k8s-1-13二进制安装部署
环境规划
系统:centos7 +docker18.09+k8s 1.13 +etcd3.3.10+flanneld0.10
IP地址规划
节点 | IP | 功能 |
---|---|---|
node1 | 192.168.57.13 | kube-apiserver etcd kube-controller-manager kube-scheduler |
node2 | 192.168.57.14 | kubelet kube-proxy etcd flanneld docker |
node3 | 192.168.57.15 | kubelet kube-proxy etcd flanneld docker |
目录规划
# Directory layout used by every later step: /opt/{etcd,kubernetes}/{bin,ssl,cfg}
# (binaries, certificates, option files). Created identically on all three hosts.
for base in etcd kubernetes; do
  mkdir -p /opt/"${base}"/{bin,ssl,cfg}
done
1.MASTER部署
证书生成:
1.1 软件下载
# Fetch the cfssl tool set (release R1.2) into /usr/local/bin and make it executable.
# NOTE(review): the binaries are fetched over plain http with no checksum or signature
# verification; prefer https and verify what is installed before it signs cluster CAs.
for tool in cfssl cfssljson cfssl-certinfo; do
  curl -L "http://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -o "/usr/local/bin/${tool}"
done
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
1.2 etcd证书生成
ca配置
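# cfssl signing policy for the etcd CA: a single "etcd" profile that is valid for both
# server and client authentication (the same cert is used for peers and clients below).
# The pipe into tee was missing, so the heredoc was never written to ca-config.json.
# 87600h = 10 years; such long lifetimes mean a leaked key is not bounded by expiry,
# so a shorter lifetime with planned rotation is worth considering.
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF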
ca证书制作
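# CSR for the etcd CA itself, then self-sign it. Both pipes were missing: the heredoc
# must reach tee, and cfssl's JSON output must reach cfssljson to be split into files.
# Produces ca.pem (public), ca-key.pem (CA private key) and ca.csr.
# ca-key.pem is only needed to sign further certificates; keep it on this host.
cat << EOF | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca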
server证书制作,hosts配置为要安装etcd服务的主机IP地址
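# etcd server/peer certificate; "hosts" lists every host that runs etcd, because the same
# cert is presented by all three members (cert-file and peer-cert-file in etcd.conf).
# Missing pipes restored (heredoc -> tee, cfssl -> cfssljson). Produces server.pem,
# server-key.pem and server.csr, signed by the CA above with the "etcd" profile.
cat << EOF | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.57.13",
    "192.168.57.14",
    "192.168.57.15"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server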
拷贝生成的所有pem文件到要安装etcd服务的主机/opt/etcd/ssl/目录下
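# Install the etcd certificates on every etcd host (node1 is the local master).
# Only the files etcd.conf and kube-apiserver reference are needed: ca.pem, server.pem,
# server-key.pem. The original '*.pem' glob also shipped ca-key.pem (the CA private key)
# to every node; the CA key should stay on the host that signs certificates.
etcd_certs=(ca.pem server.pem server-key.pem)
for host in node2 node3; do
  scp "${etcd_certs[@]}" "${host}:/opt/etcd/ssl/"
done
cp "${etcd_certs[@]}" /opt/etcd/ssl/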
1.3 etcd 安装
# Unpack etcd v3.3.10 and place the etcd/etcdctl binaries on all three members.
tar xvf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64
for host in node2 node3; do
  scp etcd etcdctl "${host}:/opt/etcd/bin/"
done
mv etcd etcdctl /opt/etcd/bin/
etcd配置文件详细内容,对应的主机请修改name及ip地址,以下是etcd01的配置
vim /opt/etcd/cfg/etcd.conf
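# Member settings for etcd01, loaded by etcd.service through EnvironmentFile.
# On node2/node3 change ETCD_NAME (etcd02/etcd03) and every 192.168.57.13 to that host's IP;
# ETCD_INITIAL_CLUSTER stays the same on all members.
# The section headers are kept as comments: the EnvironmentFile parser only takes
# KEY=VALUE lines, and bare "[Member]" lines are not valid assignments.
# NOTE(review): every *_URLS value is http:// although cert/key files and
# *_CLIENT_CERT_AUTH="true" are configured; etcd does not apply TLS to plain-http
# listeners, so peer and client traffic is neither encrypted nor client-authenticated
# with this configuration -- confirm https:// was intended.
#[Member]
ETCD_NAME="etcd01"
# Must exist before the first start (it is also the unit's WorkingDirectory).
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="http://192.168.57.13:2380"
ETCD_LISTEN_CLIENT_URLS="http://192.168.57.13:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.57.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.57.13:2379"
ETCD_INITIAL_CLUSTER="etcd01=http://192.168.57.13:2380,etcd02=http://192.168.57.14:2380,etcd03=http://192.168.57.15:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/opt/etcd/ssl/server.pem"
ETCD_KEY_FILE="/opt/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/opt/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/opt/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/opt/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"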
etcd 服务配置详细内容
vim /usr/lib/systemd/system/etcd.service
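[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# This directory (= ETCD_DATA_DIR in etcd.conf) must exist before the first start;
# the mkdir at the top of this page only creates the /opt/... tree.
WorkingDirectory=/data1/etcd/
# Member settings come from etcd.conf; the '-' prefix makes a missing file non-fatal.
EnvironmentFile=-/opt/etcd/cfg/etcd.conf
# Runs through bash so that $(nproc) sets GOMAXPROCS to the processor count (systemd
# performs no command substitution itself). The whole command is one double-quoted
# systemd argument: lines ending in '\' are joined by systemd, and the inner quotes
# are escaped so they reach bash intact. The original was missing the '[Unit]' header
# (Description= outside a section is rejected) and the continuation on the ExecStart line.
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/etcd/bin/etcd \
--name=\"${ETCD_NAME}\" \
--data-dir=\"${ETCD_DATA_DIR}\" \
--listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" \
--listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" \
--advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" \
--initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" \
--initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" \
--initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" \
--cert-file=\"${ETCD_CERT_FILE}\" \
--key-file=\"${ETCD_KEY_FILE}\" \
--trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" \
--client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" \
--peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" \
--peer-key-file=\"${ETCD_PEER_KEY_FILE}\" \
--peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" \
--peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target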
拷贝到其他主机,注意修改对应主机的ip和name
# Push the unit and the member config to the other two etcd hosts (same order as before:
# unit file to both, then etcd.conf to both). ETCD_NAME and the IPs in etcd.conf
# must be edited on each destination host afterwards.
for file in /usr/lib/systemd/system/etcd.service /opt/etcd/cfg/etcd.conf; do
  for host in node2 node3; do
    scp "${file}" "${host}:${file}"
  done
done
启动etcd服务,查看健康状态
# Enable and start etcd, put the etcd/kubernetes binaries on PATH, then check cluster health.
# NOTE(review): the endpoints are http://, so --ca-file/--cert-file/--key-file are not
# exercised by this check; it only proves reachability, not that TLS is in place.
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" etcd
done
export PATH="${PATH}:/opt/etcd/bin/:/opt/kubernetes/bin/"
etcdctl \
  --ca-file=/opt/etcd/ssl/ca.pem \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --endpoints="http://192.168.57.13:2379,http://192.168.57.14:2379,http://192.168.57.15:2379" \
  cluster-health
member 36513deb10729932 is healthy: got healthy result from http://192.168.57.13:2379
member 4dc1cf72420494f7 is healthy: got healthy result from http://192.168.57.14:2379
member cb3821c5c48fcd62 is healthy: got healthy result from http://192.168.57.15:2379
cluster is healthy
1.4 k8s证书制作
ca配置
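# cfssl signing policy for the Kubernetes CA: one "kubernetes" profile valid for server
# and client auth (apiserver serving cert and kube-proxy client cert both use it).
# The pipe into tee was missing, so the heredoc was never written to ca-config.json.
# This overwrites the ca-config.json/ca*.pem/server*.pem produced for etcd if run in the
# same working directory; the etcd copies were already placed under /opt/etcd/ssl in 1.2,
# but a separate directory avoids mixing the two CAs.
# 87600h = 10 years; consider a shorter lifetime with rotation.
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF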
ca证书制作
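# CSR for the Kubernetes cluster CA, then self-sign it (pipes restored: heredoc -> tee,
# cfssl -> cfssljson). Produces ca.pem, ca-key.pem and ca.csr.
# ca-key.pem is later used by kube-apiserver and kube-controller-manager on the master
# (service-account and cluster-signing keys); it must not leave the master.
cat << EOF | tee ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -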
制作apiserver证书
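# kube-apiserver serving certificate (pipes restored). "hosts" must cover every name or
# address a client may use: 10.254.0.1 is the first address of the service range
# (--service-cluster-ip-range=10.254.0.0/16) used by the in-cluster "kubernetes" service,
# 127.0.0.1 and the three node IPs cover local and direct access, and the
# kubernetes.default.svc.* names cover in-cluster DNS. Adding hosts later means re-issuing.
# Produces server.pem, server-key.pem and server.csr.
cat << EOF | tee server-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "10.254.0.1",
    "127.0.0.1",
    "192.168.57.13",
    "192.168.57.14",
    "192.168.57.15",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server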
制作kube-proxy证书
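# kube-proxy client certificate (pipes restored). The CN becomes the user name the
# apiserver sees, so "system:kube-proxy" is what RBAC must authorise; "hosts" is empty
# because this is a pure client cert. Produces kube-proxy.pem / kube-proxy-key.pem,
# which environment.sh later embeds into kube-proxy.kubeconfig.
cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy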
拷贝所有pem文件到 /opt/kubernetes/ssl/
# Master keeps every Kubernetes PEM, including ca-key.pem: kube-apiserver and
# kube-controller-manager reference it for service-account and cluster-signing keys.
cp -- *.pem /opt/kubernetes/ssl/
1.5 部署kube-apiserver
# Unpack the Kubernetes server tarball and install the master-side binaries (plus kubectl).
tar -zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/
for bin in kube-scheduler kube-apiserver kube-controller-manager kubectl; do
  cp "${bin}" /opt/kubernetes/bin/
done
创建token
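# Random bootstrap token: 16 bytes from /dev/urandom rendered as 32 lowercase hex
# characters (od prints 4-byte words, tr removes the separating spaces). The pipes were
# missing in the original. The value goes into the first column of
# /opt/kubernetes/cfg/token.csv and into BOOTSTRAP_TOKEN in environment.sh; it grants
# the right to request node certificates, so handle it like a credential.
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
printf '%s\n' "${BOOTSTRAP_TOKEN}"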
f01405245c53ec55ea3967e30e3d7019
vim /opt/kubernetes/cfg/token.csv
f01405245c53ec55ea3967e30e3d7019,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
创建apiserver配置文件
[root@node1 ssl]# vim /opt/kubernetes/cfg/kube-apiserver
# kube-apiserver flags, loaded by kube-apiserver.service via EnvironmentFile.
# --bind-address/--advertise-address are the master's IP; --secure-port=6443 is the TLS port
#   served with server.pem/server-key.pem from 1.4.
# --authorization-mode=RBAC,Node plus NodeRestriction limits what bootstrapped kubelets may do.
# --enable-bootstrap-token-auth/--token-auth-file: the static token from token.csv authenticates
#   the kubelet-bootstrap user used in environment.sh.
# NOTE(review): --etcd-servers uses http:// while --etcd-cafile/-certfile/-keyfile are set;
#   over plain http those credentials are not used -- confirm the etcd endpoints are meant to be https.
# NOTE(review): --service-account-key-file points at the CA private key (ca-key.pem); reusing
#   the CA key for service-account token verification couples the two trust domains -- a
#   dedicated key pair is worth considering.
# --v=4 is verbose; logs may contain request details, so lower it outside of bring-up.
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=http://192.168.57.13:2379,http://192.168.57.14:2379,http://192.168.57.15:2379 \
--bind-address=192.168.57.13 \
--secure-port=6443 \
--advertise-address=192.168.57.13 \
--allow-privileged=true \
--service-cluster-ip-range=10.254.0.0/16 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
创建apiserver system文件
vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=http://github.com/kubernetes/kubernetes
# No ordering on etcd or the network is declared; Restart=on-failure below is what covers
# a start before etcd is reachable.
[Service]
# '-' prefix: a missing options file is not fatal, the flags then simply come out empty.
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
# Unquoted so systemd word-splits KUBE_APISERVER_OPTS into separate arguments.
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动apiserver
# Reload units, then enable and start the API server.
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" kube-apiserver
done
1.6 部署kube-scheduler组件
创建kube-scheduler配置文件
vim /opt/kubernetes/cfg/kube-scheduler
# kube-scheduler flags (loaded by kube-scheduler.service).
# --master=127.0.0.1:8080 presumably targets the apiserver's local insecure port (no TLS,
# no authentication) -- acceptable only while that port stays bound to loopback; verify
# nothing exposes it. --leader-elect is a no-op with a single master but safe to keep.
KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
创建kube-scheduler system文件
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=http://github.com/kubernetes/kubernetes
[Service]
# '-' prefix: a missing options file is not fatal.
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
# Unquoted so systemd word-splits KUBE_SCHEDULER_OPTS into separate arguments.
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
# No dependency on kube-apiserver is declared; on-failure restarts cover an early start.
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动kube-scheduler
# Reload units, then enable and start the scheduler.
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" kube-scheduler.service
done
1.7 部署kube-controller-manager组件
创建kube-controller-manager配置文件
vim /opt/kubernetes/cfg/kube-controller-manager
# kube-controller-manager flags (loaded by kube-controller-manager.service).
# --master=127.0.0.1:8080 uses the apiserver's local insecure port, like kube-scheduler;
#   --address=127.0.0.1 keeps the controller-manager's own HTTP port on loopback.
# --cluster-signing-cert-file/-key-file: the cluster CA signs the node CSRs approved in 2.7.
# --service-account-private-key-file must be the private half of the apiserver's
#   --service-account-key-file; both point at ca-key.pem here.
# NOTE(review): signing service-account tokens with the CA private key means a leaked
#   token-signing key is also a leaked CA key -- a dedicated key pair is worth considering.
# --service-cluster-ip-range must equal the apiserver's (10.254.0.0/16).
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=127.0.0.1:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.254.0.0/16 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
创建kube-controller-manager system文件
vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=http://github.com/kubernetes/kubernetes
[Service]
# '-' prefix: a missing options file is not fatal.
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
# Unquoted so systemd word-splits KUBE_CONTROLLER_MANAGER_OPTS into separate arguments.
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动kube-controller-manager
# Reload units, then enable and start the controller manager.
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" kube-controller-manager
done
1.8 验证服务状态
[root@node1 ssl]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
2. node节点安装
2.1 docker安装
# Docker CE from the upstream repository (the plan above calls for Docker 18.09).
# NOTE(review): the .repo file is fetched over plain http and is itself unverified;
# package signatures are still checked only if that repo file enables gpgcheck -- prefer https.
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
2.2 操作在master节点执行,拷贝证书到node节点,并制作bootstrap.kubeconfig
vim /opt/kubernetes/cfg/environment.sh
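#!/bin/bash
# Builds the two kubeconfig files used on the nodes:
#   bootstrap.kubeconfig  - kubelet TLS bootstrap, authenticated by the static token below
#   kube-proxy.kubeconfig - kube-proxy, authenticated by its client certificate
# Run on the master (reads /opt/kubernetes/ssl/). Both files are written to the current
# directory and then copied to every node. kube-proxy.kubeconfig embeds the kube-proxy
# private key (--embed-certs=true) and bootstrap.kubeconfig embeds the token: copy them
# as secrets. The page invokes this as "sh environment.sh", so only POSIX sh syntax is
# used; -e/-u stop the script instead of producing half-written kubeconfigs.
set -eu

# Must match the first column of /opt/kubernetes/cfg/token.csv.
BOOTSTRAP_TOKEN=f01405245c53ec55ea3967e30e3d7019
# NOTE(review): 6443 is the apiserver's --secure-port (TLS) and a CA is supplied below,
# yet the scheme here is http:// -- confirm https:// was intended.
KUBE_APISERVER="http://192.168.57.13:6443"

# --- kubelet bootstrapping kubeconfig ---------------------------------------
# cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=bootstrap.kubeconfig
# client credentials: the bootstrap token
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig
# context
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
# default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

# --- kube-proxy kubeconfig --------------------------------------------------
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig=kube-proxy.kubeconfig
# client credentials: the kube-proxy certificate issued in 1.4
kubectl config set-credentials kube-proxy \
  --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
  --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig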
sh environment.sh 执行此脚本会生成两个文件 拷贝到node节点上
bootstrap.kubeconfig environment.sh kube-proxy.kubeconfig
2.3 将kubelet-bootstrap用户绑定到系统集群角色
# Allow the token-authenticated kubelet-bootstrap user to submit node CSRs (TLS bootstrapping).
# system:node-bootstrapper only covers creating and reading CSRs; approval is still manual (2.7).
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
2.4 创建kubelet参数配置模板文件,操作在node节点上执行,对应的ip地址为node节点的ip
vim /opt/kubernetes/cfg/kubelet.config
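# Kubelet configuration file (--config in the kubelet options). The authentication block
# had lost its nesting in the listing; restored to authentication -> anonymous -> enabled.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
# This node's own IP; 192.168.57.15 on node3.
address: 192.168.57.14
port: 10250
# NOTE(review): 10255 is the unauthenticated read-only kubelet API; set it to 0 unless
# something (metrics scraping) actually depends on it.
readOnlyPort: 10255
# Must match the cgroup driver Docker is running with -- TODO confirm on the node.
cgroupDriver: cgroupfs
# Cluster DNS address, inside the service range (10.254.0.0/16).
clusterDNS: ["10.254.0.10"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    # NOTE(review): anonymous requests to the kubelet API (10250) are accepted and no
    # authorization mode is set in this file -- review before the port is reachable from
    # outside the cluster network.
    enabled: true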
2.5 安装kubelet
拷贝kube-proxy 和kubelet到node节点
# Node binaries come from the same server tarball; push kubelet and kube-proxy to both nodes.
tar xvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
for host in node2 node3; do
  scp kubelet kube-proxy "${host}:/opt/kubernetes/bin/"
done
创建kubelet配置文件
vim /opt/kubernetes/cfg/kubelet
# kubelet flags (loaded by kubelet.service). --hostname-override is this node's IP
# (192.168.57.15 on node3) and is the Node name shown by "kubectl get nodes" in 2.8.
# --bootstrap-kubeconfig: the token-based file from environment.sh, presumably used only
#   until the CSR is approved (2.7), after which the kubelet writes --kubeconfig
#   (kubelet.kubeconfig) and its issued cert/key into --cert-dir -- verify on the node.
# --config: the KubeletConfiguration from 2.4 (listen address, auth settings, cluster DNS).
# --pod-infra-container-image: pause image pulled from a mirror registry; it runs in every
#   pod, so pin and verify it rather than trusting the tag alone.
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.57.14 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
创建system文件
vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
# Hard dependency on docker: kubelet starts after it and is stopped with it.
After=docker.service
Requires=docker.service
[Service]
# No '-' prefix here: a missing /opt/kubernetes/cfg/kubelet fails the unit (the other
# units on this page tolerate a missing options file).
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
# Only the main kubelet process is signalled on stop; processes it spawned are left running.
KillMode=process
[Install]
WantedBy=multi-user.target
启动服务
# Reload units, then enable and start the kubelet; it will submit its bootstrap CSR (see 2.7).
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" kubelet
done
2.6 安装kube-proxy
创建kube-proxy配置文件
vim /opt/kubernetes/cfg/kube-proxy
# kube-proxy flags (loaded by kube-proxy.service); --hostname-override is this node's IP.
# --kubeconfig: the certificate-based kube-proxy.kubeconfig generated by environment.sh.
# NOTE(review): --cluster-cidr is the pod network, and 10.254.0.0/16 is also the
#   --service-cluster-ip-range given to the master components -- the two ranges overlap;
#   confirm this is intended, disjoint ranges are the usual setup.
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.57.14 \
--cluster-cidr=10.254.0.0/16 \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
创建system文件
vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
# '-' prefix: a missing options file is not fatal.
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
# Unquoted so systemd word-splits KUBE_PROXY_OPTS into separate arguments.
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
启动服务
# Reload units, then enable and start kube-proxy.
systemctl daemon-reload
for verb in enable start; do
  systemctl "${verb}" kube-proxy
done
2.7 查看csr并接受
kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-ij3py9j-yi-eoa8sOHMDs7VeTQtMv0N3Efj3ByZLMdc 102s kubelet-bootstrap Pending
kubectl certificate approve node-csr-ij3py9j-yi-eoa8sOHMDs7VeTQtMv0N3Efj3ByZLMdc
certificatesigningrequest.certificates.k8s.io/node-csr-ij3py9j-yi-eoa8sOHMDs7VeTQtMv0N3Efj3ByZLMdc approved
kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-ij3py9j-yi-eoa8sOHMDs7VeTQtMv0N3Efj3ByZLMdc 5m13s kubelet-bootstrap Approved,Issued
2.8 查看node
kubectl get nodes
NAME STATUS ROLES AGE VERSION
192.168.57.14 Ready <none> 9m15s v1.13.1
3. flannel安装
3.1 注册网段
# Register the flannel overlay network in etcd, under the prefix flanneld is configured
# with (-etcd-prefix=/k8s/network, key ".../config").
# NOTE(review): 10.254.0.0/16 is also the service cluster IP range configured on the master;
# pod and service ranges normally must not overlap -- confirm this is intentional.
# NOTE(review): the endpoints are http://, so --ca-file/--cert-file/--key-file are not exercised.
etcdctl \
  --ca-file=/opt/etcd/ssl/ca.pem \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --endpoints="http://192.168.57.13:2379,http://192.168.57.14:2379,http://192.168.57.15:2379" \
  set /k8s/network/config '{ "Network": "10.254.0.0/16", "Backend": {"Type": "vxlan"}}'
3.2 解压安装文件
# flannel v0.10.0: the daemon plus the helper that derives Docker's network options.
tar -xvf flannel-v0.10.0-linux-amd64.tar.gz
mv -- flanneld mk-docker-opts.sh /opt/kubernetes/bin/
3.3 配置文件
[root@node2 ~]# cat /opt/kubernetes/cfg/flanneld
# flanneld options (loaded by flanneld.service). Same etcd endpoints and certificate files
# as kube-apiserver; -etcd-prefix must match the key registered in 3.1 (/k8s/network/config).
# Go's flag parser accepts both -flag and --flag, hence the mixed style.
# NOTE(review): the endpoints are http://, so the -etcd-cafile/-certfile/-keyfile values are
# not exercised -- confirm https:// was intended.
FLANNEL_OPTIONS="--etcd-endpoints=http://192.168.57.13:2379,http://192.168.57.14:2379,http://192.168.57.15:2379 \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem \
-etcd-prefix=/k8s/network \
-iface=enp0s8 " # specifies which NIC to use for bridging
3.4 system文件
[root@node2 ~]# cat /usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
# Ordered before docker so /run/flannel/subnet.env exists when docker.service reads it (3.5).
Before=docker.service
[Service]
Type=notify
# No '-' prefix: a missing options file fails the unit.
EnvironmentFile=/opt/kubernetes/cfg/flanneld
# --ip-masq masquerades traffic leaving the overlay; everything else comes from FLANNEL_OPTIONS.
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
# Writes DOCKER_NETWORK_OPTIONS (bip, ip-masq, mtu) to subnet.env for docker to consume;
# the resulting file is shown at the end of 3.6.
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
3.5 docker相关配置
vim /usr/lib/systemd/system/docker.service
删除原来的ExecStart这一行,修改为以下两行(本页未列出这两行的内容)
3.6 启动服务
# Bring up the overlay first, then docker (which now reads subnet.env), then restart the
# node agents so they run on top of the new network.
systemctl daemon-reload
systemctl start flanneld
systemctl enable flanneld
systemctl start docker
for svc in kubelet kube-proxy; do
  systemctl restart "${svc}"
done
查看网段
[root@node2 ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=10.254.73.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=10.254.73.1/24 --ip-masq=false --mtu=1450"
k8s-1-13二进制安装部署
http://www.jcwit.com/article/175/