kubernetes集群环境搭建(1)

kubernetes集群环境搭建

一、kubernetes集群环境搭建

1.1.1 集群环境准备

  1. 系统环境
[root@db01 ~]# cat /etc/redhat-release 
CentOS Linux release 7.7.1908 (Core)
[root@db01 ~]# uname -ar
Linux db01 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  1. 虚拟主机准备
IP地址 主机名
10.0.0.11 hdss-11.host.com
10.0.0.12 hdss-12.host.com
10.0.0.21 hdss-21.host.com
10.0.0.22 hdss-22.host.com
10.0.0.201 hdss-201.host.com
  1. 检查是否关闭selinux和firewall防护墙
[root@hdss-11.host.com ~]#  getenforce 
Disabled
[root@hdds-12.host.com ~]#  getenforce 
Disabled
[root@hdss-21.host.com ~]#  getenforce 
Disabled
[root@hdss-22.host.com ~]#  getenforce 
Disabled
[root@hdss-201.host.com ~]#  getenforce 
Disabled

[root@hdss-11.host.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@hdds-12.host.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@hdss-21.host.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@hdss-22.host.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@hdss-201.host.com ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
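# Run these only on hosts where SELinux or firewalld is still enabled.
# Persistently disable SELinux. The original expression lacked the leading
# 's' (substitute) command, so sed rejected it; it also only takes effect after
# a reboot. Note: SELINUX=permissive would keep audit logging while not
# blocking anything, which is the less drastic option for a lab host.
sed -i 's#SELINUX=enforcing#SELINUX=disabled#' /etc/selinux/config
# Stop firewalld now and keep it from starting on the next boot.
systemctl stop firewalld
systemctl disable firewalld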
  1. 安装epel源
#更换国内源之后安装要快些
yum install -y epel-release
  1. 每个节点都安装常用工具
[root@hdss-11.host.com ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils 
Loaded plugins: fastestmirror

[root@hdds-12.host.com ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils 
Loaded plugins: fastestmirror

[root@hdss-21.host.com ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils 
Loaded plugins: fastestmirror

[root@hdss-22.host.com ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils 
Loaded plugins: fastestmirror

[root@hdss-201.host.com ~]# yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils 
Loaded plugins: fastestmirror

二、安装bind9 DNS服务

2.1.1 安装bind服务

  1. 在hdss-11.host.com上安装bind(dns)
[root@hdss-11.host.com ~]# yum install bind -y

#配置主配置文件
[root@hdss7-11 ~]# vi /etc/named.conf			# BIND进程的工作属性,区域的定义
13         listen-on port 53 { 10.0.0.11; };	# 监听本机IP
14         listen-on-v6 port 53 { ::1; };		# 删除,不监听IPV6
20         allow-query     { any; };			# 允许所有主机查询;与下面的 recursion yes 组合后本机即成为开放递归解析器,生产环境应用 allow-query/allow-recursion 限制为内网网段
21         forwarders      { 10.0.0.254; };		# 办公网上一级的DNS 这一行需要手动添加
33         recursion yes;				# dns采用递归的查询
35         dnssec-enable no;				# 关闭,节省资源(生产可能不需要关闭)
36         dnssec-validation no;			# 关闭,节省资源,不做互联网认证

# 检查配置文件是否有报错
[root@hdss-11.host.com ~]# named-checkconf 
  1. 配置DNS区域配置文件
[root@hdss-11.host.com ~]# vim /etc/named.rfc1912.zones 
#配置如下
zone "host.com" IN {                     #定义域
        type master;
        file "host.com.zone";            #域数据库文件名
        allow-update { none; };
};

zone "od.com" IN {
        type master;
        file "od.com.zone";
        allow-update { none; };
};
  1. 配置区域数据库文件
[root@hdss-11.host.com ~]# cd /var/named/
[root@hdss-11.host.com /var/named]# cp named.localhost host.com.zone
[root@hdss-11.host.com /var/named]# cp named.localhost od.com.zone
[root@hdss-11.host.com /var/named]# vim host.com.zone 

$ORIGIN host.com.
$TTL 600	; 10 minutes						# 记录的默认缓存时间(TTL),这里为10分钟
@       IN SOA	dns.host.com. dnsadmin.host.com. (			# 区域授权文件的开始,SOA记录,dnsadmin.host.com为管理员邮箱
				202061001 ; serial			# 安装的当天时间+序号
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS   dns.host.com.				# NS记录
$TTL 60	; 1 minute
dns                A    10.0.0.11					# A记录
HDSS-11           A    10.0.0.11
HDSS-12           A    10.0.0.12
HDSS-21           A    10.0.0.21
HDSS-22           A    10.0.0.22
HDSS-201          A    10.0.0.201

[root@hdss-11.host.com /var/named]# cat  od.com.zone 
$ORIGIN od.com.
$TTL 600	; 10 minutes
@   		IN SOA	dns.od.com. dnsadmin.od.com. (
				202061001 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
				NS   dns.od.com.
$TTL 60	; 1 minute
dns                A    10.0.0.11

#检查文件是否配置成功
#named-checkzone [选项] [区域名] [区域数据库文件名]
[root@hdss-11.host.com /var/named]# named-checkzone host.com host.com.zone 
zone host.com/IN: loaded serial 202061001
OK
[root@hdss-11.host.com /var/named]# named-checkzone od.com od.com.zone 
zone od.com/IN: loaded serial 202061001
OK

  1. 更改文件的属组,权限(否则无法解析)
[root@hdss-11.host.com /var/named]# chown root:named /var/named/host.com.zone
[root@hdss-11.host.com /var/named]# chown root:named /var/named/od.com.zone 
[root@hdss-11.host.com /var/named]# chmod 640 /var/named/host.com.zone 
[root@hdss-11.host.com /var/named]# chmod 640 /var/named/od.com.zone 
[root@hdss-11.host.com /var/named]# systemctl restart named
[root@hdss-11.host.com /var/named]# ll /var/named/od.com.zone 
-rw-r----- 1 root named 322 Jun 10 01:42 /var/named/od.com.zone
[root@hdss-11.host.com /var/named]# ll /var/named/host.com.zone 
-rw-r----- 1 root named 520 Jun 10 02:01 /var/named/host.com.zone
  1. 启动DNS服务
[root@hdss-11.host.com ~]# systemctl start named
[root@hdss-11.host.com ~]# systemctl status named
[root@hdss-11.host.com ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@hdss-11.host.com ~]# netstat -luntp|grep 53
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      18588/named         
tcp        0      0 10.0.0.11:53            0.0.0.0:*               LISTEN      18588/named         
tcp6       0      0 ::1:953                 :::*                    LISTEN      18588/named         
tcp6       0      0 ::1:53                  :::*                    LISTEN      18588/named         
udp        0      0 10.0.0.11:53            0.0.0.0:*                           18588/named         
udp6       0      0 ::1:53                  :::*                                18588/named  
  1. 使用dig测试解析
[root@hdss-11.host.com /var/named]# dig -t A hdss-201.host.com @10.0.0.11 +short
10.0.0.201
[root@hdss-11.host.com /var/named]# dig -t A hdss-22.host.com @10.0.0.11 +short
10.0.0.22
[root@hdss-11.host.com /var/named]# dig -t A hdss-21.host.com @10.0.0.11 +short
10.0.0.21
[root@hdss-11.host.com /var/named]# dig -t A hdss-12.host.com @10.0.0.11 +short
10.0.0.12
  1. 配置DNS客户端(所有主机都要配置)
[root@hdss-11.host.com ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 
DNS1=10.0.0.11 #添加这么行
#DNS2=8.8.8.8  #注释掉
#DNS3=114.114.114.114 #注释掉
[root@hdss-11.host.com ~]# systemctl restart network
[root@hdss-11.host.com ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.0.11

#检测是否能上外网和ping通其它主机
[root@hdss-11.host.com ~]# ping -c 2 www.baidu.com
PING www.a.shifen.com (112.80.248.75) 56(84) bytes of data.
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=1 ttl=128 time=45.1 ms
64 bytes from 112.80.248.75 (112.80.248.75): icmp_seq=2 ttl=128 time=42.3 ms

--- www.a.shifen.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 42.319/43.712/45.105/1.393 ms

[root@hdss-11.host.com ~]# ping -c 2 hdss-201.host.com
PING HDSS-201.host.com (10.0.0.201) 56(84) bytes of data.
64 bytes from 10.0.0.201 (10.0.0.201): icmp_seq=1 ttl=64 time=0.937 ms
64 bytes from 10.0.0.201 (10.0.0.201): icmp_seq=2 ttl=64 time=0.274 ms

--- HDSS-201.host.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.274/0.605/0.937/0.332 ms
[root@hdss-11.host.com ~]# ping -c 2 hdss-21.host.com
PING HDSS-21.host.com (10.0.0.21) 56(84) bytes of data.
64 bytes from 10.0.0.21 (10.0.0.21): icmp_seq=1 ttl=64 time=0.959 ms
64 bytes from 10.0.0.21 (10.0.0.21): icmp_seq=2 ttl=64 time=1.38 ms

--- HDSS-21.host.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.959/1.169/1.380/0.213 ms
  1. 添加主机域search host.com使用短域名(所有主机都要配置)
[root@hdss-11.host.com ~]# vim /etc/resolv.conf
search host.com
[root@hdss-11.host.com ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.0.0.11

[root@hdss-11.host.com ~]# ping -c 2 hdss-21
PING HDSS-21.host.com (10.0.0.21) 56(84) bytes of data.
64 bytes from 10.0.0.21 (10.0.0.21): icmp_seq=1 ttl=64 time=0.258 ms
64 bytes from 10.0.0.21 (10.0.0.21): icmp_seq=2 ttl=64 time=0.315 ms

--- HDSS-21.host.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.258/0.286/0.315/0.033 ms
[root@hdss-11.host.com ~]# ping -c 2 hdss-22
PING HDSS-22.host.com (10.0.0.22) 56(84) bytes of data.
64 bytes from 10.0.0.22 (10.0.0.22): icmp_seq=1 ttl=64 time=0.744 ms
64 bytes from 10.0.0.22 (10.0.0.22): icmp_seq=2 ttl=64 time=0.321 ms

--- HDSS-22.host.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.321/0.532/0.744/0.212 ms
  1. 因为我们要使用Windows,所以Windows上也要设置DNS
将Windows的首选DNS改为10.0.0.11
C:\Users\小黄人>ping hdss-12.host.com

正在 Ping HDSS-12.host.com [10.0.0.12] 具有 32 字节的数据:
来自 10.0.0.12 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.12 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.12 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.12 的回复: 字节=32 时间<1ms TTL=64

10.0.0.12 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 0ms,平均 = 0ms

C:\Users\小黄人>ping hdss-201.host.com

正在 Ping HDSS-201.host.com [10.0.0.201] 具有 32 字节的数据:
来自 10.0.0.201 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.201 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.201 的回复: 字节=32 时间<1ms TTL=64
来自 10.0.0.201 的回复: 字节=32 时间<1ms TTL=64

10.0.0.201 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 0ms,平均 = 0ms

三、准备签发证书环境

3.1.1 准备签发证书环境

  1. 在hdss-201.host.com上安装证书签发工具(证书签发工具有两种OpenSSL 和CFSSL)我们用CFSSL
官网地址:https://pkg.cfssl.org/
[root@hdss-201.host.com ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
--2020-06-10 21:21:27--  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.16.235.19, 104.16.234.19
Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.16.235.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10376657 (9.9M) [application/octet-stream]
Saving to: ‘/usr/bin/cfssl’

100%[===========================================================================================>] 10,376,657   864KB/s   in 14s    

2020-06-10 21:21:52 (736 KB/s) - ‘/usr/bin/cfssl’ saved [10376657/10376657]

[root@hdss-201.host.com ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
--2020-06-10 21:22:59--  https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.16.234.19, 104.16.235.19, 2606:4700::6810:eb13, ...
Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.16.234.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2277873 (2.2M) [application/octet-stream]
Saving to: ‘/usr/bin/cfssl-json’

100%[===========================================================================================>] 2,277,873    474KB/s   in 4.7s   

2020-06-10 21:23:07 (474 KB/s) - ‘/usr/bin/cfssl-json’ saved [2277873/2277873]

[root@hdss-201.host.com ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
--2020-06-10 21:23:41--  https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
Resolving pkg.cfssl.org (pkg.cfssl.org)... 104.16.235.19, 104.16.234.19, 2606:4700::6810:ea13, ...
Connecting to pkg.cfssl.org (pkg.cfssl.org)|104.16.235.19|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6595195 (6.3M) [application/octet-stream]
Saving to: ‘/usr/bin/cfssl-certinfo’

100%[===========================================================================================>] 6,595,195    422KB/s   in 16s    

2020-06-10 21:24:00 (400 KB/s) - ‘/usr/bin/cfssl-certinfo’ saved [6595195/6595195]
  1. 赋予执行权限
[root@hdss-201.host.com ~]# chmod +x /usr/bin/cfssl*
[root@hdss-201.host.com ~]# ll /usr/bin/cfssl*
-rwxr-xr-x 1 root root 10376657 Mar 30  2016 /usr/bin/cfssl
-rwxr-xr-x 1 root root  6595195 Mar 30  2016 /usr/bin/cfssl-certinfo
-rwxr-xr-x 1 root root  2277873 Mar 30  2016 /usr/bin/cfssl-json
  1. 签发证书
[root@hdss-201.host.com ~]# cd /opt/
[root@hdss-201.host.com /opt]# mkdir certs
[root@hdss-201.host.com /opt]# cd certs/

#签发根证书 -- 创建生成CA证书签名请求(csr)的JSON配置文件 ca-csr.json,内容如下

{
    "CN": "OldboyEdu",		# 机构名称,浏览器使用该字段验证网站是否合法,一般写的是域名,非常重要
    "hosts": [	
    ],
    "key": {			
        "algo": "rsa",		# 算法
        "size": 2048		# 长度
    },
    "names": [
        {
            "C": "CN",		# C,国家
            "ST": "guizhou",	# ST 州,省
            "L": "guiyang",	# L 地区 城市
            "O": "od",		# O 组织名称,公司名称
            "OU": "ops"		# OU 组织单位名称,公司部门
        }
    ],
    "ca": {
        "expiry": "175200h"	# expiry 过期时间,任何证书都有过期时间.20年
    }
}
  1. 签发承载式证书
[root@hdss-201.host.com /opt/certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/06/10 21:49:54 [INFO] generating a new CA key and certificate from CSR
2020/06/10 21:49:54 [INFO] generate received request
2020/06/10 21:49:54 [INFO] received CSR
2020/06/10 21:49:54 [INFO] generating key: rsa-2048
2020/06/10 21:49:55 [INFO] encoded CSR
2020/06/10 21:49:55 [INFO] signed certificate with serial number 316451461908738352836628254210527098323851467214
[root@hdss-201.host.com /opt/certs]# ll
total 16
-rw-r--r-- 1 root root  993 Jun 10 21:49 ca.csr
-rw-r--r-- 1 root root  345 Jun 10 21:48 ca-csr.json
-rw------- 1 root root 1675 Jun 10 21:49 ca-key.pem
-rw-r--r-- 1 root root 1346 Jun 10 21:49 ca.pem