• k8s-离线安装k8s


    1.开始

    目标

    coreos的igniton.json有很强的可配置性,通过安装时指定集群配置的ignition.json,

    安装完成后打开https://{{Master_IP}}:6443/ui直接访问k8s集群。

     

    背景

    coreos的官网有一篇裸机安装coreos并部署k8s的教程,CoreOS + Kubernetes Step By Step

    请确保已阅,下图是在ignition.json中配置的实际流程。

    服务

    说明

    HTTP Server

    提供aci镜像下载,以及其他文件下载

    TimeZone.Service

    将时区设置为上海

    Registry.Service

    在rkt容器中运行,docker镜像服务,供整个集群下载k8s镜像

    ETCD.Service

    在rkt容器中运行,集群发现服务

    Flannel.Service

    在rkt容器中运行,为docker容器设置网络

    Docker.Service

     

    Kubelet.Service

    在rkt容器中运行,K8S的基础服务kubelet

    kubelet-gac.Service

    为K8S基础服务预缓存镜像gcr.io/google_containers

    kubelet-ssl.Service

    为K8S制作证书

    kubelet-kubectl.Service

    为K8S的Master节点安装kubectl工具

    kubelet-addon.Service

    为K8S集群安装dns,dashboard,heapster等服务

    2.部署

    准备http服务器

    http://192.168.3.235/k8s

    文件

    说明

    ./registry-2.6.1.tgz

    registry-2.6.1.aci

    ./etcd-v3.2.0.tgz

    etcd-v3.2.0.aci

    ./flannel-v0.7.1.tgz

    flannel-v0.7.1.aci

    ./hyperkube-v1.7.3.tgz

    hyperkube-v1.7.3.aci

    ./registry-data-v1.7.3.tgz

    ./registry/data(pause,hyperkube,dns,dashboard,heapster)

    ./kubectl-v1.7.0.tgz

    kubectl-v1.7.0

    aci , rkt的标准镜像,coreos启动时把aci镜像下载到本地,这样不需要请求镜像服务即可运行服务;

    registry-data , 在互联网环境下预下载好安装k8s所需镜像,然后将registry/data导出,服务器下载后,待registry服务启动将能提供k8s镜像给集群内节点下载;

    kubectl , kubectl工具目前是1.7.0版本

     

    准备pem格式根证书

    文件

    示例

    ./ca.key

    -----BEGIN RSA PRIVATE KEY-----

    MIIEpAIBAAKCAQEA4dafEVttwUB7eXofPzmpdmR533+Imn0KuMg4XhtB0sdyjKFf

    PaDJxByNh84ysmAfuadDgcXNrF/8fDupIA0wf2qGLDlttahr2DA7Ug==

    -----END RSA PRIVATE KEY-----

    ./ca.pem

    -----BEGIN CERTIFICATE-----

    MIIC+TCCAeECCQDjC0MVaVasEjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdr

    RousxpNr1QvU6EwLupKYZc006snlVh4//r9QNjh5QRxRhl71XafR1S3pamBo

    -----END CERTIFICATE-----

    $ openssl genrsa -out ca.key 2048

    $ openssl req -x509 -new -nodes -key ca.key -days 36500 -out ca.pem -subj "/CN=kube-ca"

         

     

    CoreOS分配IP

    Match : eth0

    DNS : 192.168.3.1

    Gateway : 192.168.3.1

    节点

    IP

    HOSTNAME

    Worker

    192.168.3.101

    systech01

    Master

    192.168.3.102

    systech02

    Worker

    192.168.3.103

    systech03

     

    master.yml模版

    参数

    示例

    {{ MASTER_HOSTNAME }}

    systech01

    {{ MASTER_IP }}

    192.168.3.102

    {{ ETCD_CLUSTER }}

    systech01=http://192.168.3.101:2380,systech02=http://192.168.3.102:2380,systech03=http://192.168.3.103:2380

    {{ CA_KEY }}

    -----BEGIN RSA PRIVATE KEY-----

    MIIEpAIBAAKCAQEA4dafEVttwUB7eXofPzmpdmR533+Imn0KuMg4XhtB0sdyjKFf

    PaDJxByNh84ysmAfuadDgcXNrF/8fDupIA0wf2qGLDlttahr2DA7Ug==

    -----END RSA PRIVATE KEY-----

    {{ CA_PEM }}

    -----BEGIN CERTIFICATE-----

    MIIC+TCCAeECCQDjC0MVaVasEjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdr

    RousxpNr1QvU6EwLupKYZc006snlVh4//r9QNjh5QRxRhl71XafR1S3pamBo

    -----END CERTIFICATE-----

    {{ NETWORK_MATCH }}

    eth0

    {{ NETWORK_DNS }}

    192.168.3.1

    {{ NETWORK_GATEWAY }}

    192.168.3.1

    {{ HTTP_SERVER_LOCAL }}

    http://192.168.3.235/k8s

    passwd:
      users:           
        - name: "root"
          password_hash: "$1$maTXmv6V$4UuGlRDpBZtipAhlPZ2/J0"
    update:
      group:  "stable"
      server: "https://public.update.core-os.net/v1/update/"
    locksmith:
      reboot_strategy: "etcd-lock"
      window_start:    "Sun 1:00"
      window_length:   "2h"              
    storage:
      files:
      - filesystem: "root"
        path:       "/etc/hostname"
        mode:       0644
        contents:
          inline: {{ MASTER_HOSTNAME }}
      - filesystem: "root"
        path:       "/etc/hosts"
        mode:       0644
        contents:
          inline: |
            127.0.0.1	localhost
            127.0.0.1 {{ MASTER_HOSTNAME }}
            {{ MASTER_IP }} reg.local    
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/registry.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/registry.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/registry-2.6.1.tgz > /etc/kubernetes/downloads/registry-2.6.1.tgz
            curl $HTTP_SERVER/registry-data-v1.7.3.tgz > /etc/kubernetes/downloads/registry-data-v1.7.3.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/registry-2.6.1.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/registry-data-v1.7.3.tgz
            mkdir -p /home/docker/registry
            mv -n /etc/kubernetes/downloads/data /home/docker/registry/data
    
            touch $KUBELET_SESSION/registry.session     
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet-gac.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet-gac.session ]]; then
              exit 0
            fi
    
                    docker pull reg.local:5000/k8s/pause-amd64:3.0
            docker tag reg.local:5000/k8s/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0
            docker rmi reg.local:5000/k8s/pause-amd64:3.0
                    
    
            touch $KUBELET_SESSION/kubelet-gac.session             
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/etcd3.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/etcd3.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/etcd-v3.2.0.tgz > /etc/kubernetes/downloads/etcd-v3.2.0.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/etcd-v3.2.0.tgz
    
            touch $KUBELET_SESSION/etcd3.session        
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/flannel.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/flannel.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/flannel-v0.7.1.tgz > /etc/kubernetes/downloads/flannel-v0.7.1.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/flannel-v0.7.1.tgz
    
            touch $KUBELET_SESSION/flannel.session      
      - filesystem: "root"
        path:       "/etc/kubernetes/cni/net.d/10-flannel.conf"
        mode:       0755
        contents:
          inline: |
            {
              "name": "podnet",
              "type": "flannel",
              "delegate": {
                  "isDefaultGateway": true
              }
            }               
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/hyperkube-v1.7.3.tgz > /etc/kubernetes/downloads/hyperkube-v1.7.3.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/hyperkube-v1.7.3.tgz
    
            touch $KUBELET_SESSION/kubelet.session
      - filesystem: "root"
        path:       "/etc/kubernetes/manifests/kube-apiserver.yaml"
        mode:       0644
        contents:
          inline: |
            apiVersion: v1
            kind: Pod
            metadata:
              name: kube-apiserver
              namespace: kube-system
            spec:
              hostNetwork: true
              containers:
              - name: kube-apiserver
                image: reg.local:5000/k8s/hyperkube:v1.7.3
                command:
                - /hyperkube
                - apiserver
                - --bind-address=0.0.0.0
                - --etcd-servers=http://{{ MASTER_IP }}:2379
                - --allow-privileged=true
                - --service-cluster-ip-range=10.3.0.0/24
                - --service-node-port-range=0-32767
                - --secure-port=6443
                - --advertise-address={{ MASTER_IP }}
                - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota
                - --authorization-mode=RBAC
                - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
                - --tls-private-key-file=/etc/kubernetes/ssl/apiserver.key
                - --client-ca-file=/etc/kubernetes/ssl/ca.pem
                - --service-account-key-file=/etc/kubernetes/ssl/apiserver.key
                - --basic-auth-file=/etc/kubernetes/ssl/admin.csv
                - --anonymous-auth=false
                - --runtime-config=extensions/v1beta1=true,extensions/v1beta1/networkpolicies=true,rbac.authorization.k8s.io/v1beta1=true
                ports:
                - containerPort: 6443
                  hostPort: 6443
                  name: https
                - containerPort: 8080
                  hostPort: 8080
                  name: local
                volumeMounts:
                - mountPath: /etc/kubernetes/ssl
                  name: ssl-certs-kubernetes
                  readOnly: true
                - mountPath: /etc/ssl/certs
                  name: ssl-certs-host
                  readOnly: true
              volumes:
              - hostPath:
                  path: /etc/kubernetes/ssl
                name: ssl-certs-kubernetes
              - hostPath:
                  path: /usr/share/ca-certificates
                name: ssl-certs-host    
      - filesystem: "root"
        path:       "/etc/kubernetes/manifests/kube-proxy.yaml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: Pod
            metadata:
              name: kube-proxy
              namespace: kube-system
            spec:
              hostNetwork: true
              containers:
              - name: kube-proxy
                image: reg.local:5000/k8s/hyperkube:v1.7.3
                command:
                - /hyperkube
                - proxy
                - --master=http://127.0.0.1:8080
                securityContext:
                  privileged: true
                volumeMounts:
                - mountPath: /etc/ssl/certs
                  name: ssl-certs-host
                  readOnly: true
              volumes:
              - hostPath:
                  path: /usr/share/ca-certificates
                name: ssl-certs-host       
      - filesystem: "root"
        path:       "/etc/kubernetes/manifests/kube-controller-manager.yaml"
        mode:       0644
        contents:
          inline: |
            apiVersion: v1
            kind: Pod
            metadata:
              name: kube-controller-manager
              namespace: kube-system
            spec:
              hostNetwork: true
              containers:
              - name: kube-controller-manager
                image: reg.local:5000/k8s/hyperkube:v1.7.3
                command:
                - /hyperkube
                - controller-manager
                - --master=http://127.0.0.1:8080
                - --leader-elect=true
                - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver.key
                - --root-ca-file=/etc/kubernetes/ssl/ca.pem
                resources:
                  requests:
                    cpu: 200m
                livenessProbe:
                  httpGet:
                    host: 127.0.0.1
                    path: /healthz
                    port: 10252
                  initialDelaySeconds: 15
                  timeoutSeconds: 15
                volumeMounts:
                - mountPath: /etc/kubernetes/ssl
                  name: ssl-certs-kubernetes
                  readOnly: true
                - mountPath: /etc/ssl/certs
                  name: ssl-certs-host
                  readOnly: true
              volumes:
              - hostPath:
                  path: /etc/kubernetes/ssl
                name: ssl-certs-kubernetes
              - hostPath:
                  path: /usr/share/ca-certificates
                name: ssl-certs-host
      - filesystem: "root"
        path:       "/etc/kubernetes/manifests/kube-scheduler.yaml"
        mode:       0644
        contents:
          inline: |
            apiVersion: v1
            kind: Pod
            metadata:
              name: kube-scheduler
              namespace: kube-system
            spec:
              hostNetwork: true
              containers:
              - name: kube-scheduler
                image: reg.local:5000/k8s/hyperkube:v1.7.3
                command:
                - /hyperkube
                - scheduler
                - --master=http://127.0.0.1:8080
                - --leader-elect=true
                resources:
                  requests:
                    cpu: 100m
                livenessProbe:
                  httpGet:
                    host: 127.0.0.1
                    path: /healthz
                    port: 10251
                  initialDelaySeconds: 15
                  timeoutSeconds: 15
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/admin.csv"
        mode:       0644
        contents:
          inline: |
            58772015,admin,admin
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/ca.key"
        mode:       0644
        contents:
          inline: |
            {{ CA_KEY }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/ca.pem"
        mode:       0644
        contents:
          inline: |
            {{ CA_PEM }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/openssl-admin.cnf"
        mode:       0644
        contents:
          inline: |
            [req]
            req_extensions = v3_req
            distinguished_name = req_distinguished_name
            [req_distinguished_name]
            [ v3_req ]
            basicConstraints = CA:FALSE
            keyUsage = nonRepudiation, digitalSignature, keyEncipherment
            subjectAltName = @alt_names
            [alt_names]
            IP.1 = {{ MASTER_IP }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/openssl-apiserver.cnf"
        mode:       0644
        contents:
          inline: |
            [req]
            req_extensions = v3_req
            distinguished_name = req_distinguished_name
            [req_distinguished_name]
            [ v3_req ]
            basicConstraints = CA:FALSE
            keyUsage = nonRepudiation, digitalSignature, keyEncipherment
            subjectAltName = @alt_names
            [alt_names]
            DNS.1 = kubernetes
            DNS.2 = kubernetes.default
            DNS.3 = kubernetes.default.svc
            DNS.4 = kubernetes.default.svc.cluster.local
            IP.1 = 10.3.0.1
            IP.2 = {{ MASTER_IP }}
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet-ssl.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes/ssl    
    
            if [[ -e $KUBELET_SESSION/kubelet-ssl.session ]]; then
              exit 0 
            fi
    
            openssl genrsa -out apiserver.key 2048
            openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=apiserver/C=CN/ST=BeiJing/L=Beijing/O=k8s/OU=System" -config /etc/kubernetes/ssl/openssl-apiserver.cnf
            openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile /etc/kubernetes/ssl/openssl-apiserver.cnf
    
            openssl genrsa -out admin.key 2048 
            openssl req -new -key admin.key -out admin.csr -subj "/CN=admin/C=CN/ST=BeiJing/L=Beijing/O=system:masters/OU=System"
            openssl x509 -req -in admin.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out admin.pem -days 365
    
            touch $KUBELET_SESSION/kubelet-ssl.session
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet-kubectl.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet-kubectl.session ]]; then
              exit 0
            fi
    
            mkdir -p /opt/bin
            rm -rf /opt/bin/kubectl-v1.7.0 
            rm -rf /opt/bin/kubectl
    
            curl $HTTP_SERVER/kubectl-v1.7.0.tgz > /opt/bin/kubectl-v1.7.0.tgz
            cd /opt/bin && tar -xzf /opt/bin/kubectl-v1.7.0.tgz
            rm -rf /opt/bin/kubectl-v1.7.0.tgz
            chmod 0744 /opt/bin/kubectl-v1.7.0
            ln -s /opt/bin/kubectl-v1.7.0 /opt/bin/kubectl
    
            MASTER_HOST={{ MASTER_IP }}
            CA_CERT=/etc/kubernetes/ssl/ca.pem
            ADMIN_KEY=/etc/kubernetes/ssl/admin.key
            ADMIN_CERT=/etc/kubernetes/ssl/admin.pem
    
            /opt/bin/kubectl config set-cluster kubernetes --server=https://$MASTER_HOST:6443 --certificate-authority=$CA_CERT --embed-certs=true
            /opt/bin/kubectl config set-credentials admin --certificate-authority=$CA_CERT --client-key=$ADMIN_KEY --client-certificate=$ADMIN_CERT --embed-certs=true
            /opt/bin/kubectl config set-context kubernetes --cluster=kubernetes --user=admin
            /opt/bin/kubectl config use-context kubernetes   
    
            touch $KUBELET_SESSION/kubelet-kubectl.session
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/dns.yml"
        mode:       0644
        contents:
          inline: |
            ---
            kind: ConfigMap
            apiVersion: v1
            metadata:
              name: kube-dns
              namespace: kube-system
            data:
              stubDomains: |
                {"dex.ispacesys.cn":["{{ MASTER_IP }}"]}
              
            ---
            apiVersion: v1
            kind: Service
            metadata:
              name: kube-dns
              namespace: kube-system
              labels:
                k8s-app: kube-dns
                kubernetes.io/cluster-service: "true"
                kubernetes.io/name: "KubeDNS"
            spec:
              selector:
                k8s-app: kube-dns
              clusterIP: 10.3.0.10
              ports:
              - name: dns
                port: 53
                protocol: UDP
              - name: dns-tcp
                port: 53
                protocol: TCP
                
            ---
            apiVersion: v1
            kind: ServiceAccount
            metadata:
              name: kube-dns
              namespace: kube-system
              labels:
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
    
            ---
            kind: ClusterRoleBinding
            apiVersion: rbac.authorization.k8s.io/v1alpha1
            metadata:
              name: k8s-kube-dns
            roleRef:
              kind: ClusterRole
              name: system:kube-dns
              apiGroup: rbac.authorization.k8s.io  
            subjects:
            - kind: ServiceAccount
              name: kube-dns
              namespace: kube-system    
    
            ---
            apiVersion: v1
            kind: ReplicationController
            metadata:
              name: kube-dns
              namespace: kube-system
              labels:
                k8s-app: kube-dns
                version: "1.14.4"
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
            spec:
              replicas: 1
              selector:
                k8s-app: kube-dns
              template:
                metadata:
                  labels:
                    k8s-app: kube-dns
                  annotations:
                    scheduler.alpha.kubernetes.io/critical-pod: ''
                    scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
                spec:
                  volumes:
                  - name: kube-dns-config
                    configMap:
                      name: kube-dns
                      optional: true
                  containers:
                  - name: kubedns
                    image: reg.local:5000/k8s/k8s-dns-kube-dns-amd64:1.14.4
                    resources:
                      limits:
                        memory: 170Mi
                      requests:
                        cpu: 100m
                        memory: 70Mi
                    livenessProbe:
                      httpGet:
                        path: /healthcheck/kubedns
                        port: 10054
                        scheme: HTTP
                      initialDelaySeconds: 60
                      timeoutSeconds: 5
                      successThreshold: 1
                      failureThreshold: 5
                    readinessProbe:
                      httpGet:
                        path: /readiness
                        port: 8081
                        scheme: HTTP
                      initialDelaySeconds: 3
                      timeoutSeconds: 5
                    args:
                    - --domain=cluster.local
                    - --dns-port=10053
                    - --config-dir=/kube-dns-config
                    - --v=2
                    env:
                    - name: PROMETHEUS_PORT
                      value: "10055"
                    ports:
                    - containerPort: 10053
                      name: dns-local
                      protocol: UDP
                    - containerPort: 10053
                      name: dns-tcp-local
                      protocol: TCP
                    - containerPort: 10055
                      name: metrics
                      protocol: TCP
                    volumeMounts:
                    - name: kube-dns-config
                      mountPath: /kube-dns-config
                  - name: dnsmasq
                    image: reg.local:5000/k8s/k8s-dns-dnsmasq-nanny-amd64:1.14.4
                    livenessProbe:
                      httpGet:
                        path: /healthcheck/dnsmasq
                        port: 10054
                        scheme: HTTP
                      initialDelaySeconds: 60
                      timeoutSeconds: 5
                      successThreshold: 1
                      failureThreshold: 5
                    args:
                    - -v=2
                    - -logtostderr
                    - -configDir=/etc/k8s/dns/dnsmasq-nanny
                    - -restartDnsmasq=true
                    - --
                    - -k
                    - --cache-size=1000
                    - --log-facility=-
                    - --server=/cluster.local/127.0.0.1#10053
                    - --server=/in-addr.arpa/127.0.0.1#10053
                    - --server=/ip6.arpa/127.0.0.1#10053
                    ports:
                    - containerPort: 53
                      name: dns
                      protocol: UDP
                    - containerPort: 53
                      name: dns-tcp
                      protocol: TCP
                    resources:
                      requests:
                        cpu: 150m
                        memory: 20Mi
                    volumeMounts:
                    - name: kube-dns-config
                      mountPath: /etc/k8s/dns/dnsmasq-nanny
                  - name: sidecar
                    image: reg.local:5000/k8s/k8s-dns-sidecar-amd64:1.14.4
                    livenessProbe:
                      httpGet:
                        path: /metrics
                        port: 10054
                        scheme: HTTP
                      initialDelaySeconds: 60
                      timeoutSeconds: 5
                      successThreshold: 1
                      failureThreshold: 5
                    args:
                    - --v=2
                    - --logtostderr
                    - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,A
                    - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,A
                    ports:
                    - containerPort: 10054
                      name: metrics
                      protocol: TCP
                    resources:
                      requests:
                        memory: 20Mi
                        cpu: 10m
                  dnsPolicy: Default  
                  serviceAccountName: kube-dns
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/dashboard.yml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: ServiceAccount
            metadata:
              name: dashboard
              namespace: kube-system
    
            ---
            kind: ClusterRoleBinding
            apiVersion: rbac.authorization.k8s.io/v1alpha1
            metadata:
              name: dashboard-extended
            roleRef:
              kind: ClusterRole
              name: cluster-admin
              apiGroup: rbac.authorization.k8s.io  
            subjects:
            - kind: ServiceAccount
              name: dashboard
              namespace: kube-system
                
            ---
            apiVersion: v1
            kind: Service
            metadata:
              name: kubernetes-dashboard
              namespace: kube-system
              labels:
                k8s-app: kubernetes-dashboard
                kubernetes.io/cluster-service: "true"
            spec:
              selector:
                k8s-app: kubernetes-dashboard
              ports:
              - port: 80
                targetPort: 9090
    
            ---
            apiVersion: v1
            kind: ReplicationController
            metadata:
              name: kubernetes-dashboard
              namespace: kube-system
              labels:
                k8s-app: kubernetes-dashboard
                version: "v1.6.1"
                kubernetes.io/cluster-service: "true"
            spec:
              replicas: 1
              selector:
                k8s-app: kubernetes-dashboard
              template:
                metadata:
                  labels:
                    k8s-app: kubernetes-dashboard
                    version: "v1.6.1"
                    kubernetes.io/cluster-service: "true"
                  annotations:
                    scheduler.alpha.kubernetes.io/critical-pod: ''
                    scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
                spec:
                  serviceAccountName: dashboard
                  nodeSelector:
                    kubernetes.io/hostname: {{ MASTER_IP }}
                  containers:
                  - name: kubernetes-dashboard
                    image: reg.local:5000/k8s/kubernetes-dashboard-amd64:v1.6.1
                    resources:
                      limits:
                        cpu: 100m
                        memory: 50Mi
                      requests:
                        cpu: 100m
                        memory: 50Mi
                    ports:
                    - containerPort: 9090
                    livenessProbe:
                      httpGet:
                        path: /
                        port: 9090
                      initialDelaySeconds: 30
                      timeoutSeconds: 30
    
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/heapster.yml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: ServiceAccount
            metadata:
              name: heapster
              namespace: kube-system
    
            ---
            apiVersion: rbac.authorization.k8s.io/v1beta1
            kind: ClusterRoleBinding
            metadata:
              name: heapster
            roleRef:
              apiGroup: rbac.authorization.k8s.io
              kind: ClusterRole
              name: system:heapster
            subjects:
            - kind: ServiceAccount
              name: heapster
              namespace: kube-system
    
            ---
            kind: Service
            apiVersion: v1
            metadata:
              name: heapster
              namespace: kube-system
              labels:
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
                kubernetes.io/name: "Heapster"
            spec: 
              ports: 
                - port: 80
                  targetPort: 8082
              selector: 
                k8s-app: heapster
    
            --- 
            apiVersion: extensions/v1beta1
            kind: Deployment
            metadata:
              name: heapster
              namespace: kube-system
              labels:
                k8s-app: heapster
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
                version: v1.3.0
            spec:  
              replicas: 1
              selector:
                matchLabels:
                  k8s-app: heapster
                  version: v1.3.0
              template:
                metadata:
                  labels:
                    k8s-app: heapster
                    version: v1.3.0
                  annotations:
                    scheduler.alpha.kubernetes.io/critical-pod: ''
                spec:
                  serviceAccountName: heapster
                  containers:
                    - image: reg.local:5000/k8s/heapster-amd64:v1.3.0
                      name: heapster
                      livenessProbe:
                        httpGet:
                          path: /healthz
                          port: 8082
                          scheme: HTTP
                        initialDelaySeconds: 180
                        timeoutSeconds: 5
                      command:
                        - /heapster
                        - --source=kubernetes.summary_api:''
                        - --sink=influxdb:http://monitoring-influxdb:8086
                    - image: reg.local:5000/k8s/heapster-amd64:v1.3.0
                      name: eventer
                      command:
                        - /eventer
                        - --source=kubernetes:''
                        - --sink=influxdb:http://monitoring-influxdb:8086
                    - image: reg.local:5000/k8s/addon-resizer:1.7
                      name: heapster-nanny
                      resources:
                        limits:
                          cpu: 50m
                          memory: 93160Ki
                        requests:
                          cpu: 50m
                          memory: 93160Ki
                      env:
                        - name: MY_POD_NAME
                          valueFrom:
                            fieldRef:
                              fieldPath: metadata.name
                        - name: MY_POD_NAMESPACE
                          valueFrom:
                            fieldRef:
                              fieldPath: metadata.namespace
                      command:
                        - /pod_nanny
                        - --cpu=80m
                        - --extra-cpu=0.5m
                        - --memory=140Mi
                        - --extra-memory=4Mi
                        - --threshold=5
                        - --deployment=heapster-v1.3.0
                        - --container=heapster
                        - --poll-period=300000
                        - --estimator=exponential
                    - image: reg.local:5000/k8s/addon-resizer:1.7
                      name: eventer-nanny
                      resources:
                        limits:
                          cpu: 50m
                          memory: 93160Ki
                        requests:
                          cpu: 50m
                          memory: 93160Ki
                      env:
                        - name: MY_POD_NAME
                          valueFrom:
                            fieldRef:
                              fieldPath: metadata.name
                        - name: MY_POD_NAMESPACE
                          valueFrom:
                            fieldRef:
                              fieldPath: metadata.namespace
                      command:
                        - /pod_nanny
                        - --cpu=100m
                        - --extra-cpu=0m
                        - --memory=190Mi
                        - --extra-memory=500Ki
                        - --threshold=5
                        - --deployment=heapster-v1.3.0
                        - --container=eventer
                        - --poll-period=300000
                        - --estimator=exponential
                  tolerations:
                    - key: "CriticalAddonsOnly"
                      operator: "Exists"
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/influxdb-grafana.yml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: Service
            metadata:
              name: monitoring-grafana
              namespace: kube-system
              labels: 
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
                kubernetes.io/name: "Grafana"
            spec:
              # On production clusters, consider setting up auth for grafana, and
              # exposing Grafana either using a LoadBalancer or a public IP.
              # type: LoadBalancer
              ports: 
                - port: 80
                  targetPort: 3000
              selector: 
                k8s-app: influxGrafana
    
            ---
            apiVersion: v1
            kind: Service
            metadata:
              name: monitoring-influxdb
              namespace: kube-system
              labels: 
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
                kubernetes.io/name: "InfluxDB"
            spec: 
              ports: 
                - name: http
                  port: 8083
                  targetPort: 8083
                - name: api
                  port: 8086
                  targetPort: 8086
              selector: 
                k8s-app: influxGrafana    
    
            ---
            apiVersion: v1
            kind: ReplicationController
            metadata:
              name: monitoring-influxdb-grafana
              namespace: kube-system
              labels: 
                k8s-app: influxGrafana
                version: v4.0.2
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
            spec: 
              replicas: 1
              selector: 
                k8s-app: influxGrafana
                version: v4.0.2
              template: 
                metadata: 
                  labels: 
                    k8s-app: influxGrafana
                    version: v4.0.2
                    kubernetes.io/cluster-service: "true"
                spec: 
                  containers: 
                    - image: reg.local:5000/k8s/heapster-influxdb-amd64:v1.1.1
                      name: influxdb
                      resources:
                        # keep request = limit to keep this container in guaranteed class
                        limits:
                          cpu: 100m
                          memory: 500Mi
                        requests:
                          cpu: 100m
                          memory: 500Mi
                      ports: 
                        - containerPort: 8083
                        - containerPort: 8086
                      volumeMounts:
                      - name: influxdb-persistent-storage
                        mountPath: /data
                    - image: reg.local:5000/k8s/heapster-grafana-amd64:v4.0.2
                      name: grafana
                      env:
                      resources:
                        # keep request = limit to keep this container in guaranteed class
                        limits:
                          cpu: 100m
                          memory: 100Mi
                        requests:
                          cpu: 100m
                          memory: 100Mi
                      env:
                        # This variable is required to setup templates in Grafana.
                        - name: INFLUXDB_SERVICE_URL
                          value: http://monitoring-influxdb:8086
                          # The following env variables are required to make Grafana accessible via
                          # the kubernetes api-server proxy. On production clusters, we recommend
                          # removing these env variables, setup auth for grafana, and expose the grafana
                          # service using a LoadBalancer or a public IP.
                        - name: GF_AUTH_BASIC_ENABLED
                          value: "false"
                        - name: GF_AUTH_ANONYMOUS_ENABLED
                          value: "true"
                        - name: GF_AUTH_ANONYMOUS_ORG_ROLE
                          value: Admin
                        - name: GF_SERVER_ROOT_URL
                          value: /api/v1/proxy/namespaces/kube-system/services/monitoring-grafana/
                      volumeMounts:
                      - name: grafana-persistent-storage
                        mountPath: /var
                  volumes:
                  - name: influxdb-persistent-storage
                    emptyDir: {}
                  - name: grafana-persistent-storage
                    emptyDir: {}
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/rbac-admin.yml"
        mode:       0644
        contents:
          inline: |
            apiVersion: rbac.authorization.k8s.io/v1beta1
            kind: ClusterRoleBinding
            metadata:
              name: k8s-admin
              labels:
                kubernetes.io/cluster-service: "true"
                addonmanager.kubernetes.io/mode: Reconcile
            roleRef:
              apiGroup: rbac.authorization.k8s.io
              kind: ClusterRole
              name: cluster-admin
            subjects:
            - apiGroup: rbac.authorization.k8s.io
              kind: User
              name: admin                                                         
      - filesystem: "root"
        path:       "/etc/kubernetes/addons/rbac-mengkzhaoyun.yml"
        mode:       0644
        contents:
          inline: |
            kind: RoleBinding
            apiVersion: rbac.authorization.k8s.io/v1beta1
            metadata:
              name: k8s-mengkzhaoyun
              namespace: kube-system
            roleRef:
              kind: ClusterRole
              name: admin
              apiGroup: rbac.authorization.k8s.io
            subjects:
            - kind: User
              name: mengkzhaoyun@gmail.com
              apiGroup: rbac.authorization.k8s.io
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet-addon.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet-addon.session ]]; then
              exit 0 
            fi
    
            /opt/bin/kubectl get pods --namespace=kube-system
    
            /opt/bin/kubectl create -f /etc/kubernetes/addons/rbac-admin.yml
            /opt/bin/kubectl create -f /etc/kubernetes/addons/rbac-mengkzhaoyun.yml
    
            /opt/bin/kubectl create -f /etc/kubernetes/addons/dns.yml
            /opt/bin/kubectl create -f /etc/kubernetes/addons/dashboard.yml
            /opt/bin/kubectl create -f /etc/kubernetes/addons/heapster.yml
            /opt/bin/kubectl create -f /etc/kubernetes/addons/influxdb-grafana.yml
    
            touch $KUBELET_SESSION/kubelet-addon.session              
                  
    networkd:
      units:
      - name: 00-static.network
        contents: |
          [Match]
          Name={{ NETWORK_MATCH }}
    
          [Network]
          DNS={{ NETWORK_DNS }}
          Address={{ MASTER_IP }}/24
          Gateway={{ NETWORK_GATEWAY }}
          DHCP=no
    systemd:
      units:
      - name: "settimezone.service"
        enable: true
        contents: |
          [Unit]
          Description=time zone Asia/Shanghai
          [Service]
          ExecStart=/usr/bin/timedatectl set-timezone Asia/Shanghai
          RemainAfterExit=yes
          Type=oneshot  
          [Install]
          WantedBy=multi-user.target   
      - name: "download-registry.service"
        enable: true    
        contents: |
          [Unit]
          Description=download registry aci and data (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/registry.sh
          [Install]
          WantedBy=multi-user.target   
      - name: "registry.service"
        enable: true    
        contents: |
          [Unit]
          Description=registry (Docker Hub)
          Documentation=https://github.com/coreos/registry
          After=download-registry.service
    
          [Service]
          Environment=PATH=/opt/bin/:/usr/bin/:/usr/sbin:$PATH
    
          ExecStartPre=/usr/bin/mkdir -p /home/docker/registry/auth
          ExecStartPre=/usr/bin/mkdir -p /home/docker/registry/data
          ExecStartPre=/usr/bin/mkdir --parents /var/lib/coreos
          ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/coreos/registry-pod.uuid       
    
          ExecStart=/usr/bin/rkt run 
            --insecure-options=image 
            --uuid-file-save=/var/lib/coreos/registry-pod.uuid 
            --port=5000-tcp:5000 
            --volume auth,kind=host,source=/home/docker/registry/auth 
            --volume data,kind=host,source=/home/docker/registry/data 
            --mount volume=auth,target=/auth 
            --mount volume=data,target=/var/lib/registry 
            /etc/kubernetes/downloads/registry-2.6.1.aci 
            --name=registry 
    
          ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/coreos/registry-pod.uuid
    
          Restart=always
          RestartSec=10
          TimeoutSec=infinity
          [Install]
          WantedBy=multi-user.target        
      - name: "etcd2.service"
        enable: false    
      - name: "etcd-member.service"
        enable: false        
      - name: "download-etcd3.service"
        enable: true    
        contents: |
          [Unit]
          Description=download etcd3 aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/etcd3.sh
          [Install]
          WantedBy=multi-user.target           
      - name: "etcd3.service"
        enable: true    
        contents: |
          [Unit]
          Description=etcd (System Application Container)
          Documentation=https://github.com/coreos/etcd
          Wants=network.target
          Conflicts=etcd.service
          Conflicts=etcd2.service
          Conflicts=etcd-member.service
          After=download-etcd3.service
    
          [Service]
          Type=notify
          RestartSec=10s
          LimitNOFILE=40000
    
          ExecStartPre=/usr/bin/mkdir --parents /var/lib/coreos
          ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/coreos/etcd3-pod.uuid
          
          Environment="ETCD_IMAGE=/etc/kubernetes/downloads/etcd-v3.2.0.aci"
          Environment="ETCD_USER=etcd"        
          Environment="ETCD_DATA_DIR=/var/lib/etcd3"
          Environment="RKT_GLOBAL_ARGS=--insecure-options=image"        
          Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/coreos/etcd3-pod.uuid"
          Environment="ETCD_IMAGE_ARGS=--name=etcd"
    
          ExecStart=/usr/lib/coreos/etcd-wrapper 
            --name={{ MASTER_HOSTNAME }} 
            --initial-cluster-token=spacesystech.com 
            --initial-cluster={{ ETCD_CLUSTER }} 
            --initial-cluster-state=new 
            --advertise-client-urls=http://{{ MASTER_IP }}:2379 
            --initial-advertise-peer-urls=http://{{ MASTER_IP }}:2380 
            --listen-client-urls=http://{{ MASTER_IP }}:2379,http://127.0.0.1:2379 
            --listen-peer-urls=http://{{ MASTER_IP }}:2380
    
          ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/coreos/etcd3-pod.uuid    
    
          [Install]
          WantedBy=multi-user.target
      - name: "download-flannel.service"
        enable: true    
        contents: |
          [Unit]
          Description=download flannel aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/flannel.sh
          [Install]
          WantedBy=multi-user.target           
      - name: "flannel-docker-opts.service"
        enable: true    
        dropins:
          - name: 10-image.conf
            contents: |
              [Unit]
              After=download-flannel.service
              [Service]                                     
              Environment="FLANNEL_IMAGE=/etc/kubernetes/downloads/flannel-v0.7.1.aci"    
              Environment="RKT_GLOBAL_ARGS=--insecure-options=image"
      - name: "flanneld.service"
        enable: true    
        dropins:
          - name: 10-image.conf
            contents: |
              [Unit]
              After=etcd3.service download-flannel.service
              [Service]      
              ExecStartPre=/usr/bin/etcdctl set /spacesystech.com/network2/config '{ "Network": "10.2.0.0/16","Backend": {"Type":"vxlan"} }' 
    
              Environment="FLANNELD_IFACE={{ MASTER_IP }}"
              Environment="FLANNELD_ETCD_ENDPOINTS=http://{{ MASTER_IP }}:2379"
              Environment="FLANNELD_ETCD_PREFIX=/spacesystech.com/network2"
              Environment="FLANNEL_IMAGE=/etc/kubernetes/downloads/flannel-v0.7.1.aci"
              Environment="RKT_GLOBAL_ARGS=--insecure-options=image"
              Environment="FLANNEL_IMAGE_ARGS=--name=flannel"
      - name: "docker.service"
        enable: true    
        dropins:
          - name: 40-flannel.conf
            contents: |
              [Unit]
              Requires=flanneld.service
              After=flanneld.service
              [Service]
              Environment=DOCKER_OPT_BIP=""
              Environment=DOCKER_OPT_IPMASQ=""
          - name: 50-insecure-registry.conf
            contents: |
              [Service]
              Environment=DOCKER_OPTS='--insecure-registry="reg.local:5000" --insecure-registry="registry.ispacesys.cn:5000"'
    
      - name: "kubelet-ssl.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-ssl
          Documentation=https://kubernetes.io
          [Service]
          Type=oneshot
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/kubelet-ssl.sh
          [Install]
          WantedBy=multi-user.target
      - name: "kubelet-gac.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-gac
          Documentation=https://kubernetes.io
          Requires=docker.service
          After=docker.service
          [Service]
          Type=oneshot
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/kubelet-gac.sh
          [Install]
          WantedBy=multi-user.target      
      - name: "download-kubelet.service"
        enable: true    
        contents: |
          [Unit]
          Description=download kubelet aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/kubelet.sh
          [Install]
          WantedBy=multi-user.target            
      - name: "kubelet.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet
          Documentation=https://kubernetes.io
          After=kubelet-ssl.service kubelet-gac.service docker.service registry.service download-kubelet.service
          [Service]
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
          ExecStartPre=/usr/bin/mkdir -p /var/log/containers
          ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
    
          Environment=PATH=/opt/bin/:/usr/bin/:/usr/sbin:$PATH
          Environment=KUBELET_IMAGE=/etc/kubernetes/downloads/hyperkube-v1.7.3.aci
          Environment="RKT_GLOBAL_ARGS=--insecure-options=image" 
          Environment="RKT_OPTS=--volume modprobe,kind=host,source=/usr/sbin/modprobe 
            --mount volume=modprobe,target=/usr/sbin/modprobe 
            --volume lib-modules,kind=host,source=/lib/modules 
            --mount volume=lib-modules,target=/lib/modules 
            --uuid-file-save=/var/run/kubelet-pod.uuid 
            --volume var-log,kind=host,source=/var/log 
            --mount volume=var-log,target=/var/log 
            --volume dns,kind=host,source=/etc/resolv.conf 
            --mount volume=dns,target=/etc/resolv.conf"
    
          ExecStart=/usr/lib/coreos/kubelet-wrapper 
            --api-servers=http://127.0.0.1:8080 
            --network-plugin-dir=/etc/kubernetes/cni/net.d 
            --network-plugin= 
            --register-node=true 
            --allow-privileged=true 
            --pod-manifest-path=/etc/kubernetes/manifests 
            --hostname-override={{ MASTER_IP }} 
            --cluster-dns=10.3.0.10 
            --cluster-domain=cluster.local
    
          ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
    
          Restart=always
          RestartSec=10
          [Install]
          WantedBy=multi-user.target
      - name: "kubelet-kubectl.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-kubectl
          Documentation=https://kubernetes.io
          After=kubelet-ssl.service kubelet.service
          [Service]
          Type=oneshot
          RestartSec=20
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/kubelet-kubectl.sh
          [Install]
          WantedBy=multi-user.target            
      - name: "kubelet-addon.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-addon
          Documentation=https://kubernetes.io
          After=kubelet-kubectl
          [Service]
          Restart=on-failure
          RestartSec=10
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/kubelet-addon.sh
          [Install]
          WantedBy=multi-user.target
          WantedBy=multi-user.target
    

    woker.yml模版

    参数

    示例

    {{ WORKER_HOSTNAME }}

    systech01

    {{ WORKER_IP }}

    192.168.3.101

    {{ MASTER_IP }}

    192.168.3.102

    {{ ETCD_CLUSTER }}

    systech01=http://192.168.3.101:2380,systech02=http://192.168.3.102:2380,systech03=http://192.168.3.103:2380

    {{ CA_KEY }}

    -----BEGIN RSA PRIVATE KEY-----

    MIIEpAIBAAKCAQEA4dafEVttwUB7eXofPzmpdmR533+Imn0KuMg4XhtB0sdyjKFf

    PaDJxByNh84ysmAfuadDgcXNrF/8fDupIA0wf2qGLDlttahr2DA7Ug==

    -----END RSA PRIVATE KEY-----

    {{ CA_PEM }}

    -----BEGIN CERTIFICATE-----

    MIIC+TCCAeECCQDjC0MVaVasEjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdr

    RousxpNr1QvU6EwLupKYZc006snlVh4//r9QNjh5QRxRhl71XafR1S3pamBo

    -----END CERTIFICATE-----

    {{ NETWORK_MATCH }}

    eth0

    {{ NETWORK_DNS }}

    192.168.3.1

    {{ NETWORK_GATEWAY }}

    192.168.3.1

    {{ HTTP_SERVER_LOCAL }}

    http://192.168.3.235/k8s

      

    passwd:
      users:           
        - name: "root"
          password_hash: "$1$maTXmv6V$4UuGlRDpBZtipAhlPZ2/J0"            
    update:
      group:  "stable"
      server: "https://public.update.core-os.net/v1/update/"
    locksmith:
      reboot_strategy: "etcd-lock"
      window_start:    "Sun 1:00"
      window_length:   "2h"              
    storage:
      files:
      - filesystem: "root"
        path:       "/etc/hostname"
        mode:       0644
        contents:
          inline: {{ WORKER_HOSTNAME }}
      - filesystem: "root"
        path:       "/etc/hosts"
        mode:       0644
        contents:
          inline: |
            127.0.0.1	localhost
            127.0.0.1 {{ WORKER_HOSTNAME }}
            {{ MASTER_IP }} reg.local
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet-gac.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet-gac.session ]]; then
              exit 0
            fi
    
            docker pull reg.local:5000/k8s/pause-amd64:3.0
            docker tag reg.local:5000/k8s/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0
            docker rmi reg.local:5000/k8s/pause-amd64:3.0           
    
            touch $KUBELET_SESSION/kubelet-gac.session   
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/etcd3.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/etcd3.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/etcd-v3.2.0.tgz > /etc/kubernetes/downloads/etcd-v3.2.0.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/etcd-v3.2.0.tgz
    
            touch $KUBELET_SESSION/etcd3.session        
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/flannel.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/flannel.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/flannel-v0.7.1.tgz > /etc/kubernetes/downloads/flannel-v0.7.1.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/flannel-v0.7.1.tgz
    
            touch $KUBELET_SESSION/flannel.session      
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/kubelet.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
            HTTP_SERVER="${HTTP_SERVER:-http://192.168.3.100:8000/k8s}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes   
    
            if [[ -e $KUBELET_SESSION/kubelet.session ]]; then
              exit 0
            fi
    
            mkdir -p /etc/kubernetes/downloads
            curl $HTTP_SERVER/hyperkube-v1.7.3.tgz > /etc/kubernetes/downloads/hyperkube-v1.7.3.tgz
            cd /etc/kubernetes/downloads && tar -xzf /etc/kubernetes/downloads/hyperkube-v1.7.3.tgz
    
            touch $KUBELET_SESSION/kubelet.session
      - filesystem: "root"
        path:       "/etc/kubernetes/manifests/kube-proxy.yaml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: Pod
            metadata:
              name: kube-proxy
              namespace: kube-system
            spec:
              hostNetwork: true
              containers:
              - name: kube-proxy
                image: reg.local:5000/k8s/hyperkube:v1.7.3
                command:
                - /hyperkube
                - proxy
                - --master=https://{{ MASTER_IP }}:6443
                - --kubeconfig=/etc/kubernetes/kubeproxy-kubeconfig.yaml
                - --proxy-mode=iptables
                securityContext:
                  privileged: true
                volumeMounts:
                - mountPath: /etc/ssl/certs
                  name: "ssl-certs"
                - mountPath: /etc/kubernetes/kubeproxy-kubeconfig.yaml
                  name: "kubeconfig"
                  readOnly: true
                - mountPath: /etc/kubernetes/ssl
                  name: "etc-kube-ssl"
                  readOnly: true
                - mountPath: /var/run/dbus
                  name: dbus
                  readOnly: false
              volumes:
              - name: "ssl-certs"
                hostPath:
                  path: "/usr/share/ca-certificates"
              - name: "kubeconfig"
                hostPath:
                  path: "/etc/kubernetes/kubeproxy-kubeconfig.yaml"
              - name: "etc-kube-ssl"
                hostPath:
                  path: "/etc/kubernetes/ssl"
              - hostPath:
                  path: /var/run/dbus
                name: dbus
      - filesystem: "root"
        path:       "/etc/kubernetes/kubeproxy-kubeconfig.yaml"
        mode:       0644
        contents:
          inline: |
            apiVersion: v1
            kind: Config
            clusters:
            - name: local
              cluster:
                certificate-authority: /etc/kubernetes/ssl/ca.pem
            users:
            - name: kubelet
              user:
                client-certificate: /etc/kubernetes/ssl/kubelet.pem
                client-key: /etc/kubernetes/ssl/kubelet.key
            contexts:
            - context:
                cluster: local
                user: kubelet
              name: kubelet-context
            current-context: kubelet-context
      - filesystem: "root"
        path:       "/etc/kubernetes/kubelet-kubeconfig.yaml"
        mode:       0644
        contents:
          inline: |
            ---
            apiVersion: v1
            kind: Config
            clusters:
            - name: local
              cluster:
                certificate-authority: /etc/kubernetes/ssl/ca.pem
            users:
            - name: kubelet
              user:
                client-certificate: /etc/kubernetes/ssl/kubeproxy.pem
                client-key: /etc/kubernetes/ssl/kubeproxy.key
            contexts:
            - context:
                cluster: local
                user: kubelet
              name: kubelet-context
            current-context: kubelet-context                     
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/ca.key"
        mode:       0644
        contents:
          inline: |
            {{ CA_KEY }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/ca.pem"
        mode:       0644
        contents:
          inline: |
            {{ CA_PEM }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/openssl-kubelet.cnf"
        mode:       0644
        contents:
          inline: |
            [req]
            req_extensions = v3_req
            distinguished_name = req_distinguished_name
            [req_distinguished_name]
            [ v3_req ]
            basicConstraints = CA:FALSE
            keyUsage = nonRepudiation, digitalSignature, keyEncipherment
            subjectAltName = @alt_names
            [alt_names]
            IP.1 = {{ WORKER_IP }}
      - filesystem: "root"
        path:       "/etc/kubernetes/ssl/openssl-kubeproxy.cnf"
        mode:       0644
        contents:
          inline: |
            [req]
            req_extensions = v3_req
            distinguished_name = req_distinguished_name
            [req_distinguished_name]
            [ v3_req ]
            basicConstraints = CA:FALSE
            keyUsage = nonRepudiation, digitalSignature, keyEncipherment
            subjectAltName = @alt_names
            [alt_names]
            IP.1 = {{ WORKER_IP }}
      - filesystem: "root"
        path:       "/etc/kubernetes/scripts/ssl.sh"
        mode:       0755
        contents:
          inline: |
            #!/bin/bash 
            
            set -e 
    
            KUBELET_SESSION="${KUBELET_SESSION:-/etc/kubernetes/session}" 
    
            mkdir -p $KUBELET_SESSION
    
            cd /etc/kubernetes/ssl    
    
            if [[ -e $KUBELET_SESSION/kubelet-ssl.session ]]; then
              exit 0 
            fi
    
            openssl genrsa -out kubeproxy.key 2048
            openssl req -new -key kubeproxy.key -out kubeproxy.csr -subj "/CN=admin/C=CN/ST=BeiJing/L=Beijing/O=system:masters/OU=System" -config openssl-kubeproxy.cnf
            openssl x509 -req -in kubeproxy.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubeproxy.pem -days 365 -extensions v3_req -extfile openssl-kubeproxy.cnf
    
            openssl genrsa -out kubelet.key 2048
            openssl req -new -key kubelet.key -out kubelet.csr -subj "/CN=admin/C=CN/ST=BeiJing/L=Beijing/O=system:masters/OU=System" -config openssl-kubelet.cnf 
            openssl x509 -req -in kubelet.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out kubelet.pem -days 365 -extensions v3_req -extfile openssl-kubelet.cnf  
    
            touch $KUBELET_SESSION/kubelet-ssl.session
    networkd:
      units:
      - name: 00-static.network
        contents: |
          [Match]
          Name={{ NETWORK_MATCH }}
    
          [Network]
          DNS={{ NETWORK_DNS }}
          Address={{ WORKER_IP }}/24
          Gateway={{ NETWORK_GATEWAY }}
          DHCP=no      
    systemd:
      units:
      - name: "settimezone.service"
        enable: true
        contents: |
          [Unit]
          Description=Set the time zone Asia/Shanghai
    
          [Service]
          ExecStart=/usr/bin/timedatectl set-timezone Asia/Shanghai
          RemainAfterExit=yes
          Type=oneshot  
    
          [Install]
          WantedBy=multi-user.target   
      - name: "etcd2.service"
        enable: false    
      - name: "etcd-member.service"
        enable: false        
      - name: "download-etcd3.service"
        enable: true    
        contents: |
          [Unit]
          Description=download etcd3 aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/etcd3.sh
          [Install]
          WantedBy=multi-user.target           
      - name: "etcd3.service"
        enable: true    
        contents: |
          [Unit]
          Description=etcd (System Application Container)
          Documentation=https://github.com/coreos/etcd
          Wants=network.target
          Conflicts=etcd.service
          Conflicts=etcd2.service
          Conflicts=etcd-member.service
          Requires=download-etcd3.service
          After=download-etcd3.service
    
          [Service]
          Type=notify
          RestartSec=10s
          LimitNOFILE=40000
    
          ExecStartPre=/usr/bin/mkdir --parents /var/lib/coreos
          ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/lib/coreos/etcd3-pod.uuid
          
          Environment="ETCD_IMAGE=/etc/kubernetes/downloads/etcd-v3.2.0.aci"
          Environment="ETCD_USER=etcd"        
          Environment="ETCD_DATA_DIR=/var/lib/etcd3"
          Environment="RKT_GLOBAL_ARGS=--insecure-options=image"        
          Environment="RKT_RUN_ARGS=--uuid-file-save=/var/lib/coreos/etcd3-pod.uuid"
          Environment="ETCD_IMAGE_ARGS=--name=etcd"
    
          ExecStart=/usr/lib/coreos/etcd-wrapper 
            --name={{ WORKER_HOSTNAME }} 
            --initial-cluster-token=spacesystech.com 
            --initial-cluster={{ ETCD_CLUSTER }} 
            --initial-cluster-state=new 
            --advertise-client-urls=http://{{ WORKER_IP }}:2379 
            --initial-advertise-peer-urls=http://{{ WORKER_IP }}:2380 
            --listen-client-urls=http://{{ WORKER_IP }}:2379,http://127.0.0.1:2379 
            --listen-peer-urls=http://{{ WORKER_IP }}:2380
    
          ExecStop=-/usr/bin/rkt stop --uuid-file=/var/lib/coreos/etcd3-pod.uuid    
    
          [Install]
          WantedBy=multi-user.target
      - name: "download-flannel.service"
        enable: true    
        contents: |
          [Unit]
          Description=download flannel aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/flannel.sh
          [Install]
          WantedBy=multi-user.target           
      - name: "flannel-docker-opts.service"
        enable: true    
        dropins:
          - name: 10-image.conf
            contents: |
              [Unit]
              Requires=download-flannel.service
              After=download-flannel.service
              [Service]                                     
              Environment="FLANNEL_IMAGE=/etc/kubernetes/downloads/flannel-v0.7.1.aci"    
              Environment="RKT_GLOBAL_ARGS=--insecure-options=image"
      - name: "flanneld.service"
        enable: true    
        dropins:
          - name: 10-image.conf
            contents: |
              [Unit]
              Requires=etcd3.service download-flannel.service
              After=etcd3.service download-flannel.service
              [Service]      
              ExecStartPre=/usr/bin/etcdctl set /spacesystech.com/network2/config '{ "Network": "10.2.0.0/16","Backend": {"Type":"vxlan"} }' 
    
              Environment="FLANNELD_IFACE={{ WORKER_IP }}"
              Environment="FLANNELD_ETCD_ENDPOINTS=http://{{ WORKER_IP }}:2379"
              Environment="FLANNELD_ETCD_PREFIX=/spacesystech.com/network2"
              Environment="FLANNEL_IMAGE=/etc/kubernetes/downloads/flannel-v0.7.1.aci"
              Environment="RKT_GLOBAL_ARGS=--insecure-options=image"
              Environment="FLANNEL_IMAGE_ARGS=--name=flannel"
      - name: "docker.service"
        enable: true    
        dropins:
          - name: 40-flannel.conf
            contents: |
              [Unit]
              Requires=flanneld.service
              After=flanneld.service
              [Service]
              Environment=DOCKER_OPT_BIP=""
              Environment=DOCKER_OPT_IPMASQ=""
          - name: 50-insecure-registry.conf
            contents: |
              [Service]
              Environment=DOCKER_OPTS='--insecure-registry="reg.local:5000"'
      - name: "kubelet-ssl.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-ssl
          Documentation=https://kubernetes.io
          [Service]
          Type=oneshot
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/ssl.sh
          [Install]
          WantedBy=multi-user.target
      - name: "kubelet-gac.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet-gac
          Documentation=https://kubernetes.io
          Requires=docker.service
          After=docker.service
          [Service]
          Type=oneshot
          Environment=KUBELET_SESSION=/etc/kubernetes/session
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/session
          ExecStart=/etc/kubernetes/scripts/kubelet-gac.sh
          [Install]
          WantedBy=multi-user.target         
      - name: "download-kubelet.service"
        enable: true    
        contents: |
          [Unit]
          Description=download kubelet aci (HTTP)
          Documentation=https://github.com/coreos/registry
    
          [Service]
          Type=oneshot  
          Environment=HTTP_SERVER={{ HTTP_SERVER_LOCAL }}
          ExecStart=/etc/kubernetes/scripts/kubelet.sh
          [Install]
          WantedBy=multi-user.target            
      - name: "kubelet.service"
        enable: true    
        contents: |
          [Unit]
          Description=kubelet
          Documentation=https://kubernetes.io
          Requires=kubelet-ssl.service kubelet-gac.service docker.service download-kubelet.service
          After=kubelet-ssl.service kubelet-gac.service docker.service download-kubelet.service
          [Service]
          ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
          ExecStartPre=/usr/bin/mkdir -p /var/log/containers
          ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
    
          Environment=PATH=/opt/bin/:/usr/bin/:/usr/sbin:$PATH
          Environment=KUBELET_IMAGE=/etc/kubernetes/downloads/hyperkube-v1.7.3.aci
          Environment="RKT_GLOBAL_ARGS=--insecure-options=image" 
          Environment="RKT_OPTS=--uuid-file-save=/var/run/kubelet-pod.uuid 
            --volume var-log,kind=host,source=/var/log 
            --mount volume=var-log,target=/var/log 
            --volume dns,kind=host,source=/etc/resolv.conf 
            --mount volume=dns,target=/etc/resolv.conf"
    
          ExecStart=/usr/lib/coreos/kubelet-wrapper 
            --api-servers=https://{{ MASTER_IP }}:6443 
            --network-plugin-dir=/etc/kubernetes/cni/net.d 
            --network-plugin= 
            --register-node=true 
            --allow-privileged=true 
            --pod-manifest-path=/etc/kubernetes/manifests 
            --hostname-override={{ WORKER_IP }} 
            --cluster-dns=10.3.0.10 
            --cluster-domain=cluster.local 
            --kubeconfig=/etc/kubernetes/kubelet-kubeconfig.yaml 
            --tls-cert-file=/etc/kubernetes/ssl/kubelet.pem 
            --tls-private-key-file=/etc/kubernetes/ssl/kubelet.key
            
          ExecStop=-/usr/bin/rkt stop --uuid-file=/var/run/kubelet-pod.uuid
    
          Restart=always
          RestartSec=10
          [Install]
          WantedBy=multi-user.target
    

      

    生成ignition.json

    使用jinja2将上述模版转化为实际配置

    ./systech01.yml

    ./systech02.yml

    ./systech03.yml

     

    下载CT工具将yml转化为ignition.json

    # ct v0.4.2

    2017.09.23

    github : https://github.com/coreos/container-linux-config-transpiler

     

    安装coreos

    使用上面生成的ignition.json安装coreos,一切顺利访问https://192.168.3.102:6443/ui将会看到dashboard页面

  • 相关阅读:
    Docker学习总结(一)--Docker简介
    Liunx软件安装之Zabbix监控软件
    Liunx软件安装之Nginx
    Liunx软件安装之Redis
    Liunx软件安装之Tomcat
    Liunx软件安装之JDK
    Liunx软件安装之MySQL
    Liunx学习总结(九)--防火墙
    tensorflow 错误
    anaconda安装失败
  • 原文地址:https://www.cnblogs.com/mengkzhaoyun/p/7599695.html
Copyright © 2020-2023  润新知