Building a K8S Cluster from Binaries, Part 1: Cluster Introduction and Etcd Cluster Setup

Environment requirements:

1. Three virtual machines running CentOS x86_64

2. Hardware: at least 2 GB of RAM and at least 30 GB of disk; the swap partition must be disabled

3. All containers in the cluster must be able to reach each other over the network

Single-master server plan:

Role         IP              Components
k8s-master   192.168.1.206   kube-apiserver, kube-controller-manager, kube-scheduler, etcd
k8s1         192.168.1.207   kubelet, kube-proxy, docker, etcd
k8s2         192.168.1.208   kubelet, kube-proxy, docker, etcd


1. Initialization:

Set the hostname: [root@localhost ~]# hostnamectl set-hostname k8s-master

Stop the firewall: [root@k8s-master ~]# systemctl stop firewalld

                   [root@k8s-master ~]# systemctl disable firewalld

Disable SELinux: [root@k8s-master ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config   ## permanent

                 [root@k8s-master ~]# setenforce 0             ## temporary

Disable swap: [root@k8s-master ~]# swapoff -a    ## temporary; check /etc/fstab to see whether a swap entry is configured

              [root@k8s-master ~]# sed -ri 's/.*swap.*/#&/' /etc/fstab   ## permanent

Add name resolution to the hosts file: [root@k8s-master ~]# cat /etc/hosts

192.168.1.206 k8s-master
192.168.1.207 k8s1
192.168.1.208 k8s2

Pass bridged IPv4 traffic to the iptables chains: [root@k8s-master ~]# cat /etc/sysctl.d/k8s.conf

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
[root@k8s-master ~]# sysctl --system
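A preflight check for the initialization steps above, added here as an example and not part of the original post. The check functions take file contents as arguments so they can be tried on constructed text; check_node (a hypothetical name) reads the live files on a node.

```shell
# Added example, not from the original post: verify that the initialization steps
# above took effect before installing etcd. Each check takes file content as an
# argument so it can be tried on constructed text; check_node (hypothetical name)
# reads the live files on the node.

# Returns 0 when no active (uncommented) swap entry remains in the given fstab content.
fstab_swap_disabled() {
  if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'swap'; then
    return 1
  fi
  return 0
}

# Returns 0 when the given /etc/selinux/config content sets SELINUX=disabled.
selinux_config_disabled() {
  printf '%s\n' "$1" | grep -q '^SELINUX=disabled'
}

# Returns 0 when the given sysctl fragment enables both bridge-nf-call keys.
bridge_nf_enabled() {
  printf '%s\n' "$1" | grep -q '^net\.bridge\.bridge-nf-call-iptables *= *1' &&
    printf '%s\n' "$1" | grep -q '^net\.bridge\.bridge-nf-call-ip6tables *= *1'
}

# Returns 0 when no swap device is active right now (swapoff -a was run).
swap_inactive_now() {
  # /proc/swaps has a header line; any further line means swap is still in use.
  [ "$(wc -l < /proc/swaps)" -le 1 ]
}

# Run every check on the live node; prints one line per check, returns non-zero on failure.
check_node() {
  rc=0
  fstab_swap_disabled "$(cat /etc/fstab)" && echo "fstab swap: ok" || { echo "fstab swap: still enabled"; rc=1; }
  swap_inactive_now && echo "active swap: none" || { echo "active swap: still on"; rc=1; }
  selinux_config_disabled "$(cat /etc/selinux/config)" && echo "selinux: disabled" || { echo "selinux: not disabled"; rc=1; }
  bridge_nf_enabled "$(cat /etc/sysctl.d/k8s.conf)" && echo "bridge-nf: ok" || { echo "bridge-nf: not set"; rc=1; }
  return $rc
}
# Run check_node on each of k8s-master, k8s1 and k8s2 after the steps above.
```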

2. Etcd cluster setup

      Etcd is a distributed key-value store. Kubernetes uses Etcd for data storage, so an Etcd database must be prepared. To avoid a single point of failure it is deployed as a cluster: a 3-node cluster tolerates the failure of one node, and a 5-node cluster tolerates the failure of two.

      To save machines, the Etcd cluster shares hosts with the k8s nodes. Etcd can also run outside the k8s cluster, as long as the apiserver can reach it.

Working principle diagram: [figure omitted]

Etcd cluster plan:

Node name   IP
etcd-1      192.168.1.206
etcd-2      192.168.1.207
etcd-3      192.168.1.208


2.1 cfssl certificates

        cfssl is an open-source certificate management tool that generates certificates from JSON files and is easier to use than openssl. Run the following on k8s-master:

[root@k8s-master data]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64

[root@k8s-master data]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

[root@k8s-master data]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

[root@k8s-master data]# chmod +x cfssl*       ## add execute permission to the three files

[root@k8s-master data]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@k8s-master data]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@k8s-master data]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

Create the working directories:

[root@k8s-master data]# mkdir -p ~/TLS/{etcd,k8s}

Self-signed CA: [root@k8s-master etcd]# cat ca-config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}

[root@k8s-master etcd]# cat ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}

Generate the CA certificate: [root@k8s-master etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

 

Use the self-signed CA to issue the Etcd HTTPS certificate. If you plan to expand the Etcd cluster later, reserve a few extra IPs in the hosts list:

[root@k8s-master etcd]# cat server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.1.206",
    "192.168.1.207",
    "192.168.1.208"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}

2.2 Etcd cluster:

[root@k8s-master opt]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz

[root@k8s-master opt]# tar zxvf etcd-v3.4.9-linux-amd64.tar.gz    ## unpack the downloaded archive

[root@k8s-master opt]# mkdir etcd/{bin,cfg,ssl} -p

[root@k8s-master opt]# mv etcd-v3.4.9-linux-amd64/etcd /opt/etcd/bin/
[root@k8s-master opt]# mv etcd-v3.4.9-linux-amd64/etcdctl /opt/etcd/bin/

[root@k8s-master opt]# vim /opt/etcd/cfg/etcd.conf

#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.206:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.206:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.206:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.206:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.206:2380,etcd-2=https://192.168.1.207:2380,etcd-3=https://192.168.1.208:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

Explanation of each setting:

  • ETCD_NAME: node name, unique within the cluster

  • ETCD_DATA_DIR: data directory

  • ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) communication

  • ETCD_LISTEN_CLIENT_URLS: listen address for client access

  • ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster

  • ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients

  • ETCD_INITIAL_CLUSTER: addresses of all cluster members

  • ETCD_INITIAL_CLUSTER_TOKEN: cluster token

  • ETCD_INITIAL_CLUSTER_STATE: state when joining the cluster; new for a new cluster, existing to join an existing cluster

Configure the systemd service so it starts at boot:

[root@k8s-master opt]# vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

[root@k8s-master etcd]# cp *.pem /opt/etcd/ssl/

Likewise copy the Etcd files to the other hosts:

[root@k8s-master opt]# scp -r /opt/etcd 192.168.1.207:/opt
[root@k8s-master opt]# scp -r /opt/etcd 192.168.1.208:/opt
[root@k8s-master opt]# scp -r /usr/lib/systemd/system/etcd.service 192.168.1.208:/usr/lib/systemd/system/
[root@k8s-master opt]# scp -r /usr/lib/systemd/system/etcd.service 192.168.1.207:/usr/lib/systemd/system/

Note: remember to edit the etcd configuration file on the etcd-2 and etcd-3 hosts. The values to change are those marked in red in the original: ETCD_NAME, and the node's own IP in the LISTEN and ADVERTISE URL lines.
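A helper for the per-node edits just described and for the server-csr.json hosts list from section 2.1, added here as an example and not part of the original post. It assumes the three nodes of the plan above; SERVER_CSR is a constructed copy of the CSR (the real file lives in ~/TLS/etcd/) and the function names are hypothetical.

```shell
# Added example, not from the original post: render /opt/etcd/cfg/etcd.conf for every
# member of the planned cluster, and confirm each member IP is in the "hosts" list of
# server-csr.json (a missing IP makes TLS verification between members fail).
# Assumes the three nodes of the post; SERVER_CSR is a constructed copy of the CSR.

MEMBERS="etcd-1=192.168.1.206 etcd-2=192.168.1.207 etcd-3=192.168.1.208"
SERVER_CSR='{"CN":"etcd","hosts":["192.168.1.206","192.168.1.207","192.168.1.208"]}'

# Build the ETCD_INITIAL_CLUSTER value, which is identical on every member.
initial_cluster() {
  out=""
  for m in $MEMBERS; do
    out="${out:+$out,}${m%=*}=https://${m#*=}:2380"
  done
  printf '%s' "$out"
}

# Print the etcd.conf of one member: $1 = ETCD_NAME, $2 = that member's own IP.
render_etcd_conf() {
  cat <<EOF
#[Member]
ETCD_NAME="$1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$2:2380"
ETCD_LISTEN_CLIENT_URLS="https://$2:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$2:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$2:2379"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# Return 0 when every member IP appears in the CSR hosts (the certificate SANs).
check_csr_hosts() {
  for m in $MEMBERS; do
    ip=${m#*=}
    printf '%s' "$SERVER_CSR" | grep -qF -- "\"$ip\"" || { echo "not in server-csr.json hosts: $ip" >&2; return 1; }
  done
  return 0
}

# Usage on k8s-master: one file per node, to be copied to that node's /opt/etcd/cfg/etcd.conf.
for m in $MEMBERS; do
  render_etcd_conf "${m%=*}" "${m#*=}" > "${TMPDIR:-/tmp}/etcd.conf.${m%=*}"
done
check_csr_hosts && echo "server-csr.json covers all member IPs"
```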

Run the following on all three hosts:

[root@k8s-master ~]# systemctl daemon-reload   ## reload the unit configuration

[root@k8s-master ~]# systemctl start etcd

[root@k8s-master ~]# systemctl enable etcd

Check the cluster health; when every endpoint reports healthy (shown as a screenshot in the original), the Etcd cluster has been deployed successfully:

[root@k8s-master ~]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.1.206:2379,https://192.168.1.207:2379,https://192.168.1.208:2379" endpoint health

posted @ 2020-07-22 16:36 树运维