前言:集百家之言......
环境规划:
操作系统:centos7.3
Kubernetes :1.10.7
Docker: 18.06.0-ce
Etcd: 3.0
CPU 1核+ 2G内存+
master
192.168.1.6 kube-apiserver kube-controller-manager kube-scheduler flannel etcd
node01
192.168.1.7 kubelet kube-proxy docker flannel etcd
node02
192.168.1.8 kubelet kube-proxy docker flannel etcd
注意有iptables的注意添加规则内网互通:
# Insert (at the head of INPUT) a rule accepting all traffic from the cluster
# subnet, so the three nodes can reach each other while iptables is active.
iptables --insert INPUT --source 192.168.1.0/24 --jump ACCEPT
基础环境:
关闭防火墙:
[root@k8s-master ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@k8s-master ~]#
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl stop firewalld
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl disable firewalld
关闭selinux:
[root@k8s-master ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config
[root@k8s-master ~]# setenforce 0
setenforce: SELinux is disabled
[root@k8s-master ~]#
[root@k8s-master ~]#
关闭swap:
[root@k8s-master ~]# swapoff -a
[root@k8s-master ~]# free -m
total used free shared buff/cache available
Mem: 1838 1288 76 17 474 366
Swap: 0 0 0
[root@k8s-master ~]#
设置k8s集群主机名(你自己的集群节点ip)(可有可无):
# echo '47.95.7.67 k8s-master
47.95.7.67 etcd
120.783.212 k8s-node-212
39.1.201.0 k8s-node-0' >> /etc/hosts
同步时间:
[root@k8s-master ~]# yum install ntpdate -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
base | 3.6 kB 00:00:00
docker-ce-stable | 2.9 kB 00:00:00
epel | 3.2 kB 00:00:00
extras | 3.4 kB 00:00:00
updates | 3.4 kB 00:00:00
(1/3): epel/x86_64/updateinfo | 933 kB 00:00:00
(2/3): updates/7/x86_64/primary_db | 6.0 MB 00:00:00
(3/3): epel/x86_64/primary | 3.6 MB 00:00:00
epel 12756/12756
Package ntpdate-4.2.6p5-28.el7.centos.x86_64 already installed and latest version
Nothing to do
[root@k8s-master ~]# ntpdate ntp.api.bz
1 Nov 12:22:26 ntpdate[27967]: the NTP socket is in use, exiting
[root@k8s-master ~]#
安装Docker 方案一:
# yum install -y yum-utils device-mapper-persistent-data lvm2
如果提示container-selinux依赖问题,先安装ce-17.03匹配版本:
# yum localinstall https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.3.ce-1.el7.noarch.rpm
如果已安装docker-ce 18, 先卸载:
# yum remove docker container-selinux
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
查看当前所有docker 版本
# yum list docker-ce.x86_64 --showduplicates |sort -r
目前docker 最大支持docker-ce-17.03, 所以要指定版本安装
# yum install -y docker-ce
# systemctl enable docker && systemctl start docker
# vi /lib/systemd/system/docker.service
#找到ExecStart=xxx,在这行上面加入一行,内容如下:(k8s的网络需要)
ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
启动服务
# systemctl daemon-reload
# service docker start
安装docker 方案二:
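# Docker install, option two: Docker CE from the official repository plus a
# registry mirror configured in daemon.json before the daemon is started.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce
# Make sure /etc/docker exists before writing into it (a fresh install may not
# have created it yet, and the redirect below would otherwise fail).
mkdir -p /etc/docker
# Quoted delimiter: the JSON is written literally, nothing is expanded.
cat <<'EOF' >/etc/docker/daemon.json
{
  "registry-mirrors": [ "https://registry.docker-cn.com"]
}
EOF
systemctl start docker
systemctl enable docker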
创建k8s的目录:
# Working tree for the cluster binaries, config files and TLS material.
mkdir -p /opt/kubernetes/bin /opt/kubernetes/cfg /opt/kubernetes/ssl
自签TLS证书:
在master上面操作,即192.168.1.6
安装证书生成工具cfssl:
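# Install the cfssl toolchain used to generate the cluster certificates.
# NOTE(review): the directory created earlier is /opt/kubernetes/ssl, while this
# step uses /opt/ssl -- confirm which one is intended and create it first.
# Stop here if the directory is missing: otherwise the chmod/mv below would act
# on whatever the current directory happens to be.
cd /opt/ssl || exit 1
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# NOTE(review): compare the downloads against the project's published checksums
# (sha256sum) before placing them into PATH.
# Only the three downloaded files are made executable, not everything in the
# directory.
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
# Kept at the author's original location (/usr/bin, unlike the other two).
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo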
不知道如何创建证书可以根据提示 生成模板然后修改:
# Dump cfssl's built-in templates; edit these if you prefer not to hand-write
# the JSON used in the certificate script below.
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
生成我们需要的证书脚本:
[root@localhost ssl]# cat certificate.sh
# CA signing policy (ca-config.json).
# NOTE(review): both the default and the "kubernetes" profile use an expiry of
# 87600h (about ten years); a shorter lifetime with planned rotation limits the
# impact of a leaked key. Quoted delimiter: the JSON is written literally.
cat <<'EOF' >ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# Subject of the self-signed root CA (ca-csr.json), followed by the CA itself.
# Quoted delimiter: the JSON is written literally.
cat <<'EOF' >ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "hangzhou",
      "ST": "hangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Generate the root CA from the CSR above. "cfssljson -bare ca" writes files
# with the prefix "ca" (ca.pem / ca-key.pem); that key signs every other
# certificate in the cluster, so keep it readable by root only and off the
# worker nodes.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
#用于api http通信的证书信息 尾数:6 7 8 这三个ip 改成你的。
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.6",
"192.168.1.7",
"192.168.1.8",
"10.10.10.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",