1.二进制部署kubernetes
<p></p><div class="toc"><div class="toc-container-header">目录</div><ul><li><strong>kubernetes的五个组件</strong><ul><li><strong>master节点的三个组件</strong><ul><li><strong>kube-apiserver</strong></li><li><strong>kube-controller-manager</strong></li><li><strong>kube-scheduler</strong></li></ul></li><li><strong>node节点的两个组件</strong><ul><li><strong>kubelet</strong></li><li><strong>kube-proxy</strong></li></ul></li></ul></li><li><strong>1.集群架构</strong></li><li><strong>2.基础环境准备</strong><ul><li><strong>2.1.系统设置</strong><ul><li><strong>2.1.1.设置主机名</strong></li><li><strong>2.1.2.关闭防火墙和selinux</strong></li><li><strong>2.1.3.设置网卡</strong></li><li><strong>2.1.4.设置yum源</strong></li><li><strong>2.1.5.安装常用工具</strong></li></ul></li><li><strong>2.2.安装bind服务</strong><ul><li><strong>2.2.1.安装bind 9</strong></li><li><strong>2.2.2.配置bind 9</strong></li><li><strong>2.2.3.检查配置并启动bind 9</strong></li><li><strong>2.2.4.检查</strong></li><li><strong>2.2.5.配置DNS客户端</strong></li><li><strong>2.2.6.检查</strong></li></ul></li><li><strong>2.3.准备签发证书环境</strong><ul><li><strong>2.3.1.安装cfssl</strong></li><li><strong>2.3.2.创建生成ca证书csr的json配置文件</strong></li><li><strong>2.3.3.生成ca证书文件</strong></li></ul></li><li><strong>2.4.部署docker</strong><ul><li><strong>2.4.1.安装</strong></li><li><strong>2.4.2.配置</strong></li><li><strong>2.4.3.启动</strong></li></ul></li><li><strong>2.5.部署docker镜像私有仓库harbor</strong><ul><li><strong>2.5.1.下载软件并解压</strong></li><li><strong>2.5.2.配置</strong></li><li><strong>2.5.3.安装docker-compose</strong></li><li><strong>2.5.4.安装harbor</strong></li><li><strong>2.5.5.检查harbor启动情况</strong></li><li><strong>2.5.6.配置harbor的dns内网解析</strong></li><li><strong>2.5.7.安装NGINX并配置</strong></li><li><strong>2.5.8.浏览器打开harbor.od.com并测试</strong></li><li><strong>2.5.9.检查</strong></li></ul></li></ul></li><li><strong>3.部署master节点</strong><ul><li><strong>3.1.部署etcd集群</strong><ul><li><strong>3.1.1.集群架构</strong></li><li><strong>3.1.2.创建基于根证书的config配置文件</strong></li><li><strong>3.1.3.创建生成自签发证书的csr的json配置文件</strong></li><li><strong>3.1.4.生成etcd证书</strong>文件</li><li><strong>3.1.5.检查生成的证书</strong>文件</li><li><strong>3.1.6.创建etcd用户</strong></li><li><strong>3.1.7.下载软件,解压,做软连接</strong></li><li><strong>3.1.8.创建目录,拷贝证书文件</strong></li><li><strong>3.1.9.创建etcd服务启动脚本</strong></li><li><strong>3.1.10.授权目录权限</strong></li><li><strong>3.1.11.安装supervisor软件</strong></li><li><strong>3.1.12.创建supervisor配置</strong></li><li><strong>3.1.13.启动etcd服务并检查</strong></li><li><strong>3.1.14.部署启动所有集群</strong></li><li><strong>3.1.15.检查集群状态</strong></li></ul></li><li><strong>3.2.部署kube-apiserver集群</strong><ul><li><strong>3.2.1.集群架构</strong></li><li><strong>3.2.2.下载软件,解压,做软连接</strong></li><li><strong>3.2.3.签发client证书</strong></li><li><strong>3.2.4.签发kube-apiserver证书</strong></li><li><strong>3.2.5.拷贝证书文件至各节点,并创建配置</strong></li><li><strong>3.2.6.创建apiserver启动脚本</strong></li><li><strong>3.2.7.授权和创建目录</strong></li><li><strong>3.2.8.创建supervisor配置</strong></li><li><strong>3.2.9.启动服务并检查</strong></li><li><strong>3.2.10.部署启动所有集群</strong></li></ul></li><li><strong>3.3.部署四层反向代理</strong><ul><li><strong>3.3.1.集群架构</strong></li><li><strong>3.3.2.安装NGINX和keepalived</strong></li><li><strong>3.3.3.启动代理并检查</strong></li></ul></li><li><strong>3.4.部署controller-manager</strong><ul><li><strong>3.4.1.集群架构</strong></li><li><strong>3.4.2.创建启动脚本</strong></li><li><strong>3.4.3.授权文件权限,创建目录</strong></li><li><strong>3.4.4.创建supervisor配置</strong></li><li><strong>3.4.5.启动服务并检查</strong></li><li><strong>3.4.6.部署启动所有集群</strong></li></ul></li><li><strong>3.5.部署kube-scheduler</strong><ul><li><strong>3.5.1.集群架构</strong></li><li><strong>3.5.2.创建启动脚本</strong></li><li><strong>3.5.3.授权文件权限,创建目录</strong></li><li><strong>3.5.4.创建supervisor配置</strong></li><li><strong>3.5.5.启动服务并检查</strong></li><li><strong>3.5.6.部署启动所有集群</strong></li></ul></li><li><strong>3.6.检查master节点</strong><ul><li><strong>3.6.1.建立kubectl软链接</strong></li><li><strong>3.6.2.检查master节点</strong></li></ul></li></ul></li><li><strong>4.部署node节点</strong><ul><li><strong>4.1.部署kubelet</strong><ul><li><strong>4.1.1.集群架构</strong></li><li><strong>4.1.2.签发kubelet证书</strong></li><li><strong>4.1.3.拷贝证书文件至各节点,并创建配置</strong></li><li><strong>4.1.4.准备pause基础镜像</strong></li><li><strong>4.1.5.创建kubelet启动脚本</strong></li><li><strong>4.1.6.授权,创建目录</strong></li><li><strong>4.1.7.创建supervisor配置</strong></li><li><strong>4.1.8.启动服务并检查</strong></li><li><strong>4.1.9.部署所有节点</strong></li><li><strong>4.1.10.检查所有节点并给节点打上标签</strong></li></ul></li><li><strong>4.2.部署kube-proxy</strong><ul><li><strong>4.2.1.集群架构</strong></li><li><strong>4.2.2.签发kube-proxy证书</strong></li><li><strong>4.2.3.拷贝证书文件至各节点,并创建配置</strong></li><li><strong>4.2.4.创建kube-proxy启动脚本</strong></li><li><strong>4.2.5.授权,创建目录</strong></li><li><strong>4.2.6.创建supervisor配置</strong></li><li><strong>4.2.7.启动服务并检查</strong></li><li><strong>4.2.8.部署所有节点</strong></li></ul></li></ul></li><li><strong>5.验证kubernetes集群</strong><ul><li><strong>5.1.在任意一个节点上创建一个资源配置清单</strong></li><li><strong>5.2.应用资源配置,并检查</strong><ul><li><strong>5.2.1.hdss7-21.host.com上</strong></li><li><strong>5.2.2.hdss7-22.host.com上</strong></li><li><strong>5.2.3.查看kubernetes是否搭建好</strong></li></ul></li></ul></li></ul></div><p></p><h4 id="kubernetes的五个组件"><strong>kubernetes的五个组件</strong></h4>
<h5 id="master节点的三个组件"><strong>master节点的三个组件</strong></h5>
<h6 id="kube-apiserver"><strong>kube-apiserver</strong></h6>
<pre><code>整个集群的唯一入口,并提供认证、授权、访问控制、API注册和发现等机制。
</code></pre>
<h6 id="kube-controller-manager"><strong>kube-controller-manager</strong></h6>
<pre><code>控制器管理器
负责维护集群的状态,比如故障检测、自动扩展、滚动更新等。保证资源到达期望值。
</code></pre>
<h6 id="kube-scheduler"><strong>kube-scheduler</strong></h6>
<pre><code>调度器
经过策略调度POD到合适的节点上面运行。分别有预选策略和优选策略。
</code></pre>
<h5 id="node节点的两个组件"><strong>node节点的两个组件</strong></h5>
<h6 id="kubelet"><strong>kubelet</strong></h6>
<pre><code>在集群节点上运行的代理,kubelet会通过各种机制来确保容器处于运行状态且健康。kubelet不会管理不是由kubernetes创建的容器。kubelet接收POD的期望状态(副本数、镜像、网络等),并调用容器运行环境来实现预期状态。
kubelet会定时汇报节点的状态给apiserver,作为scheduler调度的基础。kubelet会对镜像和容器进行清理,避免不必要的文件资源占用。
</code></pre>
<h6 id="kube-proxy"><strong>kube-proxy</strong></h6>
<pre><code>kube-proxy是集群中节点上运行的网络代理,是实现service资源功能组件之一。kube-proxy建立了POD网络和集群网络之间的关系。不同node上的service流量转发规则会通过kube-proxy来调用apiserver访问etcd进行规则更新。
service流量调度方式有三种方式:userspace(废弃,性能很差)、iptables(性能差,复杂,即将废弃)、ipvs(性能好,转发方式清晰)。
</code></pre>
<h4 id="1集群架构"><strong>1.集群架构</strong></h4>
<table>
<thead>
<tr>
<th style="text-align: center"><strong>主机名</strong></th>
<th style="text-align: center"><strong>IP地址</strong></th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-11.host.com</td>
<td style="text-align: center">10.4.7.11</td>
</tr>
<tr>
<td style="text-align: center">hdss7-12.host.com</td>
<td style="text-align: center">10.4.7.12</td>
</tr>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
<tr>
<td style="text-align: center">hdss7-200.host.com</td>
<td style="text-align: center">10.4.7.200</td>
</tr>
</tbody>
</table>
<h4 id="2基础环境准备"><strong>2.基础环境准备</strong></h4>
<h5 id="21系统设置"><strong>2.1.系统设置</strong></h5>
<h6 id="211设置主机名"><strong>2.1.1.设置主机名</strong></h6>
<pre><code>hostnamectl set-hostname hdss7-xx.host.com
</code></pre>
<h6 id="212关闭防火墙和selinux"><strong>2.1.2.关闭防火墙和selinux</strong></h6>
<pre><code>systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
</code></pre>
<h6 id="213设置网卡"><strong>2.1.3.设置网卡</strong></h6>
<pre><code>cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
BOOTPROTO=none
NAME=eth0
DEVICE=eth0
ONBOOT=yes
IPADDR=10.4.7.xx
NETMASK=255.255.255.0
GATEWAY=10.4.7.254
DNS1=10.4.7.254
</code></pre>
<h6 id="214设置yum源"><strong>2.1.4.设置yum源</strong></h6>
<pre><code>wget -O /etc/yum.repos.d/CentOS-Base.repohttp://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repohttp://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
</code></pre>
<h6 id="215安装常用工具"><strong>2.1.5.安装常用工具</strong></h6>
<pre><code>yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
</code></pre>
<h5 id="22安装bind服务"><strong>2.2.安装bind服务</strong></h5>
<p><strong>hdss7-11.host.com 上</strong></p>
<h6 id="221安装bind-9"><strong>2.2.1.安装bind 9</strong></h6>
<pre><code>yum install bind -y
</code></pre>
<h6 id="222配置bind-9"><strong>2.2.2.配置bind 9</strong></h6>
<pre><code>vi /etc/named.conf
listen-on port 53 { 10.4.7.11; };
allow-query { any; };
forwarders { 10.4.7.254; };
recursion yes;
dnssec-enable no;
dnssec-validation no
##########
named-checkconf
vi /etc/named.rfc1912.zones
zone "host.com" IN {
typemaster;
file"host.com.zone";
allow-update { 10.4.7.11; };
};
zone "od.com" IN {
typemaster;
file"od.com.zone";
allow-update { 10.4.7.11; };
};
##########
vi/var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOAdns.host.com. dnsadmin.host.com. (
2020032001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
HDSS7-11 A 10.4.7.11
HDSS7-12 A 10.4.7.12
HDSS7-21 A 10.4.7.21
HDSS7-22 A 10.4.7.22
HDSS7-200 A 10.4.7.200
##########
vi/var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOAdns.od.com. dnsadmin.od.com. (
2020032001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
</code></pre>
<h6 id="223检查配置并启动bind-9"><strong>2.2.3.检查配置并启动bind 9</strong></h6>
<pre><code>named-checkconf
systemctl start named
netstat -lntup|grep 53
</code></pre>
<h6 id="224检查"><strong>2.2.4.检查</strong></h6>
<pre><code># dig -t A hdss7-11.host.com @10.4.7.11 +short
10.4.7.11
# dig -t A hdss7-12.host.com @10.4.7.11+short
10.4.7.12
# dig -t A hdss7-21.host.com @10.4.7.11+short
10.4.7.21
# dig -t A hdss7-22.host.com @10.4.7.11+short
10.4.7.22
# dig -t A hdss7-200.host.com @10.4.7.11+short
10.4.7.200
</code></pre>
<h6 id="225配置dns客户端"><strong>2.2.5.配置DNS客户端</strong></h6>
<p><strong>Linux所有主机</strong></p>
<pre><code>vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.4.7.11
##########
vi /etc/resolv.conf
search host.com
nameserver 10.4.7.11
##########
systemctl restart network
</code></pre>
<p><strong>Windows主机</strong></p>
<pre><code>wmnet8网卡更改DNS:10.4.7.11
</code></pre>
<h6 id="226检查"><strong>2.2.6.检查</strong></h6>
<p><strong>Linux</strong></p>
<pre><code>ping www.baidu.com
ping hdss7-200
</code></pre>
<p><strong>Windows</strong></p>
<pre><code>ping hdss7-200.host.com
</code></pre>
<h5 id="23准备签发证书环境"><strong>2.3.准备签发证书环境</strong></h5>
<p><strong>hdss7-200.host.com 上</strong></p>
<h6 id="231安装cfssl"><strong>2.3.1.安装cfssl</strong></h6>
<pre><code>wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*
</code></pre>
<h6 id="232创建生成ca证书csr的json配置文件"><strong>2.3.2.创建生成ca证书csr的json配置文件</strong></h6>
<pre><code>mkdir /opt/certs
vi/opt/certs/ca-csr.json
{
"CN": "OldboyEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
</code></pre>
<h6 id="233生成ca证书文件"><strong>2.3.3.生成ca证书文件</strong></h6>
<pre><code>cd /opt/certs
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
ll
ca.csr
ca-csr.json
ca-key.pem
ca.pem
</code></pre>
<h5 id="24部署docker"><strong>2.4.部署docker</strong></h5>
<p><strong>hdss7-21.host.com,hdss7-22.host.com,hdss7-200.host.com上</strong></p>
<h6 id="241安装"><strong>2.4.1.安装</strong></h6>
<pre><code># curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
</code></pre>
<h6 id="242配置"><strong>2.4.2.配置</strong></h6>
<pre><code>mkdir/etc/docker
vi/etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
##########
bip要根据宿主机ip变化
注意:hdss7-21.host.com bip 172.7.21.1/24
hdss7-22.host.com bip 172.7.22.1/24
hdss7-200.host.combip 172.7.200.1/24
</code></pre>
<h6 id="243启动"><strong>2.4.3.启动</strong></h6>
<pre><code>mkdir -p /data/docker
systemctl start docker
systemctl enable docker
docker --version
</code></pre>
<h5 id="25部署docker镜像私有仓库harbor"><strong>2.5.部署docker镜像私有仓库harbor</strong></h5>
<p><strong>hdss7-200.host.com 上</strong></p>
<h6 id="251下载软件并解压"><strong>2.5.1.下载软件并解压</strong></h6>
<pre><code>harbor官网github地址
https://github.com/goharbor/harbor
# tar xf harbor-offline-installer-v1.8.3.tgz -C /opt/
# mv harbor/ harbor-v1.8.3
# ln -s /opt/harbor-v1.8.3/ /opt/harbor
</code></pre>
<h6 id="252配置"><strong>2.5.2.配置</strong></h6>
<pre><code># vi /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
port: 180
harbor_admin_password:Harbor12345
data_volume: /data/harbor
log:
level:info
rotate_count:50
rotate_size:200M
location: /data/harbor/logs
# mkdir -p /data/harbor/logs
</code></pre>
<h6 id="253安装docker-compose"><strong>2.5.3.安装docker-compose</strong></h6>
<pre><code># yum install docker-compose -y
</code></pre>
<h6 id="254安装harbor"><strong>2.5.4.安装harbor</strong></h6>
<pre><code># ./install.sh
</code></pre>
<h6 id="255检查harbor启动情况"><strong>2.5.5.检查harbor启动情况</strong></h6>
<pre><code># docker-compose ps
# docker ps -a
</code></pre>
<h6 id="256配置harbor的dns内网解析"><strong>2.5.6.配置harbor的dns内网解析</strong></h6>
<pre><code># vi /var/named/od.com.zone
2020032002 ; serial
harbor A 10.4.7.200
# systemctl restart named
# dig -t A harbor.od.com +short
10.4.7.200
</code></pre>
<h6 id="257安装nginx并配置"><strong>2.5.7.安装NGINX并配置</strong></h6>
<pre><code># yum install nginx -y
# vi /etc/nginx/conf.d/harbor.od.com.conf
server {
listen 80;
server_nameharbor.od.com;
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
# nginx -t
# systemctl start nginx
# systemctl enable nginx
</code></pre>
<h6 id="258浏览器打开harborodcom并测试"><strong>2.5.8.浏览器打开harbor.od.com并测试</strong></h6>
<pre><code># curl harbor.od.com
</code></pre>
<p><strong>1、浏览器输入:harbor.od.com 用户名:admin 密码:Harbor12345</strong></p>
<p><strong>2、新建项目:public访问级别:公开</strong></p>
<p><strong>3、下载镜像并给镜像打tag</strong></p>
<pre><code># docker pull nginx:1.7.9
# docker images |grep 1.7.9
# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9
</code></pre>
<p><strong>4、登录harbor并上传到仓库</strong></p>
<pre><code># docker login harbor.od.com
# docker push harbor.od.com/public/nginx:v1.7.9
</code></pre>
<h6 id="259检查"><strong>2.5.9.检查</strong></h6>
<p><strong>可以看到NGINX镜像已经上传到public下</strong></p>
<h4 id="3部署master节点"><strong>3.部署master节点</strong></h4>
<h5 id="31部署etcd集群"><strong>3.1.部署etcd集群</strong></h5>
<h6 id="311集群架构"><strong>3.1.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">ip地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-12.host.com</td>
<td style="text-align: center">lead</td>
<td style="text-align: center">10.4.7.12</td>
</tr>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">follow</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">follow</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-12.host.com为例</strong></p>
<h6 id="312创建基于根证书的config配置文件"><strong>3.1.2.创建基于根证书的config配置文件</strong></h6>
<p><strong>hdss7-200上</strong></p>
<pre><code># vi /opt/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
</code></pre>
<h6 id="313创建生成自签发证书的csr的json配置文件"><strong>3.1.3.创建生成自签发证书的csr的json配置文件</strong></h6>
<pre><code># vi /opt/certs/etcd-peer-csr.json
{
"CN": "k8s-etcd",
"hosts": [
"10.4.7.11",
"10.4.7.12",
"10.4.7.21",
"10.4.7.22"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<h6 id="314生成etcd证书文件"><strong>3.1.4.生成etcd证书</strong>文件</h6>
<pre><code># cd /opt/certs/
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
</code></pre>
<h6 id="315检查生成的证书文件"><strong>3.1.5.检查生成的证书</strong>文件</h6>
<pre><code># ll
etcd-peer.csr
etcd-peer-csr.json
etcd-peer-key.pem
etcd-peer.pem
</code></pre>
<h6 id="316创建etcd用户"><strong>3.1.6.创建etcd用户</strong></h6>
<p><strong>hdss7-12上</strong></p>
<pre><code># useradd -s /sbin/nologin -M etcd
</code></pre>
<h6 id="317下载软件解压做软连接"><strong>3.1.7.下载软件,解压,做软连接</strong></h6>
<pre><code>https://github.com/etcd-io/etcd/tags
# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
# cd ..
# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
# ln -s /opt/etcd-v3.1.20/ /opt/etcd
</code></pre>
<h6 id="318创建目录拷贝证书文件"><strong>3.1.8.创建目录,拷贝证书文件</strong></h6>
<p><strong>创建证书目录、数据目录、日志目录</strong></p>
<pre><code># mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
</code></pre>
<p><strong>拷贝生成的证书文件</strong></p>
<pre><code># scp hdss7-200:/opt/certs/ca.pem .
# scp hdss7-200:/opt/certs/etcd-peer.pem .
# scp hdss7-200:/opt/certs/etcd-peer-key.pem .
</code></pre>
<h6 id="319创建etcd服务启动脚本"><strong>3.1.9.创建etcd服务启动脚本</strong></h6>
<pre><code># vi /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-clusteretcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth\
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
# chmod +x /opt/etcd/etcd-server-startup.sh
</code></pre>
<h6 id="3110授权目录权限"><strong>3.1.10.授权目录权限</strong></h6>
<pre><code># chown -R etcd.etcd /opt/etcd-v3.1.20/ /data/etcd//data/logs/etcd-server/
</code></pre>
<h6 id="3111安装supervisor软件"><strong>3.1.11.安装supervisor软件</strong></h6>
<pre><code># yum install supervisor -y
# systemctl start supervisord
# systemctl enable supervisord
</code></pre>
<h6 id="3112创建supervisor配置"><strong>3.1.12.创建supervisor配置</strong></h6>
<pre><code># vi /etc/supervisord.d/etcd-server.ini
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="3113启动etcd服务并检查"><strong>3.1.13.启动etcd服务并检查</strong></h6>
<pre><code># supervisorctl update
# supervisorctl status
# netstat -lntup|grep etcd
</code></pre>
<h6 id="3114部署启动所有集群"><strong>3.1.14.部署启动所有集群</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/opt/etcd/etcd-server-startup.sh
--name
--listen-peer-urls
--listen-client-urls
--initial-advertise-peer-urls
--advertise-client-urls
##########
/etc/supervisord.d/etcd-server.ini
</code></pre>
<h6 id="3115检查集群状态"><strong>3.1.15.检查集群状态</strong></h6>
<pre><code># ./etcdctlcluster-health
# ./etcdctl member list
</code></pre>
<h5 id="32部署kube-apiserver集群"><strong>3.2.部署kube-apiserver集群</strong></h5>
<h6 id="321集群架构"><strong>3.2.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">ip地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">kube-apiserver</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">kube-apiserver</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-21.host.com为例</strong></p>
<h6 id="322下载软件解压做软连接"><strong>3.2.2.下载软件,解压,做软连接</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code>https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2
CHANGELOG-1.15.md--→server binaries--→kubernetes-server-linux-amd64.tar.gz
# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz-C /opt
# mv kubernetes/ kubernetes-v1.15.2
# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
# cd kubernetes
# rm -rf kubernetes-src.tar.gz
# cd server/bin
# rm -f *.tar
# rm -f *_tag
</code></pre>
<h6 id="323签发client证书"><strong>3.2.3.签发client证书</strong></h6>
<p><strong>hdss7-200.host.com上</strong></p>
<p><strong>1、创建生成证书csr的json配置文件</strong></p>
<pre><code>#vi /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p><strong>2、生成client证书文件</strong></p>
<pre><code># cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
</code></pre>
<p><strong>3、检查生成的证书文件</strong></p>
<pre><code># ll
client.csr
client-csr.json
client-key.pem
client.pem
</code></pre>
<h6 id="324签发kube-apiserver证书"><strong>3.2.4.签发kube-apiserver证书</strong></h6>
<p><strong>hdss7-200.host.com上</strong></p>
<p><strong>1、创建生成证书csr的json配置文件</strong></p>
<pre><code># vi /opt/certs/apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p><strong>2、生成kube-apiserver证书文件</strong></p>
<pre><code># cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
</code></pre>
<p><strong>3、检查生成的证书文件</strong></p>
<pre><code># ll
apiserver.csr
apiserver-csr.json
apiserver-key.pem
apiserver.pem
</code></pre>
<h6 id="325拷贝证书文件至各节点并创建配置"><strong>3.2.5.拷贝证书文件至各节点,并创建配置</strong></h6>
<p><strong>1、拷贝证书文件到/opt/kubernetes/server/bin/cert目录下</strong></p>
<pre><code># scp hdss7-200:/opt/certs/ca.pem .
# scp hdss7-200:/opt/certs/ca-key.pem .
# scp hdss7-200:/opt/certs/client.pem .
# scp hdss7-200:/opt/certs/client-key.pem .
# scp hdss7-200:/opt/certs/apiserver.pem .
# scp hdss7-200:/opt/certs/apiserver-key.pem .
</code></pre>
<p><strong>2、创建配置</strong></p>
<pre><code># mkdir conf
# vi audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
</code></pre>
<h6 id="326创建apiserver启动脚本"><strong>3.2.6.创建apiserver启动脚本</strong></h6>
<pre><code># vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir/data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
</code></pre>
<h6 id="327授权和创建目录"><strong>3.2.7.授权和创建目录</strong></h6>
<pre><code> # chmod +x kube-apiserver.sh
# mkdir -p /data/logs/kubernetes/kube-apiserver
</code></pre>
<h6 id="328创建supervisor配置"><strong>3.2.8.创建supervisor配置</strong></h6>
<pre><code>#vi /etc/supervisord.d/kube-apiserver.ini
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="329启动服务并检查"><strong>3.2.9.启动服务并检查</strong></h6>
<pre><code># supervisorctl update
# supervisorctl status
# netstat -nltup|grep kube-api
</code></pre>
<h6 id="3210部署启动所有集群"><strong>3.2.10.部署启动所有集群</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/etc/supervisord.d/kube-apiserver.ini
</code></pre>
<h5 id="33部署四层反向代理"><strong>3.3.部署四层反向代理</strong></h5>
<h6 id="331集群架构"><strong>3.3.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">IP地址</th>
<th style="text-align: center">VIP地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-11.host.com</td>
<td style="text-align: center">L4</td>
<td style="text-align: center">10.4.7.11</td>
<td style="text-align: center">10.4.7.10</td>
</tr>
<tr>
<td style="text-align: center">hdss7-12.host.com</td>
<td style="text-align: center">L4</td>
<td style="text-align: center">10.4.7.12</td>
<td style="text-align: center">10.4.7.10</td>
</tr>
</tbody>
</table>
<h6 id="332安装nginx和keepalived"><strong>3.3.2.安装NGINX和keepalived</strong></h6>
<p><strong>1、hdss7-11.host.com和hdss7-12.host.com都安装NGINX和keepalived</strong></p>
<pre><code># yum install nginx keepalived -y
</code></pre>
<p><strong>2、hdss7-11.host.com和hdss7-12.host.com配置NGINX</strong></p>
<pre><code># vi /etc/nginx/nginx.conf
stream {
upstream kube-apiserver {
server 10.4.7.21:6443 max_fails=3 fail_timeout=30s;
server 10.4.7.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
# nginx -t
</code></pre>
<p><strong>3、hdss7-11.host.com和hdss7-12.host.com配置keepalived</strong></p>
<pre><code>检查脚本
# vi /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
# script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
# interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
# chmod +x /etc/keepalived/check_port.sh
##########
配置文件
keepalived 主:
# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.4.7.11
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
keepalived 从:
# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 251
mcast_src_ip 10.4.7.12
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
nopreempt:非抢占式
</code></pre>
<h6 id="333启动代理并检查"><strong>3.3.3.启动代理并检查</strong></h6>
<pre><code>systemctl start nginx keepalived
systemctl enable nginx keepalived
netstat -lntup|grep nginx
ip addr
</code></pre>
<h5 id="34部署controller-manager"><strong>3.4.部署controller-manager</strong></h5>
<h6 id="341集群架构"><strong>3.4.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">IP地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">controller-manager</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">controller-manager</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-21.host.com为例</strong></p>
<h6 id="342创建启动脚本"><strong>3.4.2.创建启动脚本</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code># vi /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
--cluster-cidr 172.7.0.0/16 \
--leader-elect true \
--log-dir /data/logs/kubernetes/kube-controller-manager \
--master http://127.0.0.1:8080 \
--service-account-private-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--root-ca-file ./cert/ca.pem \
--v 2
</code></pre>
<h6 id="343授权文件权限创建目录"><strong>3.4.3.授权文件权限,创建目录</strong></h6>
<pre><code># chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh
# mkdir -p /data/logs/kubernetes/kube-controller-manager
</code></pre>
<h6 id="344创建supervisor配置"><strong>3.4.4.创建supervisor配置</strong></h6>
<pre><code># vi /etc/supervisord.d/kube-conntroller-manager.ini
command=/opt/kubernetes/server/bin/kube-controller-manager.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="345启动服务并检查"><strong>3.4.5.启动服务并检查</strong></h6>
<pre><code># supervisorctl update
# supervisorctl status
</code></pre>
<h6 id="346部署启动所有集群"><strong>3.4.6.部署启动所有集群</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/etc/supervisord.d/kube-conntroller-manager.ini
</code></pre>
<h5 id="35部署kube-scheduler"><strong>3.5.部署kube-scheduler</strong></h5>
<h6 id="351集群架构"><strong>3.5.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">IP地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">kube-scheduler</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">kube-scheduler</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-21.host.com为例</strong></p>
<h6 id="352创建启动脚本"><strong>3.5.2.创建启动脚本</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code># vi /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
--leader-elect\
--log-dir /data/logs/kubernetes/kube-scheduler \
--master http://127.0.0.1:8080 \
--v 2
</code></pre>
<h6 id="353授权文件权限创建目录"><strong>3.5.3.授权文件权限,创建目录</strong></h6>
<pre><code># chmod +x/opt/kubernetes/server/bin/kube-scheduler.sh
# mkdir -p /data/logs/kubernetes/kube-scheduler
</code></pre>
<h6 id="354创建supervisor配置"><strong>3.5.4.创建supervisor配置</strong></h6>
<pre><code># vi /etc/supervisord.d/kube-scheduler.ini
command=/opt/kubernetes/server/bin/kube-scheduler.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="355启动服务并检查"><strong>3.5.5.启动服务并检查</strong></h6>
<pre><code># supervisorctl update
# supervisorctl status
</code></pre>
<h6 id="356部署启动所有集群"><strong>3.5.6.部署启动所有集群</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/etc/supervisord.d/kube-scheduler.ini
</code></pre>
<h5 id="36检查master节点"><strong>3.6.检查master节点</strong></h5>
<h6 id="361建立kubectl软链接"><strong>3.6.1.建立kubectl软链接</strong></h6>
<pre><code>#ln -s /opt/kubernetes/server/bin/kubectl /usr/bin/kubectl
</code></pre>
<h6 id="362检查master节点"><strong>3.6.2.检查master节点</strong></h6>
<pre><code># kubectl get cs
</code></pre>
<h4 id="4部署node节点"><strong>4.部署node节点</strong></h4>
<h5 id="41部署kubelet"><strong>4.1.部署kubelet</strong></h5>
<h6 id="411集群架构"><strong>4.1.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">IP地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">kubelet</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">kubelet</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-21.host.com为例</strong></p>
<h6 id="412签发kubelet证书"><strong>4.1.2.签发kubelet证书</strong></h6>
<p><strong>hdss7-200.host.com上</strong></p>
<p><strong>1、创建生成证书csr的json配置文件</strong></p>
<pre><code># vi kubelet-csr.json
{
"CN": "k8s-kubelet",
"hosts": [
"127.0.0.1",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23",
"10.4.7.24",
"10.4.7.25",
"10.4.7.26",
"10.4.7.27",
"10.4.7.28"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p><strong>2、生成kubelet证书文件</strong></p>
<pre><code># cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet
</code></pre>
<p><strong>3、检查生成的证书文件</strong></p>
<pre><code># ll
kubelet.csr
kubelet-csr.json
kubelet-key.pem
kubelet.pem
</code></pre>
<h6 id="413拷贝证书文件至各节点并创建配置"><strong>4.1.3.拷贝证书文件至各节点,并创建配置</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<p><strong>1、拷贝证书文件</strong></p>
<pre><code># scp hdss7-200:/opt/certs/kubelet.pem .
# scp hdss7-200:/opt/certs/kubelet-key.pem .
</code></pre>
<p><strong>2、创建配置</strong></p>
<p><strong>(1)、set-cluster</strong></p>
<pre><code># kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kubelet.kubeconfig
</code></pre>
<p><strong>(2)、set-credentials</strong></p>
<pre><code># kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/cert/client.pem \
--client-key=/opt/kubernetes/server/bin/cert/client-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig
</code></pre>
<p><strong>(3)、set-context</strong></p>
<pre><code># kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=kubelet.kubeconfig
</code></pre>
<p><strong>(4)、use-context</strong></p>
<pre><code># kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
</code></pre>
<p><strong>(5)、查看生成的kubelet.kubeconfig</strong></p>
<pre><code># ll
kubelet.kubeconfig
</code></pre>
<p><strong>(6)、k8s-node.yaml</strong></p>
<p>(1)创建配置文件</p>
<pre><code># vi k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k8s-node
</code></pre>
<p>(2)应用资源配置</p>
<pre><code># kubectl create -f k8s-node.yaml
</code></pre>
<p>(3)查看集群角色和角色属性</p>
<pre><code># kubectl get clusterrolebinding k8s-node
# kubectl get clusterrolebinding k8s-node -o yaml
</code></pre>
<p>(4)拷贝kubelet.kubeconfig 到hdss7-22.host.com上</p>
<pre><code># scp hdss7-21:/opt/kubernetes/server/bin/conf/kubelet.kubeconfig .
</code></pre>
<h6 id="414准备pause基础镜像"><strong>4.1.4.准备pause基础镜像</strong></h6>
<p><strong>hdss7-200.host.com上</strong></p>
<p><strong>1、下载pause镜像</strong></p>
<pre><code># docker pull kubernetes/pause
</code></pre>
<p><strong>2、上传到docker私有仓库harbor中</strong></p>
<p><strong>(1)、给镜像打tag</strong></p>
<pre><code># docker images -a
# docker tag f9d5de079539 harbor.od.com/public/pause:latest
# docker images -a
</code></pre>
<p><strong>(2)、上传到harbor上</strong></p>
<pre><code># docker push harbor.od.com/public/pause:latest
</code></pre>
<h6 id="415创建kubelet启动脚本"><strong>4.1.5.创建kubelet启动脚本</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code># vi /opt/kubernetes/server/bin/kubelet.sh
#!/bin/sh
./kubelet \
--anonymous-auth=false \
--cgroup-driver systemd \
--cluster-dns 192.168.0.2 \
--cluster-domain cluster.local \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--fail-swap-on="false" \
--client-ca-file ./cert/ca.pem \
--tls-cert-file ./cert/kubelet.pem \
--tls-private-key-file ./cert/kubelet-key.pem \
--hostname-override hdss7-21.host.com \
--image-gc-high-threshold 20 \
--image-gc-low-threshold 10 \
--kubeconfig ./conf/kubelet.kubeconfig \
--log-dir /data/logs/kubernetes/kube-kubelet \
--pod-infra-container-image harbor.od.com/public/pause:latest \
--root-dir /data/kubelet
</code></pre>
<h6 id="416授权创建目录"><strong>4.1.6.授权,创建目录</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code># chmod +x /opt/kubernetes/server/bin/kubelet.sh
# mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet
</code></pre>
<h6 id="417创建supervisor配置"><strong>4.1.7.创建supervisor配置</strong></h6>
<pre><code>#vi /etc/supervisord.d/kube-kubelet.ini
command=/opt/kubernetes/server/bin/kubelet.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="418启动服务并检查"><strong>4.1.8.启动服务并检查</strong></h6>
<pre><code># supervisorctlupdate
# supervisorctl status
</code></pre>
<h6 id="419部署所有节点"><strong>4.1.9.部署所有节点</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/opt/kubernetes/server/bin/kubelet.sh
--hostname-override
##########
/etc/supervisord.d/kube-kubelet.ini
</code></pre>
<h6 id="4110检查所有节点并给节点打上标签"><strong>4.1.10.检查所有节点并给节点打上标签</strong></h6>
<pre><code># kubectl get nodes
# kubectl label node hdss7-21.host.com node-role.kubernetes.io/master=
# kubectl label node hdss7-21.host.com node-role.kubernetes.io/node=
# kubectl get nodes
</code></pre>
<h5 id="42部署kube-proxy"><strong>4.2.部署kube-proxy</strong></h5>
<h6 id="421集群架构"><strong>4.2.1.集群架构</strong></h6>
<table>
<thead>
<tr>
<th style="text-align: center">主机名</th>
<th style="text-align: center">角色</th>
<th style="text-align: center">IP地址</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: center">hdss7-21.host.com</td>
<td style="text-align: center">kube-proxy</td>
<td style="text-align: center">10.4.7.21</td>
</tr>
<tr>
<td style="text-align: center">hdss7-22.host.com</td>
<td style="text-align: center">kube-proxy</td>
<td style="text-align: center">10.4.7.22</td>
</tr>
</tbody>
</table>
<p><strong>部署方法以hdss7-21.host.com为例</strong></p>
<h6 id="422签发kube-proxy证书"><strong>4.2.2.签发kube-proxy证书</strong></h6>
<p><strong>hdss7-200.host.com上</strong></p>
<p><strong>1、创建生成证书csr的json配置文件</strong></p>
<pre><code># vi kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p><strong>2、生成kube-proxy证书文件</strong></p>
<pre><code># cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
</code></pre>
<p><strong>3、检查生成的证书文件</strong></p>
<pre><code># ll
kube-proxy-client.csr
kube-proxy-client-key.pem
kube-proxy-client.pem
kube-proxy-csr.json
</code></pre>
<h6 id="423拷贝证书文件至各节点并创建配置"><strong>4.2.3.拷贝证书文件至各节点,并创建配置</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<p><strong>1、拷贝证书文件</strong></p>
<pre><code># scp hdss7-200:/opt/certs/kube-proxy-client.pem .
# scp hdss7-200:/opt/certs/kube-proxy-client-key.pem .
</code></pre>
<p><strong>2、创建配置</strong></p>
<p><strong>(1)、set-cluster</strong></p>
<pre><code># kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kube-proxy.kubeconfig
</code></pre>
<p><strong>(2)、set-credentials</strong></p>
<pre><code>#kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/cert/kube-proxy-client.pem \
--client-key=/opt/kubernetes/server/bin/cert/kube-proxy-client-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
</code></pre>
<p><strong>(3)、set-context</strong></p>
<pre><code># kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
</code></pre>
<p><strong>(4)、use-context</strong></p>
<pre><code># kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig
</code></pre>
<p><strong>(5)、拷贝kube-proxy.kubeconfig 到 hdss7-22.host.com的conf目录下</strong></p>
<pre><code># scp hdss7-21:/opt/kubernetes/server/bin/conf/kube-proxy.kubeconfig .
</code></pre>
<h6 id="424创建kube-proxy启动脚本"><strong>4.2.4.创建kube-proxy启动脚本</strong></h6>
<p><strong>hdss7-21.host.com上</strong></p>
<p><strong>1、加载ipvs模块</strong></p>
<pre><code># lsmod |grep ip_vs
# vi /root/ipvs.sh
#!/bin/bash
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for i in $(ls $ipvs_mods_dir|grep -o "^[^.]*")
do
/sbin/modinfo -F filename $i &>/dev/null
if [ $? -eq 0 ];then
/sbin/modprobe $i
fi
done
# chmod +x /root/ipvs.sh
# sh /root/ipvs.sh
# lsmod |grep ip_vs
</code></pre>
<p><strong>2、创建启动脚本</strong></p>
<pre><code># vi /opt/kubernetes/server/bin/kube-proxy.sh
#!/bin/sh
./kube-proxy \
--cluster-cidr 172.7.0.0/16 \
--hostname-override hdss7-21.host.com \
--proxy-mode=ipvs \
--ipvs-scheduler=nq \
--kubeconfig ./conf/kube-proxy.kubeconfig
</code></pre>
<h6 id="425授权创建目录"><strong>4.2.5.授权,创建目录</strong></h6>
<pre><code># ls -l /opt/kubernetes/server/bin/conf/|grep kube-proxy
# chmod +x /opt/kubernetes/server/bin/kube-proxy.sh
# mkdir -p /data/logs/kubernetes/kube-proxy
</code></pre>
<h6 id="426创建supervisor配置"><strong>4.2.6.创建supervisor配置</strong></h6>
<pre><code># vi /etc/supervisord.d/kube-proxy.ini
command=/opt/kubernetes/server/bin/kube-proxy.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
</code></pre>
<h6 id="427启动服务并检查"><strong>4.2.7.启动服务并检查</strong></h6>
<pre><code># supervisorctl update
# supervisorctl status
# yum install ipvsadm -y
# ipvsadm -Ln
# kubectl get svc
</code></pre>
<h6 id="428部署所有节点"><strong>4.2.8.部署所有节点</strong></h6>
<p><strong>不同的地方</strong></p>
<pre><code>/opt/kubernetes/server/bin/kube-proxy.sh
--hostname-override
##########
/etc/supervisord.d/kube-proxy.ini
</code></pre>
<h4 id="5验证kubernetes集群"><strong>5.验证kubernetes集群</strong></h4>
<h5 id="51在任意一个节点上创建一个资源配置清单"><strong>5.1.在任意一个节点上创建一个资源配置清单</strong></h5>
<p><strong>hdss7-21.host.com上</strong></p>
<pre><code># vi /root/nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ds
spec:
template:
metadata:
labels:
app: nginx-ds
spec:
containers:
- name: my-nginx
image: harbor.od.com/public/nginx:v1.7.9
ports:
- containerPort: 80
</code></pre>
<h5 id="52应用资源配置并检查"><strong>5.2.应用资源配置,并检查</strong></h5>
<h6 id="521hdss7-21hostcom上"><strong>5.2.1.hdss7-21.host.com上</strong></h6>
<pre><code># kubectl create -f /root/nginx-ds.yaml
# kubectl get pods
# kubectl get pods -o wide
# curl 172.7.21.2
</code></pre>
<h6 id="522hdss7-22hostcom上"><strong>5.2.2.hdss7-22.host.com上</strong></h6>
<pre><code># kubectl get pods
# kubectl get pods -o wide
# curl 172.7.22.2
</code></pre>
<h6 id="523查看kubernetes是否搭建好"><strong>5.2.3.查看kubernetes是否搭建好</strong></h6>
<pre><code># kubectl get cs
# kubectl get node
# kubectl get pods
</code></pre><br><br>
来源:https://www.cnblogs.com/yanyanqaq/p/12607713.html
頁:
[1]