文章目录
一:单master节点用二进制部署k8s集群
1.1:环境需求
| 节点 | IP |
|---|---|
| master | 20.0.0.111 |
| node01 | 20.0.0.113 |
| node02 | 20.0.0.114 |
- 防火墙规则(三个节点都需要设置,这里以master节点为例)
[root@master ~]# systemctl stop firewalld && systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@master ~]# setenforce 0 && sed -i "s/SELINUX=enforcing/SELNIUX=disabled/g" /etc/selinux/config
1.2:ETCD集群部署
- master节点创建k8s文件夹上传etcd脚本,下载cffssl官方证书生成工具
[root@master ~]# mkdir -p k8s/etcd-cert
[root@master ~]# cd k8s/
[root@master k8s]# rz -E ###上传etcd脚本'
rz waiting to receive.
[root@master k8s]# ls
etcd-cert etcd-cert.sh etcd.sh
[root@master k8s]# mv etcd-cert.sh etcd-cert ###移动到相应目录'
[root@master k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@master k8s]# bash cfssl.sh ###运行下载工具的脚本'
[root@master k8s]# ls /usr/local/bin/
cfssl cfssl-certinfo cfssljson ###cfssl:生成证书工具、cfssljson:通过传入json文件生成证书、cfssl-certinfo查看证书信息'
- 创建证书
[root@master k8s]# cd etcd-cert/
[root@master etcd-cert]# ls
etcd-cert.sh
[root@master etcd-cert]# vim etcd-cert.sh
[root@master etcd-cert]# cat > ca-config.json <<EOF '//定义ca证书配置文件'
> {
> "signing": {
> "default": {
> "expiry": "87600h" '//有效期10年'
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@master etcd-cert]# ls
ca-config.json etcd-cert.sh
[root@master etcd-cert]# cat > ca-csr.json <<EOF '//实现证书签名'
> {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing"
> }
> ]
> }
> EOF
[root@master etcd-cert]# ls
ca-config.json ca-csr.json etcd-cert.sh
[root@master etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca - '//生成证书:ca-key.pem、ca.pem'
2020/11/23 16:30:10 [INFO] generating a new CA key and certificate from CSR
2020/11/23 16:30:10 [INFO] generate received request
2020/11/23 16:30:10 [INFO] received CSR
2020/11/23 16:30:10 [INFO] generating key: rsa-2048
2020/11/23 16:30:10 [INFO] encoded CSR
2020/11/23 16:30:10 [INFO] signed certificate with serial number 627688569501939751033650268553951663355426596234
[root@master etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem etcd-cert.sh
- 指定etcd三个节点之间的通信验证
[root@master etcd-cert]# cat > server-csr.json <<EOF ###配置服务器端的签名文件'
> {
> "CN": "etcd",
> "hosts": [
> "20.0.0.111",
> "20.0.0.113",
> "20.0.0.114"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing"
> }
> ]
> }
> EOF
[root@master etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem etcd-cert.sh server-csr.json
[root@master etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server ###服务器端使用签名文件生成ETCD证书,生成server-key.pem和server.pem证书'
2020/11/23 16:35:11 [INFO] generate received request
2020/11/23 16:35:11 [INFO] received CSR
2020/11/23 16:35:11 [INFO] generating key: rsa-2048
2020/11/23 16:35:11 [INFO] encoded CSR
2020/11/23 16:35:11 [INFO] signed certificate with serial number 104231949478288171020459643652243317335608475999
2020/11/23 16:35:11 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master etcd-cert]# ls
ca-config.json ca-csr.json ca.pem server.csr server-key.pem
ca.csr ca-key.pem etcd-cert.sh server-csr.json server.pem
- 下载并解压ETCD二进制包,地址:https://github.com/etcd-io/etcd/releases
[root@master k8s]# rz -E ###下载较费时,之前以下载好直接上传,还有flannel和kubernetes-server的软件也一起上传
rz waiting to receive.
[root@master k8s]# ls
cfssl.sh etcd.sh flannel-v0.10.0-linux-amd64.tar.gz
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
[root@master k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz ###解压软件
- 创建命令、配置文件和证书的文件夹,并移动到其管理目录下,方便调用
[root@master k8s]# mkdir -p /opt/etcd/{cfg,bin,ssl}
[root@master k8s]# ls /opt/etcd/
bin cfg ssl
[root@master k8s]# ls etcd-v3.3.10-linux-amd64
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
[root@master k8s]# mv etcd-v3.3.10-linux-amd64/etcd* /opt/etcd/bin ###移动命令到刚刚创建的 bin目录'
[root@master k8s]# ls /opt/etcd/bin/
etcd etcdctl
[root@master k8s]# cp etcd-cert/*.pem /opt/etcd/ssl ###将证书文件复制到刚刚创建的ssl目录'
[root@master k8s]# ls /opt/etcd/ssl
ca-key.pem ca.pem server-key.pem server.pem
[root@master k8s]# vim etcd.sh '//查看配置文件'
...省略内容
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380" ###2380端口是etcd内部通信端口'
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379" ###2379是单个etcd对外提供的端口'
...省略内容
- 进入卡住状态等待其他节点加入
[root@localhost k8s]# bash etcd.sh etcd01 20.0.0.111 etcd02=https://20.0.0.113:2380,etcd03=https://20.0.0.114:2380
//使用另外一个会话打开,会发现etcd进程已经开启
[root@localhost ~]# ps -ef | grep etcd
- 拷贝证书和启动脚本到两个node节点
[root@master k8s]# scp -r /opt/etcd/ root@20.0.0.113:/opt/
[root@master k8s]# scp -r /opt/etcd/ root@20.0.0.114:/opt
[root@master k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.113:/usr/lib/systemd/system/
[root@master k8s]# scp /usr/lib/systemd/system/etcd.service root@20.0.0.114:/usr/lib/systemd/system/
- node01和node02节点修改etcd配置文件,修改相应的名称和IP地址
- node01节点操作,node02也要做相应操作,此处以node01为例
[root@node1 ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02" ###节点名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://20.0.0.113:2380"
ETCD_LISTEN_CLIENT_URLS="https://20.0.0.113:2379" ###修改为node节点对应的地址
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://20.0.0.113:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://20.0.0.113:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://20.0.0.111:2380,etcd02=https://20.0.0.113:2380,etcd03=https
://20.0.0.114:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
- 先开启master节点的集群脚本,然后开启两个node节点的etcd
[root@master k8s]# bash etcd.sh etcd01 20.0.0.111 etcd02=https://20.0.0.113:2380,etcd03=https://20.0.0.114:2380 ###master节点开启集群脚本'
[root@node01 ~]# systemctl start etcd ###然后两个节点启动etcd'
[root@node01 ~]# systemctl status etcd
[root@node02 ~]# systemctl starts etcd
[root@node02 ~]# systemctl status etcd
- 检查集群状态
[root@master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379" cluster-health
member 3eae9a550e2e3ec is healthy: got healthy result from https://20.0.0.114:2379
member 26cd4dcf17bc5cbd is healthy: got healthy result from https://20.0.0.113:2379
member 2fcd2df8a9411750 is healthy: got healthy result from https://20.0.0.111:2379
cluster is healthy ###集群状态健康,etcd集群部署成功
1.3:所有node节点部署docker环境
- 此处以node01节点为例,node02节点做相同的操作
[root@node1 ~]# vim docker.sh
#!/bin/bash
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
systemctl restart network
yum -y install yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce
service docker start
cd /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://yu1vx79j.mirror.aliyuncs.com"]
}
EOF
systemctl daemon-reload
systemctl restart docker
[root@node1 ~]#chmod +x docker.sh ###给脚本执行权限
[root@node1 ~]#./docker.sh ###执行脚本
14:flannel网络配置
- 写入分配的子网段到ETCD中,供flannel使用
//master操作
[root@master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
- 查看写入的信息
[root@master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
- 在两个node节点部署flannel
[root@master k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.113:/root
[root@master k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz root@20.0.0.114:/root
- 所有node节点进行解压
[root@node01 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
flanneld
mk-docker-opts.sh
README.md
- node节点创建k8s工作目录,将两个脚本拷贝到相应工作目录
[root@node01 opt]# mkdir -p /opt/k8s/{cfg,bin,ssl} ###创建对应配置文件,命令和证书目录'
[root@node01 opt]# mv mk-docker-opts.sh flanneld ./k8s/bin/ ###移动flannel脚本命令到相应目录'
[root@node01 opt]# ls k8s/bin/
mk-docker-opts.sh
- 两个node节点都编辑flannel.sh脚本:创建配置文件与启动脚本,定义的端口是2379,节点对外提供的端口
[root@node01 opt]# vim flannel.sh
#!/bin/bash
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/k8s/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem \"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/k8s/cfg/flanneld
ExecStart=/opt/k8s/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/k8s/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
- 开启flannel网络功能
[root@node01 opt]# bash flannel.sh https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
- 配置docker连接flannel网络
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID ###找到此段,并插入标红的两项
TimeoutSec=0
RestartSec=2
Restart=always
- 查看flannel分配给docker的IP地址
[root@localhost ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.65.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
//说明:bip指定启动时的子网
DOCKER_NETWORK_OPTIONS=" --bip=172.17.65.1/24 --ip-masq=false --mtu=1450"
- 重启Docker服务,查看flannel网络变化
[root@node01 opt]# systemctl daemon-reload
[root@node01 opt]# systemctl restart docker
[root@node01 opt]# ifconfig '//两个节点应该能查看到各自对应的flannel网络的网段'
10 创建容器测试两个node节点是否互联
[root@node01 opt]# docker run -it centos:7 /bin/bash '//两个节点都创建并运行容器'
[root@8ffe415fb35e /]# yum -y install net-tools '//两个容器中都安装网络工具'
[root@8ffe415fb35e /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.65.2 netmask 255.255.255.0 broadcast 172.17.65.255
...省略内容 '//经过查看,node01节点容器的IP地址是172.17.65.2,node02节点容器的IP地址是172.17.5.2 '
[root@8ffe415fb35e /]# ping 172.17.5.2 ###node01节点的容器ping node02节点的容器成功'
PING 172.17.5.2 (172.17.4.2) 56(84) bytes of data.
64 bytes from 172.17.4.2: icmp_seq=1 ttl=62 time=0.477 ms
64 bytes from 172.17.4.2: icmp_seq=2 ttl=62 time=0.697 ms
64 bytes from 172.17.4.2: icmp_seq=3 ttl=62 time=0.705 ms
^C
--- 172.17.5.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.477/0.626/0.705/0.107 ms
[root@e8e969f37720 /]# ping 172.17.65.2 ###node02 ping node01容器'
PING 172.17.65.2 (172.17.65.2) 56(84) bytes of data.
64 bytes from 172.17.65.2: icmp_seq=1 ttl=62 time=0.813 ms
64 bytes from 172.17.65.2: icmp_seq=2 ttl=62 time=1.02 ms
64 bytes from 172.17.65.2: icmp_seq=3 ttl=62 time=0.513 ms
^C
--- 172.17.65.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.513/0.785/1.029/0.211 ms
###证明flannel网络部署成功'
1.5:部署master组件
- master节点操作,api-server生成证书
[root@master k8s]# mkdir -p /opt/kubernetes/{cfg,bin,ssl} '//创建k8s工作目录'
[root@master k8s]# mkdir k8s-cert '//创建k8s证书目录'
[root@master k8s]# unzip master.zip -d /opt/kubernetes/ '//解压 maste.zip'
[root@master k8s]# ls /opt/k8s/
apiserver.sh bin cfg controller-manager.sh scheduler.sh ssl '//发现controller-manager.sh 没有执行权限'
[root@master k8s]# chmod +x /opt/kubernetes/controller-manager.sh '//给执行权限'
[root@master k8s]# cd k8s-cert/
[root@master k8s-cert]# vim k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"20.0.0.111", '//master1,配置文件中要删除此类注释'
"20.0.0.112", '//master2'
"20.0.0.200", '//VIP'
"20.0.0.115", '//nginx代理master'
"20.0.0.116", '//nginx代理backup'
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- 生成证书
[root@master k8s-cert]# bash k8s-cert.sh ###生成证书'
[root@master k8s-cert]# ls
admin.csr admin.pem ca-csr.json k8s-cert.sh kube-proxy-key.pem server-csr.json
admin-csr.json ca-config.json ca-key.pem kube-proxy.csr kube-proxy.pem server-key.pem
admin-key.pem ca.csr ca.pem kube-proxy-csr.json server.csr server.pem
[root@master k8s-cert]# ls *.pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
[root@master k8s-cert]# cp ca*.pem server*.pem /opt/kubernets/ssl/ ###复制证书到工作目录'
[root@master k8s-cert]# ls /opt/kubernets/ssl/
ca-key.pem ca.pem server-key.pem server.pem
- 解压k8s压缩包
[root@master k8s]# ls
cfssl.sh etcd-v3.3.10-linux-amd64 k8s-cert
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
etcd.sh flannel-v0.10.0-linux-amd64.tar.gz master.zip
[root@master k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
- 复制master端关键命令到k8s工作目录中
[root@master k8s]# cd kubernetes/server/bin/
[root@master bin]# cp kube-controller-manager kube-scheduler kubectl kube-apiserver /opt/kubernets/bin/
[root@master bin]# ls /opt/kubernetes/bin/
kube-apiserver kube-controller-manager kubectl kube-scheduler
- 编辑令牌并绑定角色kubelet-bootstrap
[root@master bin]# cd /root/k8s/
[root@master k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d '' '//随机生成序列号'
7ea8f86b157225fd4b9273765e88a3ca
[root@master k8s]# vim /opt/kubernets/cfg/token.csv
7ea8f86b157225fd4b9273765e88a3ca,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
###序列号,用户名,id,角色,这个用户是master用来管理node节点的'
- 开启apiserver,将数据存放在etcd集群中并检查kube状态
[root@master kubernetes]# bash apiserver.sh 20.0.0.111 https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
[root@master kubernetes]# ps aux | grep kube ###检查进程是否启动成功
[root@master kubernetes]# cat /opt/kubernetes/cfg/kube-apiserver ###查看配置文件
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://20.0.0.111:2379,https://20.0.0.113:2379,https://20.0.0.114:2379 \
--bind-address=20.0.0.111 \
--secure-port=6443 \
--advertise-address=20.0.0.111 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
- 启动scheduler服务
[root@master kubernetes]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master kubernetes]# systemctl status kube-scheduler
- 启动controller-anager
[root@master kubernetes]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@master kubernetes]# systemctl status kube-controller-manager
- 查看master节点状态
[root@master kubernetes]# /opt/kubernetes/bin/kubectl get cs ###状态健康
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
1.6:node01节点部署
- master节点上将kubelet和kube-proxy拷贝到node节点
[root@master kubernetes]# cd /root/k8s/kubernetes/server/bin/
[root@master bin]# ls
apiextensions-apiserver kube-apiserver.docker_tag kube-proxy
cloud-controller-manager kube-apiserver.tar kube-proxy.docker_tag
cloud-controller-manager.docker_tag kube-controller-manager kube-proxy.tar
cloud-controller-manager.tar kube-controller-manager.docker_tag kube-scheduler
hyperkube kube-controller-manager.tar kube-scheduler.docker_tag
kubeadm kubectl kube-scheduler.tar
kube-apiserver kubelet
[root@master bin]# scp kubelet kube-proxy root@20.0.0.113:/opt/kubernetes/bin/
root@20.0.0.113's password:
kubelet 100% 168MB 27.9MB/s 00:06
kube-proxy 100% 48MB 31.5MB/s 00:01
[root@master bin]# scp kubelet kube-proxy root@20.0.0.114:/opt/kubernetes/bin/
root@20.0.0.114's password:
kubelet 100% 168MB 56.1MB/s 00:03
kube-proxy 100% 48MB
- node节点解压node.zip
[root@node01 ~]# rz -E
rz waiting to receive.
[root@node01 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz node.zip
[root@node01 ~]# unzip node.zip
[root@node01 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz kubelet.sh node.zip proxy.sh
- master节点创建kubeconfig目录
[root@master bin]# cd /root/k8s/
[root@master k8s]# mkdir kubeconfig
[root@master k8s]# cd kubeconfig/
[root@master kubeconfig]# vim kubeconfig
APISERVER=$1
SSL_DIR=$2
# 创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# 设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=7ea8f86b157225fd4b9273765e88a3ca \ '//此token序列号就是toten.csv里面的序列号
--kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
[root@master kubeconfig]# export PATH=$PATH://opt/kubernetes/bin ###设置环境变量
- 生成配置文件并拷贝到node节点
[root@master kubeconfig]# bash kubeconfig 20.0.0.111 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@master kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
//拷贝配置文件到node节点
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.113:/opt/kubernetes/cfg/
root@20.0.0.113's password:
bootstrap.kubeconfig 100% 2169 2.1MB/s 00:00
kube-proxy.kubeconfig 100% 6275 4.2MB/s 00:00
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@20.0.0.114:/opt/kubernetes/cfg/
root@20.0.0.114's password:
bootstrap.kubeconfig 100% 2169 1.8MB/s 00:00
kube-proxy.kubeconfig 100% 6275 5.3MB/s 00:00
- 创建bootstrap角色并赋予权限用于连接apiserver请求签名
[root@master kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
- node01节点操作生成kubelet kubelet.config配置文件
[root@node01 ~]# bash kubelet.sh 20.0.0.113
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node01 ~]# ls /opt/k8s/cfg/
bootstrap.kubeconfig flanneld kubelet kubelet.config kube-proxy.kubeconfig
[root@node01 ~]# systemctl status kubelet
- master节点上检查到node01节点的申请,查看证书状态
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 71s kubelet-bootstrap Pending
###pending:等待集群给该节点办法证书'
- 颁发证书,再次查看证书状态
[root@master kubeconfig]# kubectl certificate approve node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s
certificatesigningrequest.certificates.k8s.io/node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s approved
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 3m9s kubelet-bootstrap Approved,Issued ###已经被允许加入集群'
- 查看集群状态并启动proxy服务
[root@master kubeconfig]# kubectl get node ###如果有一个节点noready,检查kubelet,如果很多节点noready,那就检查apiserver,如果没问题再检查VIP地址,keepalived'
NAME STATUS ROLES AGE VERSION
20.0.0.113 Ready <none> 69s v1.12.3
[root@node01 ~]# vim proxy.sh ###修改配置文件
[root@node01 ~]# bash proxy.sh 20.0.0.113
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node01 ~]# systemctl status kube-proxy.service ###发现服务是running状态'
1.7:node02节点部署
- 将node01之前生成的配置文件直接复制到node02节点
[root@node01 ~]# scp -r /opt/kubernetes/ root@20.0.0.114:/opt/
[root@node01 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@20.0.0.114:/usr/lib/systemd/system/
- 修改三个配置文件的IP地址
[root@node02 ~]# cd /opt/k8s/cfg/
[root@node02 cfg]# vim kubelet
--hostname-override=20.0.0.114 \ ###修改为自己的IP地址'
[root@node02 cfg]# vim kubelet.config
address: 20.0.0.114
[root@node02 cfg]# vim kube-proxy
--hostname-override=20.0.0.114 \
- 删除从node01复制过来的证书文件,自己生成
[root@node02 ~]# cd /opt/kubernetes/ssl/
[root@node02 ssl]# rm -rf *
- 启动服务并查看状态
[root@node02 cfg]# systemctl start kubelet
[root@node02 cfg]# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node02 cfg]# systemctl status kubelet
[root@node02 cfg]# systemctl start kube-proxy
[root@node02 cfg]# systemctl enable kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node02 cfg]# systemctl status kube-proxy
- master节点上操作查看请求并同意node02证书
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis 74s kubelet-bootstrap Pending
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 21m kubelet-bootstrap Approved,Issued
[root@master kubeconfig]# kubectl certificate approve node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis ###同意证书'
certificatesigningrequest.certificates.k8s.io/node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis approved
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis 99s kubelet-bootstrap Approved,Issued
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 21m kubelet-bootstrap Approved,Issued
[root@master kubeconfig]# kubectl get node ##查看集群node节点状态,单节点部署成功
NAME STATUS ROLES AGE VERSION
20.0.0.113 Ready <none> 19m v1.12.3
20.0.0.114 Ready <none> 44s v1.12.3
740
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
