一 、k8s1.12優化 二進位制安裝(非常方便維護)
1.12我將採用更加優化的部署方式,方便維護管理
環境規劃參考:
各個元件證書依賴
1、安裝證書工具:
2、etcd安裝
3、flanneld 安裝
4、docker配置
5、配置k8s元件證書
6、安裝master元件
7、安裝node元件
8 增加節點
1、安裝證書工具:
cd /opt/ssl wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x * mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2、etcd安裝
採用最新的etcd安裝包
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
之前裝過的需要將/var/lib/etcd刪掉,不然會報錯。
配置etcd證書:
[[email protected] ssl]# cat etcd-cert.sh cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "www": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- cat > server-csr.json <<EOF { "CN": "etcd", "hosts": [ "192.168.1.6", "192.168.1.7", "192.168.1.8" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
執行該指令碼,然後將ca和server相關的pem拷貝到指定路徑
cp ca*.pem /opt/etcd/ssl/
cp server*.pem /opt/etcd/ssl/
編寫安裝指令碼:
vim etcd.sh #!/bin/bash # example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380 ETCD_NAME=$1 ETCD_IP=$2 ETCD_CLUSTER=$3 WORK_DIR=/opt/etcd cat <<EOF >$WORK_DIR/cfg/etcd #[Member] ETCD_NAME="${ETCD_NAME}" ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380" ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380" ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379" ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" EOF cat <<EOF >/usr/lib/systemd/system/etcd.service [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify EnvironmentFile=${WORK_DIR}/cfg/etcd ExecStart=${WORK_DIR}/bin/etcd \ --name=\${ETCD_NAME} \ --data-dir=\${ETCD_DATA_DIR} \ --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \ --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=\${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \ --initial-cluster-state=new \ --cert-file=${WORK_DIR}/ssl/server.pem \ --key-file=${WORK_DIR}/ssl/server-key.pem \ --peer-cert-file=${WORK_DIR}/ssl/server.pem \ --peer-key-file=${WORK_DIR}/ssl/server-key.pem \ --trusted-ca-file=${WORK_DIR}/ssl/ca.pem \ --peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable etcd systemctl restart etcd
執行指令碼:
chmod +x etcd.sh
./etcd.sh etcd01 192.168.1.6 etcd02=https://192.168.1.7:2380,etcd03=https://192.168.1.8:2380
檢測:
ps aux |grep ecd
分發檔案到另外2個節點:
scp -r etcd 192.168.1.7:/opt/
scp -r etcd 192.168.1.8:/opt/
scp /usr/lib/systemd/system/etcd.service 192.168.1.7:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service 192.168.1.8:/usr/lib/systemd/system/
將/opt/etcd/cfg/etcd配置檔案修改成對應的ip,不懂的參考1.10.7安裝etcd
將節點的etcd啟動:
systemctl enable etcd
systemctl start etcd
檢測etcd健康:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" cluster-health
如果健康檢測通過了,但是systemctl status etcd出現了證書相關的問題,不用理會,例如:
3、flanneld 安裝
我們先在master上面操作,即192.168.1.6
下載二進位制包:
此處我們用的比較新的0.10版本
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
將解壓後得到的可執行檔案放入我們之定義的路徑下面
cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/
分配自網段:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
測試:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" get /coreos.com/network/config
配置flannel檔案
[[email protected] shell]# cat flannel.sh
#!/bin/bash
# ./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
cat <<EOF >/usr/lib/systemd/system/dockerd.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart dockerd
執行該指令碼:
後面引數是etcd叢集地址
./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
啟動:
systemctl enable flanneld
systemctl start flanneld
測試flanneld:
cat /run/flannel/subnet.env
systemctl status flanneld.service
然後將檔案分發下去,其他節點也裝上flannel,不用做任何變動:
scp -r /opt/kubernetes 192.168.1.6:/opt/
scp -r /opt/kubernetes 192.168.1.7:/opt/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.6:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.7:/usr/lib/systemd/system/
4、docker配置
docker和1.10.7一樣,這一塊沒有變動
cat <<EOF >/usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl restart docker
檢視ifconfig 中 會出現一個flannel 網路,並且flannel和docker0 網路段會相同
檢視docker程序可以檢測:
[[email protected] shell]# ps -ef |grep docker
root 8548 1 0 11:59 ? 00:00:31 /usr/bin/dockerd --bip=172.17.56.1/24 --ip-masq=false --mtu=1450
root 8555 8548 0 11:59 ? 00:00:51 docker-containerd --config /var/run/docker/containerd/containerd.toml
root 22005 7466 0 15:02 pts/1 00:00:00 grep --color=auto docker
所有節點都進行此操作
5、配置k8s元件證書
生成證書指令碼:
[[email protected] k8s-crt]# cat k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.1.6",
"192.168.1.7",
"192.168.1.8",
"192.168.1.9",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
執行該指令碼會生成一堆證書,我們可以將需要的證書放置指定路徑,其中的ip是我們需要的各個與k8s相關的指令碼
sh k8s-cert.sh
[[email protected] k8s-crt]# ls
admin.csr admin-key.pem ca-config.json ca-csr.json ca.pem kube-proxy.csr kube-proxy-key.pem server.csr server-key.pem
admin-csr.json admin.pem ca.csr ca-key.pem k8s-cert.sh kube-proxy-csr.json kube-proxy.pem server-csr.json server.pem
6、安裝master元件
下載最新包:
wget https://storage.googleapis.com/kubernetes-release/release/v1.12.1/kubernetes-server-linux-amd64.tar.gz
tar xvf kubernetes-server-linux-amd64.tar.gz
將需要的包拷貝到指定路徑:
cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
生成k8s需要的token
[[email protected] shell]# cat token.sh
token=$(head -c 10 /dev/urandom |od -An -t x|tr -d ' ')
cat <<EOF >/opt/kubernetes/cfg/token.csv
${token},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
執行該指令碼會在/opt/kubernetes/cfg/ 生產一個token檔案
配置kube-apiserver
[[email protected] shell]# cat apiserver.sh
#!/bin/bash
#./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
MASTER_ADDRESS=$1
ETCD_SERVERS=$2
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
執行該指令碼:
./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
其中第一個引數代表本機ip,第二個代表etcd ip組
檢測:systemctl status kube-apiserver
配置kube-controller-manager
[[email protected] shell]# cat controller-manager.sh
#!/bin/bash
#./controller-manager.sh 127.0.0.1
MASTER_ADDRESS=$1
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
執行該指令碼:
./controller-manager.sh 127.0.0.1
檢測:systemctl status kube-controller-manager.service
配置:kube-scheduler
[[email protected] shell]# cat scheduler.sh
#!/bin/bash
#./scheduler.sh 127.0.0.1
MASTER_ADDRESS=$1
cat <<EOF >/opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
執行該指令碼:
./scheduler.sh 127.0.0.1
檢測:
systemctl status kube-scheduler.service
netstat -lnp |grep 8080
7、安裝node元件
a、首先我們在master上面建立使用者認證:
將kubelete-bootstrap使用者繫結在叢集角色上
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
如果有可以先刪除:
kubectl delete clusterrolebinding kubelet-bootstrap
如果有缺少對system:anonymous使用者的授權,kubelet啟動的時候會報錯如下:
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User “system:anonymous” cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
我們還需要對 system:anonymous使用者的授權,不然以後node階節點匿名向主節點傳遞資訊的時候會有問題:
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
將node節點需要的執行檔案分發下去:
從我們解壓的安裝包獲取相關檔案
cd /root/kubernetes/server/bin
scp kubelet kube-proxy 192.168.1.7:/opt/kubernetes/bin/
scp kubelet kube-proxy 192.168.1.8:/opt/kubernetes/bin/
b、建立kubeconfig 檔案
注意:這裡的BOOTSTRAP_TOKEN 的值需要用我們之前生成的值,就是token.scv裡面的值
[[email protected] shell]# cat kubeconfig.sh
# 建立 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
#cat > token.csv <<EOF
#${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
#EOF
#----------------------
APISERVER=$1
SSL_DIR=$2
# ./kubeconfig.sh 192.168.1.6 /opt/k8s-crt
# 建立kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# 設定叢集引數
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# 設定客戶端認證引數
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig
# 設定上下文引數
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# 設定預設上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# 建立kube-proxy kubeconfig檔案
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
執行該指令碼:
./kubeconfig.sh 192.168.1.6 /opt/k8s-crt
將生成的2個配置檔案分發到node節點上去
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
c、安裝node元件
編輯kubelet安裝指令碼:
[[email protected] shell]# cat kubelet.sh
#!/bin/bash
#./kubelet.sh 192.168.1.7 10.0.0.2
NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}
cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--address=${NODE_ADDRESS} \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
cat <<EOF >/opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
readOnlyPort: 10255
authentication:
anonymous:
enabled: true
EOF
cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
執行次指令碼:
./kubelet.sh 192.168.1.7 10.0.0.2
此時會在ssl下面生成一些證書相關的檔案,
檢測:
ps -ef |grep kubelet
安裝proxy檔案指令碼
[[email protected] shell]# cat proxy.sh
#!/bin/bash
#./proxy.sh 192.168.1.7
NODE_ADDRESS=$1
cat <<EOF >/opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
執行次指令碼:
./proxy.sh 192.168.1.7
檢測:
systemctl status kube-proxy.service
此時我們第一臺node已經安裝好,我們可以在master上檢測是否有節點資訊請求註冊:
[[email protected] shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 10m system:kubelet-bootstrapPending
通過請求:
[[email protected] shell]# kubectl certificate approve node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ
此時狀態已經改變:
[[email protected] shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 16m system:kubelet-bootstrap Approved,Issued
檢視k8s節點:
[[email protected] shell]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.1.7 Ready <none> 13s v1.12.1
8 增加節點:
此時我們加入另一臺就顯得非常簡單:
首先kubelet.kubeconfig,kube-proxy.kubeconfig,這2個配置檔案必須之前已經分發過來
我們加入安裝指令碼:
./kubelet.sh 192.168.1.8 10.0.0.2
./proxy.sh 192.168.1.8
執行指令碼,然後去master :
kubectl get csr 檢視節點是否自動註冊過來,然後加入便可