Kubernetes Study Notes 1: Building a Kubernetes Cluster, etcd Installation and Deployment

Contents

1. Software versions and environment

2. Server information (referred to below by hostname)

3. etcd installation and deployment

3.1 Installing cfssl

3.2 Creating the etcd certificate directories

3.3 etcd CA configuration

3.4 etcd CA certificate request

3.5 etcd server certificate request

3.6 Generating the etcd CA certificate and private key (initializing the CA)

3.7 Generating the server certificate

3.8 Distributing the certificates and keys

3.9 Installing etcd (run this step on all three machines; only the main config file differs, everything else is identical)

3.10 Starting etcd

3.11 Service check


1. Software versions and environment

Software / OS        Version
OS                   CentOS 7.6
kubernetes-client    v1.13.1
kubernetes-server    v1.13.1
kubernetes-node      v1.13.1
etcd                 v3.3.10
flannel              v0.10.0

2. Server information (referred to below by hostname)

Server IP / hostname          Role
192.168.10.200/k8s-master1    etcd, kube-apiserver, kube-controller-manager, kube-scheduler
192.168.10.201/k8s-node1      etcd, kubelet, docker, kube-proxy
192.168.10.202/k8s-node2      etcd, kubelet, docker, kube-proxy

3. etcd installation and deployment

3.1 Installing cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

3.2 Creating the etcd certificate directories

mkdir /k8s/etcd/{bin,cfg,ssl} -p
mkdir /k8s/kubernetes/{bin,cfg,ssl} -p
cd /k8s/etcd/ssl/

3.3 etcd CA configuration

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

3.4 etcd CA certificate request

cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

3.5 etcd server certificate request

cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "127.0.0.1",
    "192.168.10.200",
    "192.168.10.201",
    "192.168.10.202"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

3.6 Generating the etcd CA certificate and private key (initializing the CA)

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

3.7 Generating the server certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server

3.8 Distributing the certificates and keys

Once the steps above have been run on k8s-master1, the directory /k8s/etcd/ssl/ contains the six files shown in the figure below, i.e. the files ending in .csr and .pem. Copy these six files to the same directory on k8s-node1 and k8s-node2 (you need to create the directory there yourself).

[Figure 1: contents of /k8s/etcd/ssl/ after the certificates have been generated]

3.9 Installing etcd (run this step on all three machines; only the main config file differs, everything else is identical)

Unpack the archive

tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64/
cp etcd etcdctl /k8s/etcd/bin/

Configure the main etcd config file (configuration for k8s-master1)

vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.200:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.200:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.200:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.200:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

Configure the main etcd config file (configuration for k8s-node1)

vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.201:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.201:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.201:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.201:2379"
ETCD_INITIAL_CLUSTER="etcd02=https://192.168.10.201:2380,etcd01=https://192.168.10.200:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

Configure the main etcd config file (configuration for k8s-node2)

vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.202:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.202:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.202:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.202:2379"
ETCD_INITIAL_CLUSTER="etcd03=https://192.168.10.202:2380,etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

Configure the etcd startup (systemd unit) file

mkdir /data1/etcd
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data1/etcd/
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" --client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" --peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
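The three etcd.conf files above differ only in ETCD_NAME and IP address, and the server certificate requested in 3.5 must list every IP that appears in them, otherwise the TLS handshake fails with an x509 name mismatch. As an added example (not part of the original post), the following Python script cross-checks those files before `systemctl start etcd`: it parses the KEY="value" layout, confirms each node's ETCD_NAME matches its own entry in a shared ETCD_INITIAL_CLUSTER, confirms every https host is covered by the hosts list from server-csr.json, requires both client-cert-auth settings to be true, and flags the plaintext http://127.0.0.1:2379 listener, which no client certificate check protects. The sample configs are constructed from the values used in this post; `make_conf`, `parse_env` and `check_cluster` are names chosen here.

```python
import re
from urllib.parse import urlparse
# Constructed input: the three members and the server-csr.json hosts used in this post.
MEMBERS = {"etcd01": "192.168.10.200", "etcd02": "192.168.10.201", "etcd03": "192.168.10.202"}
CSR_HOSTS = ["127.0.0.1", "192.168.10.200", "192.168.10.201", "192.168.10.202"]
INITIAL_CLUSTER = ",".join(f"{n}=https://{ip}:2380" for n, ip in MEMBERS.items())
URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")

def make_conf(name, ip, cluster=INITIAL_CLUSTER):
    """Render one node's etcd.conf in the KEY="value" layout shown above (constructed sample)."""
    return (f'ETCD_NAME="{name}"\nETCD_LISTEN_PEER_URLS="https://{ip}:2380"\n'
            f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379,http://127.0.0.1:2379"\n'
            f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"\n'
            f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"\nETCD_INITIAL_CLUSTER="{cluster}"\n'
            'ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"\nETCD_CLIENT_CERT_AUTH="true"\n'
            'ETCD_PEER_CLIENT_CERT_AUTH="true"\n')

def parse_env(text):
    """Parse KEY="value" lines the way systemd's EnvironmentFile does; comments and blanks are skipped."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)="?([^"]*)"?\s*$', line)
        if m:
            env[m.group(1)] = m.group(2)
    return env

def check_cluster(confs, csr_hosts):
    """Return (errors, warnings): errors stop the cluster forming or break TLS, warnings are exposure."""
    errors, warnings = [], []
    envs = {node: parse_env(text) for node, text in confs.items()}
    # Every node must agree on the member list (order may differ, as it does in the post's three files).
    if len({frozenset(e.get("ETCD_INITIAL_CLUSTER", "").split(",")) for e in envs.values()}) != 1:
        errors.append("ETCD_INITIAL_CLUSTER member lists differ between nodes")
    for node, env in envs.items():
        members = dict(m.split("=", 1) for m in env.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in m)
        # The node's own name must map to the peer URL it advertises, or it is rejected when it joins.
        if members.get(env.get("ETCD_NAME")) != env.get("ETCD_INITIAL_ADVERTISE_PEER_URLS"):
            errors.append(f"{node}: ETCD_NAME and ETCD_INITIAL_ADVERTISE_PEER_URLS do not match the cluster entry")
        for key in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
            if env.get(key) != "true":
                errors.append(f"{node}: {key} is not true, so TLS clients are not authenticated")
        urls = [u for k in URL_KEYS for u in env.get(k, "").split(",") if u] + list(members.values())
        for url in urls:
            parsed = urlparse(url)
            if parsed.scheme == "http":  # plaintext port: no TLS, so the client-cert requirement never applies
                warnings.append(f"{node}: plaintext listener {url} is reachable without a client certificate")
            elif parsed.hostname not in csr_hosts:  # TLS would fail with an x509 SAN mismatch on this address
                errors.append(f"{node}: {parsed.hostname} is not in the server-csr.json hosts list")
    return errors, warnings
```

Run it against the real files by reading each node's /k8s/etcd/cfg/etcd.conf into the `confs` dict and loading `hosts` from server-csr.json with `json.load`.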

3.10 Starting etcd

# The following three commands can be run on all three machines at once with a tool such as Xshell (search online for how)
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

3.11 Service check

/k8s/etcd/bin/etcdctl --ca-file=/k8s/etcd/ssl/ca.pem --cert-file=/k8s/etcd/ssl/server.pem --key-file=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.10.200:2379,https://192.168.10.201:2379,https://192.168.10.202:2379" cluster-health

Output like that shown in the figure above means etcd has been installed and deployed successfully.

Note that starting etcd may fail with the error: publish error: etcdserver: request timed out. This is probably caused by the firewall; stopping the firewall on all three servers resolves it. Command: systemctl stop firewalld

For security reasons, however, it is better to add the ports etcd uses to the firewall policy instead. Run the following commands:

firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload

Reference: https://www.kubernetes.org.cn/5025.html
