- 概述
- 安装环境准备:
K8s安装包下载
https://pan.baidu.com/s/1IiJwMYpZSNXYPGtPVx_eHg 提取码: 6e3b
部署节点:
192.168.1.2 node1 4C 4G 50G 【master】
192.168.1.3 node2 4C 4G 50G 【node】
192.168.1.4 node3 4C 4G 50G 【node】
2. 架构图:
Kubernets架构图
Flannel网络架构图
Kubernetes工作流程
集群功能各模块功能描述:
Master节点:
APIServer: APIServer负责对外提供RESTful的kubernetes API的服务,它是系统管理指令的统一接口,任何对资源的增删该查都要交给APIServer处理后再交给etcd,kubectl是直接和APIServer交互的。
schedule: schedule负责调度Pod到合适的Node上,如果把scheduler看成一个黑匣子,那么它的输入是pod和由多个Node组成的列表,输出是Pod和一个Node的绑定。 kubernetes目前提供了调度算法,同样也保留了接口。用户根据自己的需求定义自己的调度算法。
controller manager: 如果APIServer做的是前台的工作的话,那么controller manager就是负责后台的。每一个资源都对应一个控制器。而control manager就是负责管理这些控制器的,比如我们通过APIServer创建了一个Pod,当这个Pod创建成功后,APIServer的任务就算完成了。
etcd:etcd是一个高可用的键值存储系统,kubernetes使用它来存储各个资源的状态,从而实现了Restful的API。
Node节点:
kube-proxy: 实现了kubernetes中的服务发现和反向代理功能。kube-proxy支持TCP和UDP连接转发,默认基RR算法将客户端流量转发到与service对应的一组后端pod。服务发现方面,kube-proxy使用etcd的watch机制监控集群中service和endpoint对象数据的动态变化,维护一个service到endpoint的映射关系,保证了后端pod的IP变化不会对访问者造成影响。
kublet:kublet是Master在每个Node节点上面的agent,负责维护和管理该Node上的所有容器,【如果容器不是通过kubernetes创建的,它并不会管理】。本质上,它负责使Pod的运行状态与期望的状态一致
- Kubernetes安装及配置
- 初始化环境
- 设置关闭防火墙及selinux
- 关闭swap
- 设置docker所需参数
vim /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
sysctl –p /etc/sysctl.d/k8s.conf
【如果报错:cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: 没有那个文件或目录】
解决方案:
modprobe br_netfilter
cat > /etc/rc.sysinit << EOF
#!/bin/bash
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
EOF
cat > /etc/sysconfig/modules/br_netfilter.modules << EOF
modprobe br_netfilter
EOF
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
lsmod |grep br_netfilter
[注释:二层网桥在转发数据的时候也会手iptables规则过滤]
- 安装docker
下载docker-engine docker-engine-selinx两个rpm包,并自定义yum源
]# yum -y install docker-engine
]# systemctl restart docker && systemctl enable docker
- 创建安装目录
]# mkdir /k8s/etcd/{bin,cfg,ssl} –p
]# mkdir /k8s/kubernetes/{bin,cfg,ssl} –p
- 安装及配置CFSSL [证书生成工具]
]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
- 创建认证证书
创建ETCD证书
]# cat <<EOF | tee ca-config.json
> {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "www": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
创建ETCD CA 配置文件
]# cat <<EOF | tee ca-csr.json
> {
> "CN": "etcd CA",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Shenzhen",
> "ST": "Shenzhen"
> }
> ]
> }
> EOF
创建ETCD Server证书
]# cat << EOF | tee server-csr.json
> {
> "CN": "etcd",
> "hosts": [
> "192.168.1.2",
> "192.168.1.3",
> "192.168.1.4"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Shenzhen",
> "ST": "Shenzhen"
> }
> ]
> }
> EOF
创建ETCD CA证书和私钥
]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
创建kubernetes CA证书
]# cat << EOF | tee ca-config.json
> {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "kubernetes": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
]# cat << EOF | tee ca-csr.json
> {
> "CN": "kubernetes",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Shenzhen",
> "ST": "Shenzhen",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
生成API_SERVER证书
]# cat << EOF | tee server-csr.json
> {
> "CN": "kubernetes",
> "hosts": [
> "10.0.0.1",
> "127.0.0.1",
> "192.168.1.2",
> "kubernetes",
> "kubernetes.default",
> "kubernetes.default.svc",
> "kubernetes.default.svc.cluster",
> "kubernetes.default.svc.cluster.local"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Shenzhen",
> "ST": "Shenzhen",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
创建kubernetes proxy证书
]# cat << EOF | tee kube-proxy-csr.json
> {
> "CN": "system:kube-proxy",
> "hosts": [],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Shenzhen",
> "ST": "Shenzhen",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- ssh-key认证
ssh-keygen
ssh-copy-id 192.168.1.3
ssh-copy-id 192.168.1.4
2、部署ETCD
解压安装文件
]# tar -xf etcd-v3.3.10-linux-amd64.tar.gz
]# cd etcd-v3.3.10-linux-amd64/
]# cp etcd etcdctl /k8s/etcd/bin/
]# vim /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.2:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.2:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.2:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.2:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.2:2380,etcd02=https://192.168.1.3:2380,etcd03=https://192.168.1.4:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
创建etcd的systemd unit 文件
]# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/k8s/etcd/cfg/etcd
ExecStart=/k8s/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
拷贝证书文件
]# cp ca*pem server*pem /k8s/etcd/ssl/
启动ETCD服务
]# systemctl daemon-reload
]# systemctl enable etcd
]# systemctl start etcd