• k8s之二进制部署


    一、安装环境

    角色  服务器地址   组件
    master 192.168.174.140

    kube-apiserver,kube-controller-manager,kube-scheduler

    etcd

    node 192.168.174.151 kube-proxy,flannel,kubelet,docker,etcd
    node 192.168.174.190 kube-proxy,flannel,kubelet,docker,etcd

    二、安装步骤

    1、安装cfssl工具

      在其中一台安装即可,用来生成签署各组件的证书。

      

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

    2、部署etcd集群

    生成三个文件:ca-config.json, ca-csr.json, server-csr.json

    # cat ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "www": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    
    
    # cat ca-csr.json
    {
        "CN": "etcd CA",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing"
            }
        ]
    }
    
    # cat server-csr.json
    {
        "CN": "etcd",
        "hosts": [
        "192.168.174.140",
        "192.168.174.151,
        "192.168.174.190"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing"
            }
        ]
    }
    

     生成证书文件:

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
    # ls *pem
    ca-key.pem  ca.pem  server-key.pem  server.pem
    

     下载etcd:

      二进制包下载地址:https://github.com/coreos/etcd/releases/tag/v3.2.12

    mkdir /opt/etcd/{bin,cfg,ssl} -p
    tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
    mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

     创建etcd配置文件:

      这里的配置文件,除了节点名,服务器当前IP不同,其他都相同,在其他节点进行相同的操作。

    # cat /opt/etcd/cfg/etcd   
    #[Member]
    ETCD_NAME="etcd01"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.174.140:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.174.140:2379"
    
    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.174.140:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.174.140:2379"
    ETCD_INITIAL_CLUSTER="etcd01=https://192.168.174.140:2380,etcd02=https://192.168.174.151:2380,etcd03=https://192.168.174.190:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"

    以下是各选项的说明:

    ETCD_NAME 节点名称
    ETCD_DATA_DIR 数据目录
    ETCD_LISTEN_PEER_URLS 集群通信监听地址
    ETCD_LISTEN_CLIENT_URLS 客户端访问监听地址
    ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址
    ETCD_ADVERTISE_CLIENT_URLS 客户端通告地址
    ETCD_INITIAL_CLUSTER 集群节点地址
    ETCD_INITIAL_CLUSTER_TOKEN 集群Token
    ETCD_INITIAL_CLUSTER_STATE 加入集群的当前状态,new是新集群,existing表示加入已有集群

     

      配置etcd启动文件:

    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=notify
    EnvironmentFile=/opt/etcd/cfg/etcd
    ExecStart=/opt/etcd/bin/etcd 
    --name=${ETCD_NAME} 
    --data-dir=${ETCD_DATA_DIR} 
    --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} 
    --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 
    --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} 
    --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} 
    --initial-cluster=${ETCD_INITIAL_CLUSTER} 
    --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} 
    --initial-cluster-state=new 
    --cert-file=/opt/etcd/ssl/server.pem 
    --key-file=/opt/etcd/ssl/server-key.pem 
    --peer-cert-file=/opt/etcd/ssl/server.pem 
    --peer-key-file=/opt/etcd/ssl/server-key.pem 
    --trusted-ca-file=/opt/etcd/ssl/ca.pem 
    --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
    Restart=on-failure
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    View Code

     把刚才证书移动到ssl目录下:

    cp ca*pem server*pem /opt/etcd/ssl
    

     在3个节点都进行以上部署etcd集群的操作。

     启动etcd集群。

    # systemctl start etcd
    # systemctl enable etcd
    

      集群健康状态检查。

     /opt/etcd/bin/etcdctl 
    --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem 
    --endpoints="https://192.168.174.140:2379,https://192.168.174.151:2379,https://192.168.174.190:2379" 
    cluster-health

      出现以下输出就说明集群是健康的。

     至此,etcd集群安装成功。

    3、在node节点安装docker组件

    # yum install -y yum-utils device-mapper-persistent-data lvm2
    # yum-config-manager 
        --add-repo 
        https://download.docker.com/linux/centos/docker-ce.repo
    # yum install docker-ce -y
    # curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://bc437cce.m.daocloud.io
    # systemctl start docker
    # systemctl enable docker
    

     4、安装flannel组件 

     Falnnel要用etcd存储自身一个子网信息,所以要保证能成功连接Etcd,写入预定义子网段:

    /opt/etcd/bin/etcdctl 
    --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem 
    --endpoints="https://192.168.174.140:2379,https://192.168.174.151:2379,https://192.168.174.190:2379" 
    set /coreos.com/network/config  '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

     以下操作在所有的node节点上运行:

    # wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
    # tar zxvf flannel-v0.9.1-linux-amd64.tar.gz
    # cp flanneld mk-docker-opts.sh /usr/bin
    # cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/

     flannel配置文件:

     cat /opt/kubernetes/cfg/flanneld:

    FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.174.140:2379,https://192.168.174.151:2379,https://192.168.174.190:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem"

     配置flannel启动文件:

    # cat /usr/lib/systemd/system/flanneld.service
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network-online.target network.target
    Before=docker.service
    
    [Service]
    Type=notify
    EnvironmentFile=/opt/kubernetes/cfg/flanneld
    ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
    ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

     配置docker启动文件,用来指定和flannel同网段:

    # cat /usr/lib/systemd/system/docker.service 
    
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network-online.target firewalld.service
    Wants=network-online.target
    
    [Service]
    Type=notify
    EnvironmentFile=/run/flannel/subnet.env
    ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
    ExecReload=/bin/kill -s HUP $MAINPID
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TimeoutStartSec=0
    Delegate=yes
    KillMode=process
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    
    [Install]
    WantedBy=multi-user.target

     重启服务:

    # systemctl daemon-reload
    # systemctl start flanneld
    # systemctl enable flanneld
    # systemctl restart docker

    确保docker0与flannel.1在同一网段。 测试不同节点互通,在当前节点访问另一个Node节点docker0 IP,确保能通信。

    部署master节点组件

    # cat ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    
    # cat ca-csr.json
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }

    生成CA证书:cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    配置apiserver证书json文件

    ca server-csr.json
    {
    "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.174.140","kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] }

    生成apiserver证书:cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

    并把证书复制到/opt/kubernetes/ssl/目录下:

    mv *pem /opt/kubernetes/ssl/

    下载kubernetes组件地址:https://github.com/kubernetes/kubernetes/releases

    # mkdir /opt/kubernetes/{bin,cfg,ssl} -p
    # tar zxvf kubernetes-server-linux-amd64.tar.gz
    # cd kubernetes/server/bin
    # cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin

    创建token:

    # cat /opt/kubernetes/cfg/token.csv
    674c457d4dcf2eefe4920d7dbb6b0ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

    第一列:随机字符串,自己可生成 第二列:用户名 第三列:UID 第四列:用户组

    api-server配置文件:

    KUBE_APISERVER_OPTS="--logtostderr=true 
    --v=4 
    --etcd-servers=https://192.168.174.140:2379,https://192.168.174.151:2379,https://192.168.174.190:2379 
    --bind-address=192.168.174.140 
    --secure-port=6443 
    --advertise-address=192.168.174.140 
    --allow-privileged=true 
    --service-cluster-ip-range=10.0.0.0/24 
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction 
    --authorization-mode=RBAC,Node 
    --enable-bootstrap-token-auth 
    --token-auth-file=/opt/kubernetes/cfg/token.csv 
    --service-node-port-range=30000-50000 
    --tls-cert-file=/opt/kubernetes/ssl/server.pem  
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem 
    --client-ca-file=/opt/kubernetes/ssl/ca.pem 
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem 
    --etcd-cafile=/opt/etcd/ssl/ca.pem 
    --etcd-certfile=/opt/etcd/ssl/server.pem 
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
    
    
    参数说明:
    --logtostderr 启用日志
    ---v 日志等级
    --etcd-servers etcd集群地址
    --bind-address 监听地址
    --secure-port https安全端口
    --advertise-address 集群通告地址
    --allow-privileged 启用授权
    --service-cluster-ip-range Service虚拟IP地址段
    --enable-admission-plugins 准入控制模块
    --authorization-mode 认证授权,启用RBAC授权和节点自管理
    --enable-bootstrap-token-auth 启用TLS bootstrap功能,后面会讲到
    --token-auth-file token文件
    --service-node-port-range Service Node类型默认分配端口范围

    配置apiserver启动文件:

    # cat /usr/lib/systemd/system/kube-apiserver.service
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
    ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

    启动aip-server服务:

    # systemctl daemon-reload
    # systemctl enable kube-apiserver
    # systemctl restart kube-apiserver

    创建schduler配置文件:

    # cat /opt/kubernetes/cfg/kube-scheduler 
    
    KUBE_SCHEDULER_OPTS="--logtostderr=true 
    --v=4 
    --master=127.0.0.1:8080 
    --leader-elect"
    参数说明:
    
    --master 连接本地apiserver
    --leader-elect 当该组件启动多个时,自动选举(HA)

    schduler启动文件:

    # cat /usr/lib/systemd/system/kube-scheduler.service 
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
    ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

    启动schduler服务:

    # systemctl daemon-reload
    # systemctl enable kube-apiserver
    # systemctl restart kube-apiserver

    创建kube-controller-manager文件:

    # cat /opt/kubernetes/cfg/kube-controller-manager 
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true 
    --v=4 
    --master=127.0.0.1:8080 
    --leader-elect=true 
    --address=127.0.0.1 
    --service-cluster-ip-range=10.0.0.0/24 
    --cluster-name=kubernetes 
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem 
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  
    --root-ca-file=/opt/kubernetes/ssl/ca.pem 
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"

    创建kube-controller-manage启动文件:

    # cat /usr/lib/systemd/system/kube-controller-manager.service 
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
    ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

    启动kube-controller-manager服务:

    # systemctl daemon-reload
    # systemctl enable kube-controller-manager
    # systemctl restart kube-controller-manager

    检查集群master组件是否健康:

    部署node节点

      将hel用户绑定到系统集群角色

      注意:这里如果不同节点的话,需要创建不同的用户来管理。

    kubectl create clusterrolebinding hel 
      --clusterrole=system:node-bootstrapper 
      --user=hel

     创建kubeconfig文件:

    export KUBE_APISERVER="https://192.168.174.140:6443"
    TOKEN=674c457d4dcf2eefe4920d7dbb6b0ddc
    
    # 设置集群参数,在k8s CA证书的目录下
    kubectl config set-cluster kubernetes 
      --certificate-authority=./ca.pem 
      --embed-certs=true 
      --server=${KUBE_APISERVER} 
      --kubeconfig=hel.kubeconfig
    
    # 设置客户端认证参数
    kubectl config set-credentials hel 
      --token=${TOKEN} 
      --kubeconfig=hel.kubeconfig
    
    
    # 设置上下文参数
    kubectl config set-context default 
      --cluster=kubernetes 
      --user=hel 
      --kubeconfig=hel.kubeconfig

    kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

    创建kube-proxy证书:

    # cat kube-proxy-csr.json
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }

    生成kube-proxy证书:

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

    创建kube-proxy kubeconfig文件:

    kubectl config set-cluster kubernetes 
      --certificate-authority=./ca.pem 
      --embed-certs=true 
      --server=${KUBE_APISERVER} 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-credentials kube-proxy 
      --client-certificate=./kube-proxy.pem 
      --client-key=./kube-proxy-key.pem 
      --embed-certs=true 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-context default 
      --cluster=kubernetes 
      --user=kube-proxy 
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig


    将hel.kubeconfig  kube-proxy.kubeconfig这两个文件拷贝到Node节点/opt/kubernetes/cfg目录下

    在node节点上:

    创建kubelet配置文件:

    # cat /opt/kubernetes/cfg/kubelet
    KUBELET_OPTS="--logtostderr=true 
    --v=4 
    --hostname-override=192.168.174.151 
    --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig 
    --bootstrap-kubeconfig=/opt/kubernetes/cfg/hel.kubeconfig 
    --cert-dir=/opt/kubernetes/ssl 
    --cluster-dns=10.0.0.2 
    --cluster-domain=cluster.local. 
    --fail-swap-on=false 
    --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
    参数说明:
    
    --hostname-override 在集群中显示的主机名
    --kubeconfig 指定kubeconfig文件位置,会自动生成
    --bootstrap-kubeconfig 指定刚才生成的bootstrap.kubeconfig文件
    --cert-dir 颁发证书存放位置
    --cluster-dns 集群DNS IP,先配置上,后面会讲到
    --cluster-domain DNS域
    --fail-swap-on=false 禁止使用swap
    --pod-infra-container-image 管理Pod网络的镜像

    创建kubelet启动文件:

    # cat /usr/lib/systemd/system/kubelet.service 
    [Unit]
    Description=Kubernetes Kubelet
    After=docker.service
    Requires=docker.service
    
    [Service]
    EnvironmentFile=/opt/kubernetes/cfg/kubelet
    ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
    Restart=on-failure
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target

     启动服务:

    # systemctl daemon-reload
    # systemctl enable kubelet
    # systemctl restart kubelet

    在Master审批Node加入集群:

    启动后还没加入到集群中,需要手动允许该节点才可以。 在Master节点查看请求签名的Node:

    # kubectl get csr
    # kubectl certificate approve XXXXID
    # kubectl get node

    部署kube-proxy组件:

    创建kube-proxy配置文件:

    # cat /opt/kubernetes/cfg/kube-proxy
    KUBE_PROXY_OPTS="--logtostderr=true 
    --v=4 
    --hostname-override=192.168.174.151 
    --cluster-cidr=10.0.0.0/24 
    --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

    创建kube-proxy启动文件:

    # cat /usr/lib/systemd/system/kube-proxy.service 
    [Unit]
    Description=Kubernetes Proxy
    After=network.target
    
    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
    ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target

    启动服务:

    # systemctl daemon-reload
    # systemctl enable kube-proxy
    # systemctl restart kube-proxy

    OK,至此,k8s二进制安装已完成。

    测试是否能正常运行:

    查看集群节点状态:

     说明集群创建成功。

    三、测试

    跑个nginx服务,测试是否能生成pod并正常被访问:

    kubectl run nginx-deploy --image=nginx --port=80 --replicas=1

     

     

  • 相关阅读:
    k8s 1.20.x版本NFS动态存储配置
    移动互联安全扩展要求(一)安全物理环境
    云计算安全扩展要求(四)安全区域边界
    安全管理机构(二)人员配备
    安全管理机构(三)授权和审批
    移动互联安全扩展要求(五)安全运维管理
    工业控制系统安全扩展要求(二)安全通信网络
    CentOS搭建Git服务器及权限管理
    LAB10:节点健康状态
    物联网安全扩展要求(三)安全计算环境
  • 原文地址:https://www.cnblogs.com/hel7512/p/13064603.html
Copyright © 2020-2023  润新知