I. Environment and packages
Continues from the previous post: Kubernetes cluster binary deployment (1): deploying the Etcd database cluster and building the flannel network
Node planning

| Server | IP | Installed software |
|---|---|---|
| Master01 | 192.168.11.11 | kube-apiserver, kube-controller-manager, kube-scheduler, etcd |
| Master02 | 192.168.11.12 | kube-apiserver, kube-controller-manager, kube-scheduler |
| Load balancer LB01 | 192.168.11.13 | nginx, keepalived |
| Load balancer LB02 | 192.168.11.14 | nginx, keepalived |
| Node01 | 192.168.11.16 | kubelet, kube-proxy, docker, flannel, etcd |
| Node02 | 192.168.11.17 | kubelet, kube-proxy, docker, flannel, etcd |
II. Deploying the master components
The master node exposes the API to users and clients, tracks the health of the cluster nodes, schedules workloads, and orchestrates communication between the other components.
Main master components:
① kube-apiserver
② kube-controller-manager
③ kube-scheduler
Write the configuration file ——> register the component with systemctl ——> start it
All of the following master component deployment steps are performed on the master node.
1. api-server
1) Generating certificates for api-server
# Copy the script archive into the k8s directory and unpack it (the scripts were written beforehand)
[root@master k8s]# unzip master.zip
Unpacking yields three scripts that are used later. Note: all three scripts must have execute permission.
① Create the /opt/kubernetes/ working directory (cfg for configuration files, bin for binaries, ssl for certificates)
[root@master k8s]# mkdir -p /opt/kubernetes/{cfg,ssl,bin}
② Create the api-server certificates
# Create the k8s certificate directory
[root@master k8s]# mkdir k8s-cert
[root@master k8s]# cd k8s-cert/
# Write the certificate generation script
[root@master k8s-cert]# vim k8s-cert.sh
# Configuration file for the CA: 87600h = 10 years; the "kubernetes" profile signs certificates usable for both server and client auth
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
# CA signing request; ca-key.pem produced below is the root of trust for the whole cluster
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# Generate the apiserver server certificate
# Note: the master02 and load balancer IPs are included now for the multi-master cluster deployed later.
# hosts: 192.168.11.11 master01, 192.168.11.12 master02, 192.168.11.100 VIP,
#        192.168.11.13 load balancer (master), 192.168.11.14 load balancer (backup)
# JSON does not allow '#' comments, so the notes stay out of the heredoc or cfssl will refuse to parse the file.
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.11.11",
"192.168.11.12",
"192.168.11.100",
"192.168.11.13",
"192.168.11.14",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# Generate the cluster administrator certificate
# O=system:masters: RBAC binds this group to cluster-admin, so this certificate has full cluster access
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
# Generate the kube-proxy client certificate (CN system:kube-proxy is the user name kube-proxy authenticates as)
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Run the script
[root@master k8s-cert]# bash k8s-cert.sh
This produces 8 certificate files in total: a certificate and a key (2 files) each for the CA, the server, the administrator and the kube-proxy client.
# Copy the CA and server certificates into the ssl certificate directory
[root@master k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
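A pre-flight check for the CSR JSON files the script writes, added here as an example and not part of the original post: it catches the two mistakes that bite this setup later (a '#' note left inside the JSON, which cfssl rejects, and a server SAN list that omits master02, the VIP or a load balancer, which makes those endpoints fail TLS verification) and flags an O=system:masters on anything but the admin cert. It assumes it is handed the contents of the *-csr.json files in k8s-cert/; the required host list is taken from the node plan above.

```python
"""Sanity checks on the cfssl CSR JSON files written by k8s-cert.sh (added example,
not from the post). Assumes it is fed the contents of the *-csr.json files."""
import json
import ipaddress

# Every address and name the apiserver is reached on, per the node plan above.
REQUIRED_SERVER_HOSTS = {
    "10.0.0.1", "127.0.0.1",            # cluster service IP, loopback
    "192.168.11.11", "192.168.11.12",   # master01, master02
    "192.168.11.100",                   # VIP
    "192.168.11.13", "192.168.11.14",   # LB01, LB02
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local",
}

def check_csr(name, text):
    """Return a list of problems in one CSR document; an empty list means OK."""
    try:
        csr = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = " (a shell-style '#' comment inside the heredoc?)" if "#" in text else ""
        return [f"{name}: invalid JSON{hint}: {exc}"]
    problems = []
    key = csr.get("key", {})
    if key.get("algo") != "rsa" or int(key.get("size", 0)) < 2048:
        problems.append(f"{name}: key must be RSA with size >= 2048")
    hosts = csr.get("hosts", [])
    for host in hosts:
        try:
            ipaddress.ip_address(host)  # IP SAN
        except ValueError:  # otherwise it must look like a DNS name
            if not host.replace(".", "").replace("-", "").isalnum():
                problems.append(f"{name}: malformed host entry {host!r}")
    if name == "server":
        missing = REQUIRED_SERVER_HOSTS - set(hosts)
        if missing:
            problems.append(f"server: SAN list is missing {sorted(missing)}")
    org = (csr.get("names") or [{}])[0].get("O")
    if name == "admin" and org != "system:masters":
        problems.append("admin: O must be system:masters so RBAC grants cluster-admin")
    if name != "admin" and org == "system:masters":
        problems.append(f"{name}: O=system:masters would grant this cert cluster-admin")
    if name == "kube-proxy" and csr.get("CN") != "system:kube-proxy":
        problems.append("kube-proxy: CN must be system:kube-proxy for the node-proxier binding")
    return problems

# Constructed sample: the server CSR with a '#' note left inside the JSON.
BAD_SERVER_CSR = '{"CN": "kubernetes", "hosts": ["10.0.0.1", #master01\n"127.0.0.1"]}'
```

Call it as `check_csr("server", open("server-csr.json").read())` for each of server, admin and kube-proxy; an empty list means the file is safe to hand to cfssl.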