K8s: single-master cluster deployment (1)

程序员文章站 (Programmer Article Station), 2022-07-15 16:01:28

Kubernetes platform environment planning
Deployment environment

Load balancers
Nginx1: 192.168.13.128/24
Nginx2: 192.168.13.129/24
Master nodes
master1: 192.168.13.131/24  kube-apiserver kube-controller-manager kube-scheduler etcd
master2: 192.168.13.130/24  kube-apiserver kube-controller-manager kube-scheduler etcd
Worker nodes
node1: 192.168.13.132/24  kubelet kube-proxy docker flannel etcd
node2: 192.168.13.133/24  kubelet kube-proxy docker flannel etcd

This installment builds only master1, node1 and node2 (a single master); master2 and the two Nginx load balancers are left for the follow-up.

Kubernetes single-master deployment steps

1. Self-sign the etcd certificates
2. Deploy etcd
3. Install Docker on the nodes
4. Deploy Flannel (first write the pod subnet into etcd)
----------- master ---------------------------
5. Self-sign the APIServer certificates
6. Deploy the APIServer component (token.csv)
7. Deploy the controller-manager (pointing at the apiserver certificates) and scheduler components
----------- node ----------------------------------
8. Generate the kubeconfig files (bootstrap.kubeconfig and kube-proxy.kubeconfig)
9. Deploy the kubelet component
10. Deploy the kube-proxy component
--------------- join the cluster -----------------
11. kubectl get csr && kubectl certificate approve: approve the certificate request so the node joins the cluster
12. Add a second node
13. kubectl get node: check the nodes

I. etcd certificates and the Flannel network

1. Self-sign the etcd certificates on master01

[aaa@qq.com ~]# mkdir k8s
[aaa@qq.com ~]# cd k8s/
[aaa@qq.com k8s]# rz -E   ## upload the etcd scripts
[aaa@qq.com k8s]# ls
etcd-cert.sh  etcd.sh

vim etcd-cert.sh   ## contents of the certificate creation script
cat > ca-config.json <<EOF
{
	"signing": {
		"default": {
			"expiry": "87600h"
		},
		"profiles": {
			"www": {
				 "expiry": "87600h",
				 "usages": [
						"signing",
						"key encipherment",
						"server auth",
						"client auth"
				]
			}
		}
	}
}
EOF

cat > ca-csr.json <<EOF
{
		"CN": "etcd CA",
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "Beijing",
						"ST": "Beijing"
				}
		]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
		"CN": "etcd",
		"hosts": [
		"10.206.240.188",
		"10.206.240.189",
		"10.206.240.111"
		],
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "BeiJing",
						"ST": "BeiJing"
				}
		]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

vim etcd.sh   ## etcd service script
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1       # this member's name, e.g. etcd01
ETCD_IP=$2         # this member's IP address
ETCD_CLUSTER=$3    # the other members as name=https://ip:2380, comma-separated

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
# this member under its own name, followed by the other members passed in the third argument
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# Note: besides the TLS client URL, --listen-client-urls below also binds plain
# HTTP on 127.0.0.1:2379, so any local process can talk to etcd without a client certificate.
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=\${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

[aaa@qq.com k8s]# mkdir etcd-cert   ## create the certificate directory
[aaa@qq.com k8s]# mv etcd-cert.sh etcd-cert   ## move the script into it
[aaa@qq.com k8s]# vim cfssl.sh   ## tool download script
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[aaa@qq.com k8s]# bash cfssl.sh   ## download the official cfssl binaries
[aaa@qq.com k8s]# ls /usr/local/bin/
cfssl  cfssl-certinfo  cfssljson
## cfssl generates certificates, cfssljson turns cfssl's JSON output into certificate files, cfssl-certinfo displays certificate details
[aaa@qq.com k8s]# cd /root/k8s/etcd-cert/   ## change into the certificate script directory
[aaa@qq.com etcd-cert]# ls
etcd-cert.sh

## define the CA signing configuration
[aaa@qq.com etcd-cert]# cat > ca-config.json <<EOF
{
	"signing": {
		"default": {
			"expiry": "87600h"
		},
		"profiles": {
			"www": {
				 "expiry": "87600h",
				 "usages": [
						"signing",
						"key encipherment",
						"server auth",
						"client auth"     
				]  
			} 
		}         
	}
}
EOF 

## CSR for the CA that will sign the certificates
[aaa@qq.com etcd-cert]# cat > ca-csr.json <<EOF
{
		"CN": "etcd CA",
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "Beijing",
						"ST": "Beijing"
				}
		]
}
EOF

[aaa@qq.com etcd-cert]# ls
ca-config.json  ca-csr.json  etcd-cert.sh
[aaa@qq.com etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -  
## generate the CA: produces ca-key.pem and ca.pem
2020/02/09 18:09:13 [INFO] generating a new CA key and certificate from CSR
2020/02/09 18:09:13 [INFO] generate received request
2020/02/09 18:09:13 [INFO] received CSR
2020/02/09 18:09:13 [INFO] generating key: rsa-2048
2020/02/09 18:09:13 [INFO] encoded CSR
2020/02/09 18:09:13 [INFO] signed certificate with serial number 443437184464842782624738198723332409563005728279
[aaa@qq.com etcd-cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  etcd-cert.sh

## server certificate for authentication between the three etcd nodes; the hosts are the three node addresses
## (keep the JSON free of inline comments, cfssl will not parse them)
[aaa@qq.com etcd-cert]# cat > server-csr.json <<EOF
{
		"CN": "etcd",
		"hosts": [
		"192.168.13.131",
		"192.168.13.132",
		"192.168.13.133"
		],
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "BeiJing",
						"ST": "BeiJing"
				}
		]
}
EOF

[aaa@qq.com etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
## generates the etcd server certificate: server-key.pem and server.pem
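Before running cfssl it is worth confirming that every peer address that will go into ETCD_INITIAL_CLUSTER is in the hosts array of server-csr.json: peers and etcdctl dial over HTTPS and reject a server certificate that does not list the IP they connected to, so a missing SAN shows up in step 2 as a cluster that never becomes healthy. The check below is an added example, not part of the original post; the function names, the working directory and the sample CSR (the post's template with only one placeholder host replaced) are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the IPv4 addresses in
# the "hosts" array of a cfssl CSR against the members of an etcd cluster
# string, so the server certificate is known to cover every peer before it is
# signed. Only dotted-quad entries are compared; DNS names are left alone.
set -u

# IPv4 addresses inside the "hosts": [ ... ] block of a cfssl CSR file.
csr_hosts() {
  sed -n '/"hosts"/,/\]/p' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# IPv4 addresses in an ETCD_INITIAL_CLUSTER string such as
# etcd01=https://192.168.13.131:2380,etcd02=https://192.168.13.132:2380
cluster_ips() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Print each cluster member IP the CSR would not cover, one per line.
# Prints nothing when the certificate will be valid for every member.
missing_sans() {
  csr="$1"; cluster="$2"
  for ip in $(cluster_ips "$cluster"); do
    if ! csr_hosts "$csr" | grep -qxF "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# Constructed sample: the post's etcd-cert.sh template in which only one of the
# placeholder 10.206.240.x hosts was replaced by a real 192.168.13.x node.
WORKDIR=$(mktemp -d)
SAMPLE_CSR="$WORKDIR/server-csr.json"
cat > "$SAMPLE_CSR" <<'EOF'
{
    "CN": "etcd",
    "hosts": [
    "10.206.240.188",
    "10.206.240.189",
    "192.168.13.131"
    ],
    "key": { "algo": "rsa", "size": 2048 }
}
EOF
SAMPLE_CLUSTER="etcd01=https://192.168.13.131:2380,etcd02=https://192.168.13.132:2380,etcd03=https://192.168.13.133:2380"

# Report: with the sample above this prints the two nodes the CSR forgot.
missing_sans "$SAMPLE_CSR" "$SAMPLE_CLUSTER" | sed 's/^/missing SAN: /'
```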

2. Deploy etcd on master01 and the nodes

[aaa@qq.com etcd-cert]# cd /root/k8s/
[aaa@qq.com k8s]# rz -E   ## upload the source tarballs into the k8s directory
[aaa@qq.com k8s]# ls
etcd-cert                        flannel-v0.10.0-linux-amd64.tar.gz
etcd.sh                          kubernetes-server-linux-amd64.tar.gz
etcd-v3.3.10-linux-amd64.tar.gz
[aaa@qq.com k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz   ## unpack
[aaa@qq.com k8s]# cd etcd-v3.3.10-linux-amd64/
[aaa@qq.com etcd-v3.3.10-linux-amd64]# ls
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md
[aaa@qq.com etcd-v3.3.10-linux-amd64]# mkdir /opt/etcd/{cfg,bin,ssl} -p
## create the working directories for the config file, the binaries and the certificates
[aaa@qq.com etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/   ## install the binaries
[aaa@qq.com etcd-v3.3.10-linux-amd64]# cd ../etcd-cert/
[aaa@qq.com etcd-cert]# cp *.pem /opt/etcd/ssl/   ## copy the certificates
[aaa@qq.com etcd-cert]# ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem
[aaa@qq.com etcd-cert]# cd ../
[aaa@qq.com k8s]# bash etcd.sh etcd01 192.168.13.131 etcd02=https://192.168.13.132:2380,etcd03=https://192.168.13.133:2380
## run the etcd.sh service script; it blocks here waiting for the other members to join
[aaa@qq.com ~]# ps -ef | grep etcd
## in a second session you will see that the etcd process is already running
[aaa@qq.com ~]# systemctl stop firewalld.service   ## stop the firewall (alternatively open tcp/2379 and tcp/2380 for the etcd members)
[aaa@qq.com ~]# setenforce 0
####### the firewall on the nodes must be stopped as well
[aaa@qq.com ~]# systemctl stop firewalld.service   ## stop the firewall
[aaa@qq.com ~]# setenforce 0
#########
[aaa@qq.com k8s]# scp -r /opt/etcd/ aaa@qq.com:/opt    ## copy the certificates and binaries to the other (node) members
[aaa@qq.com k8s]# scp -r /opt/etcd/ aaa@qq.com:/opt
## copy the service unit to the other node members
[aaa@qq.com k8s]# scp /usr/lib/systemd/system/etcd.service aaa@qq.com:/usr/lib/systemd/system/
[aaa@qq.com k8s]# scp /usr/lib/systemd/system/etcd.service aaa@qq.com:/usr/lib/systemd/system/
######### edit the etcd config file on node01 #########
[aaa@qq.com ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"   ## change the name
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.13.132:2380"   ## change the address
ETCD_LISTEN_CLIENT_URLS="https://192.168.13.132:2379"   ## change the address

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.13.132:2380"   ## change the address
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.13.132:2379"   ## change the address
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.13.131:2380,etcd02=https://192.168.13.132:2380,etcd03=https://192.168.13.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
######### edit the etcd config file on node02 #########
[aaa@qq.com ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03"   ## change the name
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.13.133:2380"   ## change the address
ETCD_LISTEN_CLIENT_URLS="https://192.168.13.133:2379"   ## change the address

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.13.133:2380"   ## change the address
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.13.133:2379"   ## change the address
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.13.131:2380,etcd02=https://192.168.13.132:2380,etcd03=https://192.168.13.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
######### on master01, run the script and wait for the members to join #########
[aaa@qq.com k8s]# bash etcd.sh etcd01 192.168.13.131 etcd02=https://192.168.13.132:2380,etcd03=https://192.168.13.133:2380
######### start the etcd service on the nodes #########
[aaa@qq.com ~]# systemctl start etcd.service
[aaa@qq.com ~]# systemctl start etcd.service
######### check the cluster status on master01 #########
[aaa@qq.com k8s]# cd etcd-cert/   ## change into the certificate directory
[aaa@qq.com etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.13.131:2379,https://192.168.13.132:2379,https://192.168.13.133:2379" cluster-health
## check the cluster health
member 76e0a15c7cd72ef7 is healthy: got healthy result from https://192.168.13.133:2379
member cbcfa6e700d4aa11 is healthy: got healthy result from https://192.168.13.132:2379
member e4f560fae6a18df3 is healthy: got healthy result from https://192.168.13.131:2379
cluster is healthy

3. Install Docker on all nodes

[aaa@qq.com ~]# yum install -y yum-utils device-mapper-persistent-data lvm2   ## install the dependencies
[aaa@qq.com ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
## use the Aliyun mirror as the package source
[aaa@qq.com ~]# yum install -y docker-ce   ## install Docker
[aaa@qq.com ~]# systemctl start docker.service
[aaa@qq.com ~]# systemctl enable docker.service
[aaa@qq.com ~]# tee /etc/docker/daemon.json <<-'EOF'   ## registry mirror for faster image pulls
{
	"registry-mirrors": ["https://3a9s8zx5.mirror.aliyuncs.com"]
}
EOF
[aaa@qq.com ~]# systemctl daemon-reload   ## reload
[aaa@qq.com ~]# systemctl restart docker
[aaa@qq.com ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward=1   ## enable IP forwarding
[aaa@qq.com ~]# sysctl -p   ## reload
[aaa@qq.com ~]# service network restart
[aaa@qq.com ~]# systemctl restart docker

4. Deploy the Flannel network on all nodes

[aaa@qq.com etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.13.131:2379,https://192.168.13.132:2379,https://192.168.13.133:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
## write the pod network that Flannel allocates per-node subnets from into etcd: 172.17.0.0/16 with the vxlan backend
[aaa@qq.com etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.13.131:2379,https://192.168.13.132:2379,https://192.168.13.133:2379" get /coreos.com/network/config
## read back what was written
[aaa@qq.com etcd-cert]# cd ../
## copy the tarball to all nodes (Flannel only needs to be deployed on the nodes)
[aaa@qq.com k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz aaa@qq.com:/root
[aaa@qq.com k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz aaa@qq.com:/root
######### install Flannel on every node ###########
[aaa@qq.com ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz   ## unpack
flanneld
mk-docker-opts.sh
README.md
[aaa@qq.com ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[aaa@qq.com ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[aaa@qq.com ~]# rz -E   ## upload the flannel script

vim flannel.sh   ## script that writes the Flannel config and starts the service

#!/bin/bash

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

[aaa@qq.com ~]# bash flannel.sh https://192.168.13.131:2379,https://192.168.13.132:2379,https://192.168.13.133:2379
## start the Flannel network
[aaa@qq.com ~]# vim /usr/lib/systemd/system/docker.service   ## edit the Docker service unit
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env   ## add this line
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
## reference the variable from subnet.env
[aaa@qq.com ~]# cat /run/flannel/subnet.env   ## show the subnet allocated to this node
DOCKER_OPT_BIP="--bip=172.17.45.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.45.1/24 --ip-masq=false --mtu=1450"
[aaa@qq.com ~]# systemctl daemon-reload   ## reload Docker
[aaa@qq.com ~]# systemctl restart docker
[aaa@qq.com ~]# ifconfig   ## docker0's gateway is now 172.17.45.1; Flannel provides the virtual (overlay) network
[aaa@qq.com ~]# docker run -it centos:7 /bin/bash   ## start a centos:7 container and enter it
[aaa@qq.com /]# yum install net-tools -y   ## install the network tools
[aaa@qq.com /]# ifconfig   ## the container's address is 172.17.45.2
############## node2 gets the same configuration as node1 ##############
## node2's docker0 address is 172.17.1.1
[aaa@qq.com ~]# docker run -it centos:7 /bin/bash   ## start a container and enter it
[aaa@qq.com /]# yum install -y net-tools
[aaa@qq.com /]# ifconfig   ## the container's address is 172.17.1.2
[aaa@qq.com /]# ping 172.17.45.2   ## test that the Flannel network connects the two containers

II. Deploy the three components apiserver, kube-controller-manager and kube-scheduler on master01

1. Self-sign the APIServer certificates

[aaa@qq.com k8s]# rz -E   ## upload the zip of master scripts
[aaa@qq.com k8s]# ls
master.zip
[aaa@qq.com k8s]# unzip master.zip   ## unpack
Archive:  master.zip
	inflating: apiserver.sh            
	inflating: controller-manager.sh   
	inflating: scheduler.sh
[aaa@qq.com k8s]# chmod +x controller-manager.sh   ## make it executable
[aaa@qq.com k8s]# mkdir k8s-cert   ## directory for the self-signed apiserver certificates
[aaa@qq.com k8s]# cd k8s-cert/
[aaa@qq.com k8s-cert]# rz -E   ## upload the k8s certificate script
[aaa@qq.com k8s-cert]# ls
k8s-cert.sh

vim k8s-cert.sh   ## apiserver certificate script
cat > ca-config.json <<EOF
{
	"signing": {
		"default": {
			"expiry": "87600h"
		},
		"profiles": {
			"kubernetes": {
				 "expiry": "87600h",
				 "usages": [
						"signing",
						"key encipherment",
						"server auth",
						"client auth"
				]
			}
		}
	}
}
EOF

cat > ca-csr.json <<EOF
{
		"CN": "kubernetes",
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "Beijing",
						"ST": "Beijing",
						"O": "k8s",
						"OU": "System"
				}
		]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# hosts: the kubernetes service ClusterIP (10.0.0.1, first address of the
# --service-cluster-ip-range), loopback, master1, master2, the VIP used as the
# shared access entry (192.168.13.100), the two load balancers (master and
# backup), and the in-cluster DNS names of the apiserver service.
# Keep the JSON itself free of comments: cfssl does not accept them.
cat > server-csr.json <<EOF
{
		"CN": "kubernetes",
		"hosts": [
			"10.0.0.1",
			"127.0.0.1",
			"192.168.13.131",
			"192.168.13.130",
			"192.168.13.100",
			"192.168.13.128",
			"192.168.13.129",
			"kubernetes",
			"kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster",
			"kubernetes.default.svc.cluster.local"
		],
		"key": {
				"algo": "rsa",
				"size": 2048
		},
		"names": [
				{
						"C": "CN",
						"L": "BeiJing",
						"ST": "BeiJing",
						"O": "k8s",
						"OU": "System"
				}
		]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

cat > admin-csr.json <<EOF
{
	"CN": "admin",
	"hosts": [],
	"key": {
		"algo": "rsa",
		"size": 2048
	},
	"names": [
		{
			"C": "CN",
			"L": "BeiJing",
			"ST": "BeiJing",
			"O": "system:masters",
			"OU": "System"
		}
	]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

cat > kube-proxy-csr.json <<EOF
{
	"CN": "system:kube-proxy",
	"hosts": [],
	"key": {
		"algo": "rsa",
		"size": 2048
	},
	"names": [
		{
			"C": "CN",
			"L": "BeiJing",
			"ST": "BeiJing",
			"O": "k8s",
			"OU": "System"
		}
	]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

[aaa@qq.com k8s-cert]# bash k8s-cert.sh   ## run the script
[aaa@qq.com k8s-cert]# ls *pem   ## 8 certificate files are generated
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem
[aaa@qq.com k8s-cert]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p   ## create the working directories
[aaa@qq.com k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/   ## copy the certificates into the working directory

2. Deploy the APIServer component (token.csv)

[aaa@qq.com k8s-cert]# cd ..
[aaa@qq.com k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz   ## unpack
[aaa@qq.com k8s]# cd kubernetes/server/bin/   ## list the binaries
[aaa@qq.com bin]# ls
apiextensions-apiserver              kube-controller-manager.tar
cloud-controller-manager             kubectl
cloud-controller-manager.docker_tag  kubelet
cloud-controller-manager.tar         kube-proxy
hyperkube                            kube-proxy.docker_tag
kubeadm                              kube-proxy.tar
kube-apiserver                       kube-scheduler
kube-apiserver.docker_tag            kube-scheduler.docker_tag
kube-apiserver.tar                   kube-scheduler.tar
kube-controller-manager              mounter
kube-controller-manager.docker_tag
[aaa@qq.com bin]# cp kube-apiserver kubectl kube-scheduler kube-controller-manager /opt/kubernetes/bin/
## copy the master components into the working directory
[aaa@qq.com bin]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '   ## generate a random token
b555625c736044a609cf020902e773fa
[aaa@qq.com bin]# vim /opt/kubernetes/cfg/token.csv   ## token file: the bootstrap user and its role
b555625c736044a609cf020902e773fa,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
## token, username, uid, role (group)

vim /root/k8s/apiserver.sh   ## the apiserver script
#!/bin/bash

MASTER_ADDRESS=$1
ETCD_SERVERS=$2

cat <<EOF >/opt/kubernetes/cfg/kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver

[aaa@qq.com bin]# cd /root/k8s/
[aaa@qq.com k8s]# bash apiserver.sh 192.168.13.131 https://192.168.13.131:2379,https://192.168.13.132:2379,https://192.168.13.133:2379
## start the apiserver: the first argument is the local address, the second the etcd cluster endpoints
[aaa@qq.com k8s]# ps aux | grep kube   ## check that the process started
[aaa@qq.com k8s]# cat /opt/kubernetes/cfg/kube-apiserver   ## inspect the config file
[aaa@qq.com k8s]# netstat -ntap | grep 6443   ## the HTTPS port
tcp        0      0 192.168.13.131:6443     0.0.0.0:*               LISTEN      38191/kube-apiserve 
tcp        0      0 192.168.13.131:6443     192.168.13.131:34900    ESTABLISHED 38191/kube-apiserve 
tcp        0      0 192.168.13.131:34900    192.168.13.131:6443     ESTABLISHED 38191/kube-apiserve 
[aaa@qq.com k8s]# netstat -ntap | grep 8080   ## the insecure port, bound to loopback only
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      38191/kube-apiserve 

3. Deploy the controller-manager (pointing at the apiserver certificates) and scheduler components

vim scheduler.sh   ## scheduler script
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler

[aaa@qq.com k8s]# ./scheduler.sh 127.0.0.1   ## start the scheduler

vim controller-manager.sh   ## controller-manager script
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager


KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

[aaa@qq.com k8s]# ./controller-manager.sh 127.0.0.1   ## start the controller-manager
[aaa@qq.com k8s]# /opt/kubernetes/bin/kubectl get cs   ## check the status of the master components
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}

III. Deploy the kubelet and kube-proxy components on the nodes

1. Generate the kubeconfig files (bootstrap.kubeconfig and kube-proxy.kubeconfig)

## on master01
[aaa@qq.com k8s]# cd kubernetes/server/bin/
## copy kubelet and kube-proxy to the nodes
[aaa@qq.com bin]# scp kubelet kube-proxy aaa@qq.com:/opt/kubernetes/bin/
[aaa@qq.com bin]# scp kubelet kube-proxy aaa@qq.com:/opt/kubernetes/bin/
## on the nodes
[aaa@qq.com ~]# rz -E   ## upload the zip of node scripts
[aaa@qq.com ~]# unzip node.zip   ## unpack
Archive:  node.zip
	inflating: proxy.sh                
	inflating: kubelet.sh
## on master01
[aaa@qq.com bin]# cd /root/k8s/
[aaa@qq.com k8s]# mkdir kubeconfig   ## create the directory
[aaa@qq.com k8s]# cd kubeconfig/
[aaa@qq.com kubeconfig]# rz -E   ## upload the kubeconfig script
[aaa@qq.com kubeconfig]# ls
kubeconfig.sh
[aaa@qq.com kubeconfig]# cat /opt/kubernetes/cfg/token.csv
b555625c736044a609cf020902e773fa,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
## copy the token; it goes into the script below

vim kubeconfig.sh   ## script contents
## the token-generation section at the top of the original script is deleted (token.csv was created by hand above)

APISERVER=$1
SSL_DIR=$2

# Create the kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"

# Cluster parameters
kubectl config set-cluster kubernetes \
	--certificate-authority=$SSL_DIR/ca.pem \
	--embed-certs=true \
	--server=${KUBE_APISERVER} \
	--kubeconfig=bootstrap.kubeconfig

# Client authentication parameters
# (replace the token with the one from token.csv; a comment after the trailing backslash would break the command)
kubectl config set-credentials kubelet-bootstrap \
	--token=b555625c736044a609cf020902e773fa \
	--kubeconfig=bootstrap.kubeconfig

# Context parameters
kubectl config set-context default \
	--cluster=kubernetes \
	--user=kubelet-bootstrap \
	--kubeconfig=bootstrap.kubeconfig

# Default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------

# Create the kube-proxy kubeconfig

kubectl config set-cluster kubernetes \
	--certificate-authority=$SSL_DIR/ca.pem \
	--embed-certs=true \
	--server=${KUBE_APISERVER} \
	--kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
	--client-certificate=$SSL_DIR/kube-proxy.pem \
	--client-key=$SSL_DIR/kube-proxy-key.pem \
	--embed-certs=true \
	--kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
	--cluster=kubernetes \
	--user=kube-proxy \
	--kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

[aaa@qq.com kubeconfig]# vim /etc/profile   ## add the binaries to the PATH
export PATH=$PATH:/opt/kubernetes/bin/
[aaa@qq.com kubeconfig]# source /etc/profile   ## reload the profile
[aaa@qq.com kubeconfig]# bash kubeconfig 192.168.13.131 /root/k8s/k8s-cert/   ## generate the kubeconfig files
[aaa@qq.com kubeconfig]# ls
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig
[aaa@qq.com kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig aaa@qq.com:/opt/kubernetes/cfg/
## copy the kubeconfig files to the nodes
[aaa@qq.com kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig aaa@qq.com:/opt/kubernetes/cfg/
[aaa@qq.com kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
## bind the bootstrap user to system:node-bootstrapper so it may submit a certificate signing request to the apiserver (essential)
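The bootstrap flow only works when the token in bootstrap.kubeconfig is byte-for-byte the first field of token.csv, which is why the post has you copy it by hand into kubeconfig.sh; if the two disagree the apiserver answers the kubelet with 401 and kubectl get csr never shows a node-csr entry. The check below is an added example, not part of the post: the function names are mine, and the token.csv and the (abbreviated) bootstrap.kubeconfig are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not from the original post: validate token.csv and confirm
# that bootstrap.kubeconfig carries the same bearer token the apiserver loads
# through --token-auth-file.
set -u

# Generate a token exactly as the post does: 16 random bytes as 32 hex digits.
new_token() { head -c 16 /dev/urandom | od -An -t x | tr -d ' \n'; }

# Validate the first data line of a token.csv (token,user,uid,"group").
# Prints "OK ..." on success or one "ERROR ..." line.
check_token_csv() {
  awk -F, '
    /^[[:space:]]*$/ { next }
    NF < 4 { print "ERROR: expected token,user,uid,\"group\" but found " NF " fields"; exit }
    length($1) != 32 || $1 !~ /^[0-9a-f]+$/ { print "ERROR: token is not 32 lowercase hex digits"; exit }
    $2 != "kubelet-bootstrap" { print "ERROR: user " $2 " is not the one bound by the clusterrolebinding"; exit }
    { print "OK " $2 " uid=" $3 " groups=" $4; exit }
  ' "$1"
}

# The bearer token embedded in a kubeconfig (users[].user.token).
kubeconfig_token() { sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1; }

# Compare the token.csv token with the kubeconfig token: prints match or mismatch.
tokens_match() {
  csv_token=$(head -n 1 "$1" | cut -d, -f1)
  kc_token=$(kubeconfig_token "$2")
  if [ -n "$csv_token" ] && [ "$csv_token" = "$kc_token" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Constructed sample files using the token value shown in the post. The
# kubeconfig omits the embedded CA data, which this check does not look at.
WORKDIR=$(mktemp -d)
TOKEN=b555625c736044a609cf020902e773fa
printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "$TOKEN" > "$WORKDIR/token.csv"
cat > "$WORKDIR/bootstrap.kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://192.168.13.131:6443
  name: kubernetes
users:
- name: kubelet-bootstrap
  user:
    token: $TOKEN
EOF
# A copy where the hand-pasted token lost its last digit (constructed failure case).
sed 's/773fa$/773f/' "$WORKDIR/bootstrap.kubeconfig" > "$WORKDIR/stale.kubeconfig"

check_token_csv "$WORKDIR/token.csv"
echo "bootstrap.kubeconfig: $(tokens_match "$WORKDIR/token.csv" "$WORKDIR/bootstrap.kubeconfig")"
echo "stale.kubeconfig: $(tokens_match "$WORKDIR/token.csv" "$WORKDIR/stale.kubeconfig")"
```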

2. Deploy the kubelet component

##### on node01 #######
vim kubelet.sh   ## script contents
#!/bin/bash

NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}

cat <<EOF >/opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

EOF

cat <<EOF >/opt/kubernetes/cfg/kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP} 
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF

cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet

[aaa@qq.com ~]# bash kubelet.sh 192.168.13.132   ## run the script
[aaa@qq.com ~]# ps aux | grep kube   ## check that the service started
########## on master01 ############
[aaa@qq.com kubeconfig]# kubectl get csr   ## check the certificate request
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-PvqJh9Nza5SyPUakuwOkiMUsh7zo3ZG9vw3OTNtlkgg   73s   kubelet-bootstrap   Pending 
## the node is waiting for the cluster to issue its certificate
[aaa@qq.com kubeconfig]# kubectl certificate approve node-csr-PvqJh9Nza5SyPUakuwOkiMUsh7zo3ZG9vw3OTNtlkgg
[aaa@qq.com kubeconfig]# kubectl get csr   ## check the request again
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-PvqJh9Nza5SyPUakuwOkiMUsh7zo3ZG9vw3OTNtlkgg   3m34s   kubelet-bootstrap   Approved,Issued
## the node has been admitted to the cluster
[aaa@qq.com kubeconfig]# kubectl get node   ## list the cluster nodes: node01 has joined
NAME             STATUS   ROLES    AGE    VERSION
192.168.13.132   Ready    <none>   115s   v1.12.3
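The kubelet.config that kubelet.sh writes keeps the read-only port 10255 open and enables anonymous authentication; the CIS Kubernetes Benchmark recommends turning both off (readOnlyPort: 0, anonymous enabled: false), since the read-only port serves pod specs and metrics with no authentication at all and anonymous requests reach the authenticated port as system:anonymous. The audit below is an added example, not part of the post: the function names are mine, the sample files are constructed (the generated file with the tab indentation replaced by spaces, which YAML requires), and the awk/sed parser understands only the layout this script emits.

```shell
#!/bin/sh
# Added example, not from the original post: report the two kubelet.config
# settings from kubelet.sh that widen the kubelet's exposure, and show that a
# hardened copy of the same file passes.
set -u

# Value of readOnlyPort (empty when the key is absent).
read_only_port() { sed -n 's/^readOnlyPort:[[:space:]]*//p' "$1" | head -n 1; }

# Value of authentication.anonymous.enabled (empty when absent). Tracks the
# nesting by indentation, so it works only for the simple layout emitted here.
anonymous_enabled() {
  awk '
    /^authentication:/                   { in_auth = 1; next }
    in_auth && /^[^[:space:]]/           { in_auth = 0; in_anon = 0 }
    in_auth && /^[[:space:]]+anonymous:/ { in_anon = 1; next }
    in_anon && /^[[:space:]]+enabled:/   { sub(/.*enabled:[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# One finding per line; no output means both checks pass.
audit_kubelet_config() {
  port=$(read_only_port "$1")
  anon=$(anonymous_enabled "$1")
  if [ -n "$port" ] && [ "$port" != "0" ]; then
    echo "readOnlyPort: $port -> unauthenticated HTTP API on port $port; set readOnlyPort: 0"
  fi
  if [ "$anon" = "true" ]; then
    echo "authentication.anonymous.enabled: true -> requests without credentials are accepted as system:anonymous; set enabled: false"
  fi
}

# Constructed sample: the file kubelet.sh generates for node01 (spaces instead
# of the post's tabs), plus a hardened copy for comparison.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/kubelet.config" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.13.132
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
sed -e 's/^readOnlyPort: .*/readOnlyPort: 0/' -e 's/enabled: true/enabled: false/' \
  "$WORKDIR/kubelet.config" > "$WORKDIR/kubelet.hardened"

echo "== as generated by kubelet.sh"; audit_kubelet_config "$WORKDIR/kubelet.config"
echo "== hardened copy";             audit_kubelet_config "$WORKDIR/kubelet.hardened"
```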

3. Deploy the kube-proxy component

vim proxy.sh   ## proxy script
#!/bin/bash

NODE_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-proxy

KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy

## on node01
[aaa@qq.com ~]# bash proxy.sh 192.168.13.132   ## start kube-proxy
[aaa@qq.com ~]# systemctl status kube-proxy.service   ## check the service status

4. Deploy node02

## on node01
[aaa@qq.com ~]# scp -r /opt/kubernetes/ aaa@qq.com:/opt/
## copy the finished /opt/kubernetes directory to the other node and adjust it there
[aaa@qq.com ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service aaa@qq.com:/usr/lib/systemd/system/
## copy the kubelet and kube-proxy service units to node2
## on node02, make the changes
[aaa@qq.com ~]# cd /opt/kubernetes/ssl/   ## change into the certificate directory
[aaa@qq.com ssl]# ls
kubelet-client-2020-02-10-00-10-11.pem  kubelet.crt
kubelet-client-current.pem              kubelet.key
[aaa@qq.com ssl]# rm -rf *    ## delete the copied certificates first; node02 will request its own
[aaa@qq.com ssl]# cd ../cfg/   ## edit the three config files kubelet, kubelet.config and kube-proxy
[aaa@qq.com cfg]# vim kubelet
--hostname-override=192.168.13.133 \   ## change the address
[aaa@qq.com cfg]# vim kubelet.config
address: 192.168.13.133   ## change the address
[aaa@qq.com cfg]# vim kube-proxy
--hostname-override=192.168.13.133 \    ## change the address
[aaa@qq.com cfg]# systemctl start kubelet.service   ## start kubelet
[aaa@qq.com cfg]# systemctl enable kubelet.service
[aaa@qq.com cfg]# systemctl start kube-proxy.service   ## start kube-proxy
[aaa@qq.com cfg]# systemctl enable kube-proxy.service

IV. Join the cluster

## on master01
[aaa@qq.com k8s]# kubectl get csr   ## list the requests
NAME                                                   AGE    REQUESTOR           CONDITION
node-csr-PvqJh9Nza5SyPUakuwOkiMUsh7zo3ZG9vw3OTNtlkgg   23m    kubelet-bootstrap   Approved,Issued
node-csr-qE6kNPzFp6dducllhsQucd-3PJQA5t7eVf-xNkx48MA   103s   kubelet-bootstrap   Pending
[aaa@qq.com k8s]# kubectl certificate approve node-csr-qE6kNPzFp6dducllhsQucd-3PJQA5t7eVf-xNkx48MA
## approve the request so the node joins the cluster
[aaa@qq.com k8s]# kubectl get node   ## list the nodes in the cluster
NAME             STATUS   ROLES    AGE   VERSION
192.168.13.132   Ready    <none>   21m   v1.12.3
192.168.13.133   Ready    <none>   70s   v1.12.3

Single-master deployment complete. To be continued…
