Kubernetes部署(三)-部署master组件、node节点
2022-07-13 22:24:28
一、部署master组件
1、api-server生成证书
# Prepare the working directory for the master components. master.zip is
# copied in by hand; the page only shows that it contains controller-manager.sh.
cd k8s # place master.zip in this directory first
unzip master.zip
chmod +x controller-manager.sh
# Config, binaries and TLS material live under /opt/kubernetes/{cfg,bin,ssl}.
mkdir /opt/kubernetes/{cfg,bin,ssl} -p
mkdir k8s-cert
cd k8s-cert/ # upload the prepared k8s-cert.sh script into this directory
# Review and edit k8s-cert.sh; its content follows.
# cfssl signing policy. Both the default and the "kubernetes" profile issue
# certificates valid for 87600h (10 years), usable for server AND client auth.
# A leaked key therefore stays usable for a decade; shorter expiry with
# rotation is the safer choice for anything beyond a lab.
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
# CSR for the self-signed cluster CA (CN=kubernetes, RSA-2048).
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# Writes ca.pem, ca-key.pem and ca.csr here. ca-key.pem is the root of trust
# for the whole cluster (and this page later hands it to the apiserver as the
# service-account signing key too): keep it off the nodes and root-only.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
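#-----------------------
# CSR for the apiserver serving certificate. JSON has no comment syntax and
# cfssl rejects a file containing "//" annotations, so the per-host notes from
# the page are kept here instead of inside the heredoc:
#   10.0.0.1         the kubernetes service ClusterIP (first address of
#                    --service-cluster-ip-range 10.0.0.0/24)
#   127.0.0.1        loopback
#   192.168.100.100  master1
#   192.168.100.140  master2
#   192.168.100.100  vip (the page lists the same address as master1 — kept as given)
#   192.168.100.120  lb (master)
#   192.168.100.130  lb (backup)
# The hosts list must cover every address or name clients use to reach the
# apiserver, or TLS verification fails. The delimiter is quoted so nothing in
# the body is subject to shell expansion.
cat > server-csr.json <<'EOF'
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.100.100",
"192.168.100.140",
"192.168.100.100",
"192.168.100.120",
"192.168.100.130",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# Sign with the cluster CA using the "kubernetes" profile; writes server.pem,
# server-key.pem and server.csr.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server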
#-----------------------
# CSR for kube-proxy's client certificate. For client certs the apiserver
# takes the user name from the CN, so this identity is "system:kube-proxy";
# hosts is empty because the cert is never used to serve TLS.
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# Writes kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
2、生成k8s证书
# Run the certificate script assembled above; the *.pem listing should show
# the ca, server and kube-proxy pairs.
bash k8s-cert.sh
ls *.pem
# Only the CA and the apiserver serving pair go to the apiserver's ssl dir.
# The kube-proxy pair stays here; this directory is later passed to the
# kubeconfig script, which presumably consumes it.
cp ca*pem server*pem /opt/kubernetes/ssl/
3、解压kubernetes压缩包
# Back in k8s/: unpack the Kubernetes server release and switch to its binaries.
# The page does not show where the tarball came from; verify it against the
# upstream release checksums before running anything from it.
cd ..
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd /root/k8s/kubernetes/server/bin
4、复制关键命令文件
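# Install the control-plane binaries where the helper scripts expect them.
# The page's original line had no destination (cp would have treated
# kube-controller-manager as the target and failed); kube-scheduler is added
# because scheduler.sh is started a few steps further on.
cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
cd /root/k8s/
# TLS bootstrap token: 16 random bytes rendered as 32 hex digits.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
printf '%s\n' "$BOOTSTRAP_TOKEN"
# token.csv layout is token,user,uid,"group" — the same layout the kubeconfig
# script on this page writes. Written directly rather than pasted into vim so
# the value printed above cannot be mistyped. The file is a credential that
# lets a kubelet join the cluster: keep it readable by the apiserver user only.
cat > /opt/kubernetes/cfg/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF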
5、二进制文件,token,证书都准备好,开启apiserver
# Start the apiserver: first argument is the master address, second the etcd
# endpoint list (apiserver.sh itself is not shown on this page). The addresses
# here (192.168.100.x etcd, 192.168.200.10 master) do not match the config dump
# that follows, which uses 192.168.200.x throughout — the page mixes two
# address plans, so use your own consistently.
bash apiserver.sh 192.168.200.10 https://192.168.100.110:2379,https://192.168.100.120:2379,https://192.168.100.130:2379
# check that the process started (the grep also matches itself)
ps aux | grep kube
6、查看配置文件
# Show the apiserver options file (presumably written by apiserver.sh).
# Points a reviewer should note in the flags below:
#  - --token-auth-file: static token auth from token.csv. Anyone holding that
#    token authenticates as kubelet-bootstrap, so guard the file.
#  - --service-account-key-file=.../ca-key.pem: the cluster CA's private key is
#    reused to sign service-account tokens. A dedicated key pair keeps a
#    service-account signing key compromise from also being a CA compromise.
#  - --authorization-mode=RBAC,Node plus NodeRestriction admission limits what
#    a kubelet's credentials can do; keep both.
#  - --etcd-cafile/--etcd-certfile/--etcd-keyfile: etcd is reached over mutual TLS.
#  - --v=4 is verbose; logs at this level can include request details.
cat /opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.200.10:2379,https://192.168.200.40:2379,https://192.168.200.60:2379 \
--bind-address=192.168.200.10 \
--secure-port=6443 \
--advertise-address=192.168.200.10 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
# the HTTPS port it listens on (--secure-port above)
netstat -ntap | grep 6443
7、启动scheduler服务
# Start the scheduler; the argument is the apiserver address it connects to
# (loopback, i.e. the same host). scheduler.sh itself is not shown on this page.
./scheduler.sh 127.0.0.1
# verify the process is up (the grep also matches itself)
ps aux | grep ku
8、启动controller-manager
# Start the controller-manager against the local apiserver (script contents
# not shown on this page).
./controller-manager.sh 127.0.0.1
9、查看master 节点状态
# Component status: scheduler, controller-manager and each etcd member should
# report Healthy (sample output appears later on this page). Full path is used
# because /opt/kubernetes/bin is not on PATH yet.
/opt/kubernetes/bin/kubectl get cs
二、node节点部署
# on master
# Copy kubelet and kube-proxy to each node. "[email protected]" appears to be an
# extraction artifact standing in for user@node-ip; the real targets are the
# two node addresses used later on this page.
cd /root/k8s/kubernetes/server/bin
scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
#node01节点操作
2、复制node.zip到/root目录下再解压
# upload node.zip to /root
# unpack node.zip to obtain kubelet.sh and proxy.sh
unzip node.zip
# on master
mkdir kubeconfig
cd kubeconfig/
# copy kubeconfig.sh into this directory and rename it (it is later run as `bash kubeconfig`)
mv kubeconfig.sh kubeconfig
vim kubeconfig
----------------删除以下部分----------------------------------------------------------------------
# Create the TLS bootstrapping token
# (This is the section of the kubeconfig script that the page says to delete:
# the apiserver has already been started with /opt/kubernetes/cfg/token.csv,
# so the kubeconfig must reuse that token rather than mint a new one.)
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# Hard-coded sample value from the page. A bootstrap token lets a kubelet join
# the cluster; never reuse a published one.
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
3、配置文件修改为tokenID
# read the token the apiserver was started with
cat /opt/kubernetes/cfg/token.csv
# paste it into the set-credentials line shown next
vim kubeconfig
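# Edit this line in kubeconfig: --token must be the value from token.csv (the
# value shown is the page's example, not one to reuse). The page's listing put
# its "edit here" note after the trailing backslash, which cancels the line
# continuation and makes the next line run as a separate command; the note is
# kept above the command instead.
kubectl config set-credentials kubelet-bootstrap \
--token=849b37696c2aefc70a979562a2bab824 \
--kubeconfig=bootstrap.kubeconfig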
4、设置环境变量(可以写入到/etc/profile中)
# The page does not show what is added to /etc/profile; presumably a PATH entry
# for /opt/kubernetes/bin, since kubectl is called without a path from here on.
vim /etc/profile
source /etc/profile
kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
5、生成配置文件
# Generate bootstrap.kubeconfig and kube-proxy.kubeconfig. Arguments: the
# apiserver address and the directory holding the CA/cert material.
# NOTE(review): 192.168.100.110 is not in the server-csr.json hosts list above;
# if the generated kubeconfig targets https://192.168.100.110:6443 with
# certificate verification on, clients will reject the apiserver certificate.
# Confirm the address is one of the SANs (or a VIP that is listed).
bash kubeconfig 192.168.100.110 /root/k8s/k8s-cert/
ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
6、拷贝配置文件到node节点
# Both files are credentials: bootstrap.kubeconfig embeds the bootstrap token
# and kube-proxy.kubeconfig presumably embeds the kube-proxy client key. Copy
# them over an authenticated channel only and keep them root-readable on the
# nodes. ("[email protected]" stands in for user@node-ip, see above.)
scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
7、创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)
# Let the token user request a node certificate. This only grants the right to
# submit a CSR; each CSR is still approved by hand further down, which is the
# control point that decides who becomes a node.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
# on node01
# run kubelet.sh; the argument is this node's own address (script not shown on the page)
bash kubelet.sh 192.168.100.120
# check that the kubelet service started (the grep also matches itself)
ps aux | grep kube
# on master
# the certificate request from node01 should now be listed
kubectl get csr
# Approve it. Use the NAME printed by `kubectl get csr` (the value here is the
# page's example). Approval issues a node certificate, so check the requesting
# user and the requested identity before approving.
kubectl certificate approve node-csr-ROXvPI34y36KB5tjPw2YWHro-g7s9u-9AYDkt7kd_fQ # replace with the NAME shown by kubectl get csr above
# check the CSR status again
kubectl get csr
# list cluster nodes; node01 has now joined
kubectl get node
# on node01
# start kube-proxy; the argument is this node's own address
bash proxy.sh 192.168.100.120
systemctl status kube-proxy.service # confirm it started
# node02 deployment
# on node01
# Copies the whole /opt/kubernetes tree, including ssl/ with node01's issued
# certificate and key — which is why the next step deletes them on node02.
scp -r /opt/kubernetes/ [email protected]:/opt/
# copy the kubelet and kube-proxy unit files to node02
scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service [email protected]:/usr/lib/systemd/system/
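# on node02, adjust the copied files
# First remove the certificates copied from node01: node02 must obtain its own
# identity through TLS bootstrapping rather than run with node01's key. The
# deletion uses an absolute path so a failed cd cannot turn a bare `rm -rf *`
# into a wipe of whatever directory the shell happened to be in.
cd /opt/kubernetes/ssl/
ls
rm -rf -- /opt/kubernetes/ssl/*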
# edit the three config files: kubelet, kubelet.config, kube-proxy
cd ../cfg/
vim kubelet
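# kubelet options for node02. --hostname-override must be node02's own IP
# (192.168.100.130 in this page's layout). The page's listing placed that note
# after the line-continuation backslash, inside the quoted string, which would
# corrupt the value if pasted as-is; the note lives here instead.
# --pod-infra-container-image pulls the pause image from a third-party mirror;
# pin it by digest or mirror it internally if that registry is not trusted.
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.100.130 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"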
# edit the KubeletConfiguration file (content follows)
vim kubelet.config
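# KubeletConfiguration for node02. Nesting is restored here: the page's listing
# had it flattened, and anonymous/enabled must sit under authentication for
# the file to mean what the author intended.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.100.130 # change to this node's own IP
port: 10250
# Unauthenticated read-only kubelet API on 10255 (pod listing, metrics); set to
# 0 if nothing on the node needs it.
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
# anonymous.enabled: true admits unauthenticated callers on 10250, and with no
# authorization section the kubelet defaults to AlwaysAllow, so the whole
# kubelet API is open to anyone who can reach the port. This page relies on it
# (the kube-apiserver options shown above carry no kubelet client certificate);
# restrict access to 10250/10255 at the network level at minimum, or move to
# webhook authorization with apiserver->kubelet client certificates.
authentication:
  anonymous:
    enabled: true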
# edit the kube-proxy options file (content follows)
vim kube-proxy
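# kube-proxy options for node02. --hostname-override must be node02's own IP
# (192.168.100.130 here). As with the kubelet file, the page's listing put that
# note after the continuation backslash inside the quoted string; it is kept
# above the assignment so the value stays intact when pasted.
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.100.130 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"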
# start the services on node02 and enable them at boot
systemctl start kubelet.service
systemctl enable kubelet.service
systemctl start kube-proxy.service
systemctl enable kube-proxy.service
# on master
# node02's certificate request should now be listed
kubectl get csr
授权许可加入群集
# Approve node02's CSR; the NAME is the page's example and must be replaced by
# the one `kubectl get csr` printed. As before, check who requested it first.
kubectl certificate approve node-csr-WpTFLoUV_yPjqF6SvuiX4OwChJWqirvgHtLDoI7ZMVI # replace with the NAME shown above
# both nodes should now be listed
kubectl get node