k8s v1.13 cluster deployment
阿新 • Published: 2018-12-09
Planning
192.168.100.100 master.hequan.lol master
192.168.100.101 node01.hequan.lol node01
192.168.100.102 node02.hequan.lol node02
Preparation
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
vi /etc/selinux/config
SELINUX=disabled
vim /etc/hosts
192.168.100.100 master.hequan.lol master
192.168.100.101 node01.hequan.lol node01
192.168.100.102 node02.hequan.lol node02
swapoff -a && sysctl -w vm.swappiness=0
vi /etc/fstab
#UUID=7bff6243-324c-4587-b550-55dc34018ebf swap swap defaults 0 0
cat << EOF | tee /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf
mkdir -p /data/docker
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum makecache fast
sudo yum -y install docker-ce
docker version
systemctl enable docker.service
systemctl start docker.service
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{"registry-mirrors": ["https://890km4uy.mirror.aliyuncs.com"],"graph": "/data/docker"}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
etcd: see my blog post http://blog.51cto.com/hequan/2327820
flanneld: see my blog post http://blog.51cto.com/hequan/2327822
Deploying components on the master
Generating certificates
mkdir -p /data/ssl/k8s
cd /data/ssl/k8s
vim k8s-ssl.sh
# cat ca-config.json
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# cat ca-csr.json
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# server-csr.json
cat > server-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.100.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# cat kube-proxy-csr.json
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
sh k8s-ssl.sh
ls *pem
ca-key.pem ca.pem kube-proxy-key.pem kube-proxy.pem server-key.pem server.pem
mkdir -p /opt/kubernetes/ssl
cp /data/ssl/k8s/*pem /opt/kubernetes/ssl/
apiserver
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md
cd /data/src
kubernetes-server-linux-amd64.tar.gz
tar xf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/
cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin
vim /opt/kubernetes/cfg/token.csv
MnCwST4J8KAn7qLkMnklR8LytumEBb,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
Column 1: a random string; you can generate one yourself with head -c 16 /dev/urandom | od -An -t x | tr -d ' '
Column 2: user name
Column 3: UID
Column 4: user group
vim /opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true --v=4 --etcd-servers=https://192.168.100.100:2379,https://192.168.100.101:2379,https://192.168.100.102:2379 --bind-address=192.168.100.100 --secure-port=6443 --advertise-address=192.168.100.100 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
* --logtostderr log to stderr
* --v log verbosity level
* --etcd-servers etcd cluster addresses
* --bind-address listen address
* --secure-port HTTPS secure port
* --advertise-address address advertised to the rest of the cluster
* --allow-privileged allow privileged containers
* --service-cluster-ip-range Service virtual IP range
* --enable-admission-plugins admission control plugins
* --authorization-mode authorization modes; enables RBAC and the Node authorizer (node self-management)
* --enable-bootstrap-token-auth enable TLS bootstrapping, explained below
* --token-auth-file token file
* --service-node-port-range port range allocated to NodePort-type Services
vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
scheduler component
vim /opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
* --master connect to the local apiserver
* --leader-elect when several instances of this component run, elect a leader automatically (HA)
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kube-scheduler.service
systemctl restart kube-scheduler.service
controller-manager component
vim /opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
Check
/opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
Deploying components on the nodes
Notes
Once the master apiserver has TLS authentication enabled, a node's kubelet must hold a valid certificate issued by the cluster CA before it can talk to the apiserver and join the cluster. With many nodes, signing a certificate for each one by hand becomes tedious, which is what the TLS Bootstrapping mechanism is for: the kubelet uses a low-privilege user to request a certificate from the apiserver automatically, and the kubelet's certificate is signed dynamically by the apiserver.
Operations on the master
vim /etc/profile
export PATH=/opt/kubernetes/bin:$PATH
source /etc/profile
Bind the kubelet-bootstrap user to the built-in cluster role
/opt/kubernetes/bin/kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
cd /data/ssl/k8s/
Create the kubeconfig files
Run the following in the directory where the kubernetes certificates were generated to produce the kubeconfig files:
vim kubeconfig.sh
# Create the kubelet bootstrapping kubeconfig
# Note: update the token and the IP address
BOOTSTRAP_TOKEN=MnCwST4J8KAn7qLkMnklR8LytumEBb
KUBE_APISERVER="https://192.168.100.100:6443"
# Set cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=./ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=bootstrap.kubeconfig
# Set client authentication parameters
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=bootstrap.kubeconfig
# Set context parameters
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=bootstrap.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# Create the kube-proxy kubeconfig file
kubectl config set-cluster kubernetes --certificate-authority=./ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy --client-certificate=./kube-proxy.pem --client-key=./kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
ls bootstrap.kubeconfig kube-proxy.kubeconfig
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node01:/opt/kubernetes/cfg/
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@node02:/opt/kubernetes/cfg/
cd /data/src/kubernetes/server/bin
scp kubelet kube-proxy root@node01:/opt/kubernetes/bin/
scp kubelet kube-proxy root@node02:/opt/kubernetes/bin/
node:
- node01 192.168.100.101 10.0.0.2
- node02 192.168.100.102 10.0.0.3
vim /opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true --v=4 --hostname-override=192.168.100.101 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfg/kubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
* --hostname-override host name shown in the cluster
* --kubeconfig path of the kubeconfig file; it is generated automatically
* --bootstrap-kubeconfig the bootstrap.kubeconfig file generated above
* --cert-dir directory where issued certificates are stored
* --pod-infra-container-image image that manages the Pod network (the pause container)
vim /opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.100.101
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS: ["10.0.0.2"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
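The kubelet.config above enables anonymous authentication, keeps the unauthenticated read-only port 10255 open, and sets no authorization mode. As an added example, not code from the original post, the following reads a copy of that file (embedded as constructed input) with a parser for just the YAML subset it uses and reports each exposed setting together with the value to set instead.

```python
# Constructed input: the page's /opt/kubernetes/cfg/kubelet.config for node01.
PAGE_KUBELET_CONFIG = """\
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.100.101
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS: ["10.0.0.2"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
"""

def parse_kubelet_yaml(text):
    """Parse just the YAML subset this file uses; not a general YAML parser."""
    root, stack = {}, []                      # stack holds (indent, mapping)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1] if stack else root
        if not value:                         # a nested mapping follows
            parent[key] = child = {}
            stack.append((indent, child))
        elif value.startswith("["):           # flow list such as ["10.0.0.2"]
            parent[key] = [v.strip(' "') for v in value[1:-1].split(",")]
        elif value in ("true", "false"):
            parent[key] = value == "true"
        else:
            parent[key] = int(value) if value.isdigit() else value
    return root

def audit_kubelet_config(text):
    """One finding per exposed setting, each with the value to set instead."""
    cfg = parse_kubelet_yaml(text)
    checks = [
        (cfg.get("readOnlyPort", 10255) != 0,  # v1beta1 default is 10255 when unset
         "readOnlyPort answers /pods and /metrics unauthenticated; set readOnlyPort: 0"),
        (cfg.get("authentication", {}).get("anonymous", {}).get("enabled", False),
         "anonymous auth is on for port 10250; set anonymous.enabled: false and webhook.enabled: true"),
        (cfg.get("authorization", {}).get("mode", "AlwaysAllow") != "Webhook",
         "authorization.mode defaults to AlwaysAllow; set authorization.mode: Webhook"),
    ]
    return [message for failed, message in checks if failed]
```

With anonymous auth off, kube-apiserver needs a client certificate the kubelet trusts for kubectl logs and exec (--kubelet-client-certificate and --kubelet-client-key signed by the page's CA, with authentication.x509.clientCAFile set to /opt/kubernetes/ssl/ca.pem on the kubelet); webhook authentication and authorization use the kubelet.kubeconfig the page already configures.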
vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
kubectl get csr
kubectl certificate approve <name>
kubectl get node
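The page approves each pending CSR by name. As an added example, not code from the original post, the following selects only pending CSRs submitted by the page's kubelet-bootstrap token user in its system:kubelet-bootstrap group that request a client certificate with the usages a v1.13 kubelet asks for, and hands just those to kubectl certificate approve; it runs over a constructed stand-in for kubectl get csr -o json and does not inspect the CSR's X.509 subject.

```python
import json
import subprocess

BOOTSTRAP_USER = "kubelet-bootstrap"          # column 2 of the page's token.csv
BOOTSTRAP_GROUP = "system:kubelet-bootstrap"  # column 4 of the page's token.csv
# Usages a v1.13 kubelet requests for its bootstrap (client) certificate.
CLIENT_USAGES = {"digital signature", "key encipherment", "client auth"}

def _csr(name, user, usages, groups=(BOOTSTRAP_GROUP,), approved=False):
    """One item in the shape of `kubectl get csr -o json` (constructed sample)."""
    return {"metadata": {"name": name},
            "spec": {"username": user, "groups": list(groups), "usages": usages},
            "status": {"conditions": [{"type": "Approved"}]} if approved else {}}

# Constructed stand-in for `kubectl get csr -o json`; not real cluster output.
SAMPLE_CSR_LIST = json.dumps({"items": [
    _csr("node-csr-AAAA", BOOTSTRAP_USER, sorted(CLIENT_USAGES)),                 # approve
    _csr("node-csr-BBBB", BOOTSTRAP_USER, ["server auth"]),                        # serving cert: review by hand
    _csr("node-csr-CCCC", BOOTSTRAP_USER, sorted(CLIENT_USAGES), approved=True),   # already decided
    _csr("csr-DDDD", "system:serviceaccount:default:default", sorted(CLIENT_USAGES),
         groups=("system:serviceaccounts",)),                                      # wrong requester
]})

def approvable_csrs(csr_list_json):
    """Names of pending CSRs that the bootstrap identity submitted for a node
    client certificate; anything else is left for a human to inspect."""
    names = []
    for item in json.loads(csr_list_json)["items"]:
        spec = item.get("spec", {})
        pending = not item.get("status", {}).get("conditions")
        if (pending and spec.get("username") == BOOTSTRAP_USER
                and BOOTSTRAP_GROUP in spec.get("groups", [])
                and set(spec.get("usages", [])) == CLIENT_USAGES):
            names.append(item["metadata"]["name"])
    return names

def approve(names, run=subprocess.run):
    """Approve each selected CSR, the same command the page runs by hand."""
    for name in names:
        run(["kubectl", "certificate", "approve", name], check=True)

if __name__ == "__main__":
    live = subprocess.run(["kubectl", "get", "csr", "-o", "json"],
                          capture_output=True, text=True, check=True).stdout
    approve(approvable_csrs(live))
```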
kube-proxy
vim /opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true --v=4 --hostname-override=192.168.100.101 --cluster-cidr=10.0.0.0/24 --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
Check
kubectl get componentstatus
kubectl get node
Start a test workload
kubectl run nginx --image=nginx --replicas=3
kubectl get pods -o wide
kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort
kubectl get svc nginx