• 二进制搭建kubernetes多master集群【二、配置flannel网络】


    上一篇我们已经搭建etcd高可用集群,参考:二进制搭建kubernetes多master集群【一、使用TLS证书搭建etcd集群】

    此文将搭建flannel网络,目的使跨主机的docker能够互相通信,也是保障kubernetes集群的网络基础和保障,下面正式开始配置。

    一、生成Flannel网络TLS证书

    所有集群节点都安装Flannel下面的操作在k8s-master1上进行,其他节点重复执行即可。(证书生成一次就行)

    1、创建证书签名请求

    cat > flanneld-csr.json <<EOF
    {
      "CN": "flanneld",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "4Paradigm"
        }
      ]
    }
    EOF
    • 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;

    生成证书和私钥:

    cfssl gencert -ca=/etc/kubernetes/cert/ca.pem 
      -ca-key=/etc/kubernetes/cert/ca-key.pem 
      -config=/etc/kubernetes/cert/ca-config.json 
      -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld

    2、将证书分发到所有集群节点/etc/kubernetes/cert/目录下

    scp flanneld*.pem k8s-master1:/etc/kubernetes/cert/
    scp flanneld*.pem k8s-master2:/etc/kubernetes/cert/
    scp flanneld*.pem k8s-master3:/etc/kubernetes/cert/
    scp flanneld*.pem k8s-node1:/etc/kubernetes/cert/
    scp flanneld*.pem k8s-node2:/etc/kubernetes/cert/
    scp flanneld*.pem k8s-node3:/etc/kubernetes/cert/

    二、部署 Flannel

    1、下载安装Flannel

    wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
    tar -xzvf flannel-v0.10.0-linux-amd64.tar.gz
    cp {flanneld,mk-docker-opts.sh} /usr/local/bin

    2、向 etcd 写入网段信息

    下面2条命令在etcd集群中任意一台执行一次即可,也是是创建一个flannel网段供docker分配使用

    [root@etcd1 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem mkdir /kubernetes/network
    [root@etcd1 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem mk /kubernetes/network/config '{"Network":"172.30.0.0/16","SubnetLen":24,"Backend":{"Type":"vxlan"}}'

    3、创建system unit文件

    [root@k8s-master1 ssl]# cat > /etc/systemd/system/flanneld.service << EOF
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network.target
    After=network-online.target
    Wants=network-online.target
    After=etcd.service
    Before=docker.service
    
    [Service]
    Type=notify
    ExecStart=/usr/local/bin/flanneld 
      -etcd-cafile=/etc/kubernetes/cert/ca.pem 
      -etcd-certfile=/etc/kubernetes/cert/flanneld.pem 
      -etcd-keyfile=/etc/kubernetes/cert/flanneld-key.pem 
      -etcd-endpoints=https://192.168.80.4:2379,https://192.168.80.5:2379,https://192.168.80.6:2379 
      -etcd-prefix=/kubernetes/network
    ExecStartPost=/usr/local/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    RequiredBy=docker.service
    EOF

    mk-docker-opts.sh 脚本将分配给 flanneld 的 Pod 子网网段信息写入到 /run/flannel/docker 文件中,后续 docker 启动时使用这个文件中参数值设置 docker0 网桥。

    flanneld 使用系统缺省路由所在的接口和其它节点通信,对于有多个网络接口的机器(如,内网和公网),可以用 -iface=enpxx 选项值指定通信接口。

    4、启动flannel并且设置开机自启动
    systemctl daemon-reload
    systemctl enable flanneld
    systemctl start flanneld

    5、查看flannel分配的子网信息

    [root@k8s-master1 ~]# cat /run/flannel/docker 
    DOCKER_OPT_BIP="--bip=172.30.94.1/24"
    DOCKER_OPT_IPMASQ="--ip-masq=true"
    DOCKER_OPT_MTU="--mtu=1450"
    DOCKER_NETWORK_OPTIONS=" --bip=172.30.94.1/24 --ip-masq=true --mtu=1450"
    
    [root@k8s-master1 ~]# cat /run/flannel/subnet.env 
    FLANNEL_NETWORK=172.30.0.0/16
    FLANNEL_SUBNET=172.30.94.1/24
    FLANNEL_MTU=1450
    FLANNEL_IPMASQ=false
    /run/flannel/docker是flannel分配给docker的子网信息,/run/flannel/subnet.env包含了flannel整个大网段以及在此节点上的子网段。

    6、查看flannel网络是否生效

    [root@k8s-master1 ~]# ifconfig 
    docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
            inet 172.30.94.1  netmask 255.255.255.0  broadcast 172.30.94.255
            inet6 fe80::42:1aff:fed2:a4b4  prefixlen 64  scopeid 0x20<link>
            ether 02:42:1a:d2:a4:b4  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 8  bytes 648 (648.0 B)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.20.210  netmask 255.255.254.0  broadcast 192.168.21.255
            inet6 fe80::ff2:187b:66fc:621b  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:c3:dc:a5  txqueuelen 1000  (Ethernet)
            RX packets 3965867  bytes 619350597 (590.6 MiB)
            RX errors 0  dropped 583  overruns 0  frame 0
            TX packets 3159970  bytes 390102190 (372.0 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
            inet 172.30.94.0  netmask 255.255.255.255  broadcast 0.0.0.0
            inet6 fe80::7827:fcff:fe4e:b5ff  prefixlen 64  scopeid 0x20<link>
            ether 7a:27:fc:4e:b5:ff  txqueuelen 0  (Ethernet)
            RX packets 0  bytes 0 (0.0 B)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 0  bytes 0 (0.0 B)
            TX errors 0  dropped 8 overruns 0  carrier 0  collisions 0

    可以明显看到flannel1.1的网络信息,说明flannel网络已经正常。

    三、配置docker支持flannel网络

    1、所有node安装docker

    关于安装docker,请参考:安装指定版本的docker

    2、配置docker支持flannel网络,所有docker节点都操作

    [root@k8s-master1 ~]# vi /etc/systemd/system/multi-user.target.wants/docker.service
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network-online.target firewalld.service
    Wants=network-online.target
    
    [Service]
    Type=notify
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    EnvironmentFile=/run/flannel/docker
    ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
    ExecReload=/bin/kill -s HUP $MAINPID
    # Having non-zero Limit*s causes performance problems due to accounting overhead
    # in the kernel. We recommend using cgroups to do container-local accounting.
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    # Uncomment TasksMax if your systemd version supports it.
    # Only systemd 226 and above support this version.
    #TasksMax=infinity
    TimeoutStartSec=0
    # set delegate yes so that systemd does not reset the cgroups of docker containers
    Delegate=yes
    # kill only the docker process, not all processes in the cgroup
    KillMode=process
    # restart the docker process if it exits prematurely
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    
    [Install]
    WantedBy=multi-user.target

    如上红色即为新增加支持flannel网络的配置

    3、重启docker,使配置生效

    systemctl daemon-reload
    systemctl restart docker

    4、查看docker网络是否生效

    i、启动一个容器(如有现有容器可以不run一个新的)
    [root@k8s-master1 ~]# docker run -itd centos
    d63ee9c72b5023fgfg36ld93j6723hd72jd1hsp2303kf7
    ii、查看ip地址是否是flannel网络分配的网段
    [root@k8s-master1 ~]# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' d63
    172.30.94.2

    5、查看所有集群主机的网络情况

    [root@etcd1 cert]# etcdctl --ca-file=/etc/kubernetes/cert/ca.pem --cert-file=/etc/kubernetes/cert/etcd.pem --key-file=/etc/kubernetes/cert/etcd-key.pem ls /kubernetes/network/subnets
    /kubernetes/network/subnets/172.30.94.0-24
    /kubernetes/network/subnets/172.30.51.0-24
    /kubernetes/network/subnets/172.30.10.0-24
    /kubernetes/network/subnets/172.30.92.0-24
    /kubernetes/network/subnets/172.30.85.0-24
    /kubernetes/network/subnets/172.30.89.0-24

    发现容器使用了172.30.94.0/24网段。属于flannel,配置完成。

    下一篇将部署二进制搭建kubernetes多master集群【三、配置k8s master及高可用】

  • 相关阅读:
    第一次系统实践作业
    第03组 Beta版本演示
    第03组 Beta冲刺(4/4)
    第03组 Beta冲刺(3/4)
    第03组 Beta冲刺(2/4)
    第03组 Beta冲刺(1/4)
    Java程序(文件操作)
    Java程序(事件监听与计算机界面)
    Java(个人信息显示界面)
    Java(学生成绩管理)
  • 原文地址:https://www.cnblogs.com/harlanzhang/p/10118214.html
Copyright © 2020-2023  润新知