k8s單master節點的部署(實驗)
文章目錄
1.單master集羣部署的環境
- 搭建k8s集羣部署所需要的服務器(三個節點):
| 服務器 | 需要安裝的軟件 |
|---|---|
| master(192.168.73.11) | kube-apiserver、kube-controller-manager、kube-scheduler、etcd |
| node01(192.168.73.12) | kubelet、kube-proxy、docker、flannel、etcd |
| node02(192.168.73.13) | kubelet、kube-proxy、docker、flannel、etcd |
- 將網卡配置成靜態網卡
vim /etc/sysconfig/network-scripts/ifcfg-ens33
#將網卡設置爲靜態的網卡
BOOTPROTO=static
#開啓開機自啓網卡
ONBOOT=yes
#配置IP地址、子網掩碼、網關、上網的dns
IPADDR=192.168.73.11
#另外的兩個IP地址爲:192.168.73.12、192.168.73.13
NETMASK=255.255.255.0
GATEWAY=192.168.73.2
DNS1=8.8.8.8
DNS2=114.114.114.114
- 防止重啓虛擬機IP的地址變化
systemctl stop NetworkManager
#關閉網絡管理
systemctl disable NetworkManager
#關閉網絡管理的開機自啓動
systemctl restart network
#重啓網卡
ping www.baidu.com
#對百度的ping測試,確保能夠上網
- 防火牆不要關閉
systemctl start firewalld
#開啓防火牆
iptables -F
#清空防火牆的規則鏈
setenforce 0
#關閉防火牆的核心防護
2.ETCD集羣的部署
- ETCD之間通信都是經過加密,所以要創建CA證書所使用TLS加密通訊
2.1 安裝製作證書的工具cfssl
- master節點:
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s/
//編寫cfssl.sh腳本,從官網下載製作證書的工具cfssl,直接放在/usr/local/bin目錄下,方便系統識別,最後給工具加執行權限
[root@localhost k8s]# vi cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@localhost k8s]# bash cfssl.sh #執行腳本等待安裝下載軟件
[root@localhost k8s]# ls /usr/local/bin/ #可以看到三個製作證書的工具
cfssl cfssl-certinfo cfssljson
#cfssl:生成證書工具
#cfssl-certinfo:查看證書信息
#cfssljson:通過傳入json文件生成證書
2.2 製作CA證書
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# cd etcd-cert/
- 創建生成ca證書的配置文件
[root@localhost etcd-cert]# cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
- 創建ca證書的簽名證書
[root@localhost etcd-cert]# cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
- 用ca簽名證書生成ca證書,得到ca-key.pem ca.pem
[root@localhost etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
- 指定etcd三個節點之間的通信驗證需要服務器簽名證書server-csr.json
[root@localhost etcd-cert]# cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.73.11", #修改成自己的節點IP地址
"192.168.73.12",
"192.168.73.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
- 使用ca-key.pem、ca.pem、服務器簽名證書 生成ETCD證書 server-key.pem server.pem
[root@localhost etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2.3 使用證書、etcd腳本搭建ETCD集羣
- 上傳一個生成etcd配置文件的腳本etcd.sh到/root/k8s目錄下面,腳本內容如下:
[root@localhost k8s]# vi /root/k8s/etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.73.11 etcd02=https://192.168.73.12:2380,etcd03=https://192.168.73,13:2380
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
#創建節點的配置文件模板
cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#創建節點的啓動腳本模板
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#重啓服務,並設置開機自啓
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
- 把下載好的三個軟件上傳到k8s目錄下
- 先解壓etcd軟件包到當前的目錄下,再創建etcd集羣的工作目錄
[root@localhost k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
#稍後使用源碼包中的etcd、etcdctl 應用程序命令
[root@localhost k8s]# mkdir -p /opt/etcd/{cfg,bin,ssl}
[root@localhost k8s]# ls /opt/etcd/
bin cfg ssl
- 把etcd、etcdctl執行文件放在/opt/etcd/bin/
[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
- 拷貝證書到/opt/etcd/ssl/目錄下
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/
[root@localhost k8s]# ls /opt/etcd/ssl/
ca-key.pem ca.pem server-key.pem server.pem
- 執行etcd.sh腳本產生etcd集羣的配置腳本和服務啓動腳本,進行卡住狀態等待其他節點加入
#注意:修改成自己的ip地址
[root@localhost k8s]# bash etcd.sh etcd01 192.168.73.11 etcd02=https://192.168.73.12:2380,etcd03=https://192.168.73.13:2380
//使用另外一個會話窗口,會發現etcd進程己經開啓
[root@localhost k8s]# ps -ef | grep etcd
2.4node節點加入ETCD集羣
- 在master節點上拷貝證書到其他的node節點
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt/
#將master上面的文件拷貝到node01節點上
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt/
#將master上面的文件拷貝到node02節點上
- 將master服務的啓動文件拷貝到其他的node節點上
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
[email protected]'s password:
etcd.service 100% 923 105.2KB/s 00:00
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
[email protected]'s password:
etcd.service 100% 923 830.1KB/s 00:00
[root@localhost k8s]#
- 修改拷貝到node01節點上面的etcd配置文件
vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02" #ETCD集羣的節點名稱
#下面的地址都要指向自己的IP地址
ETCD_LISTEN_PEER_URLS="https://192.168.73.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.73.12:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.73.12:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.73.12:2379"
- 修改拷貝到node01節點上面的etcd配置文件
vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03" #ETCD集羣的節點名稱
#下面的地址都要指向自己的IP地址
ETCD_LISTEN_PEER_URLS="https://192.168.73.13:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.73.13:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.73.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.713:2379"
- 在master節點輸入bash等待node節點加入
[root@localhost k8s]# bash etcd.sh etcd01 192.168.73.11 etcd02=https://192.168.73.12:2380,etcd03=https://192.168.73.13:2380
- 快速的啓動node01、node02節點
[root@localhost ~]# systemctl start etcd
[root@localhost ~]# systemctl status etcd
- 查看集羣狀態
#在master節點上面操作
[root@localhost k8s]# cd /opt/etcd/ssl/
[root@localhost ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.73.11:2379,https://192.168.73.12:2379,https://192.168.73.13:2379" cluster-health
3.docker的部署
//node節點上面配置docker
[root@localhost ~]# yum -y install yum-utils device-mapper-persistent-data lvm2
[root@localhost ~]#yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum -y install docker-ce
#啓動docker
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# systemctl enable docker
#配置鏡像加速
[root@localhost ~]# tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors":["https://v8z6yng7.mirror.aliyuncs.com"]
}
EOF
#重啓docker
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
#網絡優化
[root@localhost ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@localhost ~]# sysctl -p
[root@localhost ~]# service network restart
[root@localhost ~]# systemctl restart docker
[root@localhost ~]# docker images
[root@localhost ~]# docker ps -a
4.flannel網絡組件的部署
- 建立ETCD集羣與外部通信
- 在master節點上,將分配的子網段寫入到etcd中,以便於flannel使用
注意:必須在證書存放的路徑/root/k8s/etcd-cert下執行此命令。
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.73.11:2379,https://192.168.73.12:2379,https://192.168.73.13:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
- 查看寫入信息
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.73.11:2379,https://192.168.73.12:2379,https://192.168.73.13:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
- 在兩個node節點上創建k8s工作目錄
[root@localhost ~]# mkdir -p /opt/kubernetes/{cfg,bin,ssl}
[root@localhost ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@localhost ~]# ls /opt/kubernetes/bin/
- 上傳可以生成配置文件和啓動文件的腳本flannel.sh
//腳本內容:
[root@localhost ~]# vi flannel.sh
#!/bin/bash
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
- 兩個node節點開啓flannel網絡功能
[root@localhost ~]# bash flannel.sh https://192.168.73.11:2379,https://192.168.73.12:2379,https://192.168.73.13:2379
- 查看網絡狀態是否運行
[root@localhost ~]# systemctl status flanneld
- 創建docker連接flannel網絡
- 兩個node節點,修改docker的配置文件
[root@localhost ~]# vi /usr/lib/systemd/system/docker.service
//修改添加兩處:
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
- 查看flannel網絡分配的子網段
[root@localhost ~]# cat /run/flannel/subnet.env
- 啓動docker服務
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
- 兩個node節點分別創建並自動進入centos:7容器
[root@localhost ~]# docker run -it centos:7 /bin/bash
Unable to find image 'centos:7' locally
7: Pulling from library/centos
ab5ef0e58194: Pull complete
Digest: sha256:4a701376d03f6b39b8c2a8f4a8e499441b0d567f9ab9d58e4991de4472fb813c
Status: Downloaded newer image for centos:7
[root@690ec8bdaa81 /]# yum install -y net-tools #安裝後可以使用ifconfig命令
- 在容器裏面查看IP地址,並進行ping測試
ifconfig #查看容器的IP地址
ping 對方的IP地址
5.部署master組件
- 在master上操作,api-server生成證書
[root@master k8s]# mkdir -p /opt/kubernetes/{cfg,bin,ssl} '//創建k8s工作目錄'
[root@master k8s]# mkdir k8s-cert '//創建k8s證書目錄'
[root@master k8s]# unzip master.zip -d /opt/kubernetes/ '//解壓 maste.zip'
[root@master k8s]# ls /opt/k8s/
apiserver.sh bin cfg controller-manager.sh scheduler.sh ssl '//發現controller-manager.sh 沒有執行權限'
[root@master k8s]# chmod +x /opt/kubernetes/controller-manager.sh '//給執行權限'
[root@master k8s]# cd k8s-cert/
[root@master k8s-cert]# vim k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.233.131", '//master1,配置文件中要刪除此類註釋'
"192.168.233.130", '//master2'
"192.168.233.100", '//VIP'
"192.168.233.128", '//nginx代理master'
"192.168.233.129", '//nginx代理backup'
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
'//爲什麼沒有寫node節點的IP地址?因爲如果寫了node節點IP地址,後期增加或者刪除node節點的時候會非常麻煩'
- 生成證書
[root@master k8s-cert]# bash k8s-cert.sh '//生成證書'
[root@master k8s-cert]# ls
admin.csr admin.pem ca-csr.json k8s-cert.sh kube-proxy-key.pem server-csr.json
admin-csr.json ca-config.json ca-key.pem kube-proxy.csr kube-proxy.pem server-key.pem
admin-key.pem ca.csr ca.pem kube-proxy-csr.json server.csr server.pem
[root@master k8s-cert]# ls *.pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
[root@master k8s-cert]# cp ca*.pem server*.pem /opt/kubernets/ssl/ '//複製證書到工作目錄'
[root@master k8s-cert]# ls /opt/kubernets/ssl/
ca-key.pem ca.pem server-key.pem server.pem
- 解壓k8s服務器端壓縮包
[root@master k8s-cert]# cd ..
[root@master k8s]# ls
cfssl.sh etcd-v3.3.10-linux-amd64 k8s-cert
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz kubernetes-server-linux-amd64.tar.gz
etcd.sh flannel-v0.10.0-linux-amd64.tar.gz master.zip
[root@master k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
- 複製服務器端關鍵命令到k8s工作目錄中
[root@master k8s]# cd kubernetes/server/bin/
[root@master bin]# cp kube-controller-manager kube-scheduler kubectl kube-apiserver /opt/kubernets/bin/
[root@master bin]# ls /opt/kubernetes/bin/
kube-apiserver kube-controller-manager kubectl kube-scheduler
- 編輯令牌並綁定角色kubelet-bootstrap
[root@master bin]# cd /root/k8s/
[root@master k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d '' '//隨機生成序列號'
7ea8f86b 157225fd 4b927376 5e88a3ca
[root@master k8s]# vim /opt/kubernets/cfg/token.csv
7ea8f86b157225fd4b9273765e88a3ca,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
'//序列號,用戶名,id,角色,這個用戶是master用來管理node節點的'
- 開啓apiserver,並將數據存放在etcd集羣中並檢查kube狀態
[root@master kubernetes]# bash apiserver.sh 192.168.73.11 https://192.168.73.11:2379,https://192.168.73.12:2379,https://192.168.73.13:2379
[root@master kubernetes]# ls /opt/kubernetes/cfg/
kube-apiserver token.csv
[root@master kubernetes]# netstat -ntap |grep kube
[root@master kubernetes]# ps aux |grep kube
[root@master kubernetes]# vim /opt/kubernetes/cfg/kube-apiserver
...省略內容
--secure-port=6443 \ '//其實就是443,https協議通信端口'
...省略內容
[root@master kubernetes]# netstat -ntap |grep 6443
tcp 0 0 192.168.73.11:6443 0.0.0.0:* LISTEN 12636/kube-apiserve
tcp 0 0 192.168.73.11:40686 192.168.73.11:6443 ESTABLISHED 12636/kube-apiserve
tcp 0 0 192.168.73.11:6443 192.168.73.11:40686 ESTABLISHED 12636/kube-apiserve
- 啓動scheduler服務
[root@master kubernetes]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master kubernetes]# systemctl status kube-scheduler
- 啓動controller-manager
[root@master kubernetes]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@master kubernetes]# systemctl status kube-controller-manager
- 查看master節點狀態
[root@master kubernetes]# /opt/kubernetes/bin/kubectl get cs '//發現是正常的,沒問題'
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
- node01節點部署
- master節點將kubectl和kube-proxy拷貝到node節點
[root@master kubernetes]# cd /root/k8s/kubernetes/server/bin/
[root@master bin]# ls
apiextensions-apiserver kube-apiserver.docker_tag kube-proxy
cloud-controller-manager kube-apiserver.tar kube-proxy.docker_tag
cloud-controller-manager.docker_tag kube-controller-manager kube-proxy.tar
cloud-controller-manager.tar kube-controller-manager.docker_tag kube-scheduler
hyperkube kube-controller-manager.tar kube-scheduler.docker_tag
kubeadm kubectl kube-scheduler.tar
kube-apiserver kubelet
[root@master bin]# scp kubelet kube-proxy [email protected]:/opt/k8s/bin
[root@master bin]# scp kubelet kube-proxy [email protected]:/opt/k8s/bin
- node節點解壓node.zip
[root@node01 ~]# rz -E
rz waiting to receive.
[root@node01 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz node.zip
[root@node01 ~]# unzip node.zip
[root@node01 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz kubelet.sh node.zip proxy.sh
- master節點創建kubeconfig目錄
[root@master bin]# cd /root/k8s/
[root@master k8s]# mkdir kubeconfig
[root@master k8s]# cd kubeconfig/
[root@master kubeconfig]# vim kubeconfig
APISERVER=$1
SSL_DIR=$2
# 創建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# 設置集羣參數
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# 設置客戶端認證參數
kubectl config set-credentials kubelet-bootstrap \
--token=7ea8f86b157225fd4b9273765e88a3ca \ '//此token序列號就是之前/opt/kubernetes/cfg/token.csv 文件中使用的的'
--kubeconfig=bootstrap.kubeconfig
# 設置上下文參數
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# 設置默認上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# 創建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
[root@master kubeconfig]# export PATH=$PATH://opt/kubernetes/bin '//設置環境變量(可以寫入到/etc/prlfile中)'
- 生成配置文件並拷貝到node節點
[root@master kubeconfig]# bash kubeconfig 192.168.73.11 /root/k8s/k8s-cert/
[root@master kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/k8s/cfg
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/k8s/cfg
- 創建bootstrap角色並賦予權限用於連接apiserver請求籤名
[root@master kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
- node01節點操作生成kubelet kubelet.config配置文件
[root@node01 ~]# vim kubelet.sh
'//將/opt/kubernetes路徑都修改爲/opt/k8s'
[root@node01 ~]# bash kubelet.sh 192.168.73.12
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node01 ~]# ls /opt/k8s/cfg/
bootstrap.kubeconfig flanneld kubelet kubelet.config kube-proxy.kubeconfig
[root@node01 ~]# systemctl status kubelet
- master上檢查到node01節點的請求,查看證書狀態
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 71s kubelet-bootstrap Pending
'//pending:等待集羣給該節點辦法證書'
- 頒發證書,再次查看證書狀態
[root@master kubeconfig]# kubectl certificate approve node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s
certificatesigningrequest.certificates.k8s.io/node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s approved
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 3m9s kubelet-bootstrap Approved,Issued '//已經被允許加入集羣'
- 查看集羣狀態並啓動proxy
[root@master kubeconfig]# kubectl get node '//如果有一個節點noready,檢查kubelet,如果很多節點noready,那就檢查apiserver,如果沒問題再檢查VIP地址,keepalived'
NAME STATUS ROLES AGE VERSION
192.168.73.12 Ready <none> 92s v1.12.3
[root@node01 ~]# vim proxy.sh '//修改配置文件,將/opt/kubernetes路徑換成/opt/k8s'
[root@node01 ~]# bash proxy.sh 192.168.73.12
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node01 ~]# systemctl status kube-proxy.service '//發現服務是running狀態'
- node02節點部署
- 將node01之前生成的配置文件直接複製到node02
[root@node01 ~]# scp -r /opt/k8s/cfg/ [email protected]:/opt/k8s/cfg/
[root@node01 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service [email protected]:/usr/lib/systemd/system '//複製啓動腳本過去'
- 修改三個配置文件的IP地址
[root@node02 ~]# cd /opt/k8s/cfg/
[root@node02 cfg]# vim kubelet
--hostname-override=192.168.73.13 \ '//修改爲自己的IP地址'
[root@node02 cfg]# vim kubelet.config
address: 192.168.73.13
[root@node02 cfg]# vim kube-proxy
--hostname-override=192.168.73.13 \
- 啓動服務並查看狀態
[root@node02 cfg]# systemctl start kubelet
[root@node02 cfg]# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node02 cfg]# systemctl status kubelet
[root@node02 cfg]# systemctl start kube-proxy
[root@node02 cfg]# systemctl enable kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node02 cfg]# systemctl status kube-proxy
- master上操作查看請求並同意node02證書
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis 74s kubelet-bootstrap Pending
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 21m kubelet-bootstrap Approved,Issued
[root@master kubeconfig]# kubectl certificate approve node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis '//同意證書'
certificatesigningrequest.certificates.k8s.io/node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis approved
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-A8BX2W67HKODPGvn0Q0dZ8Lr5Q8_2fXFt1O0STzZdis 99s kubelet-bootstrap Approved,Issued
node-csr-xmi9gQiUIFuyZ9KAIKFIyf4JiQOuPN1tACjVzu_SH6s 21m kubelet-bootstrap Approved,Issued
[root@master kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.73.12 Ready <none> 19m v1.12.3
192.168.73.13 Ready <none> 44s v1.12.3
6.總結
-
回憶一下k8s單節點的部署流程
1.自籤etcd的證書
2.etcd部署
3.node安裝docker
4.flannel部署(先寫入子網到etcd)
5.自籤APIServer證書
6.部署APIServer組件(token,csv)
7.部署controller-manager(指定apiserver證書)和scheduler組件
8.生成kubeconfig(bootstrap,kubeconfig和kube-proxy.kubeconfig)
9.部署kubelet組件
10.部署kube-proxy組件
11.kubectl get csr && kubectl certificate approve允許辦法證書
12.添加一個node節點