一、Etcd数据库集群部署
1.1、重命名
[root@server1 ~]# hostnamectl set-hostname master01
[root@server1 ~]# su
[root@master01 ~]#
[root@master ~]# hostnamectl set-hostname node01
[root@master ~]# su
[root@node01 ~]#
[root@docker1 ~]# hostnamectl set-hostname node02
[root@docker1 ~]# su
[root@node02 ~]#
1.2、master配置
[root@master01 ~]# mkdir k8s #创建k8s目录
[root@master01 ~]# cd k8s/
[root@master01 k8s]# mkdir etcd-cert #用来放etcd证书
[root@master01 etcd-cert]# cd /usr/local/bin
[root@master01 bin]# rz #上传制作证书的文件
[root@master01 bin]# ls
cfssl cfssl-certinfo cfssljson
[root@master01 bin]# chmod +x * #给予执行权限
[root@master01 bin]# cd /root/k8s/etcd-cert/
[root@master01 etcd-cert]# cat > ca-config.json <<EOF #定义ca证书
> {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@master01 etcd-cert]# cat > ca-csr.json <<EOF #实现证书签名
> {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Nanjing",
> "ST": "Nanjing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #生产证书,生成ca-key.pem ca.pem
[root@master01 etcd-cert]# cat > server-csr.json <<EOF #指定etcd三个节点之间的通信验证
> {
> "CN": "etcd",
> "hosts": [
> "192.168.140.10",
> "192.168.140.20",
> "192.168.140.30"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "NanJing",
> "ST": "NanJing"
> }
> ]
> }
> EOF
[root@master01 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server #生成ETCD证书
[root@master01 k8s]# rz #上传ETCD 二进制包
[root@master01 k8s]# ls
etcd-cert etcd-v3.3.10-linux-amd64.tar.gz
[root@master01 k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz #解压包
[root@master01 etcd-v3.3.10-linux-amd64]# mkdir /opt/etcd/{
cfg,bin,ssl} -p #创建存放配置文件,命令文件,证书的目录
[root@master01 etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/
[root@master01 etcd-v3.3.10-linux-amd64]# cd ..
[root@master01 k8s]# ls
etcd-cert etcd-v3.3.10-linux-amd64 etcd-v3.3.10-linux-amd64.tar.gz
[root@master01 k8s]# cd etcd-cert/
[root@master01 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem server.csr server-csr.json server-key.pem server.pem
[root@master01 etcd-cert]# cp *.pem /opt/etcd/ssl/
[root@master01 etcd-cert]# ls /opt/etcd/ssl/
ca-key.pem ca.pem server-key.pem server.pem
[root@master01 k8s]# rz
[root@master01 k8s]# ls
etcd-cert etcd.sh etcd-v3.3.10-linux-amd64 etcd-v3.3.10-linux-amd64.tar.gz
[root@master01 bin]# bash /root/k8s/etcd.sh etcd01 192.168.140.10 etcd02=https://192.168.140.20:2380,etcd03=https://192.168.140.30:2380 #执行脚本,构建集群
[root@master01 bin]# ps -ef | grep etcd #查看etcd是否启动
[root@master01 bin]# scp -r /opt/etcd/ root@192.168.140.20:/opt/ #拷贝证书去node1节点
[root@master01 bin]# scp -r /opt/etcd/ root@192.168.140.30:/opt/ #拷贝证书去node2节点
[root@master01 bin]# scp /usr/lib/systemd/system/etcd.service root@192.168.140.20:/usr/lib/systemd/system/ #启动脚本拷贝到node1节点
[root@master01 bin]# scp /usr/lib/systemd/system/etcd.service root@192.168.140.30:/usr/lib/systemd/system/ #启动脚本拷贝到node2节点
1.3、node节点操作
[root@node01 etcd]# cd cfg/
[root@node01 cfg]# ls
etcd
[root@node01 cfg]# vim etcd
[root@node02 etcd]# cd cfg
[root@node02 cfg]# ls
etcd
[root@node02 cfg]# vim etcd
[root@node01 cfg]# systemctl start etcd
[root@node01 cfg]# systemctl status etcd
[root@node02 cfg]# systemctl start etcd
[root@node02 cfg]# systemctl status etcd
1.4、master节点进行验证
[root@master01 bin]# bash /root/k8s/etcd.sh etcd01 192.168.140.10 etcd02=https://192.168.140.20:2380,etcd03=https://192.168.140.30:2380 #加入集群
[root@master01 bin]# cd /opt/etcd/ssl/
[root@master01 ssl]# ls
ca-key.pem ca.pem server-key.pem server.pem
[root@master01 ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379" cluster-health #检测集群是否加入成功
二、flannel网络配置
2.1、写入分配的子网段到ETCD中,供flannel使用
[root@master01 etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
2.2、查看写入的信息
[root@master01 etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379" get /coreos.com/network/config
2.3、node上配置
2.3.1、node节点下载 flannel-v0.10.0-linux-amd64.tar.gz并解压
[root@node01 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
[root@node02 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
2.3.2、创建k8s工作目录,并拷贝文件
[root@node01 ~]# mkdir /opt/kubernetes/{
cfg,bin,ssl} -p
[root@node01 ~]# cd /opt/kubernetes/
[root@node01 kubernetes]# ls
bin cfg ssl
[root@node01 kubernetes]# cd
[root@node01 ~]# ls
anaconda-ks.cfg flanneld initial-setup-ks.cfg README.md 公共 视频 文档 音乐
compose_nginx flannel-v0.10.0-linux-amd64.tar.gz mk-docker-opts.sh tls 模板 图片 下载 桌面
[root@node01 ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@node01 ~]# ls /opt/kubernetes/bin/
flanneld mk-docker-opts.sh
[root@node02 ~]# mkdir /opt/kubernetes/{
cfg,bin,ssl} -p
[root@node02 ~]# cd /opt/kubernetes/
[root@node02 kubernetes]# ls
bin cfg ssl
[root@node02 kubernetes]# cd
[root@node02 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz mk-docker-opts.sh 公共 视频 文档 音乐
flanneld initial-setup-ks.cfg README.md 模板 图片 下载 桌面
[root@node02 ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@node02 ~]# ls /opt/kubernetes/bin/
flanneld mk-docker-opts.sh
[root@node01 ~]# rz
[root@node01 ~]# ls
[root@node02 ~]# rz
[root@node02 ~]# ls
[root@node02 ~]# cat flannel.sh
#!/bin/bash
ETCD_ENDPOINTS=${
1:-"http://127.0.0.1:2379"}
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
2.3.3、开启flannel网络功能
[root@node01 ~]# bash flannel.sh https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379
[root@node02 ~]# bash flannel.sh https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379
2.3.4、配置docker连接flannel
[root@node01 ~]# ifconfig
[root@node02 ~]# ifconfig
[root@node01 ~]# vim /usr/lib/systemd/system/docker.service
[root@node02 ~]# vim /usr/lib/systemd/system/docker.service
[root@node01 ~]# cat /run/flannel/subnet.env
注:bip指定启动时的子网
[root@node01 ~]# systemctl daemon-reload
[root@node01 ~]# systemctl restart docker #重启docker服务
[root@node02 ~]# systemctl daemon-reload
[root@node02 ~]# systemctl restart docker
2.3.5、查看flannel网络
[root@node01 ~]# ifconfig
[root@node02 ~]# ifconfig
2.4、测试ping通对方docker0网卡 证明flannel起到路由作用
[root@node02 ~]# docker run -it centos:7 /bin/bash
[root@71abc28e903a /]# yum install net-tools -y
[root@node01 ~]# docker run -it centos:7 /bin/bash
[root@6b8f7c913bc6 /]# yum install net-tools -y
[root@6b8f7c913bc6 /]# ping 172.17.78.1
三、部署master组件
1、自签APIServeri证书
2、部署APIServer组件( token, csv)
3、部署controller - manager ( 指定apiserver证书)和scheduler组件
3.1、前期部署组件
[root@master01 k8s]# rz -E
[root@master01 k8s]# unzip master.zip
[root@master01 k8s]# chmod +x controller-manager.sh
[root@master01 k8s]# mkdir k8s-cert
[root@master01 k8s]# cd k8s-cert/
[root@master01 k8s-cert]# rz -E
[root@master01 k8s-cert]# vim k8s-cert.sh
[root@master01 k8s-cert]# bash k8s-cert.sh #生成k8s证书
[root@master01 k8s-cert]# mkdir /opt/kubernetes/{
cfg,bin,ssl} -p
[root@master01 k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@master01 k8s-cert]# ls /opt/kubernetes/ssl/
[root@master01 k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@master01 bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@master01 bin]# ls /opt/kubernetes/bin/
[root@master01 bin]# head -c 16 /dev/urandom | od -An -t x | tr -d ' ' #随机生成序列号
[root@master01 bin]# vim /opt/kubernetes/cfg/token.csv
bash apiserver.sh 192.168.140.10 https://192.168.140.10:2379,https://192.168.140.20:2379,https://192.168.140.30:2379
#二进制文件,token,证书都准备好,开启apiserver
[root@master01 k8s]# ps aux | grep kube #检查进程是否启动成功
[root@master01 k8s]# cat /opt/kubernetes/cfg/kube-apiserver #查看配置文件
[root@master01 k8s]# netstat -ntap | grep 6443 #查看监听的端口
[root@master01 k8s]# netstat -ntap | grep 8080
3.2、启动scheduler服务
[root@master01 k8s]# ./scheduler.sh 127.0.0.1
[root@master01 k8s]# ps aux | grep kube
3.3、启动controller-manager
[root@master01 k8s]# ./controller-manager.sh 127.0.0.1
3.4、查看master 节点状态
[root@master01 k8s]# /opt/kubernetes/bin/kubectl get cs
四、node节点部署
[root@master01 bin]# scp kubelet kube-proxy root@192.168.140.20:/opt/kubernetes/bin/
[root@master01 bin]# scp kubelet kube-proxy root@192.168.140.30:/opt/kubernetes/bin/
[root@node01 ~]# rz -E
[root@node01 ~]# unzip node.zip
[root@node02 ~]# unzip node.zip
4.1、在master上操作
[root@master01 k8s]# mkdir kubeconfig
[root@master01 k8s]# cd kubeconfig/
[root@master01 kubeconfig]# rz
[root@master01 kubeconfig]# ls
kubeconfig.sh
[root@master01 kubeconfig]# vim kubeconfig.sh
4.1.1、设置环境变量(可以写入到/etc/profile中)
[root@master01 kubeconfig]# vim /etc/profile #修改环境变量
[root@master01 kubeconfig]# source /etc/profile
[root@master01 kubeconfig]# kubectl get cs
[root@master01 kubeconfig]# mv kubeconfig.sh kubeconfig #脚本重命名
[root@master01 kubeconfig]# bash kubeconfig 192.168.140.10 /root/k8s/k8s-cert/ #生成配置文件
4.1.2、拷贝配置文件到node节点
[root@master01 kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.140.20:/opt/kubernetes/cfg/
[root@master01 kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.140.30:/opt/kubernetes/cfg/
4.1.3、创建bootstrap角色赋予权限用于连接apiserver请求签名
[root@master01 kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
4.2、node01节点操作
[root@node01 ~]# bash kubelet.sh 192.168.140.20
[root@node01 ~]# ps aux | grep kube
[root@node01 ~]# systemctl status kubelet.service
[root@master01 kubeconfig]# kubectl get csr #检查到node01节点的申请证书的请求
[root@master01 kubeconfig]# kubectl certificate approve node-csr-urvLrobhIE7H95T5L4NVnn8kTG2wHD6T7My3eqfMfXU #颁发证书
[root@master01 kubeconfig]# kubectl get csr
[root@master01 kubeconfig]# kubectl get node #查看群集节点
4.3、node01节点操作,启动proxy服务
[root@node01 ~]# bash proxy.sh 192.168.140.20
[root@node01 ~]# systemctl status kube-proxy.service
4.4、node02节点部署
4.4.1、在node01节点操作
[root@node01 ~]# scp -r /opt/kubernetes/ root@192.168.140.30:/opt/
# 把现成的/opt/kubernetes目录复制到其他节点进行修改即可
[root@node01 ~]# scp /usr/lib/systemd/system/{
kubelet,kube-proxy}.service root@192.168.140.30:/usr/lib/systemd/system/
4.4.2、在node02上操作,进行修改
[root@node02 ~]# cd /opt/kubernetes/ssl/
[root@node02 ssl]# rm -rf *
4.4.3、修改配置文件
[root@node02 ssl]# cd ..
[root@node02 kubernetes]# cd cfg/
[root@node02 cfg]# vim kubelet
[root@node02 cfg]# vim kubelet.config
[root@node02 cfg]# vim kube-proxy
[root@node02 cfg]# systemctl start kubelet.service #启动服务
[root@node02 cfg]# systemctl enable kubelet.service #设为开机自启
[root@node02 cfg]# systemctl status kubelet.service
[root@node02 cfg]# systemctl start kube-proxy.service
[root@node02 cfg]# systemctl enable kube-proxy.service
[root@node02 cfg]# systemctl status kube-proxy.service
4.5、在master上操作查看请求
[root@master01 kubeconfig]# kubectl get csr
[root@master01 kubeconfig]# kubectl certificate approve node-csr-SkXNumYnjfaNh5Mx3kshBNqGZ7G0O_JbOsGUOWxSBj4
[root@master01 kubeconfig]# kubectl get node
五、K8s单节点搭建步骤总结
- 自签ETCD证书
- ETCD部署
- Node安装docker
- Flannel部署(先写入子网到etcd)
5.1、master
- 自签APIServer证书
- 部署APIServer组件(token, csv)
- 部署controller- manager (指定apiserver证书)和scheduler组件
5.2、node
- 生成kubeconfig. (bootstrap, kubeconfi g和kube proxy. kubeconfig)
- 部署kubelet组件
- 部署kube- proxy组件
5.3、加入集群
- kubectl get csr & kubectl certificate approve允许颁发证书,添加一个node节点
- 查看kubectl get node 节点