Kubernetes Cluster Deployment (Part 3) (master and node components)
程序员文章站
2022-07-13 22:24:34
This post follows on from: Kubernetes Cluster Deployment (Part 2) (flannel network configuration)
Kubernetes Cluster Deployment (Part 3) (deploying the master/node components)
1. Deploying the master components
① Create the K8S working directory and the certificate directory
[root@master ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p '//create the k8s working directory: configuration, binaries, certificates'
[root@master ~]# cd k8s/
[root@master k8s]# mkdir k8s-cert '//directory in which the K8S certificates are generated'
[root@master k8s]# cd k8s-cert/
② Write the certificate-generation script and run it
[root@master k8s-cert]# vim k8s-cert.sh '//script that generates every certificate. Keep explanatory notes out of the heredocs: anything between cat <<EOF and EOF is written verbatim into the JSON file and would make it invalid'
# CA signing policy. The "kubernetes" profile is what every later gencert call uses.
# expiry 87600h = 10 years. The usages cover both "server auth" and "client auth", so the
# one profile can sign the apiserver serving certificate as well as the admin and
# kube-proxy client certificates.
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
# Certificate signing request for the cluster CA itself (its subject). O is the
# organization, OU the organizational unit.
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Initialise a self-signed CA from the request above. cfssljson -bare ca writes
# ca.pem (certificate), ca-key.pem (private key) and ca.csr.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
# apiserver (server) certificate. "hosts" becomes the certificate's Subject Alternative
# Names and must list every address and name a client may use to reach the apiserver.
# The second master, the two nginx load balancers and the VIP are added now so the later
# multi-master setup does not need a new certificate:
#   10.0.0.1        first address of the service CIDR, i.e. the "kubernetes" ClusterIP service
#   127.0.0.1       loopback
#   192.168.126.11  master01
#   192.168.126.12  master02
#   192.168.126.15  nginx01
#   192.168.126.16  nginx02
#   192.168.126.100 VIP (floating address)
# Every entry except the last needs a trailing comma, otherwise cfssl rejects the JSON.
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.126.11",
    "192.168.126.12",
    "192.168.126.15",
    "192.168.126.16",
    "192.168.126.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Sign the request with the CA certificate and key using the "kubernetes" profile from
# ca-config.json. cfssljson -bare server writes server.pem, server-key.pem and server.csr.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
# Administrator client certificate, used by kubectl. Kubernetes maps the certificate's CN to
# the user name and O to a group. O=system:masters is bound to cluster-admin by default, so
# whoever holds admin.pem together with admin-key.pem has full control of the cluster; keep
# the key as tightly as the CA key.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
# Produces admin.pem (certificate) and admin-key.pem (private key).
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
# kube-proxy client certificate. CN=system:kube-proxy is the user the built-in
# system:node-proxier ClusterRole is bound to, which is exactly the access kube-proxy needs.
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
# Produces kube-proxy.pem (certificate) and kube-proxy-key.pem (private key).
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
[root@master k8s-cert]# . k8s-cert.sh
...
...
[root@master k8s-cert]# ls *.pem '//8 PEM files in total: four certificate/key pairs (CA, apiserver, admin, kube-proxy)'
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
③ Populate the K8S working directory
[root@master k8s-cert]# cp ca*.pem server*.pem /opt/kubernetes/ssl/
'//the master needs only the CA pair and the apiserver pair here. admin.pem is for kubectl users; the kube-proxy pair is embedded into kube-proxy.kubeconfig later and reaches the nodes that way'
[root@master k8s-cert]# cd ..
[root@master k8s]# rz -E
rz waiting to receive. '//upload the previously downloaded K8S release tarball into this directory; compare its checksum with the one published for the release before unpacking'
[root@master k8s]# ls kuber*
kubernetes-server-linux-amd64.tar.gz '//contains every server and node component binary; it is a large archive'
[root@master k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
...
...
[root@master k8s]# cd kubernetes/
[root@master kubernetes]# ls
addons kubernetes-src.tar.gz LICENSES server
[root@master kubernetes]# cd server/
[root@master server]# ls
bin
[root@master server]# cd bin/
[root@master bin]# ls '//next, copy the binaries we need into the K8S working directory'
apiextensions-apiserver kubectl-convert
kubeadm kubelet
kube-aggregator kube-proxy
kube-apiserver kube-proxy.docker_tag
kube-apiserver.docker_tag kube-proxy.tar
kube-apiserver.tar kube-scheduler
kube-controller-manager kube-scheduler.docker_tag
kube-controller-manager.docker_tag kube-scheduler.tar
kube-controller-manager.tar mounter
kubectl
[root@master bin]# cp kube-apiserver kubectl kube-scheduler kube-controller-manager /opt/kubernetes/bin/
[root@master bin]# tree /opt/kubernetes/
/opt/kubernetes/
├── bin
│   ├── kube-apiserver
│   ├── kube-controller-manager
│   ├── kubectl
│   └── kube-scheduler
├── cfg '//still missing: configuration files and start-up scripts'
└── ssl
    ├── ca-key.pem
    ├── ca.pem
    ├── server-key.pem
    └── server.pem
3 directories, 8 files
④ Create the token file and write a script that starts the apiserver
[root@master bin]# cd /root/k8s/
[root@master k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
46f66211f8331155527e36e3a4d59a31
'//16 random bytes printed as 32 hex characters; this becomes the bootstrap token used below'
[root@master k8s]# vim /opt/kubernetes/cfg/token.csv
'//static token file read by the apiserver (--token-auth-file): one line per token, format token,user,uid,"groups"'
46f66211f8331155527e36e3a4d59a31,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
'//token, user name (kubelet-bootstrap), uid, group'
'//kubelet is a component, but it still has to authenticate as some identity. This token lets a new kubelet authenticate as kubelet-bootstrap just long enough to request its own certificate. Anyone holding the token can do the same, so keep token.csv at mode 0600 and protect the bootstrap.kubeconfig that embeds it'
[root@master k8s]# vim apiserver.sh
'//script that writes the apiserver configuration and systemd unit and starts the service'
#!/bin/bash
MASTER_ADDRESS=$1   # IP of this master
ETCD_SERVERS=$2     # comma-separated etcd endpoints
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
'//what the options mean (kept outside the heredoc on purpose: text placed after the trailing backslashes would end up in the config file and break the line continuations):'
'//--logtostderr=true, --v=4: log to stderr at verbosity 4'
'//--etcd-servers: the etcd cluster endpoints; --etcd-cafile/--etcd-certfile/--etcd-keyfile: the etcd client TLS material from the etcd part of this series'
'//--bind-address, --advertise-address: the address the secure port listens on, and the one advertised to the rest of the cluster'
'//--secure-port=6443: the authenticated HTTPS port'
'//--allow-privileged=true: permit privileged containers, which networking and other host-level add-ons need'
'//--service-cluster-ip-range=10.0.0.0/24: the ClusterIP range; 10.0.0.1 in it is why that address is in the server certificate'
'//--enable-admission-plugins: admission controllers; NodeRestriction limits each kubelet to its own Node and Pod objects'
'//--authorization-mode=RBAC,Node: RBAC plus the Node authorizer, which is what makes NodeRestriction meaningful'
'//--kubelet-https=true: talk to kubelets over HTTPS'
'//--enable-bootstrap-token-auth and --token-auth-file: accept bootstrap tokens; in this setup the token actually used is the static one in token.csv'
'//--service-node-port-range=30000-50000: NodePort range, chosen so it does not collide with common low ports'
'//--tls-cert-file, --tls-private-key-file: the apiserver serving certificate; --client-ca-file: the CA that client certificates (admin, kube-proxy, the kubelets) must chain to'
'//--service-account-key-file: the key used to verify service-account tokens. Reusing the CA private key here (and as --service-account-private-key-file in the controller-manager) ties token signing to the CA, so a leaked signing key is also a CA compromise. A dedicated key pair, e.g. from openssl genrsa, is the safer choice'
⑤ Start the apiserver
[root@master k8s]# . apiserver.sh 192.168.126.11 https://192.168.126.11:2379,https://192.168.126.13:2379,https://192.168.126.14:2379
'//arguments: the master IP and the etcd cluster endpoints; the script writes the configuration and starts the apiserver'
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
[root@master k8s]# systemctl status kube-apiserver.service
[root@master k8s]# ps aux | grep kube '//check the process'
[root@master k8s]# cat /opt/kubernetes/cfg/kube-apiserver '//check the generated configuration'
[root@master k8s]# netstat -ntap | grep 6443 '//check that the secure (authenticated) port is listening'
tcp 0 0 192.168.126.11:6443 0.0.0.0:* LISTEN 23837/kube-apiserve
tcp 0 0 192.168.126.11:6443 192.168.126.11:56606 ESTABLISHED 23837/kube-apiserve
tcp 0 0 192.168.126.11:56606 192.168.126.11:6443 ESTABLISHED 23837/kube-apiserve
[root@master k8s]# netstat -ntap | grep 8080
'//8080 is the insecure HTTP port (--insecure-port defaults to 8080 on 127.0.0.1 in this version); the scheduler and controller-manager below use it. Requests on it are neither authenticated nor authorized, so it must only ever listen on loopback: the output should show 127.0.0.1:8080 and nothing else. The insecure port was removed in Kubernetes 1.20'
⑥ Write the scheduler and controller-manager scripts and start them
[root@master k8s]# vim scheduler.sh
'//script that writes the scheduler configuration and unit and starts the service'
#!/bin/bash
MASTER_ADDRESS=$1   # use 127.0.0.1: the generated file then works unchanged when copied to a second master
cat <<EOF >/opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
'//--master=127.0.0.1:8080 reaches the apiserver over the local insecure port: no TLS and no credentials, acceptable only because that port is bound to loopback on the same host. --leader-elect lets several schedulers run with one of them active'
[root@master k8s]# . scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master k8s]# systemctl status kube-scheduler.service
[root@master k8s]# vim controller-manager.sh
#!/bin/bash
MASTER_ADDRESS=$1
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
'//--cluster-signing-cert-file/--cluster-signing-key-file: the CA that signs the kubelet CSRs approved in the node section. --experimental-cluster-signing-duration=87600h gives those node certificates a 10-year lifetime, so "revoking" one means deleting the node and bootstrapping it again. --root-ca-file is the CA placed into every service-account secret; --service-account-private-key-file signs service-account tokens and must be the private half of the apiserver's --service-account-key-file (here both are the CA key; see the note on the apiserver options)'
[root@master k8s]# . controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@master k8s]# systemctl status kube-controller-manager.service
[root@master k8s]# ps aux | grep kube '//check the processes'
[root@master k8s]# /opt/kubernetes/bin/kubectl get cs
'//kubectl reports the health of the control-plane components through the apiserver; with no kubeconfig it uses the local insecure port, which is why this works without credentials on the master'
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
etcd-0 Healthy {"health": "true"}
etcd-1 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
controller-manager Healthy ok
2. Deploying the node components
① Transfer kubelet and kube-proxy from the master to the nodes
----master----
[root@master k8s]# cd kubernetes/server/bin/
[root@master bin]# ls
apiextensions-apiserver kube-controller-manager.tar
cloud-controller-manager kubectl
cloud-controller-manager.docker_tag kubelet
cloud-controller-manager.tar kube-proxy
hyperkube kube-proxy.docker_tag
kubeadm kube-proxy.tar
kube-apiserver kube-scheduler
kube-apiserver.docker_tag kube-scheduler.docker_tag
kube-apiserver.tar kube-scheduler.tar
kube-controller-manager mounter
kube-controller-manager.docker_tag
'//the node components are kubelet and kube-proxy'
[root@master bin]# scp kubelet kube-proxy root@192.168.126.13:/opt/kubernetes/bin/
root@192.168.126.13's password:
kubelet 100% 168MB 84.0MB/s 00:02
kube-proxy 100% 48MB 70.9MB/s 00:00
[root@master bin]# scp kubelet kube-proxy root@192.168.126.14:/opt/kubernetes/bin/
root@192.168.126.14's password:
kubelet 100% 168MB 88.8MB/s 00:01
kube-proxy 100% 48MB 87.0MB/s 00:00
② Create the kubeconfig directory and populate it
'//the apiserver and the kubelets talk over the secure port 6443; the insecure port 8080 is for the local control-plane components only'
'//the kubelet connection has to be mutually authenticated TLS'
'//a new kubelet first presents a bootstrap credential to the apiserver and submits a certificate signing request (CSR); once an administrator approves it and the certificate is issued, the kubelet switches to its own client certificate'
'//so before a kubelet can join the cluster it needs a set of parameters, the CA certificate and a bootstrap credential, packaged in a kubeconfig file'
[root@master k8s]# mkdir kubeconfig
'//directory for the kubeconfig files that the apiserver/kubelet and apiserver/kube-proxy connections rely on'
'//after the kubelet's CSR is approved, the issued certificate is stored on the node'
[root@master k8s]# cd kubeconfig/
[root@master kubeconfig]# vim kubeconfig '//note: this script is named without a .sh suffix; the author says the suffix conflicted with its contents'
APISERVER=$1
SSL_DIR=$2    # directory holding the certificates
# Create the kubelet bootstrapping kubeconfig, pointing at the secure port
export KUBE_APISERVER="https://$APISERVER:6443"
# Cluster parameters. --embed-certs=true writes the CA certificate itself into the file
# rather than a path, so the kubeconfig can be copied to the nodes on its own.
kubectl config set-cluster kubernetes \
  --certificate-authority=$SSL_DIR/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
# Client credentials: the bootstrap token. It must be exactly the token written to
# token.csv above. A mismatch is silent on the node: the kubelet authenticates as nobody
# and no request ever appears in "kubectl get csr".
kubectl config set-credentials kubelet-bootstrap \
  --token=46f66211f8331155527e36e3a4d59a31 \
  --kubeconfig=bootstrap.kubeconfig
# Context parameters: cluster name, user name, target file
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
# Default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# Create the kube-proxy kubeconfig: same cluster entry, but the credential is the
# kube-proxy client certificate and key, also embedded
kubectl config set-cluster kubernetes \
  --certificate-authority=$SSL_DIR/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=$SSL_DIR/kube-proxy.pem \
  --client-key=$SSL_DIR/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
'//bootstrap.kubeconfig carries the apiserver CA certificate and the token from token.csv. On first start the kubelet loads it, validates the apiserver against the embedded CA, authenticates with the token as user kubelet-bootstrap, and submits a CSR for its own node certificate'
[root@master kubeconfig]# vim /etc/profile
'//append the following line so kubectl is on the PATH'
export PATH=$PATH:/opt/kubernetes/bin/
[root@master kubeconfig]# source /etc/profile '//apply it'
[root@master kubeconfig]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
etcd-1 Healthy {"health": "true"}
[root@master kubeconfig]# . kubeconfig 192.168.126.11 /root/k8s/k8s-cert/
'//run the script with the master IP and the certificate directory'
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@master kubeconfig]# ls '//two new files'
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
③ Copy the kubeconfig files to the nodes and create the bootstrap role binding
'//copy both kubeconfig files to each node. Both contain secrets (the bootstrap token, and the kube-proxy private key), so keep them at mode 0600 on the nodes'
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.126.13:/opt/kubernetes/cfg/
root@192.168.126.13's password:
bootstrap.kubeconfig 100% 2168 1.4MB/s 00:00
kube-proxy.kubeconfig 100% 6274 3.6MB/s 00:00
[root@master kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.126.14:/opt/kubernetes/cfg/
root@192.168.126.14's password:
bootstrap.kubeconfig 100% 2168 509.3KB/s 00:00
kube-proxy.kubeconfig 100% 6274 5.4MB/s 00:00
'//bind the kubelet-bootstrap user to the built-in system:node-bootstrapper ClusterRole so it may submit signing requests to the apiserver'
'//a ClusterRole is cluster-wide. system:node-bootstrapper only allows creating and reading CertificateSigningRequests, which is all the bootstrap identity should be able to do; approval stays with the administrator (kubectl certificate approve, below). Once its certificate is issued the kubelet connects with a node identity instead'
[root@master kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
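The bootstrap chain set up in steps ④ (token.csv) and ② (bootstrap.kubeconfig) only works if the token is identical at both ends, and nothing in the procedure checks that. The script below is an added example, not part of the original post: it generates a token the way the post does, writes token.csv in the apiserver's format, and compares it with the token embedded in a bootstrap.kubeconfig. write_fixture_kubeconfig is a constructed stand-in for the file kubectl config set-credentials writes (the real one also embeds the CA certificate, which this check does not need); the two token values in the demo are the ones that appear on this page.

```shell
#!/usr/bin/env bash
# Added example: keep the bootstrap token consistent between token.csv on the master and
# bootstrap.kubeconfig on the nodes, and check its shape before use.
# Demo run: bash check-token.sh --demo
set -euo pipefail

# Same recipe as the post: 16 random bytes from /dev/urandom as 32 lowercase hex characters.
new_bootstrap_token() {
    head -c 16 /dev/urandom | od -An -t x1 | tr -d ' \n'
}

# 0 if $1 looks like such a token (exactly 32 hex characters), 1 otherwise.
token_wellformed() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# Write the static token file the apiserver reads via --token-auth-file.
# Format: token,user,uid,"group1,group2". Mode 0600 because the token is a credential.
write_token_csv() {                       # $1 = path, $2 = token
    ( umask 077; printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$2" > "$1" )
}

# First token in token.csv (the file may hold several lines; the bootstrap one is first here).
token_from_csv() {
    head -n1 "$1" | cut -d, -f1
}

# Token stored under users[].user.token in a kubeconfig written by kubectl config set-credentials.
token_from_kubeconfig() {
    sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n1
}

# 0 if the kubeconfig carries exactly the token the apiserver knows, 1 otherwise.
# A mismatch is silent on the node: the kubelet authenticates as nobody, the apiserver
# logs 401s, and "kubectl get csr" never shows a request.
bootstrap_token_matches() {               # $1 = token.csv, $2 = bootstrap.kubeconfig
    local csv kc
    csv=$(token_from_csv "$1")
    kc=$(token_from_kubeconfig "$2")
    [ -n "$csv" ] && [ "$csv" = "$kc" ]
}

# Constructed stand-in for what "kubectl config set-credentials --token" produces.
write_fixture_kubeconfig() {              # $1 = path, $2 = token
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://192.168.126.11:6443
users:
- name: kubelet-bootstrap
  user:
    token: $2
contexts:
- name: default
  context:
    cluster: kubernetes
    user: kubelet-bootstrap
current-context: default
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_token_csv "$d/token.csv" 46f66211f8331155527e36e3a4d59a31
    # the second value is the one the post's kubeconfig script used: a mismatch
    write_fixture_kubeconfig "$d/bootstrap.kubeconfig" 758de51593b30a0ece374abfbf7a2b4a
    if bootstrap_token_matches "$d/token.csv" "$d/bootstrap.kubeconfig"; then
        echo "tokens match"
    else
        echo "MISMATCH: this node would never get a CSR in front of the apiserver"
    fi
fi
```

On a real master run bootstrap_token_matches /opt/kubernetes/cfg/token.csv /root/k8s/kubeconfig/bootstrap.kubeconfig before copying the file to the nodes.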
④ Start the kubelet
----node----
[root@node01 ~]# vim kubelet.sh '//script that writes the kubelet configuration and systemd unit and starts the service'
#!/bin/bash
NODE_ADDRESS=$1                   # this node's IP
DNS_SERVER_IP=${2:-"10.0.0.2"}    # cluster DNS address (inside the service CIDR)
cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
cat <<EOF >/opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
'//--kubeconfig names the file the kubelet writes once its certificate is issued; --bootstrap-kubeconfig is used only while that file does not exist yet; --cert-dir is where the issued node certificate and key are stored'
'//--pod-infra-container-image: the "pause" infrastructure container. Every pod gets one; it holds the pod's shared network namespace and the pod's other containers join it. The image here comes from a third-party mirror of the Google registry; in production pull it from a registry you trust and pin the image'
'//kubelet.config (the KubeletConfiguration resource, in YAML): address and port 10250 are the kubelet API (exec, logs, port-forward); readOnlyPort 10255 is an unauthenticated read-only API that exposes pod specs, environment variables included; cgroupDriver must match the driver docker uses; clusterDNS/clusterDomain are handed to pods as their resolver; failSwapOn: false lets the kubelet start with swap enabled'
'//authentication.anonymous.enabled: true makes unauthenticated callers system:anonymous, which is what lets the apiserver reach the kubelet without a client certificate in this tutorial. Whether system:anonymous may then do anything depends on authorization.mode (Webhook by default in this file, i.e. the apiserver's RBAC decides). The common shortcut of granting system:anonymous broad rights so kubectl logs/exec works exposes every pod to anyone who can reach port 10250. For anything beyond a lab: anonymous.enabled: false, readOnlyPort: 0, authorization.mode: Webhook, and give the apiserver --kubelet-client-certificate/--kubelet-client-key signed by the cluster CA'
[root@node01 ~]# . kubelet.sh 192.168.126.13 '//run the script; the kubelet is now waiting for its CSR to be approved'
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@node01 ~]# ps aux|grep kube
'//check that the kubelet process is running'
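The kubelet.config above is the part of this node setup most worth reviewing before it leaves the lab. The script below is an added example, not part of the original post: it reads a KubeletConfiguration file with sed/awk (enough for this file layout, not a general YAML parser) and reports the settings that expose the node. write_weak_config reproduces the configuration generated by kubelet.sh for node01; write_hardened_config is a constructed hardened version of the same node (anonymous auth off, read-only port closed, client-certificate authentication against the cluster CA, Webhook authorization).

```shell
#!/usr/bin/env bash
# Added example: audit a KubeletConfiguration for the settings that expose a node.
# Usage: bash kubelet-audit.sh --audit /opt/kubernetes/cfg/kubelet.config
set -euo pipefail

# Value of a top-level scalar key (e.g. readOnlyPort). Empty if the key is absent.
yaml_top() {                              # $1 = file, $2 = key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1
}

# authentication.anonymous.enabled; empty if absent (the config-file default is false).
anonymous_enabled() {
    awk '/^[[:space:]]*anonymous:/ { f = 1; next } f && /^[[:space:]]*enabled:/ { print $2; exit }' "$1"
}

# authorization.mode; empty if absent (the config-file default is Webhook).
authorization_mode() {
    awk '/^[[:space:]]*authorization:/ { f = 1; next } f && /^[[:space:]]*mode:/ { print $2; exit }' "$1"
}

# One finding per line; nothing for a clean file. Always returns 0 so callers decide.
audit_kubelet_config() {
    local f=$1 v
    v=$(yaml_top "$f" readOnlyPort)
    if [ -n "$v" ] && [ "$v" != 0 ]; then
        echo "readOnlyPort=$v: unauthenticated read-only API (pod specs incl. env vars) on port $v; set 0"
    fi
    v=$(anonymous_enabled "$f")
    if [ "$v" = true ]; then
        echo "authentication.anonymous.enabled=true: unauthenticated callers reach the kubelet API as system:anonymous; set false and authenticate the apiserver with a client certificate"
    fi
    v=$(authorization_mode "$f")
    if [ "$v" = AlwaysAllow ]; then
        echo "authorization.mode=AlwaysAllow: every request, anonymous or not, is permitted; use Webhook"
    fi
    return 0
}

# Number of findings for a file.
count_findings() {
    audit_kubelet_config "$1" | grep -c . || true
}

# Constructed: the file kubelet.sh writes for node01, same content.
write_weak_config() {
    cat > "$1" <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.126.13
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
}

# Constructed: the same node, hardened. x509.clientCAFile is the cluster CA, so the apiserver
# can authenticate with --kubelet-client-certificate/--kubelet-client-key signed by it.
write_hardened_config() {
    cat > "$1" <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.126.13
port: 10250
readOnlyPort: 0
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
EOF
}

if [ "${1:-}" = "--audit" ] && [ -n "${2:-}" ]; then
    audit_kubelet_config "$2"
fi
```

Against the node01 file the audit reports two findings (the read-only port and anonymous authentication); against the hardened file it reports none. Note that the hardened version also requires the apiserver change mentioned in the notes above, otherwise kubectl logs/exec stop working.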
⑤ Approve node01's request on the master
----master----
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU 82s kubelet-bootstrap Pending
'//node01's request has arrived and is waiting for the cluster to issue its certificate. Before approving, confirm the requester is kubelet-bootstrap and that the request is for a node identity (O=system:nodes, CN=system:node:<node name>) and nothing else: kubectl get csr <name> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -subject. The bootstrap token lets whoever holds it submit a CSR for any subject; approval is the only gate'
[root@master kubeconfig]# kubectl certificate approve node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU
'//approve the signing request; the controller-manager then signs it with the cluster CA'
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU 4h58m kubelet-bootstrap Approved,Issued
'//Approved,Issued means the node has been admitted to the cluster'
'//I hit a snag here: every service started normally and the configuration was fine, but the request would not go to Issued. Rebooting the host and starting the services again fixed it. A real pain.'
[root@master kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.126.13 Ready <none> 10m v1.12.3
'//node01 has joined the cluster'
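The approval step is where a stolen bootstrap token is either stopped or turned into a long-lived certificate, so it deserves more than a glance at the REQUESTOR column. The script below is an added example, not part of the original post: csr_subject decodes a CSR the way it is stored in .spec.request (base64 of the PEM) and node_csr_ok accepts it only if it asks for a node identity whose name is on an allowlist you supply (here the two node IPs of this cluster). make_csr_b64 is a constructed fixture that produces such requests with openssl, standing in for what a kubelet, or whoever has the token, would submit; the admin/system:masters request in the demo is invented to show the rejection path.

```shell
#!/usr/bin/env bash
# Added example: inspect a pending CSR before approving it. With the bootstrap token a
# requester can ask for any subject; the approver, not the token, keeps a leaked token
# from becoming an administrator certificate. Demo run: bash csr-gate.sh --demo
set -euo pipefail

# Subject of a CSR given as base64 PEM (what .spec.request holds), in RFC 2253 form.
# Real input: kubectl get csr NAME -o jsonpath='{.spec.request}'
csr_subject() {
    printf '%s' "$1" | base64 -d | openssl req -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# 0 only if the CSR asks for a node identity (O=system:nodes, CN=system:node:<name>) and
# <name> is one of the node names in $2..; anything else must not be approved blindly.
node_csr_ok() {
    local b64=$1 subj cn name n
    shift
    subj=$(csr_subject "$b64")
    printf '%s\n' "$subj" | tr ',' '\n' | grep -qx 'O=system:nodes' || return 1
    cn=$(printf '%s\n' "$subj" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n1)
    case $cn in
        system:node:*) name=${cn#system:node:} ;;
        *) return 1 ;;
    esac
    for n in "$@"; do
        [ "$n" = "$name" ] && return 0
    done
    return 1
}

# Constructed fixture: a base64-encoded CSR with the given subject, as a kubelet
# (or anyone holding the bootstrap token) would submit it.
make_csr_b64() {                          # $1 = openssl -subj string
    local d
    d=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -subj "$1" \
        -keyout "$d/key.pem" -out "$d/req.csr" 2>/dev/null
    base64 -w0 "$d/req.csr"
}

if [ "${1:-}" = "--demo" ]; then
    # allowlist: the node names used with --hostname-override in this cluster
    for subj in '/CN=system:node:192.168.126.13/O=system:nodes' '/CN=admin/O=system:masters'; do
        csr=$(make_csr_b64 "$subj")
        if node_csr_ok "$csr" 192.168.126.13 192.168.126.14; then
            echo "OK to approve:  $(csr_subject "$csr")"
        else
            echo "DO NOT approve: $(csr_subject "$csr")"
        fi
    done
fi
```

The request from node01 above passes this check; a request for CN=admin,O=system:masters submitted with the same token would be signed by the controller-manager just as readily if approved, which is why the gate belongs in front of kubectl certificate approve.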
⑥ Start kube-proxy on node01
----node01----
'//write a script that starts kube-proxy'
[root@node01 ~]# vim proxy.sh
#!/bin/bash
NODE_ADDRESS=$1
cat <<EOF >/opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
'//--proxy-mode=ipvs: service load balancing at layer 4 through IPVS; it needs the ip_vs kernel modules, and kube-proxy falls back to iptables mode if they are missing'
'//--cluster-cidr is meant to be the pod network CIDR (the flannel network from part 2); kube-proxy uses it to tell pod-originated traffic from external traffic when masquerading. The value used here is the service range, so check it against your flannel subnet'
'//--kubeconfig: the kube-proxy.kubeconfig copied from the master, with the kube-proxy client certificate embedded'
[root@node01 ~]# . proxy.sh 192.168.126.13 '//argument: this node's own IP'
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node01 ~]# systemctl status kube-proxy.service
'//kube-proxy is running'
⑦ node02
----node02----
'//copy node01's configured K8S working directory to node02 as a starting point, then adjust it there'
[root@node01 ~]# scp -r /opt/kubernetes/ root@192.168.126.14:/opt/
The authenticity of host '192.168.126.14 (192.168.126.14)' can't be established.
ECDSA key fingerprint is SHA256:KYwbK4GjzV61NspNK1g9iQSSXL38RbX51ghM9FysXgA.
ECDSA key fingerprint is MD5:19:e6:2c:12:57:e4:0c:d2:68:c9:ad:21:4a:1a:c9:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.126.14' (ECDSA) to the list of known hosts.
root@192.168.126.14's password:
flanneld 100% 238 306.3KB/s 00:00
kubelet 100% 378 157.2KB/s 00:00
kubelet.config 100% 268 493.5KB/s 00:00
bootstrap.kubeconfig 100% 2168 3.9MB/s 00:00
kube-proxy.kubeconfig 100% 6274 11.9MB/s 00:00
kubelet.kubeconfig 100% 2297 4.8MB/s 00:00
kube-proxy 100% 190 327.9KB/s 00:00
mk-docker-opts.sh 100% 2139 2.4MB/s 00:00
flanneld 100% 37MB 86.8MB/s 00:00
kubelet 100% 168MB 98.3MB/s 00:01
kube-proxy 100% 48MB 105.4MB/s 00:00
kubelet.crt 100% 2193 2.8MB/s 00:00
kubelet.key 100% 1679 1.4MB/s 00:00
kubelet-client-2021-04-14-21-32-44.pem 100% 1277 959.9KB/s 00:00
kubelet-client-current.pem 100% 1277 1.2MB/s 00:00
'//the copy includes node01's private material: kubelet.key, kubelet-client-current.pem and kubelet.kubeconfig. It is removed again below; a node's client certificate identifies that node and must never be reused on another host'
'//copy the kubelet and kube-proxy service files to node02'
[root@node01 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.126.14:/usr/lib/systemd/system/
root@192.168.126.14's password:
kubelet.service 100% 264 456.2KB/s 00:00
kube-proxy.service 100% 231 167.4KB/s 00:00
'//now make the changes on node02'
'//first remove the certificates and kubeconfig that node01 obtained through bootstrapping; node02 must request its own. If kubelet.kubeconfig is left in place the kubelet skips bootstrapping and presents node01's certificate, which the Node authorizer rejects for a node named 192.168.126.14'
[root@node02 ~]# rm -f /opt/kubernetes/ssl/kubelet* /opt/kubernetes/cfg/kubelet.kubeconfig
[root@node02 ~]# cd /opt/kubernetes/cfg/
[root@node02 cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.126.14 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
'//change --hostname-override to node02's IP'
[root@node02 cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.126.14
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
'//change address to node02's IP'
[root@node02 cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.126.14 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
'//change --hostname-override to node02's IP'
[root@node02 cfg]# systemctl daemon-reload
[root@node02 cfg]# systemctl start kubelet.service
[root@node02 cfg]# systemctl enable kubelet.service
[root@node02 cfg]# systemctl status kubelet.service
[root@node02 cfg]# systemctl start kube-proxy.service && systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
'//back on the master, look for node02's kubelet request'
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU 5h36m kubelet-bootstrap Approved,Issued
node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU 82m kubelet-bootstrap Pending
[root@master k8s]# kubectl certificate approve node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU
'//approve it, after the same subject check as for node01, to admit node02 to the cluster'
[root@master kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-VBHgXo-rVVHmC0kv3gBp3oZIx_Y3tX_t4T7zrRU_OPU 5h37m kubelet-bootstrap Approved,Issued
node-csr-fMkvyYgM667Bye8Ggvnby6gQuXnWdIu9gFuf1937LpU 83m kubelet-bootstrap Approved,Issued
[root@master kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.126.13 Ready <none> 47m v1.12.3
192.168.126.14 Ready <none> 47m v1.12.3