k8s x86下离线部署kubernetes1.30(单主节点)

已于 2024-06-19 17:49:54 修改
阅读量957 收藏 23
点赞数 28
文章标签: kubernetes 容器
于 2024-05-29 22:23:52 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weimeilayer/article/details/139306959
版权

1、修改主机名/hosts文件

hostnamectl set-hostname k8s-master
hostnamectl set-hostname k8s-node01

2、修改hosts文件
每台机器上执行

cat >> /etc/hosts << EOF
172.16.17.203  k8s-master
172.16.17.204  k8s-node01
EOF

3、关闭防火墙
每台机器上执行:

systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service

4、关闭SELINUX配置
每台机器上执行:

setenforce 0
sed -ri 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
sestatus

5、安装ipset、ipvsadm

yum -y install --downloadonly --downloaddir /data/software/ipset_ipvsadm ipset ipvsadm
rpm -ivh ipvsadm-1.27-8.el7.x86_64.rpm  --nodeps --force

6、关闭swap交换区
#临时关闭Swap分区

swapoff -a
#永久关闭Swap分区
sed -ri 's/.*swap.*/#&/' /etc/fstab
#查看下
grep swap /etc/fstab

7、配置ssh免密登录
ssh-keygen 一直回车

复制id_rsa.pub

cd /root/.ssh
cp id_rsa.pub authorized_keys

在其他机器创建/root/.ssh目录

mkdir -p /root/.ssh

将/root/.ssh拷贝到其他机器

scp -r /root/.ssh/* 172.16.17.204:/root/.ssh/

8、安装docker-ce/cri-dockerd

在一台有网的机器下载包(配置阿里云源)

cd /etc/yum.repos.d/

#备份默认的repo文件

mkdir bak && mv *.repo bak

#下载阿里云yum源文件

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

#清理、更新缓存

yum clean all && yum makecache

如果存在docker,卸载

yum remove docker  docker-client docker-client-latest docker-common  docker-latest docker-latest-logrotate docker-logrotate docker-engine

建议重新安装epel源

rpm -qa | grep epel
yum remove epel-release
yum -y install epel-release

安装yum-utils

 yum install -y yum-utils

添加docker仓库

yum-config-manager  --add-repo  http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

更新软件包索引

yum makecache fast

下载RPM包

#查看docker版本,这里选择25.0.5

yum list docker-ce --showduplicates |sort –r

#查看containerd.io版本,这里选择1.6.31

yum list containerd.io --showduplicates |sort –r

#下载命令,下载后包在/data/docker下

mkdir -p /data/docker -p

yum install -y docker-ce-25.0.5 docker-ce-cli-25.0.5 containerd.io-1.6.31 --downloadonly --downloaddir=/data/docker

每台机器都安装
将下载好的安装包上传至各个虚拟机

rpm -ivh *.rpm   --nodeps --force

启动docker
#重载unit配置文件

systemctl daemon-reload

#启动Docker

systemctl start docker

#设置开机自启

systemctl enable docker.service

2 安装cri-docker

在一台有网的机器下载安装包
下载地址:https://github.com/Mirantis/cri-dockerd/releases
选择对应的架构和版本,这里下载:https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.8/cri-dockerd-0.3.8-3.el7.x86_64.rpm

#安装

rpm -ivh cri-dockerd-0.3.8-3.el7.x86_64.rpm  --nodeps --force

#修改/usr/lib/systemd/system/cri-docker.service中ExecStart那一行,制定用作Pod的基础容器镜像(pause)

ExecStart=/usr/bin/cri-dockerd --pod-infra-container-image=registry.k8s.io/pause:3.9 --container-runtime-endpoint fd://

启动cri-dockerd

systemctl enable --now cri-docker
systemctl status cri-docker

安装kubernetes

1 下载 kubelet kubeadm kubectl
在一台有网的机器执行:

配置镜像源

k8s源镜像源准备(社区版yum源,注意区分版本)

cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/repodata/repomd.xml.key
EOF

#查看可安装的版本,选择合适的版本,这里选择1.30.0-150500.1.1

yum list kubeadm.x86_64 --showduplicates |sort -r
yum list kubelet.x86_64 --showduplicates |sort -r
yum list kubectl.x86_64 --showduplicates |sort -r

#yum下载(不安装)

yum -y install --downloadonly --downloaddir=/opt/software/k8s-package kubeadm-1.30.0-150500.1.1 kubelet-1.30.0-150500.1.1 kubectl-1.30.0-150500.1.1

2 安装kubelet kubeadm kubectl
每台机器都执行
将安装包上传至各个机器

安装

rpm -ivh *.rpm --nodeps --force

修改docker的cgroup-driver

vi /etc/docker/daemon.json

添加或修改内容

{
  "exec-opts": ["native.cgroupdriver=systemd"]
}

#重启docker

systemctl daemon-reload
systemctl restart docker
systemctl status docker

配置kublet的cgroup 驱动与docker一致
#备份原文件

cp /etc/sysconfig/kubelet{,.bak}

#修改kubelet文件

vi /etc/sysconfig/kubelet

#修改内容

KUBELET_EXTRA_ARGS="--cgroup-driver=systemd"

开启自启kubelet

systemctl enable kubelet

3 安装tab命令补全工具

yum install -y --downloadonly --downloaddir=/data/software/command-tab/ bash-completion

rpm -ivh bash-completion-2.1-8.el7.noarch.rpm  --nodeps --force

source /usr/share/bash-completion/bash_completion
echo "source <(kubectl completion bash)" >> ~/.bashrc
source  ~/.bashrc

4 下载K8S运行依赖的镜像

docker pull registry.aliyuncs.com/google_containers/kube-apiserver:v1.30.0
docker pull registry.aliyuncs.com/google_containers/kube-controller-manager:v1.30.0
docker pull registry.aliyuncs.com/google_containers/kube-scheduler:v1.30.0
docker pull registry.aliyuncs.com/google_containers/kube-proxy:v1.30.0
docker pull registry.aliyuncs.com/google_containers/coredns:1.11.1
docker pull registry.aliyuncs.com/google_containers/pause:3.9
docker pull registry.aliyuncs.com/google_containers/etcd:3.5.12-0

将docker镜像保存为tar包,并保存待离线使用

docker save -o kube-apiserver-v1.30.0.tar registry.aliyuncs.com/google_containers/kube-apiserver:v1.30.0
docker save -o kube-controller-manager-v1.30.0.tar registry.aliyuncs.com/google_containers/kube-controller-manager:v1.30.0
docker save -o kube-scheduler-v1.30.0.tar registry.aliyuncs.com/google_containers/kube-scheduler:v1.30.0
docker save -o kube-proxy-v1.30.0.tar registry.aliyuncs.com/google_containers/kube-proxy:v1.30.0
docker save -o coredns-1.11.1.tar registry.aliyuncs.com/google_containers/coredns:1.11.1
docker save -o pause-3.9.tar registry.aliyuncs.com/google_containers/pause:3.9
docker save -o etcd-3.5.12-0.tar registry.aliyuncs.com/google_containers/etcd:3.5.12-0

然后加载推送到镜像库

docker load -i kube-apiserver-v1.30.0.tar
docker load -i kube-controller-manager-v1.30.0.tar
docker load -i kube-scheduler-v1.30.0.tar
docker load -i kube-proxy-v1.30.0.tar
docker load -i coredns-1.11.1.tar
docker load -i pause-3.9.tar
docker load -i etcd-3.5.12-0.tar

vi /etc/docker/daemon.json

添加配置vi /etc/docker/daemon.json

{
  "data-root": "/data/docker",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "insecure-registries":["172.16.17.203:81", "quay.io", "k8s.gcr.io", "gcr.io"]

}

systemctl daemon-reload
systemctl restart docker

修改cri-docker将pause镜像修改自己的

#vi /usr/lib/systemd/system/cri-docker.service
#修改--pod-infra-container-image=registry.k8s.io/pause:3.9 为--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9
#重启cri-docker

systemctl daemon-reload
systemctl restart cri-docker

6.1 k8s-master安装
在主节点k8s-master操作 :

kubeadm init --kubernetes-version=v1.30.0 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=172.16.17.203 --cri-socket unix:///var/run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers --upload-certs

kubectl get node

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

在其它节点

kubeadm join 172.16.17.203:6443 --token 2ml2ro.adrzs4t9zq1yc51e --discovery-token-ca-cert-hash sha256:984cba7d5ba30dedf3672db51cecc7b21eec744ac87edf706becb7ffe6d41c21 --cri-socket `unix:///var/run/cri-dockerd.sock`

安装网络组件calico

docker pull docker.io/calico/node:v3.27.3
docker pull docker.io/calico/kube-controllers:v3.27.3
docker pull docker.io/calico/cni:v3.27.3

docker save -o calico-node.tar docker.io/calico/node:v3.27.3
docker save -o calico-kube-controllers.tar docker.io/calico/kube-controllers:v3.27.3
docker save -o calico-cni.tar docker.io/calico/cni:v3.27.3

docker load -i calico-cni.tar
docker load -i calico-kube-controllers.tar
docker load -i calico-node.tar

#如果以上方式不好下载,从github下载:https://github.com/projectcalico/calico/releases/tag/v3.27.3,选择release-v3.27.3.tgz,下载后解压,从image中找到三个镜像

下载calico.yaml: https://github.com/projectcalico/calico/blob/v3.27.3/manifests/calico.yaml

将calico.yaml上传至主节点
由于国内镜像问题 image: docker.io/calico/xxxxx   只要是docker.io都换成自己的镜像地址
修改其中的镜像,都修改为172.16.17.203:81中的三个镜像:`172.16.17.203:81/calico/node:v3.27.3,172.16.17.203:81/calico/kube-controllers:v3.27.3,172.16.17.203:81/calico/cni:v3.27.3`
修改网络参数与init时的参数--pod-network-cidr一致

- name: CALICO_IPV4POOL_CIDR
  value: "172.16.17.0/16"

本文这里使用的是registry

docker pull registry.aliyuncs.com/google_containers/registry

也可以打包带走

docker save -o registry.tar registry.aliyuncs.com/google_containers/registry:latest
然后加载
docker load -i registry.tar

docker run -d --name registry --restart=always -v /data/registry-data:/var/lib/registry -p 81:5000 registry.aliyuncs.com/google_containers/registry

vi /usr/lib/systemd/system/cri-docker.service修改--pod-infra-container-image=registry.k8s.io/pause:3.9 为--pod-infra-container-image=172.16.17.xxx:81/pause:3.9

docker tag calico/node:v3.27.3 172.16.17.203:81/calico/node:v3.27.3
docker tag calico/kube-controllers:v3.27.3 172.16.17.203:81/calico/kube-controllers:v3.27.3
docker tag docker.io/calico/cni:v3.27.3 172.16.17.203:81/calico/cni:v3.27.3

docker tag registry.aliyuncs.com/google_containers/kube-apiserver:v1.30.0 172.16.17.203:81/kube-apiserver:v1.30.0
docker tag registry.aliyuncs.com/google_containers/kube-controller-manager:v1.30.0 172.16.17.203:81/kube-controller-manager:v1.30.0
docker tag registry.aliyuncs.com/google_containers/kube-scheduler:v1.30.0 172.16.17.203:81/kube-scheduler:v1.30.0
docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.30.0 172.16.17.203:81/kube-proxy:v1.30.0
docker tag registry.aliyuncs.com/google_containers/coredns:v1.11.1 172.16.17.203:81/coredns:v1.11.1
docker tag registry.aliyuncs.com/google_containers/pause:3.9 172.16.17.203:81/pause:3.9
docker tag registry.aliyuncs.com/google_containers/etcd:3.5.12-0 172.16.17.203:81/etcd:3.5.12-0

docker push 172.16.17.203:81/calico/node:v3.27.3
docker push 172.16.17.203:81/calico/kube-controllers:v3.27.3
docker push 172.16.17.203:81/calico/cni:v3.27.3

docker push 172.16.17.203:81/kube-apiserver:v1.30.0
docker push 172.16.17.203:81/kube-controller-manager:v1.30.0
docker push 172.16.17.203:81/kube-scheduler:v1.30.0
docker push 172.16.17.203:81/kube-proxy:v1.30.0
docker push 172.16.17.203:81/coredns:v1.11.1
docker push 172.16.17.203:81/pause:3.9
docker push 172.16.17.203:81/etcd:3.5.12-0

在子节点pull

docker pull 172.16.17.203:81/kube-apiserver:v1.30.0
docker pull 172.16.17.203:81/kube-controller-manager:v1.30.0
docker pull 172.16.17.203:81/kube-scheduler:v1.30.0
docker pull 172.16.17.203:81/kube-proxy:v1.30.0
docker pull 172.16.17.203:81/coredns:1.11.1
docker pull 172.16.17.203:81/pause:3.9
docker pull 172.16.17.203:81/etcd:3.5.12-0
docker pull 172.16.17.203:81/calico/node:v3.27.3
docker pull 172.16.17.203:81/calico/kube-controllers:v3.27.3
docker pull 172.16.17.203:81/calico/cni:v3.27.3

最好执行calico

kubectl apply -f calico.yaml

重启cri-docker

systemctl daemon-reload
systemctl restart cri-docker

查看pod

kubectl get node

延长证书有效期

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Apr 22 14:09:36 2024 GMT
            Not After : Apr 22 14:14:36 2025 GMT

openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text |grep Not
            Not Before: Apr 22 14:09:36 2024 GMT
            Not After : Apr 22 14:14:36 2025 GMT

openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text |grep Not
            Not Before: Apr 22 14:09:36 2024 GMT
            Not After : Apr 20 14:14:36 2034 GMT

将update-kubeadm-cert.sh上传至主节点,并执行

chmod +x update-kubeadm-cert.sh
./update-kubeadm-cert.sh all

#!/bin/bash

set -o errexit
set -o pipefail
# set -o xtrace

log::err() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[31mERROR: \033[0m$@\n"
}

log::info() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[32mINFO: \033[0m$@\n"
}

log::warning() {
  printf "[$(date +'%Y-%m-%dT%H:%M:%S.%N%z')]: \033[33mWARNING: \033[0m$@\n"
}

check_file() {
  if [[ ! -r  ${1} ]]; then
    log::err "can not find ${1}"
    exit 1
  fi
}

# get x509v3 subject alternative name from the old certificate
cert::get_subject_alt_name() {
  local cert=${1}.crt
  check_file "${cert}"
  local alt_name=$(openssl x509 -text -noout -in ${cert} | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')
  printf "${alt_name}\n"
}

# get subject from the old certificate
cert::get_subj() {
  local cert=${1}.crt
  check_file "${cert}"
  local subj=$(openssl x509 -text -noout -in ${cert}  | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')
  printf "${subj}\n"
}

cert::backup_file() {
  local file=${1}
  if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then
    cp -rp ${file} ${file}.old-$(date +%Y%m%d)
    log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"
  else
    log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"
  fi
}

# generate certificate whit client, server or peer
# Args:
#   $1 (the name of certificate)
#   $2 (the type of certificate, must be one of client, server, peer)
#   $3 (the subject of certificates)
#   $4 (the validity of certificates) (days)
#   $5 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)
cert::gen_cert() {
  local cert_name=${1}
  local cert_type=${2}
  local subj=${3}
  local cert_days=${4}
  local alt_name=${5}
  local cert=${cert_name}.crt
  local key=${cert_name}.key
  local csr=${cert_name}.csr
  local csr_conf="distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n"

  check_file "${key}"
  check_file "${cert}"

  # backup certificate when certificate not in ${kubeconf_arr[@]}
  # kubeconf_arr=("controller-manager.crt" "scheduler.crt" "admin.crt" "kubelet.crt")
  # if [[ ! "${kubeconf_arr[@]}" =~ "${cert##*/}" ]]; then
  #   cert::backup_file "${cert}"
  # fi

  case "${cert_type}" in
    client)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = clientAuth\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    server)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    peer)
      openssl req -new  -key ${key} -subj "${subj}" -reqexts v3_ext \
        -config <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -out ${csr}
      openssl x509 -in ${csr} -req -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -extensions v3_ext \
        -extfile <(printf "${csr_conf} extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = ${alt_name}\n") -days ${cert_days} -out ${cert}
      log::info "generated ${cert}"
    ;;
    *)
      log::err "unknow, unsupported etcd certs type: ${cert_type}, supported type: client, server, peer"
      exit 1
  esac

  rm -f ${csr}
}

cert::update_kubeconf() {
  local cert_name=${1}
  local kubeconf_file=${cert_name}.conf
  local cert=${cert_name}.crt
  local key=${cert_name}.key

  # generate  certificate
  check_file ${kubeconf_file}
  # get the key from the old kubeconf
  grep "client-key-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${key}
  # get the old certificate from the old kubeconf
  grep "client-certificate-data" ${kubeconf_file} | awk {'print$2'} | base64 -d > ${cert}
  # get subject from the old certificate
  local subj=$(cert::get_subj ${cert_name})
  cert::gen_cert "${cert_name}" "client" "${subj}" "${CAER_DAYS}"
  # get certificate base64 code
  local cert_base64=$(base64 -w 0 ${cert})

  # backup kubeconf
  # cert::backup_file "${kubeconf_file}"

  # set certificate base64 code to kubeconf
  sed -i 's/client-certificate-data:.*/client-certificate-data: '${cert_base64}'/g' ${kubeconf_file}

  log::info "generated new ${kubeconf_file}"
  rm -f ${cert}
  rm -f ${key}

  # set config for kubectl
  if [[ ${cert_name##*/} == "admin" ]]; then
    mkdir -p ~/.kube
    cp -fp ${kubeconf_file} ~/.kube/config
    log::info "copy the admin.conf to ~/.kube/config for kubectl"
  fi
}

cert::update_etcd_cert() {
  PKI_PATH=${KUBE_PATH}/pki/etcd
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate etcd server certificate
  # /etc/kubernetes/pki/etcd/server
  CART_NAME=${PKI_PATH}/server
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-server" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd peer certificate
  # /etc/kubernetes/pki/etcd/peer
  CART_NAME=${PKI_PATH}/peer
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "peer" "/CN=etcd-peer" "${CAER_DAYS}" "${subject_alt_name}"

  # generate etcd healthcheck-client certificate
  # /etc/kubernetes/pki/etcd/healthcheck-client
  CART_NAME=${PKI_PATH}/healthcheck-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-etcd-healthcheck-client" "${CAER_DAYS}"

  # generate apiserver-etcd-client certificate
  # /etc/kubernetes/pki/apiserver-etcd-client
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  PKI_PATH=${KUBE_PATH}/pki
  CART_NAME=${PKI_PATH}/apiserver-etcd-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-etcd-client" "${CAER_DAYS}"

  # restart etcd
  docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted etcd"
}

cert::update_master_cert() {
  PKI_PATH=${KUBE_PATH}/pki
  CA_CERT=${PKI_PATH}/ca.crt
  CA_KEY=${PKI_PATH}/ca.key

  check_file "${CA_CERT}"
  check_file "${CA_KEY}"

  # generate apiserver server certificate
  # /etc/kubernetes/pki/apiserver
  CART_NAME=${PKI_PATH}/apiserver
  subject_alt_name=$(cert::get_subject_alt_name ${CART_NAME})
  cert::gen_cert "${CART_NAME}" "server" "/CN=kube-apiserver" "${CAER_DAYS}" "${subject_alt_name}"

  # generate apiserver-kubelet-client certificate
  # /etc/kubernetes/pki/apiserver-kubelet-client
  CART_NAME=${PKI_PATH}/apiserver-kubelet-client
  cert::gen_cert "${CART_NAME}" "client" "/O=system:masters/CN=kube-apiserver-kubelet-client" "${CAER_DAYS}"

  # generate kubeconf for controller-manager,scheduler,kubectl and kubelet
  # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf
  cert::update_kubeconf "${KUBE_PATH}/controller-manager"
  cert::update_kubeconf "${KUBE_PATH}/scheduler"
  cert::update_kubeconf "${KUBE_PATH}/admin"
  # check kubelet.conf
  # https://github.com/kubernetes/kubeadm/issues/1753
  set +e
  grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf > /dev/null 2>&1
  kubelet_cert_auto_update=$?
  set -e
  if [[ "$kubelet_cert_auto_update" == "0" ]]; then
    log::warning "does not need to update kubelet.conf"
  else
    cert::update_kubeconf "${KUBE_PATH}/kubelet"
  fi

  # generate front-proxy-client certificate
  # use front-proxy-client ca
  CA_CERT=${PKI_PATH}/front-proxy-ca.crt
  CA_KEY=${PKI_PATH}/front-proxy-ca.key
  check_file "${CA_CERT}"
  check_file "${CA_KEY}"
  CART_NAME=${PKI_PATH}/front-proxy-client
  cert::gen_cert "${CART_NAME}" "client" "/CN=front-proxy-client" "${CAER_DAYS}"

  # restart apiserve, controller-manager, scheduler and kubelet
  docker ps | awk '/k8s_kube-apiserver/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-apiserver"
  docker ps | awk '/k8s_kube-controller-manager/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-controller-manager"
  docker ps | awk '/k8s_kube-scheduler/{print$1}' | xargs -r -I '{}' docker restart {} || true
  log::info "restarted kube-scheduler"
  systemctl restart kubelet
  log::info "restarted kubelet"
}

main() {
  local node_tpye=$1
  
  KUBE_PATH=/etc/kubernetes
  CAER_DAYS=3650

  # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
  cert::backup_file "${KUBE_PATH}"

  case ${node_tpye} in
    etcd)
	  # update etcd certificates
      cert::update_etcd_cert
    ;;
    master)
	  # update master certificates and kubeconf
      cert::update_master_cert
    ;;
    all)
      # update etcd certificates
      cert::update_etcd_cert
      # update master certificates and kubeconf
      cert::update_master_cert
    ;;
    *)
      log::err "unknow, unsupported certs type: ${cert_type}, supported type: all, etcd, master"
      printf "Documentation: https://github.com/yuyicai/update-kube-cert
  example:
    '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-etcd-client.crt
          ├── apiserver-kubelet-client.crt
          ├── front-proxy-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt

    '\033[32m./update-kubeadm-cert.sh etcd\033[0m' update only etcd certificates
      /etc/kubernetes
      └── pki
          ├── apiserver-etcd-client.crt
          └── etcd
              ├── healthcheck-client.crt
              ├── peer.crt
              └── server.crt

    '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf
      /etc/kubernetes
      ├── admin.conf
      ├── controller-manager.conf
      ├── scheduler.conf
      ├── kubelet.conf
      └── pki
          ├── apiserver.crt
          ├── apiserver-kubelet-client.crt
          └── front-proxy-client.crt
"
      exit 1
    esac
}

main "$@"

在主节点执行命令查看证书有效期

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep Not
            Not Before: Apr 22 15:05:11 2024 GMT
            Not After : Apr 20 15:05:11 2034 GMT

openssl x509 -in /etc/kubernetes/pki/apiserver-etcd-client.crt -noout -text |grep Not
            Not Before: Apr 22 15:05:11 2024 GMT
            Not After : Apr 20 15:05:11 2034 GMT

openssl x509 -in /etc/kubernetes/pki/front-proxy-ca.crt -noout -text |grep Not
            Not Before: Apr 22 14:09:36 2024 GMT
            Not After : Apr 20 14:14:36 2034 GMT

安装kuboard v3

docker pull registry.aliyuncs.com/google_containers/eipwork/kuboard:v3

运行kuboard

sudo docker run -d --restart=unless-stopped --name=kuboard -p 31000:80/tcp -p 10081:10081/tcp -e KUBOARD_ENDPOINT="http://172.16.17.xxx:31000" -e KUBOARD_AGENT_SERVER_TCP_PORT="10081" -v /root/kuboard-data:/data eipwork/kuboard:v3

在这里插入图片描述

复制粘贴 就完成了。

❀͜͡傀儡师
关注
  • 28
    点赞
  • 23
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
KubernetesKubernetes各大版本的最新版本下载地址
cnskylee的博客
06-21 5186
截至2022年6月21日,Kubernetes各大版本的最新版本下载地址:
k8s集群部署篇】在openEuler环境下部署多master高可用kubernetes集群详细教程(V1.30版本)
最新发布
jks212454的博客
08-06 723
k8s集群部署篇】在openEuler环境下部署多master高可用kubernetes集群详细教程(V1.30版本)
k8sKubernetes 1.29.4离线安装部署(总)
Qinghub‘博客
04-19 5781
Kubernetes 1.29.4 离线安装部署;脚本化快速部署容器运行时采用Containerd;逐步支持多平台部署
k8s v1.30 完整安装过程及CNI安装过程总结
从善若水的博客
07-21 1132
k8s v1.30 完整安装过程及CNI安装过程总结
k8s学习(三十七)centos下离线部署kubernetes1.30(高可用)
文若书生的专栏
04-27 1671
k8s-master01 init后提示的不带control-plane的命令后添加–cri-socket unix:///var/run/cri-dockerd.sock。在初始化k8s集群的使用,IP填写的vip,这样安装好k8s集群之后,kubectl客户端而言,访问的vip:16443端口,该端口是nginx监听的端口,nginx会进行反向代理到3个master节点上的6443端口。(6)添加controlPlaneEndpoint处配置,配置为VIP:16443。
搭建一个单节点k8s集群
qq_41527782的博客
09-23 892
首先安装kubectl 、kubeadm 、kubelet # 关闭文件交换 sudo swapoff -a # 创建单节点集群 kubeadm init --pod-network-cidr=192.168.0.0/16 --kubernetes-version=v1.16.3 --v=5 --control-plane-endpoint "127.0.0.1:6443" --upload-certs # 配置.kube,其中/etc/kubernetes/admin.conf具备整个集群管理员权限
OpenEuler系统下——k8s离线安装部署
JosenChina的博客
07-28 1396
K8S是目前已经是业界最为流行的开源技术框架,但是苦于其学习难度较大,并且初学者在开始的时候需要自己进行安装搭建部署,以供后续的学习使用,但是国内经常会出现无法访问外网的官方网站,导致很多镜像和依赖包无法自动安装部署。本博客主要讲解了如何在离线环境下安装搭建k8s集群,以及最终的验证效果。
官方文档k8s1.30安装部署高可用集群,kubeadm安装Kubernetes1.30最新版本
雪花凌落的盛夏
05-09 5273
或者你也可以使用默认端口, 把 API 服务器放到一个监听 443 端口的负载均衡器后面,并且路由所有请求到 API 服务器的默认端口。当你在一个有严格网络边界的环境里运行 Kubernetes,例如拥有物理网络防火墙或者拥有公有云中虚拟网络的自有数据中心, 了解 Kubernetes 组件使用了哪些端口和协议是非常有用的。标志用来将在所有控制平面实例之间的共享证书上传到集群。需要修改的地方为,如果上面初始化主节点时修改过POD的IP,去掉注释,替换为修改的pod的IP,我这里没有修改过,所以不用替换。
k8s集群部署篇】在openEuler环境下部署单master节点kubernetes集群详细教程(V1.30版本)
jks212454的博客
08-05 96
k8s集群部署篇】在openEuler环境下部署单master节点kubernetes集群详细教程(V1.30版本)
kubernetes1.30集群部署+dashboard+heapster
内德
01-23 1914
v2.1 1、系统配置 1.1、禁用防火墙、禁用selinux #防火墙禁用 systemctl stop firewalld systemctl disable firewalld #SELinux禁用 setenforce 0 sed -i '/^SE/s/enforcing/disabled/' /etc/selinux/config  1.2、创建修改内核文件/etc/sysc...
【云原生】kubernetes最新版本1.30.2,集群搭建部署全方位攻略
热门推荐
景天科技苑
06-24 2万+
目前k8s最新版本1.30.2集群搭建部署,保姆级教程,一文搞定搭建过程中的所有疑难杂症
安装k8s 1.28 所需的离线镜像包
03-19
部署k8s1.28集群所需离线镜像包,已经为大家准备好了,大家有需要可以自行下载下载部署的方法,在主页k8s专栏的文章中有详细说明,如果大家有疑问可以查看文章,或者私信我,我会尽快回复,谢谢大家 registry.aliyuncs.com/google_containers/kube-apiserver:v1.28.2 registry.aliyuncs.com/google_containers/kube-scheduler:v1.28.2 registry.aliyuncs.com/google_containers/kube-controller-manager:v1.28.2 registry.aliyuncs.com/google_containers/kube-proxy:v1.28.2 registry.aliyuncs.com/google_containers/coredns:v1.10.1 registry.aliyuncs.com/google_containers/pause:3.9 registry.aliyuncs.com/google_containe
Kubernetes系列】CentOS8下部署Kubernetes1.24
邓邓子的博客
06-13 4062
操作系统:CentOS 8.5.2111 2.禁用 SELinux (1)临时关闭 (2)永久关闭 将: 修改为: 3.关闭 firewalld 4.关闭 swap,注释 swap 分区 Kubernetes 1.8 开始要求关闭系统的 Swap,如果不关闭,默认配置下 kubelet 将无法启动。 使用如下命令关闭 Swap: 修改 /etc/fstab 文件,注释掉 swap 的自动挂载,使用 free -m 确认 swap 已经关闭: 调整 swappiness 参数,修改 /etc/sysc
kubeadm离线部署kubernetesv1.30.0
weixin_41489136的博客
07-06 455
背景:最近由于docker image获取镜像受限的问题,以及公司内部部署kubernetes受限于内部网络无法访问公网的问题,对于离线部署kubernetes成为不是十分方便。谨以此文仅供参考。
Kubernetes离线部署(Ubuntu)方法试验
weixin_33834910的博客
12-13 213
为了在内网上使用Kubernetes,有时候因为网络原因,需要离线进行部署。 裸机安装 我这里使用Ubuntu进行试验,需要解决几个问题: Ubuntu的离线安装。下载,安装时选择不联网可以正常完成,没有问题。 Ubuntu的包更新,应用系统包必须更新到较新版本,否则有的软件安装不上。 这个可以通过建立本地内网的Archive镜像来实现。 这...
银河麒麟V10 ARM64 kubernetes 1.30.0 基于Containerd 离线搭建
q1009020096的博客
04-29 1443
可以看到当前集群中已经一个节点,但是处于 NotReady状态,这是应为没有安装CNI的原因。在安装前请检查你的libseccomp版本 是否大于 2.5.0,若低于2.5.0 请升级。镜像拉取完成后生成证书和相关配置文件,之后启动control-plane。重新加载服务,设置开机启动,启动containerd服务。这个阶段启动的kubelet由于没有配置,将不断重启。再次查看节点状态时,可以发现节点状态已经变为。节点名称为当前节点的名称,注意这里是主节点。设置开机启动,并立刻启动kubelet。
kubernetes集群(k8s)之安装部署Calico 网络
2302_77582029的博客
08-14 1万+
kubernetes集群(k8s)之安装部署Calico 网络
centos7.9使用kubeadm部署k8s v1.30.3
qq_52634099的博客
08-02 1234
说明:这命令在master节点使用kubeadm token create --ttl 0 --print-join-command生成的,添加节点需要指定cri-dockerd接口–cri-socket ,这里是使用cri-dockerd,如果是containerd则使用–cri-socket unix:///run/containerd/containerd.sock。--pod-network-cidr Pod网络,与下面部署的CNI网络组件yaml中保持一致。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

❀͜͡傀儡师

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值