ITOO系统-K8s部署(一)

00-集群规划和基础参数设定.md

在每个节点安装依赖工具

Ubuntu 16.04 执行以下脚本:

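# All scripts in this document are run as root unless stated otherwise
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y
# Install python2 (-y keeps the install non-interactive, like the upgrade
# commands above; without it apt-get waits for confirmation when scripted)
apt-get install -y python2.7
# Ubuntu 16.04 may need this symlink (ansible modules expect a `python` binary).
# Create it only when nothing is already at /usr/bin/python, so an existing
# interpreter or distro-managed alternative is not replaced and ln does not fail.
[ -e /usr/bin/python ] || ln -s /usr/bin/python2.7 /usr/bin/python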

在deploy节点安装及准备ansible

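# Ubuntu 16.04
apt-get install git python-pip -y
# CentOS 7
yum install git python-pip -y
# Install ansible with pip (use the Aliyun PyPI mirror if the default index is too slow from China)
#pip install pip --upgrade
#pip install ansible
# Use the mirror over HTTPS so certificate verification stays on. The original
# http:// index combined with --trusted-host disabled TLS checking entirely,
# which lets anyone on the network path substitute the packages that end up
# running as root on the deploy node.
pip install pip --upgrade -i https://mirrors.aliyun.com/pypi/simple/
pip install --no-cache-dir ansible -i https://mirrors.aliyun.com/pypi/simple/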

在deploy节点配置免密码登陆

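# Generate the deploy node's key pair non-interactively; this is what pressing
# Enter three times does (default path, empty passphrase). The private key is
# stored unencrypted, so access to the deploy node is effectively root access
# to every cluster node — restrict logins to it accordingly.
ssh-keygen -t rsa -b 2048 -N '' -f ~/.ssh/id_rsa
# $IPs holds the addresses of all nodes including this one (space-separated);
# answer "yes" to the host-key prompt and enter the root password when asked.
# ssh-copy-id takes one host per call, so iterate over the list.
for ip in $IPs; do
  ssh-copy-id "$ip"
done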

在deploy节点编排k8s安装

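# Download the project files
git clone https://github.com/gjmzj/kubeasz.git
mkdir -p /etc/ansible
mv kubeasz/* /etc/ansible
# Download the pre-built binaries and unpack them into /etc/ansible/bin
# In China, download from the Baidu cloud link https://pan.baidu.com/s/1c4RFaA
# With suitable network access you can instead fetch the tarballs from the
# official sites into ./down as described in /down/download.sh, then run download.sh
# The archive comes from a file-sharing link rather than an upstream release
# page, and its contents run as root on every node: compare its checksum with a
# value obtained through a trusted channel (e.g. the project's release notes,
# if one is published) before unpacking.
tar zxvf k8s.193.tar.gz
mv bin/* /etc/ansible/bin
# Abort if the directory is missing instead of copying/editing hosts in the wrong place
cd /etc/ansible || exit 1
cp example/hosts.m-masters.example hosts
# Edit this hosts file according to the cluster plan above
vi hosts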

验证ansible安装

# The ping module logs in over SSH and runs a trivial module on every inventory
# host; it verifies SSH access and the Python interpreter installed above, not ICMP.
ansible all -m ping

  如果配置正确,可以看到类似下面的输出,则说明 ansible 安装成功:

192.168.1.42 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
}
192.168.1.43 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
}
192.168.1.44 | SUCCESS => {
    "changed": false, 
    "failed": false, 
    "ping": "pong"
}

安装

# One-step install: runs the whole playbook as root against the inventory
# prepared above (run from /etc/ansible so ./hosts is picked up)
ansible-playbook 90.setup.yml

01-创建证书和环境配置.md

创建 CA 配置文件 ca-config.json.j2

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

创建 CA 证书签名请求ca-csr.json.j2

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

生成CA 证书和私钥

# Self-sign the CA from ca-csr.json; cfssljson -bare writes ca.pem, ca-key.pem
# and ca.csr. ca-key.pem is the trust root for every certificate below — keep it
# on the deploy node only. Note that in this pipeline a cfssl failure is masked
# by cfssljson's exit status unless `set -o pipefail` is in effect.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

生成 kubeconfig 配置文件
  kubectl 使用 ~/.kube/config 配置文件与 kube-apiserver 进行交互,且拥有管理 K8S 集群的完全权限(下面 admin 证书的 O 字段为 system:masters,该组默认绑定 cluster-admin 角色),因此先准备 kubectl 使用的 admin 证书签名请求 admin-csr.json.j2

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

生成 kube-proxy.kubeconfig 配置文件

  创建 kube-proxy 证书请求

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

安装haproxy

  配置haproxy haproxy.cfg.j2

# HAProxy template (haproxy.cfg.j2) that fronts the kube-apiserver instances;
# the {{ }} placeholders are filled in by Ansible/Jinja2 at deploy time.
global
        # Log to the local syslog socket; local1 only receives notice and above
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # Runtime admin socket: 'level admin' allows changing server state at
        # runtime, so the 660 mode (owner/group only) is the only thing limiting
        # who can use it — keep the socket out of world-readable directories.
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        # Drop privileges after start-up
        user haproxy
        group haproxy
        daemon
        nbproc 1

defaults
        log     global
        # Timeouts are in milliseconds when no unit suffix is given
        timeout connect 5000
        timeout client  50000
        timeout server  50000

listen kube-master
        # Listen on all interfaces on the port part of KUBE_APISERVER
        # (assumes KUBE_APISERVER is a URL like https://host:port, so split(':')[2] is the port).
        # NOTE(review): 0.0.0.0 also exposes the apiserver on any non-cluster
        # network the LB host is attached to — consider binding to the VIP/LB_IF address.
        bind 0.0.0.0:{{ KUBE_APISERVER.split(':')[2] }}
        # Plain TCP pass-through: TLS terminates at the apiservers, HAProxy does not inspect it
        mode tcp
        option tcplog
        # Requests from the same client IP keep going to the same master while it is up
        balance source
        # Health check every 10 s; down after 2 failures, back up after 2 successes
        server s1 {{ master1 }}  check inter 10000 fall 2 rise 2 weight 1
        server s2 {{ master2 }}  check inter 10000 fall 2 rise 2 weight 1

安装keepalived

  配置keepalived主节点 keepalived-master.conf.j2

# keepalived template for the load-balancer node that normally holds the VIP
global_defs {
    router_id lb-master
}

# Liveness probe for haproxy: 'killall -0' only tests that a haproxy process
# exists (signal 0 is never delivered); it does not check that the port answers.
vrrp_script check-haproxy {
    script "killall -0 haproxy"
    # Run the probe every 5 s
    interval 5
    # On failure the instance priority drops 120 -> 90, below the backup's 110,
    # so the VIP moves to the backup node.
    weight -30
}

vrrp_instance VI-kube-master {
    state MASTER
    priority 120
    dont_track_primary
    interface {{ LB_IF }}
    # Must be the same value as on the backup node, and unique among VRRP
    # instances on the same network segment.
    virtual_router_id {{ ROUTER_ID }}
    # Advertisement interval in seconds
    advert_int 3
    track_script {
        check-haproxy
    }
    virtual_ipaddress {
        {{ MASTER_IP }}
    }
}

  配置keepalived备节点 keepalived-backup.conf.j2

# keepalived template for the standby load-balancer node
global_defs {
    router_id lb-backup
}

# NOTE(review): unlike the master template, no vrrp_script/track_script is
# defined here, so once this node holds the VIP a haproxy failure on it will
# not trigger another failover — confirm this is intended.
vrrp_instance VI-kube-master {
    state BACKUP
    # Lower than the master's 120, but higher than its degraded 90 (120 - 30)
    priority 110
    dont_track_primary
    interface {{ LB_IF }}
    # Must match the master's ROUTER_ID
    virtual_router_id {{ ROUTER_ID }}
    advert_int 3
    virtual_ipaddress {
        {{ MASTER_IP }}
    }
}

启动 keepalived 和 haproxy 后验证

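# Check the process state
systemctl status haproxy
# Check the unit log for error messages
journalctl -u haproxy
systemctl status keepalived
journalctl -u keepalived
# Check that the TCP port is listening. `ss` (iproute2) replaces netstat, whose
# net-tools package is deprecated and not installed by default on current
# distros; -l limits the output to listening sockets and matching ':8443'
# avoids hits on PIDs or remote ports that merely contain 8443.
# The port must match the one derived from KUBE_APISERVER in haproxy.cfg.j2.
ss -lntp | grep -- ':8443'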

  
  
  
  
  
  

  
  
  
  
  
  

  
  
  
  
  
  
