• 全部二进制脚本高可用--只有docker启动未成功


    [root@test1 script]# cat k8s-docker-binary-py 
    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    
    from __future__ import print_function
    import os, sys, stat
    import shutil
    import tarfile
    import subprocess
    
    # 定义环境变量
    
    # 定义主机名
    NODE_NAME = subprocess.check_output(["hostname"], shell=True)
    NODE_NAME = str(NODE_NAME.decode('utf8').strip()).strip('b')
    
    # 定义主机ip
    NODE_IP = subprocess.check_output(["hostname -i | awk '{print $NF}'"], shell=True)
    NODE_IP = str(NODE_IP.decode('utf8').strip()).strip('b')
    
    #定义key
    ENCRYPTION_KEY = subprocess.check_output(["head -c 32 /dev/urandom | base64"], shell=True)
    ENCRYPTION_KEY = str(ENCRYPTION_KEY.decode('utf8').strip()).strip('b')
    
    SERVICE_CIDR = "10.254.0.0/16"
    CLUSTER_CIDR = "172.30.0.0/16"
    NODE_PORT_RANGE = "8000-30000"
    NODE_IPS = ['192.168.0.91', '192.168.0.92', '192.168.0.93']
    NODE_NAMES = ['test1', 'test2', 'test3','test4']
    MASTER_VIP = "192.168.0.235"
    KUBE_APISERVER = "https://192.168.0.235:8443"
    VIP_IF = "ens33"
    ETCD_ENDPOINTS = "https://192.168.0.91:2379,https://192.168.0.92:2379,https://192.168.0.93:2379"
    ETCD_NODES = "test1=https://192.168.0.91:2380,test2=https://192.168.0.92:2380,test3=https://192.168.0.93:2380"
    FLANNEL_ETCD_PREFIX = "/kubernetes/network/"
    CLUSTER_KUBERNETES_SVC_IP = "10.254.0.1"
    CLUSTER_DNS_SVC_IP = "10.254.0.2"
    CLUSTER_DNS_DOMAIN = "cluster.local."
    IFACE="ens33"
    
    
    
    def create_dir_kernel_parameters():
        print("创建目录、配置内核参数、安装依赖包")
        #所有节点创建目录
        subprocess.call(["time ansible k8s -m file -a 'path=/k8s/profile/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m file -a 'path=/server/software/k8s/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m file -a 'path=/root/ssl/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m file -a 'path=/script/ state=directory mode=0777'"], shell=True)
        #配置内核参数
        subprocess.call(["ansible k8s -m shell -a 'iptables -P FORWARD ACCEPT'"], shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/k8s/profile/k8s.conf dest=/etc/sysctl.d/k8s.conf force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'sysctl --system'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'modprobe ip_vs'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'modprobe ip_vs_rr'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'modprobe ip_vs_wrr'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'modprobe ip_vs_sh'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'modprobe nf_conntrack_ipv4'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'lsmod | grep ip_vs'"], shell=True)
        #安装依赖包,  其实这一步只是配置node节点的kube-proxy步骤需要用到
        subprocess.call(["ansible k8s -m shell -a 'yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp'"], shell=True)
    
    def install_cfssl():
        print("安装 cfssl 工具集")
        subprocess.call(["ansible k8s -m file -a 'path=/server/software/k8s/ state=directory mode=0777'"], shell=True)
        os.chdir('/server/software/k8s/')
        subprocess.call(["ansible test1 -m copy -a 'src=/server/software/k8s/cfssl-certinfo_linux-amd64  dest=/usr/local/bin/cfssl-certinfo force=yes'"], shell=True)
        subprocess.call(["ansible test1 -m copy -a 'src=/server/software/k8s/cfssl_linux-amd64  dest=/usr/local/bin/cfssl'"], shell=True)
        subprocess.call(["ansible test1 -m copy -a 'src=/server/software/k8s/cfssljson_linux-amd64  dest=/usr/local/bin/cfssljson'"], shell=True)
        os.chdir('/usr/local/bin/')
        os.chmod("cfssl-certinfo", stat.S_IXOTH)
        os.chmod("cfssl", stat.S_IXOTH)
        os.chmod("cfssljson", stat.S_IXOTH)
        print("successful")
    
    
    def create_root_ca():
        print("创建CA根证书")
        os.chdir('/root/ssl/')
        subprocess.call(["time ansible k8s -m file -a 'path=/root/ssl/ state=directory mode=0777'"], shell=True)
        subprocess.call(["cfssl gencert -initca ca-csr.json | cfssljson -bare ca"], shell=True)
        #创建用户
        subprocess.call(["time ansible k8s -m shell -a 'useradd k8s'"],shell=True)
        #创建目录
        subprocess.call(["time ansible k8s -m shell -a 'mkdir -p /etc/kubernetes/cert/ && chown -R k8s /etc/kubernetes'"],shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/root/ssl/ dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        print("successful")
    
    
    def distribute_kubectl():
        print("分发 所有 二进制文件、安装kubectl ")
        os.chdir('/server/software/k8s/')
        shutil.unpack_archive('kubernetes-server-linux-amd64.tar.gz')
        subprocess.call(["time ansible k8s -m file -a 'path=/opt/k8s/bin/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/server/software/k8s/kubernetes/server/bin/ dest=/opt/k8s/bin/ force=yes'"],shell=True)
        subprocess.call(["chmod +x /opt/k8s/bin/*"], shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/opt/k8s/bin/kubectl dest=/usr/local/bin/ force=yes'"], shell=True)
        subprocess.call(["time ansible k8s -m shell -a 'chmod +x /usr/local/bin/kubectl'"], shell=True)
        print("successful")
    
    def create_admin_ca():
        print("创建 admin 证书和私钥 ")
        os.chdir('/root/ssl/')
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/cert/*'"], shell=True)
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin"],shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/admin.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/admin-key.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        #给证书授权
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/cert/*'"], shell=True)
        print("successful")
    
    def create_admin_kubeconfig():
        print("创建admin kubeconfig 文件")
        os.chdir('/root/ssl/')
        subprocess.call(["kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.0.235:8443 --kubeconfig=admin.conf"],shell=True)
        subprocess.call(["kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=admin.conf"],shell=True)
        subprocess.call(["kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=admin.conf"],shell=True)
        subprocess.call(["kubectl config use-context kubernetes --kubeconfig=admin.conf"],shell=True)
        subprocess.call(["ansible k8s -m file -a 'path=/root/.kube/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/admin.conf dest=/root/.kube/config force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /root/.kube/*'"], shell=True)
        print("创建admin kubeconfig 文件完成")
    
    def install_etcd_cluster():
        print("部署 etcd 集群")
        # 解压和分发 etcd 二进制文件
        os.chdir('/server/software/k8s/')
        shutil.unpack_archive('etcd-v3.3.9-linux-amd64.tar.gz')
        subprocess.call(["time ansible k8s -m copy -a 'src=/server/software/k8s/etcd-v3.3.9-linux-amd64/ dest=/opt/k8s/bin/ force=yes'"],shell=True)
        subprocess.call(["time ansible k8s -m shell -a 'chmod +x /opt/k8s/bin/*'"],shell=True)
        #创建etcd连接,直接使用etcdctl命令操作
        subprocess.call(["time ansible k8s -m shell -a 'ln -s /opt/k8s/bin/etcdctl /usr/bin/etcdctl'"],shell=True)
        # 创建 etcd 证书和私钥
        os.chdir('/root/ssl/')
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd"],shell=True)
        subprocess.call(["time ansible k8s -m file -a 'path=/etc/etcd/cert/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/root/ssl/ dest=/etc/etcd/cert/ force=yes'"], shell=True)
        # 创建 etcd.service文件
        subprocess.call(["time ansible k8s -m file -a 'path=/k8s/profile/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m copy -a 'src=/k8s/profile/ dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["time ansible k8s -m shell -a 'python /k8s/profile/etcd.service.py'"],shell=True)
        #创建 etcd 数据目录
        subprocess.call(["time ansible k8s -m file -a 'path=/var/lib/etcd/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible k8s -m shell -a 'chmod +x /var/lib/etcd'"],shell=True)
        #启动 etcd 服务
        subprocess.call(["time ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["time ansible k8s -m service -a 'name=etcd state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=etcd enabled=yes'"],shell=True)
        #检查启动结果
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status etcd'"],shell=True)
        #验证服务状态
        subprocess.call(["/opt/k8s/bin/etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file /etc/etcd/cert/etcd.pem --key-file /etc/etcd/cert/etcd-key.pem cluster-health"],shell=True)
        #说明:如果启动失败就把所有节点关机重启就即可解决
    
    def install_haproxy():
        print("安装haproxy")
        #安装软件
        subprocess.call(["ansible k8s -m shell -a 'yum install -y haproxy'"],shell=True)
        #配置和下发 haproxy 配置文件
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/haproxy.cfg dest=/etc/haproxy force=yes'"], shell=True)
        #启动haproxy
        subprocess.call(["ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=haproxy state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=haproxy enabled=yes'"],shell=True)
        #检查启动结果
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status haproxy'"],shell=True)
    
    def install_keepalived():
        print("安装keepalived")
        #安装软件
        subprocess.call(["ansible k8s -m shell -a 'yum install -y keepalived'"],shell=True)
        #配置和下发 keepalived 配置文件
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/ dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'python /k8s/profile/keepalived-master.py'"],shell=True)
        subprocess.call(["ansible test0 -m shell -a 'python /k8s/profile/keepalived-back.py'"],shell=True)
        #起动keepalived 服务
        subprocess.call(["ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=keepalived state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=keepalived enabled=yes'"],shell=True)
        #检查启动结果
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status keepalived'"],shell=True)
        #测试是否能ping通vip
        subprocess.call(["time ansible k8s -m shell -a 'ping -c 1 192.168.0.235'"],shell=True)
        #查看 haproxy 状态页面 http://192.168.0.235:10080/status;账号密码:admin/123456
    
    def kube_apiserver():
        print("部署 kube-apiserver 组件")
        #创建 kubernetes 证书和私钥
        os.chdir('/root/ssl/')
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes"], shell=True)
        #生产service account key
        subprocess.call(["ansible test1 -m shell -a 'openssl genrsa -out /root/ssl/sa.key 2048'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'openssl rsa -in /root/ssl/sa.key -pubout -out /root/ssl/sa.pub'"], shell=True)
        #将生成的证书、私钥、ervice account key 分发到所有节点
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/ dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/cert/'"], shell=True)
        #创建、分发加密配置文件
        subprocess.call(["ansible test1 -m shell -a 'python /k8s/profile/encryption-config.py'"],shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/etc/kubernetes/encryption-config.yaml dest=/etc/kubernetes force=yes'"], shell=True)
        #创建、分发kube-apiserver文件
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/kube-apiserver.service.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/kube-apiserver.service.template.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'python /k8s/profile/kube-apiserver.service.py'"],shell=True)
        #起动kube-apiserver 服务
        subprocess.call(["ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-apiserver state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-apiserver enabled=yes'"],shell=True)
        #检查 kube-apiserver服务 运行状态
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status kube-apiserver'"],shell=True)
        #检查集群运行状态
        subprocess.call(["ansible k8s -m shell -a 'kubectl cluster-info'"],shell=True)
        subprocess.call(["ansible k8s -m shell -a 'kubectl get componentstatuses'"],shell=True)
        #检查 kube-apiserver 监听的端口
        subprocess.call(["ansible k8s -m shell -a 'netstat -lnpt|grep kube'"],shell=True)
        #授予 kubernetes 证书访问 kubelet API 的权限;在执行 kubectl exec、run、logs 等命令时,apiserver 会转发到 kubelet。这里定义 RBAC 规则,授权 apiserver 调用 kubelet API
        subprocess.call(["ansible k8s -m shell -a 'kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernete'"],shell=True)
    
    def kube_controller_manager():
        print("部署高可用 kube-controller-manager 集群")
        #创建 kubernetes 证书和私钥
        os.chdir('/root/ssl/')
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager"], shell=True)
        #将生成的证书和私钥分发到所有节点
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/ dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/cert/'"], shell=True)
        #创建和分发 kubeconfig 文件
        subprocess.call(["kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.0.235:8443 --kubeconfig=kube-controller-manager.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig"], shell=True)
        subprocess.call(["kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/kube-controller-manager.kubeconfig dest=/etc/kubernetes/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/*'"], shell=True)
        #创建、分发kube-controller-manager.service
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/kube-controller-manager.service.template.py  dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/kube-controller-manager.service.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'python /k8s/profile/kube-controller-manager.service.py'"],shell=True)
        #创建日志目录
        subprocess.call(["ansible k8s -m file -a 'path=/var/log/kubernetes/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /var/log/kubernetes/'"], shell=True)
        #启动 kube-controller-manager 服务
        subprocess.call(["ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-controller-manager state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-controller-manager enabled=yes'"],shell=True)
        #检查 kube-controller-manager 运行状态
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status kube-controller-manager'"],shell=True)
        #查看leader节点
        subprocess.call(["kubectl get endpoints kube-controller-manager --namespace=kube-system  -o yaml"],shell=True)
    
    def install_kube_scheduler():
        print("部署高可用 kube-scheduler 集群")
        #创建 kube-scheduler 证书和私钥
        os.chdir('/root/ssl/')
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler"], shell=True)
        #将生成的证书和私钥分发到所有节点
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/kube-scheduler.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/kube-scheduler-key.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/cert/'"], shell=True)
        #创建和分发 kubeconfig 文件
        subprocess.call(["kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.0.235:8443 --kubeconfig=kube-scheduler.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-context system:kube-scheduler --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig"], shell=True)
        subprocess.call(["kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig"], shell=True)
        subprocess.call(["ansible k8s -m copy -a 'src=/root/ssl/kube-scheduler.kubeconfig dest=/etc/kubernetes/ force=yes'"], shell=True)
        subprocess.call(["ansible k8s -m shell -a 'chmod +x /etc/kubernetes/*'"], shell=True)
        #创建和分发kube-scheduler.service
        subprocess.call(["ansible k8s -m copy -a 'src=/k8s/profile/kube-scheduler.service dest=/etc/systemd/system/ force=yes'"], shell=True)
        #启动kube-scheduler 服务
        subprocess.call(["ansible k8s -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-scheduler state=started'"],shell=True)
        subprocess.call(["ansible k8s -m service -a 'name=kube-scheduler enabled=yes'"],shell=True)
        #检查 kube-scheduler 运行状态
        subprocess.call(["time ansible k8s -m shell -a 'systemctl status kube-scheduler'"],shell=True)
        #查看leader节点
        subprocess.call(["kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml"],shell=True)
    
    def environmental_configuration():
        print("下面开始单独安装worker节点,worker节点主机名:test4")
        print("配置环境")
        #所有节点创建目录
        subprocess.call(["time ansible test4 -m file -a 'path=/k8s/profile/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible test4 -m file -a 'path=/server/software/k8s/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible test4 -m file -a 'path=/root/ssl/ state=directory mode=0777'"], shell=True)
        subprocess.call(["time ansible test4 -m file -a 'path=/script/ state=directory mode=0777'"], shell=True)
        #加载ipvs内核参数,其实这一步在安装kube-proxy那一步时执行即可
        subprocess.call(["ansible test4 -m shell -a 'iptables -P FORWARD ACCEPT'"], shell=True)
        subprocess.call(["time ansible test4 -m copy -a 'src=/k8s/profile/k8s.conf dest=/etc/sysctl.d/k8s.conf force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'sysctl --system'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_rr'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_wrr'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_sh'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe nf_conntrack_ipv4'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'lsmod | grep ip_vs'"], shell=True)
        #安装依赖包,  其实这一步只是配置node节点的kube-proxy步骤需要用到
        subprocess.call(["ansible test4 -m shell -a 'yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp'"], shell=True)
        #创建k8s群组
        subprocess.call(["ansible test4 -m group -a 'name=k8s state=present'"], shell=True)
        #创建k8s用户
        subprocess.call(["ansible test4 -m user -a 'name=k8s group=k8s'"], shell=True)
    
    def install_docker():
        print("安装docker")
        #创建目录
        subprocess.call(["ansible test4 -m file -a 'path=/etc/docker/ state=directory mode=0777'"], shell=True)
        #安装依赖包
        subprocess.call(["ansible test4 -m shell -a 'yum install -y conntrack ipvsadm ipset jq iptables curl sysstat libseccomp && /usr/sbin/modprobe ip_vs'"],shell=True)
        #解压、分发docker二进制文件
        subprocess.call(["time ansible test4 -m unarchive -a 'src=/server/software/k8s/docker-18.03.1-ce.tgz dest=/usr/local/'"],shell=True)
        subprocess.call(["ansible test4 -m shell -a 'cp /usr/local/docker/dockerd /opt/k8s/bin/'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /opt/k8s/bin/*'"], shell=True)
        #设置防火墙策略
        subprocess.call(["ansible test4 -m shell -a '/usr/sbin/iptables -P FORWARD ACCEPT'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'echo /usr/sbin/iptables -P FORWARD ACCEPT > /etc/profile'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'source /etc/profile'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'systemctl stop firewalld && systemctl disable firewalld'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a '/usr/sbin/iptables -F && /usr/sbin/iptables -X && /usr/sbin/iptables -F -t nat'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a '/usr/sbin/iptables -X -t nat'"], shell=True)
        #创建和分发docker.service
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/docker.service dest=/etc/systemd/system/docker.service force=yes'"], shell=True)
        #配置docker加速
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/daemon.json dest=/etc/docker/daemon.json force=yes'"], shell=True)
        #启动docker
        subprocess.call(["ansible test4 -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=docker state=started'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=docker enabled=yes'"],shell=True)
        #设置hairpin_mode
        subprocess.call(["ansible test4 -m shell -a 'for intf in /sys/devices/virtual/net/docker0/brif/*; do echo 1 > $intf/hairpin_mode; done'"],shell=True)
        #分发内核参数。
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kubernetes.conf dest=/etc/sysctl.d/kubernetes.conf force=yes'"], shell=True)
        #加载内核参数
        subprocess.call(["ansible test4 -m shell -a 'sysctl -p /etc/sysctl.d/kubernetes.conf'"],shell=True)
        #检查启动结果
        subprocess.call(["ansible test4 -m shell -a 'systemctl status docker'"],shell=True)
    
    def install_flanneld():
        print("部署 flannel 网络")
        #创建目录
        subprocess.call(["ansible test4 -m file -a 'path=/k8s/profile/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/opt/k8s/bin/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/etc/flanneld/cert/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/etc/kubernetes/cert/ state=directory mode=0777'"], shell=True)
        #解压、分发 flanneld 二进制文件
        subprocess.call(["ansible test4 -m unarchive -a 'src=/server/software/k8s/flannel-v0.10.0-linux-amd64.tar.gz dest=/opt/k8s/bin/'"],shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /opt/k8s/bin/*'"], shell=True)
        #将生成的证书和私钥分发到k8s4节点
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/flanneld.pem dest=/etc/flanneld/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/flanneld-key.pem dest=/etc/flanneld/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/ca.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/ca-key.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /etc/flanneld/cert/*'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /etc/kubernetes/cert/*'"], shell=True)
        #向 etcd 写入集群 Pod 网段信息    注意:本步骤只需执行一次, 需要在test1节点操作
        subprocess.call(["ansible test1 -m shell -a 'chmod +x /k8s/profile/flannel_to_etcd.sh'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'sh /k8s/profile/flannel_to_etcd.sh'"], shell=True)
        #分发flanneld.service
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/flanneld.service.template.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/flanneld.service.py dest=/k8s/profile/flanneld.service.py force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'python /k8s/profile/flanneld.service.py'"],shell=True)
        #启动flanneld
        subprocess.call(["ansible test4 -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=flanneld state=started'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=flanneld enabled=yes'"],shell=True)
        #检查启动结果
        subprocess.call(["ansible test4 -m shell -a 'systemctl status flanneld'"],shell=True)
    
    
    def install_kubelet():
        print("部署 kubelet 组件")
        os.chdir('/root/ssl/')
        #创建工作目录和日志目录
        subprocess.call(["ansible test4 -m file -a 'path=/var/lib/kubelet/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/var/log/kubernetes/ state=directory mode=0777'"], shell=True)
        #安装cni网络插件
        subprocess.call(["ansible test4 -m file -a 'path=/opt/cni/bin/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/etc/cni/net.d/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m unarchive -a 'src=/server/software/k8s/cni-plugins-amd64-v0.7.1.tgz dest=/opt/cni/bin/'"],shell=True)
        #配置admin-config
        subprocess.call(["ansible test4 -m file -a 'path=/root/.kube/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/admin.conf dest=/root/.kube/config force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /root/.kube/*'"], shell=True)
        #配置kubectl工具
        subprocess.call(["ansible test4 -m copy -a 'src=/opt/k8s/bin/kubectl dest=/usr/local/bin/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /usr/local/bin/kubectl'"], shell=True)
        #配置kubeadm工具, 注意:在test1上操作
        subprocess.call(["ansible test1 -m copy -a 'src=/opt/k8s/bin/kubeadm dest=/usr/local/bin/ force=yes'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'chmod +x /usr/local/bin/kubeadm'"], shell=True)
        #配置 bootstrap RBAC 权限
        subprocess.call(["kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers"],shell=True)
        #创建 kubelet bootstrap kubeconfig 文件,包含创建token
        subprocess.call(["ansible test1 -m shell -a 'chmod +x /k8s/profile/bootstrap-kubeconfig.sh'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'sh /k8s/profile/bootstrap-kubeconfig.sh'"], shell=True)
        #分发kubelet bootstrap kubeconfig 文件到所有节点
        subprocess.call(["ansible test1 -m shell -a 'chmod +x /k8s/profile/bootstrap-copy.sh'"], shell=True)
        subprocess.call(["ansible test1 -m shell -a 'sh /k8s/profile/bootstrap-copy.sh'"], shell=True)
        #查看 kubeadm 为各节点创建的 token;之前好好的,后来查看报错
        #subprocess.call(["ansible test1 -m shell -a 'kubeadm token list --kubeconfig ~/.kube/config'"], shell=True)
        #分发ca证书到worker 节点
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/ca.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        #创建 kubelet 参数配置文件
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kubelet.config.json.template.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kubelet.config.json.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'python /k8s/profile/kubelet.config.json.py'"],shell=True)
        #分发kubelet二进制文件
        subprocess.call(["time ansible test4 -m copy -a 'src=/opt/k8s/bin/kubelet dest=/opt/k8s/bin/ force=yes'"], shell=True)
        subprocess.call(["time ansible test4 -m shell -a 'chmod +x /opt/k8s/bin/kubelet'"], shell=True)
        #创建和分发kubelet启动文件
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kubelet.service.template.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kubelet.service.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'python /k8s/profile/kubelet.service.py'"],shell=True)
        #启动 kubelet 服务
        subprocess.call(["ansible test4 -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=kubelet state=started'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=kubelet enabled=yes'"],shell=True)
        #检查启动结果
        subprocess.call(["ansible test4 -m shell -a 'systemctl status kubelet'"],shell=True)
        #创建apiserver到kubelet的权限,就是给kubernetes用户rbac授权,其实安装apiserver时候做过这一步了
        #subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/apiserver-to-kubelet.yaml dest=/k8s/profile/apiserver-to-kubelet.yaml force=yes'"], shell=True)
        #subprocess.call(["ansible test4 -m shell -a 'kubectl create /k8s/profile/apiserver-to-kubelet.yaml'"],shell=True)
    
    def approve_csr():
        print("自动 approve CSR 请求")
        subprocess.call(["time ansible test4 -m copy -a 'src=/k8s/profile/csr-crb.yaml dest=/k8s/profile/csr-crb.yaml force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'kubectl apply -f /k8s/profile/csr-crb.yaml'"],shell=True)
        #等待一段时间(1-10 分钟),所有节点的 CSR 都被自动 approve;看了下时间,这次刚好等了10分钟
        subprocess.call(["ansible test4 -m shell -a 'sleep 300s'"],shell=True)
        #查看csr
        subprocess.call(["ansible test4 -m shell -a 'kubectl get csr'"],shell=True)
        #所有节点均 ready
        subprocess.call(["ansible test4 -m shell -a 'kubectl get nodes'"],shell=True)
        #设置集群角色
        test4=subprocess.check_output(["kubectl get nodes | grep test4 | awk '{print $1}'"], shell=True)
        test4=test4.decode('utf8').strip()
        subprocess.call(['kubectl','label','nodes',test4,'node-role.kubernetes.io/node='])
        #查看kube-controller-manager 为各 node 生成了 kubeconfig 文件和公私钥
        subprocess.call(["ansible test4 -m shell -a 'ls -l /etc/kubernetes/kubelet.kubeconfig'"],shell=True)
        subprocess.call(["ansible test4 -m shell -a 'ls -l /etc/kubernetes/cert/|grep kubelet'"],shell=True)
        #查看kubelet 提供的 API 接口
        subprocess.call(["ansible test4 -m shell -a 'yum install net-tools -y'"],shell=True)
        subprocess.call(["ansible test4 -m shell -a 'netstat -lnpt|grep kubelet'"],shell=True)
    
    def install_kube_proxy():
        print("部署 kube-proxy 组件")
        #创建工作目录和日志目录
        subprocess.call(["ansible test4 -m file -a 'path=/var/lib/kube-proxy/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/var/log/kubernetes/ state=directory mode=0777'"], shell=True)
        subprocess.call(["ansible test4 -m file -a 'path=/var/log/kubernetes/ owner=k8s group=k8s mode=0777'"], shell=True)
        #安装依赖包
        subprocess.call(["ansible test4 -m shell -a 'yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp'"], shell=True)
        #加载 ip_vs 内核模块
        subprocess.call(["ansible test4 -m shell -a 'iptables -P FORWARD ACCEPT'"], shell=True)
        subprocess.call(["time ansible test4 -m copy -a 'src=/k8s/profile/k8s.conf dest=/etc/sysctl.d/k8s.conf force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'sysctl --system'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_rr'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_wrr'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe ip_vs_sh'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'modprobe nf_conntrack_ipv4'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'lsmod | grep ip_vs'"], shell=True)
        #创建 kube-proxy 证书和私钥
        os.chdir('/root/ssl/')
        subprocess.call(["cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy"], shell=True)
        #将生成的证书和私钥分发到test4节点
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/kube-proxy.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/kube-proxy-key.pem dest=/etc/kubernetes/cert/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /etc/kubernetes/cert/'"], shell=True)
        #创建和分发 kubeconfig 文件
        subprocess.call(["kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.0.235:8443 --kubeconfig=kube-proxy.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-credentials system:kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig"], shell=True)
        subprocess.call(["kubectl config set-context system:kube-proxy --cluster=kubernetes --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig"], shell=True)
        subprocess.call(["kubectl config use-context system:kube-proxy --kubeconfig=kube-proxy.kubeconfig"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/root/ssl/kube-proxy.kubeconfig dest=/etc/kubernetes/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'chmod +x /etc/kubernetes/*'"], shell=True)
        #创建 kube-proxy 配置文件
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kube-proxy.config.yaml.template.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kube-proxy.config.yaml.py dest=/k8s/profile/ force=yes'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'python /k8s/profile/kube-proxy.config.yaml.py'"],shell=True)
        #分发kube-proxy二进制文件
        subprocess.call(["time ansible test4 -m copy -a 'src=/opt/k8s/bin/kube-proxy dest=/opt/k8s/bin/ force=yes'"], shell=True)
        subprocess.call(["time ansible test4 -m shell -a 'chmod +x /opt/k8s/bin/kube-proxy'"], shell=True)
        #创建和分发kube-proxy.service
        subprocess.call(["ansible test4 -m copy -a 'src=/k8s/profile/kube-proxy.service dest=/etc/systemd/system/kube-proxy.service force=yes'"], shell=True)
        #启动kube-proxy 服务
        subprocess.call(["ansible test4 -m shell -a 'systemctl daemon-reload'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=kube-proxy state=started'"],shell=True)
        subprocess.call(["ansible test4 -m service -a 'name=kube-proxy enabled=yes'"],shell=True)
        #检查 kube-proxy 运行状态
        subprocess.call(["time ansible test4 -m shell -a 'systemctl status kube-proxy'"],shell=True)
    
    def install_coredns():
        print("安装coredns")
        subprocess.call(["ansible test4 -m shell -a 'yum install -y jq'"], shell=True)
        #通过playbook安装coredns,在playbook中定义了通过kubectl安装coredns;playbook中定义了安装在test4节点上
        subprocess.call(["ansible-playbook /k8s/profile/deploy_coredns.yaml"], shell=True)
        #等(1-10)分钟查看coredns pod
        subprocess.call(["ansible test4 -m shell -a 'sleep 60s'"], shell=True)
        subprocess.call(["ansible test4 -m shell -a 'kubectl get pod -n kube-system'"], shell=True)
        #测试coredns请参照https://www.cnblogs.com/effortsing/p/10312081.html 最后部分
    
    def func_list():
        #install_cfssl()
        #create_root_ca()
        #distribute_kubectl()
        #create_admin_ca()
        #create_admin_kubeconfig()
        #install_etcd_cluster()
        #install_haproxy()
        #install_keepalived()
        #kube_apiserver()
        #kube_controller_manager()
        #install_kube_scheduler()
        #下面开始单独安装worker节点,worker节点地址:192.168.0.94
        #environmental_configuration()
        install_docker()
        #install_flanneld()
        #install_kubelet()
        #approve_csr()
        #install_kube_proxy()
        #install_coredns()
    def main():
        func_list()
    if __name__ == '__main__':
        main()
  • 相关阅读:
    ArcGIS 10与ArcEngine 10安装及破解
    SQL Server:触发器详解
    sql事务(Transaction)用法介绍及回滚实例
    Brief Tour of the Standard Library
    Python Scopes and Namespaces
    Saving structured data with json
    Packages
    “Compiled” Python files
    Executing modules as scripts
    More on Conditions
  • 原文地址:https://www.cnblogs.com/effortsing/p/10360285.html
Copyright © 2020-2023  润新知