Benefits of installing k8s from binaries you built from source:
(1) When you hit code you don't understand, you can add log statements, rebuild, run it and read the output to work out how it behaves
(2) You end up with a much deeper understanding of how k8s works
### 1. Cluster plan
Two Baidu Cloud hosts are used to build the cluster. Both are configured as follows:
2 vCPUs, 4 GB RAM, 40 GB disk, 1M bandwidth, compute-optimized C3
Host | Role
---|---
192.168.0.4 | master & node
192.168.0.5 | node
The etcd cluster is deployed on 192.168.0.4 and 192.168.0.5.
192.168.0.4 acts as both master and node
192.168.0.5 acts as a node only
Note that a two-member etcd cluster has no fault tolerance: quorum is 2 of 2, so if either host goes down the cluster stops accepting writes. That is fine for a lab; for anything you rely on, use three (or five) members.
### 2. Preparation
#### 2.1 Change the hostnames
Cloud hosts come with a random string as hostname, so I changed them.
(1) On 192.168.0.4, set the hostname to k8s-master:
```
hostname k8s-master
```
(2) On 192.168.0.5, set the hostname to k8s-node:
```
hostname k8s-node
```
`hostname` only changes the running kernel's hostname and is lost on reboot; to make the change persistent use `hostnamectl set-hostname k8s-master` (and `k8s-node`), which also writes /etc/hostname.
#### 2.2 Disable SELinux and the firewall
Debian may not have the configuration below; skip it if it is absent.
```
[root@k8s-master ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@k8s-master ~]#
[root@k8s-master ~]# systemctl stop firewalld
```
Two caveats. SELINUX=disabled in /etc/selinux/config only takes effect after a reboot; `setenforce 0` switches the running system to permissive immediately. And `systemctl stop firewalld` does not survive a reboot (`systemctl disable --now firewalld` does). Turning both off is a lab shortcut: with the host firewall gone, etcd's ports 2379 and 2380 are reachable from anything that can route to these hosts, so make sure the cloud security group still limits access to the two node IPs.
#### 2.3 Synchronize the clocks
Cloud hosts usually already have the correct time; VMs generally need a sync:
```
ntpdate time.windows.com
```
Keep the clocks in sync afterwards as well (chrony or ntpd): the TLS certificates generated below carry validity periods, and a skewed clock makes etcd peers and clients reject otherwise valid certificates.
### 3. etcd cluster deployment
#### 3.1 Preparation before deploying etcd
##### 3.1.1 Install the cfssl certificate tooling
cfssl is an open-source certificate management tool that generates certificates from JSON files; it is easier to use than openssl.
Do this on any one server; here the master node is used.
```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
```
If pkg.cfssl.org no longer serves these files, the same binaries are published on the project's GitHub releases page (https://github.com/cloudflare/cfssl/releases); verify the published checksums before putting them on the PATH, since every certificate this cluster trusts will be produced by these tools.
##### 3.1.2 Create a self-signed certificate authority (CA)
(1) Create the working directories:
```
mkdir -p ~/TLS/{etcd,k8s}
cd ~/TLS/etcd
```
(2) Self-sign the CA. The expiry of 87600h is ten years, convenient for a lab but longer than you would want for anything production-facing; the www profile issues certificates usable for both server and client authentication:
```
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
```
(3) Generate the CA certificate:
```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
```
Check that it worked: if ca-key.pem and ca.pem exist, it succeeded
```
ls *pem
ca-key.pem ca.pem
```
Keep ca-key.pem private: anyone holding it can mint certificates that every etcd member will trust.
##### 3.1.3 Issue the etcd HTTPS certificate with the self-signed CA
(1) Create the certificate signing request file:
```
cat > server-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"192.168.0.4",
"192.168.0.5"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
```
The IPs in the hosts field above are the internal IPs of all etcd cluster members; not one may be missing! cfssl turns them into the certificate's Subject Alternative Names, and a peer whose IP is absent fails TLS verification. To make later expansion easier you can list a few spare IPs in advance.
(2) Generate the certificate:
```
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```
Check that it worked: if server-key.pem and server.pem exist, it succeeded
```
ls server*pem
server-key.pem server.pem
```
You can confirm which SANs ended up in the certificate with `cfssl-certinfo -cert server.pem`.
#### 3.2 Download etcd
Different k8s versions pair with different etcd versions; the k8s changelog on the official site lists the one for your release. Version 3.4.3 is downloaded here.
Download page: https://github.com/etcd-io/etcd/releases
#### 3.3 Install etcd
(1) Decide where the binaries and configuration go
/opt/etcd/bin holds the binaries, mainly etcd and etcdctl
/opt/etcd/cfg holds the etcd configuration
/opt/etcd/ssl holds the etcd certificates
```
root@k8s-master:~# mkdir /opt/etcd/{bin,cfg,ssl} -p
[root@k8s-master ]# cd /opt/etcd/
[root@k8s-master etcd]# ls
bin cfg ssl
```
bin directory:
```
tar zxvf etcd-v3.4.3-linux-amd64.tar.gz
cp etcd-v3.4.3-linux-amd64/etcd etcd-v3.4.3-linux-amd64/etcdctl /opt/etcd/bin/
[root@k8s-master bin]# ls
etcd etcdctl
```
ssl directory: these are the etcd certificates generated in the previous step
```
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
[root@k8s-master etcd-cert]# cd /opt/etcd/ssl/
[root@k8s-master ssl]# ls
ca-key.pem ca.pem server-key.pem server.pem
```
cfg directory. etcd listens on two ports: 2380 is for communication between cluster members, 2379 is the data (client) port used for get, put and so on.
```
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.0.4:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.4:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.4:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.4:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.4:2380,etcd02=https://192.168.0.5:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
```
ETCD_NAME: node name, unique within the cluster
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
ETCD_INITIAL_CLUSTER: addresses of all cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining; new for a new cluster, existing to join an existing one
The file above is for etcd01 on 192.168.0.4. Repeat the same layout on 192.168.0.5 (copy the binaries and the four pem files there too) with ETCD_NAME="etcd02" and 192.168.0.5 in the four listen/advertise URLs; ETCD_INITIAL_CLUSTER and the token must be identical on both nodes. ETCD_DATA_DIR holds the entire key-value store unencrypted on disk (Kubernetes keeps its Secrets there), so keep it readable by root only.
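The two places this setup most often goes wrong are the hosts list in server-csr.json (one IP short and a peer fails TLS) and the per-node etcd.conf (a copy-paste that leaves etcd01's IP in etcd02's listen URLs). The script below is an added example, not part of the original tutorial: it renders each member's etcd.conf from one member list and cross-checks every IP the cluster will use against the CSR's hosts. MEMBERS, SERVER_CSR_JSON, the template and the function names are all constructed here to match the two-node plan in the text.

```python
"""Added example (not from the original tutorial): render one etcd.conf per
member and check that server-csr.json covers every IP the cluster uses.

MEMBERS, SERVER_CSR_JSON and the template below are constructed inline to
match the two-node plan in the text; the function names are this example's.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed: cluster plan from the text, member name -> node IP.
MEMBERS = {"etcd01": "192.168.0.4", "etcd02": "192.168.0.5"}

# Constructed: the server-csr.json written earlier in the tutorial.
SERVER_CSR_JSON = json.dumps({
    "CN": "etcd",
    "hosts": ["192.168.0.4", "192.168.0.5"],
    "key": {"algo": "rsa", "size": 2048},
    "names": [{"C": "CN", "L": "BeiJing", "ST": "BeiJing"}],
})

# Same layout as /opt/etcd/cfg/etcd.conf in the text; only the member name,
# the node's own IP and the cluster list vary per node.
ETCD_CONF_TEMPLATE = """#[Member]
ETCD_NAME="{name}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://{ip}:2380"
ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"
ETCD_INITIAL_CLUSTER="{cluster}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
"""

URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")


def render_etcd_conf(name, members):
    """etcd.conf for one member: ETCD_INITIAL_CLUSTER is identical on every
    node, while the listen/advertise URLs carry that node's own IP."""
    cluster = ",".join(f"{n}=https://{ip}:2380" for n, ip in members.items())
    return ETCD_CONF_TEMPLATE.format(name=name, ip=members[name], cluster=cluster)


def parse_etcd_conf(text):
    """KEY="value" lines -> dict; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def cluster_ips(conf):
    """Every address etcd must hold a certificate for: its own listen and
    advertise URLs plus every peer named in ETCD_INITIAL_CLUSTER."""
    urls = []
    for key in URL_KEYS:
        urls += conf.get(key, "").split(",")
    for entry in conf.get("ETCD_INITIAL_CLUSTER", "").split(","):
        if "=" in entry:
            urls.append(entry.split("=", 1)[1])
    return {urlsplit(u.strip()).hostname for u in urls if u.strip()}


def missing_san_hosts(conf_text, csr_json):
    """IPs the cluster uses that are absent from the CSR's hosts (the SANs
    cfssl puts into server.pem). Empty means every peer will accept the cert."""
    hosts = set(json.loads(csr_json)["hosts"])
    return sorted(cluster_ips(parse_etcd_conf(conf_text)) - hosts)


if __name__ == "__main__":
    for name in MEMBERS:
        conf = render_etcd_conf(name, MEMBERS)
        print(f"--- etcd.conf for {name} ({MEMBERS[name]}) ---")
        print(conf)
        print("missing SANs:", missing_san_hosts(conf, SERVER_CSR_JSON) or "none")
    # Constructed mistake: a CSR that lists only the master's IP.
    short_csr = json.dumps({"CN": "etcd", "hosts": ["192.168.0.4"]})
    print("with a one-host CSR:",
          missing_san_hosts(render_etcd_conf("etcd02", MEMBERS), short_csr))
```

Run it as-is to see both nodes' configs and the one-host failure case; to check a real host, read /opt/etcd/cfg/etcd.conf and ~/TLS/etcd/server-csr.json into strings and pass them to missing_san_hosts before you run cfssl gencert, since a missing SAN only shows up later as a TLS handshake error between peers.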
(2) Manage etcd with systemd
```
# The delimiter is quoted so the backslash line continuations are kept as written
cat > /usr/lib/systemd/system/etcd.service << 'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
```
As written, TLS only authenticates etcd to its clients and peers; etcd does not check who is connecting. Anyone who can reach port 2379 can read and write the whole datastore. Add --client-cert-auth=true to ExecStart so that only holders of a certificate signed by ca.pem are accepted (every client, the kube-apiserver included, must then present one; server.pem qualifies because the www profile includes client auth), and --peer-client-cert-auth=true to require the same of member-to-member traffic on 2380.
(3) Start etcd and enable it at boot
```
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
```
The first start always fails: the unit is Type=notify and etcd only reports ready once the cluster has quorum, which needs the second node's etcd running too. Start etcd02 on 192.168.0.5 and both come up together. Once they do, `ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints=https://192.168.0.4:2379,https://192.168.0.5:2379 endpoint health` should report both endpoints healthy.
Check the et