systemctl start kube-scheduler
# systemctl status kube-scheduler
部署controller-manager组件–控制管理组件
master节点操作:创建controller-manager配置文件:
[root@master11 ~]# cd /opt/kubernetes/cfg/
[root@master11 cfg]# vim kube-controller-manager
# cat /opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \ //这是后⾯dns要使用的虚拟网络,不用改,就用这个 切忌
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
systemd管理controller-manager组件:
[root@master11 cfg]# cd /usr/lib/systemd/system/
[root@master11 system]# vim kube-controller-manager.service
# cat /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动:
启动:
# systemctl daemon-reload
# systemctl enable kube-controller-manager
# systemctl start kube-controller-manager
# systemctl status kube-controller-manager.service
所有组件都已经启动成功,通过kubectl⼯具查看当前集群组件状态:
[root@master system]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-1 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
如上输出说明组件都正常。
配置Master负载均衡
所谓的Master HA,其实就是APIServer的HA,Master的其他组件controller-manager、sch
eduler都是可以通过etcd做选举(–leader-elect),⽽APIServer设计的就是可扩展性,所
以做到APIServer很容易,只要前面加⼀个负载均衡轮询转发请求即可。
在私有云平台添加⼀个内网四层LB,不对外提供服务,只做apiserver负载均衡,配置如下:
其他公有云LB配置大同⼩异,只要理解了数据流程就好配置了。
在Node节点部署组件
Master apiserver启用TLS认证后,Node节点kubelet组件想要加⼊集群,必须使用CA签发的有效证书才能与apiserver通信,当Node节点很多时,签署证书是⼀件很繁琐的事情,因此有了TLS Bootstrapping机制,kubelet会以⼀个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。
认证大致工作流程如图所示:
----------------------下面这些操作在master节点完成:-------------------------
将kubelet-bootstrap用户绑定到系统集群⻆⾊
clusterrolebinding 集群角色绑定规则
[root@master system]# ln -s /opt/kubernetes/bin/kubectl /usr/bin/kubectl
[root@master11 ~]# /opt/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
创建kubeconfig文件:
kubeconfig 文件是 Kubernetes 中用于配置和访问集群的配置文件。
它存储了与 Kubernetes API 服务器交互所需信息,包括集群的地址、认证信息、用户凭证以及当前使用的上下文。
在生成kubernetes证书的⽬录下执行以下命令生成kubeconfig文件:
[root@master11 ~]# cd /opt/crt/
指定apiserver 内网负载均衡地址
[root@master11 crt]# KUBE_APISERVER="https://192.168.145.11:6443" #写你master的ip地址,集群中就写负载均衡的ip地址
[root@master11 crt]# BOOTSTRAP_TOKEN=674c457d4dcf2eefe4920d7dbb6b0ddc
# 设置集群参数
[root@master11 crt]# /opt/kubernetes/bin/kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
[root@master1 crt]# /opt/kubernetes/bin/kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
[root@master1 crt]# /opt/kubernetes/bin/kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
[root@master1 crt]# /opt/kubernetes/bin/kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# 创建kube-proxy kubeconfig文件
[root@master11 crt]# /opt/kubernetes/bin/kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kube-proxy.kubeconfig
[root@master11 crt]# /opt/kubernetes/bin/kubectl config set-credentials kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
[root@master11 crt]# /opt/kubernetes/bin/kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig
[root@master11 crt]# /opt/kubernetes/bin/kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
[root@master11 crt]# ls *.kubeconfig
bootstrap.kubeconfig kube-proxy.kubeconfig
#必看:将这两个文件拷贝到Node节点/opt/kubernetes/cfg⽬录下。
[root@master11 crt]# scp *.kubeconfig node1:/opt/kubernetes/cfg/
[root@master11 crt]# scp *.kubeconfig node2:/opt/kubernetes/cfg/
部署kubelet组件
部署kubelet组件
#将前面下载的二进制包中的kubelet和kube-proxy拷贝到/opt/kubernetes/bin⽬录下。
将master上面的包拷贝过去
[root@master ~]# cd /root/kubernetes/server/bin/
[root@master bin]# scp kubelet kube-proxy node1:/opt/kubernetes/bin/
[root@master bin]# scp kubelet kube-proxy node2:/opt/kubernetes/bin/
----------------------下面这些操作在node节点完成:---------------------------
在两个node节点创建kubelet配置文件:
[root@node1 ~]# vim /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.145.12 \ #每个节点自⼰的ip地址
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0" #这个镜像需要提前下载
下载镜像:
[root@node1 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
[root@node2 ~]# docker pull registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
参数说明:
* --hostname-override 在集群中显示的主机名
* --kubeconfig 指定kubeconfig文件位置,会自动生成
* --bootstrap-kubeconfig 指定刚才生成的bootstrap.kubeconfig文件
* --cert-dir 颁发证书存放位置
* --pod-infra-container-image 管理Pod网络的镜像
kubelet.config配置(node1和node2都要做)
其中/opt/kubernetes/cfg/kubelet.config配置文件如下:
[root@node1 ~]# vim /opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.145.12 #写你机器的ip地址
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS: ["10.0.0.2"] #不要改,就是这个ip地址
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
webhook:
enabled: false
systemd管理kubelet组件:
systemd管理kubelet组件:
# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
启动kubelet:
启动:
# systemctl daemon-reload
# systemctl enable kubelet
# systemctl start kubelet
node2和上面的操作一样,注意修改对应该的ip
查看申请加入集群的节点:
查看申请加入集群的节点:
[root@master bin]# /opt/kubernetes/bin/kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-3Qm5ndW4_aKjhhWSKhLhSfGw_tq04C6pkTG0gEDLpJ0 11s kubelet-bootstrap Pending
node-csr-ldXf2ozPyVVGz8Hs5ND8njKmbQ7kFO5nvVitVPgAKIA 7m kubelet-bootstrap Pending
master审批通过允许加入集群
在Master审批Node加⼊集群:
启动后还没加⼊到集群中,需要手动允许该节点才可以。在Master节点查看请求签名的Node:
[root@master11 ~]# /opt/kubernetes/bin/kubectl certificate approve XXXXID
注意:xxxid 指的是上面的NAME这⼀列
再次检查证书签名状态
[root@master bin]# /opt/kubernetes/bin/kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-3Qm5ndW4_aKjhhWSKhLhSfGw_tq04C6pkTG0gEDLpJ0 3m kubelet-bootstrap Approved,Issued
node-csr-ldXf2ozPyVVGz8Hs5ND8njKmbQ7kFO5nvVitVPgAKIA 10m kubelet-bootstrap Approved,Issued
输出中可以看到,两个证书签名请求(CSR)的状态都已经变为 Approved,Issued。这意味着这些 CSR 不仅已经被批准,而且相应的证书也已经被签发并可以供节点使用。
现在,可以检查相应的节点是否已经成功加入到 Kubernetes 集群中,并且状态是否为 Ready。使用以下命令来查看集群中的节点状态:
查看集群节点信息:
[root@master bin]# /opt/kubernetes/bin/kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.145.12 Ready <none> 3m v1.11.10
192.168.145.13 Ready <none> 3m v1.11.10
部署kube-proxy组件
在所有node节点进行
创建kube-proxy配置文件
创建kube-proxy配置文件:还是在所有node节点
[root@node1 ~]# vim /opt/kubernetes/cfg/kube-proxy
# cat /opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.145.12 \ #写每个node节点ip
--cluster-cidr=10.0.0.0/24 \ //不要改,就是这个ip
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
systemd管理kube-proxy组件:
systemd管理kube-proxy组件:
[root@node1 ~]# cd /usr/lib/systemd/system
# vim /usr/lib/systemd/system/kube-proxy.service
# cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动
启动:
# systemctl daemon-reload
# systemctl enable kube-proxy
# systemctl start kube-proxy
在master查看集群状态
[root@master11 ~]# /opt/kubernetes/bin/kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.145.12 Ready <none> 5h v1.11.10
192.168.145.13 Ready <none> 5h v1.11.10
查看集群组件的状态
[root@master11 ~]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-1 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
扫一扫
779
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
