Kubernetes 完整二进制部署(精品)
<p></p><div class="toc"><div class="toc-container-header">目录</div><ul><li>1、基础环境</li><li>2、部署DNS</li><li>3、准备自签证书</li><li>4、部署Docker环境</li><li>5、私有仓库Harbor部署</li><li>6、部署Master节点<ul><li>6.1、部署Etcd集群</li><li>6.2、部署kube-apiserver集群<ul><li>6.2.1、创建cliient证书</li><li>6.2.2、签发kube-apiserver证书</li><li>6.2.3、kube-apiserver配置</li></ul></li><li>6.3、L4反向代理<ul><li>6.3.1、部署Nginx</li><li>6.3.2、部署keepalived</li></ul></li><li>6.4、部署controller-manager</li><li>6.5、部署kube-scheduler</li></ul></li><li>7、部署Node节点服务<ul><li>7.1、部署Kubelet<ul><li>7.1.1、签发kubelet证书</li><li>7.1.2、kubelet配置</li><li>7.1.3、准备pause基础镜像</li><li>7.1.4、创建kubelet启动脚本</li></ul></li><li>7.2、部署kube-proxy<ul><li>7.2.1、签发kube-proxy证书</li><li>7.2.2、Kube-proxy配置</li><li>7.2.3、创建kube-proxy启动脚本</li></ul></li></ul></li><li>8、验证集群</li></ul></div><p></p><h1 id="1基础环境">1、基础环境</h1>
<p>1.安装epel-release</p>
<pre><code class="language-bash">$ yum install epel-release -y
</code></pre>
<p>2.保证系统内核版本为3.10.x以上</p>
<pre><code class="language-bash">$ uname -a
Linux k8s-node01 3.10.0-693.el7.x86_64
</code></pre>
<p>3.关闭防火墙和selinux</p>
<pre><code class="language-bash">$ systemctl stop firewalld && systemctl disable firewalld
$ sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
$ setenforce 0
</code></pre>
<p>4.时间同步</p>
<pre><code class="language-bash">$ echo '#time sync by lidao at 2017-03-08' >>/var/spool/cron/root
$ echo '*/5 * * * * /usr/sbin/ntpdate pool.ntp.org >/dev/null 2>&1' >>/var/spool/cron/root
$ crontab -l
</code></pre>
<p>5.内核优化</p>
<pre><code class="language-bash">$ cat >>/etc/sysctl.conf<<EOF
net.ipv4.tcp_fin_timeout = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
net.ipv4.ip_local_port_range = 4000 65000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.core.somaxconn = 16384
net.core.netdev_max_backlog = 16384
net.ipv4.tcp_max_orphans = 16384
EOF
$ sysctl -p
</code></pre>
<p>6.安装必要工具</p>
<pre><code class="language-bash">$ yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
</code></pre>
<h1 id="2部署dns">2、部署DNS</h1>
<p>bind9服务来实现DNS,在ingress中实现七层代理,在实验环境中就得绑定hosts方式实现访问,而且容器也没办法绑定hosts,这里通过DNS来实现。</p>
<p>1.安装bind9软件(hdss7-11)</p>
<pre><code class="language-bash">$ yum install bind -y
</code></pre>
<p>2.主配置文件</p>
<pre><code class="language-bash">$ vim /etc/named.conf
listen-on port 53 { 10.4.7.11; }; # dns监听地址
allow-query { any; }; # 允许所有主机访问dns服务
forwarders { 10.4.7.2; }; # 指定上级dns
recursion yes; # dns采用递归算法查询(另一种是迭代)
dnssec-enable no; # 节约资源将其关闭
dnssec-validation no; # 节约资源将其关闭
</code></pre>
<p>配置文件语法校验</p>
<pre><code class="language-bash"># 没有报错说明语法没问题
$ named-checkconf
</code></pre>
<p>2.区域配置文件</p>
<blockquote>
<p>定义了两个域,都为主DNS,运行本机update</p>
</blockquote>
<pre><code class="language-bash">$ vim /etc/named.rfc1912.zones
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 10.4.7.11; };
};
</code></pre>
<p>3.配置区域数据文件</p>
<ul>
<li>/var/named/host.com.zone</li>
</ul>
<pre><code class="language-bash">$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2019011001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
HDSS7-11 A 10.4.7.11
HDSS7-12 A 10.4.7.12
HDSS7-21 A 10.4.7.21
HDSS7-22 A 10.4.7.22
HDSS7-200 A 10.4.7.200
</code></pre>
<ul>
<li>/var/named/od.com.zone</li>
</ul>
<pre><code class="language-bash">$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2019011001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
</code></pre>
<p>4.启动dns服务</p>
<pre><code class="language-bash">$ systemctl start named && systemctl enable named
</code></pre>
<p>5.验证是否可解析</p>
<pre><code class="language-bash">$ dig -t A hdss7-21.host.com @10.4.7.11 +short
10.4.7.21
$ dig -t A hdss7-200.host.com @10.4.7.11 +short
10.4.7.200
</code></pre>
<p>6.DNS客户端配置</p>
<p>所有节点</p>
<ul>
<li>修改网卡dns方式</li>
</ul>
<pre><code class="language-bash"># 修改网卡配置文件DNS1
$ vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.4.7.11
$ systemctl restart network
# 测试ping
$ ping baidu.com
PING baidu.com (39.156.69.79) 56(84) bytes of data.
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=1 ttl=128 time=47.0 ms
64 bytes from 39.156.69.79 (39.156.69.79): icmp_seq=2 ttl=128 time=48.3 ms
$ ping hdss7-21.host.com
PING HDSS7-21.host.com (10.4.7.21) 56(84) bytes of data.
64 bytes from 10.4.7.21 (10.4.7.21): icmp_seq=1 ttl=64 time=0.821 ms
64 bytes from 10.4.7.21 (10.4.7.21): icmp_seq=2 ttl=64 time=0.598 ms
</code></pre>
<ul>
<li>添加search(短域名)</li>
</ul>
<pre><code class="language-bash">$ vim /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.4.7.2
# Ping短域名
$ ping hdss7-200
PING HDSS7-200.host.com (10.4.7.200) 56(84) bytes of data.
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=1 ttl=64 time=1.18 ms
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=2 ttl=64 time=0.456 ms
</code></pre>
<h1 id="3准备自签证书">3、准备自签证书</h1>
<p>运维主机<code>hdss7-200.host.com</code>上:</p>
<p>1.安装CFSSL</p>
<pre><code class="language-bash">$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
$ chmod +x /usr/bin/cfssl*
</code></pre>
<ul>
<li>关于cfssl工具:
<ul>
<li>cfssl:证书签发的主要工具</li>
<li>cfssl-json:将cfssl生成的整数(json格式)变为文件承载式证书</li>
<li>cfssl-certinfo:验证证书的信息</li>
</ul>
</li>
</ul>
<p>2.创建生成CA证书签名请求(csr)的json配置文件</p>
<blockquote>
<p>自签证书会有个根证书ca(需权威机构签发/可自签)</p>
</blockquote>
<pre><code class="language-bash">$ vim /opt/certs/ca-csr.json
{
"CN": "Sky",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
</code></pre>
<blockquote>
<p>CN:浏览器使用该字段验证网站是否合法,一般写的是域名,非常重要</p>
<p>C:国家</p>
<p>ST:州/省</p>
<p>L:地区/城市</p>
<p>O:组织名称/公司名称</p>
<p>OU:组织单位名称,公司部门</p>
</blockquote>
<p>3.生成CA证书和私钥</p>
<pre><code class="language-bash">$ cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/01/10 13:58:49 generating a new CA key and certificate from CSR
2020/01/10 13:58:49 generate received request
2020/01/10 13:58:49 received CSR
2020/01/10 13:58:49 generating key: rsa-2048
2020/01/10 13:58:49 encoded CSR
2020/01/10 13:58:49 signed certificate with serial number 214125439771303219718649555160058070055859759808
$ ll
total 16
-rw-r--r-- 1 root root328 Jan 10 13:53 ca-csr.json # 请求文件
-rw------- 1 root root 1675 Jan 10 13:58 ca-key.pem# 私钥
-rw-r--r-- 1 root root993 Jan 10 13:58 ca.csr
-rw-r--r-- 1 root root 1346 Jan 10 13:58 ca.pem # 证书
</code></pre>
<h1 id="4部署docker环境">4、部署Docker环境</h1>
<p><code>hdss7-200.host.com</code>,<code>hdss7-21.host.com</code>,<code>hdss7-22.host.com</code>上:</p>
<p>1.一键安装Docker-ce</p>
<pre><code class="language-bash">$ curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
$ docker version
</code></pre>
<p>2.配置文件</p>
<pre><code class="language-bash">$ mkdir /etc/docker/
$ mkdir -p /data/docker
$ vim /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
</code></pre>
<blockquote>
<p>bip:172.7.x.1/24,x按照宿主机IP地址最后一位来设置</p>
</blockquote>
<p>3.启动docker</p>
<pre><code class="language-bash">$ systemctl restart docker.service && systemctl enable docker.service
</code></pre>
<h1 id="5私有仓库harbor部署">5、私有仓库Harbor部署</h1>
<p><code>hdss7-200.host.com</code>上:</p>
<p>1.下载软件二进制包并解压</p>
<p>https://github.com/goharbor/harbor</p>
<pre><code class="language-bash">$ tar xf harbor-offline-installer-v1.8.1.tgz -C /opt/
$ mv /opt/harbor/ /opt/harbor-v1.8.1
$ ln -s /opt/harbor-v1.8.1/ /opt/harbor
</code></pre>
<p>2.配置文件</p>
<pre><code class="language-bash">$ vim /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
port: 180
data_volume: /data/harbor
location: /data/harbor/logs
</code></pre>
<p>创建相应目录</p>
<pre><code class="language-bash">$ mkdir -p /data/harbor/logs
</code></pre>
<p>3.安装docker-compose</p>
<blockquote>
<p>用于编排harbor</p>
</blockquote>
<pre><code class="language-bash">$ yum install docker-compose -y
</code></pre>
<p>4.启动harbor</p>
<pre><code class="language-bash">$ sh /opt/harbor/install.sh
$ docker-compose ps
</code></pre>
<p>5.基于Nginx实现代理访问Harbor</p>
<pre><code class="language-bash">$ yum install nginx -y
$ vim /etc/nginx/conf.d/harbor.od.com.conf
server {
listen 80;
server_nameharbor.od.com;
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
</code></pre>
<blockquote>
<p>配置说明:用户访问url:harbor.od.com 端口80 将其流量代理到 127.0.0.1:180</p>
</blockquote>
<p>启动nginx</p>
<pre><code class="language-bash">$ nginx -t
$ systemctl start nginx && systemctl enable nginx
</code></pre>
<p>6.<code>hdss7-11</code>上添加<code>dns A记录</code></p>
<pre><code class="language-bash">$ vi /var/named/od.com.zone
harbor A 10.4.7.200
</code></pre>
<blockquote>
<p>注意serial前滚一个序号</p>
</blockquote>
<p>重启dns并测试</p>
<pre><code class="language-bash">$ systemctl restart named
$ dig -t A harbor.od.com +short
10.4.7.200
</code></pre>
<p>7.浏览器访问:<code>harbor.od.com</code></p>
<blockquote>
<p>用户名:admin、密码:Harbor12345<br>
<img src="https://img2020.cnblogs.com/blog/1679739/202004/1679739-20200416221928429-1532596700.png" alt="" loading="lazy"></p>
</blockquote>
<p>8.harbor上新建一个名:public 公开项目<br>
<img src="https://img2020.cnblogs.com/blog/1679739/202004/1679739-20200416222006540-1895854613.png" alt="" loading="lazy"></p>
<p>9.从docker.io拉取nginx镜像</p>
<pre><code class="language-bash">$ docker pull nginx:1.7.9
# 等价于
$ docker pull docker.io/library/nginx:1.7.9
</code></pre>
<p>将从公网下载的nginx打上刚才创建的harbor仓库下public项目的tag</p>
<pre><code class="language-bash"># 找到nginx image id将其打上new tag
$ docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9
# 需先登录harbor
$ docker login harbor.od.com
Username: admin
Password:
# 然后在推送镜像到私有仓库
$ docker push harbor.od.com/public/nginx:v1.7.9
</code></pre>
<h1 id="6部署master节点">6、部署Master节点</h1>
<h2 id="61部署etcd集群">6.1、部署Etcd集群</h2>
<p>集群规划</p>
<table>
<thead>
<tr>
<th>主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td>hdss7-12.host.com</td>
<td>etcd lead</td>
<td>10.4.7.12</td>
</tr>
<tr>
<td>hdss7-21.host.com</td>
<td>etcd follow</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td>hdss7-22.host.com</td>
<td>etcd follow</td>
<td>10.4.7.22</td>
</tr>
</tbody>
</table>
<p>注意:这里部署文档以<code>hdss7-12.host.com</code>主机为例,另外两台主机安装部署方法类似</p>
<p>1.创建基于根证书的config配置文件</p>
<p>运维主机<code>hdss7-200上</code>:</p>
<pre><code class="language-bash">$ vim /opt/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
</code></pre>
<blockquote>
<p>证书类型</p>
<p>client:客户端使用,用于服务端认证客户端,例如etcdctl、etcd proxy、fleetctl、docker客户端。</p>
<p>server:服务端使用,客户端以此验证服务端身份,例如docker服务端、kube-apiserver</p>
<p>peer:双向证书,用于etcd集群成员间通信</p>
</blockquote>
<p>2.创建生成<code>etcd</code>自签证书签名请求(csr)的json配置文件</p>
<p>运维主机<code>hdss7-200上</code>:</p>
<pre><code class="language-bash">$ vim /opt/certs/etcd-peer-csr.json
{
"CN": "k8s-etcd",
"hosts": [
"10.4.7.11",
"10.4.7.12",
"10.4.7.21",
"10.4.7.22"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<blockquote>
<p>hosts:添加部署etcd机器的IP地址,尽量多预留几个</p>
</blockquote>
<p>3.生成etcd证书和私钥</p>
<p>运维主机<code>hdss7-200上</code>:</p>
<pre><code class="language-bash">$ cd /opt/certs
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json|cfssl-json -bare etcd-peer
2020/01/10 15:05:30 generate received request
2020/01/10 15:05:30 received CSR
2020/01/10 15:05:30 generating key: rsa-2048
2020/01/10 15:05:30 encoded CSR
2020/01/10 15:05:30 signed certificate with serial number 257419759502713087580344599035913411225571544160
2020/01/10 15:05:30 This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
</code></pre>
<p>检查生成的证书、私钥</p>
<pre><code class="language-bash">$ ll etcd-peer*
-rw-r--r-- 1 root root364 Jan 10 15:03 etcd-peer-csr.json
-rw------- 1 root root 1675 Jan 10 15:05 etcd-peer-key.pem
-rw-r--r-- 1 root root 1062 Jan 10 15:05 etcd-peer.csr
-rw-r--r-- 1 root root 1428 Jan 10 15:05 etcd-peer.pem
</code></pre>
<p>4.创建etcd用户</p>
<p><code>hdss7-12.host.com</code>上:</p>
<pre><code class="language-bash">$ useradd -s /sbin/nologin -M etcd
</code></pre>
<p>5.下载软件、解压,做软连接</p>
<p><code>hdss7-12.host.com</code>上:</p>
<p>etcd下载地址</p>
<pre><code class="language-bash">$ tar xf etcd-v3.1.20-linux-amd64.tar.gz-C /opt/
$ mv /opt/etcd-v3.1.20-linux-amd64/ /opt/etcd-v3.1.20
$ ln -s /opt/etcd-v3.1.20/ /opt/etcd
</code></pre>
<p>6.创建目录,拷贝证书、私钥</p>
<p><code>hdss7-12.host.com</code>上:</p>
<ul>
<li>创建目录</li>
</ul>
<pre><code class="language-bash">$ mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
</code></pre>
<ul>
<li>拷贝证书</li>
</ul>
<p>将运维主机上生成的<code>ca.pem</code>、<code>etcd-peer-key.pem</code>、<code>etcd-peer.pem</code>拷贝到<code>/opt/etcd/certs</code>目录中,注意私钥文件权限600</p>
<pre><code class="language-bash">$ ll -l
total 12
-rw-r--r-- 1 root root 1346 Jan 27 12:04 ca.pem
-rw------- 1 root root 1675 Jan 27 12:03 etcd-peer-key.pem
-rw-r--r-- 1 root root 1432 Jan 27 12:03 etcd-peer.pem
</code></pre>
<ul>
<li>修改权限</li>
</ul>
<pre><code class="language-bash">$ chown -R etcd.etcd /opt/etcd-v3.1.20 /data/etcd/ /data/logs/etcd-server/
</code></pre>
<blockquote>
<p>必须使用etcd用户启动</p>
</blockquote>
<p>7.创建etcd服务启动脚本</p>
<p><code>hdss7-12.host.com</code>上:</p>
<pre><code class="language-bash">$ vim /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-clusteretcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth\
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
</code></pre>
<p><strong>配置参数说明</strong></p>
<table>
<thead>
<tr>
<th style="text-align: left">参数</th>
<th>说明</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">--listen-peer-urls</td>
<td>本member侧使用,用于监听其他member发送信息的地址。ip为全0代表监听本member侧所有接口</td>
</tr>
<tr>
<td style="text-align: left">--listen-client-urls</td>
<td>本member侧使用,用于监听etcd客户发送信息的地址。ip为全0代表监听本member侧所有接口</td>
</tr>
<tr>
<td style="text-align: left">--initial-advertise-peer-urls</td>
<td>其他member使用,其他member通过该地址与本member交互信息。一定要保证从其他member能可访问该地址。静态配置方式下,该参数的value一定要同时在--initial-cluster参数中存在。memberID的生成受--initial-cluster-token和--initial-advertise-peer-urls影响。</td>
</tr>
<tr>
<td style="text-align: left">--advertise-client-urls</td>
<td>etcd客户使用,客户通过该地址与本member交互信息。一定要保证从客户侧能可访问该地址</td>
</tr>
<tr>
<td style="text-align: left">--initial-cluster</td>
<td>etcd集群所有节点配置,多个用逗号隔开</td>
</tr>
<tr>
<td style="text-align: left">-quota-backend-bytes</td>
<td>指定etcd存储配额超过指定大小后引发报警</td>
</tr>
<tr>
<td style="text-align: left">--client-cert-auth</td>
<td>启动客户端证书进行身份验证</td>
</tr>
<tr>
<td style="text-align: left">--log-output</td>
<td>指定“ stdout”或“ stderr”以跳过日志记录,即使在systemd或逗号分隔的输出目标列表下运行时也是如此。</td>
</tr>
</tbody>
</table>
<p>详细请点击</p>
<p>给脚本添加执行权限</p>
<pre><code class="language-bash">$ chmod +x /opt/etcd/etcd-server-startup.sh
</code></pre>
<p>8.创建etcd-server的启动配置</p>
<p><code>hdss7-12.host.com</code>上:</p>
<p>安装supervisor(优势:自动拉起挂掉的程序)</p>
<pre><code class="language-bash">$ yum install supervisor -y
$ systemctl start supervisord && systemctl enable supervisord
</code></pre>
<p>将etcd启动脚本交给supervisor管理</p>
<pre><code class="language-bash">$ vim /etc/supervisord.d/etcd-server.ini
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected
quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<blockquote>
<p>注意:etcd集群各主机启动配置略有不同,配置其它节点时注意修改;</p>
</blockquote>
<p>9.启动etcd</p>
<p><code>hdss7-12.host.com</code>上:</p>
<pre><code class="language-bash">$ supervisorctl update
etcd-server-7-12: added process group
</code></pre>
<p>检查是否启动</p>
<pre><code class="language-bash">$ supervisorctl status
etcd-server-7-12 RUNNING pid 5029, uptime 0:02:11
$ netstat -lntup | grep "etcd"
tcp 0 0 10.4.7.12:2379 0.0.0.0:* LISTEN 5030/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 5030/./etcd
tcp 0 0 10.4.7.12:2380 0.0.0.0:* LISTEN 5030/./etcd
</code></pre>
<p>10.检查集群状态(必须在三节点起来后)</p>
<pre><code class="language-bash">$ /opt/etcd/etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from http://127.0.0.1:2379
member 5a0ef2a004fc4349 is healthy: got healthy result from http://127.0.0.1:2379
member f4a0cb0a765574a8 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
</code></pre>
<p>检查集群角色</p>
<pre><code class="language-bash">$ ./etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.12:2379 isLeader=true
</code></pre>
<h2 id="62部署kube-apiserver集群">6.2、部署kube-apiserver集群</h2>
<p>集群规划</p>
<table>
<thead>
<tr>
<th>主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td>hdss7-21.host.com</td>
<td>kube-apiserver</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td>hdss7-22.host.com</td>
<td>kube-apiserver</td>
<td>10.4.7.22</td>
</tr>
<tr>
<td>hdss7-11.host.com</td>
<td>4层负载均衡</td>
<td>10.4.7.11</td>
</tr>
<tr>
<td>hdss7-12.host.com</td>
<td>4层负载均衡</td>
<td>10.4.7.12</td>
</tr>
</tbody>
</table>
<p>注意:这里<code>10.4.7.11</code>和<code>10.4.7.12</code>使用nginx做4层负载均衡,用keepalived跑一个VIP:10.4.7.10,代理两个kube-apiserver,实现高可用</p>
<p>这类部署文档以<code>hdss7-21.host.com</code>主机为例,另外一台运算节点部署方法类似</p>
<p>下载软件,解压,做软连接</p>
<p><code>hdss7-21.host.com</code>上:</p>
<p>kubernetes官方Github地址</p>
<p>kuberneetes下载地址</p>
<pre><code class="language-bash">$ tar xf /opt/src/kubernetes-server-linux-amd64-v1.15.2.tar.gz-C /opt/
$ mv /opt/kubernetes/ /opt/kubernetes-v1.15.2
$ ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
</code></pre>
<h3 id="621创建cliient证书">6.2.1、创建cliient证书</h3>
<p>运维主机<code>hdss7-200上</code>:</p>
<p>1创建生成证书签名请求(csr)的json配置文件</p>
<pre><code class="language-bash">$ vim /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p>2.生成client证书和私钥</p>
<pre><code class="language-bash">$ cd /opt/certs/
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
2020/01/10 16:16:35 generate received request
2020/01/10 16:16:35 received CSR
2020/01/10 16:16:35 generating key: rsa-2048
\2020/01/10 16:16:36 encoded CSR
2020/01/10 16:16:36 signed certificate with serial number 294650890732881478597150479545220844543007627512
2020/01/10 16:16:36 This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
</code></pre>
<p>3.检查生成的证书、私钥</p>
<pre><code class="language-bash">$ ll client*
-rw-r--r-- 1 root root280 Jan 10 16:15 client-csr.json
-rw------- 1 root root 1679 Jan 10 16:16 client-key.pem
-rw-r--r-- 1 root root993 Jan 10 16:16 client.csr
-rw-r--r-- 1 root root 1363 Jan 10 16:16 client.pem
</code></pre>
<h3 id="622签发kube-apiserver证书">6.2.2、签发kube-apiserver证书</h3>
<p>运维主机<code>hdss7-200上</code>:</p>
<p>1.创建生成证书签名请求(csr)的json配置文件</p>
<pre><code class="language-bash">$ vim /opt/certs/apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p>注意:</p>
<ul>
<li>hosts 字段指定授权使用该证书的 IP 或域名列表,这里列出了 VIP 、apiserver节点 IP、kubernetes 服务 IP 和域名;</li>
<li>域名最后字符不能是 . (如不能为kubernetes.default.svc.cluster.local. ),否则解析时失败,提示: x509:cannot parse dnsName "kubernetes.default.svc.cluster.local." ;</li>
<li>如果使用非 cluster.local 域名,如 opsnull.com ,则需要修改域名列表中的最后两个域名为: kubernetes.default.svc.opsnull 、 kubernetes.default.svc.opsnull.com</li>
<li>kubernetes 服务 IP 是 apiserver 自动创建的,一般是 --service-cluster-ip-range 参数指定的网段的第一个IP,后续可以通过如下命令获取:</li>
</ul>
<pre><code class="language-bash">$ kubectl get svc kubernetes
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 192.168.0.1 <none> 443/TCP 4d
</code></pre>
<p>2.生成api-server证书和私钥</p>
<pre><code class="language-bash">$ cd /opt/certs
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
2020/01/10 16:21:06 generate received request
2020/01/10 16:21:06 received CSR
2020/01/10 16:21:06 generating key: rsa-2048
2020/01/10 16:21:07 encoded CSR
2020/01/10 16:21:07 signed certificate with serial number 533398970701884951320970228765072309875544569205
2020/01/10 16:21:07 This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
</code></pre>
<p>3.检查生成的证书、私钥</p>
<pre><code class="language-bash">$ ll apiserver*
-rw-r--r-- 1 root root566 Jan 10 16:19 apiserver-csr.json
-rw------- 1 root root 1679 Jan 10 16:21 apiserver-key.pem
-rw-r--r-- 1 root root 1249 Jan 10 16:21 apiserver.csr
-rw-r--r-- 1 root root 1598 Jan 10 16:21 apiserver.pem
</code></pre>
<h3 id="623kube-apiserver配置">6.2.3、kube-apiserver配置</h3>
<p><code>hdss7-21上</code>:</p>
<p>1.创建目录存放证书和私钥以及配置文件</p>
<pre><code class="language-bash">$ mkdir /opt/kubernetes/server/bin/cert /opt/kubernetes/server/bin/conf
</code></pre>
<blockquote>
<p>/opt/kubernetes/server/bin/cert:存放证书</p>
<p>/opt/kubernetes/server/bin/conf:存放启动配置文件</p>
</blockquote>
<p>2.拷贝证书、私钥,注意私钥文件属性600</p>
<pre><code class="language-bash">$ ll # 三套证书
total 24
-rw------- 1 root root 1679 Jan 10 16:32 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jan 10 16:32 apiserver.pem
-rw------- 1 root root 1675 Jan 10 16:32 ca-key.pem
-rw-r--r-- 1 root root 1346 Jan 10 16:32 ca.pem
-rw------- 1 root root 1679 Jan 10 16:32 client-key.pem
-rw-r--r-- 1 root root 1363 Jan 10 16:32 client.pem
</code></pre>
<p>3.创建api-server审计策略文件</p>
<pre><code class="language-bash">$ vi /opt/kubernetes/server/bin/conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
</code></pre>
<p>4.创建启动脚本</p>
<pre><code class="language-bash">$ vim /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--insecure-port 8080 \
--secure-port 6443 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir/data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
</code></pre>
<blockquote>
<p>service-cluster-ip-range:指定service IP(cluster ip)范围</p>
</blockquote>
<p><strong>配置参数说明</strong></p>
<table>
<thead>
<tr>
<th>参数</th>
<th>说明</th>
</tr>
</thead>
<tbody>
<tr>
<td>--apiserver-count</td>
<td>指定集群运行模式,多台 kube-apiserver 会通过 leader选举产生一个工作节点,其它节点处于阻塞状态</td>
</tr>
<tr>
<td>--authorization-mode</td>
<td>开启指定授权模式,拒绝未授权的请求,默认值:AlwaysAllow;以逗号分隔的列表:AlwaysAllow,AlwaysDeny,ABAC,Webhook,RBAC,Node</td>
</tr>
<tr>
<td>--enable-admission-plugins</td>
<td>启用指定插件</td>
</tr>
<tr>
<td>--etcd-servers</td>
<td>etcd服务器列表(格式://ip:port),逗号分隔</td>
</tr>
<tr>
<td>--service-account-key-file</td>
<td>包含PEM编码的x509 RSA或ECDSA私有或者公共密钥的文件。用于验证service account token。指定的文件可以包含多个值。参数可以被指定多个不同的文件。如未指定,--tls-private-key-file将被使用。如果提供了--service-account-signing-key,则必须指定该参数</td>
</tr>
<tr>
<td>--service-cluster-ip-range</td>
<td>CIDR表示IP范围,用于分配服务集群IP(service ip)。不能与分配给pod节点的IP重叠 (default 10.0.0.0/24)</td>
</tr>
<tr>
<td>--service-node-port-range</td>
<td>为NodePort服务保留的端口范围。默认值 30000-32767</td>
</tr>
<tr>
<td>--kubelet-client-certificate、kubelet-client-key</td>
<td>如果指定,则使用 https 访问 kubelet APIs;需要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权</td>
</tr>
<tr>
<td>--tls-cert-file、tls-private-key-file</td>
<td>使用 https 输出 metrics 时使用的 Server 证书和秘钥</td>
</tr>
<tr>
<td>--insecure-port</td>
<td>HTTP服务,默认端口8080,默认IP是本地主机,修改标识--insecure-bind-address,在HTTP中没有认证和授权检查</td>
</tr>
<tr>
<td>--secure-port</td>
<td>HTTPS服务,默认端口6443,默认IP是首个非本地主机的网络接口,修改标识--bind-address,设置证书和秘钥的标识,--tls-cert-file,--tls-private-key-file,认证方式,令牌文件或者客户端证书,使用基于策略的授权方式</td>
</tr>
</tbody>
</table>
<p>给脚本添加执行权限</p>
<pre><code class="language-bash">$ chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
</code></pre>
<p>5.创建api-server的启动配置</p>
<pre><code class="language-bash">$ vi /etc/supervisord.d/kube-apiserver.ini
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<p>6.创建日志目录</p>
<pre><code class="language-bash">$ mkdir -p /data/logs/kubernetes/kube-apiserver
</code></pre>
<p>7.启动并检查</p>
<pre><code class="language-bash">$ supervisorctl update
$ supervisorctl status
etcd-server-7-22 RUNNING pid 4013, uptime 1:12:36
kube-apiserver-7-22 RUNNING pid 4596, uptime 0:00:31
</code></pre>
<p>8.查看api-server端口</p>
<pre><code class="language-bash">$ netstat -lntup | egrep "8080|6443"
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 20375/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 20375/./kube-apiser
</code></pre>
<h2 id="63l4反向代理">6.3、L4反向代理</h2>
<p><code>hdss7-11</code>和<code>hdss7-12</code>上基于nginx实现L4反向代理调度到后端的kubernetes api-server:<br>
<img src="https://img2020.cnblogs.com/blog/1679739/202004/1679739-20200416222216030-1284467059.png" alt="" loading="lazy"></p>
<p>所有Node节点的k8s组件:kubelet,kube-proxy会去访问https://10.4.7.10:7443这个地址,并携带证书</p>
<h3 id="631部署nginx">6.3.1、部署Nginx</h3>
<p>1.安装nginx</p>
<pre><code class="language-bash">$ yum install nginx -y
</code></pre>
<p>2.nginx配置文件</p>
<pre><code class="language-bash">$ vim /etc/nginx/nginx.conf # 黏贴到http标签外
stream {
# kubernetes api-server ip地址以及https端口
upstream kube-apiserver {
server 10.4.7.21:6443 max_fails=3 fail_timeout=30s;
server 10.4.7.22:6443 max_fails=3 fail_timeout=30s;
}
# 监听7443端口,将其接收的流量转发至指定proxy_pass
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
</code></pre>
<p>3.启动nginx</p>
<pre><code class="language-bash">$ systemctl start nginx && systemctl enable nginx
</code></pre>
<h3 id="632部署keepalived">6.3.2、部署keepalived</h3>
<p>1.安装keepalived</p>
<pre><code class="language-bash">$ yum install keepalived -y
</code></pre>
<p>2.监听脚本</p>
<pre><code class="language-bash">$ vi /etc/keepalived/check_port.sh
#!/bin/bash
# keepalived 监控端口脚本
# 使用方法:
# 在keepalived的配置文件中
# vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
# script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
# interval 2 #检查脚本的频率,单位(秒)
# }
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
</code></pre>
<p>添加可执行权限</p>
<pre><code class="language-bash">$ chmod +x /etc/keepalived/check_port.sh
</code></pre>
<p>3.keepalived主配置文件</p>
<pre><code class="language-bash">$ vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.11
}
vrrp_script chk_nginx {
# 调用脚本检测nginx监听的7443端口是否存在
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
# 当前主机IP
mcast_src_ip 10.4.7.11
nopreempt
# 高可用认证
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
# 虚拟IP
virtual_ipaddress {
10.4.7.10
}
}
</code></pre>
<p>4.keepalived备配置文件</p>
<pre><code class="language-bash">$ vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 251
mcast_src_ip 10.4.7.12
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
</code></pre>
<p>5.启动</p>
<pre><code class="language-bash">$ systemctl start keepalived.service && systemctl enable keepalived.service
</code></pre>
<h2 id="64部署controller-manager">6.4、部署controller-manager</h2>
<p><code>hdss7-21.host.com</code>和<code>hdss7-22.host.com</code>都部署了api-server,并且暴露了<code>127.0.0.1:8080</code>端口,也就是只能当前机器访问,那么<code>controller-manager</code>也是部署到当前机器,那就可以通过非安全端口8080直接访问到本机的api-server,即访问快捷/速度快又不需要证书认证。</p>
<p><strong>集群规划</strong></p>
<table>
<thead>
<tr>
<th style="text-align: left">主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">hdss7-21.host.com</td>
<td>controller-manager</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td style="text-align: left">hdss7-22.host.com</td>
<td>controller-manager</td>
<td>10.4.7.22</td>
</tr>
</tbody>
</table>
<blockquote>
<p>注意:这里部署文档以hdds7-21.host.com主机为例,另外一台运算节点安装部署方法类似</p>
</blockquote>
<p>1.创建启动脚本</p>
<pre><code class="language-bash">$ vim /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
--cluster-cidr 172.7.0.0/16 \
--leader-elect true \
--log-dir /data/logs/kubernetes/kube-controller-manager \
--master http://127.0.0.1:8080 \
--service-account-private-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--root-ca-file ./cert/ca.pem \
--v 2
</code></pre>
<p><strong>配置参数说明</strong></p>
<table>
<thead>
<tr>
<th>参数</th>
<th>说明</th>
</tr>
</thead>
<tbody>
<tr>
<td>--cluster-cidr</td>
<td>集群中Pod的CIDR范围,</td>
</tr>
<tr>
<td>--master</td>
<td>kubernetes api server的地址,将会覆盖kubeconfig设置的值</td>
</tr>
<tr>
<td>--service-cluster-ip-range</td>
<td>集群service的cidr范围,需要--allocate-node-cidrs设置为true</td>
</tr>
<tr>
<td>--leader-elect</td>
<td>多个master情况设置为true保证高可用,进行leader选举</td>
</tr>
<tr>
<td>--leader-elect-lease-duration duration</td>
<td>当leader-elect设置为true生效,选举过程中非leader候选等待选举的时间间隔(default 15s)</td>
</tr>
<tr>
<td>--leader-elect-renew-deadline duration</td>
<td>eader选举过程中在停止leading,再次renew时间间隔,小于或者等于leader-elect-lease-duration duration,也是leader-elect设置为true生效(default 10s)</td>
</tr>
<tr>
<td>--leader-elect-retry-period duration</td>
<td>当leader-elect设置为true生效,获取leader或者重新选举的等待间隔(default 2s)</td>
</tr>
</tbody>
</table>
<p>2.调整文件权限,创建日志存放目录</p>
<pre><code class="language-bash">$ chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh
$ mkdir -p /data/logs/kubernetes/kube-controller-manager
</code></pre>
<p>3.创建controller-manager的启动配置</p>
<pre><code class="language-bash">$ vi /etc/supervisord.d/kube-conntroller-manager.ini
command=/opt/kubernetes/server/bin/kube-controller-manager.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<p>4.启动并检查</p>
<pre><code class="language-bash">$ supervisorctl update
$ supervisorctl status
etcd-server-7-21 RUNNING pid 4148, uptime 2:07:47
kube-apiserver-7-21 RUNNING pid 4544, uptime 1:02:36
kube-controller-manager-7-21 RUNNING pid 4690, uptime 0:00:32
</code></pre>
<h2 id="65部署kube-scheduler">6.5、部署kube-scheduler</h2>
<p><code>hdss7-21.host.com</code>和<code>hdss7-22.host.com</code>都部署了api-server,并且暴露了<code>127.0.0.1:8080</code>端口,也就是只能当前机器访问,那么<code>kube-scheduler</code>也是部署到当前机器,那就可以通过非安全端口8080直接访问到本机的api-server,即访问快捷/速度快又不需要证书认证。</p>
<p><strong>集群规划</strong></p>
<table>
<thead>
<tr>
<th style="text-align: left">主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">hdss7-21.host.com</td>
<td>kube-scheduler</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td style="text-align: left">hdss7-22.host.com</td>
<td>kube-scheduler</td>
<td>10.4.7.22</td>
</tr>
</tbody>
</table>
<blockquote>
<p>注意:这里部署文档以hdds7-21.host.com主机为例,另外一台运算节点安装部署方法类似</p>
</blockquote>
<p>1.创建启动脚本</p>
<pre><code class="language-bash">$ vim /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
--leader-elect\
--log-dir /data/logs/kubernetes/kube-scheduler \
--master http://127.0.0.1:8080 \
--v 2
</code></pre>
<blockquote>
<p>master:指定api-server</p>
</blockquote>
<p>2.调整文件权限,创建目录</p>
<pre><code class="language-bash">$ chmod +x /opt/kubernetes/server/bin/kube-scheduler.sh
$ mkdir -p /data/logs/kubernetes/kube-scheduler
</code></pre>
<p>3.创建controller-manager的启动配置</p>
<pre><code class="language-bash">$ vi /etc/supervisord.d/kube-scheduler.ini
command=/opt/kubernetes/server/bin/kube-scheduler.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<p>4.启动并检查</p>
<pre><code class="language-bash">$ supervisorctl update
$ supervisorctl status
etcd-server-7-21 RUNNING pid 4148, uptime 2:11:12
kube-apiserver-7-21 RUNNING pid 4544, uptime 1:06:01
kube-controller-manager-7-21 RUNNING pid 4690, uptime 0:03:57
kube-scheduler-7-21 RUNNING pid 4727, uptime 0:00:32
</code></pre>
<p>5.检查集群健康状态</p>
<pre><code class="language-bash">$ ln -s /opt/kubernetes/server/bin/kubectl /usr/bin/kubectl
$ kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
etcd-1 Healthy {"health": "true"}
</code></pre>
<h1 id="7部署node节点服务">7、部署Node节点服务</h1>
<h2 id="71部署kubelet">7.1、部署Kubelet</h2>
<p>集群规划</p>
<table>
<thead>
<tr>
<th style="text-align: left">主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">hdss7-21.host.com</td>
<td>kubelet</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td style="text-align: left">hdss7-22.host.com</td>
<td>kubelet</td>
<td>10.4.7.22</td>
</tr>
</tbody>
</table>
<blockquote>
<p>注意:这里部署文档以hdds7-21.host.com主机为例,另外一台运算节点安装部署方法类似</p>
</blockquote>
<h3 id="711签发kubelet证书">7.1.1、签发kubelet证书</h3>
<p>运维主机<code>hdss7-200.host.com</code>上:</p>
<p>1.创建生成证书签名请求(csr)的json配置文件</p>
<pre><code class="language-bash">$ vim /opt/certs/kubelet-csr.json
{
"CN": "k8s-kubelet",
"hosts": [
"127.0.0.1",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23",
"10.4.7.24",
"10.4.7.25",
"10.4.7.26",
"10.4.7.27",
"10.4.7.28"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p>2.生成证书和私钥</p>
<pre><code class="language-bash">$ cd /opt/certs
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet
2020/01/10 20:15:39 generate received request
2020/01/10 20:15:39 received CSR
2020/01/10 20:15:39 generating key: rsa-2048
2020/01/10 20:15:40 encoded CSR
2020/01/10 20:15:40 signed certificate with serial number 526251135664766815056179206511844993208257685250
2020/01/10 20:15:40 This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
</code></pre>
<p>3.检查证书和私钥</p>
<pre><code class="language-bash">$ ll kubelet*
-rw-r--r-- 1 root root452 Jan 10 20:15 kubelet-csr.json
-rw------- 1 root root 1675 Jan 10 20:15 kubelet-key.pem
-rw-r--r-- 1 root root 1115 Jan 10 20:15 kubelet.csr
-rw-r--r-- 1 root root 1468 Jan 10 20:15 kubelet.pem
</code></pre>
<h3 id="712kubelet配置">7.1.2、kubelet配置</h3>
<p><code>hdss7-21.host.com</code>上:</p>
<p>1.拷贝证书到各运算节点,并创建配置(证书、私钥,注意私钥文件权限600)</p>
<pre><code class="language-bash">$ll /opt/kubernetes/server/bin/cert/
total 32
-rw------- 1 root root 1679 Jan 10 16:32 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jan 10 16:32 apiserver.pem
-rw------- 1 root root 1675 Jan 10 16:32 ca-key.pem
-rw-r--r-- 1 root root 1346 Jan 10 16:32 ca.pem
-rw------- 1 root root 1679 Jan 10 16:32 client-key.pem
-rw-r--r-- 1 root root 1363 Jan 10 16:32 client.pem
-rw------- 1 root root 1675 Jan 10 20:20 kubelet-key.pem
-rw-r--r-- 1 root root 1468 Jan 10 20:20 kubelet.pem
</code></pre>
<p>2.创建kubelet配置文件</p>
<blockquote>
<p>基于https的方式访问到nginx反代的vip</p>
</blockquote>
<pre><code class="language-bash"># 进入指定目录
$ cd /opt/kubernetes/server/bin/conf/
# 指定根证书和api-server的vip
$ kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kubelet.kubeconfig
# 拿客户端密钥和api-server通信
$ kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/cert/client.pem \
--client-key=/opt/kubernetes/server/bin/cert/client-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig
# 以k8s-node用户去访问api-server(该用户需要授权)
$ kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=kubelet.kubeconfig
$ kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
</code></pre>
<ul>
<li>关于<code>kubeconfig</code>文件
<ul>
<li>这是一个k8s用户的配置文件</li>
<li>它里面含有证书信息</li>
<li>证书过期或更换,需要同步替换该文件</li>
</ul>
</li>
</ul>
<p>3.创建授权资源配置文件k8s-node.yaml</p>
<blockquote>
<p>创建一次即可,用于给k8s-node这个访问账户授权,权限为k8s节点</p>
</blockquote>
<pre><code class="language-yaml">$ vim /opt/kubernetes/server/bin/conf/k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k8s-node
</code></pre>
<ul>
<li>User account是为人设计的,而service account则是为Pod中的进程调用Kubernetes API而设计;</li>
<li>User account是跨namespace的,而service account则是仅局限它所在的namespace</li>
</ul>
<p>4.使用<code>kubctl</code>创建</p>
<pre><code class="language-bash">$ kubectl create -f /opt/kubernetes/server/bin/conf/k8s-node.yaml
</code></pre>
<h3 id="713准备pause基础镜像">7.1.3、准备pause基础镜像</h3>
<p>pause镜像是k8s里必不可少的以pod方式运行业务容器时的一个基础容器。</p>
<p>运维主机<code>hdss7-200.host.com</code>上:</p>
<p>1.下载</p>
<pre><code class="language-bash">$ docker pull kubernetes/pause
</code></pre>
<p>2.提交至私有仓库(harbor)中</p>
<pre><code class="language-bash">$ docker tag f9d5de079539 harbor.od.com/public/pause:latest
$ docker push harbor.od.com/public/pause:latest
</code></pre>
<h3 id="714创建kubelet启动脚本">7.1.4、创建kubelet启动脚本</h3>
<p><code>hdss7-21.host.com</code>上:</p>
<p>1.启动脚本</p>
<pre><code class="language-bash">$ vim /opt/kubernetes/server/bin/kubelet.sh
#!/bin/sh
./kubelet \
--anonymous-auth=false \
--cgroup-driver systemd \
--cluster-dns 192.168.0.2 \
--cluster-domain cluster.local \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--fail-swap-on="false" \
--client-ca-file ./cert/ca.pem \
--tls-cert-file ./cert/kubelet.pem \
--tls-private-key-file ./cert/kubelet-key.pem \
--hostname-override hdss7-22.host.com \
--image-gc-high-threshold 20 \
--image-gc-low-threshold 10 \
--kubeconfig ./conf/kubelet.kubeconfig \
--log-dir /data/logs/kubernetes/kube-kubelet \
--pod-infra-container-image harbor.od.com/public/pause:latest \
--root-dir /data/kubelet
</code></pre>
<blockquote>
<p>cluster-dns:指定集群内部dns地址</p>
<p>hostname-override:当前机器主机名</p>
<p>pod-infra-container-image:pause镜像拉取地址</p>
<p>kubeconfig:指定上面创建的上下文配置文件</p>
</blockquote>
<p><strong>参数配置解析</strong></p>
<table>
<thead>
<tr>
<th>参数</th>
<th>说明</th>
</tr>
</thead>
<tbody>
<tr>
<td>--anonymous-auth</td>
<td>允许匿名请求到 kubelet 服务。未被另一个身份验证方法拒绝的请求被视为匿名请求。匿名请求包含系统的用户名: anonymous ,以及系统的组名: unauthenticated (默认 true )</td>
</tr>
<tr>
<td>--cgroup-driver</td>
<td>可选值有cgroupfs和systemd(默认cgroupfs)与docker驱动一致</td>
</tr>
<tr>
<td>--cluster-dns</td>
<td>DNS 服务器的IP列表,多个用逗号分隔</td>
</tr>
<tr>
<td>--cluster-domain</td>
<td>集群域名, kubelet 将配置所有容器除了主机搜索域还将搜索当前域</td>
</tr>
<tr>
<td>--fail-swap-on</td>
<td>如果设置为true则启动kubelet失败(default true)</td>
</tr>
<tr>
<td>--hostname-override</td>
<td>cluster中的node name</td>
</tr>
<tr>
<td>--image-gc-high-threshold</td>
<td>磁盘使用率最大值,超过此值将执行镜像垃圾回收(default 85)</td>
</tr>
<tr>
<td>--image-gc-low-threshold</td>
<td>磁盘使用率最大值,低于此值将停止镜像垃圾回收(default 80)</td>
</tr>
<tr>
<td>--kubeconfig</td>
<td>用来指定如何连接到 API server</td>
</tr>
<tr>
<td>--pod-infra-container-image</td>
<td>每个 pod 中的 network/ipc 命名空间容器将使用的pause镜像</td>
</tr>
<tr>
<td>--root-dir</td>
<td>kubelet 的工作目录</td>
</tr>
</tbody>
</table>
<p>创建目录</p>
<pre><code class="language-bash">$ mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet
</code></pre>
<p>给脚本添加+x权限</p>
<pre><code class="language-bash">$ chmod +x /opt/kubernetes/server/bin/kubelet.sh
</code></pre>
<p>2.创建kubelet的启动配置</p>
<pre><code class="language-bash">$ vi /etc/supervisord.d/kube-kubelet.ini
command=/opt/kubernetes/server/bin/kubelet.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<p>3.启动并检查</p>
<pre><code class="language-bash">$ supervisorctl update
$ supervisorctl status
etcd-server-7-21 RUNNING pid 4148, uptime 5:20:56
kube-apiserver-7-21 RUNNING pid 4544, uptime 4:15:45
kube-controller-manager-7-21 RUNNING pid 4690, uptime 3:13:41
kube-kubelet-7-21 RUNNING pid 5099, uptime 0:01:33
kube-scheduler-7-21 RUNNING pid 4727, uptime 3:10:16
</code></pre>
<p>4.查看节点</p>
<pre><code class="language-bash"># 给节点打上标签
$ kubectl label node hdss7-22.host.com node-role.kubernetes.io/node=
$ kubectl label node hdss7-22.host.com node-role.kubernetes.io/master=
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
hdss7-21.host.com Ready master,node 9m56s v1.15.2
hdss7-22.host.com Ready master,node 4m5s v1.15.2
</code></pre>
<h2 id="72部署kube-proxy">7.2、部署kube-proxy</h2>
<p><strong>集群规划</strong></p>
<table>
<thead>
<tr>
<th style="text-align: left">主机名</th>
<th>角色</th>
<th>ip</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align: left">hdss7-21.host.com</td>
<td>kubelet</td>
<td>10.4.7.21</td>
</tr>
<tr>
<td style="text-align: left">hdss7-22.host.com</td>
<td>kube-proxy</td>
<td>10.4.7.22</td>
</tr>
</tbody>
</table>
<blockquote>
<p>注意:这里部署文档以hdds7-21.host.com主机为例,另外一台运算节点安装部署方法类似</p>
</blockquote>
<h3 id="721签发kube-proxy证书">7.2.1、签发kube-proxy证书</h3>
<p>运维主机<code>hdss-200.host.com</code>上:</p>
<p>1.创建生成证书签名请求(csr)的json配置文件</p>
<pre><code class="language-bash">$ vim /opt/certs/kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
</code></pre>
<p>2.生成证书和私钥</p>
<pre><code class="language-bash">$ cd /opt/certs
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
2020/01/10 21:12:40 generate received request
2020/01/10 21:12:40 received CSR
2020/01/10 21:12:40 generating key: rsa-2048
2020/01/10 21:12:41 encoded CSR
2020/01/10 21:12:41 signed certificate with serial number 377857644553048066195455948935822375401500792612
2020/01/10 21:12:41 This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
</code></pre>
<p>3.检查证书和私钥</p>
<pre><code class="language-bash">$ llkube-proxy*
-rw------- 1 root root 1675 Jan 10 21:12 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1005 Jan 10 21:12 kube-proxy-client.csr
-rw-r--r-- 1 root root 1375 Jan 10 21:12 kube-proxy-client.pem
-rw-r--r-- 1 root root267 Jan 10 21:12 kube-proxy-csr.json
</code></pre>
<h3 id="722kube-proxy配置">7.2.2、Kube-proxy配置</h3>
<p><code>hdss7-21.host.com</code>上:</p>
<p>1.拷贝证书到各运算节点,并创建配置(证书、私钥,注意私钥文件权限600)</p>
<pre><code class="language-bash">$ ll
total 40
-rw------- 1 root root 1679 Jan 10 16:32 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Jan 10 16:32 apiserver.pem
-rw------- 1 root root 1675 Jan 10 16:32 ca-key.pem
-rw-r--r-- 1 root root 1346 Jan 10 16:32 ca.pem
-rw------- 1 root root 1679 Jan 10 16:32 client-key.pem
-rw-r--r-- 1 root root 1363 Jan 10 16:32 client.pem
-rw------- 1 root root 1675 Jan 10 21:16 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1375 Jan 10 21:16 kube-proxy-client.pem
-rw------- 1 root root 1675 Jan 10 20:20 kubelet-key.pem
-rw-r--r-- 1 root root 1468 Jan 10 20:20 kubelet.pem
</code></pre>
<p>2.创建kube-proxy配置</p>
<pre><code class="language-bash"># 进入指定目录
$ cd /opt/kubernetes/server/bin/conf/
$ kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kube-proxy.kubeconfig
$ kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/cert/kube-proxy-client.pem \
--client-key=/opt/kubernetes/server/bin/cert/kube-proxy-client-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
$ kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
$ kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig
</code></pre>
<h3 id="723创建kube-proxy启动脚本">7.2.3、创建kube-proxy启动脚本</h3>
<p><code>hdss7-21.host.com</code>上:</p>
<p>1.加载ipvs模块</p>
<pre><code class="language-bash">$ vi /root/ipvs.sh
#!/bin/bash
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for i in $(ls $ipvs_mods_dir|grep -o "^[^.]*")
do
/sbin/modinfo -F filename $i &>/dev/null
if [ $? -eq 0 ];then
/sbin/modprobe $i
fi
done
</code></pre>
<p>添加+x权限</p>
<pre><code class="language-bash">$ chmod +x /root/ipvs.sh
</code></pre>
<p>执行脚本并检查<code>ip_vs</code>模块是否加载</p>
<pre><code class="language-bash">$ sh /root/ipvs.sh
$ lsmod| grepip_vs
</code></pre>
<p>2.创建启动脚本</p>
<pre><code class="language-bash">$ vim /opt/kubernetes/server/bin/kube-proxy.sh
#!/bin/sh
./kube-proxy \
--cluster-cidr 172.7.0.0/16 \
--hostname-override hdss7-21.host.com \
--proxy-mode=ipvs \
--ipvs-scheduler=nq \
--kubeconfig ./conf/kube-proxy.kubeconfig
</code></pre>
<blockquote>
<p>cluster-cidr:指定docker ip范围</p>
</blockquote>
<p>创建日志存放目录</p>
<pre><code class="language-bash">$ mkdir -p /data/logs/kubernetes/kube-proxy
</code></pre>
<p>给脚本添加+x权限</p>
<pre><code class="language-bash">$ chmod +x /opt/kubernetes/server/bin/kube-proxy.sh
</code></pre>
<p>2.创建kubelet的启动配置</p>
<pre><code class="language-bash">$ vi /etc/supervisord.d/kube-proxy.ini
command=/opt/kubernetes/server/bin/kube-proxy.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at
unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
killasgroup=true
stopasgroup=true
</code></pre>
<p>启动并检查</p>
<pre><code class="language-bash">$ supervisorctl update
$ supervisorctl status
etcd-server-7-21 RUNNING pid 4148, uptime 5:59:11
kube-apiserver-7-21 RUNNING pid 4544, uptime 4:54:00
kube-controller-manager-7-21 RUNNING pid 4690, uptime 3:51:56
kube-kubelet-7-21 RUNNING pid 5099, uptime 0:39:48
kube-proxy-7-21 RUNNING pid 14452, uptime 0:00:45
kube-scheduler-7-21 RUNNING pid 4727, uptime 3:48:31
</code></pre>
<p>3.安装ipvs管理工具</p>
<pre><code class="language-bash">$ yum install ipvsadm -y
</code></pre>
<p>4.检查ipvs是否成功</p>
<pre><code class="language-bash">$ ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP192.168.0.1:443 nq
-> 10.4.7.21:6443 Masq 1 0 0
-> 10.4.7.22:6443 Masq 1 0 0
</code></pre>
<h1 id="8验证集群">8、验证集群</h1>
<p>1.在任意一个运算节点, 创建一个资源清单</p>
<p>这里我们选<code>hdss7-21.host.com</code>主机</p>
<pre><code class="language-yaml">$ vi /root/nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ds
spec:
template:
metadata:
labels:
app: nginx-ds
spec:
containers:
- name: my-nginx
image: harbor.od.com/public/nginx:v1.7.9
ports:
- containerPort: 80
</code></pre>
<p>创建资源</p>
<pre><code class="language-bash">$ kubectl create -f /root/nginx-ds.yaml
daemonset.extensions/nginx-ds created
</code></pre>
<p>查看pod状态</p>
<pre><code class="language-bash">$ kubctl get pods
NAME READY STATUS RESTARTS AGE
nginx-ds-gl9mg 1/1 Running 0 20s
nginx-ds-mlptx 1/1 Running 0 20s
</code></pre>
<p>2.查看集群状态</p>
<pre><code class="language-bash">$ kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-1 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
$ kubectl get node
NAME STATUS ROLES AGE VERSION
hdss7-21.host.com Ready master,node 48m v1.15.2
hdss7-22.host.com Ready master,node 42m v1.15.2
</code></pre><br><br>
来源:https://www.cnblogs.com/jasonminghao/p/12716239.html
頁:
[1]