Kubernetes 1.10.0 HA install
Machine preparation

| Hostname | IP | Roles |
|---|---|---|
| instance-2.c.slzcc-178908.internal | 10.140.0.2,35.229.197.59 | etcd,kube-apiserver,kube-controller-manager,kubelet,kube-proxy,kube-scheduler,kube-dns |
| instance-3.c.slzcc-178908.internal | 10.140.0.3,35.194.142.199 | etcd,kube-apiserver,kube-controller-manager,kubelet,kube-proxy,kube-scheduler |
| instance-4.c.slzcc-178908.internal | 10.140.0.4,35.194.196.149 | etcd,kube-apiserver,kube-controller-manager,kubelet,kube-proxy,kube-scheduler |
| instance-5.c.slzcc-178908.internal | 10.140.0.5 | kubelet,kube-proxy |
| instance-6.c.slzcc-178908.internal | 10.140.0.6 | kubelet,kube-proxy |
| instance-7.c.slzcc-178908.internal | 10.140.0.7 | kubelet,kube-proxy |
Environment preparation
SSH
Configure passwordless SSH login (the configuration below is for nodes running on Google Cloud):
```sh
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FgpTgF1qnUPd0ojEg5Hvt7nk/yHZn6BsHg7Z4neiObc root@instance-2
```
Then put the contents of each of the three nodes' SSH public keys (.ssh/id_rsa.pub) into .ssh/authorized_keys, as below; each of the three machines gets all three public key entries:
.ssh/authorized_keys
Docker
All nodes: install Docker:
```sh
# docker
$ apt-get update && apt-get install -y curl apt-transport-https
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
$ cat <<EOF > /etc/apt/sources.list.d/docker.list
deb https://download.docker.com/linux/$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable
EOF
$ apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
```
Modify the dockerd configuration:
/etc/docker/daemon.json
```json
{
  "storage-driver": "overlay2",
  "storage-opts": ["overlay2.override_kernel_check=true"]
}
```
Restart Docker:
```sh
$ systemctl restart docker
```
Kernel parameters
All nodes: configure the kernel parameters:
```sh
$ cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
$ sysctl -p /etc/sysctl.d/k8s.conf
```
Disable swap
All nodes: Kubernetes v1.8+ requires swap to be disabled, otherwise the kubelet will not start properly:
```sh
$ swapoff -a && sysctl -w vm.swappiness=0
```
Kubernetes binaries
All MASTER nodes: download and install the Kubernetes server binaries:
```sh
$ wget https://dl.k8s.io/v1.10.0/kubernetes-server-linux-amd64.tar.gz
$ tar zxf kubernetes-server-linux-amd64.tar.gz && cp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kube-proxy,kubelet} /usr/local/bin/
```
All NODE nodes: download and install the Kubernetes node binaries:
```sh
$ wget https://dl.k8s.io/v1.10.0/kubernetes-node-linux-amd64.tar.gz
$ tar zxf kubernetes-node-linux-amd64.tar.gz && cp kubernetes/node/bin/{kubelet,kube-proxy} /usr/local/bin/
```
Kubernetes CNI binaries
All nodes: download and install the Kubernetes CNI binaries:
Cfssl
Single MASTER node: install cfssl:
```sh
$ curl -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ curl -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x /usr/local/bin/cfssl*
```
Etcd CA
Single MASTER node: create the cfssl configuration files:
Download ca-config.json and etcd-ca-csr.json, and generate the CA certificate:
```sh
$ wget "${PKI_URL}/ca-config.json" "${PKI_URL}/etcd-ca-csr.json"
$ cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
$ ls etcd-ca*
etcd-ca.csr  etcd-ca-csr.json  etcd-ca-key.pem  etcd-ca.pem
```
Download etcd-csr.json and generate the etcd certificate:
```sh
$ wget "${PKI_URL}/etcd-csr.json"
$ cfssl gencert \
  -ca=etcd-ca.pem \
  -ca-key=etcd-ca-key.pem \
  -config=ca-config.json \
  -hostname=127.0.0.1,10.140.0.2,10.140.0.3,10.140.0.4 \
  -profile=kubernetes \
  etcd-csr.json | cfssljson -bare etcd
$ ls etcd.*
etcd.csr  etcd.pem
```
The hostname list must contain every etcd master node.
Delete the files that are no longer needed:
```sh
$ rm -rf *.json *.csr
$ ls /etc/etcd/ssl
etcd-ca-key.pem  etcd-ca.pem  etcd-key.pem  etcd.pem
```
Copy the files to the other etcd master nodes:
```sh
$ for NODE in instance-3 instance-4; do
    echo "--- $NODE ---"
    ssh ${NODE} "mkdir -p /etc/etcd/ssl"
    for FILE in etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem; do
      scp /etc/etcd/ssl/${FILE} ${NODE}:/etc/etcd/ssl/${FILE}
    done
  done
```
Kubernetes CA
Single MASTER node: create the pki configuration directory:
Download ca-config.json and ca-csr.json, and generate the CA certificate:
```sh
$ wget "${PKI_URL}/ca-config.json" "${PKI_URL}/ca-csr.json"
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls ca*.pem
ca-key.pem  ca.pem
```
API Server Certificate
Download apiserver-csr.json and generate the API Server certificate:
```sh
$ wget "${PKI_URL}/apiserver-csr.json"
$ cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=10.96.0.1,192.168.35.10,127.0.0.1,10.140.0.2,10.140.0.3,10.140.0.4,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local \
  -profile=kubernetes \
  apiserver-csr.json | cfssljson -bare apiserver
$ ls apiserver*.pem
apiserver-key.pem  apiserver.pem
```
- 10.96.0.1 in the hostname list is the Cluster IP, i.e. the address of the Kubernetes service.
- 192.168.35.10 is the virtual IP (VIP). (A VIP defined this way may not work on cloud servers, so problems can arise here; it is best to test on physical machines or similar, or to use a load balancer instead, in which case keepalived is not needed.)
- kubernetes.default is the Kubernetes DNS name.
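A missing SAN or a leaf signed by the wrong CA only surfaces later as a TLS handshake failure, so it pays to check each issued certificate (etcd.pem against etcd-ca.pem, apiserver.pem and admin.pem against ca.pem) before distributing it. The following check is an added example, not part of the original post; `check_cert` is a hypothetical helper, and `demo` builds a throwaway CA and leaf with openssl (constructed material, not the page's cfssl output) whose SAN list deliberately omits the VIP so the failure path is visible.

```shell
#!/bin/sh
# check_cert CA_FILE CERT_FILE SAN...   SANs are written as IP:<addr> or DNS:<name>
# Returns 0 only if CERT_FILE chains to CA_FILE and carries every listed SAN.
check_cert() {
  ca="$1"; cert="$2"; shift 2
  # 1. chain: the leaf must verify against exactly this CA, not just "some" CA
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: FAIL ($cert is not signed by $ca)"; return 1
  fi
  # 2. SANs: pull the SAN line out of -text output, one entry per line,
  #    normalising "IP Address:" to the shorter "IP:" form used by callers
  sans=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
         | tail -1 | tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/')
  missing=0
  for want in "$@"; do
    echo "$sans" | grep -qx "$want" || { echo "san: MISSING $want in $cert"; missing=1; }
  done
  [ "$missing" -eq 0 ] && echo "ok: $cert chains to $ca and has all $# expected SANs"
  return $missing
}

# Constructed demo (not the page's PKI): a one-day CA and an apiserver-style leaf.
demo() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
    -keyout "$d/apiserver-key.pem" -out "$d/apiserver.csr" 2>/dev/null
  # The VIP 192.168.35.10 is left out on purpose.
  echo "subjectAltName=IP:127.0.0.1,IP:10.96.0.1,IP:10.140.0.2,DNS:kubernetes.default" > "$d/ext.cnf"
  openssl x509 -req -in "$d/apiserver.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/apiserver.pem" 2>/dev/null
  # Expected: first call passes, second reports the missing VIP and fails.
  check_cert "$d/ca.pem" "$d/apiserver.pem" IP:127.0.0.1 IP:10.96.0.1 IP:10.140.0.2 DNS:kubernetes.default
  r1=$?
  check_cert "$d/ca.pem" "$d/apiserver.pem" IP:192.168.35.10
  r2=$?
  rm -rf "$d"
  [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ]
}

demo
```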
Front Proxy Certificate
Download front-proxy-ca-csr.json and generate the CA certificate; the Front Proxy is used mainly by the API aggregator:
```sh
$ wget "${PKI_URL}/front-proxy-ca-csr.json"
$ cfssl gencert \
  -initca front-proxy-ca-csr.json | cfssljson -bare front-proxy-ca
$ ls front-proxy-ca*.pem
front-proxy-ca-key.pem  front-proxy-ca.pem
```
Download front-proxy-client-csr.json and generate the client certificate:
```sh
$ wget "${PKI_URL}/front-proxy-client-csr.json"
$ cfssl gencert \
  -ca=front-proxy-ca.pem \
  -ca-key=front-proxy-ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  front-proxy-client-csr.json | cfssljson -bare front-proxy-client
$ ls front-proxy-client*.pem
front-proxy-client-key.pem  front-proxy-client.pem
```
Admin Certificate
Download admin-csr.json and generate the admin certificate:
```sh
$ wget "${PKI_URL}/admin-csr.json"
$ cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
$ ls admin*.pem
admin-key.pem  admin.pem
```
Generate the admin kubeconfig with the following commands:
```sh
# admin set cluster
$ kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=../admin.conf
# admin set credentials
$ kubectl config set-credentials kubernetes-admin \
  --client-certificate=admin.pem \
  --client-key=admin-key.pem \
  --embed-certs=true \
  --kubeconfig=../admin.conf
# admin set context
$ kubectl config set-context kubernetes-admin@kubernetes \
  --cluster=kubernetes \
  --user=kubernetes-admin \
  --kubeconfig=../admin.conf
# admin set default context
$
```