目 录
一、Kubernetes二进制部署之master组件部署
①master组件介绍
master:主控节点
- API Server:集群统一入口,以restful风格进行操作,同时交给etcd存储
- 提供认证、授权、访问控制、API注册和发现等机制
- scheduler:节点的调度,选择node节点应用部署
- controller-manager:处理集群中常规后台任务,一个资源对应一个控制器
- etcd:存储系统,用于保存集群中的相关数据
②master组件部署之api-server
#在master上操作,api-server生成证书
[root@localhost k8s]# unzip master.zip
[root@localhost k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost k8s]# mkdir k8s-cert
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# ls
[root@localhost k8s-cert]# vim k8s-cert.sh
#!/bin/bash
#配置证书生成策略,让 CA 软件知道颁发有什么功能的证书,生成用来签发其他组件证书的根证书
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
#生成CA证书和私钥(根证书和私钥)
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
#生成 apiserver 的证书和私钥(apiserver和其它k8s组件通信使用)
#hosts中将所有可能作为 apiserver 的 ip 添加进去,后面 keepalived 使用的 VIP 也要加入
cat > apiserver-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.17.33",
"192.168.17.133",
"192.168.17.100",
"192.168.17.166",
"192.168.17.199",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
#-----------------------
#生成 kubectl 的证书和私钥,具有admin权限
cat > admin-csr.json <<EOF
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
#-----------------------
#生成 kube-proxy 的证书和私钥
cat > kube-proxy-csr.json <<EOF
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
//生成k8s证书
[root@localhost k8s-cert]# bash k8s-cert.sh
##以下为提示信息
2021/08/12 15:22:55 [INFO] generating a new CA key and certificate from CSR
2021/08/12 15:22:55 [INFO] generate received request
2021/08/12 15:22:55 [INFO] received CSR
2021/08/12 15:22:55 [INFO] generating key: rsa-2048
2021/08/12 15:22:55 [INFO] encoded CSR
2021/08/12 15:22:55 [INFO] signed certificate with serial number 608528451684046926466150786938809600652198766056
2021/08/12 15:22:55 [INFO] generate received request
2021/08/12 15:22:55 [INFO] received CSR
2021/08/12 15:22:55 [INFO] generating key: rsa-2048
2021/08/12 15:22:56 [INFO] encoded CSR
2021/08/12 15:22:56 [INFO] signed certificate with serial number 629948084244607721196736257118385634435529329704
2021/08/12 15:22:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2021/08/12 15:22:56 [INFO] generate received request
2021/08/12 15:22:56 [INFO] received CSR
2021/08/12 15:22:56 [INFO] generating key: rsa-2048
2021/08/12 15:22:56 [INFO] encoded CSR
2021/08/12 15:22:56 [INFO] signed certificate with serial number 16087301261459009712814066341008233387464434682
2021/08/12 15:22:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2021/08/12 15:22:56 [INFO] generate received request
2021/08/12 15:22:56 [INFO] received CSR
2021/08/12 15:22:56 [INFO] generating key: rsa-2048
2021/08/12 15:22:56 [INFO] encoded CSR
2021/08/12 15:22:56 [INFO] signed certificate with serial number 269567596053275781645616929930983971365033380020
2021/08/12 15:22:56 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@localhost k8s-cert]# ls *pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
注释:此处为每个没个IP地址代表的意思
③master组件部署之启动服务
[root@localhost k8s-cert]# cp ca*pem apiserver*pem /opt/kubernetes/ssl/
[root@localhost k8s-cert]# cd ..
#解压kubernetes压缩包
[root@localhost k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@localhost k8s]# cd /root/k8s/kubernetes/server/bin
#复制关键命令文件
[root@localhost bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@localhost k8s]# cd /root/k8s
[root@localhost k8s]# vim /opt/kubernetes/cfg/token.csv
0fa22baf7b92984433ffc86aec3ad829,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
序列号,用户名,id,角色
//使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 可以随机生成序列号
//二进制文件,token,证书都准备好,开启apiserver
[root@localhost k8s]# bash apiserver.sh 192.168.17.33 https://192.168.17.33:2379,https://192.168.17.66:2379,https://192.168.17.99:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
#检查进程是否启动成功
[root@localhost k8s]# ps aux | grep kube
#查看配置文件
[root@localhost k8s]# cat /opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.17.33:2379,https://192.168.17.66:2379,https://192.168.17.99:2379 \
--bind-address=192.168.17.33 \
--secure-port=6443 \
--advertise-address=192.168.17.33 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/apiserver.pem \
--tls-private-key-file=/opt/kubernetes/ssl/apiserver-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
#查看监听的https端口
[root@localhost k8s]# netstat -ntap | grep 6443
tcp 0 0 192.168.195.149:6443 0.0.0.0:* LISTEN 46459/kube-apiserve
tcp 0 0 192.168.195.149:6443 192.168.195.149:36806 ESTABLISHED 46459/kube-apiserve
tcp 0 0 192.168.195.149:36806 192.168.195.149:6443 ESTABLISHED 46459/kube-apiserve
[root@localhost k8s]# netstat -ntap | grep 8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 46459/kube-apiserve
#启动scheduler服务
[root@localhost k8s]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@localhost k8s]# ps aux | grep ku
[root@localhost k8s]# chmod +x controller-manager.sh
#启动controller-manager
[root@localhost k8s]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
#查看master 节点状态
[root@localhost k8s]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
④master组件部署总图解
二、Kubernetes二进制部署之master和node混合操作部署
以下按照序号一一操作!!!!!!!!!!!
①在master节点上操作
#master上操作
#把 kubelet、kube-proxy拷贝到node节点上去
[root@localhost bin]# scp kubelet kube-proxy root@192.168.17.66:/opt/kubernetes/bin/
[root@localhost bin]# scp kubelet kube-proxy root@192.168.17.99:/opt/kubernetes/bin/
②在node1节点上操作
#nod01节点操作(复制node.zip到/root目录下再解压)
[root@localhost ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz node.zip 公共 视频 文档 音乐
flannel.sh initial-setup-ks.cfg README.md 模板 图片 下载 桌面
#解压node.zip,获得kubelet.sh proxy.sh
[root@localhost ~]# unzip node.zip
③在master节点上操作
#在master上操作
[root@localhost k8s]# mkdir kubeconfig
[root@localhost k8s]# cd kubeconfig/
#拷贝kubeconfig.sh文件进行重命名
[root@k8s-master-01 ~/k8s/kubeconfig]# ls
kubeconfig.sh
[root@k8s-master-01 ~/k8s/kubeconfig]# chmod +x kubeconfig.sh
#获取token信息(红色部分)
[root@localhost ~]# cat /opt/kubernetes/cfg/token.csv
6351d652249951f79c33acdab329e4c4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
#配置文件修改为tokenID
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=6351d652249951f79c33acdab329e4c4 \
--kubeconfig=bootstrap.kubeconfig
#设置环境变量(可以写入到/etc/profile中)
[root@localhost kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
[root@localhost kubeconfig]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
#生成配置文件
[root@localhost kubeconfig]# ./kubeconfig 192.168.17.33 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@localhost kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
#拷贝配置文件到node节点
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.17.66:/opt/kubernetes/cfg/
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.17.99:/opt/kubernetes/cfg/
#创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)
[root@localhost kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
④在node1节点上操作
#在node01节点上操作
[root@localhost ~]# bash kubelet.sh 192.168.17.66
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
#检查kubelet服务启动
[root@localhost ~]# ps aux | grep kube
root 106845 1.4 1.1 371744 44780 ? Ssl 00:34 0:01 /opt/kubernetes/bin/kubelet --logtostderr=true --v=4 --hostname-override=192.168.195.150 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubconfig --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfgkubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 106876 0.0 0.0 112676 984 pts/0 S+ 00:35 0:00 grep --color=auto kube
⑤在master节点上操作
#master上操作
#检查到node01节点的请求
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-6lzVWeMnISMwhbacHIVq51-UjGtKXDSD8phG00Dpf7I 87s kubelet-bootstrap Pending(等待集群给该节点颁发证书)
[root@localhost kubeconfig]# kubectl certificate approve node-csr-6lzVWeMnISMwhbacHIVq51-UjGtKXDSD8phG00Dpf7I
certificatesigningrequest.certificates.k8s.io/node-csr-6lzVWeMnISMwhbacHIVq51-UjGtKXDSD8phG00Dpf7I approved
#继续查看证书状态
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-6lzVWeMnISMwhbacHIVq51-UjGtKXDSD8phG00Dpf7I 2m42s kubelet-bootstrap Approved,Issued
(已经被允许加入群集)
#查看群集节点,成功加入node01节点
[root@localhost kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.17.66 Ready <none> 47s v1.12.3
⑥在node1节点上操作
#在node01节点操作,启动proxy服务
[root@localhost ~]# bash proxy.sh 192.168.17.66
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
#查看运行状态
[root@localhost ~]# systemctl status kube-proxy.service
#在node01节点操作
#把现成的/opt/kubernetes目录复制到其他节点进行修改即可
[root@localhost ~]# scp -r /opt/kubernetes/ root@192.168.17.99:/opt/
#把kubelet,kube-proxy的service文件拷贝到node2中
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.17.99:/usr/lib/systemd/system/
⑦在node2节点上操作
#在node02上操作,进行修改
#首先删除复制过来的证书,等会node02会自行申请证书
[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *
#修改配置文件kubelet kubelet.config kube-proxy(三个配置文件)
[root@localhost ssl]# cd ../cfg/
[root@localhost cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.17.99 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
[root@localhost cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.17.99
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.17.99 \
--cluster-cidr=172.17.0.0/16 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
#启动服务
[root@localhost cfg]# systemctl start kubelet.service
[root@localhost cfg]# systemctl enable kubelet.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@localhost cfg]# systemctl start kube-proxy.service
[root@localhost cfg]# systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
⑧在master节点上操作
#在master上操作查看请求
[root@localhost k8s]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-6lzVWeMnISMwhbacHIVq51-UjGtKXDSD8phG00Dpf7I 18m kubelet-bootstrap Approved,Issued
node-csr-mk39NI5tD-Pis93QvYxwY-ywtQhrMY15eqoaobsXkCk 2m6s kubelet-bootstrap Pending
#授权许可加入群集
[root@localhost k8s]# kubectl certificate approve node-csr-mk39NI5tD-Pis93QvYxwY-ywtQhrMY15eqoaobsXkCk
certificatesigningrequest.certificates.k8s.io/node-csr-mk39NI5tD-Pis93QvYxwY-ywtQhrMY15eqoaobsXkCk approved
#查看群集中的节点
[root@localhost k8s]# kubectl get node
NAME STATUS ROLES AGE VERSION
NAME STATUS ROLES AGE VERSION
192.168.17.66 Ready <none> 17m v1.12.3
192.168.17.99 Ready <none> 27s v1.12.3