k8s容器云平台入门(中)

二、Kubernetes生产级高可用集群部署

角色 IP 组件 推荐配置
master01 192.168.200.207 kube-apiserver
kube-controller-manager
kube-scheduler
etcd
CPU:2C+内存:4G+
master02 192.168.200.208 kube-apiserver
kube-controller-manager
kube-scheduler
etcd
CPU:2C+内存:4G+
node01 192.168.200.209 kubelet
kube-proxy
docker
flannel
etcd
CPU:2C+内存:4G+
node02 192.168.200.210 kubelet
kube-proxy
docker
flannel
CPU:2C+内存:4G+
Load_Balancer_Master 192.168.200.205 Nginx L4 CPU:1C+内存:2G+
Load_Balancer_Backup 192.168.200.206 Nginx L4 CPU:1C+内存:2G+
Registry_Harbor 192.168.200.211 Harbor CPU:1C+内存:2G+

2.7 单Master集群-在Master节点部署组件

基本流程:

  • 自签SSL证书
  • 部署kube-apiserver
  • 部署kube-controller-manager
  • 部署kube-scheduler

在部署K8S之前一定要确保etcd,flannel,docker是正常工作的,否则先解决问题再继续

2.7.1 自签APIServer的SSL证书

#在master01查看事先准备好的k8s-cert.sh证书脚本
[root@master01 ~]# ls /opt/k8s/shell/
apiserver.sh           k8s-cert.sh    kube-proxy.sh
controller-manager.sh  kubeconfig.sh  scheduler.sh
k8s-admin.yaml         kubelet.sh     ssh_kubeconfig.sh
[root@master01 ~]# mv /opt/k8s/shell/k8s-cert.sh /server/scripts/
[root@master01 ~]# ls /server/scripts/
cfssl.sh  etcd-cert  etcd-cert.sh  etcd.sh  flannel.sh  k8s-cert.sh
[root@master01 ~]# cat /server/scripts/k8s-cert.sh 
#!/bin/bash

# Signing policy read by every later `cfssl gencert -config=ca-config.json`
# call in this script. Both the default policy and the "kubernetes" profile
# issue certificates valid for 87600h (about 10 years), and the profile allows
# "server auth" as well as "client auth", so any certificate signed with it
# can be presented in either role.
cat <<'EOF' > ca-config.json
{
        "signing": {
                "default": {
                        "expiry": "87600h"
                },
                "profiles": {
                        "kubernetes": {
                                "expiry": "87600h",
                                "usages": [
                                        "signing",
                                        "key encipherment",
                                        "server auth",
                                        "client auth"
                                ]
                        }
                }
        }
}
EOF

# CSR for the self-signed root CA (RSA 2048, CN "kubernetes").
cat <<'EOF' > ca-csr.json
{
        "CN": "kubernetes",
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [
                {
                        "C": "CN",
                        "L": "Beijing",
                        "ST": "Beijing",
                        "O": "k8s",
                        "OU": "System"
                }
        ]
}
EOF

# Create the CA in the current directory: ca.pem, ca-key.pem and ca.csr.
# Each run generates a new CA key and overwrites those files, so certificates
# issued by an earlier run no longer chain to ca.pem.
# NOTE(review): whoever can read ca-key.pem can issue a certificate for any
# name or group this CA is trusted for; keep it root-only and copy it only to
# hosts that actually have to sign certificates.
cfssl gencert -initca ca-csr.json \
  | cfssljson -bare ca -

#-----------------------------

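# Server certificate for kube-apiserver, signed by the CA created earlier in
# this script (ca.pem / ca-key.pem) with the "kubernetes" profile.
#
# "hosts" becomes the certificate's SAN list: every IP address or DNS name
# that clients use to reach the API server has to be listed, otherwise TLS
# verification fails for that address. Site-specific entries used here
# (adjust them to your own environment before running):
#   192.168.200.205  load balancer, master
#   192.168.200.206  load balancer, backup
#   192.168.200.207  master01
#   192.168.200.208  master02
#   192.168.200.100  load balancer VIP
# 10.0.0.1 is presumably the first address of the service CIDR, i.e. the
# in-cluster "kubernetes" service IP; confirm against the apiserver config.
#
# JSON has no comment syntax and a heredoc copies its body verbatim, so these
# notes must stay out here: a '#' annotation inside the heredoc would end up
# in server-csr.json and make it invalid JSON. The delimiter is quoted so the
# body is written literally, with no shell expansion.
cat > server-csr.json <<'FOF'
{
        "CN": "kubernetes",
        "hosts": [
                "10.0.0.1",
                "127.0.0.1",
                "192.168.200.205",
                "192.168.200.206",
                "192.168.200.207",
                "192.168.200.208",
                "192.168.200.100",
                "kubernetes",
                "kubernetes.default",
                "kubernetes.default.svc",
                "kubernetes.default.svc.cluster",
                "kubernetes.default.svc.cluster.local"
        ],
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [
                {
                        "C": "CN",
                        "L": "BeiJing",
                        "ST": "BeiJing",
                        "O": "k8s",
                        "OU": "System"
                }
        ]
}
FOF

# Writes server.pem, server-key.pem and server.csr to the current directory.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server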

#--------------------------------------------

# Client certificate for the cluster administrator (CN "admin").
# Kubernetes takes the subject's O field as the user's group, and
# system:masters is the group bound to the cluster-admin role by default, so
# admin-key.pem is a full-cluster credential. The API server does not check
# client certificates for revocation; with the 87600h expiry configured in
# ca-config.json, a leaked key stays usable until the CA itself is replaced.
# Keep admin-key.pem root-only and off the worker nodes.
#
# "hosts" is left empty because this is a client certificate; cfssl prints a
# 'lacks a "hosts" field' warning for it when the script runs.
cat <<'EOF' > admin-csr.json
{
        "CN": "admin",
        "hosts": [],
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [
                {
                        "C": "CN",
                        "L": "BeiJing",
                        "ST": "BeiJing",
                        "O": "system:masters",
                        "OU": "System"
                }
        ]
}
EOF

# Sign with the CA from this script; output is admin.pem, admin-key.pem and
# admin.csr in the current directory.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json \
  | cfssljson -bare admin

#------------------------------------------

# Client certificate for kube-proxy. Kubernetes uses the subject's CN as the
# user name, so this certificate authenticates as "system:kube-proxy" in
# group "k8s"; what that user may do is decided by RBAC, not by the
# certificate. "hosts" is empty because it is a client certificate (cfssl
# prints a 'lacks a "hosts" field' warning for it when the script runs).
cat <<'EOF' > kube-proxy-csr.json
{
        "CN": "system:kube-proxy",
        "hosts": [],
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [
                {
                        "C": "CN",
                        "L": "BeiJing",
                        "ST": "BeiJing",
                        "O": "k8s",
                        "OU": "System"
                }
        ]
}
EOF

# Sign with the CA from this script; output is kube-proxy.pem,
# kube-proxy-key.pem and kube-proxy.csr in the current directory.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json \
  | cfssljson -bare kube-proxy

#创建一个k8s认证文件的目录
[root@master01 ~]# mkdir /server/scripts/k8s-cert
[root@master01 ~]# ls /server/scripts/
cfssl.sh   etcd-cert.sh  flannel.sh  k8s-cert.sh
etcd-cert  etcd.sh       k8s-cert

#将k8s-cert.sh脚本复制到k8s-cert目录下,并执行脚本生成证书文件
[root@master01 ~]# cd /server/scripts/
[root@master01 scripts]# cp k8s-cert.sh k8s-cert
[root@master01 scripts]# cd k8s-cert
[root@master01 k8s-cert]# chmod +x k8s-cert.sh 
[root@master01 k8s-cert]# ll
总用量 4
-rwxr-xr-x 1 root root 2039 225 00:22 k8s-cert.sh
[root@master01 k8s-cert]# ./k8s-cert.sh 
2024/02/24 20:26:01 [INFO] generating a new CA key and certificate from CSR
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 579963031966121639765184673984091694303781827497
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 545296514949563930024545637159464706524439008510
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 488815821813128349654092931503111967268645443695
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2024/02/24 20:26:01 [INFO] generate received request
2024/02/24 20:26:01 [INFO] received CSR
2024/02/24 20:26:01 [INFO] generating key: rsa-2048
2024/02/24 20:26:01 [INFO] encoded CSR
2024/02/24 20:26:01 [INFO] signed certificate with serial number 341163713476788237131043895894222111283220193032
2024/02/24 20:26:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master01 k8s-cert]# ls
admin.csr       ca.csr       kube-proxy.csr       server-csr.json
admin-csr.json  ca-csr.json  kube-proxy-csr.json  server-key.pem
admin-key.pem   ca-key.pem   kube-proxy-key.pem   server.pem
admin.pem       ca.pem       kube-proxy.pem
ca-config.json  k8s-cert.sh  server.csr

2.7.2 部署Master01组件(apiserver,controller,scheduler)

  • Kube-apiserver
  • kube-controller-manager
  • kube-scheduler

配置文件–>systemd管理组件–>启动
从官网下载发行版的二进制包,手动部署每个组件,组成Kubernetes集群
https://github.com/kubernetes/kubernetes/releases

(1)部署kube-apiserver组件
#在master01上下载kubernetes二进制包,版本号V1.12.1(注意:--no-check-certificate会跳过TLS证书校验,下载后应对照官方发布的校验和核对压缩包,确认无误再解压使用)
[root@master01 ~]# wget https://dl.k8s.io/v1.12.1/kubernetes-server-linux-amd64.tar.gz --no-check-certificate
[root@master01 ~]# ls
anaconda-ks.cfg           etcd-v3.3.12-linux-amd64.tar.gz
etcd-v3.3.12-linux-amd64  kubernetes-server-linux-amd64.tar.gz

#或者使用准备好的
[root@master01 ~]# ls /opt/k8s
bin                              flannel-v0.11.0-linux-amd64.tar.gz    pause-amd64  YAML
etcd-v3.3.12-linux-amd64.tar.gz  kubernetes-server-linux-amd64.tar.gz  shell
[root@master01 ~]# cp /opt/k8s/kubernetes-server-linux-amd64.tar.gz ~
[root@master01 ~]# ls
anaconda-ks.cfg           etcd-v3.3.12-linux-amd64.tar.gz       p
etcd-v3.3.12-linux-amd64  kubernetes-server-linux-amd64.tar.gz

#创建kubernetes程序目录
[root@master01 ~]# mkdir -p /opt/kubernetes/{bin,cfg,ssl}
[root@master01 ~]# ls /opt/
etcd  k8s  k8s.tar.gz  kubernetes
[root@master01 ~]# ls /opt/kubernetes/
bin  cfg  ssl

#将解压出来的kubernetes的二进制文件移动到/opt/kubernetes/bin目录下
[root@master01 ~]# ls kubernetes-server-linux-amd64.tar.gz 
kubernetes-server-linux-amd64.tar.gz
[root@master01 ~]# tar xf kubernetes-server-linux-amd64.tar.gz 
[root@master01 ~]# cd kubernetes
[root@master01 kubernetes]# ls
addons  kubernetes-src.tar.gz  LICENSES  server
[root@master01 kubernetes]# cd server/bin/