一 、k8s1.12优化 二进制安装(非常方便维护)
1.12我将采用更加优化的部署方式,方便维护管理
环境规划参考:
各个组件证书依赖
1、安装证书工具:
2、etcd安装
3、flanneld 安装
4、docker配置
5、配置k8s组件证书
6、安装master组件
7、安装node组件
8 增加节点
1、安装证书工具:
cd /opt/ssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x *
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2、etcd安装
采用最新的etcd安装包
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
cp etcd-v3.3.10-linux-amd64/etcd* /opt/etcd/bin
之前装过的需要将/var/lib/etcd删掉,不然会报错。
配置etcd证书:
[root@k8s-master01 ssl]# cat etcd-cert.sh
cat > ca-config.json < ca-csr.json < server-csr.json < 运行该脚本,然后将ca和server相关的pem拷贝到指定路径
cp ca*.pem /opt/etcd/ssl/
cp server*.pem /opt/etcd/ssl/
编写安装脚本:
vim etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
cat <$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat </usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
运行脚本:
chmod +x etcd.sh
./etcd.sh etcd01 192.168.1.6 etcd02=https://192.168.1.7:2380,etcd03=https://192.168.1.8:2380
检测:
ps aux |grep ecd
分发文件到另外2个节点:
scp -r etcd 192.168.1.7:/opt/
scp -r etcd 192.168.1.8:/opt/
scp /usr/lib/systemd/system/etcd.service 192.168.1.7:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service 192.168.1.8:/usr/lib/systemd/system/
将/opt/etcd/cfg/etcd配置文件修改成对应的ip,ETCD_NAME改成对应的名字,不懂的参考1.10.7安装etcd
将节点的etcd启动:
systemctl enable etcd
systemctl start etcd
检测etcd健康:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" cluster-health
如果健康检测通过了,但是systemctl status etcd出现了证书相关的问题,不用理会,例如:
3、flanneld 安装
我们先在master上面操作,即192.168.1.6
下载二进制包:
此处我们用的比较新的0.10版本
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
将解压后得到的可执行文件放入我们之定义的路径下面
cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/
分配自网段:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
测试:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" get /coreos.com/network/config
配置flannel文件
[root@k8s-master01 shell]# cat flannel.sh
#!/bin/bash
# ./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat </opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat </usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
cat </usr/lib/systemd/system/dockerd.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart dockerd
运行该脚本:
后面参数是etcd集群地址
./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
启动:
systemctl enable flanneld
systemctl start flanneld
测试flanneld:
cat /run/flannel/subnet.env
systemctl status flanneld.service
然后将文件分发下去,其他节点也装上flannel,不用做任何变动:
scp -r /opt/kubernetes 192.168.1.6:/opt/
scp -r /opt/kubernetes 192.168.1.7:/opt/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.6:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.7:/usr/lib/systemd/system/
4、docker配置
docker和1.10.7一样,这一块没有变动
cat </usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl restart docker
查看ifconfig 中 会出现一个flannel 网络,并且flannel和docker0 网络段会相同
查看docker进程可以检测:
[root@k8s-master01 shell]# ps -ef |grep docker
root 8548 1 0 11:59 ? 00:00:31 /usr/bin/dockerd --bip=172.17.56.1/24 --ip-masq=false --mtu=1450
root 8555 8548 0 11:59 ? 00:00:51 docker-containerd --config /var/run/docker/containerd/containerd.toml
root 22005 7466 0 15:02 pts/1 00:00:00 grep --color=auto docker
所有节点都进行此操作
5、配置k8s组件证书
生成证书脚本:
[root@k8s-master01 k8s-crt]# cat k8s-cert.sh
cat > ca-config.json < ca-csr.json < server-csr.json < admin-csr.json < kube-proxy-csr.json < 运行该脚本会生成一堆证书,我们可以将需要的证书放置指定路径,其中的ip是我们需要的各个与k8s相关的脚本
sh k8s-cert.sh
[root@k8s-master01 k8s-crt]# ls
admin.csr admin-key.pem ca-config.json ca-csr.json ca.pem kube-proxy.csr kube-proxy-key.pem server.csr server-key.pem
admin-csr.json admin.pem ca.csr ca-key.pem k8s-cert.sh kube-proxy-csr.json kube-proxy.pem server-csr.json server.pem
拷贝证书到指定路径
cp *.pem /opt/kubernetes/ssl
6、安装master组件
下载最新包:
wget https://storage.googleapis.com/kubernetes-release/release/v1.12.1/kubernetes-server-linux-amd64.tar.gz
tar xvf kubernetes-server-linux-amd64.tar.gz
将需要的包拷贝到指定路径:
cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
生成k8s需要的token
[root@k8s-master01 shell]# cat token.sh
token=$(head -c 10 /dev/urandom |od -An -t x|tr -d ' ')
cat </opt/kubernetes/cfg/token.csv
${token},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
运行该脚本会在/opt/kubernetes/cfg/ 生产一个token文件
配置kube-apiserver
[root@k8s-master01 shell]# cat apiserver.sh
#!/bin/bash
#./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
MASTER_ADDRESS=$1
ETCD_SERVERS=$2
cat </opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat </usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
运行该脚本:
./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
其中第一个参数代表本机ip,第二个代表etcd ip组
检测:systemctl status kube-apiserver
配置kube-controller-manager
[root@k8s-master01 shell]# cat controller-manager.sh
#!/bin/bash
#./controller-manager.sh 127.0.0.1
MASTER_ADDRESS=$1
cat </opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat </usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
运行该脚本:
./controller-manager.sh 127.0.0.1
检测:systemctl status kube-controller-manager.service
配置:kube-scheduler
[root@k8s-master01 shell]# cat scheduler.sh
#!/bin/bash
#./scheduler.sh 127.0.0.1
MASTER_ADDRESS=$1
cat </opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"
EOF
cat </usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
执行该脚本:
./scheduler.sh 127.0.0.1
检测:
systemctl status kube-scheduler.service
netstat -lnp |grep 8080
7、安装node组件
a、首先我们在master上面创建用户认证:
将kubelete-bootstrap用户绑定在集群角色上
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
如果有可以先删除:
kubectl delete clusterrolebinding kubelet-bootstrap
如果有缺少对system:anonymous用户的授权,kubelet启动的时候会报错如下:
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User “system:anonymous” cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
我们还需要对 system:anonymous用户的授权,不然以后node阶节点匿名向主节点传递信息的时候会有问题:
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
将node节点需要的执行文件分发下去:
从我们解压的安装包获取相关文件
cd /root/kubernetes/server/bin
scp kubelet kube-proxy 192.168.1.7:/opt/kubernetes/bin/
scp kubelet kube-proxy 192.168.1.8:/opt/kubernetes/bin/
b、创建kubeconfig 文件
注意:这里的BOOTSTRAP_TOKEN 的值需要用我们之前生成的值,就是token.scv里面的值
[root@k8s-master01 shell]# cat kubeconfig.sh
# 创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
#cat > token.csv <执行该脚本:
./kubeconfig.sh 192.168.1.6 /opt/k8s-crt
将生成的2个配置文件分发到node节点上去
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
c、安装node组件
编辑kubelet安装脚本:
[root@k8s-node01 shell]# cat kubelet.sh
#!/bin/bash
#./kubelet.sh 192.168.1.7 10.0.0.2
NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}
cat </opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--address=${NODE_ADDRESS} \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
cat </opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
readOnlyPort: 10255
authentication:
anonymous:
enabled: true
EOF
cat </usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
运行次脚本:
./kubelet.sh 192.168.1.7 10.0.0.2
此时会在ssl下面生成一些证书相关的文件,
检测:
ps -ef |grep kubelet
安装proxy文件脚本
[root@k8s-node01 shell]# cat proxy.sh
#!/bin/bash
#./proxy.sh 192.168.1.7
NODE_ADDRESS=$1
cat </opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF
cat </usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
运行次脚本:
./proxy.sh 192.168.1.7
检测:
systemctl status kube-proxy.service
此时我们第一台node已经安装好,我们可以在master上检测是否有节点信息请求注册:
[root@k8s-master01 shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 10m system:kubelet-bootstrapPending
通过请求:
[root@k8s-master01 shell]# kubectl certificate approve node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ
此时状态已经改变:
[root@k8s-master01 shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 16m system:kubelet-bootstrap Approved,Issued
查看k8s节点:
[root@k8s-master01 shell]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.1.7 Ready 13s v1.12.1
8 增加节点:
此时我们加入另一台就显得非常简单:
首先kubelet.kubeconfig,kube-proxy.kubeconfig,这2个配置文件必须之前已经分发过来
我们加入安装脚本:
./kubelet.sh 192.168.1.8 10.0.0.2
./proxy.sh 192.168.1.8
运行脚本,然后去master :
kubectl get csr 查看节点是否自动注册过来,然后加入便可