This article deploys the k8s cluster from binaries. Deploying from binaries helps us understand how the components call each other, and it also makes later maintenance easier.
Host environment
OS: CentOS 7.5, 3 machines
Memory: 4G
Disk: 40G
CPU: 2 CPUs
Software versions
k8s 1.18
docker 19-ce
Host plan
k8s-master 172.25.120.17 kube-apiserver, kube-controller-manager, kube-scheduler, etcd
node-1 172.25.120.18 kubelet, kube-proxy, docker, etcd
node-2 172.25.120.19 kubelet, kube-proxy, docker, etcd
1. Host environment initialization
Run on all 3 nodes
# Disable the firewall
systemctl stop firewalld ; systemctl disable firewalld
# Disable SELinux
setenforce 0 ; sed -i 's/enforcing/disabled/' /etc/selinux/config
# Disable the swap partition
swapoff -a ; sed -ri 's/.*swap.*/#&/' /etc/fstab
# Add hosts entries
cat >> /etc/hosts << EOF
172.25.120.17 master k8s-master
172.25.120.19 node1 k8s-node1
172.16.210.55 node2 k8s-node2
EOF
# Enable IP forwarding and bridge netfilter
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
modprobe br_netfilter
sysctl --system   ## apply the settings
# Time synchronisation
yum install -y ntpdate   ## install the time-sync tool
ntpdate time.windows.com   # sync against the Windows time server
2. Deploy the etcd cluster
Etcd is a distributed key-value store; Kubernetes uses etcd to store its data.
2.1 Prepare the cfssl certificate generation tool
cfssl is an open-source certificate management tool that generates certificates from JSON files; it is more convenient to use than openssl.
Run on master:
## Fetch the certificate management tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
## Make them executable and move them into a directory on PATH
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2.2 Generate the etcd certificates
Create the certificate directory
mkdir -p ~/TLS/{etcd,k8s}
cd ~/TLS/etcd   ## enter the certificate directory
1. Self-signed CA:
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
Generate the certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
ls *pem   ## two certificate files are now in the current directory
ca-key.pem  ca.pem
2. Use the self-signed CA to issue the etcd HTTPS certificate
Create the certificate signing request file:
cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "172.16.210.53",
    "172.16.210.54",
    "172.16.210.55"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
The hosts list holds the IPs of all etcd members; the certificate is only valid for the addresses listed there.
Generate the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
ls server*pem   ## two server certificate files are generated
server-key.pem  server.pem
2.3 Download the etcd binaries
File URL: https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
The following is done on master; later, all files generated on master are copied to node1 and node2:
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz   ## fetch the binaries
2.4 Deploy the etcd cluster
1. Create the working directory and extract the binaries
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
2. Create the etcd configuration file
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://172.16.210.53:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.16.210.53:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.210.53:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.16.210.53:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.210.53:2380,etcd-2=https://172.16.210.54:2380,etcd-3=https://172.16.210.55:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
Parameter explanation:
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
ETCD_ADVERTISE_CLIENT_URLS: client address advertised to the cluster
ETCD_INITIAL_CLUSTER: addresses of all cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state used when joining the cluster; new means a new cluster, existing means joining an existing cluster
3. Manage etcd with systemd
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
4. Copy the certificates generated earlier
Copy the certificates just generated to the paths referenced in the configuration file:
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
5. Copy all files generated on master to the other nodes
scp -r /opt/etcd/ 172.16.210.54:/opt/
scp /usr/lib/systemd/system/etcd.service 172.16.210.54:/usr/lib/systemd/system/
scp -r /opt/etcd/ 172.16.210.55:/opt/
scp /usr/lib/systemd/system/etcd.service 172.16.210.55:/usr/lib/systemd/system/
6. On node1 and node2, change the node name and the server IP in etcd.conf
sed -i '4,8s/172.16.210.53/172.16.210.54/' /opt/etcd/cfg/etcd.conf ; sed -i '2s/etcd-1/etcd-2/' /opt/etcd/cfg/etcd.conf   ### run on node1
sed -i '4,8s/172.16.210.53/172.16.210.55/' /opt/etcd/cfg/etcd.conf ; sed -i '2s/etcd-1/etcd-3/' /opt/etcd/cfg/etcd.conf   ### run on node2
7. Start etcd on the 3 nodes and enable it at boot
Run on all three nodes
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
8. Check the etcd cluster status
[root@master ~]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.16.210.53:2379,https://172.16.210.54:2379,https://172.16.210.55:2379" endpoint health
https://172.16.210.54:2379 is healthy: successfully committed proposal: took = 14.194738ms
https://172.16.210.55:2379 is healthy: successfully committed proposal: took = 14.97292ms
https://172.16.210.53:2379 is healthy: successfully committed proposal: took = 14.847968ms
If "successfully" appears, etcd is deployed. If something goes wrong, use systemctl status etcd -l to see the error messages.
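The sed edits in step 6 are the easy part to get wrong (a node keeps etcd-1's name or IP) and etcd then fails to form the cluster. The following added example, which is not part of the original post, renders each member's etcd.conf from one cluster map (the IPs of this section) and checks the invariants etcd needs before the service is started.

```python
"""Render per-node etcd.conf files and sanity-check them before 'systemctl start etcd'.

Added example, not from the original post. MEMBERS holds the cluster map used in
the tutorial (member name -> IP); the rendered file has the same layout.
"""
import re

MEMBERS = {
    "etcd-1": "172.16.210.53",
    "etcd-2": "172.16.210.54",
    "etcd-3": "172.16.210.55",
}


def render_etcd_conf(name: str, members: dict, token: str = "etcd-cluster") -> str:
    """Return the etcd.conf content for member `name`."""
    ip = members[name]
    initial_cluster = ",".join(f"{n}=https://{addr}:2380" for n, addr in members.items())
    return "\n".join([
        "#[Member]",
        f'ETCD_NAME="{name}"',
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        f'ETCD_LISTEN_PEER_URLS="https://{ip}:2380"',
        f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379"',
        "#[Clustering]",
        f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"',
        f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"',
        f'ETCD_INITIAL_CLUSTER="{initial_cluster}"',
        f'ETCD_INITIAL_CLUSTER_TOKEN="{token}"',
        'ETCD_INITIAL_CLUSTER_STATE="new"',
        "",
    ])


def parse_env_file(text: str) -> dict:
    """Parse KEY="value" lines (comment lines are ignored) into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)="?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_etcd_conf(text: str) -> list:
    """Return a list of problems; an empty list means the file is consistent."""
    c = parse_env_file(text)
    required = ["ETCD_NAME", "ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
                "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS",
                "ETCD_INITIAL_CLUSTER", "ETCD_INITIAL_CLUSTER_TOKEN", "ETCD_INITIAL_CLUSTER_STATE"]
    missing = [k for k in required if k not in c]
    if missing:
        return [f"missing keys: {missing}"]
    problems = []
    # name=peer-url pairs as etcd itself reads ETCD_INITIAL_CLUSTER
    cluster = dict(item.split("=", 1) for item in c["ETCD_INITIAL_CLUSTER"].split(","))
    name = c["ETCD_NAME"]
    if name not in cluster:
        problems.append(f"ETCD_NAME {name!r} is not listed in ETCD_INITIAL_CLUSTER")
    elif cluster[name] != c["ETCD_INITIAL_ADVERTISE_PEER_URLS"]:
        problems.append("advertised peer URL does not match this member's ETCD_INITIAL_CLUSTER entry")
    for key in ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
                "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS"):
        if not c[key].startswith("https://"):
            problems.append(f"{key} is not https although the unit file configures TLS")
    if len(set(cluster.values())) != len(cluster):
        problems.append("duplicate peer URLs in ETCD_INITIAL_CLUSTER")
    return problems


if __name__ == "__main__":
    for member in MEMBERS:
        print(f"{member}: {check_etcd_conf(render_etcd_conf(member, MEMBERS)) or 'OK'}")
```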
3. Install Docker
Docker could be installed with yum; this time we use the binaries.
All of the following is done on all nodes
3.1 Get the Docker package
wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz
3.2 Extract the Docker binary package
tar zxvf docker-19.03.9.tgz
mv docker/* /usr/bin
3.3 Manage Docker with systemd
cat > /usr/lib/systemd/system/docker.service << EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
3.4 Configure a Docker registry mirror
mkdir /etc/docker
cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://jo6348gu.mirror.aliyuncs.com"]
}
EOF
3.5 Start Docker and enable it at boot
systemctl daemon-reload
systemctl start docker
systemctl enable docker
4. Deploy the master
The following is done on master
4.1 Generate the kube-apiserver certificate
1. Self-signed certificate authority (CA)
cd ~/TLS/k8s
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
Generate the certificate:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
ls *pem
ca-key.pem  ca.pem   ## two certificate files are generated
2. Use the self-signed CA to issue the kube-apiserver HTTPS certificate
Create the certificate signing request file:
cat > server-csr.json << EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "172.16.210.53",
      "172.16.210.54",
      "172.16.210.55",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
Generate the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
ls server*pem
server-key.pem  server.pem   ## two more server certificate files are generated
4.2 Download the k8s binaries from GitHub and extract them
1. Get the binary package
wget https://dl.k8s.io/v1.18.3/kubernetes-server-linux-amd64.tar.gz
2. Extract the binary package
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
cp kubectl /usr/bin/
4.3 Deploy kube-apiserver
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=4 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://172.16.210.53:2379,https://172.16.210.54:2379,https://172.16.210.55:2379 \\
--bind-address=172.16.210.53 \\
--secure-port=6443 \\
--advertise-address=172.16.210.53 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
Parameter explanation:
--logtostderr: enable logging
--v: log level
--log-dir: log directory
--etcd-servers: etcd cluster addresses
--bind-address: listen address
--secure-port: HTTPS secure port
--advertise-address: address advertised to the cluster
--allow-privileged: allow privileged containers
--service-cluster-ip-range: virtual IP range for Services
--enable-admission-plugins: admission control modules
--authorization-mode: authentication and authorization; enables RBAC authorization and node self-management (the Node authorizer)
--enable-bootstrap-token-auth: enable the TLS bootstrap mechanism
--token-auth-file: bootstrap token file
--service-node-port-range: default port range allocated to NodePort Services
--kubelet-client-xxx: client certificate the apiserver uses to access the kubelet
--tls-xxx-file: apiserver HTTPS certificate
--etcd-xxxfile: certificates for connecting to the etcd cluster
--audit-log-xxx: audit log
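Before port 6443 becomes reachable from the nodes, it is worth checking the flags above mechanically rather than by eye. The following added example (not from the original post) parses KUBE_APISERVER_OPTS the way systemd's EnvironmentFile sees it and reports the security-relevant settings; the sample conf is constructed from this section and trimmed to the flags the checks use.

```python
"""Review the security-relevant kube-apiserver flags from the tutorial's conf file.

Added example, not from the original post. parse_apiserver_opts() joins the
backslash-newline continuations of the quoted options string and splits it into
flags; review_apiserver_flags() reports what a reviewer checks on kube-apiserver 1.18.
"""
import re

# Constructed sample in the tutorial's layout; the heredoc writes one backslash
# at the end of every continued line.
SAMPLE_CONF = '''KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=4 \\
--etcd-servers=https://172.16.210.53:2379,https://172.16.210.54:2379 \\
--bind-address=172.16.210.53 \\
--secure-port=6443 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
'''


def parse_apiserver_opts(conf_text: str) -> dict:
    """Return {flag-name: value} from the quoted KUBE_APISERVER_OPTS string."""
    m = re.search(r'KUBE_APISERVER_OPTS="(.*?)"', conf_text, re.S)
    if not m:
        raise ValueError("KUBE_APISERVER_OPTS not found")
    flags = {}
    for tok in m.group(1).replace("\\\n", " ").split():
        key, sep, value = tok.lstrip("-").partition("=")
        flags[key] = value if sep else "true"   # a bare --flag means true
    return flags


def review_apiserver_flags(flags: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}; errors leave the API open to misuse."""
    errors, warnings = [], []
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")  # AlwaysAllow is the default
    if "AlwaysAllow" in modes:
        errors.append("authorization-mode contains AlwaysAllow: every authenticated caller is admin")
    for needed in ("RBAC", "Node"):
        if needed not in modes:
            errors.append(f"authorization-mode lacks {needed}")
    if "NodeRestriction" not in flags.get("enable-admission-plugins", "").split(","):
        errors.append("NodeRestriction admission plugin missing: a kubelet could modify other nodes' objects")
    for key in ("client-ca-file", "tls-cert-file", "tls-private-key-file"):
        if not flags.get(key):
            errors.append(f"--{key} is not set")
    if flags.get("enable-bootstrap-token-auth") == "true" and not flags.get("token-auth-file"):
        errors.append("bootstrap token auth is on but --token-auth-file is missing")
    if not flags.get("audit-log-path"):
        warnings.append("no --audit-log-path: API requests are not recorded")
    if flags.get("insecure-port", "8080") != "0":
        warnings.append("insecure localhost port (8080 by default on 1.18) is open; "
                        "controller-manager and scheduler use it without authentication")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = review_apiserver_flags(parse_apiserver_opts(SAMPLE_CONF))
    for level, items in result.items():
        for item in items:
            print(f"{level}: {item}")
```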
2. Copy the certificates generated earlier
Copy the certificates just generated to the paths referenced in the configuration file:
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
3. Enable the TLS Bootstrapping mechanism
TLS Bootstrapping: once the master apiserver has TLS authentication enabled, the kubelet and kube-proxy on each Node must use a valid CA-issued certificate to communicate with kube-apiserver. With many Nodes, issuing these client certificates is a lot of work and also makes scaling the cluster more complex. To simplify this, Kubernetes introduced the TLS bootstrapping mechanism to issue client certificates automatically: the kubelet requests a certificate from the apiserver as a low-privilege user, and the apiserver signs the kubelet's certificate dynamically. This approach is therefore strongly recommended on Nodes; it is currently used mainly for the kubelet, while kube-proxy still gets a single certificate that we issue ourselves.
TLS bootstrapping workflow:
(figure: TLS bootstrapping workflow diagram, not reproduced)
Create the token file referenced in the configuration above:
cat > /opt/kubernetes/cfg/token.csv << EOF
b1dc586d69159ff4e3ef7efa9db60e48,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
Format: token, username, UID, user group
The token can also be generated yourself and substituted:
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
4. Manage the apiserver with systemd
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
5. Start and enable at boot
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
6. Authorize the kubelet-bootstrap user to request certificates
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
4.4 Deploy kube-controller-manager
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=4 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
--master: connect to the apiserver through the local insecure port 8080.
--leader-elect: when several instances of this component run, elect a leader automatically (HA)
--cluster-signing-cert-file/--cluster-signing-key-file: the CA that automatically issues kubelet certificates; must be the same as the apiserver's
2. Manage controller-manager with systemd
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
3. Start and enable at boot
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
4.5 Deploy kube-scheduler
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1"
EOF
--master: connect to the apiserver through the local insecure port 8080.
--leader-elect: when several instances of this component run, elect a leader automatically (HA)
2. Manage the scheduler with systemd
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
3. Start and enable at boot
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
4. Check the cluster status
All components have started; use kubectl get cs to view the status of the cluster components:
kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-0               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
etcd-2               Healthy   {"health":"true"}
5. Deploy the Worker Node
The following is still done on the master node, which also serves as a Worker Node
5.1 Copy the binaries
cd ~/kubernetes/server/bin
cp kubelet kube-proxy /opt/kubernetes/bin
5.2 Deploy the kubelet
1. Create the configuration file
cat > /opt/kubernetes/cfg/kubelet.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=4 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=k8s-master \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF
Parameter explanation:
--hostname-override: display name, unique within the cluster
--network-plugin: enable CNI
--kubeconfig: an empty path; the file is generated automatically and later used to connect to the apiserver
--bootstrap-kubeconfig: used on first start to request a certificate from the apiserver
--config: configuration parameter file
--cert-dir: directory where kubelet certificates are generated
--pod-infra-container-image: image of the infrastructure container that manages the Pod network
2. Create the configuration parameter YAML file
cat > /opt/kubernetes/cfg/kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
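The authentication and authorization keys in this file are what keep the kubelet API on port 10250 from answering anonymous callers, and readOnlyPort 10255 is served with no authentication at all. The following added example (not from the original post) parses a sample of this file, constructed from the section above with the eviction and limit keys left out, and reports those settings.

```python
"""Review the tutorial's kubelet-config.yml for the settings that guard the kubelet API.

Added example, not from the original post. parse_simple_yaml() handles only this
file's layout (2-space nested maps, '- item' lists); it is not a general YAML parser.
"""

# Constructed sample: the tutorial's file without the eviction/limit keys.
SAMPLE_YML = """kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
maxPods: 110
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse indentation-nested 'key: value' maps and '- item' lists into dicts/lists."""
    root = {}
    stack, last_key = [(-1, root)], None      # (indent, open mapping)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while indent <= stack[-1][0]:          # close mappings deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if line.startswith("- "):              # list item for the key opened last
            if parent == {} and len(stack) > 1:
                stack.pop()
                parent = stack[-1][1]
            parent[last_key] = parent.get(last_key) or []
            parent[last_key].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            parent[key] = value
        else:                                  # a nested mapping follows
            parent[key] = {}
            stack.append((indent, parent[key]))
        last_key = key
    return root


def review_kubelet_config(cfg: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for the kubelet API settings."""
    errors, warnings = [], []
    auth = cfg.get("authentication", {})
    if auth.get("anonymous", {}).get("enabled") != "false":
        errors.append("authentication.anonymous.enabled is not false: unauthenticated callers reach the kubelet API")
    if auth.get("webhook", {}).get("enabled") != "true":
        errors.append("authentication.webhook.enabled is not true: bearer tokens are not checked with the apiserver")
    if not auth.get("x509", {}).get("clientCAFile"):
        errors.append("authentication.x509.clientCAFile is unset: the apiserver's client certificate cannot be verified")
    if cfg.get("authorization", {}).get("mode") != "Webhook":
        errors.append("authorization.mode is not Webhook: requests are not checked via SubjectAccessReview")
    if cfg.get("readOnlyPort", "0") != "0":
        warnings.append(f"readOnlyPort {cfg['readOnlyPort']} serves pod and node details with no authentication; set it to 0")
    if cfg.get("address") == "0.0.0.0":
        warnings.append("kubelet listens on all interfaces and firewalld is disabled; restrict who can reach port 10250")
    return {"errors": errors, "warnings": warnings}
```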
3. Generate the bootstrap.kubeconfig file
## Set environment variables
KUBE_APISERVER="https://172.16.210.53:6443" # apiserver IP:PORT
TOKEN="b1dc586d69159ff4e3ef7efa9db60e48" # must match token.csv
# Generate the kubelet bootstrap kubeconfig file
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-credentials "kubelet-bootstrap" \
  --token=${TOKEN} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user="kubelet-bootstrap" \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Copy it to the configuration file path:
cp bootstrap.kubeconfig /opt/kubernetes/cfg
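Three things have to agree for the first kubelet CSR to be accepted: the token.csv line, the token embedded in bootstrap.kubeconfig, and the user named in the kubelet-bootstrap ClusterRoleBinding. The following added example (not from the original post) checks that agreement on inputs constructed from this section; the kubeconfig sample is trimmed to its users entry and the token value is the one used above.

```python
"""Check that the TLS-bootstrap pieces agree: token.csv, bootstrap.kubeconfig and the
ClusterRoleBinding user. Added example, not from the original post; the inputs are
constructed in the tutorial's layout (kubeconfig trimmed to the users section)."""
import csv
import io
import re

TOKEN_CSV = 'b1dc586d69159ff4e3ef7efa9db60e48,kubelet-bootstrap,10001,"system:node-bootstrapper"\n'
BOOTSTRAP_KUBECONFIG = """users:
- name: kubelet-bootstrap
  user:
    token: b1dc586d69159ff4e3ef7efa9db60e48
"""
BINDING_USER = "kubelet-bootstrap"   # the --user passed to kubectl create clusterrolebinding


def parse_token_csv(text: str) -> list:
    """Rows of the static token file; the format is token,user,uid[,"group1,group2"]."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            raise ValueError(f"token.csv line needs at least token,user,uid: {fields}")
        groups = fields[3].split(",") if len(fields) > 3 else []
        rows.append({"token": fields[0], "user": fields[1], "uid": fields[2], "groups": groups})
    return rows


def kubeconfig_token(text: str, user: str) -> str:
    """Bearer token stored for `user` in a kubeconfig (regex over kubectl's layout)."""
    m = re.search(rf"- name: {re.escape(user)}\s*\n\s*user:\s*\n\s*token:\s*(\S+)", text)
    return m.group(1) if m else ""


def check_bootstrap(token_csv: str, kubeconfig: str, binding_user: str) -> list:
    """Return the problems found (empty list when kubelet bootstrapping can work)."""
    problems = []
    row = next((r for r in parse_token_csv(token_csv) if r["user"] == binding_user), None)
    if row is None:
        # A line with only token,uid,group makes the uid the user name, so the
        # ClusterRoleBinding for kubelet-bootstrap grants nothing to the kubelet.
        return [f"token.csv has no entry whose user column is {binding_user!r}"]
    if not re.fullmatch(r"[0-9a-f]{32}", row["token"]):
        problems.append("token is not 32 hex characters (head -c 16 /dev/urandom | od output)")
    if kubeconfig_token(kubeconfig, binding_user) != row["token"]:
        problems.append("token in bootstrap.kubeconfig differs from token.csv: the apiserver answers 401")
    return problems
```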
4. Manage the kubelet with systemd
cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5. Start and enable at boot
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
5.3 Approve the kubelet certificate request and join the cluster
# Look at the kubelet certificate request
kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr-d-UyqVObT-tnWdXd881Ppc3oNVr6xkCBXV7VRlWyhf8   30s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending
# Approve the request
kubectl certificate approve node-csr-d-UyqVObT-tnWdXd881Ppc3oNVr6xkCBXV7VRlWyhf8
# Look at the node
kubectl get node
NAME         STATUS     ROLES    AGE   VERSION
k8s-master   NotReady   <none>   15s   v1.18.3   ## the node is NotReady because no network plugin has been deployed yet
5.4 Deploy kube-proxy
1. Create the configuration file
cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=4 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
2. Configuration parameter file
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-master
clusterCIDR: 10.0.0.0/24
EOF
3. Generate the kube-proxy.kubeconfig file
Generate the kube-proxy certificate:
# Switch to the working directory
cd ~/TLS/k8s
# Create the certificate signing request file
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Generate the certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
ls kube-proxy*pem
kube-proxy-key.pem  kube-proxy.pem   ## two kube-proxy certificate files are generated
Generate the kubeconfig file
# Set the environment variable
KUBE_APISERVER="https://172.16.210.53:6443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Copy it to the path given in the configuration file:
cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
4. Manage kube-proxy with systemd
cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5. Start and enable at boot
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy
5.5 Deploy the CNI network
1. Download the CNI binaries first:
wget https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
2. Extract the package into the default working directory
mkdir -p /opt/cni/bin
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin
3. Deploy the flannel network
Get the flannel network YAML file and change the image address
echo "151.101.76.133 raw.githubusercontent.com" >> /etc/hosts
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sed -i -r "s#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g" kube-flannel.yml   ## the default image address is unreachable, so switch to the Docker Hub repository
Start deploying the CNI network:
kubectl apply -f kube-flannel.yml
## check whether the pod is running
kubectl get pods -n kube-system
NAME                          READY   STATUS    RESTARTS   AGE
kube-flannel-ds-amd64-p9tdp   1/1     Running   0
## once it is running, check that the node is Ready
kubectl get nodes
NAME         STATUS   ROLES    AGE   VERSION
k8s-master   Ready    <none>   19m   v1.18.3
5.6 Authorize the apiserver to access the kubelet
cat > apiserver-to-kubelet-rbac.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
      - pods/log
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubernetes
EOF
kubectl apply -f apiserver-to-kubelet-rbac.yaml
5.7 Add worker nodes
1. Copy the Node-related files already deployed to the new node
On the master node, copy the files the Worker Node needs to the nodes 172.16.210.54/55
scp -r /opt/kubernetes root@172.16.210.54:/opt/
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@172.16.210.54:/usr/lib/systemd/system
scp -r /opt/cni/ root@172.16.210.54:/opt/
scp /opt/kubernetes/ssl/ca.pem root@172.16.210.54:/opt/kubernetes/ssl
2. Delete the kubelet certificate and kubeconfig file
## on the new node: these were issued to master when its CSR was approved and must be regenerated for each node
rm -f /opt/kubernetes/cfg/kubelet.kubeconfig
rm -f /opt/kubernetes/ssl/kubelet*
3. Change the hostname
sed -i 's/k8s-master/k8s-node1/g' /opt/kubernetes/cfg/kubelet.conf /opt/kubernetes/cfg/kube-proxy-config.yml   ## to add node2, just change k8s-node1 to k8s-node2 in this command
4. Start and enable at boot
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
systemctl start kube-proxy
systemctl enable kube-proxy
5. On master, approve the new Node's kubelet certificate request
kubectl get csr
NAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION
node-csr--t2cjSYX0z7ba4Tyh4GCnngZaGBUwmAHyY1xuxU40j0   28s   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending
kubectl certificate approve node-csr--t2cjSYX0z7ba4Tyh4GCnngZaGBUwmAHyY1xuxU40j0
6. Check the Node status
kubectl get nodes
NAME         STATUS   ROLES    AGE     VERSION
k8s-master   Ready    <none>   46m     v1.18.3
k8s-node1    Ready    <none>   8m57s   v1.18.3
k8s-node2    Ready    <none>   3m59s   v1.18.3
Node2 (172.16.210.55) is done the same way; remember to change the hostname.
6. Deploy Dashboard and CoreDNS
The Dashboard deployment is covered in another of my documents, so it is not deployed here:
http://www.reibang.com/p/6bafe568f103
Deploy CoreDNS
CoreDNS provides Service name resolution inside the cluster
kubectl apply -f coredns.yaml
kubectl get pods -n kube-system   ## check that the coredns pod is running
NAME                          READY   STATUS    RESTARTS   AGE
coredns-5ffbfd976d-rkcmt      1/1     Running   0          23s
kube-flannel-ds-amd64-2kmcm   1/1     Running   0          14m
kube-flannel-ds-amd64-p9tdp   1/1     Running   0          39m
kube-flannel-ds-amd64-zg7xz   1/1     Running   0          19m
Test
kubectl run -it --rm dns-test --image=busybox:1.28.4 sh
If you don't see a command prompt, try pressing enter.
/ # nslookup kubernetes
Server:    10.0.0.2
Address 1: 10.0.0.2 kube-dns.kube-system.svc.cluster.local

Name:      kubernetes
Address 1: 10.0.0.1 kubernetes.default.svc.cluster.local
Names resolve correctly, so DNS is working.