Kubernetes部署方式与平台规划
- 官方提供三种部署方式
- minikubu(仅用于测试使用)
Minikube是一个工具,可以在本地快速运行一个单点
的Kubernetes,仅用于尝试Kubernetes或日常开发的用户使用
部署地址 - kubeadm
Kubeadm也是一个工具,提供kubeadm init和kubeadm join,用于快速部署Kubenetes集群
部署地址
不推荐:证书默认只分配一年;一键部署,内部运行机制不了解;目前是测试版本 - 二进制包
推荐,从官方下载发行版的二进制包,手动部署每个组件,组成Kubenetes集群
下载地址
- 平台环境规划
官方发布最新稳定版。
- 单节点master
- 多节点master
- 单节点master集群部署
- 自签SSL证书
etcd-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h", # 过期时间,10年
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
#etcd域名证书
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.33.6",
"192.168.33.7",
"192.168.33.8"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
执行:bash cfssl.sh
bash etcd-cert.sh
- 部署etcd
- 三个节点均执行一下配置
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
- 创建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
# ETCD_NAME 节点名称
ETCD_NAME="etcd01"
# ETCD_DATA_DIR 数据目录
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# ETCD_LISTEN_PEER_URLS 集群通信监听地址
ETCD_LISTEN_PEER_URLS="https://192.168.33.7:2380"
# ETCD_LISTEN_CLIENT_URLS 客户端访问监听地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.33.7:2379"
#[Clustering]
# ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.33.7:2380"
# ETCD_ADVERTISE_CLIENT_URLS 客户端通告地址
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.33.7:2379"
# ETCD_INITIAL_CLUSTER 集群所有节点地址
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.33.7:2380,etcd02=https://192.168.33.6:2380,etcd03=https://192.168.33.8:2380"
# ETCD_INITIAL_CLUSTER_TOKEN 集群Token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# ETCD_INITIAL_CLUSTER_STATE 加入集群的当前状态,new是新集群,existing表示加入已有集群
ETCD_INITIAL_CLUSTER_STATE="new"
- 使用systemd管理etcd,创建服务脚本
# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
- 将/opt/etcd目录和服务启动脚本拷贝至其他两个节点,修改cfg/etcd中的IP
scp -r /opt/etcd node1:/opt/ node2:/opt/
scp -r /usr/lib/systemd/system/etcd.service node1:/usr/lib/systemd/system/etcd.service node2:/usr/lib/systemd/system/etcd.service
- 启动etcd(启动失败的话检查IP是否配置正确,检查无误再重启多几次)
systemctl start etcd
systemctl enable etcd
- 检查集群健康状态
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" cluster-health
# 正常输出
member 181e3b7279fd8ef6 is healthy: got healthy result from https://192.168.33.6:2379
member 9fb608799130aa7f is healthy: got healthy result from https://192.168.33.7:2379
member ff9d0db82e0b0c3f is healthy: got healthy result from https://192.168.33.8:2379
cluster is healthy
- 在Node安装Docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce -y
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://bc437cce.m.daocloud.io # 安装镜像加速
systemctl start docker
systemctl enable docker
-
部署Flannel网络
Flannel只需部署到node节点即可。
CNI(Container Network Interface):容器网络接口
Kubernetes网络模型设计基本要求:- 一个Pod一个IP
- 每个Pod独立IP,Pod内所有容器共享网络(同一个IP)
- 所有容器都可以与所有其他容器通信
- 所有节点都可以与所有容器通信
Overlay Network:覆盖网络,在基础网络上叠加的一种虚拟网络技术模式,该网络中的主机通过虚拟链路连接起来。
Flannel:是Overlay网络的一种,也是讲数据包封装在另一种网络包里面进行路由转发和通信,目前已经支持UDP、VXLAN、Host-GW、AWS VPC和GCE路由等数据转发方式。
Falnnel要用etcd存储自身一个子网信息,所以要保证能成功连接Etcd- 写入预定义子网段:在master执行
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}' # 正常输出 { "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}} # 查看是否正确配置 /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" get /coreos.com/network/config
- 每个node节点操作:
下载二进制包
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz tar zxvf flannel-v0.9.1-linux-amd64.tar.gz mkdir /opt/kubernetes/{bin,cfg,ssl} -p mv flanneld mk-docker-opts.sh /opt/kubernetes/bin
配置Flannel
# vim /opt/kubernetes/cfg/flanneld FLANNEL_OPTIONS="--etcd- endpoints=https://192.168.33.7:2379,https://192.168.33.8:2379,https://192.168.33.9:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd- keyfile=/opt/etcd/ssl/server-key.pem"
systemd管理Flannel:
# vim /usr/lib/systemd/system/flanneld.service [Unit] Description=Flanneld overlay address etcd agent After=network-online.target network.target Before=docker.service [Service] Type=notify EnvironmentFile=/opt/kubernetes/cfg/flanneld ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env Restart=on-failure [Install] WantedBy=multi-user.target
配置Docker启动指定子网段:
# vim /usr/lib/systemd/system/docker.service [Unit] ... ... [Service] Type=notify EnvironmentFile=/run/flannel/subnet.env ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS ... ...
重启flannel和docker:
# systemctl daemon-reload # systemctl start flanneld # systemctl enable flanneld # systemctl restart docker # 验证 # ps -ef |grep docker root 11425 1 2 15:15 ? 00:00:00 /usr/bin/dockerd --bip=172.17.87.1/24 --ip-masq=false --mtu=1450 15:15 pts/0 00:00:00 grep --color=auto docker # ip a ... ... 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN link/ether 02:42:02:e5:d8:2f brd ff:ff:ff:ff:ff:ff inet 172.17.87.1/24 brd 172.17.87.255 scope global docker0 valid_lft forever preferred_lft forever 5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN link/ether 86:1a:b9:ea:35:d1 brd ff:ff:ff:ff:ff:ff inet 172.17.87.0/32 scope global flannel.1 valid_lft forever preferred_lft forever # 确保docker0与flannel.1在同一网段。 测试不同节点互通,在当前节点访问另一个Node节点docker0 IP # ping 172.17.87.1
-
在Master节点部署组件
在部署Kubernetes之前一定要确保etcd、flannel、docker是正常工作的,否则先解决问题再继续。
4.1 创建CA证书:
# vim k8s-cert.sh cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- cat > server-csr.json <<EOF { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.33.7", "192.168.33.8", "192.168.33.9", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server #----------------------- cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin #----------------------- cat > kube-proxy-csr.json <<EOF { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
生成证书:
# sh k8s-cert.sh # mkdir -p /opt/kubernetes/{ssl,cfg,bin} # cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/
4.2 部署apiserver组件
下载二进制包kubernetes-server-linux-amd64.tar.gz,包含了所需的所有组件。
github下载k8s二进制包kubernetes-server-linux-amd64.tar.gz
解压,提取可执行文件kube-apiserver、kube-controller-manager 、kube-scheduler# tar zxvf kubernetes-server-linux-amd64.tar.gz # cd kubernetes/server/bin # cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin
创建token文件,用途后面会讲到:
# cd /opt/kubernetes/cfg # BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008 # cat > token.csv <<EOF ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" EOF
创建apiserver配置文件:
# cat /opt/kubernetes/cfg/kube-apiserver KUBE_APISERVER_OPTS="--logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --v=4 \ --etcd-servers=https://192.168.33.7:2379,https://192.168.33.9:2379,https://192.168.33.8:2379 \ --bind-address=192.168.33.7 \ --secure-port=6443 \ --advertise-address=192.168.33.7 \ --allow-privileged=true \ --service-cluster-ip-range=10.0.0.0/24 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ --kubelet-https=true \ --enable-bootstrap-token-auth \ --token-auth-file=/opt/kubernetes/cfg/token.csv \ --service-node-port-range=30000-50000 \ --tls-cert-file=/opt/kubernetes/ssl/server.pem \ --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \ --client-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ --etcd-cafile=/opt/etcd/ssl/ca.pem \ --etcd-certfile=/opt/etcd/ssl/server.pem \ --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
参数说明:
–logtostderr 启用日志
—v 日志等级
–etcd-servers etcd集群地址
–bind-address 监听地址
–secure-port https安全端口
–advertise-address 集群通告地址
–allow-privileged 启用授权
–service-cluster-ip-range Service虚拟IP地址段
–enable-admission-plugins 准入控制模块
–authorization-mode 认证授权,启用RBAC授权和节点自管理
–enable-bootstrap-token-auth 启用TLS bootstrap功能,后面会讲到
–token-auth-file token文件
–service-node-port-range Service Node类型默认分配端口范围配置systemd管理apiserver
# cat /usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target
启动:
# systemctl daemon-reload # systemctl enable kube-apiserver # systemctl restart kube-apiserver # 检查端口监听情况 # ss -antpu |grep 8080 # ss -antpu |grep 6443
4.3 部署scheduler组件
创建schduler配置文件:# cat /opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect"
参数说明:
–master 连接本地apiserver
–leader-elect 当该组件启动多个时,自动选举(HA)systemd管理schduler组件:
# cat /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target
启动:
# systemctl daemon-reload # systemctl enable kube-apiserver # systemctl restart kube-apiserver
4.4 部署controller-manager组件
创建controller-manager配置文件和systemd管理组件并启动:# cat /opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect=true \ --address=127.0.0.1 \ --service-cluster-ip-range=10.0.0.0/24 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --experimental-cluster-signing-duration=87600h0m0s" # cat /usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target # systemctl daemon-reload # systemctl enable kube-controller-manager # systemctl restart kube-controller-manager
所有组件都已经启动成功,通过kubectl工具查看当前集群组件状态:
# /opt/kubernetes/bin/kubectl get cs # 正常输出:组件正常 NAME STATUS MESSAGE ERROR controller-manager Healthy ok scheduler Healthy ok etcd-1 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"}
-
在Node节点部署组件
Master apiserver启用TLS认证后,Node节点kubelet组件想要加入集群,必须使用CA签发的有效证书才能与
apiserver通信,当Node节点很多时,签署证书是一件很繁琐的事情,因此有了TLS Bootstrapping机制,kubelet
会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。
认证大致工作流程如图所示:
5.1 将kubelet-bootstrap用户绑定到系统集群角色
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
# cat kubeconfig.sh # 创建 TLS Bootstrapping Token #BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ') BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008 #cat > token.csv <<EOF #${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" #EOF #---------------------- APISERVER=$1 SSL_DIR=$2 # 创建kubelet bootstrapping kubeconfig export KUBE_APISERVER="https://$APISERVER:6443" # 设置集群参数 kubectl config set-cluster kubernetes \ --certificate-authority=$SSL_DIR/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=bootstrap.kubeconfig # 设置客户端认证参数 kubectl config set-credentials kubelet-bootstrap \ --token=${BOOTSTRAP_TOKEN} \ --kubeconfig=bootstrap.kubeconfig # 设置上下文参数 kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig # 设置默认上下文 kubectl config use-context default --kubeconfig=bootstrap.kubeconfig #---------------------- # 创建kube-proxy kubeconfig文件 kubectl config set-cluster kubernetes \ --certificate-authority=$SSL_DIR/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-credentials kube-proxy \ --client-certificate=$SSL_DIR/kube-proxy.pem \ --client-key=$SSL_DIR/kube-proxy-key.pem \ --embed-certs=true \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-context default \ --cluster=kubernetes \ --user=kube-proxy \ --kubeconfig=kube-proxy.kubeconfig kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
执行:
sh kubeconfig.sh 192.168.33.7 /data/k8s/k8s-cert/
将bootstrap.kubeconfig、kube-proxy.kubeconfig拷贝到Node节点/opt/kubernetes/cfg目录下。# scp bootstrap.kubeconfig kube-proxy.kubeconfig slave2:/opt/kubernetes/cfg/ # scp bootstrap.kubeconfig kube-proxy.kubeconfig slave3:/opt/kubernetes/cfg/
5.2 部署kubelet组件
将前面下载的二进制包中的kubelet和kube-proxy拷贝到/opt/kubernetes/bin目录下。
scp kubelet kube-proxy slave2:/opt/kubernetes/bin/
scp kubelet kube-proxy slave3:/opt/kubernetes/bin/
执行创建kubelet配置文件脚本:sh kubelet.sh 192.168.33.8# vim kubelet.sh #!/bin/bash NODE_ADDRESS=$1 DNS_SERVER_IP=${2:-"10.0.0.2"} cat <<EOF >/opt/kubernetes/cfg/kubelet KUBELET_OPTS="--logtostderr=true \\ --v=4 \\ --hostname-override=${NODE_ADDRESS} \\ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\ --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\ --config=/opt/kubernetes/cfg/kubelet.config \\ --cert-dir=/opt/kubernetes/ssl \\ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0" EOF cat <<EOF >/opt/kubernetes/cfg/kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: ${NODE_ADDRESS} port: 10250 readOnlyPort: 10255 cgroupDriver: cgroupfs clusterDNS: - ${DNS_SERVER_IP} clusterDomain: cluster.local. failSwapOn: false authentication: anonymous: enabled: true EOF cat <<EOF >/usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service [Service] EnvironmentFile=/opt/kubernetes/cfg/kubelet ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS Restart=on-failure KillMode=process [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kubelet systemctl restart kubelet
# cat /opt/kubernetes/cfg/kubelet KUBELET_OPTS="--logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --v=4 \ --hostname-override=192.168.33.8 \ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \ --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \ --config=/opt/kubernetes/cfg/kubelet.config \ --cert-dir=/opt/kubernetes/ssl \ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
参数说明:
–hostname-override 在集群中显示的主机名
–kubeconfig 指定kubeconfig文件位置,会自动生成
–bootstrap-kubeconfig 指定刚才生成的bootstrap.kubeconfig文件
–cert-dir 颁发证书存放位置
–pod-infra-container-image 管理Pod网络的镜像# cat /opt/kubernetes/cfg/kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: 192.168.33.8 port: 10250 readOnlyPort: 10255 cgroupDriver: cgroupfs clusterDNS: - 10.0.0.2 clusterDomain: cluster.local. failSwapOn: false authentication: anonymous: enabled: true
# cat /usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service [Service] EnvironmentFile=/opt/kubernetes/cfg/kubelet ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS Restart=on-failure KillMode=process [Install] WantedBy=multi-user.target
启动:
# systemctl daemon-reload # systemctl enable kubelet # systemctl restart kubelet # ps -ef | grep kubelet
5.3 部署kube-proxy组件
执行创建kube-proxy配置文件脚本:sh proxy.sh 192.168.33.8# vim proxy.sh #!/bin/bash NODE_ADDRESS=$1 cat <<EOF >/opt/kubernetes/cfg/kube-proxy KUBE_PROXY_OPTS="--logtostderr=true \\ --v=4 \\ --hostname-override=${NODE_ADDRESS} \\ --cluster-cidr=10.0.0.0/24 \\ --proxy-mode=ipvs \\ --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig" EOF cat <<EOF >/usr/lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Proxy After=network.target [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-proxy systemctl restart kube-proxy
检查是否正常启动:
ps aux | grep proxy
在Master审批Node加入集群:
启动后还没加入到集群中,需要手动允许该节点才可以。 在Master节点查看请求签名的Node:[root@Fone7 bin]# kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg 108s kubelet-bootstrap Pending node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM 3m11s kubelet-bootstrap Pending [root@Fone7 bin]# kubectl certificate approve node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg certificatesigningrequest.certificates.k8s.io/node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg approved [root@Fone7 bin]# kubectl certificate approve node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM certificatesigningrequest.certificates.k8s.io/node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM approved [root@Fone7 bin]# kubectl get node NAME STATUS ROLES AGE VERSION 192.168.33.8 Ready <none> 8s v1.12.3 192.168.33.9 Ready <none> 45s v1.12.3 [root@Fone7 bin]# kubectl get cs NAME STATUS MESSAGE ERROR etcd-0 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"} scheduler Healthy ok controller-manager Healthy ok etcd-1 Healthy {"health":"true"}
-
运行一个测试示例
创建一个Nginx Web,测试集群是否正常工作:# kubectl run nginx --image=nginx --replicas=3 # kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort
查看Pod,Service:
# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 3h31m nginx NodePort 10.0.0.186 <none> 88:37361/TCP 14m [root@Fone7 bin]# kubectl get pods NAME READY STATUS RESTARTS AGE nginx-dbddb74b8-78jfp 1/1 Running 1 13m nginx-dbddb74b8-rglmf 1/1 Running 1 13m nginx-dbddb74b8-z4fwb 1/1 Running 0 13m [root@Fone7 bin]# kubectl get pods -o wide # 查看具体运行在哪个节点 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE nginx-dbddb74b8-78jfp 1/1 Running 1 14m 172.17.87.3 192.168.33.9 <none> nginx-dbddb74b8-rglmf 1/1 Running 1 14m 172.17.87.2 192.168.33.9 <none> nginx-dbddb74b8-z4fwb 1/1 Running 0 14m 172.17.87.2 192.168.33.8 <none>
在node节点访问
curl 10.0.0.186:88
外部访问集群中部署的Nginx,打开浏览器输入node IP:端口:http://192.168.33.8:37361
- 在master授权用户,用以查看日志
# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymous created
# 动态查看打印日志,刷新浏览器,查看日志输出
# kubectl logs nginx-dbddb74b8-z4fwb -f
-
生产环境建议集群规划:
-
杂七杂八
- Kubernetes集群组件启动顺序:
- master:[keepalived] -> etcd -> kube-scheduler -> kube-controller-manager -> kube-apiserver
验证:kubectl get cs - node:flanneld -> docker -> kubelet -> kube-proxy
验证:kubectl 启动一个pod
- master:[keepalived] -> etcd -> kube-scheduler -> kube-controller-manager -> kube-apiserver
- 注意时间同步
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime - 有问题先查日志(运行日志,系统日志/var/log/messages等),无法解决再baidu谷歌
- Kubernetes中文文档
- kubernetes应用
- kubernetes 二进制文件离线手动安装搭建
- Kubernetes集群组件启动顺序: