1、安装要求

在开始之前,部署 Kubernetes 集群机器需要满足以下几个条件:
(1)一台或多台机器,操作系统 CentOS7.x-86_x64
(2)硬件配置:2GB 或更多 RAM,2 个 CPU 或更多 CPU,硬盘 30GB 或更多
(3)集群中所有机器之间网络互通
(4)可以访问外网,需要拉取镜像,如果服务器不能上网,需要提前下载镜像并导入节点
(5)禁止 swap

2、准备环境

2.1、软件环境

软件 版本
操作系统 CentOS7.8_x64 (mini)
Docker 19-ce
Kubernetes 1.19

2.2、服务器规划

角色 IP 组件
k8s-master 192.168.31.71 kube-apiserver,kube-controller-manager,kube
-scheduler,etcd
k8s-node1 192.168.31.72 kubelet,kube-proxy,docker etcd
k8s-node2 192.168.31.73 kubelet,kube-proxy,docker,etcd

2.2、二进制包方式部署k8集群 - 图1

3、开始搭建

3.1、系统初始化

3.1.1、关闭防火墙

3.1.2、关闭 selinux

3.1.3、关闭 swap

3.1.4、设置主机名

3.1.5、在master添加hosts

  1. cat >> /etc/hosts << EOF 
  2. 192.168.44.147 m1 
  3. 192.168.44.148 n1
  4. EOF

3.1.6、将桥接的 IPv4 流量传递到 iptables 的链

3.1.7、时间同步

3.2、部署 Etcd 集群

Etcd 是一个分布式键值存储系统,Kubernetes 使用 Etcd 进行数据存储,所以先准备一个 Etcd 数据库,为解决 Etcd 单点故障,应采用集群方式部署,这里使用 3 台组建集群,可容忍 1 台机器故障,当然,你也可以使用 5 台组建集群,可容忍 2 台机器故障。

节点名称 IP
etcd-1 192.168.31.71
etcd-2 192.168.31.72
etcd-3 192.168.31.73

注:为了节省机器,这里与 K8s 节点机器复用。也可以独立于 k8s 集群之外部署,只要 apiserver 能连接到就行。

3.2.1、准备 cfssl 证书生成工具

cfssl 是一个开源的证书管理工具,使用 json 文件生成证书,相比 openssl 更方便使用。
找任意一台服务器操作,这里用 Master 节点。

  1. wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
  2. wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 
  3. wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 
  4. chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 
  5. mv cfssl_linux-amd64 /usr/local/bin/cfssl 
  6. mv cfssljson_linux-amd64 /usr/local/bin/cfssljson 
  7. mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

3.2.2、生成 Etcd 证书

(1)自签证书颁发机构(CA)

创建工作目录:

  1. mkdir -p ~/TLS/{etcd,k8s} 
  2. cd TLS/etcd

自签 CA:

  1. cat > ca-config.json<< EOF
  2. {
  3.   "signing": { 
  4.       "default": { 
  5.           "expiry": "87600h" 
  6.        },
  7.        "profiles": { 
  8.            "www": { 
  9.                expiry": "87600h", 
  10.                "usages": [ 
  11.                    "signing",
  12.                    "key encipherment", 
  13.                    "server auth", 
  14.                    "client auth"
  15.                 ]
  16.             }
  17.          }
  18.     }
  19. }
  20. EOF
  1. cat > ca-csr.json<< EOF
  2. {
  3.     "CN": "etcd CA", 
  4.     "key": { 
  5.         "algo": "rsa", 
  6.         "size": 2048 
  7.      },
  8.     "names": [
  9.         { 
  10.             "C": "CN", 
  11.             "L": "Beijing", 
  12.             "ST": "Beijing" 
  13.         } 
  14.      ]
  15. }
  16. EOF

生成证书:

  1. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  2. ls *pem

可以看到:

ca-key.pem ca.pem

(2)使用自签 CA 签发 Etcd HTTPS 证书

创建证书申请文件:

  1. cat > server-csr.json<< EOF
  2. {
  3.     "CN": "etcd", 
  4.     "hosts": [ 
  5.         "192.168.31.71", 
  6.         "192.168.31.72", 
  7.         "192.168.31.73" 
  8.     ],
  9.     "key": { 
  10.         "algo": "rsa", 
  11.         "size": 2048 
  12.     },
  13.     "names": [ 
  14.          { 
  15.              "C": "CN", 
  16.              "L": "BeiJing", 
  17.              "ST": "BeiJing" 
  18.          } 
  19.     ]
  20. }
  21. EOF

注:上述文件 hosts 字段中 IP 为所有 etcd 节点的集群内部通信 IP,一个都不能少!为了方便后期扩容可以多写几个预留的 IP。
生成证书:

  1. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server 
  2. ls server*pem

可以看到:

server-key.pem server.pem

3.2.3、部署 Etcd 集群

注意:不同版本的Etcd集群部署可能不一样,请依所使用的版本为准

以下在节点 1 上操作,为简化操作,待会将节点 1 生成的所有文件拷贝到节点 2 和节点 3.

(1)创建工作目录并解压二进制包
  1. mkdir /opt/etcd/{bin,cfg,ssl} p
  3. # 从 Github 下载二进制文件,下载地址:https://github.com/etcd-io/etcd/releases/tag/v3.5.4
  4. wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
  6. tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
  7. mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

解压后,可以看到三个目录:

  • etcd.service:这个是etcd的自启动文件,通过查看该文件的内容,可以知道etcd启动需要哪些配置,具体内容如下: ```bash [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target

[Service] Type=notify EnvironmentFile=/opt/etcd/cfg/etcd.conf ExecStart=/opt/etcd/bin/etcd \ —name=${ETCD_NAME} \ —data-dir=${ETCD_DATA_DIR} \ —listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \ —listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ —advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \ —initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ —initial-cluster=${ETCD_INITIAL_CLUSTER} \ —initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \ —initial-cluster-state=new \ —cert-file=/opt/etcd/ssl/server.pem \ —key-file=/opt/etcd/ssl/server-key.pem \ —peer-cert-file=/opt/etcd/ssl/server.pem \ —peer-key-file=/opt/etcd/ssl/server-key.pem \ —trusted-ca-file=/opt/etcd/ssl/ca.pem \ —peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \ —logger=zap Restart=on-failure LimitNOFILE=65536

[Install] WantedBy=multi-user.target 

  2. - etcd
  3.    - bin
  4.       - etcd
  5.       - etcdctl
  6.    - cfg
  7.       - etcd.conf
  8.    - ssl:这里需要删除原有的,替换成我们自己上一步生成的
  9.       - ca.pem
  10.       - server-key.pem
  11.       - server.pem
  12. <a name="C0ZAs"></a>
  13. ##### (2)创建 etcd 配置文件
  14. ```bash
  15. cat > /opt/etcd/cfg/etcd.conf << EOF
  16. #[Member] 
  17. ETCD_NAME="etcd-1" 
  18. ETCD_DATA_DIR="/var/lib/etcd/default.etcd" 
  19. ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380" ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379" 
  21. #[Clustering] 
  22. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380" 
  23. ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379" 
  24. ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.71:2380,etcd- 2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380" 
  25. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" 
  26. ETCD_INITIAL_CLUSTER_STATE="new"
  28. EOF

参数如下:

  • ETCD_NAME:节点名称,集群中唯一
  • ETCD_DATA_DIR:数据目录
  • ETCD_LISTEN_PEER_URLS:集群通信监听地址
  • ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
  • ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
  • ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
  • ETCD_INITIAL_CLUSTER:集群节点地址
  • ETCD_INITIAL_CLUSTER_TOKEN:集群 Token
  • ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new 是新集群,existing 表示加入已有集群
    (3)systemd 管理 etcd
    ```bash cat > /usr/lib/systemd/system/etcd.service << EOF

[Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target

[Service] Type=notify EnvironmentFile=/opt/etcd/cfg/etcd.conf ExecStart=/opt/etcd/bin/etcd \ —cert-file=/opt/etcd/ssl/server.pem \ —key-file=/opt/etcd/ssl/server-key.pem \ —peer-cert-file=/opt/etcd/ssl/server.pem \ —peer-key-file=/opt/etcd/ssl/server-key.pem \ —trusted-ca-file=/opt/etcd/ssl/ca.pem \ —peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \ —logger=zap Restart=on-failure LimitNOFILE=65536

[Install] WantedBy=multi-user.target

EOF

  1. <a name="xD3uK"></a>
  2. ##### (4)拷贝刚才生成的证书
  3. 把刚才生成的证书拷贝到配置文件中的路径:
  4. ```bash
  5. cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/

(5)启动并设置开机启动
  1. systemctl daemon-reload 
  2. systemctl start etcd 
  3. systemctl enable etcd

(6)将上面节点 1 所有生成的文件拷贝到节点 2 和节点 3
  1. scp -r /opt/etcd/ root@192.168.31.72:/opt/ 
  2. scp /usr/lib/systemd/system/etcd.service root@192.168.31.72:/usr/lib/systemd/system/
  4. scp -r /opt/etcd/ root@192.168.31.73:/opt/ 
  5. scp /usr/lib/systemd/system/etcd.service root@192.168.31.73:/usr/lib/systemd/system/

然后在节点 2 和节点 3 分别修改 etcd.conf 配置文件中的节点名称和当前服务器 IP:

  1. vi /opt/etcd/cfg/etcd.conf
  1. #[Member] 
  2. ETCD_NAME="etcd-1" # 修改此处,节点 2 改为 etcd-2,节点 3 改为 etcd-3
  3. ETCD_DATA_DIR="/var/lib/etcd/default.etcd" 
  4. ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380" # 修改此处为当前服务器 IP 
  5. ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379" # 修改此处为当前服务器 IP 
  7. #[Clustering] 
  8. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380" # 修改此处为当前服务器 IP 
  9. ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379" # 修改此处为当前服务器 
  10. IPETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.71:2380,etcd- 2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380" 
  11. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" 
  12. ETCD_INITIAL_CLUSTER_STATE="new"

最后启动 etcd 并设置开机启动,同上。

  1. systemctl daemon-reload 
  2. systemctl start etcd 
  3. systemctl enable etcd

(7)查看集群状态
  1. ETCDCTL_API=3 
  2. /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem -- cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem -- endpoints="https://192.168.31.71:2379,https://192.168.31.72:2379,https://192.16 8.31.73:2379" endpoint health

结果如下:

https://192.168.31.71:2379 is healthy: successfully committed proposal: took = 8.154404ms https://192.168.31.73:2379 is healthy: successfully committed proposal: took = 9.044117ms https://192.168.31.72:2379 is healthy: successfully committed proposal: took = 10.000825ms

如果输出上面信息,就说明集群部署成功。如果有问题第一步先看日志:

  1. vi /var/log/message 
  2. # 或 
  3. journalctl -u etcd

3.3、安装 Docker

在所有节点操作。这里采用二进制安装Docker,用 yum 安装Docker也一样。

3.4、部署 Master Node

3.4.1、生成 kube-apiserver 证书

(1)自签证书颁发机构(CA)
  1. cat > ca-config.json<< EOF
  2. {
  3.     "signing": { 
  4.           "default": { 
  5.                 "expiry": "87600h" 
  6.            },
  7.            "profiles": { 
  8.                  "kubernetes": { 
  9.                        "expiry": "87600h", 
  10.                        "usages": [ 
  11.                              "signing", 
  12.                              "key encipherment", 
  13.                              "server auth", 
  14.                              "client auth" 
  15.                          ] 
  16.                    } 
  17.             }
  18.      }
  19. }
  20. EOF
  1. cat > ca-csr.json<< EOF
  2. {
  3.     "CN": "kubernetes", 
  4.     "key": { 
  5.           "algo": "rsa", 
  6.           "size": 2048 
  7.      },
  8.      "names": [ 
  9.            { 
  10.                  "C": "CN", 
  11.                  "L": "Beijing", 
  12.                  "ST": "Beijing", 
  13.                  "O": "k8s", 
  14.                  "OU": "System" 
  15.            } 
  16.       ]
  17. }
  18. EOF

生成证书:

  1. cfssl gencert -initca ca-csr.json | cfssljson -bare ca - 
  3. ls *pem

结果如下:

ca-key.pem ca.pem

(2)使用自签 CA 签发 kube-apiserver HTTPS 证书

创建证书申请文件:

  1. cd TLS/k8s 
  2. cat > server-csr.json<< EOF
  3. {
  4.      "CN": "kubernetes", 
  5.      "hosts": [ 
  6.          "10.0.0.1", 
  7.          "127.0.0.1", 
  8.          "192.168.31.71", 
  9.          "192.168.31.72", 
  10.          "192.168.31.73", 
  11.          "192.168.31.74", 
  12.          "192.168.31.81", 
  13.          "192.168.31.82", 
  14.          "192.168.31.88", 
  15.          "kubernetes", 
  16.          "kubernetes.default", 
  17.          "kubernetes.default.svc", 
  18.          "kubernetes.default.svc.cluster", 
  19.          "kubernetes.default.svc.cluster.local" 
  20.        ],
  21.        "key": { 
  22.             "algo": "rsa", 
  23.             "size": 2048 
  24.         },
  25.         "names": [ 
  26.             { 
  27.                 "C": "CN", 
  28.                 "L": "BeiJing", 
  29.                 "ST": "BeiJing",
  30.                 "O": "k8s", 
  31.                 "OU": "System"
  32.             }
  33.         ]
  34. }
  35. EOF

生成证书:

  1. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json - profile=kubernetes server-csr.json | cfssljson -bare server 
  3. ls server*pem

结果如下:

server-key.pem server.pem

3.4.2、下载解压二进制包

(1)从 Github 下载二进制文件

下载地址: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-
1.18.md#v1183
注:打开链接你会发现里面有很多包,下载一个 server 包就够了,包含了 Master 和 Worker Node 二进制文件。

(2)解压二进制包
  1. mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} 
  2. tar zxvf kubernetes-server-linux-amd64.tar.gz 
  3. cd kubernetes/server/bin 
  4. cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin 
  5. cp kubectl /usr/bin/

3.4.3、部署 kube-apiserver

1. 创建配置文件
  1. cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
  2. KUBE_APISERVER_OPTS="--logtostderr=false \\
  3. --v=2 \\ 
  4. --log-dir=/opt/kubernetes/logs \\ 
  5. --etcd- servers=https://192.168.31.71:2379,https://192.168.31.72:2379,https://192.168.3 1.73:2379 \\ 
  6. --bind-address=192.168.31.71 \\ 
  7. --secure-port=6443 \\ 
  8. --advertise-address=192.168.31.71 \\ 
  9. --allow-privileged=true \\ 
  10. --service-cluster-ip-range=10.0.0.0/24 \\ 
  11. --enable-admission- plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestric tion \\ 
  12. --authorization-mode=RBAC,Node \\ 
  13. --enable-bootstrap-token-auth=true \\ 
  14. --token-auth-file=/opt/kubernetes/cfg/token.csv \\ 
  15. --service-node-port-range=30000-32767 \\ 
  16. --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\ 
  17. --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\ 
  18. --tls-cert-file=/opt/kubernetes/ssl/server.pem \\ 
  19. --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\ 
  20. --client-ca-file=/opt/kubernetes/ssl/ca.pem \\ 
  21. --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\ 
  22. --etcd-cafile=/opt/etcd/ssl/ca.pem \\ 
  23. --etcd-certfile=/opt/etcd/ssl/server.pem \\ 
  24. --etcd-keyfile=/opt/etcd/ssl/server-key.pem \\ 
  25. --audit-log-maxage=30 \\ 
  26. --audit-log-maxbackup=3 \\ 
  27. --audit-log-maxsize=100 \\ 
  28. --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
  30. EOF

注:上面两个\ \ 第一个是转义符,第二个是换行符,使用转义符是为了使用 EOF 保留换行符。
参数详情如下:

  • –logtostderr:启用日志
  • —v:日志等级
  • –log-dir:日志目录
  • –etcd-servers:etcd 集群地址
  • –bind-address:监听地址
  • –secure-port:https 安全端口
  • –advertise-address:集群通告地址
  • –allow-privileged:启用授权
  • –service-cluster-ip-range:Service 虚拟 IP 地址段
  • –enable-admission-plugins:准入控制模块
  • –authorization-mode:认证授权,启用 RBAC 授权和节点自管理
  • –enable-bootstrap-token-auth:启用 TLS bootstrap 机制
  • –token-auth-file:bootstrap token 文件
  • –service-node-port-range:Service nodeport 类型默认分配端口范围
  • –kubelet-client-xxx:apiserver 访问 kubelet 客户端证书
  • –tls-xxx-file:apiserver https 证书
  • –etcd-xxxfile:连接 Etcd 集群证书
  • –audit-log-xxx:审计日志
    2. 拷贝刚才生成的证书
    把刚才生成的证书拷贝到配置文件中的路径:
    1. cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
    3. 启用 TLS Bootstrapping 机制
    TLS Bootstraping:Master apiserver 启用 TLS 认证后,Node 节点 kubelet 和 kube-proxy 要与 kube-apiserver 进行通信,必须使用 CA 签发的有效证书才可以,当 Node 节点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。为了简化流程,Kubernetes 引入了 TLS bootstraping 机制来自动颁发客户端证书,kubelet 会以一个低权限用户自动向 apiserver 申请证书,kubelet 的证书由 apiserver 动态签署。
    所以强烈建议在 Node 上使用这种方式,目前主要用于 kubelet,kube-proxy 还是由我们统一颁发一个证书。
    TLS bootstraping 工作流程:
    image.png
    创建上述配置文件中 token 文件:
    1. cat > /opt/kubernetes/cfg/token.csv << EOF
    2. c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper" 
    3. EOF
    格式:token,用户名,UID,用户组
    token 也可自行生成替换:
    1. head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    4. systemd 管理 apiserver
    ```bash cat > /usr/lib/systemd/system/kube-apiserver.service << EOF

[Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes

[Service] EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS Restart=on-failure

[Install] WantedBy=multi-user.target

EOF

  1. <a name="G027Z"></a>
  2. ##### 5. 启动并设置开机启动
  3. ```bash
  4. systemctl daemon-reload 
  5. systemctl start kube-apiserver 
  6. systemctl enable kube-apiserver

6. 授权 kubelet-bootstrap 用户允许请求证书
  1. kubectl create clusterrolebinding kubelet-bootstrap \ 
  2. --clusterrole=system:node-bootstrapper \ 
  3. --user=kubelet-bootstrap

3.4.4、部署 kube-controller-manager

1. 创建配置文件
  1. cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
  2. KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\ 
  3. --v=2 \\ 
  4. --log-dir=/opt/kubernetes/logs \\ 
  5. --leader-elect=true \\ 
  6. --master=127.0.0.1:8080 \\ 
  7. --bind-address=127.0.0.1 \\ 
  8. --allocate-node-cidrs=true \\ 
  9. --cluster-cidr=10.244.0.0/16 \\ 
  10. --service-cluster-ip-range=10.0.0.0/24 \\ 
  11. --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\ 
  12. --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\ 
  13. --root-ca-file=/opt/kubernetes/ssl/ca.pem \\ 
  14. --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\ 
  15. --experimental-cluster-signing-duration=87600h0m0s" 
  17. EOF

参数详情如下:

  • –master:通过本地非安全本地端口 8080 连接 apiserver。
  • –leader-elect:当该组件启动多个时,自动选举(HA)
  • –cluster-signing-cert-file/–cluster-signing-key-file:自动为 kubelet 颁发证书的 CA,与 apiserver 保持一致
    2. systemd 管理 controller-manager
    ```bash cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF

[Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes

[Service] EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure

[Install] WantedBy=multi-user.target

EOF

  1. <a name="J8Pey"></a>
  2. ##### 3. 启动并设置开机启动
  3. ```bash
  4. systemctl daemon-reload 
  5. systemctl start kube-controller-manager 
  6. systemctl enable kube-controller-manager

3.4.5、部署 kube-scheduler

1. 创建配置文件
  1. cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF 
  2. KUBE_SCHEDULER_OPTS="--logtostderr=false \ 
  3. --v=2 \ 
  4. --log-dir=/opt/kubernetes/logs \ 
  5. --leader-elect \ 
  6. --master=127.0.0.1:8080 \ 
  7. --bind-address=127.0.0.1" 
  8. EOF

参数详情如下:

  • –master:通过本地非安全本地端口 8080 连接 apiserver。
  • –leader-elect:当该组件启动多个时,自动选举(HA)
    2. systemd 管理 scheduler
    ```bash cat > /usr/lib/systemd/system/kube-scheduler.service << EOF

[Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes

[Service] EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS Restart=on-failure

[Install] WantedBy=multi-user.target

EOF

  1. <a name="mYEdQ"></a>
  2. ##### 3. 启动并设置开机启动
  3. ```bash
  4. systemctl daemon-reload 
  5. systemctl start kube-scheduler 
  6. systemctl enable kube-scheduler

3.4.6、 查看集群状态

所有组件都已经启动成功,通过 kubectl 工具查看当前集群组件状态:

  1. kubectl get cs

结果如下:

NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-2 Healthy {“health”:”true”} etcd-1 Healthy {“health”:”true”} etcd-0 Healthy {“health”:”true”}

如上输出说明 Master 节点组件运行正常。

3.5、部署 Worker Node

下面还是在 Master Node 上操作,即同时作为 Worker Node.

3.5.1、创建工作目录并拷贝二进制文件

在所有 worker node 创建工作目录:

  1. mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}

从 master 节点拷贝:

  1. cd kubernetes/server/bin 
  2. cp kubelet kube-proxy /opt/kubernetes/bin # 本地拷贝

3.5.2、部署 kubelet

1. 创建配置文件
  1. cat > /opt/kubernetes/cfg/kubelet.conf << EOF 
  2. KUBELET_OPTS="--logtostderr=false \\ 
  3. --v=2 \\ 
  4. --log-dir=/opt/kubernetes/logs \\ 
  5. --hostname-override=k8s-master \\ 
  6. --network-plugin=cni \\ 
  7. --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\ 
  8. --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\ 
  9. --config=/opt/kubernetes/cfg/kubelet-config.yml \\ 
  10. --cert-dir=/opt/kubernetes/ssl \\ 
  11. --pod-infra-container-image=lizhenliang/pause-amd64:3.0" 
  13. EOF

参数情况如下:

  • –hostname-override:显示名称,集群中唯一
  • –network-plugin:启用 CNI
  • –kubeconfig:空路径,会自动生成,后面用于连接 apiserver
  • –bootstrap-kubeconfig:首次启动向 apiserver 申请证书
  • –config:配置参数文件
  • –cert-dir:kubelet 证书生成目录
  • –pod-infra-container-image:管理 Pod 网络容器的镜像
    2. 配置参数文件
    ```bash cat > /opt/kubernetes/cfg/kubelet-config.yml << EOF kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: 0.0.0.0 port: 10250 readOnlyPort: 10255 cgroupDriver: cgroupfs clusterDNS:
    • 10.0.0.2 clusterDomain: cluster.local failSwapOn: false authentication: anonymous: 
      1. enabled: false
      webhook: 
      1. cacheTTL: 2m0s 
      2. enabled: true
      x509: 
      1. clientCAFile: /opt/kubernetes/ssl/ca.pem
      authorization: mode: Webhook webhook: 
      1. cacheAuthorizedTTL: 5m0s 
      2. cacheUnauthorizedTTL: 30s
      evictionHard: imagefs.available: 15% memory.available: 100Mi nodefs.available: 10% nodefs.inodesFree: 5% maxOpenFiles: 1000000 maxPods: 110

EOF

  1. <a name="xrRcl"></a>
  2. ##### 3. 生成 bootstrap.kubeconfig 文件
  3. ```bash
  4. KUBE_APISERVER="https://192.168.31.71:6443" # apiserver IP:PORT 
  5. TOKEN="c47ffb939f5ca36231d9e3121a252940" # 与 token.csv 里保持一致 
  7. # 生成 kubelet bootstrap kubeconfig 配置文件 
  8. kubectl config set-cluster kubernetes \ 
  9. --certificate-authority=/opt/kubernetes/ssl/ca.pem \ 
  10. --embed-certs=true \ 
  11. --server=${KUBE_APISERVER} \ 
  12. --kubeconfig=bootstrap.kubeconfig 
  14. kubectl config set-credentials "kubelet-bootstrap" \ 
  15. --token=${TOKEN} \ 
  16. --kubeconfig=bootstrap.kubeconfig 
  18. kubectl config set-context default \ 
  19. --cluster=kubernetes \ 
  20. --user="kubelet-bootstrap" \ 
  21. --kubeconfig=bootstrap.kubeconfig 
  23. kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

拷贝到配置文件路径:

  1. cp bootstrap.kubeconfig /opt/kubernetes/cfg

4. systemd 管理 kubelet
  1. cat > /usr/lib/systemd/system/kubelet.service << EOF 
  3. [Unit] 
  4. Description=Kubernetes Kubelet 
  5. After=docker.service 
  7. [Service] 
  8. EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
  9. ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS 
  10. Restart=on-failure 
  11. LimitNOFILE=65536 
  13. [Install] 
  14. WantedBy=multi-user.target 
  16. EOF

5. 启动并设置开机启动
  1. systemctl daemon-reload 
  2. systemctl start kubelet 
  3. systemctl enable kubelet

3.5.3、批准 kubelet 证书申请并加入集群

1、查看 kubelet 证书请求

  1. kubectl get csr

结果如下:

NAME AGE SIGNERNAME REQUESTOR CONDITION node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ—K6M4G7bjhk8A 6m3s kubernetes.io/kube apiserver-client-kubelet kubelet-bootstrap Pending

2、批准申请

  1. kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A

3、查看节点

  1. kubectl get node

注:由于网络插件还没有部署,节点会没有准备就绪 NotReady

3.5.4、部署 kube-proxy

1. 创建配置文件
  1. cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF 
  2. KUBE_PROXY_OPTS="--logtostderr=false \\ 
  3. --v=2 \\ 
  4. --log-dir=/opt/kubernetes/logs \\ 
  5. --config=/opt/kubernetes/cfg/kube-proxy-config.yml" 
  7. EOF

2. 配置参数文件
  1. cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF 
  2. kind: KubeProxyConfiguration 
  3. apiVersion: kubeproxy.config.k8s.io/v1alpha1 
  4. bindAddress: 0.0.0.0 
  5. metricsBindAddress: 0.0.0.0:10249 
  6. clientConnection: 
  7.     kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig 
  8. hostnameOverride: k8s-master 
  9. clusterCIDR: 10.0.0.0/24 
  11. EOF

3. 生成 kube-proxy.kubeconfig 文件

(1)生成 kube-proxy 证书:
  1. # 切换工作目录 
  2. cd TLS/k8s 
  4. # 创建证书请求文件 
  5. cat > kube-proxy-csr.json<< EOF 
  6. { 
  7.     "CN": "system:kube-proxy", 
  8.     "hosts": [],
  9.     "key": { 
  10.         "algo": "rsa", 
  11.         "size": 2048 
  12.     },
  13.     "names": [ 
  14.         { 
  15.             "C": "CN", 
  16.             "L": "BeiJing", 
  17.             "ST": "BeiJing", 
  18.             "O": "k8s", 
  19.             "OU": "System" 
  20.         } 
  21.      ] 
  22. }
  24. EOF
  26. # 生成证书 
  27. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json - profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
  29. ls kube-proxy*pem
  30. # kube-proxy-key.pem kube-proxy.pem

(2)生成 kubeconfig 文件:
  1. KUBE_APISERVER="https://192.168.31.71:6443" 
  2. kubectl config set-cluster kubernetes \ 
  3. --certificate-authority=/opt/kubernetes/ssl/ca.pem \ 
  4. --embed-certs=true \ 
  5. --server=${KUBE_APISERVER} \
  6. --kubeconfig=kube-proxy.kubeconfig 
  8. kubectl config set-credentials kube-proxy \ 
  9. --client-certificate=./kube-proxy.pem \ 
  10. --client-key=./kube-proxy-key.pem \ 
  11. --embed-certs=true \ 
  12. --kubeconfig=kube-proxy.kubeconfig 
  14. kubectl config set-context default \ 
  15. --cluster=kubernetes \ 
  16. --user=kube-proxy \ 
  17. --kubeconfig=kube-proxy.kubeconfig 
  19. kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

(3)拷贝到配置文件指定路径:
  1. cp kube-proxy.kubeconfig /opt/kubernetes/cfg/

4. systemd 管理 kube-proxy
  1. cat > /usr/lib/systemd/system/kube-proxy.service << EOF 
  3. [Unit] 
  4. Description=Kubernetes Proxy 
  5. After=network.target 
  7. [Service] 
  8. EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf 
  9. ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS 
  10. Restart=on-failure 
  11. LimitNOFILE=65536 
  13. [Install] 
  14. WantedBy=multi-user.target 
  16. EOF

5. 启动并设置开机启动
  1. systemctl daemon-reload 
  2. systemctl start kube-proxy 
  3. systemctl enable kube-proxy

3.6、部署 CNI 网络

3.6.1、下载解压二进制文件

下载地址: https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni- plugins-linux-amd64-v0.8.6.tgz
解压二进制包并移动到默认工作目录:

  1. mkdir /opt/cni/bin 
  2. tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin

3.6.2、部署 CNI 网络

  1. wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube- flannel.yml 
  2. sed -i -r "s#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0- amd64#g" kube-flannel.yml

默认镜像地址无法访问,修改为 docker hub 镜像仓库。

  1. kubectl apply -f kube-flannel.yml 
  2. kubectl get pods -n kube-system 
  3. kubectl get node

部署好网络插件,Node 准备就绪。

3.7、授权 apiserver 访问 kubelet

  1. cat > apiserver-to-kubelet-rbac.yaml<< EOF 
  2. apiVersion: rbac.authorization.k8s.io/v1 
  3. kind: ClusterRole
  4. metadata: 
  5.     annotations: 
  6.         rbac.authorization.kubernetes.io/autoupdate: "true" 
  7.     labels: 
  8.         kubernetes.io/bootstrapping: rbac-defaults 
  9.     name: system:kube-apiserver-to-kubelet
  10. rules: 
  11.     - apiGroups: 
  12.         - "" 
  13.       resources: 
  14.           - nodes/proxy 
  15.           - nodes/stats 
  16.           - nodes/log 
  17.           - nodes/spec 
  18.           - nodes/metrics 
  19.           - pods/log 
  20.       verbs: 
  21.           - "*" 
  22. ---
  23. apiVersion: rbac.authorization.k8s.io/v1 
  24. kind: ClusterRoleBinding 
  25. metadata: 
  26.     name: system:kube-apiserver 
  27.     namespace: ""
  28. roleRef: 
  29.     apiGroup: rbac.authorization.k8s.io 
  30.     kind: ClusterRole 
  31.     name: system:kube-apiserver-to-kubelet 
  32. subjects:
  33.     - apiGroup: rbac.authorization.k8s.io 
  34.       kind: User 
  35.       name: kubernetes
  36. EOF
  38. kubectl apply -f apiserver-to-kubelet-rbac.yaml

3.8、新增加 Worker Node

3.8.1、 拷贝已部署好的 Node 相关文件到新节点

在 master 节点将 Worker Node 涉及文件拷贝到新节点 192.168.31.72/73

  1. scp -r /opt/kubernetes root@192.168.31.72:/opt/ 
  2. scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.31.72:/usr/lib/systemd/system
  4. scp -r /opt/cni/ root@192.168.31.72:/opt/ 
  5. scp /opt/kubernetes/ssl/ca.pem root@192.168.31.72:/opt/kubernetes/ssl

3.8.2、删除 kubelet 证书和 kubeconfig 文件

  1. rm /opt/kubernetes/cfg/kubelet.kubeconfig 
  2. rm -f /opt/kubernetes/ssl/kubelet*

注:这几个文件是证书申请审批后自动生成的,每个 Node 不同,必须删除重新生成。

3.8.3、修改主机名

  1. vi /opt/kubernetes/cfg/kubelet.conf 
  3. --hostname-override=k8s-node1
  6. vi /opt/kubernetes/cfg/kube-proxy-config.yml
  8. hostnameOverride: k8s-node1

3.8.4、启动并设置开机启动

  1. systemctl daemon-reload 
  2. systemctl start kubelet 
  3. systemctl enable kubelet 
  4. systemctl start kube-proxy 
  5. systemctl enable kube-proxy

3.8.5、在 Master 上批准新 Node kubelet 证书申请

  1. kubectl get csr

结果如下:

NAME AGE SIGNERNAME REQUESTOR CONDITION node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro 89s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending

批准:

  1. kubectl certificate approve node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro

3.8.6、.查看 Node 状态

  1. kubectl get node

Node2(192.168.31.73 )节点同上。记得修改主机名!