Kubernetes源码安装(环境准备)

Kubernetes源码安装

环境初始化

资源规划

Hostname Config
master 2CPU8G
node1 2CPU4G
node2 2CPU4G

我这里使用的是阿里云(aliyun)的服务器,所以不需要在主机上配置防火墙策略;访问控制应由云平台的安全组承担,安全组里仍应只放行集群需要的端口。

如果是虚拟机(VM),需要按下文关闭防火墙等配置。

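# Set this machine's hostname from its IPv4 address.
# The three addresses below are the author's hosts; replace them with your own.
master=172.22.213.49
node1=172.22.213.52
node2=172.22.213.53

# First IPv4 address reported for ens33. The interface name is host-specific;
# adjust it if your NIC is named differently.
temp=$(ifconfig ens33 | awk '/inet /{print $2; exit}')

# The selector is quoted so that an empty $temp (interface missing, no address
# assigned) falls through to the warning instead of breaking the comparison.
case "$temp" in
  "$master") hostnamectl set-hostname master ;;
  "$node1")  hostnamectl set-hostname node1 ;;
  "$node2")  hostnamectl set-hostname node2 ;;
  *) printf 'no hostname mapping for address "%s"; hostname left unchanged\n' "$temp" >&2 ;;
esac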

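# Add name resolution for the three cluster hosts.
# Each entry is appended only when that exact line is not already present, so
# re-running this step does not pile up duplicate records in /etc/hosts.
while IFS= read -r entry; do
  grep -qxF -- "$entry" /etc/hosts || printf '%s\n' "$entry" >> /etc/hosts
done <<'EOF'
172.22.213.49   master  master
172.22.213.52   node1   node1
172.22.213.53   node2   node2
EOF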
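# Apply the following settings on virtual machines.

# Stop firewalld now and keep it from starting at boot.
# NOTE(review): with firewalld off, nothing on the host filters inbound traffic
# to etcd, the kubelet or the API server. Something upstream (cloud security
# group, network ACL) has to restrict those ports; the alternative is to keep
# firewalld running and open only the ports the cluster needs.
systemctl stop firewalld && systemctl disable firewalld

# Turn swap off now and comment out the swap entries in /etc/fstab so it stays
# off after a reboot. Lines that are already commented are skipped, so a second
# run does not stack another '#', and tab-separated entries are matched too.
swapoff -a && sed -i '/^[[:space:]]*#/! s/^\(.*[[:space:]]swap[[:space:]].*\)$/#\1/' /etc/fstab

# Stop SELinux enforcement now and disable it in the persistent config.
# NOTE(review): SELINUX=disabled switches SELinux off entirely after the next
# boot. The kubeadm install documentation uses SELINUX=permissive instead,
# which still logs denials; prefer that unless a component is known to need
# "disabled".
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config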

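# Make bridged IPv4/IPv6 traffic traverse the iptables chains.
# With these keys at 0, bridged pod traffic skips iptables, so rules that rely
# on it (kube-proxy, iptables-based policy) never see those packets.

# The net.bridge.* keys only exist while br_netfilter is loaded; without the
# module, sysctl cannot apply the file below. Load it now and on every boot.
modprobe br_netfilter
printf '%s\n' br_netfilter > /etc/modules-load.d/k8s.conf

cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

# Re-read every sysctl drop-in, including the file just written.
sysctl --system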

创建证书Etcd

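# Fetch the cfssl certificate tooling (release R1.2) into /usr/local/bin.
#
# -f makes curl fail on an HTTP error instead of saving the error page as the
# "binary"; --proto/--proto-redir refuse any hop that is not HTTPS.
#
# NOTE(review): these binaries run as root and generate the cluster CA key, and
# the page pins no checksum for them. The digest of each download is printed
# below; compare it with the value published by the project before running the
# tools.
for tool in cfssl cfssljson cfssl-certinfo; do
  if curl -fL --proto '=https' --proto-redir '=https' \
      "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" \
      -o "/usr/local/bin/${tool}"; then
    sha256sum "/usr/local/bin/${tool}"
    # Mark only the file that was just downloaded as executable.
    chmod +x "/usr/local/bin/${tool}"
  else
    printf 'download of %s failed; it was not made executable\n' "$tool" >&2
  fi
done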

生成Etcd证书

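# Create the working directories: one for the etcd certificates and one for the
# Kubernetes certificates. The two paths are spelled out because the brace
# expansion in the original listing was split across lines and would not expand.
mkdir -p ~/TLS/etcd ~/TLS/k8s
# The CA and server private keys are generated inside this tree; keep it
# readable by the current user only.
chmod 700 ~/TLS
cd ~/TLS/etcd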

# Signing policy for the self-signed certificate authority (CA).
# It defines a default expiry and one profile, "www", that later signing
# commands select by name.
# NOTE(review): 87600h is roughly ten years, and the single profile allows both
# "server auth" and "client auth". Certificates issued from it stay valid for a
# decade in either role, so plan how a leaked key would be replaced.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
     },
     "profiles": {
       "www": {
         "expiry": "87600h",
         "usages": [
           "signing",
           "key encipherment",
           "server auth",
           "client auth"
      ]
     }
    }
  }
}
EOF

# Certificate signing request for the etcd CA itself: common name "etcd CA",
# a 2048-bit RSA key, and the subject's country / locality / state fields.
cat > ca-csr.json <<'EOF'
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
  },
        
  "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
     ]
}
EOF

# Generate the self-signed CA. cfssljson writes the result under the "ca"
# prefix; the *.pem files are the certificate material (ca.pem is the
# certificate, ca-key.pem the private key).
# NOTE(review): ca-key.pem can sign certificates that the whole etcd cluster
# will trust; keep it on this host only and do not copy it to the nodes.
cfssl gencert -initca ca-csr.json \
  | cfssljson -bare ca -

自签CA做Etcd HTTPS证书

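# The cluster is currently 1 master and 2 nodes.
# "hosts" becomes the certificate's subject alternative names, so it has to
# list every address the etcd members are reached on; a member added later
# needs the certificate re-issued with its address included.
# (The shell prompt prefixes from the original transcript are dropped so the
# commands can be pasted and run as written.)
cat > server-csr.json <<'EOF'
{
    "CN": "etcd",
    "hosts": [
        "172.22.213.49",
        "172.22.213.52",
        "172.22.213.53"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

# Issue the etcd certificate from the self-signed CA using the "www" profile.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json \
  | cfssljson -bare server

# Certificate generation is complete: server.pem and server-key.pem now sit
# next to the CA files.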


转载自blog.csdn.net/weixin_45641605/article/details/115081732