2. 程式人生 > 其它 >centos7 二進位制部署kubernetes(v1.19.0) 高可用叢集

centos7 二進位制部署kubernetes(v1.19.0) 高可用叢集

阿新 發佈:2021-08-05

centos7 二進位制部署kubernetes(v1.19.0) 高可用叢集

一、規劃

1. master/etcd 叢集節點-3臺:

192.168.21.30(master)
192.168.21.31(node1)
192.168.21.32(node2)

2. node節點-3臺:

192.168.21.31(node1)
192.168.21.32(node2)
192.168.21.33(node3)

3. haproxy keepalived叢集高可用節點-2臺

192.168.21.30(master)
192.168.21.31(node1)

4. harbor 節點-1臺

192.168.21.34(node4)

二、部署etcd高可用叢集

1. 為etcd和kubernetes叢集建立安全連線的CA證書

使用openssl頒發自簽名證書,放在/etc/kubernetes/pki 目錄下

openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key -subj "/CN=192.16
8.21.30" -days 36500 -out ca.crt

[root@master pki]# pwd
/etc/kubernetes/pki
[root@master pki]# ls
ca.crt  ca.key

2. 建立etcd的CA證書

  • 建立CA根證書,包括ca.key和ca.crt
vim etcd_ssl.cnf

[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 192.168.21.30
IP.2 = 192.168.21.31
IP.3 = 192.168.21.32
  • 2.建立etcd伺服器端證書
    使用openssl命令建立etcd的服務端CA證書,包括etcd_server.key和etcd_server.crt 儲存在/etc/etcd/pki下
[root@master pki]# openssl genrsa -out etcd_server.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................
.................+++.............+++
e is 65537 (0x10001)

[root@master pki]# openssl req -new -key etcd_server.key -config etcd_ssl.cnf -subj "
/CN=etcd-server" -out etcd_server.csr

[root@master pki]# openssl x509 -req -in etcd_server.csr -CA /etc/kubernetes/pki/ca.c
rt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_server.crtSignature ok
subject=/CN=192.168.21.30
Getting CA Private Key
  • 3.建立etcd客戶端CA證書
    使用openssl命令建立etcd的服務端CA證書,包括etcd_client.key和etcd_client.crt 儲存在/etc/etcd/pki下
[root@master pki]# openssl genrsa -out etcd_client.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
..............................................................................+++
e is 65537 (0x10001)
[root@master pki]# openssl req -new -key etcd_client.key -config etcd_ssl.cnf -subj "
/CN=etcd-client" -out etcd_client.csr[root@master pki]# openssl x509 -req -in etcd_client.csr -CA /etc/kubernetes/pki/ca.c
rt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req \
-extfile etcd_ssl.cnf -out etcd_client.crt
Signature ok
subject=/CN=etcd-client
Getting CA Private Key

另外2臺的證書,直接複製第一個節點的即可。

3. 配置etcd

編輯/etc/etcd/etcd.conf,使用環境變數方式
以其中一個節點為例,其它節點更改相應IP即可

ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.21.30:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.21.30:2379"
ETCD_NAME="etcd1"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.21.30:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.21.30:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.21.30:2380,etcd2=https://192.168.21.31:23
80,etcd3=https://192.168.21.32:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_CERT_FILE="/etc/etcd/pki/etcd_server.crt"
ETCD_KEY_FILE="/etc/etcd/pki/etcd_server.key"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/kubernetes/pki/ca.crt"
ETCD_PEER_CERT_FILE="/etc/etcd/pki/etcd_server.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/pki/etcd_server.key"
ETCD_PEER_TRUSTED_CA_FILE="/etc/kubernetes/pki/ca.crt"

啟動etcd並設定開機自啟

systemctl restart etcd && systemctl enable etcd

驗證etcd叢集健康與否

etcdctl --ca-file=/etc/kubernetes/pki/ca.crt --cert-file=/etc/etcd/pki/etcd_client.crt \
--key-file=/etc/etcd/pki/etcd_client.key \
--endpoints=https://192.168.21.30:2379,https://192.168.21.31:2379,https://192.168.21.32:2379 cluster-health
member a5753ed960575bb4 is healthy: got healthy result from https://192.168.21.31:237
9member ca2a47d444bac4dd is healthy: got healthy result from https://192.168.21.30:237
9member d85cddbd7165b028 is healthy: got healthy result from https://192.168.21.32:237
9cluster is healthy

三、部署k8s master高可用叢集(1.19.0)

1. 下載服務端元件二進位制包並將可執行檔案拷貝到/usr/bin目錄下

下載地址:https://dl.k8s.io/v1.19.0/kubernetes-server-linux-amd64.tar.gz
解壓kubernetes-server-linux-amd64.tar.gz 把bin目錄下的可執行檔案拷貝到/usr/bin/ 目錄下

[root@master k8s-1.19.0]# ls
kubernetes-client-linux-amd64.tar.gz  kubernetes-server
kubernetes-node-linux-amd64.tar.gz    kubernetes-server-linux-amd64.tar.gz

[root@master bin]# pwd
/root/k8s/k8s-1.19.0/kubernetes-server/server/bin
[root@master bin]# ls
1.txt                               kubectl
apiextensions-apiserver             kubelet
kubeadm                             kube-proxy
kube-aggregator                     kube-proxy.docker_tag
kube-apiserver                      kube-proxy.tar
kube-apiserver.docker_tag           kube-scheduler
kube-apiserver.tar                  kube-scheduler.docker_tag
kube-controller-manager             kube-scheduler.tar
kube-controller-manager.docker_tag  mounter
kube-controller-manager.tar
[root@master bin]# find . -perm 755 -exec cp {} /usr/bin/ \;

2. 部署 kube-apiserver服務

  • 配置服務端CA證書
[root@master pki]# pwd
/etc/kubernetes/pki
[root@master pki]# vim master_ssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = master
DNS.6 = node1
DNS.7 = node2
DNS.8 = node3
DNS.9 = node4
IP.1 = 172.16.0.100
IP.2 = 192.168.21.30
IP.3 = 192.168.21.31
IP.4 = 192.168.21.32
IP.5 = 192.168.21.33
IP.6 = 192.168.21.34
IP.7 = 192.168.21.35

[root@master pki]# openssl genrsa -out apiserver.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
...............................+++
e is 65537 (0x10001)

[root@master pki]# openssl req -new -key apiserver.key -config master_ssl.cnf -subj "
/CN=192.168.21.30" -out apiserver.csr[root@master pki]# openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcr
eateserial -days 36500 -extensions v3_req -extfile master_ssl.cnf -out apiserver.crtSignature ok
subject=/CN=192.168.21.30
Getting CA Private Key
  • 建立systemd服務
[root@master pki]# vim /usr/lib/systemd/system/kube-apiserver.service[Unit]Description=kubernetes API ServerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=/etc/kubernetes/apiserver.confExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGSRestart=always[Install]WantedBy=multi-user.target建立配置檔案/etc/kubernetes/apiserver.conf[root@master pki]# vim /etc/kubernetes/apiserver.confKUBE_API_ARGS="--insecure-port=0 \--secure-port=6443 \--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \--client-ca-file=/etc/kubernetes/pki/ca.crt--apiserver-count=3 --endpoint-reconciler-type=master-count \--etcd-servers=https://192.168.21.30:2379,https://192.168.21.31:2379,https://192.168.21.32:2379 \--etcd-cafile=/etc/kubernetes/pki/ca.crt \--etcd-certfile=/etc/etcd/pki/etcd_client.crt \--etcd-keyfile=/etc/etcd/pki/etcd_client.key \--service-cluster-ip-range=169.169.0.0/16 \--service-node-port-rang=30000-32767 \--allow-privileged=true \--logtostderr=false \--log-dir=/var/log/kubernetes --v=0"
  • 啟動kube-apiserver並加入開機自啟動
systemctl start kube-apiserver.service && systemctl enable kube-apiserver.service[root@master k8s]# netstat -an |grep 6443tcp6       0      0 :::6443                 :::*                    LISTEN     tcp6       0      0 ::1:52844               ::1:6443                ESTABLISHEDtcp6       0      0 ::1:6443                ::1:52844               ESTABLISHED
  • 建立客戶端CA證書
[root@master pki]# openssl genrsa -out client.key 2048Generating RSA private key, 2048 bit long modulus....+++.........................................+++e is 65537 (0x10001)[root@master pki]# openssl req -new -key client.key -subj "/CN=admin" -out client.csr[root@master pki]# openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 36500Signature oksubject=/CN=adminGetting CA Private Key
  • 建立客戶端連線kube-apiserver服務所需的kubeconfig配置檔案
[root@master kubernetes]# pwd/etc/kubernetes[root@master kubernetes]# vim kubeconfigapiVersion: v1kind: Configclusters: - name: default  cluster:    server: https://192.168.21.35:9443    certificate-authority: /etc/kubernetes/pki/ca.crtusers: - name: admin  user:     client-certificate: /etc/kubernetes/pki/client.crt    client-key: /etc/kubernetes/pki/client.keycontexts: - context:    cluster: default    user: admin  name: defaultcurrent-context: default

3.部署kube-controller-manager服務

  • 建立kube-controller-manager的systemd服務
[root@master kubernetes]# cat /usr/lib/systemd/system/kube-controller-manager.service[Unit]Description=Kubernetes Controller ManagerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=/etc/kubernetes/controller-manager.confExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGSRestart=always[Install]WantedBy=multi-user.target
  • 建立controller-manager.conf配置檔案
[root@master kubernetes]# cat controller-manager.conf KUBE_CONTROLLER_MANAGER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \--leader-elect=true \--service-cluster-ip-range=169.169.0.0/16 \--service-account-private-key-file=/etc/kubernetes/pki/apiserver.key \--root-ca-file=/etc/kubernetes/pki/ca.crt \--log-dir=/var/log/kubernetes --logtostderr=false --v=0"
  • 啟動kube-controller-manager並設定為開機自啟動
[root@master kubernetes]# systemctl start kube-controller-manager.service && systemct[root@master kubernetes]# ps aux |grep kube-controllerroot     16451  6.1  1.8 810028 72476 ?        Ssl  09:50   0:01 /usr/bin/kube-controller-manager --kubeconfig=/etc/kubernetes/kubeconfig --leader-elect=true --service-cluster-ip-range=169.169.0.0/16 --service-account-private-key-file=/etc/kubernetes/pki/apiserver.key --root-ca-file=/etc/kubernetes/pki/ca.crt --log-dir=/var/log/kubernetes --logtostderr=false --v=0

4.部署kube-scheduler服務

  • 建立kube-scheduler的systemd服務
[root@master kubernetes]# vim /usr/lib/systemd/system/kube-scheduler.service[Unit]Description=Kubernetes SchedulerDocumentation=https://github.com/kubernetes/kubernetes[Service]EnvironmentFile=/etc/kubernetes/scheduler.confExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGSRestart=always[Install]WantedBy=multi-user.target
  • 建立scheduler.conf配置檔案
[root@master kubernetes]# vim scheduler.conf[root@master kubernetes]# cat scheduler.conf KUBE_SCHEDULER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \--leader-elect=true \--logtostderr=false --log-dir=/var/log/kubernetes --v=0"
  • 啟動kube-scheduler.service並設定開機自啟
[root@master kubernetes]# systemctl start kube-scheduler.service && systemctl enable kube-scheduler.service Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.[root@master kubernetes]# ps aux |grep kube-schroot     17369 10.1  1.1 746396 44876 ?        Ssl  10:04   0:01 /usr/bin/kube-scheduler --kubeconfig=/etc/kubernetes/kubeconfig --leader-elect=true --logtostderr=false --log-dir=/var/log/kubernetes --v=0root     17407  0.0  0.0 112820  2256 pts/0    R+   10:04   0:00 grep --color=auto kube-sch

5.使用haproxy和keepalive部署高可用的負載均衡器

為了避免單點故障,使用2臺主機組成高可用,本例使用21.30,21.31這2臺主機部署。vip:192.168.21.35

  • 安裝haproxy和keepalived
[root@master kubernetes]# yum install haproxy[root@master kubernetes]# yum install keepalived
  • 配置haproxy
[root@master haproxy]# cat haproxy.cfg |grep -Ev "^#" |grep -Ev "^*#"global    log         127.0.0.1 local2    chroot      /var/lib/haproxy    pidfile     /var/run/haproxy.pid    maxconn     4096    user        haproxy    group       haproxy    daemon    stats socket /var/lib/haproxy/statsdefaults    mode                    http    log                     global    option                  httplog    option                  dontlognull    option http-server-close    option forwardfor       except 127.0.0.0/8    option                  redispatch    retries                 3    timeout http-request    10s    timeout queue           1m    timeout connect         10s    timeout client          1m    timeout server          1m    timeout http-keep-alive 10s    timeout check           10s    maxconn                 3000frontend  kube-apiserver     mode                 tcp    bind                 *:9443    option               tcplog    default_backend      kube-apiserverlisten stats    mode           http    bind           *:8888    stats auth     admin:password    stats refresh  5s    stats realm    HAProxy\ Statistics    stats uri      /stats    log            127.0.0.1 local3 errbackend kube-apiserver    mode        tcp    balance     roundrobin    server  master 192.168.21.30:6443 check    server  node1 192.168.21.31:6443 check    server  node2 192.168.21.32:6443 check
  • 啟動haproxy並設為開機自啟
[root@master ~]# systemctl start haproxy.service && systemctl enable haproxy.service Created symlink from /etc/systemd/system/multi-user.target.wants/haproxy.service to /usr/lib/systemd/system/haproxy.service.

驗證haproxy

  • 配置keepalived
    第一個節點:
[root@master keepalived]# cat keepalived.conf! Configuration File for keepalivedglobal_defs {   router_id LVS_1}vrrp_script checkhaproxy {  script "/usr/bin/check-haproxy.sh"  interval 2  weight -30}vrrp_instance VI_1 {    state MASTER    interface eth0    virtual_router_id 51    priority 100    advert_int 1    authentication {        auth_type PASS        auth_pass password    }    virtual_ipaddress {        192.168.21.35/24 dev eth0    }    track_script {      checkhaproxy    }}[root@master keepalived]# cat /usr/bin/check-haproxy.sh#!/bin/bashcount=`netstat -apn | grep 9443 | wc -l`if [ $count -gt 0 ]; then  exit 0else  exit 1fi

第二個節點:

[root@node1 ~]# cat /etc/keepalived/keepalived.conf ! Configuration File for keepalivedglobal_defs {   router_id LVS_2}vrrp_script checkhaproxy {  script "/usr/bin/check-haproxy.sh"  interval 2  weight -30}vrrp_instance VI_1 {    state BACKUP    interface eth0    virtual_router_id 51    priority 100    advert_int 1    authentication {        auth_type PASS        auth_pass password    }    virtual_ipaddress {        192.168.21.35/24 dev eth0    }    track_script {      checkhaproxy    }}
  • 啟動keepalived並設為開機自啟
[root@master keepalived]# systemctl start keepalived.service && systemctl enable keepalived.service Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.[root@master keepalived]# ps aux |grep keeproot     22629  0.0  0.0 123008  2108 ?        Ss   11:32   0:00 /usr/sbin/keepalived -Droot     22630  0.0  0.1 123008  5708 ?        S    11:32   0:00 /usr/sbin/keepalived -Droot     22631  0.0  0.1 125132  5708 ?        S    11:32   0:00 /usr/sbin/keepalived -Droot     22667  0.0  0.0 112820  2212 pts/0    S+   11:32   0:00 grep --color=auto keep
  • 驗證keepalive
[root@master keepalived]# curl -v -k https://192.168.21.35:9443* About to connect() to 192.168.21.35 port 9443 (#0)*   Trying 192.168.21.35...* Connected to 192.168.21.35 (192.168.21.35) port 9443 (#0)* Initializing NSS with certpath: sql:/etc/pki/nssdb* skipping SSL peer certificate verification* NSS: client certificate not found (nickname not specified)* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384* Server certificate:* 	subject: CN=192.168.21.30* 	start date: Jul 20 07:05:48 2021 GMT* 	expire date: Jun 26 07:05:48 2121 GMT* 	common name: 192.168.21.30* 	issuer: CN=192.168.21.30> GET / HTTP/1.1> User-Agent: curl/7.29.0> Host: 192.168.21.35:9443> Accept: */*> < HTTP/1.1 401 Unauthorized< Cache-Control: no-cache, private< Content-Type: application/json< Date: Wed, 21 Jul 2021 03:36:48 GMT< Content-Length: 165< {  "kind": "Status",  "apiVersion": "v1",  "metadata": {      },  "status": "Failure",  "message": "Unauthorized",  "reason": "Unauthorized",  "code": 401* Connection #0 to host 192.168.21.35 left intact

四. 部署網路元件flanneld

在所有node節點上安裝flanneld

1. 下載flannel

下載地址:https://github.com/flannel-io/flannel/releases

flannel-v0.14.0-linux-amd64.tar.gz

解壓後將 flanneld 和 mk-docker-opts.sh 拷貝到/usr/bin目錄下(所有node節點)

[root@node1 flannel]# pwd/root/k8s/flannel[root@node1 flannel]# lsflanneld  mk-docker-opts.sh  README.md[root@node1 flannel]# cp flanneld mk-docker-opts.sh /usr/bin/

2. 建立flanneld的systemd服務

[root@node1 flannel]# cat /usr/lib/systemd/system/flanneld.service [Unit]Description=Kubernetes Network Plugin FlannelDocumentation=https://flannelAfter=network-online.target network.targetBefore=docker.service[Service]Type=notifyEnvironmentFile=/etc/sysconfig/flanneld.confExecStart=/usr/bin/flanneld --ip-masq \$FLANNEL_OPTIONSExecStartPost=/usr/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.envRestart=on-failure[Install]WantedBy=multi-user.target

3. 建立flanneld.conf配置檔案

[root@node1 flannel]# cat /etc/sysconfig/flanneld.conf ETCD_ENDPOINTS=${"https://192.168.21.30:2379,https://192.168.21.31:2379,https://192.168.21.32:2379"}FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \--etcd-cafile=/etc/kubernetes/pki/ca.crt \--etcd-certfile=/etc/kubernetes/pki/etcd_server.crt \--etcd-keyfile=/etc/kubernetes/pki/etcd_server.key \--etcd-prefix=/coreos.com/network \--iface=eth0"

4.在etcd中建立條目(master節點上操作)

etcdctl --endpoints https://192.168.21.30:2379,https://192.168.21.31:2379,https://192.168.21.32:2379 --ca-file /etc/kubernetes/pki/ca.crt --cert-file /etc/kubernetes/pki/etcd_server.crt --key-file /etc/kubernetes/pki/etcd_server.key set /coreos.com/network/config '{"Network":"172.16.0.0/16","Backend":{"Type":"vxlan"}}'

5. 啟動flanneld服務並設定開機自啟

[root@node1 flannel]# systemctl start flanneld.service && systemctl enable flanneld.service

6. 驗證

# ifconfigflannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450        inet 172.16.62.0  netmask 255.255.255.255  broadcast 172.16.62.0        inet6 fe80::5898:9aff:fe32:56ab  prefixlen 64  scopeid 0x20<link>        ether 5a:98:9a:32:56:ab  txqueuelen 0  (Ethernet)        RX packets 3  bytes 252 (252.0 B)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 3  bytes 252 (252.0 B)        TX errors 0  dropped 5 overruns 0  carrier 0  collisions 0

五. 部署docker服務

在所有node節點上安裝docker,本例使用yum安裝。

1. docker-ce.repo

[root@node1 flannel]# cat /etc/yum.repos.d/docker-ce.repo [docker-ce-stable]name=Docker CE Stable - $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/$basearch/stableenabled=1gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-stable-debuginfo]name=Docker CE Stable - Debuginfo $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/debug-$basearch/stableenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-stable-source]name=Docker CE Stable - Sourcesbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/source/stableenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-test]name=Docker CE Test - $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/$basearch/testenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-test-debuginfo]name=Docker CE Test - Debuginfo $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/debug-$basearch/testenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-test-source]name=Docker CE Test - Sourcesbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/source/testenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-nightly]name=Docker CE Nightly - $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/$basearch/nightlyenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-nightly-debuginfo]name=Docker CE Nightly - Debuginfo $basearchbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/debug-$basearch/nightlyenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg[docker-ce-nightly-source]name=Docker CE Nightly - Sourcesbaseurl=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/$releasever/source/nightlyenabled=0gpgcheck=1gpgkey=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/centos/gpg

2. 安裝

yum install docker-ce

3. 配置docker.service

[root@node1 flannel]# cat /usr/lib/systemd/system/docker.service[Unit]Description=Docker Application Container EngineDocumentation=https://docs.docker.comAfter=network-online.target firewalld.service containerd.serviceWants=network-online.targetRequires=docker.socket containerd.service[Service]Type=notify# the default is not to use systemd for cgroups because the delegate issues still# exists and systemd currently does not support the cgroup feature set required# for containers run by docker#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sockEnvironmentFile=/run/flannel/subnet.envExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONSExecReload=/bin/kill -s HUP $MAINPIDTimeoutSec=0RestartSec=2Restart=always# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.# Both the old, and new location are accepted by systemd 229 and up, so using the old location# to make them work for either version of systemd.StartLimitBurst=3# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make# this option work for either version of systemd.StartLimitInterval=60s# Having non-zero Limit*s causes performance problems due to accounting overhead# in the kernel. We recommend using cgroups to do container-local accounting.LimitNOFILE=infinityLimitNPROC=infinityLimitCORE=infinity# Comment TasksMax if your systemd version does not support it.# Only systemd 226 and above support this option.TasksMax=infinity# set delegate yes so that systemd does not reset the cgroups of docker containersDelegate=yes# kill only the docker process, not all processes in the cgroupKillMode=processOOMScoreAdjust=-500[Install]WantedBy=multi-user.target

4. 啟動docker並設定開機自啟

systemctl start docker && systemctl enable docker

5. 檢視docker網路

[root@node1 flannel]# ifconfigdocker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500        inet 172.16.62.1  netmask 255.255.255.0  broadcast 172.16.62.255        inet6 fe80::42:e0ff:fe18:9fa  prefixlen 64  scopeid 0x20<link>        ether 02:42:e0:18:09:fa  txqueuelen 0  (Ethernet)        RX packets 5  bytes 308 (308.0 B)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 10  bytes 904 (904.0 B)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500        inet 192.168.21.31  netmask 255.255.255.0  broadcast 192.168.21.255        inet6 fe80::8d62:e14a:b27d:d478  prefixlen 64  scopeid 0x20<link>        inet6 fe80::95d3:ac4d:e02d:e037  prefixlen 64  scopeid 0x20<link>        inet6 fe80::3ce7:8033:b538:bb4e  prefixlen 64  scopeid 0x20<link>        ether 3a:66:dd:a0:4b:f2  txqueuelen 1000  (Ethernet)        RX packets 1984756  bytes 277698227 (264.8 MiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 1962569  bytes 272656611 (260.0 MiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450        inet 172.16.62.0  netmask 255.255.255.255  broadcast 172.16.62.0        inet6 fe80::5898:9aff:fe32:56ab  prefixlen 64  scopeid 0x20<link>        ether 5a:98:9a:32:56:ab  txqueuelen 0  (Ethernet)        RX packets 3  bytes 252 (252.0 B)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 3  bytes 252 (252.0 B)        TX errors 0  dropped 5 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536        inet 127.0.0.1  netmask 255.0.0.0        inet6 ::1  prefixlen 128  scopeid 0x10<host>        loop  txqueuelen 1000  (Local Loopback)        RX packets 534202  bytes 108091817 (103.0 MiB)        RX errors 0  dropped 0  overruns 0  frame 0        TX packets 534202  bytes 108091817 (103.0 MiB)        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

6. docker國內映象加速

[root@node1 ~]# cat /etc/docker/daemon.json {	"insecure-registries":["192.168.21.34"],	"registry-mirrors": ["https://s7s5jkzp.mirror.aliyuncs.com"]}

7. docker私有倉庫harbor

官網地址:https://goharbor.io/,本例使用192.168.21.34這臺主機。

六. 部署Node服務

1. 下載客戶端元件二進位制包並將可執行檔案拷貝到所有Node節點的/usr/bin目錄下

下載地址:https://dl.k8s.io/v1.19.0/kubernetes-node-linux-amd64.tar.gz
解壓kubernetes-node-linux-amd64.tar.gz 把bin目錄下的可執行檔案拷貝到/usr/bin/ 目錄下

2. 部署kubelet服務

  • 建立kubelet的systemd服務
[root@node1 pki]# cat /usr/lib/systemd/system/kubelet.service [Unit]Description=Kubernetes Kubelet ServerDocumentation=https://github.com/kubernetes/kubernetesAfter=docker.target[Service]EnvironmentFile=/etc/kubernetes/kubelet.confExecStart=/usr/bin/kubelet $KUBELET_ARGSRestart=always[Install]WantedBy=multi-user.target
  • 建立kublete.conf配置檔案
[root@node1 kubernetes]# cat kubelet.confKUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \--config=/etc/kubernetes/kubelet.config \--hostname-override=192.168.21.31 #其它節點修改成相應的IP地址\--network-plugin=flannel \--logtostderr=false --log-dir=/var/log/kubernetes --v=0 \--runtime-cgroups=/systemd/system.slice \--kubelet-cgroups=/systemd/system.slice"

[root@node1 kubernetes]# cat kubelet.config kind: kubeletConfigurationapiVersion: kubelet.config.k8s.io/v1beta1address: 0.0.0.0port: 10250cgroupDriver: cgroupfscluster-dns=172.16.0.100cluster-domain=cluster.localauthentication:  anonymous:    enabled: true
  • 啟動kubelet.service並設定開機自啟
[root@node1 ~]# systemctl start kubelet.service && systemctl enable kubelet.service[root@node1 ~]# ps aux |grep kubeletroot      4821  0.0  0.0 112716  2264 pts/0    S+   12:02   0:00 grep --color=auto kubeletroot     21424  0.6  2.2 1168096 91636 ?       Ssl  10:59   0:24 /usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubeconfig --config=/etc/kubernetes/kubelet.config --hostname-override=192.168.21.31 --logtostderr=false --log-dir=/var/log/kubernetes --v=0 --runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice
  • 檢視後臺程序
[root@node1 ~]# ps aux |grep kubeletroot     17062  0.0  0.0 112716  2188 pts/0    S+   12:53   0:00 grep --color=auto kubeletroot     21424  0.6  2.3 1168096 93684 ?       Ssl  10:59   0:43 /usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubeconfig --config=/etc/kubernetes/kubelet.config --hostname-override=192.168.21.31 --logtostderr=false --log-dir=/var/log/kubernetes --v=0 --runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice

3. 部署kube-proxy服務

  • 建立kube-proxy的systemd服務
[root@node1 ~]# cat /usr/lib/systemd/system/kube-proxy.service [Unit]Description=kubernetes kube-proxy ServerDocumentation=https://github.com/kubernetes/kubernetesAfter=network.target[Service]EnvironmentFile=/etc/kubernetes/kube-proxy.confExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGSRestart=always[Install]WantedBy=multi-user.target
  • 建立kube-proxy的配置檔案
[root@node1 ~]# cat /etc/kubernetes/kube-proxy.confKUBE_PROXY_ARGS="--kubeconfig /etc/kubernetes/kubeconfig \--hostname-override 192.168.21.31 #其它節點修改成相應的IP地址\--proxy-mode iptables \--logtostderr=false \--log-dir /var/log/kubernetes\ --v=0"
  • 啟動kube-proxy.service並設定開機自啟
[root@node3 ~]# systemctl enable kube-proxy.service Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.[root@node3 ~]# systemctl start kube-proxy.service
  • 檢視後臺程序
[root@node1 ~]# ps aux |grep kuberoot      3451  0.0  1.0 743152 41760 ?        Ssl  11:57   0:01 /usr/bin/kube-proxy \--kubeconfig /etc/kubernetes/kubeconfig --hostname-override 192.168.21.31 \--proxy-mode iptables --logtostderr=false \--log-dir /var/log/kubernetes --v=0

七. 部署CoreDNS服務

1. 建立資原始檔

coredns需要3個資源對像,1個configmap,1個Deployment和1個service。編輯coredns.yaml檔案包含這3個資源對像

apiVersion: v1kind: ConfigMapmetadata:   name: coredns  namespace: kube-system  labels:     addonmanager.kubernetes.io/mode: EnsureExistsdata:   Corefile: |    cluster.local {      errors      health {         lameduck 5s      }      ready      kubernetes cluster.local 172.16.0.0/16 {         fallthrough in-addr.arpa ip6.arpa      }      prometheus: 9153      forward . /etc/resolv.conf      cache 30      loop      reload      loadbalance    }    . {      cache 30      loadbalance      forward . /etc/resolv.conf    }---apiVersion: apps/v1kind: Deploymentmetadata:   name: coredns  namespace: kube-system  labels:     k8s-app: coredns    kubernetes.io/name: "CoreDNS"    kubernetes.io/cluster-service: "true"spec:   replicas: 1  selector:     matchLabels:       k8s-app: coredns  template:     metadata:       labels:         k8s-app: coredns      annotations:         scheduler.alpha.kubernetes.io/critical-pod: ''        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly","operator":"Exists"}]'    spec:       containers:       - name: coredns        image: 192.168.21.34/release/coredns:latest        imagePullPolicy: IfNotPresent        resources:           limits:             memory: 170Mi          requests:             cpu: 100m            memory: 70Mi        args: [ "-conf", "/etc/coredns/Corefile" ]        volumeMounts:         - name: config-volume          mountPath: /etc/coredns          readOnly: true        ports:         - containerPort: 53          name: dns          protocol: UDP        - containerPort: 53          name: dns-tcp          protocol: TCP        - containerPort: 9153          name: metrics          protocol: TCP        securityContext:          allowPrivilegeEscalation: false          capabilities:             add:             - NET_BIND_SERVICE            drop:            - all          readOnlyRootFilesystem: true        livenessProbe:          httpGet:            path: /health            port: 8080            scheme: HTTP          initialDelaySeconds: 60          timeoutSeconds: 5          successThreshold: 1          failureThreshold: 5        readinessProbe:          httpGet:            path: /ready            port: 8181            scheme: HTTP      dnsPolicy: Default      volumes:        - name: config-volume          configMap:            name: coredns            items:            - key: Corefile              path: Corefile---apiVersion: v1kind: Servicemetadata:   name: coredns  namespace: kube-system  annotations:    prometheus.io/port: "9153"    prometheus.io/scrape: "true"  labels:     k8s-app: coredns    kubernetes.io/cluster-service: "true"    kubernetes.io/name: "CoreDNS"spec:   selector:     k8s-app: coredns  clusterIP: 172.16.0.100  ports:   - name: dns    port: 53    protocol: UDP  - name: dns-tcp    port: 53    protocol: TCP  - name: metrics    port: 9153    protocol: TCP

2. 建立coredns

[root@node1 coredns]# kubectl create -f coredns.yaml configmap/coredns createddeployment.apps/coredns createdservice/coredns created

檢視各資源的狀態

[root@node1 coredns]# kubectl get all --namespace=kube-systemNAME                           READY   STATUS             RESTARTS   AGEpod/coredns-7bff699665-zfj5r   0/1     CrashLoopBackOff   6          10mNAME              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGEservice/coredns   ClusterIP   172.16.0.100   <none>        53/UDP,53/TCP,9153/TCP   10mNAME                      READY   UP-TO-DATE   AVAILABLE   AGEdeployment.apps/coredns   0/1     1            0           10mNAME                                 DESIRED   CURRENT   READY   AGEreplicaset.apps/coredns-7bff699665   1         1         0       10m

情況有點不妙,pod和deployment資源沒有ready起來。先看下pod的日誌

[root@node1 coredns]# kubectl logs pod/coredns-7bff699665-zfj5r --namespace=kube-system/etc/coredns/Corefile:10 - Error during parsing: Unknown directive 'prometheus:'

發現,有個指令示識別(prometheus:),於是在coredns.yaml檔案中註釋掉這行

 ready      kubernetes cluster.local 172.16.0.0/16 {         fallthrough in-addr.arpa ip6.arpa      }      #prometheus: 9153      forward . /etc/resolv.conf

再次重新apply 一下

[root@node1 coredns]# kubectl apply -f coredns.yaml configmap/coredns configureddeployment.apps/coredns unchangedservice/coredns unchanged

檢視狀態正常

[root@node1 coredns]# kubectl get all --namespace=kube-systemNAME                           READY   STATUS    RESTARTS   AGEpod/coredns-7bff699665-zfj5r   1/1     Running   11         61mNAME              TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGEservice/coredns   ClusterIP   172.16.0.100   <none>        53/UDP,53/TCP,9153/TCP   61mNAME                      READY   UP-TO-DATE   AVAILABLE   AGEdeployment.apps/coredns   1/1     1            1           61mNAME                                 DESIRED   CURRENT   READY   AGEreplicaset.apps/coredns-7bff699665   1         1         1       61m

3. 驗證coredns

建立一個nginx的pod和service

[root@node1 k8s]# cat svc/coredns-test.yaml apiVersion: v1kind: Podmetadata:  name: nginx  labels:    app: nginxspec:  containers:  - name: nginx    image: 192.168.21.34/release/nginx:v1.21.1    ports:    - containerPort: 80---apiVersion: v1kind: Servicemetadata:  name: nginxspec:  ports:  - port: 80    targetPort: 80    protocol: TCP  selector:    app: nginx[root@node1 svc]# kubectl create -f coredns-test.yaml pod/nginx createdservice/nginx created

再建立一個名為myweb的pod

[root@node1 pod]# cat nginx-pod-1.yaml apiVersion: v1kind: Podmetadata:   name: myweb spec:   containers:     - name: web      image: 192.168.21.34/release/nginx:v1.21.1      imagePullPolicy: IfNotPresent

進入myweb容器,curl nginx

[root@node1 pod]# kubectl exec -it myweb -- /bin/bashroot@myweb:/# curl nginx<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>    body {        width: 35em;        margin: 0 auto;        font-family: Tahoma, Verdana, Arial, sans-serif;    }</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed andworking. Further configuration is required.</p><p>For online documentation and support please refer to<a href="http://nginx.org/">nginx.org</a>.<br/>Commercial support is available at<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>root@myweb:/# exitexit

發現使用nginx名字可以訪問資源,使用busybox 測試一下nslookup

[root@node1 pod]# cat busybox.yaml apiVersion: v1kind: Podmetadata:   name: busybox  namespace: defaultspec:   containers:   - name: busybox    image: 192.168.21.34/release/busybox:latest    command:       - sleep      - "3600"[root@node1 pod]# kubectl exec busybox -- nslookup nginxServer:		172.16.0.100Address:	172.16.0.100:53Name:	nginx.default.svc.cluster.localAddress: 172.16.28.151

八. 驗證叢集

1. 在master節點上通過kubectl驗證node資訊

kubectl --kubeconfig=/etc/kubernetes/kubeconfig get nodesNAME            STATUS   ROLES    AGE   VERSION192.168.21.31   Ready    <none>   24h   v1.19.0192.168.21.32   Ready    <none>   24h   v1.19.0192.168.21.33   Ready    <none>   24h   v1.19.0

=======================================================================

知識無邊界,交流以長進

如需轉載,請註明出處,謝謝

=======================================================================

相關推薦

centos7 二進位制部署kubernetes(v1.19.0) 可用叢集

centos7 二進位制部署kubernetes(v1.19.0) 可用叢集 一、規劃 1. master/etcd 叢集節點-3臺:

kubeadm使用外部etcd部署kubernetes v1.17.3 可用叢集

文章轉載自:https://mp.weixin.qq.com/s?__biz=MzI1MDgwNzQ1MQ==&mid=2247483891&idx=1&sn=17dcd7cd0645df509c8e49059a2f00d7&chksm=e9fdd407de8a5d119d439b70dc2c381ec2eceddb63ed43767c2e1b7cffe

二進位制部署kubernetes v1.16.1單master點

一、初始化系統和全域性變數 1)叢集規劃 OS hostname memory CPU Role Centos 7.5 k8s-01 4G 4核心

ipad1可用軟體源_k8s 1.19.4可用叢集部署

技術標籤:ipad1可用軟體源 Kubernetes可用部署參考: https://kubernetes.io/docs/setup/independent/high-availability/ https://github.com/kubernetes-sigs/kubespray https://github.com/wise2c-devops/

部署一套完整的Kubernetes可用叢集二進位制v1.18版)

一、前置知識點 1.1 生產環境可部署Kubernetes叢集的兩種方式 目前生產部署Kubernetes叢集主要有兩種方式:

Kubernetes 1.18.0 二進位制可用叢集搭建

本文出自劉騰飛視訊教程:http://video.jessetalk.cn/ 主要步驟 準備虛擬機器環境,部署好centos,做好初始準備

86) 離線二進位制安裝kubernetes v1.18.5 生產CI-CD環境 [1. 環境部署篇]

1- 環境規劃說明 1.1- 系統環境 節點資訊 節點角色 主機名 IP cpu ram disk kernel 元件 master/worker

【k8s記錄】二進位制安裝kubernetes可用叢集全過程完整版 v1.20

1.總體規劃 1.1 伺服器規劃配置如下(master節點不安裝kubelet) IP地址主機名節點角色安裝元件192.168.1.180master1master,IP入口kube-apiserver、kube-controller-manager、kube-scheduler、etcd192.168.1.181ma

Kubeadm搭建可用(k8s)Kubernetes v1.24.0叢集

文章轉載自:https://i4t.com/5451.html 背景 Kubernetes 1.24新特性 從kubelet中移除dockershim,自1.20版本被棄用之後,dockershim元件終於在1.24的kubelet中被刪除。從1.24開始,大家需要使用其他受到支援的執行時

Kubernetes容器化工具Kind實踐部署Kubernetes v1.18.x 版本, 釋出WordPress和MySQL

Kind 介紹 Kind是Kubernetes In Docker的縮寫,顧名思義是使用Docker容器作為Node並將Kubernetes部署至其中的一個工具。官方檔案中也把Kind作為一種本地叢集搭建的工具進行推薦。預設情況下,Kind會先下載kindest/no

使用 Sealos 在 3 分鐘內快速部署一個生產級別的 Kubernetes 可用叢集

前提條件: 安裝並啟動docker, 版本離線包自帶docker,如沒安裝docker會自動安裝

Kubernetes 部署 Kubernetes-Dashboard v2.0.0

部署檔案 Github 地址:https://github.com/my-dlq/blog-example/tree/master/kubernetes/kubernetes-dashboard2.0.0-deploy

部署kubernetes dashboard v2.0.4

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml -O dashboard.yaml

k8s 證書更新,基於kubernetes v1.19.3

學習記錄: 通過kubeadm安裝的K8S叢集,證書有效期為一年,一年過期後,會導致api service不可用,使用過程中會出現報錯:x509: certificate has expired or is not yet valid.

部署一套完整的Kubernetes可用叢集(上)

部署一套完整的Kubernetes可用叢集(上) 原創阿良DevOps技術棧6月1日 目錄[-] 一、前置知識點

Kubernetes容器叢集 - harbor倉庫可用叢集部署說明【轉】

之前介紹Harbor私有倉庫的安裝和使用,這裡重點說下Harbor可用叢集方案的部署,目前主要有兩種主流的Harbor可用叢集方案:1)雙主複製;2)多harbor例項共享後端儲存。

離線部署k8s-1.19.0叢集

0、節點說明: 1、環境配置 1.1 關閉防火牆、selinux、swap setenforce 0 sed -i \'s/=enforcing/=disabled/g\' /etc/selinux/config

ansible二進位制部署kubernetes叢集

kubernetes版本1.21.5 需要的資原始檔請自行到我的阿里雲盤下載 https://www.aliyundrive.com/s/zVegF78ATDV

二進位制部署k8s可用叢集

1.軟體版本 軟體 版本 OS Centos7.6 mini docker 1.20 kubernetes 1.20 2.服務規劃 型別 IP 服務 master1

|NO.Z.00008|——————————|^^ 構建 ^^|——|Mysql&Mariadb&二進位制部署配置.V1|

[Applications:Mysql&Mariadb&二進位制部署配置.V1]                                                   [Applications.Databases]