
Kubernetes v1.12: Deploying a Multi-Master High-Availability Cluster from Binaries

Date: 2019-09-09 23:57:48

Environment:

High-availability architecture: [diagram not included in this copy of the page]

Component versions:

Software      | Version
Linux OS      | CentOS 7.5 x64
Kubernetes    | 1.12
Docker        | 18.xx-ce
etcd          | 3.x (3.3.10 is the release unpacked below)
Flannel       | 0.10

Server roles:

Role                   | IP                              | Components
master01               | 192.168.1.43                    | kube-apiserver, kube-controller-manager, kube-scheduler, etcd
master02               | 192.168.1.63                    | kube-apiserver, kube-controller-manager, kube-scheduler, etcd
node01                 | 192.168.1.30                    | kubelet, kube-proxy, docker, flannel, etcd
node02                 | 192.168.1.51                    | kubelet, kube-proxy, docker, flannel
node03                 | 192.168.1.141                   | kubelet, kube-proxy, docker, flannel
Load Balancer (Master) | 192.168.1.31 (VIP 192.168.1.31) | Nginx L4
Load Balancer (Backup) | 192.168.1.186                   | Nginx L4

Note: this table places etcd on master01, master02 and node01, but the etcd certificate request and the ETCD_INITIAL_CLUSTER value in section 1 use 192.168.1.43, 192.168.1.30 and 192.168.1.51 (master01, node01, node02). Decide on one member list and use it consistently in server-csr.json and in every member's config file: peers verify each other's certificate against the peer URL they dial, so a member whose IP is missing from the certificate's hosts cannot complete the TLS handshake and never joins.

Self-signed SSL certificates:

Component      | Certificates used
etcd           | ca.pem, server.pem, server-key.pem
flannel        | ca.pem, server.pem, server-key.pem
kube-apiserver | ca.pem, server.pem, server-key.pem
kubelet        | ca.pem, ca-key.pem
kube-proxy     | ca.pem, kube-proxy.pem, kube-proxy-key.pem
kubectl        | ca.pem, admin.pem, admin-key.pem

1. Deploy the etcd cluster

1.1 Install cfssl

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl                      # cfssl: generates and signs certificates
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson              # cfssljson: writes cfssl's JSON output out as .pem/.csr files
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo    # cfssl-certinfo: prints the contents of a certificate
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo

These three binaries will mint the root CA that every cluster component trusts, and curl -L follows redirects and verifies nothing beyond the TLS connection. Check the downloaded files against the checksums published with the cfssl release before running them.

1.2 Generate certificates

# mkdir ~/k8s/etcd-cert -p
# cd ~/k8s/etcd-cert

CA signing configuration (ca-config.json sets the validity period and defines the "www" profile; the profile carries both "server auth" and "client auth", which is what lets the single server.pem act as etcd's server certificate and as the client certificate the other components use to reach etcd):

# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

CA certificate signing request:

# cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

Certificate request for the etcd members (hosts must list the IP of every etcd member; these IP SANs are what peers and clients verify against the address they connect to, so a member left out here cannot join):

# cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.1.43",
    "192.168.1.30",
    "192.168.1.51"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

Generate the certificates:

Initialise the CA (writes ca.pem, ca-key.pem and ca.csr):
        cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
Issue the etcd certificate (writes server.pem, server-key.pem and server.csr):
        cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
Options:
        -ca=ca.pem              CA certificate
        -ca-key=ca-key.pem      CA private key
        -config=ca-config.json  signing configuration
        -profile=www            profile from the configuration to apply

ca-key.pem can sign a certificate that the entire cluster will trust. Keep it readable only by root (mode 0600) on the machine that issues certificates; etcd itself never needs it.
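As an added example (not code from the original post), the following sh script performs two pre-flight checks before the signing step: that every member address you intend to put in ETCD_INITIAL_CLUSTER appears in the CSR's hosts list, and that the CA private key is readable only by its owner. The CSR file, the two member strings and the scratch directory are constructed for the demo; the script relies only on sh, sed, grep and tr, so it does not need cfssl installed, and it assumes the hosts array is written one entry per line as server-csr.json above is.

```shell
#!/bin/sh
# Added example (not part of the original post): pre-flight checks to run before
# "cfssl gencert ... server-csr.json". Uses only sh, grep, sed and tr, so it works
# on a box where cfssl is not installed. Assumes the CSR writes "hosts" one entry
# per line, as server-csr.json on this page does.
set -eu

# Host part of every member URL in an ETCD_INITIAL_CLUSTER string
# ("etcd01=https://192.168.1.43:2380,etcd02=..."), one per line.
cluster_hosts() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's#^[^=]*=https\{0,1\}://\([^:/]*\):[0-9]*$#\1#p'
}

# Entries of the "hosts": [ ... ] array in a cfssl CSR file, one per line.
csr_hosts() {
    sed -n '/"hosts"[[:space:]]*:/,/]/p' "$1" | grep -v '"hosts"' \
        | sed -n 's/^[[:space:]]*"\([^"]*\)".*/\1/p'
}

# etcd peers verify the certificate SAN against the peer URL they dial, so every
# member IP must be in hosts. Prints the missing ones; returns 1 if any is missing.
check_csr_covers_cluster() {
    csr=$1; cluster=$2; missing=0
    for h in $(cluster_hosts "$cluster"); do
        if ! csr_hosts "$csr" | grep -qx "$h"; then
            echo "MISSING: $h is in ETCD_INITIAL_CLUSTER but not in $csr hosts"
            missing=1
        fi
    done
    return $missing
}

# ca-key.pem signs everything the cluster trusts: it must be readable only by its owner.
# (ls -l is parsed rather than stat because stat's flags differ between GNU and BSD.)
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# --- demo on constructed files in a scratch directory ---
WORK=$(mktemp -d)
cat > "$WORK/server-csr.json" <<'EOF'
{
    "CN": "etcd",
    "hosts": [
    "192.168.1.43",
    "192.168.1.30",
    "192.168.1.51"
    ],
    "key": { "algo": "rsa", "size": 2048 }
}
EOF
# Member list used by the page's own etcd config.
CLUSTER_OK="etcd01=https://192.168.1.43:2380,etcd02=https://192.168.1.30:2380,etcd03=https://192.168.1.51:2380"
# Member list implied by the roles table (etcd on master02, 192.168.1.63): not covered by the CSR.
CLUSTER_TABLE="etcd01=https://192.168.1.43:2380,etcd02=https://192.168.1.63:2380,etcd03=https://192.168.1.30:2380"

check_csr_covers_cluster "$WORK/server-csr.json" "$CLUSTER_OK" && echo "CSR covers all members: safe to sign"
check_csr_covers_cluster "$WORK/server-csr.json" "$CLUSTER_TABLE" || echo "fix hosts (or the member list) before signing"

touch "$WORK/ca-key.pem"; chmod 600 "$WORK/ca-key.pem"
key_perms_ok "$WORK/ca-key.pem" && echo "ca-key.pem permissions ok"
```

Run it in the directory that holds server-csr.json, passing the exact string you will put in ETCD_INITIAL_CLUSTER; if it reports a missing member, fix hosts and re-sign before copying anything to the nodes, because a certificate reissued later has to be redistributed to every member and every client.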

1.3 Deploy the etcd cluster

Binary download: https://github.com/etcd-io/etcd/releases

Unpack the tarball:

# cd ~/k8s
# tar -zxvf etcd-v3.3.10-linux-amd64.tar.gz

Create the etcd directories:

# mkdir -p /opt/etcd/{cfg,bin,ssl}     # configuration, binaries, certificates

Move the binaries into the etcd directory:

# cd ~/k8s/etcd-v3.3.10-linux-amd64
# mv etcd etcdctl /opt/etcd/bin/
# ls /opt/etcd/bin/
    etcd  etcdctl

Copy the certificates generated above into the etcd ssl directory:

# cd ~/k8s/etcd-cert
# cp *pem /opt/etcd/ssl/
# ls /opt/etcd/ssl/
    ca-key.pem  ca.pem  server-key.pem  server.pem

The glob also copies ca-key.pem, which etcd does not use (the unit file below references only ca.pem, server.pem and server-key.pem). Copying just those three files keeps the CA private key off the etcd nodes.

Create the etcd configuration file:

# cat <<EOF >/opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.43:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.43:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.43:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.43:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.1.43:2380,etcd02=https://192.168.1.30:2380,etcd03=https://192.168.1.51:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
  • ETCD_NAME: member name, unique per node
  • ETCD_DATA_DIR: data directory
  • ETCD_LISTEN_PEER_URLS: address to listen on for peer (cluster) traffic
  • ETCD_LISTEN_CLIENT_URLS: address to listen on for client traffic
  • ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the rest of the cluster
  • ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
  • ETCD_INITIAL_CLUSTER: every member as name=peer-URL; identical on all nodes
  • ETCD_INITIAL_CLUSTER_TOKEN: cluster token
  • ETCD_INITIAL_CLUSTER_STATE: new when bootstrapping a new cluster, existing when joining one that already runs

Create the systemd unit file (the heredoc delimiter is quoted so that the ${...} references survive for systemd to expand from EnvironmentFile; with an unquoted EOF your shell would expand them to empty strings while writing the file):

# cat <<'EOF' >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

Three points about ExecStart. The original hard-coded --initial-cluster-state=new and ignored the ETCD_INITIAL_CLUSTER_STATE it had just defined; reading it from the config file lets the same unit serve a replacement member that joins with "existing". Next, --listen-client-urls also opens a plaintext, unauthenticated listener on http://127.0.0.1:2379, so any local process on an etcd node can read or write the whole key space, which will hold the cluster's Secrets, without presenting a certificate; it is convenient for running etcdctl on the box, but remove it on production nodes and point etcdctl at the TLS endpoint with the certificates instead. Finally, --trusted-ca-file and --peer-trusted-ca-file only tell etcd which CA to trust; clients and peers are not required to present a certificate unless --client-cert-auth and --peer-client-cert-auth are also set, so as written anything that can reach port 2379 over TLS can talk to etcd.

Enable etcd at boot and start it:

# systemctl daemon-reload && systemctl enable etcd && systemctl restart etcd

On the first member this command blocks: the unit is Type=notify and etcd only signals readiness once a quorum (two of the three members here) has elected a leader, so systemctl waits until another member comes up and fails after its start timeout if none does, after which Restart=on-failure keeps retrying. That is expected; bring up the second member and the first one becomes ready.
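Step 1.3 has to be repeated on the other two members with only ETCD_NAME and the node's own IP changed. As an added example that is not part of the original post, the script below renders all three configuration files from one member table (the 43/30/51 members used in the page's own ETCD_INITIAL_CLUSTER) into a scratch directory instead of /opt/etcd/cfg, and checks each file for the mistakes that copying master01's file by hand usually produces: an ETCD_NAME whose entry in ETCD_INITIAL_CLUSTER does not carry this node's peer URL, or advertise URLs that differ from the listen URLs. MEMBERS, OUT_DIR and the helper names are the example's own; the systemd unit is identical on every node and is not rendered here.

```shell
#!/bin/sh
# Added example (not part of the original post): render /opt/etcd/cfg/etcd for every
# member from one member table, so the files differ only where they must, and check
# each one before it is copied to its node. etcd refuses to start when its --name and
# --initial-advertise-peer-urls do not match an entry in --initial-cluster, which is
# what happens when master01's file is copied and only the IP (or only the name) is edited.
# The member table is the one used by this page's ETCD_INITIAL_CLUSTER; OUT_DIR is a
# scratch directory standing in for /opt/etcd/cfg on each node.
set -eu

MEMBERS="etcd01=192.168.1.43 etcd02=192.168.1.30 etcd03=192.168.1.51"

# Build the ETCD_INITIAL_CLUSTER value: name=https://ip:2380, comma-separated,
# identical for every member.
initial_cluster() {
    out=""
    for m in $MEMBERS; do
        out="${out}${out:+,}${m%%=*}=https://${m#*=}:2380"
    done
    printf '%s' "$out"
}

# Print the config for one member. The heredoc is deliberately unquoted: the
# variables are meant to expand here, unlike in the systemd unit.
render_etcd_cfg() {
    name=$1; ip=$2; cluster=$3
    cat <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$cluster"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# Read KEY="value" from a config file (the format systemd's EnvironmentFile reads).
cfg_get() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# A member's own name=peer-URL pair must appear in ETCD_INITIAL_CLUSTER, and the
# advertised URLs must equal the listen URLs (this tutorial binds to the node IP).
cfg_self_consistent() {
    f=$1
    name=$(cfg_get "$f" ETCD_NAME)
    peer=$(cfg_get "$f" ETCD_LISTEN_PEER_URLS)
    cluster=$(cfg_get "$f" ETCD_INITIAL_CLUSTER)
    case ",$cluster," in
        *",$name=$peer,"*) ;;
        *) echo "$f: $name=$peer is not an entry of ETCD_INITIAL_CLUSTER"; return 1 ;;
    esac
    [ "$peer" = "$(cfg_get "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)" ] \
        || { echo "$f: peer advertise URL differs from listen URL"; return 1; }
    [ "$(cfg_get "$f" ETCD_LISTEN_CLIENT_URLS)" = "$(cfg_get "$f" ETCD_ADVERTISE_CLIENT_URLS)" ] \
        || { echo "$f: client advertise URL differs from listen URL"; return 1; }
}

# Demo: render all three members into a scratch directory and check each file.
OUT_DIR=$(mktemp -d)
CLUSTER=$(initial_cluster)
for m in $MEMBERS; do
    mkdir -p "$OUT_DIR/${m%%=*}"
    render_etcd_cfg "${m%%=*}" "${m#*=}" "$CLUSTER" > "$OUT_DIR/${m%%=*}/etcd"
    cfg_self_consistent "$OUT_DIR/${m%%=*}/etcd"
done
echo "rendered and checked configs under $OUT_DIR"
```

Copy each rendered file to /opt/etcd/cfg/etcd on the matching node, together with the same unit file, ca.pem, server.pem and server-key.pem, then run the daemon-reload/enable/restart line on each node.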

1.4 Install etcd on the other nodes


Original post: https://blog.51cto.com/14257939/2436668
