一、环境介绍
| 主机名称 | IP地址 | 部署软件 | 备注 |
|---|---|---|---|
| k8s-master1 | 192.168.66.30 | etcd+kube-apiserver+kube-controller-manager+kube-scheduler+Kubelet+docker+kube-proxy | master |
| k8s-master2 | 192.168.66.31 | etcd+kube-apiserver+kube-controller-manager+kube-scheduler+Kubelet+docker+kube-proxy | master |
| k8s-master3 | 192.168.66.32 | etcd+kube-apiserver+kube-controller-manager+kube-scheduler+Kubelet+docker+kube-proxy | master |
| K8s-node1 | 192.168.66.35 | Kubelet+kube-proxy+docker | node1 |
| VIP | 192.168.66.100 | vip | |
| Haproxy1 | 192.168.66.98 | Haproxy+keepalive | |
| Haproxy2 | 192.168.66.99 | Haproxy+keepalive |
主键下载地址:
- kubernetes下载地址:
https://github.com/kubernetes/kubernetes/releases - Etcd下载地址:
https://github.com/etcd-io/etcd/releases - flannel下载地:
https://github.com/coreos/flannel/releases - cni-plugins下载地址:
https://github.com/containernetworking/plugins/releases - docker下载地址:
https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/ - cfssl下载地址:
https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 - heapster下载地址:
https://github.com/kubernetes-retired/heapster/archive/v1.5.4.tar.gz
二、环境准备
1、操作机器上生成密钥,无密码ssh登陆所有机器
ssh-keygen -t rsa- 1
for i in 30 31 32 35 36; do ssh-copy-id 192.168.66.$i; done- 1
2、升级内核
查看内核版本:uname -r
内核下载地址:
https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.7.8-1.el7.elrepo.x86_64.rpm
https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.7.8-1.el7.elrepo.x86_64.rpm
for i in 30 31 32 35 36; do scp -r
/root/内核文件/ root@192.168.66.$i:/root/; done- 1
- 2
cd 内核文件/- 1
yum -y install kernel-ml-5.7.8-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.7.8-1.el7.elrepo.x86_64.rpm- 1
调整默认启动内核
cat /boot/grub2/grub.cfg | grep menuentry- 1
grub2-set-default “CentOS Linux (5.7.8-1.el7.elrepo.x86_64) 7 (Core)”
查看是否设置成功
grub2-editenv list- 1
reboot- 1
3、开启ipvs支持
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp"
for kernel_module in \${ipvs_modules}; do
/sbin/modinfo -F filename \${kernel_module} > /dev/null 2>&1
if [ $? -eq 0 ]; then
/sbin/modprobe \${kernel_module}
fi
done
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
chmod 755 /etc/sysconfig/modules/ipvs.modules- 1
bash /etc/sysconfig/modules/ipvs.modules- 1
lsmod | grep ip_vs- 1
4、关闭防火墙
systemctl stop firewalld && systemctl disable firewalld- 1
5、关闭swap分区
swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab- 1
6、关闭SELinux
setenforce 0- 1
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config- 1
7、修改文件句柄数
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
* soft memlock unlimited
* hard memlock unlimited- 1
- 2
- 3
- 4
- 5
- 6
- 7
8、修改系统参数
vim /etc/sysctl.d/k8s.conf
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
net.ipv4.ip_forward = 1
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.netfilter.nf_conntrack_max = 2310720
fs.inotify.max_user_watches=89100
fs.may_detach_mounts = 1
fs.file-max = 52706963
fs.nr_open = 52706963
net.bridge.bridge-nf-call-arptables = 1
vm.swappiness = 0
vm.overcommit_memory=1
vm.panic_on_oom=0- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
sysctl --system- 1
9、在生产环境建议预留内存,避免内存耗尽导致ssh连不上主机
(32G的机器留2G,251的留3G, 500G的留5G)。下面是预留3G
echo 'vm.min_free_kbytes=3000000' >> /etc/sysctl.conf
sysctl -p- 1
- 2
10、在master添加hosts
vim /etc/hosts
192.168.66.30 k8s-master1
192.168.66.31 k8s-master2
192.168.66.32 k8s-master3
192.168.66.35 k8s-node1
192.168.66.36 k8s-node2- 1
- 2
- 3
- 4
- 5
- 6
11、检查时间同步
yum -y install chrony- 1
systemctl restart chronyd- 1
date- 1
三、搭建keepalived+haproxy
1、所有haproxy安装haproxy
yum install -y haproxy- 1
cat <<EOF > /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
defaults
mode tcp
log global
retries 3
timeout connect 10s
timeout client 1m
timeout server 1m
frontend k8s-api
bind *:6443
bind *:443
mode tcp
option tcplog
default_backend k8s-api
backend k8s-api
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server k8s-api-1 192.168.66.30:6443 check
server k8s-api-2 192.168.66.31:6443 check
server k8s-api-3 192.168.66.32:6443 check
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
所有haproxy启动haproxy
systemctl start haproxy
systemctl status haproxy
systemctl enable haproxy- 1
- 2
- 3
2、所有haproxy安装keepalived
yum install -y keepalived- 1
cat <<EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_K8S
}
vrrp_instance VI_1 {
state MASTER(BACKUP)
interface ens32
virtual_router_id 51
priority 100(备50)
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
VIP/24
}
}
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
所有haproxy启动keepalived
systemctl restart keepalived- 1
启动时会自动添加一个drop的防火墙规则,需要清空
iptables -F- 1
systemctl status keepalived
systemctl enable keepalived- 1
- 2
查看vip
ip add | grep 66.100- 1
四、在操作机上集群需要使用的证书签发
所有机器上创建相关目录
mkdir -p /opt/kubernetes/{bin,ssl,yaml,conf,log,cfg}- 1
echo 'export PATH=$PATH:/opt/kubernetes/bin' >> /etc/profile- 1
source /etc/profile- 1
1、创建证书工具
cd cfssl,证书产生/
把cfssl_linux-amd64放入/usr/local/bin/cfssl
把cfssljson_linux-amd64放入/usr/local/bin/cfssljson
把cfssl-certinfo_linux-amd64放入/usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*- 1
- 2
- 3
- 4
- 5
2、创建证书签发机构CA
mkdir -p /data/ssl- 1
cd /data/ssl- 1
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
正书签名请求
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ShangHai",
"ST": "ShangHai",
"O": "k8s",
"OU": "System"
}
]
}
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
生成CA证书和对应的私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -- 1
把生产的证书放到所有节点上
for i in 30 31 32 35 36; do scp -r /data/ssl/ca* root@192.168.66.$i:/opt/kubernetes/ssl/; done- 1
3、签发ETCD证书
mkdir /data/ssl/etcd- 1
cd /data/ssl/etcd- 1
创建证书
cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"k8s-master1ip",
"k8s-master2ip",
"k8s-master3ip"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ShangHai",
"ST": "ShangHai",
"O": "k8s",
"OU": "System"
}
]
}
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
生成etcd证书和对应的私钥
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes etcd-csr.json \
| cfssljson -bare etcd- 1
- 2
- 3
- 4
- 5
把生产的证书放到所有节点上
for i in 30 31 32 35 36; do scp -r /data/ssl/etcd root@192.168.66.$i:/opt/kubernetes/ssl/; done- 1
4、签发api server证书
mkdir /data/ssl/apiserver- 1
cd /data/ssl/apiserver- 1
创建证书#可以多写几个nodeip方便后期扩容
cat > kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"k8s-master1ip",
"k8s-master2ip",
"k8s-master3ip",
"k8s-node1ip",
"k8s-node2ip",
"haproxy1ip",
"haproxy2ip",
"10.0.0.1",
"vip",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ShangHai",
"ST": "ShangHai",
"O": "k8s",
"OU": "System"
}
]
}
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
生成api server证书和对应的私钥
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes kubernetes-csr.json \
| cfssljson -bare kubernetes- 1
- 2
- 3
- 4
- 5
把生产的证书放到所有节点上
for i in 30 31 32 35 36; do scp -r /data/ssl/apiserver root@192.168.66.$i:/opt/kubernetes/ssl/; done- 1
5、启用 TLS Bootstrapping 机制创建token
TLS Bootstraping:Master
apiserver启用TLS认证后,Node节点kubelet和kube-proxy 要与kube-
apiserver进行通信,必须使用CA签发的有效证书才可以,当Node节 点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。为 了简化流程,Kubernetes引入了TLS
bootstraping机制来自动颁发客户端证书, kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver 动态签署。所以强烈建议在Node上使用这种方式,目前主要用于kubelet, kube-proxy还是由我们统一颁发一个证书。
TLS bootstraping 工作流程
创建上述配置文件中token文件格式:
token,用户名,UID,用户组
mkdir /data/ssl/token- 1
cd /data/ssl/token- 1
cat <<EOF > token.csv
$(head -c 32 /dev/urandom | base64),kubelet-bootstrap,10001,"system:node-bootstrapr"
EOF- 1
- 2
- 3
把生产的证书放到所有节点上
for i in 30 31 32 35 36; do scp -r /data/ssl/token
root@192.168.66.$i:/opt/kubernetes/ssl/; done- 1
- 2
6、签发kube-proxy证书
mkdir /data/ssl/kube-proxy- 1
cd /data/ssl/kube-proxy- 1
创建证书
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ShangHai",
"ST": "ShangHai",
"O": "k8s",
"OU": "System"
}
]
}
EOF- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
生成kube-proxy证书和对应的私钥
cfssl gencert -ca=/data/ssl/ca.pem \
-ca-key=/data/ssl/ca-key.pem \
-config=/data/ssl/ca-config.json \
-profile=kubernetes kube-proxy-csr.json \
| cfssljson -bare kube-proxy- 1
- 2
- 3
- 4
- 5
把生产的证书放到所有节点上
for i in 30 31 32 35 36; do scp -r /data/ssl/kube-proxy root@192.168.66.$i:/opt/kubernetes/ssl/; done- 1
五、组件安装
1、Master上安装Etcd
是用来保存集群所有状态的 Key/Value 存储系统,常用于服务发现、共享配置以及并发控制(如 leader
选举、分布式锁等)。kubernetes 使用 etcd 存储所有运行数据。
- 创建etcd工作目录(所有master节点都要执行)
mkdir -p /data/etcd- 1
- 解压部署二进制文件
tar -xvf etcd-v3.4.9-linux-amd64.tar.gz -C /root/
把etcd-v3.4.9-linux-amd64/etcd*文件传到有所有master节点
for i in 30 31 32; do scp /root/etcd-v3.4.9-linux-amd64/etcd* root@192.168.66.$i:/opt/kubernetes/bin; done- 1
- 2
- 3
- 编辑启动文件
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/conf/etcd.conf
ExecStart=/opt/kubernetes/bin/etcd \
--cert-file=/opt/kubernetes/ssl/etcd/etcd.pem \
--key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--peer-cert-file=/opt/kubernetes/ssl/etcd/etcd.pem \
--peer-key-file=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/opt/kubernetes/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
for i in 30 31 32; do scp /usr/lib/systemd/system/etcd.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有Master写入配置文件
vim /opt/kubernetes/conf/etcd.conf
#[Member]
#节点名称,集群中唯一
ETCD_NAME="etcd-1"
#数据目录
ETCD_DATA_DIR="/data/etcd/default.etcd"
#集群通信监听地址
ETCD_LISTEN_PEER_URLS="https://当前ip:2380"
#客户端访问监听地址
ETCD_LISTEN_CLIENT_URLS="https://当前ip:2379"
#[Clustering]
#集群通告地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://当前ip:2380"
#客户端通告地址
ETCD_ADVERTISE_CLIENT_URLS="https://当前ip:2379"
#集群节点地址
ETCD_INITIAL_CLUSTER="etcd-1=https://k8s-master1ip:2380,etcd-2=https://k8s-master2ip:2380,etcd-3=https://k8s-master3ip:2380"
#集群Token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#加入集群的当前状态,new是新集群,existing表示加入已有集群
ETCD_INITIAL_CLUSTER_STATE="new"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 所有Master启动etcd服务
systemctl daemon-reload
systemctl start etcd.service
systemctl status etcd.service
systemctl enable etcd.service- 1
- 2
- 3
- 4
- 验证集群
查看集群状态
etcdctl --cacert=/opt/kubernetes/ssl/ca.pem \
--cert=/opt/kubernetes/ssl/etcd/etcd.pem \
--key=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--endpoints=https://etcd-1ip:2379,https://etcd-2ip:2379,https://etcd-3ip:2379 \
endpoint health- 1
- 2
- 3
- 4
- 5
查看集群成员
etcdctl --cacert=/opt/kubernetes/ssl/ca.pem \
--cert=/opt/kubernetes/ssl/etcd/etcd.pem \
--key=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--endpoints=https://etcd-1ip:2379,https://etcd-2ip:2379,https://etcd-3ip:2379 \
member list- 1
- 2
- 3
- 4
- 5
2、部署api-server
- 传输所有master组件启动的二进制
tar -xvf kubernetes-server-linux-amd64.tar.gz -C /root/
cd /root/kubernetes/server/bin/
#把相关二进制文件传输所有master节点
for i in 30 31 32; do scp kube-apiserver kubeadm kubectl kube-controller-manager kube-scheduler root@192.168.66.$i:/opt/kubernetes/bin/; done- 1
- 2
- 3
- 4
- 编辑启动文件
vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/conf/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
for i in 30 31 32; do scp /usr/lib/systemd/system/kube-apiserver.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有Master写入配置文件
vim /opt/kubernetes/conf/kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/log \
--etcd-servers=https://k8s-master1ip:2379,https://k8s-master2ip:2379,https://k8s-master3ip:2379 \
--bind-address=本机IP \
--secure-port=6443 \
--advertise-address=本机IP \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/ssl/token/token.csv \
--service-node-port-range=30000-50000 \
--kubelet-client-certificate=/opt/kubernetes/ssl/apiserver/kubernetes.pem \
--kubelet-client-key=/opt/kubernetes/ssl/apiserver/kubernetes-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/apiserver/kubernetes.pem \
--tls-private-key-file=/opt/kubernetes/ssl/apiserver/kubernetes-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \
--etcd-certfile=/opt/kubernetes/ssl/etcd/etcd.pem \
--etcd-keyfile=/opt/kubernetes/ssl/etcd/etcd-key.pem \
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--proxy-client-cert-file=/opt/kubernetes/ssl/apiserver/kubernetes.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/apiserver/kubernetes-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/log/k8s-audit.log"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
配置解说
–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–etcd-servers:etcd集群地址
–bind-address:监听地址
–secure-port:https安全端口
–advertise-address:集群通告地址
–allow-privileged:启用授权
–service-cluster-ip-range:Service虚拟IP地址段
–enable-admission-plugins:准入控制模块
–authorization-mode:认证授权,启用RBAC授权和节点自管理
–enable-bootstrap-token-auth:启用TLS bootstrap机制
–token-auth-file:bootstrap token文件
–service-node-port-range:Service nodeport类型默认分配端口范围
–kubelet-client-xxx:apiserver访问kubelet客户端证书
–tls-xxx-file:apiserver https证书
–etcd-xxxfile:连接Etcd集群证书
–audit-log-xxx:审计日志
#开启API 聚合用于允许第三方应用程序通过将自己注册到kube-apiserver上
–requestheader-client-ca-file
–proxy-client-cert-file=/opt/kubernetes/ssl/apiserver/kubernetes.pem
–proxy-client-key-file=/opt/kubernetes/ssl/apiserver/kubernetes-key.pem
–requestheader-allowed-names=kubernetes
–requestheader-extra-headers-prefix=X-Remote-Extra-
–requestheader-group-headers=X-Remote-Group
–requestheader-username-headers=X-Remote-User
–enable-aggregator-routing=true \
- 所有Master启动kube-apiserver服务
systemctl daemon-reload
systemctl start kube-apiserver
systemctl status kube-apiserver
systemctl enable kube-apiserver- 1
- 2
- 3
- 4
查看报错日志 journalctl -xe
- 授权kubelet-bootstrap用户允许请求证书
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap- 1
- 2
- 3
3、部署kube-controller-manager
- 编辑启动文件
vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/conf/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
for i in 30 31 32; do scp /usr/lib/systemd/system/kube-controller-manager.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有Master写入配置文件
vim /opt/kubernetes/conf/kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/log \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
配置解说
–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–bind-address:监听地址
–service-cluster-ip-range:Service虚拟IP地址段
–master:通过本地非安全本地端口8080连接apiserver。
–leader-elect:当该组件启动多个时,自动选举(HA)
–cluster-signing-cert-file/–cluster-signing-key-file:自动为kubelet颁发证书的CA,与apiserver保持一致
- 所有Master启动kube-controller-manager服务
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl status kube-controller-manager
systemctl enable kube-controller-manager- 1
- 2
- 3
- 4
4、部署kube-scheduler
- 编辑启动文件
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/conf/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
for i in 30 31 32; do scp /usr/lib/systemd/system/kube-scheduler.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有Master写入配置文件
vim /opt/kubernetes/conf/kube-scheduler.conf
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/log \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"- 1
- 2
- 3
- 4
- 5
- 6
- 7
配置解说
–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–bind-address:监听地址
–master:通过本地非安全本地端口8080连接apiserver。
–leader-elect:当该组件启动多个时,自动选举(HA)
- 所有Master启动kube-scheduler服务
systemctl daemon-reload
systemctl start kube-scheduler
systemctl status kube-scheduler
systemctl enable kube-scheduler- 1
- 2
- 3
- 4
所有Master查看集群状态
kubectl get cs- 1
Master和node部署组件(有些pod会跑在master上)
1. 操作机器上传输相关启动二进制
cd /root/kubernetes/server/bin/- 1
- 把相关二进制文件传输所有节点
for i in 30 31 32 35 36; do scp kube-proxy kubelet root@192.168.66.$i:/opt/kubernetes/bin/; done- 1
2. 所有节点安装Docker
- 配置阿里云 docker hub 镜像
export REGISTRY_MIRROR=https://registry.cn-hangzhou.aliyuncs.com- 1
- 安装依赖
yum install -y yum-utils device-mapper-persistent-data lvm2- 1
- 配置稳定的repositories
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo- 1
- 查找Docker-CE的版本
yum list docker-ce.x86_64 --showduplicates | sort -r- 1
- 安装
yum install -y docker-ce-19.03.6 docker-ce-cli-19.03.6 containerd.io- 1
- 阿里云镜像加速配置
mkdir -p /etc/docker- 1
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://uyah70su.mirror.aliyuncs.com"]
}
EOF- 1
- 2
- 3
- 4
- 5
- 显示出的docker.service路径配置daemon
systemctl enable docker- 1
vim /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd://
--containerd=/run/containerd/containerd.sock --graph /data/docker- 1
- 2
- 3
- 启动
systemctl daemon-reload
systemctl start docker
版本查看:docker version- 1
- 2
- 3
- 开启动网络转发功能,默认会自动开启
查看:为1是开启的
cat /proc/sys/net/ipv4/ip_forward- 1
手动开启:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1- 1
- 2
sysctl -p #生效- 1
3、所有节点安装部署Kubelet
- 操作机器上上传 /opt/kubernetes/yaml/kubelet-config.yml
for i in 30 31 32 35 36; do scp -r /opt/kubernetes/yaml/kubelet root@192.168.66.$i:/opt/kubernetes/yaml/; done- 1
- 操作机器上生成独立的bootstrap.kubeconfig文件
生成 kubelet bootstrap kubeconfig 配置文件
cd /opt/kubernetes/cfg- 1
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://VIP:6443 \
--kubeconfig=bootstrap.kubeconfig- 1
- 2
- 3
- 4
- 5
#与token.csv里保持一致
kubectl config set-credentials "kubelet-bootstrap" \
--token=Tfz+cSNpRxGDMUPjTHKOxgPJrdCszIyPK9bfSF+H7PI= \
--kubeconfig=bootstrap.kubeconfig- 1
- 2
- 3
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=bootstrap.kubeconfig- 1
- 2
- 3
- 4
kubectl config use-context default \
--kubeconfig=bootstrap.kubeconfig- 1
- 2
- 1
for i in 30 31 32 35 36; do scp /opt/kubernetes/cfg/bootstrap.kubeconfig root@192.168.66.$i:/opt/kubernetes/cfg/; done- 1
- 操作机器上编辑启动文件
vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/conf/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
for i in 30 31 32 35 36; do scp /usr/lib/systemd/system/kubelet.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有节点写入配置文件
vim /opt/kubernetes/conf/kubelet.conf
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/log \
--hostname-override=k8s-master1 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/yaml/kubelet/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl/apiserver \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
配置解说
–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–hostname-override:显示名称,集群中唯一
–network-plugin:启用CNI
–kubeconfig:空路径,会自动生成,后面用于连接apiserver
–bootstrap-kubeconfig:首次启动向apiserver申请证书
–config:配置参数文件
–cert-dir:kubelet证书生成目录
–pod-infra-container-image:管理Pod网络容器的镜像
4、所有节点安装部署kube-proxy
- 操作机器上上传 /opt/kubernetes/yaml/kube-proxy-config.yml
for i in 30 31 32 35 36; do scp -r /opt/kubernetes/yaml/kube-proxy root@192.168.66.$i:/opt/kubernetes/yaml/; done- 1
- 所有节点修改kube-proxy-config.yml
vim /opt/kubernetes/yaml/kube-proxy/kube-proxy-config.yml
hostnameOverride: k8s-master1- 1
- 2
- 操作机器上生成独立的kube-proxy.kubeconfig文件
生成 kubelet bootstrap kubeconfig 配置文件
cd /opt/kubernetes/cfg- 1
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://vip:6443 \
--kubeconfig=kube-proxy.kubeconfig- 1
- 2
- 3
- 4
- 5
kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/ssl/kube-proxy/kube-proxy.pem \
--client-key=/opt/kubernetes/ssl/kube-proxy/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig- 1
- 2
- 3
- 4
- 5
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig- 1
- 2
- 3
- 4
kubectl config use-context default \
--kubeconfig=kube-proxy.kubeconfig- 1
- 2
for i in 30 31 32 35 36; do scp /opt/kubernetes/cfg/kube-proxy.kubeconfig root@192.168.66.$i:/opt/kubernetes/cfg/; done- 1
- 操作机器上编辑启动文件
vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/conf/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
for i in 30 31 32 35 36; do scp /usr/lib/systemd/system/kube-proxy.service root@192.168.66.$i:/usr/lib/systemd/system/; done- 1
- 所有节点写入配置文件
vim /opt/kubernetes/conf/kube-proxy.conf
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/log \
--config=/opt/kubernetes/yaml/kube-proxy/kube-proxy-config.yml"- 1
- 2
- 3
- 4
- 5
配置解说
–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–config:配置参数文件
- 所有节点启动
重启docker
systemctl restart docker- 1
启动kube-scheduler服务
systemctl daemon-reload
systemctl start kubelet
systemctl status kubelet
systemctl enable kubelet- 1
- 2
- 3
- 4
启动kube-proxy服务
systemctl daemon-reload
systemctl start kube-proxy
systemctl status kube-proxy
systemctl enable kube-proxy- 1
- 2
- 3
- 4
- 在操作机上批准所有Master的kubelet证书申请并加入集群
查看kubelet证书请求
kubectl get csr- 1
- 2
批准申请
kubectl certificate approve NAME- 1
- 2
查看节点
kubectl get node- 1
- 2
部署CNI网络
- 所有节点创建相关目录
mkdir -p /opt/cni/bin- 1
- 操作主机部署相关命令和文件
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin- 1
for i in 30 31 32 35 36; do scp -r -p /opt/cni root@192.168.66.$i:/opt/; done- 1
- 上传/opt/kubernetes/yaml/kube-flannel.yml
修改kube-flannel.yml
Network与kube-controller-manager.conf中的 --cluster-cidr一样- 1
- 2
for i in 30 31 32 35 36; do scp -r /opt/kubernetes/yaml/flannel root@192.168.66.$i:/opt/kubernetes/yaml/; done- 1
- 操作主机上启动
kubectl apply -f /opt/kubernetes/yaml/flannel/kube-flannel.yml- 1
kubectl get pods -n kube-system- 1
kubectl get node- 1
操作主机上授权apiserver访问
kubelet将下来配置RBAC的授权,来允许 kube-apiserver去访问在每个worker节点上kubelet API.
访问kubelet API主要是用来检索度量,日志和执行Pods中的命令
- 上传/opt/kubernetes/yaml/apiserver-to-kubelet-rbac.yaml
for i in 30 31 32 35 36; do scp /opt/kubernetes/yaml/flannel/apiserver-to-kubelet-rbac.yaml root@192.168.66.$i:/opt/kubernetes/yaml/flannel/; done- 1
- 启动
kubectl apply -f \
/opt/kubernetes/yaml/flannel/apiserver-to-kubelet-rbac.yaml- 1
- 2
部署Dashboard
- 操作主机上部署Dashboard
上传/opt/kubernetes/yaml/kubernetes-dashboard.yaml- 1
for i in 30 31 32 35 36; do scp -r /opt/kubernetes/yaml/Dashboard root@192.168.66.$i:/opt/kubernetes/yaml/; done- 1
- 操作主机上启动
kubectl apply -f \
/opt/kubernetes/yaml/Dashboard/kubernetes-dashboard.yaml- 1
- 2
kubectl get pods,svc -n kubernetes-dashboard- 1
- 访问地址:https://随意个NodeIP:30001
- 操作主机上创建service account并绑定默认cluster-admin管理员集群角色
kubectl create serviceaccount dashboard-admin -n kube-system- 1
kubectl create clusterrolebinding dashboard-admin \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:dashboard-admin- 1
- 2
- 3
查看登入token值
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')- 1
部署CoreDNS:CoreDNS用于集群内部Service名称解析。
- 操作主机上部署CoreDNS
上传/opt/kubernetes/yaml/coredns.yaml- 1
for i in 30 31 32 35 36; do scp -r /opt/kubernetes/yaml/CoreDNS root@192.168.66.$i:/opt/kubernetes/yaml/; done- 1
- 操作主机上启动
kubectl apply -f /opt/kubernetes/yaml/CoreDNS/coredns.yaml- 1
kubectl get pods -n kube-system- 1
- 操作主机上DNS解析测试
kubectl run -it --rm dns-test --image=busybox:1.28.4 sh- 1
部署Metrics Server:判断是否需要扩容收容
Metrics Server是一个集群范围的资源使用情况的数据聚合器。作为一个应用部署在集群中。
Metric server从每个节点上Kubelet公开的摘要API收集指标。 Metrics
server通过Kubernetes聚合器注册在MasterAPIServer中
- 操作主机上部署Metrics Server
上传/opt/kubernetes/yaml/metrics-server/- 1
vim metrics-server/metrics-server-deployment.yaml
忽略证书并以ip采集
...
containers:
- name: metrics-server
image: lizhenliang/metrics-server-amd64:v0.3.1
command:
- /metrics-server
- --kubelet-insecure-tls
- --kubelet-preferred-address-types=InternalIP
...- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 操作主机上启动
cd /opt/kubernetes/yaml/metrics-server/- 1
kubectl create -f .- 1
查看pod启动状态
kubectl get pods -n kube-system- 1
查看日志
kubectl logs pods名字 -n kube-system- 1
查看是否注册到聚合成
kubectl get apiservers- 1
查看node、pod的资源利用率
kubectl top node
kubectl top pods- 1
- 2
工作使用apiserver
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes- 1
Helm应用包管理器:
- 安装Helm
上传helm/helm-v3.0.0-linux-amd64.tar.gz- 1
tar zxvf helm-v3.0.0-linux-amd64.tar.gz- 1
mv linux-amd64/helm /usr/bin/- 1
- 配置国内Chart仓库
安装push插件用于harbor连接仓库插件
helm plugin install https://github.com/chartmuseum/helm-push
或者
tar zxvf helm-push_0.7.1_linux_amd64.tar.gz
mkdir -p /root/.local/share/helm/plugins/helm-push
chmod +x bin/*
mv bin plugin.yaml /root/.local/share/helm/plugins/helm-push- 1
- 2
- 3
- 4
- 5
- 6
- 微软仓库(http://mirror.azure.cn/kubernetes/charts/)这个仓库强烈推荐,基本上官网有的chart这里都有。
- 阿里云仓库(https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts )
- 官方仓库(https://hub.kubeapps.com/charts/incubator)官方chart仓库,国内有点不好使。
- 添加存储库:
helm repo add stable http://mirror.azure.cn/kubernetes/charts- 1
helm repo add aliyun https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts- 1
helm repo add --username admin --password Harbor12345 myrepo http://192.168.10.163:8000/chartrepo/library- 1
helm repo update- 1
- 删除存储库
helm repo remove aliyun- 1
- 上传镜像到自己的仓库
helm push mysql-1.4.0.tgz --username=admin --password=Harbor12345 http://192.168.10.163:8000/harbor/projects/1/repositories- 1
- 查看配置的存储库:
helm repo list- 1
helm search repo stable- 1
- 命令使用
查找对应的软件包
helm search repo mysql- 1
把chart包下载下来查看详情
helm pull stable/mysql --untar- 1
可以打包推送的charts仓库共享别人使用
helm package mychart/- 1
查看chart信息
helm show chart stable/mysql- 1
查看发布状态、信息
helm status 名字- 1
列出使用的chart
helm list- 1
列出版本
helm history 名字- 1
升级
helm upgrade -f values.yaml 名字 mychart- 1
回滚
helm rollback 名字 #回滚到上一个版本
helm rollback 名字 第几个版本- 1
- 2
删除
helm uninstall 名字- 1
使用官方提供的chart
安装部署
helm show values stable/mysql > value.yaml- 1
#使用准备的yaml文件替换install中的默认值
helm install 名字 -f value.yaml stable/mysql- 1
或者命令行替代变量
helm install 名字 --set persistence.storageClass="managed-nfs-storage" stable/mysql- 1
使用自定义chart
创建chart目录
helm create mychart- 1
Mychart
#目录里存放这个chart依赖的所有子chart Charts
#用于描述这个 Chart的基本信息,包括名字、描述信息以及版本等 Chart.yaml
#目录里面存放所有yaml模板文件 templates deployment.yaml
#放置模板助手的地方,可以在整个 chart 中重复使用
_helpers.tpl ingress.yaml
#用于介绍Chart帮助信息,helm install 部署后展示给用户。 例如:如何使用这个 Chart、列出缺省的设置等 NOTES.txt service.yaml
#用于存储 templates 目录中模板文件中用到变量的值 values.yaml
启动
helm install 名字 mychart/- 1
查看渲染后的yaml
helm get manifest 名字- 1
喜欢的亲可以关注点赞评论哦!以后每天都会更新的哦!本文为小编原创文章;
文章中用到的文件、安装包等可以加小编联系方式获得;
欢迎来交流小编联系方式VX:CXKLittleBrother
进入运维交流群