• 第二课:部署Kubernetes集群-二进制安装


    4. master安装keepalived

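    #master01
    # VRRP "PASS" authentication is a plaintext password on the wire (max 8 chars);
    # it prevents accidental router_id collisions, it does not keep an attacker on
    # the LAN from injecting VRRP. Choose a non-default value anyway and restrict
    # IP protocol 112 (VRRP) to the master subnet at the firewall.
    : "${VRRP_PASS:?set VRRP_PASS (at most 8 characters) before running this}"
    yum install -y keepalived
    # Unquoted delimiter on purpose: only ${VRRP_PASS} is meant to be substituted.
    cat >/etc/keepalived/keepalived.conf <<EOF
    global_defs {
       # keyword is router_id; "route_id" is silently ignored by keepalived
       router_id KUB_LVS
    }

    vrrp_script CheckMaster {
        # Probe the LOCAL apiserver, not the VIP. A node that probes the VIP goes
        # FAULT whenever the VIP holder's apiserver dies, so no BACKUP can take
        # over; and while nobody holds the VIP, curl to it just times out.
        # 127.0.0.1 is in the apiserver certificate SANs (section 5.2), so the CA
        # can be verified instead of using -k. Any HTTP answer counts as "up"
        # (no --fail), so anonymous access to /healthz is not required.
        # The VIP therefore only appears once kube-apiserver (section 9) is
        # running on this node and /etc/kubernetes/ssl/ca.pem is in place.
        script "/usr/bin/curl -sS --max-time 5 --cacert /etc/kubernetes/ssl/ca.pem https://127.0.0.1:6443/healthz"
        interval 3
        timeout 9
        fall 2
        rise 2
    }

    vrrp_instance VI_1 {
        state MASTER
        interface ens160
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass ${VRRP_PASS}
        }
        virtual_ipaddress {
            192.168.68.1/24 dev ens160
        }
        track_script {
            CheckMaster
        }
    }
    EOF
    chmod 0600 /etc/keepalived/keepalived.conf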
    
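    #master02/03
    # Same password as master01 (VRRP peers must agree), same caveats: PASS auth
    # is plaintext, firewall VRRP (IP protocol 112) to the master subnet.
    : "${VRRP_PASS:?set VRRP_PASS (at most 8 characters, same value as master01)}"
    # Give the two backups DIFFERENT priorities (e.g. 90 on master02, 80 on
    # master03) so the failover order is deterministic instead of being decided
    # by the tie-break on IP address.
    VRRP_PRIORITY=${VRRP_PRIORITY:-90}
    yum install -y keepalived
    # Unquoted delimiter on purpose: ${VRRP_PASS} and ${VRRP_PRIORITY} are substituted.
    cat >/etc/keepalived/keepalived.conf <<EOF
    global_defs {
       router_id KUB_LVS
    }

    vrrp_script CheckMaster {
        # Check the local apiserver (see the master01 config for the reasoning);
        # checking the VIP from a BACKUP would take this node to FAULT exactly
        # when it is needed.
        script "/usr/bin/curl -sS --max-time 5 --cacert /etc/kubernetes/ssl/ca.pem https://127.0.0.1:6443/healthz"
        interval 3
        timeout 9
        fall 2
        rise 2
    }

    vrrp_instance VI_1 {
        # keepalived knows MASTER and BACKUP only; "SLAVE" is not a valid state
        state BACKUP
        interface ens160
        virtual_router_id 51
        priority ${VRRP_PRIORITY}
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass ${VRRP_PASS}
        }
        virtual_ipaddress {
            192.168.68.1/24 dev ens160
        }
        track_script {
            CheckMaster
        }
    }
    EOF
    chmod 0600 /etc/keepalived/keepalived.conf

    systemctl enable keepalived && systemctl restart keepalived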
    

    5. 配置证书

    5.1 下载自签名证书生成工具

    在分发机器master01上操作
    可以使用openssl或者cfssl工具生成
本次使用cfssl生成自签证书。
    脚本cfssl.sh下载cfssl工具

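    mkdir -p cfssl && cd cfssl
    # Write the download script (the original used '>>', which appends a second
    # copy of the script on every re-run). The quoted delimiter keeps the shell
    # from expanding anything while writing the file.
    cat > cfssl.sh <<'EOF'
    #!/usr/bin/env bash
    set -euo pipefail
    base=https://pkg.cfssl.org/R1.2
    for tool in cfssl cfssljson cfssl-certinfo; do
      wget -q "${base}/${tool}_linux-amd64"
    done
    # NOTE(review): these unsigned binaries will mint the cluster's CA keys.
    # Compare the digests printed here with the values published for the release
    # (or build cfssl from source) before installing; R1.2 is also an old build,
    # current releases are at github.com/cloudflare/cfssl/releases.
    sha256sum cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    install -m 0755 cfssl_linux-amd64 /usr/bin/cfssl
    install -m 0755 cfssljson_linux-amd64 /usr/bin/cfssljson
    install -m 0755 cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
    EOF
    chmod +x cfssl.sh
    bash cfssl.sh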
    

    5.2 生成Etcd证书

    创建目录
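    mkdir -p /root/etcd && cd /root/etcd

    # --- etcd certificate configuration ---

    # CA signing config. The profile expiry was "89600h" while the default was
    # "87600h" (10 years); use the same value in both places. 10-year leaf
    # certificates are a convenience for a lab -- shorten them for production.
    # One profile carries both "server auth" and "client auth" because the single
    # server.pem below is used as etcd's server cert, peer cert AND as the client
    # cert of kube-apiserver and flanneld (sections 8.2 and 9.1.5).
    cat > ca-config.json <<'EOF'
    {
        "signing": {
          "default": {
            "expiry": "87600h"
          },
          "profiles": {
            "www": {
              "expiry": "87600h",
              "usages": [
                 "signing",
                 "key encipherment",
                 "server auth",
                 "client auth"
              ]
            }
          }
        }
    }
    EOF

    # CA certificate request. ca-key.pem produced from this must never leave
    # master01 (section 6.3 copies only ca.pem to the other nodes).
    cat > ca-csr.json <<'EOF'
    {
        "CN": "etcd CA",
        "key": {
              "algo": "rsa",
              "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing"
            }
        ]
    }
    EOF

    # etcd certificate request: every name/IP a client may use to reach a member
    # (all three masters here) must be listed in "hosts" or TLS verification fails.
    cat > service-csr.json <<'EOF'
    {
        "CN": "etcd",
        "hosts": [
        "master01",
        "master02",
        "master03",
        "192.168.68.146",
        "192.168.68.147",
        "192.168.68.148"
        ],
        "key": {
           "algo": "rsa",
           "size": 2048
        },
        "names": [
          {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
          }
        ]
    }
    EOF

    # Generate the CA (ca.pem / ca-key.pem); cfssljson writes *-key.pem as 0600.
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    # Sign the etcd certificate (server.pem / server-key.pem) with it.
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www service-csr.json | cfssljson -bare server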
    
    [root@master01 etcd]# ll
    total 36
    -rw-r--r-- 1 root root  315 Aug  8 01:25 ca-config.json
    -rw-r--r-- 1 root root  956 Aug  8 01:31 ca.csr
    -rw-r--r-- 1 root root  213 Aug  8 01:26 ca-csr.json
    -rw------- 1 root root 1679 Aug  8 01:31 ca-key.pem
    -rw-r--r-- 1 root root 1265 Aug  8 01:31 ca.pem
    -rw-r--r-- 1 root root 1054 Aug  8 01:40 server.csr
    -rw------- 1 root root 1675 Aug  8 01:40 server-key.pem #etcd 客户端使用
    -rw-r--r-- 1 root root 1379 Aug  8 01:40 server.pem
    -rw-r--r-- 1 root root  323 Aug  8 01:29 service-csr.json
    
    

    kubernetes 证书配置

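    mkdir -p /root/kubernetes && cd /root/kubernetes

    # CA signing config. Profile expiry aligned with the default (87600h = 10
    # years; the original profile said 89600h). Shorten for production.
    cat > ca-config.json <<'EOF'
    {
        "signing": {
          "default": {
            "expiry": "87600h"
          },
          "profiles": {
            "kubernetes": {
              "expiry": "87600h",
              "usages": [
                 "signing",
                 "key encipherment",
                 "server auth",
                 "client auth"
              ]
            }
          }
        }
    }
    EOF

    # Cluster CA request. ca-key.pem is later used by kube-controller-manager to
    # sign kubelet certificates (section 9.3.1); it belongs on the masters only,
    # never on worker nodes -- whoever holds it can issue a cluster-admin client
    # certificate. Sections 9.1.2 and 10.1.4 copy ca.pem alone to the workers.
    # NOTE(review): sections 9.1.5/9.3.1 also reuse ca-key.pem as the
    # service-account token signing key; a dedicated key pair is the better
    # practice so that the CA key can be kept offline.
    cat > ca-csr.json <<'EOF'
    {
        "CN": "kubernetes",
        "key": {
              "algo": "rsa",
              "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    # kube-apiserver serving certificate. "hosts" must contain every address a
    # client will use: the master IPs, the keepalived VIP (192.168.68.1), the
    # first service IP (10.0.0.1), 127.0.0.1 (used by the keepalived health check)
    # and the in-cluster DNS names of the kubernetes service.
    cat > service-csr.json <<'EOF'
    {
        "CN": "kubernetes",
        "hosts": [
        "master01",
        "master02",
        "master03",
        "node01",
        "node02",
        "192.168.68.146",
        "192.168.68.147",
        "192.168.68.148",
        "192.168.68.149",
        "192.168.68.151",
        "192.168.68.1",
        "10.0.0.1",
        "10.0.0.2",
        "127.0.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
        ],
        "key": {
           "algo": "rsa",
           "size": 2048
        },
        "names": [
          {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
          }
        ]
    }
    EOF

    # kube-proxy client certificate. CN "system:kube-proxy" is the identity RBAC
    # binds to the system:node-proxier role; "hosts" stays empty for a client cert.
    cat > kube-proxy-csr.json <<'EOF'
    {
        "CN": "system:kube-proxy",
        "hosts": [],
        "key": {
              "algo": "rsa",
              "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    # Generate the CA
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    # Sign the apiserver certificate
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes service-csr.json | cfssljson -bare server
    # Sign the kube-proxy client certificate
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy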
    
    [root@master01 kubernetes]# ll
    total 52
    -rw-r--r-- 1 root root  322 Aug  8 01:43 ca-config.json
    -rw-r--r-- 1 root root 1001 Aug  8 01:55 ca.csr
    -rw-r--r-- 1 root root  268 Aug  8 01:53 ca-csr.json
    -rw------- 1 root root 1675 Aug  8 01:55 ca-key.pem
    -rw-r--r-- 1 root root 1359 Aug  8 01:55 ca.pem
    -rw-r--r-- 1 root root 1009 Aug  8 01:57 kube-proxy.csr
    -rw-r--r-- 1 root root  292 Aug  8 01:54 kube-proxy-csr.json
    -rw------- 1 root root 1675 Aug  8 01:57 kube-proxy-key.pem
    -rw-r--r-- 1 root root 1403 Aug  8 01:57 kube-proxy.pem
    -rw-r--r-- 1 root root 1358 Aug  8 01:56 server.csr
    -rw------- 1 root root 1675 Aug  8 01:56 server-key.pem
    -rw-r--r-- 1 root root 1724 Aug  8 01:56 server.pem
    -rw-r--r-- 1 root root  670 Aug  8 01:51 service-csr.json
    

    6.安装Etcd

    下载etcd二进制文件

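    mkdir -p /root/soft && cd /root/soft
    ETCD_VER=v3.3.10
    wget "https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz"
    # Verify the archive before unpacking: etcd publishes a SHA256SUMS file with
    # each release (if your download path lacks it, compare `sha256sum` output
    # with the digest shown on the GitHub release page instead).
    wget "https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/SHA256SUMS"
    grep " etcd-${ETCD_VER}-linux-amd64.tar.gz\$" SHA256SUMS | sha256sum -c -
    tar zxf "etcd-${ETCD_VER}-linux-amd64.tar.gz"
    install -m 0755 "etcd-${ETCD_VER}-linux-amd64/etcd" "etcd-${ETCD_VER}-linux-amd64/etcdctl" /usr/local/bin/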
    

    6.1 编辑etcd配置文件

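    # Run on EVERY etcd member. Only the two values below differ per node:
    #   master01 192.168.68.146 | master02 192.168.68.147 | master03 192.168.68.148
    ETCD_NODE_NAME=master01
    ETCD_NODE_IP=192.168.68.146
    mkdir -p /etc/etcd/{cfg,ssl}
    # Unquoted delimiter on purpose: ${ETCD_NODE_NAME}/${ETCD_NODE_IP} are substituted.
    cat >/etc/etcd/cfg/etcd.conf <<EOF
    #{Member}
    ETCD_NAME="${ETCD_NODE_NAME}"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://${ETCD_NODE_IP}:2380"
    # TLS only. The original also listened on http://<ip>:2390: a plaintext,
    # unauthenticated endpoint on the LAN that hands out every Secret in the
    # cluster and lets anyone rewrite cluster state. Do not add it back.
    ETCD_LISTEN_CLIENT_URLS="https://${ETCD_NODE_IP}:2379"

    #{Clustering}
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_NODE_IP}:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_NODE_IP}:2379"
    ETCD_INITIAL_CLUSTER="master01=https://192.168.68.146:2380,master02=https://192.168.68.147:2380,master03=https://192.168.68.148:2380"
    # the token only keeps two clusters on one network apart; it is not a secret
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    # "new" when bootstrapping; "existing" when adding a member to a running cluster
    ETCD_INITIAL_CLUSTER_STATE="new"
    EOF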
    
    

    参数说明:

    字段名 说明
    ETCD_NAME 节点名称,如果有多个节点,那么每个节点都要修改为本节点的名称。
    ETCD_DATA_DIR 数据目录。
    ETCD_LISTEN_PEER_URLS 集群通信监听地址。
    ETCD_LISTEN_CLIENT_URLS 客户端访问监听地址。
    ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址。
    ETCD_ADVERTISE_CLIENT_URLS 客户端通告地址。
    ETCD_INITIAL_CLUSTER 集群节点地址,如果多个节点那么逗号分隔。
    ETCD_INITIAL_CLUSTER_TOKEN 集群token。
    ETCD_INITIAL_CLUSTER_STATE 加入集群的当前状态,new是新集群,existing表示加入已有集群。

    6.2 创建etcd的系统启动服务

    分别在master01/02/03上创建etcd系统启动文件

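    # Quoted delimiter: with a bare <<EOF the shell expands ${ETCD_NAME} & co.
    # while WRITING the file (they are unset in this shell), producing an
    # ExecStart with empty --name/--data-dir/... instead of the systemd
    # variable references that EnvironmentFile is supposed to fill in.
    cat >/usr/lib/systemd/system/etcd.service <<'EOF'
    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target

    [Service]
    Type=notify
    EnvironmentFile=/etc/etcd/cfg/etcd.conf
    # Changes against the original:
    #  - no extra http://127.0.0.1:2379 listener (plaintext, no auth; every
    #    client in this guide already talks TLS to the node IP);
    #  - --client-cert-auth / --peer-client-cert-auth so that a client or peer
    #    must present a certificate signed by the etcd CA -- without them the
    #    TLS port still accepts anyone who can reach it;
    #  - --initial-cluster-state taken from the config file instead of being
    #    hard-coded to "new".
    ExecStart=/usr/local/bin/etcd \
      --name=${ETCD_NAME} \
      --data-dir=${ETCD_DATA_DIR} \
      --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
      --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS} \
      --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
      --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
      --initial-cluster=${ETCD_INITIAL_CLUSTER} \
      --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
      --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
      --cert-file=/etc/etcd/ssl/server.pem \
      --key-file=/etc/etcd/ssl/server-key.pem \
      --client-cert-auth=true \
      --trusted-ca-file=/etc/etcd/ssl/ca.pem \
      --peer-cert-file=/etc/etcd/ssl/server.pem \
      --peer-key-file=/etc/etcd/ssl/server-key.pem \
      --peer-client-cert-auth=true \
      --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem
    Restart=on-failure
    LimitNOFILE=65536

    [Install]
    WantedBy=multi-user.target
    EOF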
    

6.3 复制etcd证书到指定目录

    此目录与之前的etcd启动目录一致
    如果有多个master节点,那么需要复制到每个master

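    mkdir -p /etc/etcd/ssl
    # Members (and etcd clients: kube-apiserver, flanneld) need the CA
    # *certificate* and the server key pair only. ca-key.pem stays on master01
    # (better: offline) -- a copy on every node would let any compromised host
    # mint its own etcd client certificate.
    cp /root/etcd/ca.pem /root/etcd/server.pem /root/etcd/server-key.pem /etc/etcd/ssl/
    chmod 0600 /etc/etcd/ssl/server-key.pem
    # the other etcd members
    for i in master02 master03; do
      ssh "$i" "mkdir -p /etc/etcd/{cfg,ssl}"
      scp -p /etc/etcd/ssl/ca.pem /etc/etcd/ssl/server.pem /etc/etcd/ssl/server-key.pem "$i:/etc/etcd/ssl/"
    done
    # flanneld on the worker nodes reads the same three files (section 8.2)
    for n in node01 node02; do
      ssh "$n" "mkdir -p /etc/etcd/ssl"
      scp -p /etc/etcd/ssl/ca.pem /etc/etcd/ssl/server.pem /etc/etcd/ssl/server-key.pem "$n:/etc/etcd/ssl/"
    done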
    

    6.4 启动etcd

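    # On each member. The unit file is new, so reload systemd first.
    # Start all three members promptly: with Type=notify a lone member that
    # cannot reach quorum presumably never reports ready and the start times out
    # -- TODO confirm on your systemd version.
    systemctl daemon-reload
    systemctl enable etcd
    systemctl start etcd
    systemctl status etcd --no-pager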
    

    6.5 检查etcd集群是否运行正常

    [root@master01 system]# etcdctl 
    -ca-file=/etc/etcd/ssl/ca.pem 
    --cert-file=/etc/etcd/ssl/server.pem 
    --key-file=/etc/etcd/ssl/server-key.pem 
    --endpoint="https://192.168.68.146:2379" 
    cluster-health
    member 518905a4e1408b4a is healthy: got healthy result from https://192.168.68.148:2379
    member 9affe5eacb47bb95 is healthy: got healthy result from https://192.168.68.147:2379
    member d040d1696a38da95 is healthy: got healthy result from https://192.168.68.146:2379
    cluster is healthy
    

    6.6 创建docker所需分配POD网段

    向etcd写入集群pod网段信息
    172.17.0.0/16 为kubernetes pod的IP地址段
    网段必须与kube-controller-manager的--cluster-cidr参数一致

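     # flannel v0.10 reads its config through the etcd v2 API, so this key has to
     # be written into the v2 keyspace ("set", not "put"). etcdctl from etcd 3.3
     # defaults to v2, but pin it so a stray ETCDCTL_API=3 in the environment
     # cannot silently route the write into the v3 keyspace where flannel won't see it.
     ETCDCTL_API=2 etcdctl --endpoints="https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379" \
      --ca-file=/etc/etcd/ssl/ca.pem \
      --cert-file=/etc/etcd/ssl/server.pem \
      --key-file=/etc/etcd/ssl/server-key.pem \
      set /coreos.com/network/config \
      '{"Network":"172.17.0.0/16","Backend":{"Type":"vxlan"}}'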
    

    检查是否建立网段

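    # same API pin as the write above; the client cert is required now that
    # etcd runs with --client-cert-auth
    ETCDCTL_API=2 etcdctl --endpoints="https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379" \
     --ca-file=/etc/etcd/ssl/ca.pem \
     --cert-file=/etc/etcd/ssl/server.pem \
     --key-file=/etc/etcd/ssl/server-key.pem \
     get /coreos.com/network/config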
     {"Network":"172.17.0.0/16","Backend":{"Type":"vxlan"}}
    

    7. 安装docker

    在所有node节点安装docker
    运行前面的系统初始化脚本部署docker
注意:docker启动文件配置如下(8.5节会重新写这个文件;下面这份截图里的 ExecReload 行缺少 $MAINPID,很可能是用未加引号的 heredoc 写入时被 shell 展开掉了,正确内容以8.5节为准):

    [root@node02 ~]# more /usr/lib/systemd/system/docker.service 
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    BindsTo=containerd.service
    After=network-online.target firewalld.service containerd.service
    Wants=network-online.target
    
    [Service]
    Type=notify
    EnvironmentFile=/run/flannel/subnet.env
    ExecStart=/usr/bin/dockerd --data-root=/data/docker $DOCKER_NETWORK_OPTIONS
    ExecReload=/bin/kill -s HUP 
    TimeoutSec=0
    RestartSec=2
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TasksMax=infinity
    Delegate=yes
    KillMode=process
    [Install]
    WantedBy=multi-user.target
    

    8. 安装flannel

    8.1 下载flannel二进制包

    所有的节点

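    mkdir -p soft && cd soft
    # Fetch flannel from the project's own release, not from a file-sharing
    # link: a binary that will run as root on every node and program your
    # overlay network must come from a source you can verify.
    FLANNEL_VER=v0.10.0
    wget "https://github.com/coreos/flannel/releases/download/${FLANNEL_VER}/flannel-${FLANNEL_VER}-linux-amd64.tar.gz"
    # NOTE(review): compare this digest with the one published for the release
    # before continuing (the release page / its CHANGELOG, if provided).
    sha256sum "flannel-${FLANNEL_VER}-linux-amd64.tar.gz"
    tar zxf "flannel-${FLANNEL_VER}-linux-amd64.tar.gz"
    install -m 0755 flanneld mk-docker-opts.sh /usr/local/bin/
    # same binaries on every other node
    for i in master02 master03 node01 node02; do
      scp -p /usr/local/bin/flanneld /usr/local/bin/mk-docker-opts.sh "$i:/usr/local/bin/"
    done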
    

    8.2 配置flannel

    install -d -m 0755 /etc/flannel
    # flanneld authenticates to etcd with the etcd client cert/key copied in 6.3,
    # so /etc/etcd/ssl must exist on every node that runs flanneld.
    cat >/etc/flannel/flannel.cfg <<'EOF'
    FLANNEL_OPTIONS="-etcd-endpoints=https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379  -etcd-cafile=/etc/etcd/ssl/ca.pem  -etcd-certfile=/etc/etcd/ssl/server.pem -etcd-keyfile=/etc/etcd/ssl/server-key.pem"
    EOF
    

    8.3 配置flanneld系统启动文件

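    # Quoted delimiter: a bare <<EOF would expand $FLANNEL_OPTIONS (unset in this
    # shell) while writing the file, leaving flanneld with no etcd endpoints.
    cat >/usr/lib/systemd/system/flanneld.service <<'EOF'
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network-online.target network.target
    Before=docker.service

    [Service]
    Type=notify
    EnvironmentFile=/etc/flannel/flannel.cfg
    ExecStart=/usr/local/bin/flanneld --ip-masq $FLANNEL_OPTIONS
    # turns the subnet flannel leased into DOCKER_NETWORK_OPTIONS for docker.service
    ExecStartPost=/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    # ship the unit to every other node (the original loop listed node01 twice
    # and never reached node02)
    for i in master02 master03 node01 node02; do
      scp /usr/lib/systemd/system/flanneld.service "$i:/usr/lib/systemd/system/"
    done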
    

    启动脚本说明
    mk-docker-opts.sh 脚本将分配给flannel的Pod子网网段信息写入/run/flannel/docker文件,后续docker启动时使用这个文件中的环境变量配置docker0网桥。
    flanneld使用系统缺省路由所在的接口与其他节点通信,对于有多个网络接口(如公网和内网)的节点,可以使用-iface参数指定通信接口,如eth0,ens160等。

    8.4 启动flanneld并检查状态

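    # on every node that received flanneld.service; the unit is new, reload first
    systemctl daemon-reload
    systemctl enable flanneld
    systemctl start flanneld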
    

    所有节点都需要有172.17.0.0/16的网段IP

    4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
        link/ether 26:c8:e8:41:78:d4 brd ff:ff:ff:ff:ff:ff
        inet 172.17.39.0/32 scope global flannel.1
           valid_lft forever preferred_lft forever
        inet6 fe80::24c8:e8ff:fe41:78d4/64 scope link 
           valid_lft forever preferred_lft forever
    

    node节点停止flanneld
    # Stop flanneld on the worker nodes before docker.service is rewritten in 8.5.
    # NOTE(review): the page does not say why, and nothing in 8.5/8.6 starts
    # flanneld again (Before=docker.service only orders units, it does not start
    # them) -- remember to `systemctl start flanneld` before the checks in 8.7.
    systemctl stop flanneld

    8.5 在node01,node02修改docker启动文件

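    # Quoted delimiter: with a bare <<EOF the shell expands $DOCKER_NETWORK_OPTIONS
    # and $MAINPID (both unset here) while WRITING the file, so dockerd would lose
    # flannel's bridge options and ExecReload would have no PID -- consistent with
    # the `ExecReload=/bin/kill -s HUP ` line in the section 7 capture.
    # The trailing "#docker..." comment on the EnvironmentFile line is also moved
    # onto its own line: systemd has no inline comments and would treat it as
    # part of the path.
    cat >/usr/lib/systemd/system/docker.service <<'EOF'
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    BindsTo=containerd.service
    # start after flanneld so /run/flannel/subnet.env exists and is current
    After=network-online.target firewalld.service containerd.service flanneld.service
    Wants=network-online.target

    [Service]
    Type=notify
    # bridge/MTU options written by mk-docker-opts.sh from flannel's lease
    EnvironmentFile=/run/flannel/subnet.env
    ExecStart=/usr/bin/dockerd --data-root=/data/docker $DOCKER_NETWORK_OPTIONS
    ExecReload=/bin/kill -s HUP $MAINPID
    TimeoutSec=0
    RestartSec=2
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TasksMax=infinity
    Delegate=yes
    KillMode=process

    [Install]
    WantedBy=multi-user.target
    EOF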
    

    8.6 重启docker

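    systemctl daemon-reload
    # flanneld was stopped in 8.4 and nothing restarts it; bring it back first so
    # /run/flannel/subnet.env is current, then restart docker so dockerd re-reads
    # DOCKER_NETWORK_OPTIONS (a no-op if flanneld is already running).
    systemctl start flanneld
    systemctl restart docker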
    

    检查,docker0和flannel的IP是在同一个网段

    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
        link/ether 02:42:22:f5:c8:4a brd ff:ff:ff:ff:ff:ff
        inet 172.17.49.1/24 brd 172.17.49.255 scope global docker0
           valid_lft forever preferred_lft forever
    4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
        link/ether e2:18:c3:93:cb:92 brd ff:ff:ff:ff:ff:ff
        inet 172.17.49.0/32 scope global flannel.1
           valid_lft forever preferred_lft forever
        inet6 fe80::e018:c3ff:fe93:cb92/64 scope link 
           valid_lft forever preferred_lft forever
    

    8.7 node节点验证是否可以访问其他节点docker0

    在每个node节点ping其他节点,网段都是通得

    #node02 docker0 ip 172.17.49.1,在node01上ping该IP是通的
    [root@node01 soft]# ping 172.17.49.1
    PING 172.17.49.1 (172.17.49.1) 56(84) bytes of data.
    64 bytes from 172.17.49.1: icmp_seq=1 ttl=64 time=0.299 ms
    64 bytes from 172.17.49.1: icmp_seq=2 ttl=64 time=0.234 ms
    ^C
    --- 172.17.49.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 999ms
    rtt min/avg/max/mdev = 0.234/0.266/0.299/0.036 ms
    

    9 安装master组件

    Master端需要安装的组件如下:
    kube-apiserver
    kube-scheduler
    kube-controller-manager

    9.1 安装Api Server服务 (所有的master节点)

    9.1.1 下载kubernetes二进制包
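    cd /root/soft
    # NOTE(review): the page does not say where this tarball came from or which
    # version it is. Download it from the official release
    # (https://dl.k8s.io/<version>/kubernetes-server-linux-amd64.tar.gz) and
    # compare `sha512sum kubernetes-server-linux-amd64.tar.gz` with the digest
    # listed in that release's CHANGELOG before unpacking -- these binaries run
    # as root on every master.
    tar zxf kubernetes-server-linux-amd64.tar.gz
    install -m 0755 kubernetes/server/bin/{kube-scheduler,kube-apiserver,kube-controller-manager,kubectl} /usr/local/bin/
    # same binaries on the other masters
    for i in master02 master03; do
      scp -p /usr/local/bin/kube* "$i:/usr/local/bin/"
    done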
    
    9.1.2 配置kubernetes证书

    kubernetes各个组件之间通信需要证书,需要复制给每个master节点

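    mkdir -p /etc/kubernetes/{cfg,ssl}
    cp -p /root/kubernetes/*.pem /etc/kubernetes/ssl/
    chmod 0600 /etc/kubernetes/ssl/*-key.pem

    # Masters need the CA key pair (kube-controller-manager signs kubelet CSRs and
    # service-account tokens with ca-key.pem, section 9.3.1) and the apiserver
    # serving key pair.
    for i in master02 master03; do
      ssh "$i" "mkdir -p /etc/kubernetes/{cfg,ssl}"
      scp -p /root/kubernetes/ca.pem /root/kubernetes/ca-key.pem /root/kubernetes/server.pem /root/kubernetes/server-key.pem "$i:/etc/kubernetes/ssl/"
    done
    # Workers need the CA *certificate* only, to verify the apiserver. The
    # original loop shipped ca-key.pem and server-key.pem to node01/node02 too;
    # with the CA key, a compromised worker can sign itself a cluster-admin
    # client certificate, and with server-key.pem it can impersonate the
    # apiserver. kube-proxy's cert/key are embedded into its kubeconfig in
    # 10.1.3. (If the kubelet configuration in a later section references other
    # files under /etc/kubernetes/ssl, copy those explicitly.)
    for n in node01 node02; do
      ssh "$n" "mkdir -p /etc/kubernetes/{cfg,ssl}"
      scp -p /root/kubernetes/ca.pem "$n:/etc/kubernetes/ssl/"
    done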
    
    9.1.3 创建TLS Bootstrapping Token

TLS Bootstrapping 的作用是让kubelet先使用一个预定的低权限用户连接到apiserver,然后向apiserver申请证书,kubelet的证书由apiserver(kube-controller-manager用CA私钥)动态签署。
Token是一个128bit的随机值(32个十六进制字符),必须用安全的随机数发生器生成;它本身就是一个凭据——持有者可以申请节点证书——所以token.csv和bootstrap.kubeconfig都要限制为0600,不要把示例值原样用在自己的集群里。

    [root@master01 ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    a37e9d743248a4589728d60cd35c159c
    
    9.1.4 编辑Token文件

master01操作
    a37e9d743248a4589728d60cd35c159c :随机字符串,自定义生成。
    kubelet-bootstrap:用户名
    10001 UID
    system kubelet-bootstrap 用户组

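    # token.csv format: token,user,uid,"group". The token is a credential (anyone
    # holding it can request node certificates): keep the file root:0600 on every
    # master and replace the value below with the one YOU generated in 9.1.3.
    cat >/etc/kubernetes/cfg/token.csv <<'EOF'
    a37e9d743248a4589728d60cd35c159c,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    EOF
    chmod 0600 /etc/kubernetes/cfg/token.csv
    # same file (and mode, -p) on master02 and master03
    for i in master02 master03; do
      scp -p /etc/kubernetes/cfg/token.csv "$i:/etc/kubernetes/cfg/"
    done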
    
    9.1.5 创建apiserver配置文件

    配置文件内容基本相同,如果有多个master节点,修改IP地址即可。
    master01

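    # Changes against the original:
    #  - --insecure-bind-address=127.0.0.1: port 8080 has NO authentication or
    #    authorization; bound to 0.0.0.0 it hands cluster-admin to anyone who can
    #    reach the master. kube-scheduler/-controller-manager use 127.0.0.1:8080
    #    and keep working.
    #  - --advertise-address pinned to this node's IP (0.0.0.0 means "let the
    #    apiserver pick an interface", which is fragile on multi-homed hosts).
    #  - line continuations restored; the quoted delimiter keeps the shell from
    #    touching the content.
    # NOTE(review): --service-account-key-file reuses the CA private key as the
    # service-account token key; a dedicated key pair (with the matching
    # --service-account-private-key-file on the controller-manager) lets the CA
    # key stay offline. Audit logging (--audit-log-path/--audit-policy-file) is
    # also absent; add it before this cluster carries anything real.
    cat >/etc/kubernetes/cfg/kube-apiserver.cfg <<'EOF'
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --insecure-bind-address=127.0.0.1 \
    --etcd-servers=https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379 \
    --bind-address=0.0.0.0 \
    --secure-port=6443 \
    --advertise-address=192.168.68.146 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth \
    --token-auth-file=/etc/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/etc/kubernetes/ssl/server.pem \
    --tls-private-key-file=/etc/kubernetes/ssl/server-key.pem \
    --client-ca-file=/etc/kubernetes/ssl/ca.pem \
    --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/etc/etcd/ssl/ca.pem \
    --etcd-certfile=/etc/etcd/ssl/server.pem \
    --etcd-keyfile=/etc/etcd/ssl/server-key.pem"
    EOF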
    

master02和master03的配置与master01相同,只需把 --advertise-address 改成本机IP(master02为192.168.68.147,master03为192.168.68.148);--bind-address 保持0.0.0.0,而 --insecure-bind-address 应为127.0.0.1——8080端口没有任何认证和授权,绑定到0.0.0.0等于把集群管理员权限交给任何能连到master的人。
    master02

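    # master02: identical to master01 except --advertise-address. Insecure port
    # stays on loopback (no auth on 8080). The two "#--bind-address=..." lines in
    # the original sat INSIDE the quoted value and would have been passed to the
    # apiserver as arguments, not treated as comments -- removed.
    cat >/etc/kubernetes/cfg/kube-apiserver.cfg <<'EOF'
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --insecure-bind-address=127.0.0.1 \
    --etcd-servers=https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379 \
    --bind-address=0.0.0.0 \
    --secure-port=6443 \
    --advertise-address=192.168.68.147 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth \
    --token-auth-file=/etc/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/etc/kubernetes/ssl/server.pem \
    --tls-private-key-file=/etc/kubernetes/ssl/server-key.pem \
    --client-ca-file=/etc/kubernetes/ssl/ca.pem \
    --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/etc/etcd/ssl/ca.pem \
    --etcd-certfile=/etc/etcd/ssl/server.pem \
    --etcd-keyfile=/etc/etcd/ssl/server-key.pem"
    EOF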
    

    master03

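    # master03: identical to master01 except --advertise-address. Insecure port
    # stays on loopback (no auth on 8080).
    cat >/etc/kubernetes/cfg/kube-apiserver.cfg <<'EOF'
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --insecure-bind-address=127.0.0.1 \
    --etcd-servers=https://192.168.68.146:2379,https://192.168.68.147:2379,https://192.168.68.148:2379 \
    --bind-address=0.0.0.0 \
    --secure-port=6443 \
    --advertise-address=192.168.68.148 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth \
    --token-auth-file=/etc/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/etc/kubernetes/ssl/server.pem \
    --tls-private-key-file=/etc/kubernetes/ssl/server-key.pem \
    --client-ca-file=/etc/kubernetes/ssl/ca.pem \
    --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/etc/etcd/ssl/ca.pem \
    --etcd-certfile=/etc/etcd/ssl/server.pem \
    --etcd-keyfile=/etc/etcd/ssl/server-key.pem"
    EOF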
    
    9.1.6 创建kube-apiserver启动文件
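    # Quoted delimiter: a bare <<EOF would expand $KUBE_APISERVER_OPTS (unset in
    # this shell) while writing the file, leaving an ExecStart with no options.
    cat >/usr/lib/systemd/system/kube-apiserver.service <<'EOF'
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes
    # etcd runs on the same masters in this guide; order after it
    After=network-online.target etcd.service
    Wants=network-online.target

    [Service]
    EnvironmentFile=/etc/kubernetes/cfg/kube-apiserver.cfg
    ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF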
    
    9.1.7 启动kube-apiserver服务
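    # new unit file: reload systemd before the first start
    systemctl daemon-reload
    systemctl start kube-apiserver
    systemctl status kube-apiserver --no-pager
    systemctl enable kube-apiserver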
    

    查看加密端口6443是否已经启用

    [root@master01 ~]# netstat -lntup | grep 6443   
    tcp        0      0 192.168.68.146:6443     0.0.0.0:*               LISTEN      32470/kube-apiserve 
    

    9.2 部署kube-scheduler服务

    创建kube-scheduler配置文件(所有的master节点)

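    # --bind-address is the scheduler's unauthenticated HTTP endpoint (healthz/
    # metrics); keep it on loopback -- `kubectl get cs` checks it via 127.0.0.1.
    # --master uses the apiserver's insecure port, which is why that port must
    # stay bound to 127.0.0.1 (section 9.1.5).
    # NOTE(review): a --kubeconfig with a scheduler client cert over 6443 would
    # remove the dependency on the insecure port entirely; that needs an extra
    # cert from section 5 and is left as a follow-up.
    cat >/etc/kubernetes/cfg/kube-scheduler.cfg <<'EOF'
    KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --bind-address=127.0.0.1 --master=127.0.0.1:8080 --leader-elect"
    EOF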
    

    参数说明:
--bind-address scheduler自身HTTP端口(healthz/metrics,10251)的监听地址;该端口无认证,应绑定127.0.0.1(kubectl get cs 正是通过127.0.0.1检查的),不要绑定0.0.0.0
--master 连接本地apiserver的非加密端口8080;该端口没有任何认证和授权,因此apiserver的 --insecure-bind-address 必须保持127.0.0.1
    --leader-elect=true 集群运行模式,启用选举功能,被选为leader的节点负责处理工作,其他节点为阻塞状态。

    9.2.1 创建kube-scheduler启动文件

    创建kube-scheduler systemd unit 文件

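    # Quoted delimiter: a bare <<EOF would expand $KUBE_SCHEDULER_OPTS (unset in
    # this shell) while writing the file, leaving an ExecStart with no options.
    cat >/usr/lib/systemd/system/kube-scheduler.service <<'EOF'
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes
    After=network-online.target kube-apiserver.service
    Wants=network-online.target

    [Service]
    EnvironmentFile=/etc/kubernetes/cfg/kube-scheduler.cfg
    ExecStart=/usr/local/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF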
    
    9.2.2 启动kube-scheduler服务
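    # new unit file: reload systemd before the first start
    systemctl daemon-reload
    systemctl start kube-scheduler
    systemctl status kube-scheduler --no-pager
    systemctl enable kube-scheduler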
    
    9.2.3 查看master组件状态
    [root@master01 ~]# kubectl get cs
    NAME                 STATUS      MESSAGE                                                                                     ERROR
    controller-manager   Unhealthy   Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused   
    scheduler            Healthy     ok                                                                                          
    etcd-0               Healthy     {"health":"true"}                                                                           
    etcd-2               Healthy     {"health":"true"}                                                                           
    etcd-1               Healthy     {"health":"true"} 
    

    9.3 部署kube-controller-manager

    9.3.1 创建kube-contaoller-manager配置文件
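    # Changes against the original:
    #  - --address=127.0.0.1: the controller-manager's HTTP port (10252) has no
    #    authentication; `kubectl get cs` probes it on 127.0.0.1 anyway.
    #  - --cluster-cidr=172.17.0.0/16 added: section 6.6 says the pod range
    #    written to etcd must match this flag, but the flag was missing.
    #  - line continuations restored; quoted delimiter.
    # NOTE(review): --cluster-signing-key-file and
    # --service-account-private-key-file both point at the CA private key; a
    # dedicated service-account key pair (matching --service-account-key-file on
    # the apiserver) is the recommended split.
    cat >/etc/kubernetes/cfg/kube-controller-manager.cfg <<'EOF'
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
    --v=4 \
    --master=127.0.0.1:8080 \
    --leader-elect=true \
    --address=127.0.0.1 \
    --service-cluster-ip-range=10.0.0.0/24 \
    --cluster-cidr=172.17.0.0/16 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
    --root-ca-file=/etc/kubernetes/ssl/ca.pem \
    --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem"
    EOF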
    

    参数说明:
    --master=127.0.0.1:8080 指定master地址
    --leader-elect 竞争选举机制产生一个lead节点,其他节点为阻塞状态
    --service-cluster-ip-range kubernetes service 指定的IP地址范围。

    9.3.2创建kube-controller-manager启动文件
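    # Quoted delimiter: a bare <<EOF would expand $KUBE_CONTROLLER_MANAGER_OPTS
    # (unset in this shell) while writing the file, leaving ExecStart bare.
    cat >/usr/lib/systemd/system/kube-controller-manager.service <<'EOF'
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes
    After=network-online.target kube-apiserver.service
    Wants=network-online.target

    [Service]
    EnvironmentFile=/etc/kubernetes/cfg/kube-controller-manager.cfg
    ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF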
    
    9.3.3 启动kube-controller-manager服务
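    # new unit file: reload systemd before the first start
    systemctl daemon-reload
    systemctl start kube-controller-manager
    systemctl status kube-controller-manager --no-pager
    systemctl enable kube-controller-manager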
    
    [root@master01 ~]# systemctl status kube-controller-manager
    ● kube-controller-manager.service - Kubernetes Controller Manager
       Loaded: loaded (/usr/lib/systemd/system/kube-controller-manager.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2020-08-10 10:31:05 CST; 50s ago
         Docs: https://github.com/kubernetes/kubernetes
     Main PID: 8635 (kube-controller)
       CGroup: /system.slice/kube-controller-manager.service
               └─8635 /usr/local/bin/kube-controller-manager --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=0.0.0.0 --service-cluster-ip-range=10.0.0.0/24 --c...
    
    
    9.3.4 查看master组件状态
    [root@master01 ~]# kubectl get cs
    NAME                 STATUS    MESSAGE             ERROR
    scheduler            Healthy   ok                  
    controller-manager   Healthy   ok                  
    etcd-0               Healthy   {"health":"true"}   
    etcd-2               Healthy   {"health":"true"}   
    etcd-1               Healthy   {"health":"true"}   
    

    10 Node节点组件

    Node节点需要部署的组件
    kubelet
    kube-proxy
    flannel
    docker

    10.1 部署kubelet组件

    kubelet运行在每个node节点上,接收kube-apiserver发送的请求,管理pod容器,执行交互式命令,如exec,run,log等
    kubelet启动时自动向kube-apiserver注册节点信息,内置的cadvisor统计和监控节点的资源使用情况。

    10.1.1 从master节点复制kubernetes文件到node

    从master01上把kubelet和kube-proxy二进制文件复制到node01和node02上

    cd /root/soft
    # kubelet and kube-proxy are the only server binaries a worker runs
    for n in node01 node02; do
      scp -p kubernetes/server/bin/kubelet kubernetes/server/bin/kube-proxy "$n:/usr/local/bin/"
    done
    
    10.1.2 创建kubelet bootstrap.kubeconfig文件

    kubernetes中kubeconfig配置文件用于访问集群信息,在开启了TLS的集群中,每次与集群交互都需要身份认证,生产环境一般用证书进行认证,其认证所需要的信息会放在kubeconfig文件中。

    master01节点

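    mkdir -p /root/config && cd /root/config
    # Quoted delimiter: with a bare <<EOF the shell expands ${BOOTSTRAP_TOKEN}
    # and ${KUBE_APISERVER} (unset in THIS shell) while writing the script,
    # producing a kubeconfig with an empty --server and an empty --token.
    cat >environment.sh <<'EOF'
    #!/usr/bin/env bash
    # Build the kubelet bootstrapping kubeconfig (bootstrap.kubeconfig).
    set -euo pipefail
    BOOTSTRAP_TOKEN=a37e9d743248a4589728d60cd35c159c   # value from token.csv (9.1.4)
    KUBE_APISERVER="https://192.168.68.1:6443"          # keepalived VIP
    # cluster: CA embedded so the file is self-contained on the node
    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/ssl/ca.pem \
      --embed-certs=true \
      --server="${KUBE_APISERVER}" \
      --kubeconfig=bootstrap.kubeconfig
    # credentials: the bootstrap token (the file now holds a secret; kubectl
    # creates it 0600 -- keep it that way when copying it around)
    kubectl config set-credentials kubelet-bootstrap \
      --token="${BOOTSTRAP_TOKEN}" \
      --kubeconfig=bootstrap.kubeconfig
    # context
    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kubelet-bootstrap \
      --kubeconfig=bootstrap.kubeconfig
    # default context
    kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
    EOF
    # run with: bash environment.sh  -> writes bootstrap.kubeconfig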
    

    执行脚本

    sh environment.sh
    [root@master01 config]# sh environment.sh 
    Cluster "kubernetes" set.
    User "kubelet-bootstrap" set.
    Context "default" created.
    Switched to context "default".
    
    10.1.3 创建kube-proxy kubeconfig文件
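    # Quoted delimiter for the same reason as environment.sh: ${KUBE_APISERVER}
    # must survive into the script, not be expanded (to nothing) while writing it.
    # The unused BOOTSTRAP_TOKEN line is dropped -- kube-proxy authenticates with
    # its client certificate, and a secret should not be copied where it is not needed.
    cat >env_proxy.sh <<'EOF'
    #!/usr/bin/env bash
    # Build the kube-proxy kubeconfig (kube-proxy.kubeconfig).
    set -euo pipefail
    KUBE_APISERVER="https://192.168.68.1:6443"   # keepalived VIP

    kubectl config set-cluster kubernetes \
      --certificate-authority=/etc/kubernetes/ssl/ca.pem \
      --embed-certs=true \
      --server="${KUBE_APISERVER}" \
      --kubeconfig=kube-proxy.kubeconfig

    # client cert + key are embedded, so the node needs no separate copy of them
    kubectl config set-credentials kube-proxy \
      --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \
      --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \
      --embed-certs=true \
      --kubeconfig=kube-proxy.kubeconfig

    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kube-proxy \
      --kubeconfig=kube-proxy.kubeconfig

    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
    EOF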
    

    执行脚本

    [root@master01 config]# sh env_proxy.sh  
    Cluster "kubernetes" set.
    User "kube-proxy" set.
    Context "default" created.
    Switched to context "default".
    
    10.1.4 复制kubeconfig文件和证书到所有node节点

    将bootstrap kubeconfig kube-proxy.kubeconfig文件复制到所有node节点

    # config and cert directories on every worker
    for n in node01 node02; do
      ssh "$n" "mkdir -p /etc/kubernetes/{cfg,ssl}"
    done
    

    复制证书文件

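    # Workers get the CA *certificate* only. The original copied the whole
    # directory -- including ca-key.pem (lets a compromised worker sign itself
    # a cluster-admin client cert) and server-key.pem (lets it impersonate the
    # apiserver). kube-proxy's cert/key are already embedded in
    # kube-proxy.kubeconfig (--embed-certs=true in 10.1.3). If the kubelet
    # configuration in a later section needs other files, copy those by name.
    for n in node01 node02; do
      scp -p /etc/kubernetes/ssl/ca.pem "$n:/etc/kubernetes/ssl/"
    done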
    

    复制kubeconfig文件

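    # Both kubeconfigs carry secrets (the bootstrap token; the embedded kube-proxy
    # private key), so tighten their mode on the node right after copying.
    cd /root/config
    for node in node01 node02; do
      scp -p bootstrap.kubeconfig kube-proxy.kubeconfig "${node}:/etc/kubernetes/cfg/"
      ssh "$node" 'chmod 600 /etc/kubernetes/cfg/bootstrap.kubeconfig /etc/kubernetes/cfg/kube-proxy.kubeconfig'
    done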
    
    [root@master01 config]# scp /etc/kubernetes/ssl/* node01:/etc/kubernetes/ssl/
    ca-key.pem                                                                                                                                                 100% 1675     3.5MB/s   00:00    
    ca.pem                                                                                                                                                     100% 1359     3.0MB/s   00:00    
    kube-proxy-key.pem                                                                                                                                         100% 1675     4.2MB/s   00:00    
    kube-proxy.pem                                                                                                                                             100% 1403     3.9MB/s   00:00    
    server-key.pem                                                                                                                                             100% 1675     4.2MB/s   00:00    
    server.pem                                                                                                                                                 100% 1724     4.4MB/s   00:00    
    [root@master01 config]# scp /etc/kubernetes/ssl/* node02:/etc/kubernetes/ssl/
    ca-key.pem                                                                                                                                                 100% 1675     2.7MB/s   00:00    
    ca.pem                                                                                                                                                     100% 1359     2.9MB/s   00:00    
    kube-proxy-key.pem                                                                                                                                         100% 1675     4.0MB/s   00:00    
    kube-proxy.pem                                                                                                                                             100% 1403     3.0MB/s   00:00    
    server-key.pem                                                                                                                                             100% 1675     4.4MB/s   00:00    
    server.pem                                                                                                                                                 100% 1724     4.0MB/s   00:00    
    [root@master01 config]# cd /root/config/
    [root@master01 config]# scp -rp bootstrap.kubeconfig kube-proxy.kubeconfig node01:/etc/kubernetes/cfg/
    bootstrap.kubeconfig                                                                                                                                       100% 2166     1.6MB/s   00:00    
    kube-proxy.kubeconfig                                                                                                                                      100% 6268     4.8MB/s   00:00    
    [root@master01 config]# scp -rp bootstrap.kubeconfig kube-proxy.kubeconfig node02:/etc/kubernetes/cfg/
    bootstrap.kubeconfig                                                                                                                                       100% 2166     1.6MB/s   00:00    
    kube-proxy.kubeconfig                                                                                                                                      100% 6268     5.2MB/s   00:00    
    [root@master01 config]# 
    
    10.1.5 创建kubelet参数文件

    不同NODE节点,需要修改IP地址 (Node节点操作)
    node01

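    # node01 kubelet configuration (<<- strips the leading tabs; 'EOF' keeps it literal).
    cat >/etc/kubernetes/cfg/kubelet.config <<-'EOF'
	kind: KubeletConfiguration
	apiVersion: kubelet.config.k8s.io/v1beta1
	address: 192.168.68.149
	port: 10250
	# 0 disables the unauthenticated read-only API (default 10255), which hands
	# pod specs and environment variables to anyone who can reach the node.
	readOnlyPort: 0
	cgroupDriver: cgroupfs
	clusterDNS: ["10.0.0.2"]
	clusterDomain: cluster.local
	failSwapOn: false
	# The kubelet API on 10250 can exec into every pod on the node, so it must
	# not accept anonymous callers. Accept clients with a certificate from our
	# CA, or a ServiceAccount token checked against the apiserver, and let the
	# apiserver decide what they may do (authorization Webhook).
	# NOTE(review): with anonymous off, the apiserver itself must authenticate
	# for logs/exec/port-forward -- it needs --kubelet-client-certificate/
	# --kubelet-client-key signed by ca.pem and that identity bound to
	# system:kubelet-api-admin. Confirm that before applying.
	authentication:
	  anonymous:
	    enabled: false
	  webhook:
	    enabled: true
	  x509:
	    clientCAFile: /etc/kubernetes/ssl/ca.pem
	authorization:
	  mode: Webhook
	EOF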
    

    node02

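    # node02 kubelet configuration (<<- strips the leading tabs; 'EOF' keeps it literal).
    cat >/etc/kubernetes/cfg/kubelet.config <<-'EOF'
	kind: KubeletConfiguration
	apiVersion: kubelet.config.k8s.io/v1beta1
	address: 192.168.68.151
	port: 10250
	# 0 disables the unauthenticated read-only API (default 10255), which hands
	# pod specs and environment variables to anyone who can reach the node.
	readOnlyPort: 0
	cgroupDriver: cgroupfs
	clusterDNS: ["10.0.0.2"]
	clusterDomain: cluster.local
	failSwapOn: false
	# The kubelet API on 10250 can exec into every pod on the node, so it must
	# not accept anonymous callers. Accept clients with a certificate from our
	# CA, or a ServiceAccount token checked against the apiserver, and let the
	# apiserver decide what they may do (authorization Webhook).
	# NOTE(review): with anonymous off, the apiserver itself must authenticate
	# for logs/exec/port-forward -- it needs --kubelet-client-certificate/
	# --kubelet-client-key signed by ca.pem and that identity bound to
	# system:kubelet-api-admin. Confirm that before applying.
	authentication:
	  anonymous:
	    enabled: false
	  webhook:
	    enabled: true
	  x509:
	    clientCAFile: /etc/kubernetes/ssl/ca.pem
	authorization:
	  mode: Webhook
	EOF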
    
    10.1.6 创建kubelet配置文件

    不同的node节点,需要修改IP地址
    /etc/kubernetes/cfg/kubelet.kubeconfig文件无需手动创建:kubelet使用bootstrap.kubeconfig完成TLS bootstrap,证书请求在master上被批准后会自动生成该文件。

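    # node01 kubelet flags, sourced by kubelet.service through EnvironmentFile.
    # Quoted delimiter: nothing is expanded while writing; the trailing backslashes
    # are kept so the lines are joined into one KUBELET_OPTS value when read.
    cat >/etc/kubernetes/cfg/kubelet <<-'EOF'
	# --v=4 is chatty; lower it once the node is stable.
	# TODO(review): pin --pod-infra-container-image to a fixed tag or digest,
	# ':latest' is mutable and not reproducible.
	KUBELET_OPTS="--logtostderr=true \
	--v=4 \
	--hostname-override=192.168.68.149 \
	--kubeconfig=/etc/kubernetes/cfg/kubelet.kubeconfig \
	--bootstrap-kubeconfig=/etc/kubernetes/cfg/bootstrap.kubeconfig \
	--config=/etc/kubernetes/cfg/kubelet.config \
	--cert-dir=/etc/kubernetes/ssl \
	--pod-infra-container-image=docker.io/kubernetes/pause:latest"
	EOF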
    
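    # node02 kubelet flags, sourced by kubelet.service through EnvironmentFile.
    # Quoted delimiter: nothing is expanded while writing; the trailing backslashes
    # are kept so the lines are joined into one KUBELET_OPTS value when read.
    cat >/etc/kubernetes/cfg/kubelet <<-'EOF'
	# --v=4 is chatty; lower it once the node is stable.
	# TODO(review): pin --pod-infra-container-image to a fixed tag or digest,
	# ':latest' is mutable and not reproducible.
	KUBELET_OPTS="--logtostderr=true \
	--v=4 \
	--hostname-override=192.168.68.151 \
	--kubeconfig=/etc/kubernetes/cfg/kubelet.kubeconfig \
	--bootstrap-kubeconfig=/etc/kubernetes/cfg/bootstrap.kubeconfig \
	--config=/etc/kubernetes/cfg/kubelet.config \
	--cert-dir=/etc/kubernetes/ssl \
	--pod-infra-container-image=docker.io/kubernetes/pause:latest"
	EOF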
    
    10.1.7 创建kubelet系统启动文件
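    # Quote the delimiter: with a bare <<EOF the shell expands $KUBELET_OPTS while
    # writing the unit -- to an empty string, since it only exists in the
    # EnvironmentFile -- and ExecStart ends up with no arguments at all.
    cat >/usr/lib/systemd/system/kubelet.service <<-'EOF'
	[Unit]
	Description=Kubernetes Kubelet
	After=docker.service
	Requires=docker.service
	Documentation=https://github.com/kubernetes/kubernetes

	[Service]
	EnvironmentFile=/etc/kubernetes/cfg/kubelet
	ExecStart=/usr/local/bin/kubelet $KUBELET_OPTS
	Restart=on-failure
	KillMode=process

	[Install]
	WantedBy=multi-user.target
	EOF
    # Make systemd pick up the new unit before it is started.
    systemctl daemon-reload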
    
    10.1.8 将kubelet-bootstrap用户绑定到系统集群角色

    Master01节点操作

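    # The shared bootstrap identity may only *request* node certificates
    # (system:node-bootstrapper); approval stays a manual step in 10.2, so the
    # bootstrap token alone cannot join a rogue node.
    kubectl create clusterrolebinding kubelet-bootstrap \
      --clusterrole=system:node-bootstrapper \
      --user=kubelet-bootstrap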
    
    10.1.9 启动kubelet服务(node节点)
    # Enable at boot, start now, then show the unit state.
    systemctl enable kubelet
    systemctl start kubelet
    systemctl status kubelet
    

    10.2 服务端批准与查看csr请求

    查看csr请求
    master01节点操作

    [root@master01 config]# kubectl get csr
    NAME                                                   AGE     REQUESTOR           CONDITION
    node-csr-EIYu6J_7noPLUQc28Z3kEUQPlD0SdVOdexxFQqclQyQ   5m26s   kubelet-bootstrap   Pending
    node-csr-k6HGdR3UQ0cpvFKot2it_YsUN8uHWlsFq0fFiA5bnzU   12m     kubelet-bootstrap   Pending
    
    10.2.1 批准请求

    master01节点操作

    # Inspect each pending request first (kubectl describe csr <name>) and check
    # the requested node name is a host you actually provisioned: anyone holding
    # the bootstrap token can submit a CSR. Both approvals in one call.
    kubectl certificate approve \
      node-csr-EIYu6J_7noPLUQc28Z3kEUQPlD0SdVOdexxFQqclQyQ \
      node-csr-k6HGdR3UQ0cpvFKot2it_YsUN8uHWlsFq0fFiA5bnzU
    
    [root@master01 config]# kubectl get csr
    NAME                                                   AGE     REQUESTOR           CONDITION
    node-csr-EIYu6J_7noPLUQc28Z3kEUQPlD0SdVOdexxFQqclQyQ   8m46s   kubelet-bootstrap   Approved,Issued
    node-csr-k6HGdR3UQ0cpvFKot2it_YsUN8uHWlsFq0fFiA5bnzU   16m     kubelet-bootstrap   Approved,Issued
    

    10.3 节点重名处理方法

    如果新增node时忘记修改/etc/kubernetes/cfg/kubelet文件中的--hostname-override字段(例如仍为192.168.68.151),会导致节点重名。此时可以先在master上删除对应的csr,在node上删除已生成的kubelet.kubeconfig,然后重启kubelet重新申请证书。
    master节点操作

    # Removes only the CSR object. A certificate already issued for it stays valid
    # until it expires (nothing here revokes it), so also delete the duplicate Node
    # object (kubectl delete node <name>) if one was registered under the wrong name.
    kubectl  delete csr node-csr-EIYu6J_7noPLUQc28Z3kEUQPlD0SdVOdexxFQqclQyQ
    

    node节点删除kubelet.kubeconfig
    客户端重启kubelet服务,再重新申请证书

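    # Drop the kubeconfig the kubelet generated after bootstrap so it re-enters the
    # bootstrap flow on restart. It is a single file: -r is not needed, and '--'
    # guards against the path ever being option-like.
    # NOTE(review): the client cert that kubeconfig points at lives under
    # --cert-dir (/etc/kubernetes/ssl, kubelet-client-* files); if the kubelet
    # keeps its old identity after restart, remove those too -- confirm on the node.
    rm -f -- /etc/kubernetes/cfg/kubelet.kubeconfig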
    

    10.4 查看节点状态

    所有node节点状态必须为Ready

    [root@master01 config]# kubectl get nodes
    NAME             STATUS   ROLES    AGE     VERSION
    192.168.68.149   Ready    <none>   6m24s   v1.15.1
    192.168.68.151   Ready    <none>   6m38s   v1.15.1
    

    10.5 部署kube-proxy组件

    kube-proxy运行在node节点上,监听apiserver中service和endpoint的变化情况,创建路由规则来进行服务负载均衡。

    10.5.1 创建kube-proxy配置文件

    注意修改hostname-override地址,不同的node IP不相同。
    node01

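    # node01 kube-proxy flags, sourced by kube-proxy.service through EnvironmentFile.
    # Quoted delimiter so nothing expands at write time; trailing backslashes join
    # the lines into one KUBE_PROXY_OPTS value.
    cat >/etc/kubernetes/cfg/kube-proxy <<-'EOF'
	# --metrics-bind-address: keep /metrics on loopback. 0.0.0.0 exposes it on
	#   every network the node is attached to; bind to the node IP only if a
	#   scraper needs it, and firewall it.
	# --cluster-cidr must be the *pod* network handed to flannel, not the service
	#   range. 10.0.0.0/24 is where the ClusterIPs seen later live (10.0.0.1,
	#   10.0.0.2, 10.0.0.61) -- double-check it against the flannel subnet.
	KUBE_PROXY_OPTS="--logtostderr=true \
	--v=4 \
	--metrics-bind-address=127.0.0.1 \
	--hostname-override=192.168.68.149 \
	--cluster-cidr=10.0.0.0/24 \
	--kubeconfig=/etc/kubernetes/cfg/kube-proxy.kubeconfig"
	EOF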
    

    node02

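    # node02 kube-proxy flags, sourced by kube-proxy.service through EnvironmentFile.
    # Quoted delimiter so nothing expands at write time; trailing backslashes join
    # the lines into one KUBE_PROXY_OPTS value.
    cat >/etc/kubernetes/cfg/kube-proxy <<-'EOF'
	# --metrics-bind-address: keep /metrics on loopback. 0.0.0.0 exposes it on
	#   every network the node is attached to; bind to the node IP only if a
	#   scraper needs it, and firewall it.
	# --cluster-cidr must be the *pod* network handed to flannel, not the service
	#   range. 10.0.0.0/24 is where the ClusterIPs seen later live (10.0.0.1,
	#   10.0.0.2, 10.0.0.61) -- double-check it against the flannel subnet.
	KUBE_PROXY_OPTS="--logtostderr=true \
	--v=4 \
	--metrics-bind-address=127.0.0.1 \
	--hostname-override=192.168.68.151 \
	--cluster-cidr=10.0.0.0/24 \
	--kubeconfig=/etc/kubernetes/cfg/kube-proxy.kubeconfig"
	EOF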
    
    10.5.2 创建kube-proxy启动文件
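    # Quote the delimiter so $KUBE_PROXY_OPTS is written literally; an unquoted
    # <<EOF expands it at write time (empty here) and ExecStart loses every flag.
    cat >/usr/lib/systemd/system/kube-proxy.service <<-'EOF'
	[Unit]
	Description=Kubernetes Proxy
	After=network.target
	Documentation=https://github.com/kubernetes/kubernetes

	[Service]
	EnvironmentFile=/etc/kubernetes/cfg/kube-proxy
	ExecStart=/usr/local/bin/kube-proxy $KUBE_PROXY_OPTS
	Restart=on-failure

	[Install]
	WantedBy=multi-user.target
	EOF
    # Make systemd pick up the new unit before it is started.
    systemctl daemon-reload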
    
    10.5.3 启动服务
    # Enable at boot, start now, then show the unit state.
    systemctl enable kube-proxy
    systemctl start kube-proxy
    systemctl status kube-proxy
    

    11. 运行Demo项目

    # Demo only: the image tag is unpinned (resolves to nginx:latest); pin a tag or
    # digest for anything that needs to be reproducible.
    kubectl run nginx --image=nginx --replicas=2
    [root@master01 config]# kubectl run nginx --image=nginx --replicas=2
    kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
    
    # NodePort publishes the service on a high port (42780 in the listing below) on
    # every node address, i.e. reachable from outside the cluster -- fine for this
    # demo, not for anything sensitive.
    kubectl expose deployment nginx --port 88 --target-port=80 --type=NodePort
    

    11.1 查看pod

    kubectl get pods
    [root@master01 config]# kubectl get pods
    NAME                     READY   STATUS              RESTARTS   AGE
    nginx-7bb7cd8db5-577pp   0/1     ContainerCreating   0          27s
    nginx-7bb7cd8db5-lqpzd   0/1     ContainerCreating   0          27s
    
    [root@master01 config]# kubectl get pods
    NAME                     READY   STATUS    RESTARTS   AGE
    nginx-7bb7cd8db5-577pp   1/1     Running   0          108s
    nginx-7bb7cd8db5-lqpzd   1/1     Running   0          108s
    

    11.2 查看svc

    [root@master01 config]# kubectl get svc
    NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
    kubernetes   ClusterIP   10.0.0.1     <none>        443/TCP        6h58m
    nginx        NodePort    10.0.0.61    <none>        88:42780/TCP   39s
    

    11.3 访问web

    [root@master01 config]# curl http://192.168.68.149:42780
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
        body {
             35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    
    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>
    
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    11.4 删除项目

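    # The deployment owns its pods, so deleting it removes them; the transcript
    # below shows `delete pods nginx` and the second deployment delete both fail
    # with NotFound. Two commands are enough.
    kubectl delete deployment nginx
    kubectl delete svc -l run=nginx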
    
    [root@master01 config]# kubectl delete deployment nginx
    deployment.extensions "nginx" deleted
    [root@master01 config]# kubectl delete pods nginx
    Error from server (NotFound): pods "nginx" not found
    [root@master01 config]# kubectl delete svc -l run=nginx
    service "nginx" deleted
    [root@master01 config]# kubectl delete deployment.apps/nginx
    Error from server (NotFound): deployments.apps "nginx" not found
    

    11.5 服务启动顺序

    11.5.1 启动master节点
    # Bring the control plane up one unit at a time, in this order (etcd before
    # the apiserver, apiserver before scheduler/controller-manager).
    for svc in keepalived etcd kube-apiserver kube-scheduler kube-controller-manager flanneld; do
      systemctl start "$svc"
    done
    # Cluster health: component statuses, registered nodes, pods in all namespaces
    kubectl get cs
    kubectl get nodes
    kubectl get pods -A
    
    11.5.2 启动node节点
    # Worker start order: overlay network, container runtime, then the k8s agents.
    for svc in flanneld docker kubelet kube-proxy; do
      systemctl start "$svc"
    done
    
    11.5.3 停止node节点
    # Worker stop order: the reverse of the start order.
    for svc in kube-proxy kubelet docker flanneld; do
      systemctl stop "$svc"
    done
    