kubernetes安装
192.168.1.101 k8s-node02 192.168.1.73 k8s-node01 192.168.1.23 k8s-master01 下载:链接: https://pan.baidu.com/s/1dN51XMMNw8GbZ246YubVPQ 提取码: d3ca
1:配置TLS证书
组件: 需要的证书 etcd ca.pem server.pem server-key.pem kube-apiserver ca.pem server.pem server-key.pem kubelet ca.pem ca-key.pem kube-proxy ca.pem kube-proxy.pem kube-proxy-key.pem kubectl ca.pem admin.pem admin-key.pem
安装证书生成工具
[root@k8s-master01 ~]# wget http://pkg.cfssl.org/R1.2/cfssl_linux-amd64 [root@k8s-master01 ~]# wget http://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 [root@k8s-master01 ~]# wget http://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 [root@k8s-master01 ~]# chmod +x cfssl* [root@k8s-master01 ~]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo [root@k8s-master01 ~]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson [root@k8s-master01 ~]# mv cfssl_linux-amd64 /usr/local/bin/cfssl [root@k8s-master01 ~]# mkdir /root/ssl [root@k8s-master01 ~]# cd /root/ssl
生成ca证书
[root@k8s-master01 ssl]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@k8s-master01 ssl]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Zhengzhou",
"ST": "Zhengzhou",
"O": "k8s",
"OU": "System"
}
]
}
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
生成server证书
[root@k8s-master01 ssl]# cat server-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.23",
"192.168.1.73",
"192.168.1.101",
"kubernetes",
"k8s-node01",
"k8s-master01",
"k8s-node02",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Zhengzhou",
"ST": "Zhengzhou",
"O": "k8s",
"OU": "System"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
生成admin证书
[root@k8s-master01 ssl]# cat admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Zhengzhou",
"ST": "Zhengzhou",
"O": "System:masters",
"OU": "System"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
生成kube-proxy证书
[root@k8s-master01 ssl]# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Zhengzhou",
"ST": "Zhengzhou",
"O": "k8s",
"OU": "System"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
注意生成的证书要每个服务器同步一下
[root@k8s-node02 flanneld]# scp -r /root/ssl k8s-node01:/root/
[root@k8s-node02 flanneld]# scp -r /root/ssl k8s-node02:/root/
部署etcd存储集群
[root@k8s-master01 ~]#wget https://github.com/etcd-io/etcd/releases/download/v3.3.11/etcd-v3.3.11-linux-amd64.tar.gz
[root@k8s-master01 ~]#tar xf etcd-v3.3.11-linux-amd64.tar.gz
[root@k8s-master01 ~]#mkdir /k8s/etcd/{bin,cfg} -p
[root@k8s-master01 ~]#mv etcd-v3.3.11-linux-amd64/etcd* /k8s/etcd/bin
[root@k8s-master01 ~]#vim /k8s/etcd/cfg/etcd
#[root@k8s-master01 etcd-v3.3.11-linux-amd64]# cat /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.23:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.23:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.23:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.23:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.23:2380,etcd02=https://192.168.1.73:2380,etcd03=https://192.168.1.101:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-clusters"
ETCD_INITIAL_CLUSTER_STATE="new"
[root@k8s-master01 etcd-v3.3.11-linux-amd64]# cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/k8s/etcd/cfg/etcd
ExecStart=/k8s/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/root/ssl/server.pem \
--key-file=/root/ssl/server-key.pem \
--peer-cert-file=/root/ssl/server.pem \
--peer-key-file=/root/ssl/server-key.pem \
--trusted-ca-file=/root/ssl/ca.pem \
--peer-trusted-ca-file=/root/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
[root@k8s-master01 etcd-v3.3.11-linux-amd64]# systemctl daemon-reload
[root@k8s-master01 etcd-v3.3.11-linux-amd64]# systemctl restart etcd
复制到从节点
[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service k8s-node01:/usr/lib/systemd/system/etcd.service
[root@k8s-master01 ~]# scp /usr/lib/systemd/system/etcd.service k8s-node02:/usr/lib/systemd/system/etcd.service
[root@k8s-master01 ~]# scp -r etcd k8s-node01:/k8s/
[root@k8s-master01 ~]# scp -r etcd k8s-node02:/k8s/
注意修改:
[root@k8s-master01 k8s]# cat /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01" #对应的服务器 修改为下列: ETCD_INITIAL_CLUSTER里面的etcd0#
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.23:2380" #修改为对应服务器的ip
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.23:2379" #修改为对应服务器的ip
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.23:2380" #修改为对应服务器的ip
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.23:2379" #修改为对应服务器的ip
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.23:2380,etcd02=https://192.168.1.73:2380,etcd03=https://192.168.1.101:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-clusters"
ETCD_INITIAL_CLUSTER_STATE="new"
三台分别执行:systemctl daemon-reload&&systemctl enable etcd&& systemctl restart etcd&&ps -ef|grep etcd
检查集群健康状态
[root@k8s-master01 ~]# etcdctl --ca-file=/root/ssl/ca.pem --cert-file=/root/ssl/server.pem --key-file=/root/ssl/server-key.pem --endpoints=" https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379" cluster-health
部署flannel网路
是Overkay网络的一种,也是将源数据包封装在另一种网络里面进行路由转发和通信,目前已经支持UDP,CXLAN,AWS VPC和GCE路由等数据转发方式。
多主机容器网络通信其他主流方案:隧道(Weave,openSwitch),路由方案(calico)等
[root@k8s-master01 ~]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
[root@k8s-master01 ~]# tar xf flannel-v0.11.0-linux-amd64.tar.gz
[root@k8s-master01 ~]# mkdir /k8s/flanneld/{bin,cfg}
[root@k8s-master01 ~]# cd flannel-v0.11.0-linux-amd64
[root@k8s-master01 ~]# mv flanneld mk-docker-opts.sh /k8s/flanneld/bin
[root@k8s-master01 ~]# cat /etc/profile
export PATH=/k8s/etcd/bin:/k8s/flanneld/bin:$PATH
向 etcd 写入集群 Pod 网段信息
[root@k8s-master01 ~]# etcdctl --ca-file=/root/ssl/ca.pem --cert-file=/root/ssl/server.pem --key-file=/root/ssl/server-key.pem --endpoints="https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
设置flanneld配置文件和启动管理文件
[root@k8s-master01 flanneld]# vim /k8s/flanneld/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379 -etcd-cafile=/root/ssl/ca.pem -etcd-certfile=/root/ssl/server.pem -etcd-keyfile=/root/ssl/server-key.pem"
[root@k8s-master01 flanneld]# vim /usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/k8s/flanneld/cfg/flanneld
ExecStart=/k8s/flanneld/bin/flanneld --ip-masq $FLANNEL_OPTIONS
ExecStartPost=/k8s/flanneld/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
[root@k8s-master01 flanneld]#systemctl daemon-reload
[root@k8s-master01 flanneld]#systemctl enable flanneld
[root@k8s-master01 flanneld]#systemctl start flanneld
检查启动:ifconfig查看flanneld网口
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.39.0 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::ec16:16ff:fe4b:cd1 prefixlen 64 scopeid 0x20<link>
ether ee:16:16:4b:0c:d1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 12 overruns 0 carrier 0 collisions 0
查看生成子网的接口
[root@k8s-master01 flanneld]# vim /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.39.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.39.1/24 --ip-masq=false --mtu=1450"
配置 Docker 启动指定flanneld子网段
[root@k8s-master01 flanneld]# mv /usr/lib/systemd/system/docker.service /usr/lib/systemd/system/docker.service_back
[root@k8s-master01 flanneld]# cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
[root@k8s-master01 flanneld]# systemctl daemon-reload
[root@k8s-master01 flanneld]# systemctl restart docker
然后ifconfig查看docker是否从flanneld得到ip地址
[root@k8s-master01 flanneld]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.39.1 netmask 255.255.255.0 broadcast 172.17.39.255
ether 02:42:f0:f7:a0:74 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.17.39.0 netmask 255.255.255.255 broadcast 0.0.0.0
inet6 fe80::ec16:16ff:fe4b:cd1 prefixlen 64 scopeid 0x20<link>
ether ee:16:16:4b:0c:d1 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 13 overruns 0 carrier 0 collisions 0
复制配置到从节点
[root@k8s-master01 ~]# cd /k8s/
[root@k8s-master01 k8s]# scp -r flanneld k8s-node01:/k8s/
[root@k8s-master01 k8s]# scp -r flanneld k8s-node02:/k8s/
[root@k8s-master01 k8s]# scp /usr/lib/systemd/system/docker.service k8s-node01:/usr/lib/systemd/system/docker.service
[root@k8s-master01 k8s]# scp /usr/lib/systemd/system/docker.service k8s-node02:/usr/lib/systemd/system/docker.service
[root@k8s-master01 k8s]# scp /usr/lib/systemd/system/flanneld.service k8s-node01:/usr/lib/systemd/system/flanneld.service
[root@k8s-master01 k8s]# scp /usr/lib/systemd/system/flanneld.service k8s-node02:/usr/lib/systemd/system/flanneld.service
node01执行
[root@k8s-node01 cfg]# systemctl daemon-reload
[root@k8s-node01 cfg]# systemctl enable docker
[root@k8s-node01 cfg]# systemctl enable flanneld
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
[root@k8s-node01 cfg]# systemctl start flanneld
[root@k8s-node01 cfg]# systemctl start docker
node02执行
[root@k8s-node02 flanneld]# systemctl daemon-reload
[root@k8s-node02 flanneld]# systemctl enable docker
[root@k8s-node02 flanneld]# systemctl enable flanneld
[root@k8s-node02 flanneld]# systemctl restart flanneld
[root@k8s-node02 flanneld]# systemctl restart docker
这样:不同的服务器flanneld会生成不同的IP地址,docker会根据flanneld生成的网络接口生成*.1的ip地址
#检查网络是否互通
ping 对应docker的ip地址即可
#查看etcd注册的ip地址
[root@k8s-master01 k8s]# etcdctl --ca-file=/root/ssl/ca.pem --cert-file=/root/ssl/server.pem --key-file=/root/ssl/server-key.pem --endpoints=" https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379 " ls /coreos.com/network/subnets
/coreos.com/network/subnets/172.17.89.0-24
/coreos.com/network/subnets/172.17.44.0-24
/coreos.com/network/subnets/172.17.39.0-24
[root@k8s-master01 k8s]# etcdctl --ca-file=/root/ssl/ca.pem --cert-file=/root/ssl/server.pem --key-file=/root/ssl/server-key.pem --endpoints="https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379" get /coreos.com/network/subnets/172.17.39.0-24
{"PublicIP":"192.168.1.23","BackendType":"vxlan","BackendData":{"VtepMAC":"ee:16:16:4b:0c:d1"}}
PublicIP: 节点ip地址
BackendType: 类型
VtepMAC: 虚拟的mac
查看下路由表:
### master上创建node节点的kubeconfig文件
创建 TLS Bootstrapping Token生成token.csv文件
head -c 16 /dev/urandom |od -An -t x |tr -d ' ' > /k8s/kubenerets/token.csv [root@k8s-master01 kubenerets]# cat toker.csv 454b513c7148ab3a0d2579e8f0c4e884,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
创建apiserver配置文件
[root@k8s-master01 kubenerets]# export KUBE_APISERVER="https://192.168.1.23:6443"
创建kubelet bootstrapping kubeconfig
BOOTSTRAP_TOKEN=454b513c7148ab3a0d2579e8f0c4e884 KUBE_APISERVER="https://192.168.1.23:6443"
设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/root/ssl/ca.pem\
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig
设置上下文参数
kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig
设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=/root/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=/root/ssl/kube-proxy.pem \
--client-key=/root/ssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
部署 apiserver kube-scheduler kube-controller-manager
创建apiserver配置文件
[root@k8s-master01 cfg]# cat /k8s/kubenerets/cfg/kube-apisever
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.1.23:2379,https://192.168.1.73:2379,https://192.168.1.101:2379 \
--insecure-bind-address=0.0.0.0 \
--insecure-port=8080 \
--bind-address=192.168.1.23 \
--secure-port=6443 \
--advertise-address=192.168.1.23 \
--allow-privileged=true \
--service-cluster-ip-range=10.10.10.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/k8s/kubenerets/cfg/toker.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/root/ssl/server.pem \
--kubelet-https=true \
--tls-private-key-file=/root/ssl/server-key.pem \
--client-ca-file=/root/ssl/ca.pem \
--service-account-key-file=/root/ssl/ca-key.pem \
--etcd-cafile=/root/ssl/ca.pem \
--etcd-certfile=/root/ssl/server.pem \
--etcd-keyfile=/root/ssl/server-key.pem"
kube-apiserver启动脚本
[root@k8s-master01 cfg]# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/k8s/kubenerets/cfg/kube-apisever
ExecStart=/k8s/kubenerets/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
scheduler 部署
[root@k8s-master01 cfg]# cat kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
启动脚本
[root@k8s-master01 cfg]# cat /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/k8s/kubenerets/cfg/kube-scheduler ExecStart=/k8s/kubenerets/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target
kube-controller-manager 部署
[root@k8s-master01 cfg]# cat kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect=true \ --address=127.0.0.1 \ --service-cluster-ip-range=10.10.10.0/24 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/root/ssl/ca.pem \ --cluster-signing-key-file=/root/ssl/ca-key.pem \ --root-ca-file=/root/ssl/ca.pem \ --service-account-private-key-file=/root/ssl/ca-key.pem
启动脚本
[root@k8s-master01 cfg]# cat /usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/k8s/kubenerets/cfg/kube-controller-manager ExecStart=/k8s/kubenerets/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target systemctl daemon-reload systemctl enable kube-apiserver systemctl enable kube-controller-manager systemctl enable kube-scheduler systemctl restart kube-apiserver systemctl restart kube-controller-manager systemctl restart kube-scheduler
#查看master集群状态
[root@k8s-master01 cfg]# kubectl get cs,nodes
复制 文件到从节点
复制证书文件到node节点
[root@k8s-master01 cfg]# scp -r /root/ssl k8s-node01:/root/
[root@k8s-master01 cfg]# scp -r /root/ssl k8s-node02:/root/
复制bootstrap.kubeconfig kube-proxy.kubeconfig
[root@k8s-master01 kubenerets]# scp *.kubeconfig k8s-node01:/k8s/kubenerets/
bootstrap.kubeconfig 100% 2182 4.1MB/s 00:00
kube-proxy.kubeconfig 100% 6300 12.2MB/s 00:00
[root@k8s-master01 kubenerets]# scp *.kubeconfig k8s-node02:/k8s/kubenerets/
bootstrap.kubeconfig 100% 2182 4.1MB/s 00:00
kube-proxy.kubeconfig 100% 6300 12.2MB/s 00:00
我这里直接把可执行命令都发送到测试环境
[root@k8s-master01 bin]# scp ./* k8s-node01:/k8s/kubenerets/bin/ && scp ./* k8s-node02:/k8s/kubenerets/bin/ apiextensions-apiserver 100% 41MB 70.0MB/s 00:00 cloud-controller-manager 100% 96MB 95.7MB/s 00:01 hyperkube 100% 201MB 67.1MB/s 00:03 kubeadm 100% 38MB 55.9MB/s 00:00 kube-apiserver 100% 160MB 79.9MB/s 00:02 kube-controller-manager 100% 110MB 69.4MB/s 00:01 kubectl 100% 41MB 80.6MB/s 00:00 kubelet 100% 122MB 122.0MB/s 00:01 kube-proxy 100% 35MB 66.0MB/s 00:00 kube-scheduler 100% 37MB 78.5MB/s 00:00 mounter 100% 1610KB 17.9MB/s 00:00
部署node节点组件
kubernetes work 节点运行如下组件: docker 前面已经部署 kubelet kube-proxy
部署 kubelet 组件
kublet 运行在每个 worker 节点上,接收 kube-apiserver 发送的请求,管理 Pod 容器,执行交互式命令,如exec、run、logs 等; kublet 启动时自动向 kube-apiserver 注册节点信息,内置的 cadvisor 统计和监控节点的资源使用情况; 为确保安全,本文档只开启接收 https 请求的安全端口,对请求进行认证和授权,拒绝未授权的访问(如apiserver、heapster)。
部署kubelet
[root@k8s-node01 cfg]# cat /k8s/kubenerets/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--address=192.168.1.73 \
--hostname-override=192.168.1.73 \
--kubeconfig=/k8s/kubenerets/cfg/kubelet.kubeconfig \ #自己生成 不需要创建
--experimental-bootstrap-kubeconfig=/k8s/kubenerets/bootstrap.kubeconfig \
--cert-dir=/root/ssl \
--allow-privileged=true \
--cluster-dns=10.10.10.2 \
--cluster-domain=cluster.local \
--fail-swap-on=false \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
#kubelet启动脚本
[root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/k8s/kubenerets/cfg/kubelet
ExecStart=/k8s/kubenerets/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
部署kube-proxy
kube-proxy 运行在所有 node节点上,它监听 apiserver 中 service 和 Endpoint 的变化情况,创建路由规则来进行服务负载均衡。
创建 kube-proxy 配置文件
[root@k8s-node01 cfg]# vim /k8s/kubenerets/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.1.73 \
--kubeconfig=/k8s/kubenerets/kube-proxy.kubeconfig"
bindAddress: 监听地址;
clientConnection.kubeconfig: 连接 apiserver 的 kubeconfig 文件;
clusterCIDR: kube-proxy 根据 –cluster-cidr 判断集群内部和外部流量,指定 –cluster-cidr 或 –masquerade-all 选项后 kube-proxy 才会对访问 Service IP 的请求做 SNAT;
hostnameOverride: 参数值必须与 kubelet 的值一致,否则 kube-proxy 启动后会找不到该 Node,从而不会创建任何 ipvs 规则;
mode: 使用 ipvs 模式;
创建kube-proxy systemd unit 文件
[root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/k8s/kubenerets/cfg/kube-proxy
ExecStart=/k8s/kubenerets/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl enable kube-proxy
systemctl start kube-prox
在master创建用户角色并绑定权限
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
master节点查看csr
[root@k8s-master01 cfg]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-YCL1SJyx3q0tSDCQuFLe4DmMdxUZgLA3-2EmDCOKiD4 19m kubelet-bootstrap Pending
master节点授权允许node节点皆在csr
kubectl certificate approve node-csr-YCL1SJyx3q0tSDCQuFLe4DmMdxUZgLA3-2EmDCOKiD4
再次查看src发现CONDITION 变更为:Approved,Issued
master查看node加载进度
[root@k8s-master01 cfg]# kubectl get nodes NAME STATUS ROLES AGE VERSION 192.168.1.73 Ready <none> 48s v1.14.1
这时候node01节点应该自动生成了kubelet的证书
[root@k8s-node01 cfg]# ls /root/ssl/kubelet*
/root/ssl/kubelet-client-2019-05-14-11-29-40.pem /root/ssl/kubelet-client-current.pem /root/ssl/kubelet.crt /root/ssl/kubelet.key
其他从节点加入集群方式同上
[root@k8s-node01 kubenerets]# scp /usr/lib/systemd/system/kube* k8s-node02:/usr/lib/systemd/system/ [root@k8s-node01 cfg]# cd /k8s/kubenerets/cfg [root@k8s-node01 cfg]# scp kubelet kube-proxy k8s-node02:/k8s/kubenerets/cfg/
修改kubelet和kube-proxy
[root@k8s-node02 cfg]# cat kubelet KUBELET_OPTS="--logtostderr=true \ --v=4 \ --address=192.168.1.101 \ --hostname-override=192.168.1.101 \ --kubeconfig=/k8s/kubenerets/cfg/kubelet.kubeconfig \ --experimental-bootstrap-kubeconfig=/k8s/kubenerets/bootstrap.kubeconfig \ --cert-dir=/root/ssl \ --allow-privileged=true \ --cluster-dns=10.10.10.2 \ --cluster-domain=cluster.local \ --fail-swap-on=false \ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0" [root@k8s-node02 cfg]# cat kube-proxy KUBE_PROXY_OPTS="--logtostderr=true \ --v=4 \ --hostname-override=192.168.1.101 \ --kubeconfig=/k8s/kubenerets/kube-proxy.kubeconfig"
启动
systemctl daemon-reload systemctl enable kubelet systemctl start kubelet systemctl enable kube-proxy systemctl start kube-proxy
master节点加载crs
[root@k8s-master01 cfg]# kubectl get csr [root@k8s-master01 cfg]# kubectl certificate approve node-csr-gHgQ5AYjpn6nFUMVEEYvIfyNqUK2ctmpA14YMecQtHY
以上就是本文的全部内容,希望本文的内容对大家的学习或者工作能带来一定的帮助,也希望大家多多支持 码农网
猜你喜欢:
- Kubernetes 二进制安装过程
- 离线环境下使用二进制方式安装配置Kubernetes集群(三)
- 自动化部署工具 Syncd v1.1.0 发布,提供二进制安装包
- 二进制手表
- 二进制状态码
- Cocoapods 二进制
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Java Web整合开发王者归来
刘京华 / 清华大学 / 2010-1 / 99.80元
《Java Web整合开发王者归来(JSP+Servlet+Struts+Hibernate+Spring)》全面介绍了Java Web开发中的各种相关技术及知识。全书分为9篇,内容层次清晰,难度循序渐进。第1篇为入门篇,内容包括Java Web开发概述等;第2篇为基础篇,内容包括Servlet技术、JSP技术、会话跟踪、过滤器Filter、监听器Listener等;第3篇为高级篇,内容包括JST......一起来看看 《Java Web整合开发王者归来》 这本书的介绍吧!
