二、Kubernetes生产级高可用集群部署
| 角色 | IP | 组件 | 推荐配置 |
|---|---|---|---|
| master01 | 192.168.200.207 | kube-apiserver kube-controller-manager kube-scheduler etcd | CPU:2C+内存:4G+ |
| master02 | 192.168.200.208 | kube-apiserver kube-controller-manager kube-scheduler etcd | CPU:2C+内存:4G+ |
| node01 | 192.168.200.209 | kubelet kube-proxy docker flannel etcd | CPU:2C+内存:4G+ |
| node02 | 192.168.200.210 | kubelet kube-proxy docker flannel | CPU:2C+内存:4G+ |
| Load_Balancer_Master | 192.168.200.205 | Nginx L4 | CPU:1C+内存:2G+ |
| Load_Balancer_Backup | 192.168.200.206 | Nginx L4 | CPU:1C+内存:2G+ |
| Registry_Harbor | 192.168.200.211 | Harbor | CPU:1C+内存:2G+ |
2.7 单Master集群-在Master节点部署组件
基本流程:
- 自签SSL证书
- 部署kube-apiserver
- 部署kube-controller-manager
- 部署kube-scheduler
在部署K8S之前一定要确保etcd,flannel,docker是正常工作的,否则先解决问题再继续
2.7.1 自签APIServer的SSL证书
#在master01查看事先准备好的k8s-cert.sh证书脚本
[root@master01 ~]# ls /opt/k8s/shell/
apiserver.sh k8s-cert.sh kube-proxy.sh
controller-manager.sh kubeconfig.sh scheduler.sh
k8s-admin.yaml kubelet.sh ssh_kubeconfig.sh
[root@master01 ~]# mv /opt/k8s/shell/k8s-cert.sh /server/scripts/
[root@master01 ~]# ls /server/scripts/
cfssl.sh etcd-cert etcd-cert.sh etcd.sh flannel.sh k8s-cert.sh
[root@master01 ~]# cat /server/scripts/k8s-cert.sh
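#!/bin/bash
# k8s-cert.sh - self-sign the Kubernetes PKI with cfssl.
#
# Writes into the current directory:
#   ca.pem / ca-key.pem                  cluster CA
#   server.pem / server-key.pem          kube-apiserver serving certificate
#   admin.pem / admin-key.pem            kubectl admin client certificate
#   kube-proxy.pem / kube-proxy-key.pem  kube-proxy client certificate
# plus the *-csr.json inputs and *.csr requests. Re-running it creates a NEW CA,
# which invalidates every certificate signed by the previous one, so run it once
# from a dedicated directory (e.g. k8s-cert/) and keep the output.
#
# Requires: cfssl and cfssljson on PATH.
set -euo pipefail

# Stop before writing anything if the cfssl tool chain is missing; otherwise the
# JSON inputs get written and every "cfssl | cfssljson" step silently produces
# no .pem files.
for tool in cfssl cfssljson; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'error: %s not found in PATH\n' "$tool" >&2
    exit 1
  fi
done

# CA signing policy. 87600h (~10 years) applies to the default and to the
# "kubernetes" profile used for every leaf below. The API server does not check
# revocation lists, so a leaked client certificate stays usable for that whole
# period unless the CA itself is rotated - size the expiry accordingly.
# Heredoc delimiters are quoted: the JSON contains no shell expansions.
cat > ca-config.json <<'FOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
FOF

# Cluster CA request.
cat > ca-csr.json <<'FOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
FOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------------
# kube-apiserver serving certificate. Every address or name a client may use to
# reach the API server must appear in "hosts". JSON has no comments, so the
# address mapping lives here rather than inline (inline "#" text would make the
# file invalid JSON and cfssl would reject it):
#   192.168.200.205  LB-Master IP
#   192.168.200.206  LB-Backup IP
#   192.168.200.207  Master01 IP
#   192.168.200.208  Master02 IP
#   192.168.200.100  LB VIP
# Add any new master or load-balancer address here and re-issue before use.
cat > server-csr.json <<'FOF'
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.200.205",
    "192.168.200.206",
    "192.168.200.207",
    "192.168.200.208",
    "192.168.200.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
FOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#--------------------------------------------
# Admin client certificate. O=system:masters maps to the built-in cluster-admin
# binding, so admin-key.pem is full cluster access - keep it off shared hosts.
# "hosts": [] is expected for a client certificate; cfssl prints a harmless
# "lacks a hosts field" warning for it.
cat > admin-csr.json <<'FOF'
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
FOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#------------------------------------------
# kube-proxy client certificate. The CN becomes the Kubernetes username
# (system:kube-proxy). Client-only, hence the empty "hosts" list.
cat > kube-proxy-csr.json <<'FOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
FOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy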
#创建一个k8s认证文件的目录
[root@master01 ~]# mkdir /server/scripts/k8s-cert
[root@master01 ~]# ls /server/scripts/
cfssl.sh etcd-cert.sh flannel.sh k8s-cert.sh
etcd-cert etcd.sh k8s-cert
#将k8s-cert.sh脚本复制到k8s-cert目录下,并执行脚本生成证书文件
[root@master01 ~]# cd /server/scripts/
[root@master01 scripts]# cp k8s-cert.sh k8s-cert
[root@master01 scripts]# cd k8s-cert
[root@master01 k8s-cert]# chmod +x k8s-cert.sh
[root@master01 k8s-cert]# ll
总用量 4
-rwxr-xr-x 1 root root 2039 2月 25 00:22 k8s-cert.sh
[root@master01 k8s-cert]# ./k8s-cert.sh
2024/02/24 20:26:01 [INFO] generating a new CA key and certificate from CSR
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 579963031966121639765184673984091694303781827497
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 545296514949563930024545637159464706524439008510
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 488815821813128349654092931503111967268645443695
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 341163713476788237131043895894222111283220193032
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master01 k8s-cert]# ls
admin.csr ca.csr kube-proxy.csr server-csr.json
admin-csr.json ca-csr.json kube-proxy-csr.json server-key.pem
admin-key.pem ca-key.pem kube-proxy-key.pem server.pem
admin.pem ca.pem kube-proxy.pem
ca-config.json k8s-cert.sh server.csr
2.7.2 部署Master01组件(apiserver,controller,scheduler)
- Kube-apiserver
- kube-controller-manager
- kube-scheduler
配置文件–>systemd管理组件–>启动
从官网下载发行版的二进制包,手动部署每个组件,组成Kubernetes集群
https://github.com/kubernetes/kubernetes/releases
(1)部署kube-apiserver组件
#在master01上下载kubernetes二进制包版本号V1.12.1(注意:--no-check-certificate 会跳过TLS证书校验,下载后应核对官方发布的校验和)
[root@master01 ~]# wget https://dl.k8s.io/v1.12.1/kubernetes-server-linux-amd64.tar.gz --no-check-certificate
[root@master01 ~]# ls
anaconda-ks.cfg etcd-v3.3.12-linux-amd64.tar.gz
etcd-v3.3.12-linux-amd64 kubernetes-server-linux-amd64.tar.gz
#或者使用准备好的
[root@master01 ~]# ls /opt/k8s
bin flannel-v0.11.0-linux-amd64.tar.gz pause-amd64 YAML
etcd-v3.3.12-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz shell
[root@master01 ~]# cp /opt/k8s/kubernetes-server-linux-amd64.tar.gz ~
[root@master01 ~]# ls
anaconda-ks.cfg etcd-v3.3.12-linux-amd64.tar.gz p
etcd-v3.3.12-linux-amd64 kubernetes-server-linux-amd64.tar.gz
#创建kubernetes程序目录
[root@master01 ~]# mkdir -p /opt/kubernetes/{bin,cfg,ssl}
[root@master01 ~]# ls /opt/
etcd k8s k8s.tar.gz kubernetes
[root@master01 ~]# ls /opt/kubernetes/
bin cfg ssl
#将解压出来的kubernetes二进制文件移动到/opt/kubernetes/bin目录下
[root@master01 ~]# ls kubernetes-server-linux-amd64.tar.gz
kubernetes-server-linux-amd64.tar.gz
[root@master01 ~]# tar xf kubernetes-server-linux-amd64.tar.gz
[root@master01 ~]# cd kubernetes
[root@master01 kubernetes]# ls
addons kubernetes-src.tar.gz LICENSES server
[root@master01 kubernetes]# cd server/bin/