Building a Kubernetes Cluster from Binaries
Posted by 阿新 on 2021-07-15
Environment preparation:
For this walkthrough we deploy a single master and a single node (Kubernetes 1.19).
Role | IP | Components |
---|---|---|
master | 10.129.246.114 | kube-apiserver, kube-controller-manager, kube-scheduler, etcd |
node | 10.129.244.229 | kubelet, kube-proxy, docker, etcd |
OS initialization
# Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
# Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config # permanent
setenforce 0 # temporary
# Disable swap
swapoff -a # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab # permanent
# Set the hostname according to the plan
hostnamectl set-hostname <hostname>
# Add hosts entries on the master
cat >> /etc/hosts << EOF
192.168.44.147 master
192.168.44.148 node
EOF
# Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system # apply
# Time synchronisation
yum install -y ntpdate ntp
ntpdate time.windows.com
Deploying the etcd cluster
etcd is a distributed key-value store and Kubernetes keeps its state in it, so an etcd database is prepared first. To avoid a single point of failure, etcd should be deployed as a cluster; here a cluster of 2 machines is used.
Note: to save machines, etcd is co-located on the K8s node machines here. It can also be deployed outside the k8s cluster, as long as the apiserver can reach it.
Preparing the cfssl certificate generation tool
cfssl is an open-source certificate management tool that generates certificates from JSON files and is more convenient to use than openssl. Run this on any server; the master node is used here.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
Generating the etcd certificates
Self-signed certificate authority (CA)
# Create the working directory
#mkdir -p /root/etcd
Self-signed CA:
# In the working directory /root/etcd/:
#cat > ca-config.json << CFY
{
"signing":{
"default":{
"expiry":"87600h"
},
"profiles":{
"www":{
"expiry":"87600h",
"usages":[
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
CFY
Generate the certificate
#cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#ls *.pem
ca-key.pem ca.pem
Issuing the etcd HTTPS certificate with the self-signed CA
Create the certificate signing request file:
#cat > server-csr.json << CFY
{
"CN":"etcd",
"hosts":[
"10.129.246.114",
"10.129.244.229"
],
"key":{
"algo":"rsa",
"size":2048
},
"names":[
{
"C":"CN",
"L":"BeiJing",
"ST":"BeiJing"
}
]
}
CFY
Generate the certificate
#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
#ls server*pem
server-key.pem server.pem
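A check worth running before issuing the certificate, added here as an example that is not part of the original post: every etcd member IP in the initial-cluster string must appear in the CSR's hosts list, otherwise peers and clients fail TLS verification against that member. It assumes the two-member list from the table above and the multi-line hosts layout shown in server-csr.json.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the hosts in
# server-csr.json cover every etcd member listed in the initial cluster.
# Assumption: member list mirrors the two machines in the post's table.
CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"

# member_ips -> one IP per line, extracted from the initial-cluster string
member_ips() {
  printf '%s\n' "$CLUSTER" | tr ',' '\n' | sed -n 's#.*=https\{0,1\}://\([^:/]*\).*#\1#p'
}

# csr_hosts FILE -> one host per line from the "hosts" array of a cfssl CSR
# (assumes the multi-line layout used in the post: one entry per line)
csr_hosts() {
  sed -n '/"hosts"/,/\]/p' "$1" | grep -o '"[^"]*"' | grep -v '"hosts"' | tr -d '"'
}

# check_csr_covers_cluster FILE -> 0 if every member IP is listed, else 1
check_csr_covers_cluster() {
  hosts=$(csr_hosts "$1")
  rc=0
  for ip in $(member_ips); do
    if ! printf '%s\n' "$hosts" | grep -qx "$ip"; then
      echo "member $ip is missing from the hosts list in $1"
      rc=1
    fi
  done
  return $rc
}
```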
Downloading the binaries
Official address: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/ (binary packages)
Deploying the etcd cluster
The following is run on the master node; to simplify the work, all files generated on the master are copied to the node afterwards.
Unpack the binary package:
# mkdir /opt/etcd/{bin,cfg,ssl} -p
# tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
# mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
Create the etcd config file
#cat > /opt/etcd/cfg/etcd.conf << CFY
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.129.246.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.129.246.114:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.129.246.114:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.129.246.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
CFY
---------------------------------------------------------------
ETCD_NAME: node name
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
ETCD_INITIAL_CLUSTER: addresses of the cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new for a new cluster, existing to join an existing cluster
systemd unit to manage and start etcd
#cat > /usr/lib/systemd/system/etcd.service << CFY
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
CFY
Copy the certificates just generated
Copy the certificates generated above to the paths used in the config file:
#cp /root/etcd/ca*pem /root/etcd/server*pem /opt/etcd/ssl/
Copy all the files generated on the master node to the node
scp -r /opt/etcd/ root@10.129.244.229:/opt/
scp /usr/lib/systemd/system/etcd.service root@10.129.244.229:/usr/lib/systemd/system/
Edit ETCD_NAME and the IPs in etcd.conf on the node
#[Member]
# change this: on the node use etcd02
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# change these to the current server's IP
ETCD_LISTEN_PEER_URLS="https://10.129.244.229:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.129.244.229:2379"
#[Clustering]
# change these to the current server's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.129.244.229:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.129.244.229:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
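Because the node's etcd.conf differs from the master's only in ETCD_NAME and the IPs, the file can be rendered per member and checked before it is copied over. The script below is an added example, not part of the original post; it assumes the two-member list from the table and the file layout shown above.

```shell
#!/bin/sh
# Added example, not from the original post: render etcd.conf for one member
# and sanity-check it before copying it to that node.
# Assumption: the member list mirrors the two machines in the post's table.
CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"

# render_etcd_conf NAME IP -> prints the config for that member
render_etcd_conf() {
  name=$1; ip=$2
  cat <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$CLUSTER"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# check_etcd_conf FILE -> 0 if the file is consistent, 1 otherwise
check_etcd_conf() {
  f=$1
  # read the values with sed instead of sourcing a file we have not vetted
  name=$(sed -n 's/^ETCD_NAME="\(.*\)"$/\1/p' "$f")
  peer=$(sed -n 's/^ETCD_INITIAL_ADVERTISE_PEER_URLS="\(.*\)"$/\1/p' "$f")
  cluster=$(sed -n 's/^ETCD_INITIAL_CLUSTER="\(.*\)"$/\1/p' "$f")
  # every listen/advertise URL must use TLS (the unit file passes cert/key flags)
  if grep -E '^ETCD_(LISTEN|ADVERTISE|INITIAL_ADVERTISE)_[A-Z_]*URLS="http:' "$f" >/dev/null; then
    echo "plaintext URL in $f"
    return 1
  fi
  # this member's name=peerURL pair must appear in the initial cluster list
  case ",$cluster," in
    *",$name=$peer,"*) ;;
    *) echo "$name=$peer is not listed in ETCD_INITIAL_CLUSTER"; return 1 ;;
  esac
  # member names must be unique
  dup=$(printf '%s\n' "$cluster" | tr ',' '\n' | cut -d= -f1 | sort | uniq -d)
  [ -z "$dup" ] || { echo "duplicate member name: $dup"; return 1; }
  return 0
}
```

Usage on the node: `render_etcd_conf etcd02 10.129.244.229 > /opt/etcd/cfg/etcd.conf && check_etcd_conf /opt/etcd/cfg/etcd.conf`.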
Starting the etcd cluster
Start the cluster and enable it at boot (start the node first and then the master, or start both at the same time)
#systemctl daemon-reload
# systemctl start etcd
# systemctl enable etcd
After deployment, check the etcd cluster status
#/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://10.129.246.114:2379,https://10.129.244.229:2379" cluster-health
member 2ea4f7be04a16167 is healthy: got healthy result from https://10.129.246.114:2379
member a849ee1eb498b9b2 is healthy: got healthy result from https://10.129.244.229:2379
cluster is healthy
# If the output above appears, the cluster was deployed successfully. If there is a problem, check the logs first: /var/log/messages or journalctl -u etcd (if it reports a timeout, check the firewall).
Installing Docker on the node
To be continued...