关闭swap:如果开启了swap,k8s启动会失败
# Turn off every active swap device on this host.
# NOTE(review): this only lasts until the next reboot; swap entries that remain
# in /etc/fstab are activated again at boot, so they must be disabled there too
# for the setting to persist.
swapoff -a
关闭防火墙和SELinux(此处未给出具体命令;关闭后主机层面的防护随之消失,生产环境更稳妥的做法是保留防火墙并只放行集群所需端口)
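# Write the kernel parameters for a Kubernetes node into kubernetes.conf,
# install the file under /etc/sysctl.d and apply it.
#
# Notes on individual keys:
#   net.bridge.bridge-nf-call-*  pass bridged traffic through iptables/ip6tables;
#                                the keys exist only while br_netfilter is loaded.
#   net.ipv4.ip_forward=1        turns the host into a router; pair it with
#                                packet-filter rules that limit what is forwarded.
#   net.ipv4.tcp_tw_recycle      NOTE(review): removed from the kernel in Linux
#                                4.12; on newer kernels sysctl reports an error
#                                for this key, so drop the line there.
#   net.netfilter.nf_conntrack_max  NOTE(review): presumably needs the conntrack
#                                module loaded before it can be set; confirm.
# The delimiter is quoted so the file is written exactly as listed.
cat > kubernetes.conf <<'EOF'
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF

# Load the bridge netfilter module first; without it the net.bridge.* keys are
# missing and sysctl cannot set them.
modprobe br_netfilter

cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
sysctl -p /etc/sysctl.d/kubernetes.conf

# Mount the combined cpu,cpuacct cgroup hierarchy. The mount point is spelled
# "cpu,cpuacct"; the earlier "cpu,cpuacc" does not match the controller name.
mount -t cgroup -o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct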
创建文件夹
# Create the directory layout used by the rest of this guide: one directory for
# binaries and one certificate directory each for etcd and kubernetes.
# NOTE(review): the two cert directories presumably end up holding private keys;
# confirm their owner and mode are restricted once the keys are in place.
mkdir -p \
  /data/k8s/bin \
  /data/k8s/etcd/cert \
  /data/k8s/kubernetes/cert
安装cfssl工具(用于签发证书,确保k8s各组件之间的通信经过加密和认证)
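# Download the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) and install it
# into /data/k8s/bin. Certificates are generated later from /data/cfssl.
# NOTE(review): the chown assumes a local user named "k8s" already exists.
mkdir -p /data/cfssl/cert && chown -R k8s /data/cfssl/ && cd /data/cfssl/

# NOTE(review): these binaries will sign every certificate in the cluster, yet
# nothing here checks their integrity beyond TLS. Before installing, compare
# each file's `sha256sum` output with the digest published by the maintainers
# (<EXPECTED_SHA256> - placeholder, not given on this page).
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

mv cfssl_linux-amd64 /data/k8s/bin/cfssl
mv cfssljson_linux-amd64 /data/k8s/bin/cfssljson
# Installed as cfssl-certinfo (the earlier target name "cfssl-cdrtinfo" was a typo).
mv cfssl-certinfo_linux-amd64 /data/k8s/bin/cfssl-certinfo

# Mark only the three installed tools executable rather than everything in bin.
chmod +x /data/k8s/bin/cfssl /data/k8s/bin/cfssljson /data/k8s/bin/cfssl-certinfo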
# Write the CA signing policy to ca-config.json in the current directory.
#   - default expiry: 87600h (3650 days, roughly ten years)
#   - profile "kubernetes": same expiry; usages are signing, key encipherment,
#     server auth and client auth
# NOTE(review): one profile grants both server auth and client auth, so any
# certificate issued with it is usable in either role, and it stays valid for
# about ten years unless it is rotated earlier.
# The delimiter is quoted so the JSON is written literally, with no shell expansion.
cat > ca-config.json <<'EOF'
{"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"}}}}
EOF
# Write the certificate signing request for the CA to ca-csr.json in the
# current directory: CN "kubernetes", an RSA 2048-bit key, and one subject
# name entry (C/ST/L/O/OU).
# NOTE(review): this key anchors trust for the whole cluster; whether RSA 2048
# is adequate for the CA's intended lifetime is a policy decision to confirm.
# The delimiter is quoted so the JSON is written literally, with no shell expansion.
cat > ca-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "4Paradigm"
}]}
EOF
生成CA证书和私钥
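# Generate the self-signed CA certificate and its private key.
# Run this from the directory that contains ca-csr.json. The remark that used to
# trail the command was not valid shell, so it now lives in this comment.
# cfssljson -bare ca writes ca.pem (certificate), ca-key.pem (private key) and
# ca.csr into the current directory.
# ca-key.pem can sign certificates for any identity in the cluster: keep it
# readable only by its owner and copy it only to hosts that must issue certificates.
# NOTE(review): assumes cfssl and cfssljson (installed to /data/k8s/bin) are on PATH.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca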
分发到所有的节点(其中 ca-key.pem 是CA私钥,应限制其访问权限,只保留在需要签发证书的机器上)