首页 > 其他 > 详细

二进制部署k8s 1.18.14(高可用)

时间:2021-01-10 22:54:26      阅读:43      评论:0      收藏:0      [点我收藏+]

一、安装环境准备

1.机器列表

主机名 IP 操作系统 角色 安装软件 VM配置
k8s-master1 192.168.0.101 CentOS 7 管理节点

docker
kube-apiserver
kube-schduler
kube-controller-manager
etcd
flannel

Haproxy
keepalived

CPU:2G

MEM:2core
k8s-master2 192.168.0.102 CentOS 7 管理节点

docker
kube-apiserver
kube-schduler
kube-controller-manager
etcd
flannel

Haproxy
keepalived

CPU:2G

MEM:2core
k8s-node1 192.168.0.111 CentOS 7 工作节点 docker
kubelet
kube-proxy
flannel

CPU:2G

MEM:2core
k8s-node2 192.168.0.112 CentOS 7 工作节点 docker
kubelet
kube-proxy
flannel

CPU:2G

MEM:2core
VIP 192.168.0.100        
master 192.168.0.123 CentOS 7 主控节点 不需要

CPU:1G

MEM:1core

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2.版本信息

docker: 19.03.13
etcd: 3.4.14
kubernetes: 1.18.14
pod 网段:10.244.0.0/16
service 网段:10.96.0.0/12
kubernetes 内部地址:10.96.0.1
flannel: 0.13.0
coredns: v1.6.7
coredns 地址: 10.96.0.10

3.环境初始化

  说明:以 maser 做主控机,对其他机器做远程操作。

  3.1免密登录

  在master主控机上执行以下两步操作。

[root@master ~]# ssh-keygen -t rsa
[root@master ~]# for i in 101 102 111 112; do ssh-copy-id 192.168.0.$i; done

  3.2在master主机添加hosts

[root@master ~]# vim /etc/hosts
192.168.0.101   k8s-master1
192.168.0.102   k8s-master2
192.168.0.111   k8s-node1
192.168.0.112   k8s-node2

  注意:以下操作在四台k8s机器和两台ha机器上都要执行

  3.2时间同步

  将系统时间设置为当前时间,并写入CMOS,否则系统重启后修改时间会失效。

#设置系统时间
[root@master ~]# date -s 2021-01-10 12:09:00
Sun Jan 10 12:09:00 CST 2021
#系统时间强制写入CMOS
[root@master ~]# clock -w
#显示系统时间
[root@master ~]# date
Sun Jan 10 12:09:41 CST 2021
#显示硬件时间
[root@master ~]# hwclock --show
Sun 10 Jan 2021 12:09:49 PM CST  -0.411765 seconds

  3.3关闭防火墙

systemctl stop firewalld  && systemctl disable firewalld

  3.4关闭selinux

setenforce 0 && sed -i s/=enforcing/=disabled/g /etc/selinux/config

  3.5关闭swap

swapoff -a && sed -i /swap/s/^/#/ /etc/fstab

   默认情况下,kubelet不允许所在的主机存在交换分区,后期规划的时候,可以考虑在系统安装的时候不创建交换分区,针对已经存在交换分区的可以设置忽略禁止使用swap的限制,不然无法启动kubelet。一般直接禁用swap就可以了,不需要执行此步骤。

vim /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--fail-swap-on=false"

  3.6安装docker并配置加速器

vim install_docker.sh
#!/bin/bash
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-19.03.13 -y
systemctl enable docker
systemctl start docker

vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://wyt8gbxw.mirror.aliyuncs.com"]
}

systemctl daemon-reload
systemctl restart docker

二、安装Haproxy+Keepalived

  说明:在两台管理节点上安装,安装步骤一样,只是配置文件略有不同。

1.haproxy

  1.1安装和配置如下

  因为haproxy和kube-apiserver在同一台主机,所以监听端口要不同,这里haproxy监听8443,kube-apiserver监听6443

[root@k8s-master1 ~]# yum install -y haproxy

[root@k8s-master1 ~]# cat /etc/haproxy/haproxy.cfg
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
defaults
    mode                    tcp
    log                     global
    retries                 3
    timeout connect         10s
    timeout client          1m
    timeout server          1m
frontend  k8s-api
    bind        *:8443 #监听地址
    bind        *:443
    mode        tcp
    option      tcplog
    default_backend k8s-api
backend k8s-api
    mode        tcp
    option      tcplog
    option      tcp-check
    balance     roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server k8s-api-1 192.168.0.101:6443 check
    server k8s-api-2 192.168.0.102:6443 check

  1.2启动

systemctl start haproxy
systemctl enable haproxy
systemctl status haproxy

2.keepalived

  2.1安装和配置如下

[root@k8s-master1 ~]# yum install -y keepalived

[root@k8s-master1 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id k8s-master1 #唯一标识,主机名即可
}

vrrp_instance VI_1 {
    state MASTER #master2为BACKUP
    interface ens32
    virtual_router_id 51
    priority 100 #master2为50
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.100/24
    }
}

  2.2启动

systemctl start keepalived
systemctl enable keepalived
systemctl status keepalived

3.验证

  在master1节点上执行以下命令,有输出则表示启动成功,0.100为VIP地址。

[root@k8s-master1 ~]# ip addr | grep 0.100
    inet 192.168.0.100/24 scope global secondary ens32

三、集群搭建

  说明:相关执行脚本和文件都放在/root/k8s目录下,提前在每个节点创建好该目录

1.创建相应目录

  1.1管理节点用

[root@master mkdir]# vim mkdir_master.sh
#!/bin/bash
mkdir /opt/etcd/{bin,data,cfg,ssl} -p
mkdir /opt/kubernetes/{bin,cfg,ssl,logs}  -p
mkdir /opt/kubernetes/logs/{kubelet,kube-proxy,kube-scheduler,kube-apiserver,kube-controller-manager} -p

echo export PATH=$PATH:/opt/kubernetes/bin >> /etc/profile
echo export PATH=$PATH:/opt/etcd/bin >> /etc/profile
source /etc/profile

  1.2工作节点用

[root@master mkdir]# vim mkdir_node.sh
#!/bin/bash
mkdir /opt/kubernetes/{bin,cfg,ssl,logs}  -p
mkdir /opt/kubernetes/logs/{kubelet,kube-proxy} -p

echo export PATH=$PATH:/opt/kubernetes/bin >> /etc/profile
source /etc/profile

  1.3发送脚本到相应远程k8s主机

[root@master mkdir]# ls
mkdir_master.sh  mkdir_node.sh
[root@master mkdir]# cd ..
[root@master k8s]# ls
install_docker.sh  mkdir
[root@master k8s]# for i in 1 2; do scp -r mkdir/ k8s-master$i:/root/k8s/; done
[root@master k8s]# for i in 1 2; do scp -r mkdir/ k8s-node$i:/root/k8s/; done

  1.4在所有k8s主机上执行该脚本

[root@k8s-master1 mkdir]# bash mkdir_master.sh
[root@k8s-master2 mkdir]# bash mkdir_master.sh
[root@k8s-node1 mkdir]# bash mkdir_node.sh
[root@k8s-node2 mkdir]# bash mkdir_node.sh

2.生成证书

  2.1脚本内容如下

[root@master ssl]# vim certificate.sh
#!/bin/bash

command_exists() {
    command -v "$@" > /dev/null 2>&1
}

if command_exists cfssl; then
    echo "命令已存在"
else
    # 下载生成证书命令
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

    # 添加执行权限
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

    # 移动到 /usr/local/bin 目录下
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
fi

#配置文件,默认签 10cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

#颁发者信息 CN - 一般名词,O - 组织 , OU组织单位,
cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
#颁发给组织信息
#包含master节点、node节点、VIP、coredns等,可以多些几个节点IP方便后续扩展用
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "192.168.0.101",
      "192.168.0.102",
      "192.168.0.111",
      "192.168.0.112","192.168.0.100",
      "10.96.0.1",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------
#颁发给管理员管理集群
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------
#颁发给proxy
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

#-----------------------
#查看证书有效期
for item in $(ls *.pem |grep -v key) ;do echo ======================$item===================;openssl x509 -in $item -text -noout| grep Not;done

  2.2执行脚本

[root@master ssl]# bash certificate.sh
......
======================admin.pem===================
            Not Before: Jan 10 04:30:00 2021 GMT
            Not After : Jan  8 04:30:00 2031 GMT
======================ca.pem===================
            Not Before: Jan 10 04:30:00 2021 GMT
            Not After : Jan  9 04:30:00 2026 GMT
======================kube-proxy.pem===================
            Not Before: Jan 10 04:30:00 2021 GMT
            Not After : Jan  8 04:30:00 2031 GMT
======================server.pem===================
            Not Before: Jan 10 04:30:00 2021 GMT
            Not After : Jan  8 04:30:00 2031 GMT

  2.3将证书发送到相应节点

etcd集群的
[root@master ssl]# for i in 1 2; do scp ca.pem server.pem server-key.pem k8s-master$i:/opt/etcd/ssl; done

k8s集群的
[root@master ssl]# for i in 1 2; do scp *.pem k8s-master$i:/opt/kubernetes/ssl; done
[root@master ssl]# for i in 1 2; do scp *.pem k8s-node$i:/opt/kubernetes/ssl; done

3.安装etcd集群

  3.1下载etcd二进制包,解压,并发送到各管理节点

[root@master src]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.14/etcd-v3.4.14-linux-amd64.tar.gz
[root@master src]# cd etcd-v3.4.14-linux-amd64/
[root@master etcd-v3.4.14-linux-amd64]# for i in 1 2; do scp etcd etcdctl k8s-master$i:/opt/etcd/bin; done

  3.2启动etcd

  启动脚本内容如下

[root@master k8s]# vim etcd.sh
#!/bin/bash
# example: bash etcd.sh etcd01 192.168.0.101 etcd01=https://192.168.0.101:2380,etcd02=https://192.168.0.102:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

ETCD_VERSION=3.4.14

cat <<EOF >/opt/etcd/cfg/etcd.yml
#etcd ${ETCD_VERSION}
name: ${ETCD_NAME}
data-dir: /opt/etcd/data
listen-peer-urls: https://${ETCD_IP}:2380
listen-client-urls: https://${ETCD_IP}:2379,https://127.0.0.1:2379

advertise-client-urls: https://${ETCD_IP}:2379
initial-advertise-peer-urls: https://${ETCD_IP}:2380
initial-cluster: ${ETCD_CLUSTER}
initial-cluster-token: etcd-cluster
initial-cluster-state: new
enable-v2: true

client-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false

peer-transport-security:
  cert-file: /opt/etcd/ssl/server.pem
  key-file: /opt/etcd/ssl/server-key.pem
  client-cert-auth: false
  trusted-ca-file: /opt/etcd/ssl/ca.pem
  auto-tls: false

debug: false
logger: zap
log-outputs: [stderr]
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
Conflicts=etcd.service
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
LimitNOFILE=65536
Restart=on-failure
RestartSec=5s
TimeoutStartSec=0
ExecStart=/opt/etcd/bin/etcd --config-file=/opt/etcd/cfg/etcd.yml

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

  发送启动脚本到各管理节点

[root@master k8s]# for i in 1 2; do scp etcd.sh k8s-master$i:/root/k8s; done

  在各管理节点执行启动脚本

[root@k8s-master1 k8s]# bash etcd.sh etcd01 192.168.0.101 etcd01=https://192.168.0.101:2380,etcd02=https://192.168.0.102:2380 
[root@k8s-master2 k8s]# bash etcd.sh etcd02 192.168.0.102 etcd01=https://192.168.0.101:2380,etcd02=https://192.168.0.102:2380 

说明:在etcd01执行后会卡住,这时是在等待其他节点加入,此时接着启动etcd02即可

  验证集群是否健康

[root@k8s-master1 k8s]# etcdctl --write-out="table" --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints=https://192.168.0.101:2379,https://192.168.0.102:2379 endpoint health       
+----------------------------+--------+-------------+-------+
|          ENDPOINT          | HEALTH |    TOOK     | ERROR |
+----------------------------+--------+-------------+-------+
| https://192.168.0.101:2379 |   true | 10.305523ms |       |
| https://192.168.0.102:2379 |   true | 12.624803ms |       |
+----------------------------+--------+-------------+-------+

  查看集群成员

[root@k8s-master1 k8s]# etcdctl --write-out="table" --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints=https://192.168.0.101:2379,https://192.168.0.102:2379 member list
+------------------+---------+--------+----------------------------+----------------------------+------------+
|        ID        | STATUS  |  NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |
+------------------+---------+--------+----------------------------+----------------------------+------------+
|  aeed280fbd4b48b | started | etcd01 | https://192.168.0.101:2380 | https://192.168.0.101:2379 |      false |
| 1e149427bfba9593 | started | etcd02 | https://192.168.0.102:2380 | https://192.168.0.102:2379 |      false |
+------------------+---------+--------+----------------------------+----------------------------+------------+

4.master管理节点部署

  4.1下载kubernetes二进制包,解压,并将相应组件发送到各节点

[root@master src]# wget https://dl.k8s.io/v1.18.14/kubernetes-server-linux-amd64.tar.gz
#管理节点
[root@master bin]# for i in 1 2; do scp kube-apiserver kube-scheduler kube-controller-manager kubectl k8s-master$i:/opt/kubernetes/bin/; done
#工作节点
[root@master bin]# for i in 1 2; do scp kubelet kube-proxy k8s-node$i:/opt/kubernetes/bin/; done

  4.2生成kubeconfig文件

  创建token文件

[root@master kubeconfig]# head -c 16 /dev/urandom | od -An -t x | tr -d  
8e72984386f2ab78f0b769bb66d75b98
[root@master kubeconfig]# cat token.csv 
8e72984386f2ab78f0b769bb66d75b98,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

  脚本内容如下

[root@master kubeconfig]# vim kubeconfig.sh
#!/bin/bash

# TLS Bootstrapping Token
BOOTSTRAP_TOKEN=8e72984386f2ab78f0b769bb66d75b98

APISERVER=$1
SSL_DIR=$2

export KUBE_APISERVER="https://${APISERVER}:8443"

#----------------------

# 创建kubelet bootstrapping kubeconfig
# 设置集群参数
kubectl config set-cluster kubernetes   --certificate-authority=${SSL_DIR}/ca.pem   --embed-certs=true   --server=${KUBE_APISERVER}   --kubeconfig=bootstrap.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap   --token=${BOOTSTRAP_TOKEN}   --kubeconfig=bootstrap.kubeconfig

# 设置上下文参数
kubectl config set-context default   --cluster=kubernetes   --user=kubelet-bootstrap   --kubeconfig=bootstrap.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------

# 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes   --certificate-authority=${SSL_DIR}/ca.pem   --embed-certs=true   --server=${KUBE_APISERVER}   --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy   --client-certificate=${SSL_DIR}/kube-proxy.pem   --client-key=${SSL_DIR}/kube-proxy-key.pem   --embed-certs=true   --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default   --cluster=kubernetes   --user=kube-proxy   --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

#----------------------

# 创建 admin kubeconfig文件
kubectl config set-cluster kubernetes   --certificate-authority=${SSL_DIR}/ca.pem   --embed-certs=true   --server=${KUBE_APISERVER}   --kubeconfig=admin.kubeconfig

kubectl config set-credentials admin   --client-certificate=${SSL_DIR}/admin.pem   --client-key=${SSL_DIR}/admin-key.pem   --embed-certs=true   --kubeconfig=admin.kubeconfig

kubectl config set-context default   --cluster=kubernetes   --user=admin   --kubeconfig=admin.kubeconfig

kubectl config use-context default --kubeconfig=admin.kubeconfig

  注意:设置kube-apiserver访问地址, 因为需要对kube-apiserver配置高可用集群, 这里设置apiserver浮动IP, KUBE_APISERVER=浮动IP,端口为8443

  发送token.csv文件和执行脚本到各管理节点

[root@master k8s]# for i in 1 2; do scp -r kubeconfig k8s-master$i:/root/k8s/; done

  在各管理节点上执行脚本,192.168.0.100为VIP,/opt/kubernetes/ssl为证书路径

[root@k8s-master1 kubeconfig]# bash kubeconfig.sh 192.168.0.100 /opt/kubernetes/ssl
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "admin" set.
Context "default" created.
Switched to context "default".
[root@k8s-master1 kubeconfig]# ls
admin.kubeconfig  bootstrap.kubeconfig  kubeconfig.sh  kube-proxy.kubeconfig  token.csv
[root@k8s-master1 kubeconfig]# cp token.csv *config /opt/kubernetes/cfg/

[root@k8s-master2 kubeconfig]# bash kubeconfig.sh 192.168.0.100 /opt/kubernetes/ssl
[root@k8s-master2 kubeconfig]# ls
admin.kubeconfig  bootstrap.kubeconfig  kubeconfig.sh  kube-proxy.kubeconfig  token.csv
[root@k8s-master2 kubeconfig]# cp token.csv *config /opt/kubernetes/cfg/

  发送配置文件到各工作节点

[root@k8s-master1 kubeconfig]# for i in 111 112; do scp token.csv *config 192.168.0.$i:/opt/kubernetes/cfg/; done

  4.3启动各组件

  4.3.1各组件启动脚本内容如下

  kube-apiserver

[root@master master]# vim apiserver.sh
#!/bin/bash

MASTER_ADDRESS=$1
ETCD_SERVERS=$2

cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \--log-dir=/opt/kubernetes/logs/kube-apiserver \--etcd-servers=${ETCD_SERVERS} \--bind-address=0.0.0.0 \--secure-port=6443 \--advertise-address=${MASTER_ADDRESS} \--allow-privileged=true \--service-cluster-ip-range=10.96.0.0/12 \--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction \--authorization-mode=RBAC,Node \--kubelet-https=true \--enable-bootstrap-token-auth=true \--token-auth-file=/opt/kubernetes/cfg/token.csv \--service-node-port-range=30000-50000 \--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \--tls-cert-file=/opt/kubernetes/ssl/server.pem  \--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \--client-ca-file=/opt/kubernetes/ssl/ca.pem \--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \--etcd-cafile=/opt/etcd/ssl/ca.pem \--etcd-certfile=/opt/etcd/ssl/server.pem \--etcd-keyfile=/opt/etcd/ssl/server-key.pem \--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \--requestheader-extra-headers-prefix=X-Remote-Extra- \--requestheader-group-headers=X-Remote-Group \--requestheader-username-headers=X-Remote-User \--runtime-config=api/all=true \--audit-log-maxage=30 \--audit-log-maxbackup=3 \--audit-log-maxsize=100 \--audit-log-truncate-enabled=true \--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserve

   kube-scheduler

[root@master master]# vim scheduler.sh
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \--log-dir=/opt/kubernetes/logs/kube-scheduler \--master=${MASTER_ADDRESS}:8080 \--address=0.0.0.0 \--leader-elect"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler

  kube-controller-manager

[root@master master]# vim controller-manager.sh 
#!/bin/bash

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \--log-dir=/opt/kubernetes/logs/kube-controller-manager \--master=${MASTER_ADDRESS}:8080 \--leader-elect=true \--bind-address=0.0.0.0 \--service-cluster-ip-range=10.96.0.0/12 \--cluster-name=kubernetes \--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \--experimental-cluster-signing-duration=87600h0m0s \--feature-gates=RotateKubeletServerCertificate=true \--feature-gates=RotateKubeletClientCertificate=true \--allocate-node-cidrs=true \--cluster-cidr=10.244.0.0/16 \--root-ca-file=/opt/kubernetes/ssl/ca.pem"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

  4.3.2发送脚本到各管理节点

[root@master k8s]# for i in 1 2; do scp -r master k8s-master$i:/root/k8s/; done

  4.3.3在各管理节点执行启动脚本,apiserver参数为节点IP和etcd集群地址

#管理节点1
cd /root/k8s/master
[root@k8s-master1 master]# bash apiserver.sh 192.168.0.101 https://192.168.0.101:2379,https://192.168.0.102:2379
[root@k8s-master1 master]# bash scheduler.sh 127.0.0.1
[root@k8s-master1 master]# bash controller-manager.sh 127.0.0.1
#管理节点2
cd /root/k8s/master
[root@k8s-master2 master]# bash apiserver.sh 192.168.0.102 https://192.168.0.101:2379,https://192.168.0.102:2379
[root@k8s-master2 master]# bash scheduler.sh 127.0.0.1
[root@k8s-master2 master]# bash controller-manager.sh 127.0.0.1

  4.3.4查看各组件状态

#管理节点1
[root@k8s-master1 master]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-0               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}
#管理节点2
[root@k8s-master2 master]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}

  输出以上结果表示各组件正常运行。

5.node工作节点部署

  5.1将kubelet-bootstrap用户绑定到系统集群角色

  节点 kubelet 启动时自动创建 CSR 请求,将kubelet-bootstrap用户绑定到系统集群角色 ,这个是为了颁发证书用的权限。

  Master apiserver启用TLS认证后,Node节点kubelet组件想要加入集群,必须使用CA签发的有效证书才能与 apiserver通信,当Node节点很多时,签署证书是一件很繁琐的事情,因此有了TLS Bootstrapping机制,kubelet 会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。

  在任意一台管理节点上执行以下命令

[root@k8s-master1 ~]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

  5.2启动各组件

  5.2.1各组件启动脚本内容如下

  kubelet

[root@master node]# vim kubelet.sh
#!/bin/bash

NODE_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \\
--v=2 \--log-dir=/opt/kubernetes/logs/kubelet \--hostname-override=${NODE_ADDRESS} \--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \--config=/opt/kubernetes/cfg/kubelet.config \--cert-dir=/opt/kubernetes/ssl \--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF

cat <<EOF >/opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
  - 10.96.0.10
clusterDomain: cluster.local.
failSwapOn: false

# 身份验证
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem

# 授权
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s

# Node 资源保留
evictionHard:
  imagefs.available: 15%
  memory.available: 300Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s

# 镜像删除策略
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s

# 旋转证书
rotateCertificates: true # 旋转kubelet client 证书
featureGates:
  RotateKubeletServerCertificate: true
  RotateKubeletClientCertificate: true

maxOpenFiles: 1000000
maxPods: 110
EOF

cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet

  kube-proxy

[root@master node]# vim kube-proxy.sh
#!/bin/bash

NODE_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-proxy.conf
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \--log-dir=/opt/kubernetes/logs/kube-proxy \--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF

cat <<EOF >/opt/kubernetes/cfg/kube-proxy-config.yml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
address: 0.0.0.0 
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig 
hostnameOverride: ${NODE_ADDRESS} 
clusterCIDR: 10.244.0.0/16
mode: iptables 
EOF

cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy

  5.2.2发送脚本到各工作节点

[root@master k8s]# for i in 1 2; do scp -r node k8s-node$i:/root/k8s/; done

  5.2.3在各工作节点执行启动脚本

#工作节点1
cd /root/k8s/node
[root@k8s-node1 node]# bash kubelet.sh 192.168.0.111
[root@k8s-node1 node]# bash kube-proxy.sh 192.168.0.111
#工作节点2
cd /root/k8s/node
[root@k8s-node2 node]# bash kubelet.sh 192.168.0.112
[root@k8s-node2 node]# bash kube-proxy.sh 192.168.0.112

  5.2.4在master节点手动审批

  kubelet启动后还没加入到集群中,需要手动允许该节点才可以。

 

二进制部署k8s 1.18.14(高可用)

原文:https://www.cnblogs.com/zlw-xyz/p/14237897.html
(0)
(0)
   
举报
评论 一句话评论(0
分享档案
更多>
2021年09月23日 (328)
2021年09月24日 (313)
2021年09月17日 (191)
2021年09月15日 (369)
2021年09月16日 (411)
2021年09月13日 (439)
2021年09月11日 (398)
2021年09月12日 (393)
2021年09月10日 (160)
2021年09月08日 (222)
最新文章
更多>
教程昨日排行
更多>
友情链接
汇智网   PHP教程   插件网  
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!