Kubernetes---- 二進制集羣部署(ETCD集羣+Flannel網絡)

原創 weixin_45726050 2020-05-02 20:43

文章目錄

前言:

  • 本篇博客主要介紹二進制集羣之etcd+flannel組件部署~

一、實驗環境

  • 本實驗需求爲3個節點即可,配置2+4(2個CPU+4G內存)

  • 主機角色分配爲

    ① master 節點IP:192.168.226.128

    • 需安裝的軟件

      kube-apiserver

      kube-controller-manager

      kube-scheduler

      etcd

    ② node1 節點IP:192.168.226.132

    • 需安裝的軟件:

      kubelet

      kube-proxy

      docker

      flannel

      etcd

    ③ node2 節點IP:192.168.226.133

    • 需安裝的軟件與node1相同

  • 官網源碼包下載:https://github.com/kubernetes/kubernetes/releases?after=v1.13.1

  • ETCD 二進制包地址:https://github.com/etcd-io/etcd/releases

二、ETCD集羣部署

2.1 master 節點部署
2.1.1 定義兩個腳本文件
  • 創建/k8s目錄,在創建兩個腳本
[root@master ~]# mkdir k8s
[root@master ~]# cd k8s
[root@master k8s]# ls
etcd-cert.sh  etcd.sh
#etcd-cert.sh 是證書製作的腳本
#etcd.sh etcd啓動腳本

  • etcd-cert.sh 證書製作腳本詳解

    以下腳本書寫的格式爲:jason

[root@master k8s]# cat etcd-cert.sh 
cat > ca-config.json <<EOF			#CA證書配置文件
{
  "signing": {					#鍵名稱
    "default": {
      "expiry": "87600h"			#證書有效期(10年)
    },
    "profiles": {				#簡介
      "www": {					#名稱
         "expiry": "87600h",
         "usages": [				#使用方法
            "signing",				#鍵
            "key encipherment",			#密鑰驗證(密鑰驗證要設置在CA證書中)
            "server auth",			#服務器端驗證
            "client auth"			#客戶端驗證
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF				#CA簽名
{
    "CN": "etcd CA",				#CA簽名爲etcd指定(三個節點均需要)
    "key": {
        "algo": "rsa",				#使用rsa非對稱密鑰的形式
        "size": 2048				#密鑰長度爲2048
    },
    "names": [					#在證書中定義信息(標準格式)
        {
            "C": "CN",				#名稱
            "L": "Beijing",		
            "ST": "Beijing"		
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF			#服務器端的簽名
{
    "CN": "etcd",
    "hosts": [					#定義三個節點的IP地址
    "192.168.226.128",
    "192.168.226.132",
    "192.168.226.133"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
#cfssl 爲證書製作工具
  • etcd.sh 啓動腳本內容詳解
[root@master k8s]# cat etcd.sh 
#!/bin/bash
#以下爲使用格式:etcd名稱 當前etcd的IP地址+完整的集羣名稱和地址
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1						#位置變量1:etcd節點名稱
ETCD_IP=$2						#位置變量2:節點地址
ETCD_CLUSTER=$3						#位置變量3:集羣

WORK_DIR=/opt/etcd					#指定工作目錄

cat <<EOF >$WORK_DIR/cfg/etcd				#在指定工作目錄創建ETCD的配置文件
#[Member]
ETCD_NAME="${ETCD_NAME}"				#etcd名稱
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"		#etcd IP地址:2380端口。用於集羣之間通訊
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"	#etcd IP地址:2379端口,用於開放給外部客戶端通訊

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"	#對外提供的url使用https的協議進行訪問
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"		#多路訪問
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"		#tokens 令牌環名稱:etcd-cluster
ETCD_INITIAL_CLUSTER_STATE="new"			#狀態,重新創建
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service		#定義ectd的啓動腳本
[Unit]								#基本項			
Description=Etcd Server					#類似爲 etcd 服務
After=network.target					#vu癌症
After=network-online.target
Wants=network-online.target

[Service]						#服務項
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd	#etcd文件位置
ExecStart=${WORK_DIR}/bin/etcd \			#準啓動狀態及以下的參數
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \ #以下爲羣集內部的設定
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \	#羣集內部通信,也是使用的令牌,爲了保證安全(防範中間人竊取)
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \		#證書相關參數
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536					#開放最多的端口號

[Install]
WantedBy=multi-user.target				#進行啓動
EOF

systemctl daemon-reload					#參數重載
systemctl enable etcd
systemctl restart etcd
2.1.2 創建證書
  • 首先,創建證書目錄,複製k8s目錄下的證書創建腳本
[root@master k8s]# mkdir etcd-cert
[root@master k8s]# ls
etcd-cert  etcd-cert.sh  etcd.sh
[root@master k8s]# cd etcd-cert/
[root@master etcd-cert]# mv ../etcd-cert.sh ./
[root@master etcd-cert]# ls
etcd-cert.sh

  • 創建cfssl類型工具下載腳本

    先從官網源中製作證書的工具下載下來

[root@master etcd-cert]# cat cfssl.sh
#先從官網源中製作證書的工具下載下來,(-o:導出)放在/usr/local/bin中便於系統識別
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

#從另一個站點源中下載cfssljson工具,用於識別json配置文件格式
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

#下載cfssl-certinfo工具
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

#給與權限
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@master etcd-cert]# bash cfssl.sh 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9.8M  100  9.8M    0     0   516k      0  0:00:19  0:00:19 --:--:--  622k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2224k  100 2224k    0     0   181k      0  0:00:12  0:00:12 --:--:--  264k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6440k  100 6440k    0     0   431k      0  0:00:14  0:00:14 --:--:--  796k
[root@master etcd-cert]# ls /usr/local/bin
cfssl  cfssl-certinfo  cfssljson

  • 定義生成CA證書的配置文件

    生成在etcd-cert目錄下

[root@master etcd-cert]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]  
      } 
    }
  }
}
EOF
[root@master etcd-cert]# ls
ca-config.json  cfssl.sh  etcd-cert.sh
  • 定義生成證書籤名文件
[root@master etcd-cert]# cat > ca-csr.json <<EOF 
{   
    "CN": "etcd CA",				#證書名稱 etcd CA
    "key": {
        "algo": "rsa",				#algo:算法 rsa 非對稱密鑰
        "size": 2048
    },
    "names": [					#項目標題
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
[root@master etcd-cert]# ls
ca-config.json  ca-csr.json  cfssl.sh  etcd-cert.sh

  • 生成證書

    需生成ca-key.pem 密鑰證書和ca.pem證書

#命令、參數介紹:
#使用cfssl工具製作證書
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#gencert-initca:初始化ca
#初始化對象爲csr.json
#cfssljson -bare ca - 對照ca-config-json配置文件生成證書

#以下爲過程
[root@master etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/04/28 22:23:51 [INFO] generating a new CA key and certificate from CSR
2020/04/28 22:23:51 [INFO] generate received request
2020/04/28 22:23:51 [INFO] received CSR
2020/04/28 22:23:51 [INFO] generating key: rsa-2048
2020/04/28 22:23:51 [INFO] encoded CSR
2020/04/28 22:23:51 [INFO] signed certificate with serial number 183162516941087785302161335460622789346733634483
[root@master etcd-cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  cfssl.sh  etcd-cert.sh

  • 指定etcd三個節點之間的通信驗證

    定義服務器端的json文件

[root@master etcd-cert]# cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [					#定義羣集IP
    "192.168.226.128",
    "192.168.226.132",
    "192.168.226.133"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [					#項目名稱,內容需要與ca證書對應
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
[root@master etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem    etcd-cert.sh
ca.csr          ca-key.pem   cfssl.sh  server-csr.json
  • 生成服務器端密鑰證書:server-key.pem 和服務器端證書:server.pem
[root@master etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
#命令參數簡介:cfssl gencert 使用cfssl工具製作證書
#-ca=ca.pem 製作證書依賴於CA頒發的ca.pem 
#-ca-key=ca-key.pem 製作證書同時依賴於CA的密鑰證書
#-config=ca-config.json 製作證書需要使用到ca的配置文件
#-profile=www 文件名爲www
#server-csr.json 使用之前製作的的簽名文件
#| cfssljson -bare server  生成證書
    
    
#製作過程
[root@master etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2020/04/28 22:48:27 [INFO] generate received request
2020/04/28 22:48:27 [INFO] received CSR
2020/04/28 22:48:27 [INFO] generating key: rsa-2048
2020/04/28 22:48:27 [INFO] encoded CSR
2020/04/28 22:48:27 [INFO] signed certificate with serial number 355665838045981162128613702213192731340064915336
2020/04/28 22:48:27 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
  • 以上證書製作已完成,現已產生的證書文件主要包含以下
[root@master etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem    etcd-cert.sh  server-csr.json  server.pem
ca.csr          ca-key.pem   cfssl.sh  server.csr    server-key.pem
#其中 ca.pem、ca-key.pem、server.pem、 server-key.pem 就是我們製作完成的服務端證書和客戶端證書
2.1.3 ETCD 部署

  • ① 下載、解壓軟件包

    本次實驗軟件包已下載完成,軟件包下載地址在博客開頭已給出

    下載並將以下軟件包,並放在k8s目錄下

    etcd-v3.3.10-linux-amd64.tar.gz

    flannel-v0.10.0-linux-amd64.tar.gz

    kubernetes-server-linux-amd64.tar.gz

[root@master k8s]# ls
etcd-cert  etcd-v3.3.10-linux-amd64.tar.gz     kubernetes-server-linux-amd64.tar.gz
etcd.sh    flannel-v0.10.0-linux-amd64.tar.gz
  • 解壓etcd-v3.3.10-linux-amd64.tar.gz
[root@master k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@master k8s]# ls etcd-v3.3.10-linux-amd64
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md

  • 創建ETCD工作目錄

    創建包括cfg:配置文件目錄、bin:命令文件目錄、ssl:證書文件目錄

[root@master k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p
[root@master k8s]# ls /opt/etcd
bin  cfg  ssl
  • 拷貝命令文件
[root@master k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin
[root@master k8s]# ls /opt/etcd/bin
etcd  etcdctl
  • 拷貝證書文件
[root@master k8s]# cp etcd-cert/*.pem /opt/etcd/ssl
[root@master k8s]# ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem

  • 進入卡住狀態等待其他節點加入

    執行此命令會產生兩個文件,一個是配置文件,一個是啓動腳本

    同時,等待加入的過程大約在5分鐘左右,如果沒有節點接入則會自動退出

[root@master k8s]# bash etcd.sh etcd01 192.168.226.128 etcd02=https://192.168.226.132:2380,etcd03=https://192.168.226.133:2380
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
  • 另起終端,查看產生的配置文件
[root@master ~]# cd /opt/etcd/cfg
[root@master cfg]# ls
etcd
[root@master cfg]# cat etcd 
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.226.128:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.226.128:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.226.128:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.226.128:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.226.128:2380,etcd02=https://192.168.226.132:2380,etcd03=https://192.168.226.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#以上則是羣集信息和各節點信息,配置文件中的變量引用的則是我們之前在k8s目錄中設置的啓動腳本變量
  • 查看etcd 狀態/進程
[root@master cfg]# ps -ef | grep etcd
root      80972      1  2 10:56 ?        00:00:00 /opt/etcd/bin/etcd --name=etcd01 --data-dir=/var/lib/etcd/default.etcd --listen-peer-urls=https://192.168.226.128:2380 --listen-client-urls=https://192.168.226.128:2379,http://127.0.0.1:2379 --advertise-client-urls=https://192.168.226.128:2379 --initial-advertise-peer-urls=https://192.168.226.128:2380 --initial-cluster=etcd01=https://192.168.226.128:2380,etcd02=https://192.168.226.132:2380,etcd03=https://192.168.226.133:2380 --initial-cluster-token=etcd-cluster --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
root      81895  71883  0 10:56 pts/2    00:00:00 grep --color=auto etcd
  • 最後,將證書和啓動腳本推送/複製到兩臺node節點中
#將etcd所有的配置文件、證書、腳本複製到兩個節點
[root@master k8s]# scp -r /opt/etcd/ [email protected]:/opt
[root@master k8s]# scp -r /opt/etcd/ [email protected]:/opt

#將啓動腳本複製到兩個節點
[root@master k8s]# scp -r /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
[root@master k8s]# scp -r /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
2.2 node節點部署
  • 查看、修改配置文件
[root@node1 ~]# ls /usr/lib/systemd/system/ | grep etcd
etcd.service

[root@node1 ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"					#需修改節點名稱
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.226.132:2380"	#將url:2380端口的IP地址改爲132(本地節點IP)
ETCD_LISTEN_CLIENT_URLS="https://192.168.226.132:2379"		#將url:2379端口的IP地址改爲132(本地節點IP)

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.226.132:2380"	
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.226.132:2379"
#以上兩條選項的地址也改爲本地IP
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.226.128:2380,etcd02=https://192.168.226.132:2380,etcd03=https://192.168.226.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#同理修改node2節點配置文件
  • 啓動服務
    • 先在master節點使用命令,開啓等待節點加入
    • 其他兩個node節點啓動etcd 服務
#master節點:
[root@localhost k8s]# bash etcd.sh etcd01 192.168.226.128 etcd02=https://192.168.226.132:2380,etcd03=https://192.168.226.133:2380

#node1、node2節點
[root@node1 cfg]# systemctl start etcd 
[root@node2 cfg]# systemctl start etcd
  • 檢查集羣狀態
#master節點
#因爲查看節點命令中要使用到ca證書,所以必須在包含ca證書文件的目執行
[root@localhost k8s]# cd etcd-cert/
[root@localhost etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem    etcd-cert.sh  server.csr       server-key.pem
ca.csr          ca-key.pem   cfssl.sh  etcd.sh       server-csr.json  server.pem

[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.226.128:2379,https://192.168.226.132:2379,https://192.168.226.133:2379" cluster-health
member 71154e5294d6d635 is healthy: got healthy result from https://192.168.226.128:2379
member ea2eb7f7893afcb7 is healthy: got healthy result from https://192.168.226.132:2379
member fab550d1713e6ebd is healthy: got healthy result from https://192.168.226.133:2379
cluster is healthy
#截至目前狀態,三個節點的通訊已完成

三、Flannel網絡部署

3.1 Flannel 介紹
3.1.1 Flannel 網絡概述
  • flannel是CoreOS提供用於解決Dokcer集羣跨主機通訊的覆蓋網絡工具。
  • 它的主要思路是:預先留出一個網段,每個主機使用其中一部分,然後每個容器被分配不同的ip;讓所有的容器認爲大家在同一個直連的網絡,底層通過UDP/VxLAN等進行報文的封裝和轉發。
  • Overlay Network:覆蓋網絡,在基礎網絡上疊加的一種虛擬網絡技術模式,該網絡中的主機通過虛擬鏈路連接起來
    • 類似VPN隧道,原理爲在物理網絡上實現的邏輯網絡
  • VXLAN:將源數據包封裝到UDP中,並使用基礎網絡的IP/MAC作爲外層包頭進行封裝,然後在以太網上傳輸,到達目的地後由隧道斷電解封並將數據發給目標地址
  • Flannel:是Overlay網絡的一種,也是將源數據包封裝在另一種網絡包中進行路由轉發和通信,目前已支持UDP、VXLAN、AWS VPN和GCE路由等數據轉發方式
3.1.2 flannel網絡架構圖

在這裏插入圖片描述

  • flannel原理簡介
  • ① 數據從源容器中發出後,經由所在主機的docker0虛擬網卡轉發到flannel0虛擬網卡,這是個P2P的虛擬網卡,flanneld服務監聽在網卡的另外一端。
  • ② Flannel通過Etcd服務維護了一張節點間的路由表,在稍後的配置部分我們會介紹其中的內容。
  • ③ 源主機的flanneld服務將原本的數據內容UDP封裝後根據自己的路由表投遞給目的節點的flanneld服務,數據到達以後被解包,然後直接進入目的節點的flannel0虛擬網卡,然後被轉發到目的主機的docker0虛擬網卡,最後就像本機容器通信一下的有docker0路由到達目標容器。
3.2 flannel部署
  • 首先兩個node節點需要先安裝docker引擎,具體流程可見:Docker安裝
3.2.1 flannel網絡配置
  • ① 寫入分配的子網段到ETCD中,供flannel使用(master主機)
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.226.128:2379,https://192.168.226.132:2379,https://192.168.226.133:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}‘

#命令簡介:
#使用etcdctl命令,藉助ca證書,目標斷點爲三個ETCD節點IP,端口爲2379
#set /coreos.com/network/config 設置網段信息
#"Network": "172.17.0.0/16" 此網段必須是集合網段(B類地址),而Pod分配的資源必須在此網段中的子網段(C類地址)
#"Backend": {"Type": "vxlan"}} 外部通訊的類型是VXLAN
  • ② 查看寫入的信息
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.226.128:2379,https://192.168.226.132:2379,https://192.168.226.133:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
  • ③ 上傳flannel軟件包到所有的 node 節點並解壓
#node1
[root@node1 ~]# ls
anaconda-ks.cfg                     initial-setup-ks.cfg  公共  文檔  模板  音樂
flannel-v0.10.0-linux-amd64.tar.gz  下載                  圖片  桌面  視頻
[root@node1 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz 
flanneld
mk-docker-opts.sh
README.md

#node2同node1
  • ④ 創建k8s工作目錄(所有node節點)
[root@node1 ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@node1 ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@node1 ~]# ls /opt/kubernetes/bin/
flanneld  mk-docker-opts.sh
  • ⑤ 創建啓動腳本(兩個node節點)
[root@node1 ~]# vim flannel.sh
#!/bin/bash

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/flanneld 		#創建配置文件

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \	#flannel在使用的時候需要參照CA證書
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service	#創建啓動腳本
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env	#Docker使用的網絡是flannel提供的
Restart=on-failure

[Install]
WantedBy=multi-user.target				#多用戶模式

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
-------》wq

#node2與node1相同
  • ⑥ 開啓flannel網絡功能(兩個node節點)
[root@node1 ~]# bash flannel.sh https://192.168.226.128:2379,https://192.168.226.132:2379,https://192.168.226.133:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.

#node2與node1相同
  • ⑦ 配置 docker 連接 flannel(兩個node節點)
[root@node1 ~]# vim /usr/lib/systemd/system/docker.service

#在13行向下插入以下內容:
#想要docker可以使用flannel網絡,需要設置env指向flannal的運行文件
EnvironmentFile=/run/flannel/subnet.env 

#原14行在dockerd 添加一個參數$DOCKER_NETWORK_OPTIONS
#此參數作用爲 讓docker使用的網絡組件爲flannel,而不是自身的組件
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock

-----》wq
  • 查看flannel分配的子網段
#node1
[root@node1 ~]# cat /run/flannel/subnet.env 
DOCKER_OPT_BIP="--bip=172.17.6.1/24"	#bip:指定啓動時的子網IP/網段
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.6.1/24 --ip-masq=false --mtu=1450"

#node2
[root@node2 ~]# cat /run/flannel/subnet.env 
DOCKER_OPT_BIP="--bip=172.17.25.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.25.1/24 --ip-masq=false --mtu=1450"

#也可以直接使用ifconfig查看flannel1信息
  • ⑧ 重載進程、重啓docker
[root@node1 ~]# systemctl daemon-reload 
[root@node1 ~]# systemctl restart docker
3.2.2 測試容器間互通
  • 在兩個node節點下載centos:7 ,並直接進入容器
[root@node2 ~]# docker run -it centos:7 /bin/bash
Unable to find image 'centos:7' locally

7: Pulling from library/centos
ab5ef0e58194: Pull complete 
Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
Status: Downloaded newer image for centos:7

[root@557a12dfadec /]#
  • 下載net-tools工具
yum install net-tools -y
  • 查看地址,使用ping 測試是否可以跨容器互通
#node1
[root@b3546847c994 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.6.2  netmask 255.255.255.0  broadcast 172.17.6.255
        ether 02:42:ac:11:06:02  txqueuelen 0  (Ethernet)
        RX packets 9815  bytes 7594496 (7.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4498  bytes 246084 (240.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

#node2
[root@557a12dfadec /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.25.2  netmask 255.255.255.0  broadcast 172.17.25.255
        ether 02:42:ac:11:19:02  txqueuelen 0  (Ethernet)
        RX packets 9812  bytes 7594774 (7.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4011  bytes 219965 (214.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • 測試互聯

在這裏插入圖片描述

  • flannel在其中做了路由的角色

總結

  • 因爲整個集羣內部間的通信都需要ca證書支持,所以簡單羅列出個組件/服務需要的證書
  • ① etcd (所有節點)
    • ca.pem,server.pem,server-key.pem
  • ② flannel(node節點)
    • ca.pem,server.pem,server-key.pem
  • ③ kube-apiserver(master節點)
    • ca.pem,server.pem,server-key.pem
  • ④ kubelet(node節點)
    • ca.pem,server.pem
  • ⑤ kube-proxy(node節點)
    • ca.pem,kube-proxy.pem,kube-proxy-key.pem
  • ⑥ kubectl (master節點)
    • ca.pem,admin-pem,admin-key.pem
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

K8S監控方案

kubernetes集羣監控方案有許多種組合對其進行監控,但是在1.12版本後通常選擇prometheus-operator + grafana 進行監控下面我們進行部署監控 1 下載項目 git clone https://github.

原創 2022-04-30 13:38:38

領英遠程開發雲架構構建之路

{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null

Shivani Pai Kasturi 2021-12-14 13:34:05

Java 開發、全自研的開源監控組件來了,讓 openGauss 更香

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

万佳 2021-12-09 17:53:55

InfoQ專訪 Yaron Schneider:Dapr加入CNCF孵化器,希望Dapr API能夠成爲一個新標準

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

Eran Stiller 2021-11-26 13:28:57

騰訊雲正式加入FinOps基金會,聚焦“雲成本管理”

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

罗燕珊 2021-11-24 13:13:57

中間件Knative達1.0里程碑

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

Tina 2021-11-12 16:03:56

爲什麼數據科學家不需要了解Kubernetes

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"摘要"}]},{"t

Chip Huyen 2021-10-28 14:23:59

作業幫Kubernetes Serverless在大規模任務場景下的落地和優化

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"一、背景"}]},{

吕亚霖 2021-10-27 16:24:01

作業幫 Kubernetes 原生調度器優化實踐

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

吕亚霖 2021-10-21 18:33:55

Kubernetes上分佈式系統的演化

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"現代分佈式應用"}]

Bilgin Ibryam 2021-10-04 11:28:58

開源人才緊缺,雲和容器技術首超Linux成最受青睞技能

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-09-23 15:43:53

石墨文檔基於Kubernetes的Go微服務實踐(上篇)

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

彭友顺@石墨文档 2021-09-22 14:48:56

kubelet kubeadm 版本號不一致造成worker狀態一直爲NotReady

一、 問題 在對master、worker節點安裝kubelet kubeadm時剛好k8s的版本更新,之前的安裝是採用默認的安裝,爲指定版本號,造成worker節點加入到master節點時,node節點一直都是notReady狀態。 二、

原創 2021-09-12 09:13:30

Docker員工自述:我們爲什麼“輸”給了Kubernetes?

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

Scott Carey 2021-09-10 14:48:59

是的,我們不用 Kubernetes

{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null

Maik Zumstrull 2021-09-09 17:04:06