
Kubernetes部署(三)-部署master组件、node节点

程序员文章站 2022-07-13 22:24:28

一、部署master组件

1、api-server生成证书

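# Work inside the k8s directory; master.zip is expected to have been copied here beforehand.
cd k8s || exit 1

unzip master.zip || exit 1
chmod +x controller-manager.sh

# Target layout for the master: binaries, config files and certificates.
mkdir -p /opt/kubernetes/{cfg,bin,ssl}

# Directory for the CA / apiserver / kube-proxy certificates; the prepared k8s-cert.sh is
# uploaded here. -p so re-running the step does not fail on an existing directory.
mkdir -p k8s-cert
cd k8s-cert/ || exit 1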
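# Contents of k8s-cert.sh: review and adjust it (above all the "hosts" list) before running it.
# Every address a client will use to reach an apiserver (master IPs, VIP, load balancers) must
# appear in server-csr.json "hosts", otherwise TLS verification of the apiserver fails.
set -euo pipefail

# CA signing policy. 87600h is ten years: long-lived, never-rotated certificates are this guide's
# choice — shorten it if your environment rotates certificates. Quoted heredoc delimiters keep
# the shell from expanding anything inside the JSON.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

# CA certificate request (self-signed below).
cat > ca-csr.json <<'EOF'
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# Apiserver serving certificate. Host roles as labelled by the original author:
#   192.168.100.100  master1
#   192.168.100.140  master2
#   192.168.100.100  vip        (same value as master1 in the original — confirm the real VIP)
#   192.168.100.120  lb (master)
#   192.168.100.130  lb (backup)
# JSON has no // comments; the original had them inline, which makes cfssl reject the file,
# so they live here instead. NOTE(review): the apiserver address this guide later passes to the
# kubeconfig generator (192.168.100.110) and the bind address in its generated apiserver config
# (192.168.200.10) are not in this list — add the addresses you actually use.
cat > server-csr.json <<'EOF'
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.100.100",
      "192.168.100.140",
      "192.168.100.100",
      "192.168.100.120",
      "192.168.100.130",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

# kube-proxy client certificate; CN system:kube-proxy is the identity RBAC sees.
cat > kube-proxy-csr.json <<'EOF'
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy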

2、生成k8s证书

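# Generate the CA, apiserver and kube-proxy certificates (k8s-cert.sh shown above).
bash k8s-cert.sh || exit 1

ls *.pem

# Install the CA and apiserver cert/key where kube-apiserver expects them. Note that ca*.pem also
# matches ca-key.pem: the CA private key lands on the master because the apiserver config in this
# guide uses it as the service-account key. Keep the private keys readable by root only.
cp -- ca*.pem server*.pem /opt/kubernetes/ssl/ || exit 1
chmod 600 /opt/kubernetes/ssl/*-key.pem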

3、解压kubernetes压缩包

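# Back to the k8s working directory; guarded so the archive is not unpacked somewhere unexpected.
cd .. || exit 1

# Unpack the server release (binaries end up in kubernetes/server/bin).
tar -xzvf kubernetes-server-linux-amd64.tar.gz || exit 1

cd /root/k8s/kubernetes/server/bin || exit 1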

4、复制关键命令文件

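# Install the master binaries. The original command had no destination (cp would fail with
# "target is not a directory"); /opt/kubernetes/bin is the bin directory created earlier.
# kube-scheduler is included because scheduler.sh is started further down — drop it if your
# scheduler.sh installs the binary itself.
cp -- kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/ || exit 1

cd /root/k8s/ || exit 1

# Create the TLS-bootstrap token file non-interactively instead of pasting the token into vim:
# 16 random bytes rendered as 32 hex characters, in the row format kube-apiserver reads through
# --token-auth-file (token,user,uid,"group").
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$BOOTSTRAP_TOKEN" \
  > /opt/kubernetes/cfg/token.csv
# The token is a credential; root-only permissions on the file.
chmod 600 /opt/kubernetes/cfg/token.csv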

5、二进制文件,token,证书都准备好,开启apiserver

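# Start kube-apiserver: first argument is the apiserver's own address, second the etcd endpoint
# list. NOTE(review): the 192.168.200.10 / 192.168.100.x addresses here do not match the etcd
# servers in the generated config shown further down (192.168.200.x) — use one consistent set,
# and make sure the apiserver address is in server-csr.json "hosts".
bash apiserver.sh 192.168.200.10 https://192.168.100.110:2379,https://192.168.100.120:2379,https://192.168.100.130:2379 || exit 1

# Check that the process is running; the [k] pattern keeps the grep command itself out of the list.
ps aux | grep '[k]ube'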

6、查看配置文件

cat /opt/kubernetes/cfg/kube-apiserver

# Flags worth knowing about in the generated file (comments cannot go inside the quoted string):
# - --service-account-key-file is the CA private key, i.e. the key pair that signs cluster
#   certificates is also the service-account token key (controller-manager presumably signs
#   with the same ca-key.pem). Whoever holds the SA signing key then holds the CA; a dedicated
#   SA key pair keeps the two apart.
# - --token-auth-file is a static token list: entries never expire or rotate. The
#   --enable-bootstrap-token-auth flag already allows bootstrap tokens kept as Secrets instead.
# - No --kubelet-client-certificate/--kubelet-client-key are set, so apiserver-to-kubelet calls
#   (logs/exec) carry no client identity; this is why the kubelet config later in this guide
#   has anonymous authentication enabled.
# - --etcd-servers lists 192.168.200.x endpoints, while apiserver.sh above was given
#   192.168.100.x — confirm which set is real.
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.200.10:2379,https://192.168.200.40:2379,https://192.168.200.60:2379 \
--bind-address=192.168.200.10 \
--secure-port=6443 \
--advertise-address=192.168.200.10 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

# The apiserver's HTTPS port (--secure-port=6443) should now be listening.
netstat -ntap | grep -F 6443

7、启动scheduler服务

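# Start kube-scheduler against the local apiserver. Run through bash like apiserver.sh, so it does
# not depend on the execute bit (only controller-manager.sh was chmod'ed earlier).
bash scheduler.sh 127.0.0.1 || exit 1

# [k] keeps the grep command itself out of the process list.
ps aux | grep '[k]u'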

8、启动controller-manager

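 # Start kube-controller-manager against the local apiserver, invoked like the other helper scripts.
 bash controller-manager.sh 127.0.0.1 || exit 1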

9、查看master 节点状态

# Health of scheduler, controller-manager and etcd as seen by the apiserver
# (componentstatuses is the long form of "cs").
/opt/kubernetes/bin/kubectl get componentstatuses

二、node节点部署

#master上操作

1、把 kubelet、kube-proxy拷贝到node节点上去

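cd /root/k8s/kubernetes/server/bin || exit 1

# Copy the node binaries to both nodes. The addresses are the ones kubelet.sh / proxy.sh are run
# with further down (node01 = .120, node02 = .130); the login user was not recoverable from the
# page (rendered as a mangled e-mail address) — root is assumed, adjust if you use another account.
NODE_USER=root
NODES=(192.168.100.120 192.168.100.130)
for node in "${NODES[@]}"; do
  scp kubelet kube-proxy "${NODE_USER}@${node}:/opt/kubernetes/bin/" || exit 1
done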

#node01节点操作

2、复制node.zip到/root目录下再解压

 #将node.zip上传到/root目录下

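# node.zip was uploaded to /root; unpacking it yields kubelet.sh and proxy.sh.
cd /root || exit 1
unzip node.zip || exit 1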

#在master上操作

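# Directory for the kubeconfig generator and its output (bootstrap.kubeconfig, kube-proxy.kubeconfig).
mkdir -p kubeconfig
cd kubeconfig/ || exit 1

# Copy kubeconfig.sh into this directory first; it is renamed and later run as
# "bash kubeconfig <apiserver> <certdir>". Fail early instead of letting mv error out.
[[ -f kubeconfig.sh ]] || { printf 'kubeconfig.sh not found in %s\n' "$PWD" >&2; exit 1; }
mv -- kubeconfig.sh kubeconfig
vim kubeconfig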

----------------删除以下部分----------------------------------------------------------------------
# Create the TLS Bootstrapping Token
# (These are the lines the heading above says to remove from the kubeconfig script.)
# Why they go: the apiserver was already started with the token in /opt/kubernetes/cfg/token.csv.
# Generating — or hard-coding — another token here writes a token.csv that does not match the one
# the apiserver loaded, and the kubelet's bootstrap request is then rejected. A fixed token in a
# script is also a plain-text credential; never leave a real one here.
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008

cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

3、配置文件修改为tokenID

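# The bootstrap token the apiserver loaded (first field of token.csv); the kubelet's bootstrap
# credentials must carry exactly this value.
cat /opt/kubernetes/cfg/token.csv

# In the kubeconfig script, make set-credentials use that token. Reading it from token.csv rules
# out a copy/paste mismatch. If you paste the value by hand instead, keep any note on its own
# line: in the original, "#修改此处" followed the trailing backslash, which ends the command there
# and leaves --kubeconfig to run as a separate (failing) command.
vim kubeconfig
kubectl config set-credentials kubelet-bootstrap \
  --token="$(cut -d, -f1 /opt/kubernetes/cfg/token.csv)" \
  --kubeconfig=bootstrap.kubeconfig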

4、设置环境变量(可以写入到/etc/profile中)

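# Put kubectl on PATH for every login by appending to /etc/profile (the binary was installed to
# /opt/kubernetes/bin above); done with printf so the step is repeatable, and skipped if the
# entry is already there.
grep -qF '/opt/kubernetes/bin' /etc/profile \
  || printf 'export PATH=$PATH:/opt/kubernetes/bin\n' >> /etc/profile

# shellcheck disable=SC1091
source /etc/profile

kubectl get cs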
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
etcd-1               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   
controller-manager   Healthy   ok                  
etcd-0               Healthy   {"health":"true"}   

5、生成配置文件

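# Generate bootstrap.kubeconfig and kube-proxy.kubeconfig. Arguments: apiserver address, directory
# holding ca.pem and kube-proxy*.pem. The address is what kubelet and kube-proxy will connect to,
# so it must be the apiserver's real address AND be listed in server-csr.json "hosts"; the hosts
# list earlier in this guide does not contain 192.168.100.110 — verify before running.
bash kubeconfig 192.168.100.110 /root/k8s/k8s-cert/ || exit 1

ls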
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig

6、拷贝配置文件到node节点

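# Distribute the generated kubeconfigs to both nodes. bootstrap.kubeconfig carries the bootstrap
# token and kube-proxy.kubeconfig the kube-proxy client key, so they go only to the nodes.
# Node addresses are the ones kubelet.sh / proxy.sh are run with (node01 = .120, node02 = .130);
# the login user was not recoverable from the page — root is assumed.
NODE_USER=root
NODES=(192.168.100.120 192.168.100.130)
for node in "${NODES[@]}"; do
  scp bootstrap.kubeconfig kube-proxy.kubeconfig "${NODE_USER}@${node}:/opt/kubernetes/cfg/" || exit 1
done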

7、创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)

# Let the kubelet-bootstrap user (the identity from token.csv) submit node CSRs; without this
# binding the kubelets' certificate requests are refused by RBAC.
kubectl create clusterrolebinding kubelet-bootstrap \
  --user=kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper

#在node01节点上操作

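# Start kubelet on node01; the argument is this node's own address.
bash kubelet.sh 192.168.100.120 || exit 1

# Confirm kubelet is running ([k] keeps the grep command itself out of the list).
ps aux | grep '[k]ube'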

#master上操作

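# node01's kubelet should now have submitted a CSR (CONDITION Pending).
kubectl get csr

# Approve it by the NAME printed above. Approving issues a node client certificate, so first check
# that REQUESTOR is kubelet-bootstrap and that the only pending request is from the node you just
# started. The name is taken from a variable so the example value from the original run
# (node-csr-ROXvPI34y36KB5tjPw2YWHro-g7s9u-9AYDkt7kd_fQ) is never approved by accident.
kubectl certificate approve "${CSR_NAME:?set CSR_NAME to the NAME shown by kubectl get csr}"

# The request should now read Approved,Issued.
kubectl get csr

# node01 appears once its kubelet has picked up the issued certificate.
kubectl get node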

#在node01节点操作

# Bring up kube-proxy on node01 (argument: this node's own address).
bash proxy.sh 192.168.100.120

# Confirm the unit came up (the .service suffix is optional for systemctl).
systemctl status kube-proxy

#node02节点部署

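# On node01: push the node installation to node02. The target is node02's address (the one its
# kubelet/kube-proxy are configured with below); the login user was not recoverable from the page —
# root is assumed.
NODE_USER=root
NODE02=192.168.100.130

# Copy bin/ and cfg/ only. ssl/ holds node01's own kubelet client key, which must not be duplicated
# on another host (node02 requests its own certificate through the bootstrap flow); the original
# copied the whole tree and deleted the keys afterwards. An empty ssl/ is created on node02 so the
# later clean-up step still finds the directory.
ssh "${NODE_USER}@${NODE02}" 'mkdir -p /opt/kubernetes/ssl' || exit 1
scp -r /opt/kubernetes/bin /opt/kubernetes/cfg "${NODE_USER}@${NODE02}:/opt/kubernetes/" || exit 1
# cfg/kubelet.kubeconfig is node01's bootstrapped credential; node02 must not start with it.
ssh "${NODE_USER}@${NODE02}" 'rm -f /opt/kubernetes/cfg/kubelet.kubeconfig'

# systemd units for both services.
scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service "${NODE_USER}@${NODE02}:/usr/lib/systemd/system/" || exit 1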

#在node02上操作,进行修改

#首先删除复制过来的证书,等会node02会自行申请证书

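# Remove any certificates copied from node01: node02 must obtain its own through the bootstrap
# flow, and node01's private key must not exist on a second host. The cd is guarded and the path is
# spelled out so a wildcard rm can never run in an unexpected directory.
cd /opt/kubernetes/ssl/ || exit 1
ls
rm -rf -- /opt/kubernetes/ssl/*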

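# Three config files need node02's own values: kubelet, kubelet.config, kube-proxy.
cd ../cfg/ || exit 1

# kubelet: set --hostname-override to node02's own address. This note is kept here on purpose —
# in the original it followed the trailing backslash inside the quoted string, where it is not a
# comment but part of KUBELET_OPTS and would be handed to the kubelet.
# NOTE(review): the pause image comes from a third-party mirror registry; make sure you trust it
# (or pin it by digest) since every pod's sandbox runs it.
vim kubelet

KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.100.130 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"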

vim kubelet.config 

# KubeletConfiguration for node02. Points to be aware of in the values below:
# - authentication.anonymous.enabled: true with no "authorization:" section (the v1beta1 default
#   is AlwaysAllow) means any client that can reach :10250 gets the full kubelet API — including
#   pod exec and logs — without credentials. This guide relies on it because the apiserver config
#   shown earlier carries no kubelet client certificate. The hardened form is
#   anonymous.enabled: false, webhook.enabled: true, authorization.mode: Webhook, together with
#   --kubelet-client-certificate/--kubelet-client-key on the apiserver.
# - readOnlyPort: 10255 serves pod and node details over plain HTTP with no authentication;
#   0 disables it.
# - cgroupDriver must match the container runtime's driver (cgroupfs here — confirm for your runtime).
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.100.130     # change to this node's own IP
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true

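# kube-proxy: set --hostname-override to node02's own address. The note is kept here — inside the
# quoted string after the backslash (as in the original) it would become part of KUBE_PROXY_OPTS.
# NOTE(review): --cluster-cidr here equals the service range given to the apiserver (10.0.0.0/24);
# kube-proxy expects the pod network CIDR — confirm against your CNI configuration.
# --proxy-mode=ipvs needs the ip_vs kernel modules loaded on the node.
vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.100.130 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

# Start both services now and on boot; stop if either fails to start.
systemctl start kubelet.service || exit 1
systemctl enable kubelet.service
systemctl start kube-proxy.service || exit 1
systemctl enable kube-proxy.service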

#在master上操作

# node02's kubelet should now have a pending request (certificatesigningrequests is the long form of csr).
kubectl get certificatesigningrequests

授权许可加入群集
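# Approve node02's CSR by the NAME shown by "kubectl get csr", after checking that REQUESTOR is
# kubelet-bootstrap and that it is the request you expect. Read from a variable so the example
# value from the original run (node-csr-WpTFLoUV_yPjqF6SvuiX4OwChJWqirvgHtLDoI7ZMVI) is never
# approved by accident.
kubectl certificate approve "${CSR_NAME:?set CSR_NAME to the NAME shown by kubectl get csr}"

# Both nodes should now be listed.
kubectl get node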