二进制安装K8S - NODE 节点的安装

二进制安装K8S - NODE 节点的安装

安装系统

Linux node02 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

配置系统

关闭 防火墙
# Stop firewalld for the running system, then keep it from starting at boot.
# NOTE(review): after this the node has no host firewall, so the kubelet port
# (10250 in kubelet.config.json) and the kube-proxy healthz/metrics ports
# (10256/10249 in kube-proxy.config.yaml) are filtered only by whatever sits
# upstream. Confirm a network ACL restricts them, or keep firewalld running and
# open only the ports the cluster needs.
systemctl stop firewalld
systemctl disable firewalld
关闭 SeLinux
# Put SELinux into permissive mode for the running system.
setenforce 0
# Persist the change: rewrite SELINUX=enforcing to SELINUX=disabled in the
# config file. The substitution only matches a file currently set to
# "enforcing"; any other value is left as it is.
# NOTE(review): "disabled" removes SELinux confinement from every process on
# the node, container workloads included. Confirm this trade-off is intended
# before applying it outside a lab.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
关闭 swap
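# Turn off all swap for the running system.
swapoff -a
# Back up fstab, then rewrite it without any line that mentions "swap".
# `command cp -f` bypasses an interactive `cp -i` alias, which is what the
# original `yes |` was answering. The && matters: /etc/fstab is truncated by
# the redirect, so it must only be rewritten once the backup copy exists;
# otherwise a failed copy would leave an empty fstab.
command cp -f /etc/fstab /etc/fstab_bak \
  && grep -v swap /etc/fstab_bak > /etc/fstab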
yum epel源
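# Tools used below (wget downloads the repo definitions).
yum install wget telnet -y
# Keep the stock repo definition so it can be restored.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# Download the mirror's repo definitions over HTTPS. These files decide which
# servers and GPG keys yum trusts for every later package install, so fetching
# them over plain HTTP would let anyone on the network path rewrite them.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# NOTE(review): check the downloaded files for gpgcheck=1 before installing
# from them; their contents are not shown on this page.
# Drop cached metadata from the old repos and rebuild it from the new ones.
yum clean all
yum makecache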
修改 /etc/sysctl.conf
# Load the bridge netfilter module first; presumably so the net.bridge.* keys
# below exist when sysctl applies them. modprobe only affects the current boot.
modprobe br_netfilter
# Kernel settings for the node: pass bridged traffic through iptables and
# ip6tables, enable IPv4 forwarding, and set swappiness to 0.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
# Apply the file now.
sysctl -p /etc/sysctl.d/k8s.conf
开启 ipvs
# Write a small loader script for the IPVS kernel modules and the IPv4
# connection-tracking module.
cat <<'EOF' > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
# Make the script executable, run it once now, then list the loaded modules to
# confirm they are present.
chmod 755 /etc/sysconfig/modules/ipvs.modules \
  && bash /etc/sysconfig/modules/ipvs.modules \
  && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

安装 docker

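# Set up the yum repository for Docker CE.
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
# Add the repo definition over HTTPS: it names the package servers and GPG key
# yum will trust for Docker, so it should not travel over plain HTTP.
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# Install Docker. The engine and CLI are pinned to 18.09.7; containerd.io is
# not pinned, so yum picks whatever version the repo currently offers.
# No start/enable command is shown on this page; kubelet.service pulls
# docker.service in through Requires=.
yum install -y docker-ce-18.09.7 docker-ce-cli-18.09.7 containerd.io

# Userspace tools for IPVS (ipset, ipvsadm), plus nfs-utils.
yum install -y nfs-utils ipset ipvsadm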

安装 flannel(可选,flannel 可以用容器方式部署)

flannel 主节点安装查看 二进制安装k8s - MASTER 节点的安装
这里直接 复制已经生成的证书和启动文件

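# Copy the cluster CA certificate to the node.
# Only ca.pem is sent. The original `scp ca*` glob also matches ca-key.pem when
# run in the certificate directory, which would place the CA private key on a
# worker node; anyone who compromises that node could then sign certificates
# for any cluster identity. The node-side configuration on this page only
# reads /data/k8s/cert/ca.pem.
# NOTE(review): the flanneld unit is not shown here; if it references another
# ca* file, copy that file explicitly rather than restoring the glob.
scp ca.pem 192.168.100.57:/data/k8s/cert/
# Copy the flannel directory (certificates and unit file generated on the master).
scp -r flannel/ 192.168.100.57:/data/k8s/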


运行flannel
# Install the flanneld unit file and make systemd re-read its unit directory.
cp flanneld.service /etc/systemd/system/
systemctl daemon-reload
# Start flanneld for the current boot and print its state. No `systemctl enable`
# is run, so the service is not configured to start at boot.
systemctl start flanneld.service
systemctl status flanneld.service

安装 kubelet

:::master节点操作:::

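# Create a bootstrap token for the kubelet.
# NOTE(review): the printed token is a credential that lets its holder submit
# node certificate requests. No --ttl is given, so kubeadm's default lifetime
# applies (24h by default; confirm for your version). Treat the token as a
# secret until it expires.
kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups system:bootstrappers:node01 \
  --kubeconfig ~/.kube/config

# Set cluster parameters; the CA certificate is embedded in bootstrap.kubeconfig.
kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=https://192.168.100.58:6443 \
  --kubeconfig=bootstrap.kubeconfig

# Set client credentials. The text after --token= is the author's placeholder
# ("the token generated above"); replace it with the token printed by
# `kubeadm token create`.
# NOTE(review): a token passed on the command line ends up in shell history and
# is visible in the process list while the command runs.
kubectl config set-credentials kubelet-bootstrap \
  --token=这里是上面生成的token \
  --kubeconfig=bootstrap.kubeconfig

# Set context parameters.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Select the default context.
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

# Authorize kubelets: members of system:bootstrappers get the
# system:node-bootstrapper cluster role.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers

# Copy the generated bootstrap kubeconfig to the node.
# The commands above write bootstrap.kubeconfig, and kubelet.service reads
# /data/k8s/kubelet/bootstrap.kubeconfig. The original copied a file named
# "bootstrappers", which nothing on this page creates.
scp bootstrap.kubeconfig 192.168.100.59:/data/k8s/kubelet/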

:::node 节点操作:::

配置文件

kubelet.config.json

{
    
    
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    
    
    "x509": {
    
    
      "clientCAFile": "/data/k8s/cert/ca.pem"
    },
    "webhook": {
    
    
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
    
    
      "enabled": false
    }
  },
  "authorization": {
    
    
    "mode": "Webhook",
    "webhook": {
    
    
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "这里为node节点IP",
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    
    
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "cluster.local",
  "clusterDNS": ["10.96.0.2"]
}

kubelet.service

# systemd unit for the kubelet on a worker node.
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
# Ordered after docker.service, which is started as a hard dependency.
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/data/k8s/kubelet
# --bootstrap-kubeconfig is the token-based file copied from the master;
# --kubeconfig names the file that, per the page's note, is generated
# automatically once the kubelet has connected to the master.
# NOTE: the parenthesised text after node01 on the --hostname-override line is
# the author's annotation ("the node name to display"), not part of the flag
# value; remove it and set the real node name before installing this unit.
# NOTE(review): the pause image comes from a third-party registry mirror at a
# mutable tag; confirm the source is trusted or pin the image by digest.
# NOTE(review): --v=4 is a verbose log level; confirm /data/k8s/logs is not
# world-readable and lower the level once the node is stable.
ExecStart=/data/k8s/bin/kubelet \
--bootstrap-kubeconfig=/data/k8s/kubelet/bootstrap.kubeconfig \
--cert-dir=/data/k8s/cert \
--kubeconfig=/data/k8s/kubelet/kubelet.kubeconfig \
--config=/data/k8s/kubelet/kubelet.config.json \
--hostname-override=node01(这里是显示的node名) \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/data/k8s/logs \
--v=4
# Restart the kubelet 5 seconds after a failed exit.
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

@注:
kubelet.kubeconfig 文件连接上master后会自动生成。

启动


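# Create the log directory named by --log-dir in kubelet.service. -p makes the
# step repeatable: plain mkdir fails if the directory already exists, for
# example when this section is re-run.
mkdir -p /data/k8s/logs
# Install the unit file and make systemd re-read its unit directory.
cp kubelet.service /etc/systemd/system/
systemctl daemon-reload
# Start the kubelet for the current boot and print its state. No
# `systemctl enable` is run, so it is not configured to start at boot.
systemctl start kubelet
systemctl status kubelet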

:::master 节点操作:::

手动批准 node 节点的证书签名请求(CSR);批准前先核对 REQUESTOR 中的 token ID 是否为刚创建的 bootstrap token
# kubectl get csr
NAME                                                   AGE   REQUESTOR                 CONDITION
node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE   53s   system:bootstrap:0pmyt7   Pending

# kubectl certificate approve node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE
certificatesigningrequest.certificates.k8s.io/node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE approved

# kubectl get node
可以看到刚刚添加的node节点了

安装 kube-proxy

:::master 操作:::

创建证书文件

kube-proxy-csr.json

{
    
    
  "CN": "system:kube-proxy",
  "key": {
    
    
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
    
    
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "k8s",
      "OU": "lswzw"
    }
  ]
}
生成证书
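# Issue the kube-proxy client certificate from the cluster CA.
# The CA paths use /data/k8s/cert, the location every other command on this
# page uses; the original pointed at /opt/k8s/cert here only.
# cfssljson -bare writes kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr
# into the current directory.
cfssl gencert -ca=/data/k8s/cert/ca.pem \
  -ca-key=/data/k8s/cert/ca-key.pem \
  -config=/data/k8s/cert/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy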

ls *kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
创建kubeconfig 文件

kube-proxy.kubeconfig

# Issue the kube-proxy client certificate and key from the cluster CA.
# cfssljson -bare writes its output into the current directory.
# NOTE(review): set-credentials below reads the certificate and key from
# /data/k8s/cert, so run this in that directory or move the files there first.
cfssl gencert \
  -ca=/data/k8s/cert/ca.pem \
  -ca-key=/data/k8s/cert/ca-key.pem \
  -config=/data/k8s/cert/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json \
  | cfssljson -bare kube-proxy

# Cluster entry: API server address with the CA certificate embedded.
kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=https://192.168.100.58:6443 \
  --kubeconfig=kube-proxy.kubeconfig

# User entry: --embed-certs=true copies the client certificate AND the private
# key into kube-proxy.kubeconfig, so that file is itself a credential.
kubectl config set-credentials kube-proxy \
  --client-certificate=/data/k8s/cert/kube-proxy.pem \
  --client-key=/data/k8s/cert/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

# Context tying the user to the cluster, then select it as current.
kubectl config set-context kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context kube-proxy@kubernetes --kubeconfig=kube-proxy.kubeconfig

# Copy the kubeconfig to the worker node.
# NOTE(review): the file carries the embedded private key; confirm it is
# readable only by the account that runs kube-proxy on the node.
scp kube-proxy.kubeconfig 192.168.100.59:/data/k8s/kube-proxy/

:::node节点操作:::

创建配置文件

kube-proxy.config.yaml

# kube-proxy configuration for one worker node. Per the page's note, every IP
# below is this node's own address and hostnameOverride must be changed for
# each node.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.100.59
clientConnection:
  # Kubeconfig copied from the master; it embeds the kube-proxy client
  # certificate and private key.
  kubeconfig: /data/k8s/kube-proxy/kube-proxy.kubeconfig
clusterCIDR: 10.44.0.0/16
healthzBindAddress: 192.168.100.59:10256
hostnameOverride: node01
kind: KubeProxyConfiguration
# NOTE(review): metrics are bound to the node IP rather than loopback; confirm
# port 10249 is reachable only from the hosts that scrape it.
metricsBindAddress: 192.168.100.59:10249
# Use the IPVS proxy mode.
mode: "ipvs"

@注:
上面所有ip均为node节点IP hostname 不同节点须要改

kube-proxy.service

# systemd unit for kube-proxy on a worker node.
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/data/k8s/kube-proxy
# All proxy settings come from the YAML file passed with --config; the other
# flags only control logging (files under /data/k8s/logs plus stderr).
# NOTE(review): --v=4 is a verbose log level; lower it once the node is stable.
ExecStart=/data/k8s/bin/kube-proxy \
--config=/data/k8s/kube-proxy/kube-proxy.config.yaml \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/data/k8s/logs \
--v=4

# Restart kube-proxy 5 seconds after a failed exit; raise the open-file limit.
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
启动


# Install the kube-proxy unit file and make systemd re-read its unit directory.
cp kube-proxy.service /etc/systemd/system/
systemctl daemon-reload
# Start kube-proxy for the current boot and print its state. No
# `systemctl enable` is run, so it is not configured to start at boot.
systemctl start kube-proxy
systemctl status kube-proxy

检查状态

:::master 操作:::

# On the master: print the detailed state of every node to confirm that the new
# node has registered.
kubectl describe node


转载自blog.csdn.net/lswzw/article/details/106014471