前言：之前已经部署好了 Etcd 和 Flannel，使集群中不同节点主机上创建的 Docker 容器都具有全集群唯一的虚拟 IP 地址；下面部署 Master 和 Node，实现单 master 的二进制集群。
一、部署Master组件
- 需要部署的组件
- 部署APIServer组件（token.csv）
- 部署controller-manager(指定apiserver证书)和scheduler组件
- 在master上生成api-server证书
[root@master01 k8s]# rz -E
rz waiting to receive.
[root@master01 k8s]# unzip master.zip //包含三个组件的脚本
Archive: master.zip
inflating: apiserver.sh
inflating: controller-manager.sh
inflating: scheduler.sh
[root@master01 k8s]# ls
apiserver.sh etcd-sert etcd-v3.3.10-linux-amd64.tar.gz master.zip
cfssl.sh etcd.sh flannel-v0.10.0-linux-amd64.tar.gz scheduler.sh
controller-manager.sh etcd-v3.3.10-linux-amd64 kubernetes-server-linux-amd64.tar.gz
[root@master01 k8s]# chmod +x controller-manager.sh
[root@master01 k8s]# mkdir k8s-sert //创建k8s证书目录
[root@master01 k8s]# cd k8s-sert/
[root@master01 k8s-sert]# rz -E
rz waiting to receive.
[root@master01 k8s-sert]# ls
k8s-cert.sh //生成证书的脚本
- 脚本的内容如下
[root@master01 k8s-sert]# vim k8s-cert.sh
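#!/usr/bin/env bash
# k8s-cert.sh - create the cluster CA and the certificates this deployment uses:
# server (kube-apiserver), admin (cluster-admin kubeconfig) and kube-proxy.
# All *.pem / *.csr files are written to the current directory, so run it from
# the certificate directory (k8s-sert in this walkthrough).
# ca-key.pem signs every later certificate: keep it readable by root only and
# off shared storage.
set -euo pipefail   # stop at the first failing cfssl/cfssljson stage instead of leaving a half-generated set

# CA signing policy: a single "kubernetes" profile, valid for ten years
# (87600h), usable for both server and client TLS authentication.
# Heredoc delimiters are quoted so no shell expansion can alter the JSON.
cat > ca-config.json <<'EOF'
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF

# Self-signed cluster CA -> ca.pem / ca-key.pem
cat > ca-csr.json <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
# kube-apiserver certificate -> server.pem / server-key.pem
# "hosts" must list every IP and DNS name through which the apiserver is
# reached (service cluster IP 10.0.0.1, each master, the LB/VIP addresses, the
# in-cluster service names); a client using an address missing here fails TLS
# hostname verification.
cat > server-csr.json <<'EOF'
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"192.168.170.129",
"192.168.170.100",
"192.168.170.134",
"192.168.170.131",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# The original listing dropped the closing "}"/EOF and this signing step; it
# mirrors the admin/kube-proxy invocations below and is what produces server.pem.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------
# admin client certificate -> admin.pem / admin-key.pem
# O=system:masters is the group Kubernetes RBAC treats as cluster-admin, so
# this key pair grants full cluster control and must be handled like a root
# credential.
cat > admin-csr.json <<'EOF'
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------
# kube-proxy client certificate -> kube-proxy.pem / kube-proxy-key.pem
# CN system:kube-proxy is the identity the node proxy authenticates with.
cat > kube-proxy-csr.json <<'EOF'
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy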
- 需要修改的地方（server-csr.json 的 hosts 列表：补上 127.0.0.1 和 master01 的地址。下面行尾的 // 注释只是说明，JSON 不支持注释，写入文件时不要保留）
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"127.0.0.1",
"192.168.170.128", //master01
"192.168.170.129", //master02
"192.168.170.100", //vip 公共访问入口
"192.168.170.134", //lb (master)
"192.168.170.131", //lb (backup)
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
- 执行脚本,产生8张证书
[root@master01 k8s-sert]# bash k8s-cert.sh
[root@master01 k8s-sert]# ls *pem //8张证书
admin-key.pem admin.pem ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem server-key.pem server.pem
[root@master01 k8s]# mkdir -p /opt/kubernetes/{cfg,bin,ssl} //创建命令、配置和证