kubernetes部署思路
0.配置主机名和关闭防火墙（生产环境建议按端口放行，例如 etcd 的 2379/2380，而不是整体关闭防火墙）
1.自签名SSL证书
2.ETCD数据库集群部署
3.Node安装Docker
4.Flannel容器集群网络部署
5.部署Master组件
6.部署Node组件
7.部署集群内部DNS解析服务(coredns)
8.部署DashBoard
##############################
# 1.自签名SSL证书
##############################
#各个组件及使用的证书（下面的 ca.pem/server.pem/server-key.pem 指下文 SSL.sh 生成的 etcd CA 证书；etcd 开启了 client-cert-auth，所有访问 etcd 的组件都必须携带这套证书）
#ETCD: ca.pem server.pem server-key.pem
#Flannel: ca.pem server.pem server-key.pem
#Kube-apiserver: ca.pem server.pem server-key.pem
#Kubelet: ca.pem kube-proxy.pem kube-proxy-key.pem
#kube-proxy: ca.pem kube-proxy.pem kube-proxy-key.pem
#kubectl: ca.pem admin.pem admin-key.pem
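# Write $HOME/SSL.sh, the generator for the self-signed etcd CA and the etcd
# server/peer certificate. The outer here-doc delimiter is quoted, so nothing
# below is expanded now; every ${...} is expanded when SSL.sh itself runs.
cat >"$HOME/SSL.sh" <<'EOFALG'
#!/bin/bash
# Generate the etcd CA and one server certificate shared by all etcd members.
# Every component that talks to etcd must present a certificate signed by this
# CA: the "etcd" profile below carries both "server auth" and "client auth",
# so server.pem doubles as the client certificate for etcd clients.
#
# Usage: SSL.sh [member-ip ...]
#   Member IPs default to the three lab nodes listed below. 127.0.0.1 is
#   always added to the SANs so a local etcdctl can connect over TLS.
# Requires cfssl and cfssljson on PATH; writes into /k8s/etcd/ssl.
set -euo pipefail

for tool in cfssl cfssljson; do
  command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; exit 1; }
done

# Lab defaults: 192.168.31.82 etcd1, 192.168.31.83 etcd2, 192.168.31.84 etcd3
if [[ $# -gt 0 ]]; then
  members=("$@")
else
  members=(192.168.31.82 192.168.31.83 192.168.31.84)
fi

# Build the JSON "hosts" array. Entries are validated so a stray quote or
# brace cannot corrupt the CSR file.
hosts='"127.0.0.1"'
for ip in "${members[@]}"; do
  [[ $ip =~ ^[A-Za-z0-9.:-]+$ ]] || { echo "invalid host/IP: $ip" >&2; exit 1; }
  hosts+=", \"${ip}\""
done

mkdir -p /k8s/{etcd,kubernetes}/{cfg,bin,ssl,apps,data}
cd /k8s/etcd/ssl/

# ca-config.json: signing policy. The "etcd" profile is used for the server
# certificate and, because it includes "client auth", for client connections.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# ca-csr.json: CA subject. "ca.expiry" is set explicitly so the CA does not
# expire before the 87600h leaf certificates it signs; without it cfssl
# applies its own (shorter) default CA lifetime.
cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "ca": {
    "expiry": "87600h"
  },
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# server-csr.json: the SANs must list every member IP, since peers verify
# each other against this single certificate.
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    ${hosts}
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
  -profile=etcd server-csr.json | cfssljson -bare server

# Private keys (CA and server) must never be readable by other users.
chmod 600 ./*-key.pem
EOFALG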
##############################
# 2.ETCD数据库集群部署
##############################
#创建启动脚本和配置文件
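# Write $HOME/StartETCD.sh, which renders /k8s/etcd/cfg/etcd.conf and the etcd
# systemd unit for ONE cluster member. The outer delimiter is quoted, so every
# ${...} below is expanded when StartETCD.sh runs, not now.
cat >"$HOME/StartETCD.sh" <<'EOFALG'
#!/bin/bash
#############################################################
# Render etcd.conf and etcd.service for one etcd cluster member.
#
# Usage: StartETCD.sh <name> <ip> <other-members>
#   name           this member's name, e.g. etcd01
#   ip             this member's IP, e.g. 192.168.31.82
#   other-members  comma-separated name=peer-url list of the REMAINING
#                  members (this member is added automatically), e.g.
#                  etcd02=https://192.168.31.83:2380,etcd03=https://192.168.31.84:2380
#
# Example:
#   StartETCD.sh etcd01 192.168.31.82 etcd02=https://192.168.31.83:2380,etcd03=https://192.168.31.84:2380
#
# Requires the certificates from SSL.sh in /k8s/etcd/ssl and the etcd binary
# in /k8s/etcd/bin. Run as root; the unit has no User= and etcd runs as root.
#############################################################
set -euo pipefail

if [[ $# -ne 3 ]]; then
  echo "usage: $0 <name> <ip> <other-members>" >&2
  exit 2
fi
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

# etcd.conf is consumed by systemd as an EnvironmentFile; '#' lines are ignored.
cat >/k8s/etcd/cfg/etcd.conf <<EOF
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/k8s/etcd/data"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
# Loopback is served over TLS as well. A plain http:// listener would bypass
# ETCD_CLIENT_CERT_AUTH below and give any local process unauthenticated
# read/write access to the whole datastore. 127.0.0.1 is in the server
# certificate SANs (see SSL.sh), so local etcdctl works with the certs.
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379,https://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
# This member must appear under its OWN name (not a hard-coded etcd01),
# otherwise members 2 and 3 list a duplicate etcd01 and omit themselves,
# and etcd refuses to start.
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF

# The unit's delimiter is quoted: the ${...} references must reach systemd
# literally, which expands them from the EnvironmentFile at start time.
cat >/usr/lib/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# systemd does not expand ${VAR} in WorkingDirectory=, so this must be the
# literal path; keep it equal to ETCD_DATA_DIR in etcd.conf.
WorkingDirectory=/k8s/etcd/data
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# Invoked directly instead of via "bash -c": systemd expands ${VAR} in
# ExecStart= itself, and the Go runtime already sizes GOMAXPROCS to the CPU
# count, so no wrapper shell is needed.
ExecStart=/k8s/etcd/bin/etcd \
  --name=${ETCD_NAME} \
  --data-dir=${ETCD_DATA_DIR} \
  --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS} \
  --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
  --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
  --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
  --initial-cluster=${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
  --cert-file=${ETCD_CERT_FILE} \
  --key-file=${ETCD_KEY_FILE} \
  --trusted-ca-file=${ETCD_TRUSTED_CA_FILE} \
  --client-cert-auth=${ETCD_CLIENT_CERT_AUTH} \
  --peer-cert-file=${ETCD_PEER_CERT_FILE} \
  --peer-key-file=${ETCD_PEER_KEY_FILE} \
  --peer-trusted-ca-file=${ETCD_PEER_TRUSTED_CA_FILE} \
  --peer-client-cert-auth=${ETCD_PEER_CLIENT_CERT_AUTH}
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
EOFALG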