二进制安装kubernetes集群

原作者: sysit

1. 环境说明

1.1 部署拓扑

部署拓扑
本文采用外置etcd的方式部署

实际组件部署

本文中etcd集群和master集群融合部署，大集群建议单独的服务器部署etcd。

1.2 集群环境

操作系统：CentOS Linux release 7.9.2009 (Core)
版本：Kubenetes 1.20.7（生产环境建议使用小版本大于5的包，如1.20.5以上）
etcd: 3.3.11
网络方案：Calico
容器：docker-ce 19.03
插件：
- CoreDns
- Dashboard
- Metrics-Server
- EFK(ElasticSearch、Fluentd、Kibana)
镜像仓库
- harbor
ingress控制器：ingress-nginx

1.3 服务器信息

192.168.112.141 master1.sysit.cn master1
192.168.112.142 master2.sysit.cn master2
192.168.112.143 master3.sysit.cn master3
192.168.112.144 node1.sysit.cn node1
192.168.112.145 node2.sysit.cn node2
192.168.112.146 node3.sysit.cn node3

2. 环境初始化

2.1 操作系统初始化

见本站CentOS 7.3初始化

2.2 关闭swap(kubelet节点操作）

#如果开启了 swap 分区，kubelet 会启动失败(可以通过将参数 --fail-swap-on 设置为 false 来忽略 swap on)，故需要在每台机器上关闭 swap 分区：
swapoff -a && sysctl -w vm.swappiness=0
#为了防止开机自动挂载 swap 分区，可以注释 /etc/fstab 中相应的条目：
sed -i '/ swap / s/^$.*$$/#\1/g' /etc/fstab

2.3 关闭防火墙

systemctl stop firewalld
systemctl disable firewalld

2.4 关闭selinux

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

2.5 设置主机名和hosts

hostnamectl set-hostname master1.sysit.cn
cat > /etc/hosts <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.112.140 master.sysit.cn master
192.168.112.141 master1.sysit.cn master1
192.168.112.142 master2.sysit.cn master2
192.168.112.143 master3.sysit.cn master3
192.168.112.144 node1.sysit.cn node1
192.168.112.145 node2.sysit.cn node2
192.168.112.146 node3.sysit.cn node3
EOF

2.6 安装依赖包

sudo yum install -y epel-release
sudo yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp
yum install sshpass -y

2.7 用户及免密（可选）

# 免密，后续所有操作都在master1上执行，因此创建maste1到其他服务器的免密登录。
ssh-keygen -t rsa
export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
export pwd="rootpassword"
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
sshpass -p ${pwd} ssh-copy-id -o StrictHostKeyChecking=no root@${node} 2>/dev/null
done

1.2.8 设置系统参数

#将桥接的IPv4流量传递到iptables的链
cat > /etc/sysctl.d/kubernetes.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl -p /etc/sysctl.d/kubernetes.conf

2.9 升级内核

升级完内核之后重启服务器

# CentOS自带的内核版本较低，为了运行docker容器的稳定性，建议将内核版本升级。
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
# 安装完成后检查 /boot/grub2/grub.cfg 中对应内核 menuentry 中是否包含 initrd16 配置，如果没有，再安装一次！
sudo yum --enablerepo=elrepo-kernel install -y kernel-lt
# 设置开机从新内核启动
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
# 确认是否启动默认内核指向新的内核
grubby --default-kernel
# 开启user_namespace
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"

2.10 加载内核模块

cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in ${ipvs_modules}; do
/sbin/modinfo -F filename ${kernel_module} > /dev/null 2>&1
if [ $? -eq 0 ]; then
/sbin/modprobe ${kernel_module}
fi
done
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep ip_vs

2.11 关闭 NUMA

grubby --update-kernel=ALL --args="numa=off" --update-kernel="$(grubby --default-kernel)"

2.12 重启系统

# 重启加载新内核
reboot

2.13 配置时区及时间同步

配置时区

ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

安装chronyd

# 所有节点
yum install chrony -y

主时间服务器配置

# master1作为主时间服务器，其他服务器同步master1的时间，
# 配置本机时间，当外部时间无法获取的时候，采用本地时间。
cat >>/etc/chrony.conf <<'EOF'
allow 192.168.112.0/24
server 127.127.1.0
allow 127.0.0.0/8
local stratum 10
EOF
# 重启
systemctl enable chronyd
systemctl restart chronyd
# 检查
chronyc sources

其他节点作为client同步master1时间

# chrony client配置，除master1之外的所有节点
sed -i "s/server/#server/g" /etc/chrony.conf
echo "server master1 iburst" >>/etc/chrony.conf
#启动
systemctl enable chronyd
systemctl start chronyd
# 检查
chronyc sources

3. 部署高可用haproxy+keepalived

3.1 安装配置haproxy

安装

# 三个master节点安装
yum install haproxy -y

haproxy配置

grep -v ^# /etc/haproxy/haproxy.cfg
global
chroot /var/lib/haproxy
daemon
group haproxy
user haproxy
maxconn 4000
pidfile /var/run/haproxy.pid
log 127.0.0.1 local0 info
defaults
log global
maxconn 4000
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
# haproxy监控页
listen stats
bind 0.0.0.0:1080
mode http
stats enable
stats uri /
stats realm Kuberentes\ Haproxy
stats auth admin:admin
stats refresh 30s
stats show-node
stats show-legends
stats hide-version
frontend kube-api-https_frontend
bind 192.168.112.140:6443
mode tcp
default_backend kube-api-https_backend
backend kube-api-https_backend
balance roundrobin
mode tcp
stick-table type ip size 200k expire 30m
stick on src
server master1.sysit.cn 192.168.112.141:6443 maxconn 1024 cookie 1 weight 3 check inter 1500 rise 2 fall 3
server master2.sysit.cn 192.168.112.142:6443 maxconn 1024 cookie 2 weight 3 check inter 1500 rise 2 fall 3
server master3.sysit.cn 192.168.112.143:6443 maxconn 1024 cookie 3 weight 3 check inter 1500 rise 2 fall 3

haproxy配置日志

建议开启haproxy的日志功能，便于后续的问题排查！
#创建HAProxy记录日志文件并授权
mkdir /var/log/haproxy && chmod a+w /var/log/haproxy
yum install rsyslog
#在rsyslog文件下修改以下字段
vim /etc/rsyslog.conf
#启用tcp/udp模块
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#添加haproxy配置
local0.=info -/var/log/haproxy/haproxy-info.log
local0.=err -/var/log/haproxy/haproxy-err.log
local0.notice;local0.!=err -/var/log/haproxy/haproxy-notice.log
systemctl restart rsyslog

haproxy监听内核

#全部控制节点修改内核参数；
#net.ipv4.ip_nonlocal_bind：是否允许no-local ip绑定，关系到haproxy实例与vip能否绑定并切换；
#net.ipv4.ip_forward：是否允许转发
echo "net.ipv4.ip_nonlocal_bind = 1" >>/etc/sysctl.conf
echo "net.ipv4.ip_forward = 1" >>/etc/sysctl.conf
sysctl -p

haproxy启动

systemctl enable haproxy
systemctl restart haproxy

3.2 安装配置keepalived

安装配置keepalived

# 三个节点
yum install -y keepalived

keepalived配置

注意修改配置priority的值

! Configuration File for keepalived
global_defs {
notification_email {
root@localhost.local
}
notification_email_from root@localhost.local
smtp_server 192.168.112.11
smtp_connect_timeout 30
router_id Haproxy_DEVEL
}
vrrp_script chk_haproxy {
script "/etc/haproxy/chk_haproxy.sh"
interval 1
#haproxy在线,权重加2
#weight 2
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 51
# 注意修改成不同的priority值
priority 100
advert_int 1
nopreempt
authentication {
auth_type PASS
auth_pass sysit
}
virtual_ipaddress {
192.168.112.140
}
track_script {
chk_haproxy
}
}

haproxy检测脚本

cat >/etc/haproxy/chk_haproxy.sh<<'EOF'
#!/bin/bash
# check haproxy process, if there isn't any process, try to start the process once,
# check it again after 3s, if there isn't any process still, restart keepalived process, change state.
# 2017-03-22 v0.1
if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
/etc/rc.d/init.d/haproxy start
sleep 3
if [ $(ps -C haproxy --no-header | wc -l) -eq 0 ]; then
systemctl restart keepalived
fi
fi
EOF
chmod +x /etc/haproxy/chk_haproxy.sh

启动服务

systemctl enable keepalived
systemctl start keepalived

4. CA证书与秘钥

4.1 cfssl工具

本文档采用 CloudFlare 的 PKI 工具集 cfssl 来生成 Certificate Authority (CA) 证书和秘钥文件，CA 是自签名的证书，用来签名后续创建的其它 TLS证书。

# 选择任意一台服务器
mkdir -p /usr/local/cfssl/bin
cd /usr/local/cfssl/bin
curl https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl_1.5.0_linux_amd64 -o cfssl
curl https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssl-certinfo_1.5.0_linux_amd64 -o cfssl-certinfo
curl https://github.com/cloudflare/cfssl/releases/download/v1.5.0/cfssljson_1.5.0_linux_amd64 -o cfssljson
chmod +x cfssl cfssl-certinfo cfssljson
echo 'export PATH=$PATH:/usr/local/cfssl/bin' >>/etc/bashrc

4.2 CA配置文件

CA 证书是集群所有节点共享的，只需要创建一个 CA 证书，后续创建的所有证书都由它签名。
CA 配置文件用于配置根证书的使用场景 (profile) 和具体参数 (usage，过期时间、服务端认证、客户端认证、加密等)，后续在签名其它证书时需要指定特定场景。

CA配置文件

# ca-config.json：1个profiles，分别指定不同的过期时间，使用场景等参数，根据需要在不同场景使用不同的profile签名证书；这里以生成的模板为基础修改；
cd /opt/k8s/
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF

signing：表示该证书可用于签名其它证书，生成的 ca.pem 证书中 CA=TRUE；
server auth：表示 client 可以用该该证书对 server 提供的证书进行验证；
client auth：表示 server 可以用该该证书对 client 提供的证书进行验证；

CA证书签名请求

cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Sichuan",
"O": "k8s",
"OU": "System"
}
]
}
EOF

生成CA证书与秘钥

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
#简单查看
cfssl-certinfo -cert ca.pem

分发

# 将生成的CA证书，秘钥，配置文件等分发到所有机器/etc/kubernetes/cert目录下；
# ca-key.pem与ca.pem重要
export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /etc/kubernetes/cert"
scp ca*pem root@${node}:/etc/kubernetes/cert/
done

5. etcd安装

见etcd安装配置文档，注意如果单独安装的话，两个ca文件可以不同。
但是为了保持一致，建议使用同一个ca文件。
注意：为了以后扩展或服务器变更，建议预留几个IP地址。

6. 安装docker

所有节点

curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
# 修改为清华大学源，加快安装速度
sudo sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce-19.03.15 -y
# 编辑systemctl的Docker启动文件
# Docker从1.13版本开始调整了默认的防火墙规则，禁用了iptables filter表中FOWARD链，这样会引起Kubernetes集群中跨Node的Pod无法通信，因此docker安装完成后，还需要手动修改iptables规则。
sed -i "13i ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT" /usr/lib/systemd/system/docker.service
# 1.15.x以后版本添加如下
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
EOF
mkdir -p /etc/systemd/system/docker.service.d
# Restart Docker
systemctl daemon-reload
systemctl enable docker
systemctl restart docker

7. 安装二进制包

下载地址： https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md
注：下载一个server包就够了，包含了Master和Worker Node二进制文件，生产环境建议使用大于5的包，比如1.20.5以后的包。

cd /opt/k8s
wget https://dl.k8s.io/v1.20.7/kubernetes-server-linux-amd64.tar.gz
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
# master节点分发
# mkdir -p /opt/kubernetes/bin
# cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin/
export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /opt/kubernetes/bin"
scp kube-apiserver kube-scheduler kube-controller-manager root@${node}:/opt/kubernetes/bin/
done
# work节点
# cp kubelet kube-proxy /opt/kubernetes/bin/
export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /opt/kubernetes/bin"
scp kubelet kube-proxy root@${node}:/opt/kubernetes/bin/
done
# kubectl
# cp kubectl /usr/bin
for node in master1 master2 master3
do
echo ">>> ${node}"
scp kubectl root@${node}:/usr/bin/
done

8. kubectl配置

8.1 创建kubectl TLS证书与私钥

创建kubectl证书签名请求

cat > admin-csr.json <<'EOF'
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Sichuan",
"O": "system:masters",
"OU": "System"
}
]
}
EOF

生成

cfssl gencert -ca=/opt/k8s/ca.pem \
-ca-key=/opt/k8s/ca-key.pem \
-config=/opt/k8s/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
# 查看
ls
admin.csr admin-csr.json admin-key.pem admin.pem

分发key

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp admin*pem root@${node}:/etc/kubernetes/cert
done

8.2 kubectl kubeconfig文件

创建

cd /opt/k8s/
mkdir /root/.kube
KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://192.168.112.140:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials cluster-admin \
--client-certificate=./admin.pem \
--client-key=./admin-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=cluster-admin \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

分发kubeconfig文件

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p ~/.kube/"
scp kubectl.kubeconfig root@${node}:~/.kube/config
done

8.3 让kubectl 可以使用tab

yum install bash-completion -y
echo "source <(kubectl completion bash)" >> ~/.bashrc && source ~/.bashrc

9 安装配置kube-apiserver

三个master节点安装

9.1 kubernetes 证书和私钥

创建证书签名文件

cat > kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.112.140",
"192.168.112.141",
"192.168.112.142",
"192.168.112.143",
"192.168.112.200",
"10.0.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.sysit",
"kubernetes.default.svc.sysit.cn"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Sichuan",
"L": "Chengdu",
"O": "k8s",
"OU": "System"
}
]
}
EOF

上述文件hosts字段中IP为所有Master/LB/VIP IP，一个都不能少！为了方便后期扩容可以多写几个预留的IP。

hosts 字段指定授权使用该证书的 IP 或域名列表，这里列出了 VIP 、apiserver 节点 IP、kubernetes 服务 IP 和域名，为了扩展要求，建议增加IP地址备用；

域名最后字符不能是 .(如不能为 kubernetes.default.svc.sysit.cn.)，否则解析时失败，提示： x509: cannot parse dnsName "kubernetes.default.svc.sysit.cn."；

如果使用其他域名如bootgo.com，则需要修改域名列表中的最后两个域名为：kubernetes.default.svc.bootgo、kubernetes.default.svc.bootgo.com

kubernetes 服务 IP 是 apiserver 自动创建的，一般是 --service-cluster-ip-range 参数指定的网段的第一个IP，后续可以通过如下命令获取：
$ kubectl get svc kubernetes
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes 10.0.0.1 443/TCP 1d

生成证书和私钥

cfssl gencert -ca=/opt/k8s/ca.pem \
-ca-key=/opt/k8s/ca-key.pem \
-config=/opt/k8s/ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
# 查看
ls kubernetes*pem
kubernetes-key.pem kubernetes.pem

将生成的证书和私钥文件分发到 master 节点

# cp kubernetes*.pem /etc/kubernetes/ssl/
export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kubernetes*.pem root@${node}:/etc/kubernetes/ssl/
done

9.2 kube-apiserver配置文件

创建配置文件

# 注意修改bind-address和advertise-address的地址
cat > kube-apiserver.conf << 'EOF'
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes/ \
--etcd-servers=https://192.168.112.141:2379,https://192.168.112.142:2379,https://192.168.112.143:2379 \
--bind-address=#NODE_IP# \
--secure-port=6443 \
--advertise-address=#NODE_IP# \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/etc/kubernetes/conf/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem \
--kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem \
--tls-cert-file=/etc/kubernetes/cert/kubernetes.pem \
--tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem \
--client-ca-file=/etc/kubernetes/cert/ca.pem \
--service-account-key-file=/etc/kubernetes/cert/ca-key.pem \
--service-account-issuer=api \
--service-account-signing-key-file=/etc/kubernetes/cert/kubernetes-key.pem \
--etcd-cafile=/etc/etcd/cert/ca.pem \
--etcd-certfile=/etc/etcd/cert/etcd.pem \
--etcd-keyfile=/etc/etcd/cert/etcd-key.pem \
--requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \
--proxy-client-cert-file=/etc/kubernetes/cert/kubernetes.pem \
--proxy-client-key-file=/etc/kubernetes/cert/kubernetes-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kubernetes/k8s-audit.log"
EOF

–logtostderr：启用日志
—v：日志等级
–log-dir：日志目录
–etcd-servers：etcd集群地址
–bind-address：监听地址
–secure-port：https安全端口
–advertise-address：集群通告地址
–allow-privileged：启用授权
–service-cluster-ip-range：Service虚拟IP地址段
–enable-admission-plugins：准入控制模块
–authorization-mode：认证授权，启用RBAC授权和节点自管理
–enable-bootstrap-token-auth：启用TLS bootstrap机制
–token-auth-file：bootstrap token文件
–service-node-port-range：Service nodeport类型默认分配端口范围
–kubelet-client-xxx：apiserver访问kubelet客户端证书
–tls-xxx-file：apiserver https证书
1.20版本必须加的参数：–service-account-issuer，–service-account-signing-key-file
–etcd-xxxfile：连接Etcd集群证书
–audit-log-xxx：审计日志启动聚合层相关配置：–requestheader-client-ca-file，–proxy-client-cert-file，–proxy-client-key-file，
–requestheader-allowed-names，–requestheader-extra-headers-prefix，–requestheader-group-headers，
–requestheader-username-headers，–enable-aggregator-routing

分发配置文件

# mkdir -p /etc/kubernetes/conf && mkdir /var/log/kubernetes
# cp kube-apiserver.conf /etc/kubernetes/conf/
for ip in 192.168.112.{141,142,143}
do
echo ">>> ${ip}"
ssh root@${ip} "mkdir -p /etc/kubernetes/conf && mkdir /var/log/kubernetes"
scp kube-apiserver.conf root@${ip}:/etc/kubernetes/conf/kube-apiserver.conf
ssh root@${ip} "sed -i 's/#NODE_IP#/${ip}/g' /etc/kubernetes/conf/kube-apiserver.conf"
done

9.3 启用TLS Bootstrapping机制

TLS Bootstraping：Master
apiserver启用TLS认证后，Node节点kubelet和kube-proxy要与kube-apiserver进行通信，
必须使用CA签发的有效证书才可以，当Node节点很多时，这种客户端证书颁发需要大量工作，同样也会增加集群扩展复杂度。
为了简化流程，Kubernetes引入了TLS
bootstraping机制来自动颁发客户端证书，kubelet会以一个低权限用户自动向apiserver申请证书，
kubelet的证书由apiserver动态签署。所以强烈建议在Node上使用这种方式，目前主要用于kubelet，kube-proxy还是由我们统一颁发一个证书。

生成token.csv

cat > /etc/kubernetes/conf/token.csv << EOF
$(head -c 16 /dev/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

分发token.csv

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp token.csv root@${node}:/etc/kubernetes/conf/
done

9.4 kube-apiserver systemd unit文件

创建文件

cat > kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/conf/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

分发文件

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-apiserver.service root@${node}:/usr/lib/systemd/system/kube-apiserver.service
done

9.5 启动

# systemctl daemon-reload
# systemctl enable kube-apiserver
# systemctl restart kube-apiserver
export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "/var/log/kubernetes/kube-apiserver"
ssh root@${node} "systemctl daemon-reload && systemctl enable kube-apiserver && systemctl restart kube-apiserver"
done

9.6 检查启动结果

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "systemctl status kube-apiserver|grep Active"
done

9.7 查看kube-apiserver写入etcd的数据

ETCDCTL_API=3 etcdctl \
--endpoints=https://192.168.112.141:2379,https://192.168.112.142:2379,https://192.168.112.143:2379 \
--cacert=/etc/etcd/cert/ca.pem \
--cert=/etc/etcd/cert/etcd.pem \
--key=/etc/etcd/cert/etcd-key.pem \
get /registry/ --prefix --keys-only

10 部署kube-controller-manager

该集群包含 3 个节点，启动后将通过竞争选举机制产生一个 leader 节点，其它节点为阻塞状态。当 leader 节点不可用后，剩余节点将再次进行选举产生新的 leader 节点，从而保证服务的可用性。

10.1 创建 kube-controller-manager 证书和私钥

创建证书签名请求

cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Sichuan",
"O": "system:masters",
"OU": "System"
}
]
}
EOF

生成证书和私钥：

cfssl gencert -ca=/opt/k8s/ca.pem \
-ca-key=/opt/k8s/ca-key.pem \
-config=/opt/k8s/ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

将生成的证书和私钥分发到所有 master 节点

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-controller-manager*.pem root@${node}:/etc/kubernetes/cert/
done

10.2 kubeconfig文件

kubeconfig 文件包含访问 apiserver 的所有信息，如 apiserver 地址、CA 证书和自身使用的证书；

生成kubeconfig文件

# --server：指定api-server，采用ha之后的vip；
# cluster名自定义，设定之后需保持一致；
# --kubeconfig：指定kubeconfig文件路径与文件名；如果不设置，默认生成在~/.kube/config文件
#生成kubeconfig文件（以下是shell命令，直接在终端执行）：
KUBE_CONFIG="kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.112.140:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-controller-manager \
--client-certificate=./kube-controller-manager.pem \
--client-key=./kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-controller-manager \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

分发kubeconfig文件

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-controller-manager.kubeconfig root@${node}:/etc/kubernetes/conf/
done

10.3 kube-controller-manager 配置文件

创建配置文件

cat > kube-controller-manager.conf << 'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes/kube-controller-manager/ \\
--leader-elect=true \\
--kubeconfig=/opt/kubernetes/conf/kube-controller-manager.kubeconfig \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/cert/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/cert/ca-key.pem \
--root-ca-file=/opt/kubernetes/cert/ca.pem \
--service-account-private-key-file=/opt/kubernetes/cert/ca-key.pem \
--cluster-signing-duration=87600h0m0s"
EOF

–kubeconfig：连接apiserver配置文件
–leader-elect：当该组件启动多个时，自动选举（HA）
–cluster-signing-cert-file/–cluster-signing-key-file：自动为kubelet颁发证书的CA，与apiserver保持一致

分发配置文件

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-controller-manager.conf root@${node}:/etc/kubernetes/conf/kube-controller-manager.conf
done

10.4 kube-controller-manager systemd unit 文件

创建

cat > kube-controller-manager.service << 'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/conf/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

分发

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-controller-manager.service root@${node}:/usr/lib/systemd/system/kube-controller-manager.service
done

10.5 启动 kube-controller-manager 服务

# systemctl daemon-reload
# systemctl enable kube-controller-manager
# systemctl restart kube-controller-manager
export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "/var/log/kubernetes/kube-controller-manager"
ssh root@${node} "systemctl daemon-reload && systemctl enable kube-controller-manager && systemctl restart kube-controller-manager"
done

10.6 检查启动结果

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "systemctl status kube-controller-manager|grep Active"
done

10.7 测试 kube-controller-manager 集群的高可用

停掉一个或两个节点的 kube-controller-manager 服务，观察其它节点的日志，看是否获取了 leader 权限。

11. kube-scheduler安装

11.1 创建 kube-scheduler 证书和私钥

创建证书签名文件

cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Sichuan",
"L": "Chengdu",
"O": "system:kube-scheduler",
"OU": "System"
}
]
}
EOF

生成证书和私钥

cfssl gencert -ca=/opt/k8s/ca.pem \
-ca-key=/opt/k8s/ca-key.pem \
-config=/opt/k8s/ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

11.2 kubeconfig 文件

创建

#生成kubeconfig文件（以下是shell命令，直接在终端执行）：
KUBE_CONFIG="kube-scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.112.140:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-scheduler \
--client-certificate=./kube-scheduler.pem \
--client-key=./kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-scheduler \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

分发

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-scheduler.kubeconfig root@${node}:/etc/kubernetes/conf/
done

11.3 kube-scheduler配置文件

创建配置文件

cat > kube-scheduler.conf << 'EOF'
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes/kube-scheduler/ \
--leader-elect \
--kubeconfig=/etc/kubernetes/conf/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
EOF

分发配置文件

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-scheduler.conf root@${node}:/etc/kubernetes/conf/kube-scheduler.conf
done

11.4 kube-scheduler systemd unit 文件

创建

cat > kube-scheduler.service <<'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/conf/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF

分发

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
scp kube-scheduler.service root@${node}:/usr/lib/systemd/system/kube-scheduler.service
done

11.5 启动 kube-scheduler 服务

# systemctl daemon-reload
# systemctl enable kube-scheduler
# systemctl restart kube-scheduler
export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /var/log/kubernetes/kube-scheduler"
ssh root@${node} "systemctl daemon-reload && systemctl enable kube-scheduler && systemctl restart kube-scheduler"
done

11.6 检查启动结果

export MASTER_NAMES=(master1 master2 master3)
for node in ${MASTER_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "systemctl status kube-scheduler|grep Active"
done

12. kubelet安装

kublet 运行在每个 worker 节点上（生产环境可能需要在master节点上也运行），接收 kube-apiserver 发送的请求，管理 Pod 容器，执行交互式命令，如 exec、run、logs 等。

kublet 启动时自动向 kube-apiserver 注册节点信息，为确保安全，本文档只开启接收 https 请求的安全端口，对请求进行认证和授权，拒绝未授权的访问(如 apiserver、heapster)。

12.1 kubelet bootstrap kubeconfig 文件

创建

KUBE_CONFIG="kubelet-bootstrap.kubeconfig"
KUBE_APISERVER="https://192.168.112.140:6443"
BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/conf/token.csv)
#生成 kubelet bootstrap kubeconfig 配置文件
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials "kubelet-bootstrap" \
--token=${TOKEN} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

证书中写入 Token 而非证书，证书后续由 controller-manager 创建。

分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kubelet-bootstrap.kubeconfig root@${node}:/etc/kubernetes/conf/kubelet-bootstrap.kubeconfig
done

12.2 参数配置文件

创建

cat > kubelet-config.yaml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS: ["10.0.0.2"]
clusterDomain: "sysit.cn"
failSwapOn: false
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/cert/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF

有人说clusterDomain 后应该有一个“.”，如“sysit.cn.”，待验证。
cgroupDriver 如果docker的驱动为systemd，cgroupDriver修改为systemd。此处设置很重要，否则后面node节点无法加入到集群
分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kubelet-config.yaml root@${node}:/etc/kubernetes/conf/kubelet-config.yaml
done

12.3 kubelet配置文件

创建

cat > kubelet.conf << 'EOF'
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/var/log/kubernetes/kubelet/ \
--hostname-override=#NODE_NAME# \
--network-plugin=cni \
--kubeconfig=/etc/kubernetes/conf/kubelet.kubeconfig \
--bootstrap-kubeconfig=/etc/kubernetes/conf/bootstrap.kubeconfig \
--config=/etc/kubernetes/conf/kubelet-config.yaml \
--cert-dir=/etc/kubernetes/cert \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF

–hostname-override：显示名称，集群中唯一
–network-plugin：启用CNI
–kubeconfig：空路径，会自动生成，后面用于连接apiserver
–bootstrap-kubeconfig：首次启动向apiserver申请证书
–config：配置参数文件
–cert-dir：kubelet证书生成目录
–pod-infra-container-image：管理Pod网络容器的镜像

分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /etc/kubernetes/conf"
scp kubelet.conf root@${node}:/etc/kubernetes/conf/kubelet.conf
ssh root@${node} "sed -i 's/#NODE_NAME#/${node}.sysit.cn/g' /etc/kubernetes/conf/kubelet.conf"
done

12.4 kubelet systemd unit 文件

创建

cat > kubelet.service <<'EOF'
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/etc/kubernetes/conf/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kubelet.service root@${node}:/usr/lib/systemd/system/kubelet.service
done

12.5 启动

# systemctl daemon-reload
# systemctl start kubelet
# systemctl enable kubelet
export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /var/lib/kubelet && mkdir -p /var/log/kubernetes/kubelet"
ssh root@${node} "systemctl daemon-reload && systemctl enable kubelet && systemctl restart kubelet"
done

12.6 检查启动结果

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "systemctl status kubelet|grep Active"
done

12.7 批准kubelet证书申请并加入集群

查看CSR请求
确认kubelet服务启动成功后，接着到master上Approve一下bootstrap请求。执行如下命令可以看到 CSR 请求：

kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A 6m3s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending

批准申请

kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A

查看节点

NAME STATUS ROLES AGE VERSION
master1.sysit.cn NotReady <none> 15s v1.20.7
master2.sysit.cn NotReady <none> 15s v1.20.7
master3.sysit.cn NotReady <none> 15s v1.20.7
node1.sysit.cn NotReady <none> 15s v1.20.7
node2.sysit.cn NotReady <none> 15s v1.20.7
node3.sysit.cn NotReady <none> 15s v1.20.7

此时还没有安装网络插件，安装网络插件之后，状态会变成Ready。

12.8 授权apiserver访问kubelet

#应用场景：例如kubectl logs
cat > apiserver-to-kubelet-rbac.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
- pods/log
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
kubectl apply -f apiserver-to-kubelet-rbac.yaml

13 部署kube-proxy

13.1 生成kube-proxy证书：

创建证书请求文件

cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Chengdu",
"ST": "Sichuan",
"O": "k8s",
"OU": "System"
}
]
}
EOF

生成证书

cfssl gencert -ca=/opt/k8s/ca.pem \
-ca-key=/opt/k8s/ca-key.pem \
-config=/opt/k8s/ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

13.2 kubeconfig文件

创建

KUBE_CONFIG="kube-proxy.kubeconfig"
KUBE_APISERVER="https://192.168.112.140:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-proxy \
--client-certificate=./kube-proxy.pem \
--client-key=./kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}

分发 kubeconfig 文件

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kube-proxy.kubeconfig root@${node}:/etc/kubernetes/conf/
done

13.3 kube-proxy参数文件

创建

cat >kube-proxy-config.yaml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
kubeconfig: /etc/kubernetes/conf/kube-proxy.kubeconfig
hostnameOverride: #NODE_NAME#
clusterCIDR: 10.0.0.0/24
mode: "ipvs"
EOF

分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kube-proxy-config.yaml root@${node}:/etc/kubernetes/conf/kube-proxy-config.yaml
ssh root@${node} "sed -i 's/#NODE_NAME#/${node}.sysit.cn/g' /etc/kubernetes/conf/kube-proxy-config.yaml"
done

13.4 kube-proxy 配置文件

创建

cat > kube-proxy.conf <<'EOF'
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/var/log/kubernetes/kube-proxy/ \\
--config=/etc/kubernetes/conf/kube-proxy-config.yaml"
EOF

分发

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kube-proxy.conf root@${node}:/etc/kubernetes/conf/kube-proxy.conf
done

13.5 kube-proxy systemd unit文件

创建

cat > kube-proxy.service <<'EOF'
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/etc/kubernetes/conf/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

分发kube-proxy systemd unit文件

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
scp kube-proxy.service root@${node}:/usr/lib/systemd/system/kube-proxy.service
done

13.6 启动

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "mkdir -p /var/lib/kube-proxy && mkdir -p /var/log/kubernetes/kube-proxy"
ssh root@${node} "systemctl daemon-reload && systemctl enable kube-proxy && systemctl restart kube-proxy"
done

13.7 检查启动结果

export NODE_NAMES=(master1 master2 master3 node1 node2 node3)
for node in ${NODE_NAMES[@]}
do
echo ">>> ${node}"
ssh root@${node} "systemctl status kube-proxy|grep Active"
done

14. 部署网络插件calico

这里配置calico作为网络插件，参考文档：https://docs.projectcalico.org/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico-on-nodes

配置文件
注意修改calico.yaml文件中的子网信息与config文件中的podSubnet相匹配，本文中是10.244.0.0/16

wget https://docs.projectcalico.org/manifests/calico.yaml
cp calico.yaml{,.ori}
[root@master1 k8s]# diff calico.yaml calico.yaml.ori
3683,3684c3683,3684
< - name: CALICO_IPV4POOL_CIDR
< value: "10.244.0.0/16"
---
> # - name: CALICO_IPV4POOL_CIDR
> # value: "192.168.0.0/16"

应用

kubectl apply -f calico.yaml

查看节点

[root@master1 k8s]# kubectl get node
NAME STATUS ROLES AGE VERSION
master1.sysit.cn Ready <none> 1h v1.20.7
master2.sysit.cn Ready <none> 1h v1.20.7
master3.sysit.cn Ready <none> 1h v1.20.7
node1.sysit.cn Ready <none> 1h v1.20.7
node2.sysit.cn Ready <none> 1h v1.20.7
node3.sysit.cn Ready <none> 1h v1.20.7

15 部署coreDNS

部署

wget https://github.com/coredns/deployment/archive/refs/tags/coredns-1.14.0.tar.gz
tar -zxvf deployment-coredns-1.14.0.tar.gz
cd deployment-coredns-1.14.0/kubernetes/
export CLUSTER_DNS_SVC_IP="10.0.0.2"
export CLUSTER_DNS_DOMAIN="sysit.cn"
./deploy.sh -i ${CLUSTER_DNS_SVC_IP} -d ${CLUSTER_DNS_DOMAIN} | kubectl apply -f -

检查

kubectl run -it --rm dns-test --image=busybox:1.28.4 sh
/ # nslookup kubernetes
Server: 10.0.0.2
Address 1: 10.0.0.2 kube-dns.kube-system.svc.sysit.cn
Name: kubernetes
Address 1: 10.0.0.1 kubernetes.default.svc.sysit.cn

16. dashboard和metrics

详见本站kubernetes dashboard安装及addons安装

参考文章: https://blog.51cto.com/lizhenliang/2717923

posted @ 2021-12-03 10:02 JV_GGG 阅读(263) 评论(0) 收藏举报

刷新页面返回顶部