環(huán)境說明
$
命令行提示符捉片,安裝過程中需要執(zhí)行的命令
172.16.10.11 k8s-master1
172.16.10.12 k8s-master2
172.16.10.13 k8s-master3
172.16.10.14 k8s-node1
172.16.10.15 k8s-node2
172.16.10.16 k8s-node3
172.16.10.17 k8s-node4
三個(gè)master
節(jié)點(diǎn)安裝etcd數(shù)據(jù)庫
etcd
版本 3.4.10
flannel
版本 0.12.0
kubernetes
版本 18.6
所有節(jié)點(diǎn)都為centos7,提前關(guān)閉防火墻、selinux
$ systemctl disable firewalld
$ systemctl stopfirewalld
$ setenforce 0
$ sed -ri 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
下載安裝包
kubernetes Github下載地址
https://dl.k8s.io/v1.18.6/kubernetes-server-linux-amd64.tar.gz
etcdh Github下載地址
https://github.com/etcd-io/etcd/releases/download/v3.4.10/etcd-v3.4.10-linux-amd64.tar.gz
部署ETCD集群
下載安裝cfssl工具
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
$ mv cfssl_linux-amd64 /usr/local/bin/cfssl
$ mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
$ mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
生成證書
創(chuàng)建以下三個(gè)文件:
$ cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
$ cat ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
$ cat server-csr.json
{
"CN": "etcd",
"hosts": [
"172.16.10.11",
"172.16.10.12",
"172.16.10.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
$ ls *pem
生成以下4個(gè)文件表示成功
ca-key.pem ca.pem server-key.pem server.pem
安裝Etcd
創(chuàng)建安裝etcd所需要的目錄
$ mkdir /opt/etcd/{bin,cfg,ssl,data} -p
創(chuàng)建etcd配置文件
$ cat /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.10.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.10.11:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.10.11:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.10.11:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://172.16.10.11:2380,etcd02=https://172.16.10.12:2380,etcd03=https://172.16.10.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# flannel操作etcd使用的是v2的API,而kubernetes操作etcd使用的v3的API坎藐,為了兼容flannel产上,將默認(rèn)開啟v2版本
ETCD_ENABLE_V2="true"
參數(shù)說明
- ETCD_NAME 節(jié)點(diǎn)名稱
- ETCD_DATA_DIR 數(shù)據(jù)目錄
- ETCD_LISTEN_PEER_URLS 集群通信監(jiān)聽地址
- ETCD_LISTEN_CLIENT_URLS 客戶端訪問監(jiān)聽地址
- ETCD_INITIAL_ADVERTISE_PEER_URLS 集群通告地址
- ETCD_ADVERTISE_CLIENT_URLS 客戶端通告地址
- ETCD_INITIAL_CLUSTER 集群節(jié)點(diǎn)地址
- ETCD_INITIAL_CLUSTER_TOKEN 集群Token
- ETCD_INITIAL_CLUSTER_STATE 加入集群的當(dāng)前狀態(tài),new是新集群胚鸯,existing表示加入已有集群
systemd管理etcd
$ cat /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
把剛才生成的證書拷貝到配置文件中的位置:
$ cp ca*pem server*pem /opt/etcd/ssl/
同步文件到另外兩臺(tái)服務(wù)器
$ rsync -av /opt/etcd 172.16.10.12:/opt/
$ rsync -av /opt/etcd 172.16.10.13:/opt/
同步完成后記得修改另外兩個(gè)節(jié)點(diǎn)中/opt/etcd/cfg/etcd
配置文件中的三個(gè)配置:
ETCD_NAME
ETCD_LISTEN_PEER_URLS
ETCD_LISTEN_CLIENT_URLS
同步systemd配置文件
$ scp /usr/lib/systemd/system/etcd.service 172.16.10.12:/usr/lib/systemd/system/etcd.service
scp /usr/lib/systemd/system/etcd.service 172.16.10.13:/usr/lib/systemd/system/etcd.service
啟動(dòng)并設(shè)置開啟啟動(dòng),三臺(tái)服務(wù)器都要操作
$ systemctl daemon-reload
$ systemctl start etcd
$ systemctl enable etcd