k8s master 负载均衡
1. 服务器规划
说明:只实现master负载均衡
服务器名称 | IP | 角色 |
k8s-master1 | 192.168.1.107 | k8s-master1、etcd |
k8s-master2 | 192.168.1.108 | k8s-master2 |
k8s-node1 | 192.168.1.109 | k8s-node1 |
nginx | 192.168.1.55 | nginx负载 |
2.k8s-master1 部署
1.安装Docker
# 关闭防火墙 ufw disable && ufw status # 执行脚本安装docker curl -s https://raw.githubusercontent.com/jy1779/docker/master/install/aliyun_docker_install.sh | bash # 修改docker.server参数 LINE=$(grep -n ExecStart /lib/systemd/system/docker.service|awk -F : '{print $1}') EXECSTARTPOST='ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT' sed "$LINE a$EXECSTARTPOST" -i /lib/systemd/system/docker.service # 重新加载docker.server及重启docker服务 systemctl daemon-reload && service docker restart service docker status
2. 生成配置文件及根证书
# 添加内核参数
/etc/sysctl.d/k8s.conf
# 参数说明:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Enable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
# 执行命令,添加内核参数 cat </etc/sysctl.d/k8s.conf net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF # 使内核参数生效 sysctl -p /etc/sysctl.d/k8s.conf
# 如提示以下报错,则执行:modprobe br_netfilter
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
# 获取k8s二进制文件及配置文件
# kubernetes.git 并非官网的文件,是自定义安装k8s集群所需的文件 git clone https://code.aliyun.com/jy1779/kubernetes.git tar xf ./kubernetes/kubernetes-bins.tar.gz -C /usr/local/sbin/ && rm -f ./kubernetes/kubernetes-bins.tar.gz echo 'export PATH=$PATH:/usr/local/sbin/kubernetes-bins' >> /etc/profile && source /etc/profile
# 检测环境变量
which kubectl /usr/local/sbin/kubernetes-bins/kubectl
# 生成配置文件
cd /root/kubernetes/kubernetes-starter/ # 修改配置文件 vim config.properties #kubernetes二进制文件目录,eg: /home/michael/bin BIN_PATH=/usr/local/sbin/kubernetes-bins #当前节点ip, eg: 192.168.1.102 NODE_IP=192.168.1.107 #etcd服务集群列表, eg: http://192.168.1.102:2379 #如果已有etcd集群可以填写现有的。没有的话填写:http://${MASTER_IP}:2379 (MASTER_IP自行替换成自己的主节点ip) ETCD_ENDPOINTS=https://192.168.1.107:2379 #kubernetes主节点ip地址, eg: 192.168.1.102 MASTER_IP=192.168.1.107 # 执行脚本生成配置文件 ./gen-config.sh with-ca ====替换变量列表==== BIN_PATH=/usr/local/sbin/kubernetes-bins NODE_IP=192.168.1.107 ETCD_ENDPOINTS=https://192.168.1.107:2379 MASTER_IP=192.168.1.107 ==================== ====替换配置文件==== all-node/kube-calico.service ca/admin/admin-csr.json ca/ca-config.json ca/ca-csr.json ca/calico/calico-csr.json ca/etcd/etcd-csr.json ca/kube-proxy/kube-proxy-csr.json ca/kubernetes/kubernetes-csr.json master-node/etcd.service master-node/kube-apiserver.service master-node/kube-controller-manager.service master-node/kube-scheduler.service services/kube-dashboard.yaml services/kube-dns.yaml worker-node/10-calico.conf worker-node/kubelet.service worker-node/kube-proxy.service ================= 配置生成成功,位置: /root/kubernetes/kubernetes-starter/target
# 安装cfssl
wget -q --show-progress --https-only --timestamping \ https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 # 修改为可执行权限 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 # 移动到bin目录 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson # 验证 cfssl version
# 生成根证书
# 创建目录存放ca证书
mkdir -p /etc/kubernetes/ca # 提示:ca-config.json、ca-csr.json事先已经准备好,可修改,也可以自己生成 # 复制ca文件 cp ~/kubernetes/kubernetes-starter/target/ca/ca-config.json /etc/kubernetes/ca cp ~/kubernetes/kubernetes-starter/target/ca/ca-csr.json /etc/kubernetes/ca # 生成证书和密钥 cd /etc/kubernetes/ca cfssl gencert -initca ca-csr.json | cfssljson -bare ca # 查看证书和密钥 ls ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
3. 部署Etcd
etcd节点需要提供给其他服务访问,就要验证其他服务的身份,所以需要一个标识自己监听服务的server证书,当有多个etcd节点的时候也需要client证书与etcd集群其他节点交互,当然也可以client和server使用同一个证书因为它们本质上没有区别。
# 创建存放etcd证书的目录
mkdir -p /etc/kubernetes/ca/etcd # 复制etcd证书配置 cp ~/kubernetes/kubernetes-starter/target/ca/etcd/etcd-csr.json /etc/kubernetes/ca/etcd/ cd /etc/kubernetes/ca/etcd/ # 修改etcd-csr.json配置文件 { "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.1.107", "192.168.1.108", #添加k8s-master2的IP "192.168.1.55" #添加nginx负载均衡的IP ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Beijing", "L": "XS", "O": "k8s", "OU": "System" } ] } # 复制etcd证书配置 cp ~/kubernetes/kubernetes-starter/target/ca/etcd/etcd-csr.json /etc/kubernetes/ca/etcd/ cd /etc/kubernetes/ca/etcd/ # 使用根证书(ca.pem)签发etcd证书 cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes etcd-csr.json | cfssljson -bare etcd # 跟之前类似生成三个文件etcd.csr是个中间证书请求文件,我们最终要的是etcd-key.pem和etcd.pem ls etcd.csr etcd-csr.json etcd-key.pem etcd.pem # 创建工作目录(保存数据的地方) mkdir -p /var/lib/etcd # 把etcd服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/etcd.service /lib/systemd/system/ # 创建etcd服务 systemctl enable etcd.service # 启动etcd服务 service etcd start # 查看服务日志,看是否有错误信息,确保服务正常 journalctl -f -u etcd.service # 测试etcd服务是否正常 ETCDCTL_API=3 etcdctl \ --endpoints=https://192.168.1.107:2379 \ --cacert=/etc/kubernetes/ca/ca.pem \ --cert=/etc/kubernetes/ca/etcd/etcd.pem \ --key=/etc/kubernetes/ca/etcd/etcd-key.pem \ endpoint health # 显示以下则为部署成功。 https://192.168.1.107:2379 is healthy: successfully committed proposal: took = 10.408412ms
4.部署APIServer
# 创建存放api证书目录 mkdir -p /etc/kubernetes/ca/kubernetes # 复制apiserver证书配置 cp ~/kubernetes/kubernetes-starter/target/ca/kubernetes/kubernetes-csr.json /etc/kubernetes/ca/kubernetes/ # 使用根证书(ca.pem)签发kubernetes证书 cd /etc/kubernetes/ca/kubernetes/ # 修改kubernetes-csr.json配置文件 { "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.1.107", "192.168.1.108", #添加k8s-master2的IP "192.168.1.55", #添加nginx负载均衡的iP "10.68.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "Beijing", "L": "XS", "O": "k8s", "OU": "System" } ] } cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes # 跟之前类似生成三个文件kubernetes.csr是个中间证书请求文件,我们最终要的是kubernetes-key.pem和kubernetes.pem ls kubernetes.csr kubernetes-csr.json kubernetes-key.pem kubernetes.pem # 生成token认证文件 # 生成随机token head -c 16 /dev/urandom | od -An -t x | tr -d ' ' head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 97e8c07dce2b2bab69cfd3162d5383c9 # 写入token.csv文件 echo "97e8c07dce2b2bab69cfd3162d5383c9,kubelet-bootstrap,10001,"system:kubelet-bootstrap"" > /etc/kubernetes/ca/kubernetes/token.csv # 把apiservice服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-apiserver.service /lib/systemd/system/ # 创建kube-apiserver服务 systemctl enable kube-apiserver.service # 启动kube-apiserver服务 service kube-apiserver start # 查看kube-apiserver日志 journalctl -f -u kube-apiserver # 默认api允许服务端口,可以修改,比如80端口,如果不修改就无法映射 cat ~/kubernetes/kubernetes-starter/target/master-node/kube-apiserver.service |grep port-range --service-node-port-range=20000-40000 \
5.部署Controller-manager
controller-manager一般与api-server在同一台机器上,所以可以使用非安全端口与api-server通讯,不需要生成证书和私钥。 # 把kube-controller-manager.service 服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-controller-manager.service /lib/systemd/system/ # 创建kube-controller-manager.service 服务 systemctl enable kube-controller-manager.service # 启动kube-controller-manager.service 服务 service kube-controller-manager start # 查看kube-controller-manager.service 日志 journalctl -f -u kube-controller-manager
6. 部署Scheduler
Scheduler一般与api-server在同一台机器上,所以可以使用非安全端口与api-server通讯,不需要生成证书和私钥。 # 把scheduler 服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-scheduler.service /lib/systemd/system/ # 创建kube-scheduler.service 服务 systemctl enable kube-scheduler.service # 启动kube-scheduler.service 服务 service kube-scheduler start # 查看kube-scheduler.service 日志 journalctl -f -u kube-scheduler
7.配置Kubectl管理
# 创建存放kubectl证书目录 mkdir -p /etc/kubernetes/ca/admin # 准备admin证书配置 - kubectl只需客户端证书,因此证书请求中 hosts 字段可以为空 # 复制kubectl证书配置 cp ~/kubernetes/kubernetes-starter/target/ca/admin/admin-csr.json /etc/kubernetes/ca/admin/ # 使用根证书(ca.pem)签发admin证书 cd /etc/kubernetes/ca/admin/ cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes admin-csr.json | cfssljson -bare admin # 我们最终要的是admin-key.pem和admin.pem ls admin.csr admin-csr.json admin-key.pem admin.pem # 配置kubectl文件 # 指定apiserver的地址和证书位置 kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ca/ca.pem \ --embed-certs=true \ --server=https://192.168.1.107:6443 # 设置客户端认证参数,指定admin证书和秘钥 kubectl config set-credentials admin \ --client-certificate=/etc/kubernetes/ca/admin/admin.pem \ --embed-certs=true \ --client-key=/etc/kubernetes/ca/admin/admin-key.pem # 关联用户和集群 kubectl config set-context kubernetes \ --cluster=kubernetes --user=admin # 设置当前上下文 kubectl config use-context kubernetes # 设置结果就是一个配置文件,可以看看内容 cat ~/.kube/config # 验证master组件 root@k8s-master1:/etc/kubernetes/ca/calico# kubectl get cs NAME STATUS MESSAGE ERROR etcd-0 Healthy {"health": "true"} controller-manager Healthy ok scheduler Healthy ok # 创建kubelet-bootstrap绑定 kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
8.部署Calico网络
Calico实现了CNI接口,是kubernetes网络方案的一种选择,它一个纯三层的数据中心网络方案(不需要Overlay),并且与OpenStack、Kubernetes、AWS、GCE等IaaS和容器平台都有良好的集成。 Calico在每一个计算节点利用Linux Kernel实现了一个高效的vRouter来负责数据转发,而每个vRouter通过BGP协议负责把自己上运行的workload的路由信息像整个Calico网络内传播——小规模部署可以直接互联,大规模下可通过指定的BGP route reflector来完成。 这样保证最终所有的workload之间的数据流量都是通过IP路由的方式完成互联的。
# calico证书用在四个地方:
# calico/node: 这个docker 容器运行时访问 etcd 使用证书
# cni 配置文件中 cni 插件: 需要访问 etcd 使用证书
# calicoctl: 操作集群网络时访问 etcd 使用证书
# calico/kube-controllers: 同步集群网络策略时访问 etcd 使用证书
# 创建存放calico证书 mkdir -p /etc/kubernetes/ca/calico # 准备calico证书配置 - calico只需客户端证书,因此证书请求中 hosts 字段可以为空 cp ~/kubernetes/kubernetes-starter/target/ca/calico/calico-csr.json /etc/kubernetes/ca/calico/ cd /etc/kubernetes/ca/calico/ cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes calico-csr.json | cfssljson -bare calico # 我们最终要的是calico-key.pem和calico.pem ls calico.csr calico-csr.json calico-key.pem calico.pem # 启动kube-calico.service 服务 cp ~/kubernetes/kubernetes-starter/target/all-node/kube-calico.service /lib/systemd/system/ systemctl enable kube-calico.service # 启动kube-calico服务需要下载镜像 service kube-calico start
3.k8s-master2 部署
1.安装Docker
# 关闭防火墙 ufw disable && ufw status # 执行脚本安装docker curl -s https://raw.githubusercontent.com/jy1779/docker/master/install/aliyun_docker_install.sh | bash # 修改docker.server参数 LINE=$(grep -n ExecStart /lib/systemd/system/docker.service|awk -F : '{print $1}') EXECSTARTPOST='ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT' sed "$LINE a$EXECSTARTPOST" -i /lib/systemd/system/docker.service # 重新加载docker.server及重启docker服务 systemctl daemon-reload && service docker restart service docker status
2. 生成配置文件及根证书
# 添加内核参数
/etc/sysctl.d/k8s.conf
# 参数说明:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Enable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
# 执行命令,添加内核参数 cat </etc/sysctl.d/k8s.conf net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF # 使内核参数生效 sysctl -p /etc/sysctl.d/k8s.conf
# 如提示以下报错,则执行:modprobe br_netfilter
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
# 获取k8s二进制文件及配置文件 # kubernetes.git 并非官网的文件,是自定义安装k8s集群所需的文件 root@master:~# git clone https://code.aliyun.com/jy1779/kubernetes.git # 解压k8s二进制文件,并添加到系统环境变量 root@master:~# tar xf ./kubernetes/kubernetes-bins.tar.gz -C /usr/local/sbin/ && rm -f ./kubernetes/kubernetes-bins.tar.gz root@master:~# echo 'export PATH=$PATH:/usr/local/sbin/kubernetes-bins' >> /etc/profile && source /etc/profile # 检测环境变量 root@master:~# which kubectl /usr/local/sbin/kubernetes-bins/kubectl # 生成配置文件 cd /root/kubernetes/kubernetes-starter/ # 修改配置文件 vim config.propertie #kubernetes二进制文件目录,eg: /home/michael/bin BIN_PATH=/usr/local/sbin/kubernetes-bins #当前节点ip, eg: 192.168.1.102 NODE_IP=192.168.1.108 #etcd服务集群列表, eg: http://192.168.1.102:2379 #如果已有etcd集群可以填写现有的。没有的话填写:http://${MASTER_IP}:2379 (MASTER_IP自行替换成自己的主节点ip) ETCD_ENDPOINTS=https://192.168.1.107 #kubernetes主节点ip地址, eg: 192.168.1.102 MASTER_IP=192.168.1.108 ./gen-config.sh with-ca ====替换变量列表==== BIN_PATH=/usr/local/sbin/kubernetes-bins NODE_IP=192.168.1.72 ETCD_ENDPOINTS=https://192.168.1.72:2379,https://192.168.1.73:2379,https://192.168.1.74:2379 MASTER_IP=192.168.1.72 ==================== ====替换配置文件==== all-node/kube-calico.service ca/admin/admin-csr.json ca/ca-config.json ca/ca-csr.json ca/calico/calico-csr.json ca/etcd/etcd-csr.json ca/kube-proxy/kube-proxy-csr.json ca/kubernetes/kubernetes-csr.json master-node/etcd.service master-node/kube-apiserver.service master-node/kube-controller-manager.service master-node/kube-scheduler.service services/kube-dashboard.yaml services/kube-dns.yaml worker-node/10-calico.conf worker-node/kubelet.service worker-node/kube-proxy.service ================= 配置生成成功,位置: /root/kubernetes/kubernetes-starter/target
# 安装cfssl
wget -q --show-progress --https-only --timestamping \ https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 # 修改为可执行权限 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 # 移动到bin目录 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson # 验证 cfssl version
# 生成根证书
# 创建目录存放ca证书
mkdir -p /etc/kubernetes/ca
# 从k8s-master1获取证书
rsync -av 192.168.1.107:/etc/kubernetes/ca/ca.pem /etc/kubernetes/ca/
rsync -av 192.168.1.107:/etc/kubernetes/ca/ca-key.pem /etc/kubernetes/ca/
rsync -av 192.168.1.107:/etc/kubernetes/ca/ca-config.json /etc/kubernetes/ca/
# 创建存放etcd证书的目录
# 从k8s-master1获取证书
mkdir -p /etc/kubernetes/ca/etcd rsync -av 192.168.1.107:/etc/kubernetes/ca/etcd/etcd-key.pem /etc/kubernetes/ca/etcd/ rsync -av 192.168.1.107:/etc/kubernetes/ca/etcd/etcd.pem /etc/kubernetes/ca/etcd/
# 测试连接etcd服务
ETCDCTL_API=3 etcdctl \ --endpoints=https://192.168.1.107:2379 \ --cacert=/etc/kubernetes/ca/ca.pem \ --cert=/etc/kubernetes/ca/etcd/etcd.pem \ --key=/etc/kubernetes/ca/etcd/etcd-key.pem \ endpoint health # 提示以下,则正常 https://192.168.1.107:2379 is healthy: successfully committed proposal: took = 341.160166ms
3.部署APIServer
# 创建存放api证书目录
# 从k8s-master1获取证书
mkdir -p /etc/kubernetes/ca/kubernetes cd /etc/kubernetes/ca/kubernetes/ rsync -av 192.168.1.107:/etc/kubernetes/ca/kubernetes/kubernetes-key.pem /etc/kubernetes/ca/kubernetes/ rsync -av 192.168.1.107:/etc/kubernetes/ca/kubernetes/kubernetes.pem /etc/kubernetes/ca/kubernetes/ rsync -av 192.168.1.107:/etc/kubernetes/ca/kubernetes/token.csv /etc/kubernetes/ca/kubernetes/ # 把apiservice服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-apiserver.service /lib/systemd/system/ # 创建kube-apiserver服务 systemctl enable kube-apiserver.service # 启动kube-apiserver服务 service kube-apiserver start # 查看kube-apiserver日志 journalctl -f -u kube-apiserver
4. 部署Controller-manager
controller-manager一般与api-server在同一台机器上,所以可以使用非安全端口与api-server通讯,不需要生成证书和私钥。 # 把kube-controller-manager.service 服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-controller-manager.service /lib/systemd/system/ # 创建kube-controller-manager.service 服务 systemctl enable kube-controller-manager.service # 启动kube-controller-manager.service 服务 service kube-controller-manager start # 查看kube-controller-manager.service 日志 journalctl -f -u kube-controller-manager
5.部署Scheduler
Scheduler一般与api-server在同一台机器上,所以可以使用非安全端口与api-server通讯,不需要生成证书和私钥。
# 把scheduler 服务配置文件copy到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/master-node/kube-scheduler.service /lib/systemd/system/ # 创建kube-scheduler.service 服务 systemctl enable kube-scheduler.service # 启动kube-scheduler.service 服务 service kube-scheduler start # 查看kube-scheduler.service 日志 journalctl -f -u kube-scheduler
6.配置Kubectl管理
# 创建存放kubectl证书目录
mkdir -p /etc/kubernetes/ca/admin # 准备admin证书配置 - kubectl只需客户端证书,因此证书请求中 hosts 字段可以为空 # 复制kubectl证书配置 cp ~/kubernetes/kubernetes-starter/target/ca/admin/admin-csr.json /etc/kubernetes/ca/admin/ # 使用根证书(ca.pem)签发admin证书 cd /etc/kubernetes/ca/admin/ cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes admin-csr.json | cfssljson -bare admin # 配置kubectl文件 # 指定apiserver的地址和证书位置 kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ca/ca.pem \ --embed-certs=true \ --server=https://192.168.1.108:6443 # 设置客户端认证参数,指定admin证书和秘钥 kubectl config set-credentials admin \ --client-certificate=/etc/kubernetes/ca/admin/admin.pem \ --embed-certs=true \ --client-key=/etc/kubernetes/ca/admin/admin-key.pem # 关联用户和集群 kubectl config set-context kubernetes \ --cluster=kubernetes --user=admin # 设置当前上下文 kubectl config use-context kubernetes # 查看认证 cat ~/.kube/config # 查看master 组件 kubectl get componentstatus NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {"health": "true"}
7.部署Calico网络
# 创建存放calico证书 mkdir -p /etc/kubernetes/ca/calico rsync -av 192.168.1.107:/etc/kubernetes/ca/calico/calico.pem /etc/kubernetes/ca/calico rsync -av 192.168.1.107:/etc/kubernetes/ca/calico/calico-key.pem /etc/kubernetes/ca/calico # 启动kube-calico.service 服务 cp ~/kubernetes/kubernetes-starter/target/all-node/kube-calico.service /lib/systemd/system/ systemctl enable kube-calico.service # 启动kube-calico服务需要下载镜像 service kube-calico start journalctl -f -u kube-calico # 日志查看 calicoctl node status
4.部署nginx
服务器:192.168.1.55
docker-compose 部署nginx
# 查看nginx的docker-compose结构 tree -L 2 nginx/ nginx/ ├── conf │ ├── conf.d │ ├── fastcgi_params │ ├── koi-utf │ ├── koi-win │ ├── mime.types │ ├── modules -> /usr/lib/nginx/modules │ ├── nginx.conf │ ├── scgi_params │ ├── uwsgi_params │ └── win-utf ├── docker-compose.yml └── html ├── 50x.html └── index.html # docker-compose.yaml配置文件 cd nginx cat docker-compose.yml version: '2.0' services: nginxs: image: nginx container_name: nginxs network_mode: host volumes: - "./conf:/etc/nginx" - "./html:/usr/share/nginx/html" # 查看nginx配置文件 cat conf/nginx.conf user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; events { worker_connections 1024; } # 4层转发 stream { log_format ws "$remote_addr $upstream_addr $time_local $status"; access_log /var/log/nginx/k8s.log ws; server { listen 6443; proxy_pass app_server; } upstream app_server{ server 192.168.1.107:6443; #k8s-master1 server 192.168.1.108:6443; #k8s-master2 } } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; } docker-compose ps Name Command State Ports --------------------------------------------- nginxs nginx -g daemon off; Up # 查看端口 netstat -nutlp|grep 6443 tcp 0 0 0.0.0.0:6443 0.0.0.0:* LISTEN 5706/nginx: master
5.部署Node节点
1.安装Docker
# 关闭防火墙 ufw disable && ufw status # 执行docker安装脚本 curl -s https://raw.githubusercontent.com/jy1779/docker/master/install/aliyun_docker_install.sh | bash # 获取二进制文件 git clone https://code.aliyun.com/jy1779/kubernetes.git # 解压kubernetes-bins,添加到环境变量 tar xf ./kubernetes/kubernetes-bins.tar.gz -C /usr/local/sbin/ echo 'export PATH=$PATH:/usr/local/sbin/kubernetes-bins' >> /etc/profile && source /etc/profile # 修改docker.server LINE=$(grep -n ExecStart /lib/systemd/system/docker.service|awk -F : '{print $1}') EXECSTARTPOST='ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT' sed "$LINE a$EXECSTARTPOST" -i /lib/systemd/system/docker.service # 重启docker systemctl daemon-reload && service docker restart service docker status
2.生成配置文件
# 添加内核参数 cat </etc/sysctl.d/k8s.conf net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF # 使内核参数生效 sysctl -p /etc/sysctl.d/k8s.conf # 修改配置文件config.properties cd /root/kubernetes/kubernetes-starter/ # 查看配置文件 cat config.properties #kubernetes二进制文件目录,eg: /home/michael/bin BIN_PATH=/usr/local/sbin/kubernetes-bins #当前节点ip, eg: 192.168.1.102 NODE_IP=192.168.1.109 #etcd服务集群列表, eg: http://192.168.1.102:2379 #如果已有etcd集群可以填写现有的。没有的话填写:http://${MASTER_IP}:2379 (MASTER_IP自行替换成自己的主节点ip) ETCD_ENDPOINTS=https://192.168.1.107:2379 #kubernetes主节点ip地址, eg: 192.168.1.102 MASTER_IP=192.168.1.55 # 生成配置文件 cd ~/kubernetes/kubernetes-starter && ./gen-config.sh with-ca ====替换变量列表==== BIN_PATH=/usr/local/sbin/kubernetes-bins NODE_IP=192.168.1.109 ETCD_ENDPOINTS=https://192.168.1.107:2379 MASTER_IP=192.168.1.55 ==================== ====替换配置文件==== all-node/kube-calico.service ca/admin/admin-csr.json ca/ca-config.json ca/ca-csr.json ca/calico/calico-csr.json ca/etcd/etcd-csr.json ca/kube-proxy/kube-proxy-csr.json ca/kubernetes/kubernetes-csr.json master-node/etcd.service master-node/kube-apiserver.service master-node/kube-controller-manager.service master-node/kube-scheduler.service services/kube-dashboard.yaml services/kube-dns.yaml worker-node/10-calico.conf worker-node/kubelet.service worker-node/kube-proxy.service ================= 配置生成成功,位置: /root/kubernetes/kubernetes-starter/target
# 安装cfssl
wget -q --show-progress --https-only --timestamping \ https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \ https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson cfssl version
# 创建存放证书目录
# 从k8s-master1获取
mkdir -p /etc/kubernetes/ca/ mkdir -p /etc/kubernetes/ca/calico/ rsync -av 192.168.1.107:/etc/kubernetes/ca/ca.pem /etc/kubernetes/ca/ rsync -av 192.168.1.107:/etc/kubernetes/ca/ca-key.pem /etc/kubernetes/ca/ rsync -av 192.168.1.107:/etc/kubernetes/ca/ca-config.json /etc/kubernetes/ca/ rsync -av 192.168.1.107:/etc/kubernetes/ca/calico/calico.pem /etc/kubernetes/ca/calico/ rsync -av 192.168.1.107:/etc/kubernetes/ca/calico/calico-key.pem /etc/kubernetes/ca/calico/
3.部署Calico网络
# 复制calico启动文件到系统服务目录 cp ~/kubernetes/kubernetes-starter/target/all-node/kube-calico.service /lib/systemd/system/ # 创建kube-calico.service systemctl enable kube-calico.service # 启动kube-calico.service 服务 service kube-calico start # 查看calico节点,可以看到master节点的calico calicoctl node status
4.部署Kubelet
cd /etc/kubernetes/ # 创建bootstrap.kubeconfig kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ca/ca.pem \ --embed-certs=true \ --server=https://192.168.1.55:6443 \ --kubeconfig=bootstrap.kubeconfig kubectl config set-credentials kubelet-bootstrap \ --token=97e8c07dce2b2bab69cfd3162d5383c9 \ --kubeconfig=bootstrap.kubeconfig kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig kubectl config use-context default --kubeconfig=bootstrap.kubeconfig # 准备cni mkdir -p /etc/cni/net.d/ cp ~/kubernetes/kubernetes-starter/target/worker-node/10-calico.conf /etc/cni/net.d/ # 创建存放kubelet工作目录 mkdir /var/lib/kubelet # 将kubelet.service 复制到系统目录 cp ~/kubernetes/kubernetes-starter/target/worker-node/kubelet.service /lib/systemd/system/ # 创建kubelet服务 systemctl enable kubelet # 启动kubelet服务 service kubelet start
5.Master签发证书
# 在master服务器执行 kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-Vuj62TUED4foaVjOmsbvMLJpfDsy1RBHbKMAhgtuoyE 16s kubelet-bootstrap Pending # 执行指令签发 kubectl get csr|grep 'Pending' | awk '{print $1}'| xargs kubectl certificate approve certificatesigningrequest "node-csr-Vuj62TUED4foaVjOmsbvMLJpfDsy1RBHbKMAhgtuoyE" approved # 再次查看 kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-Vuj62TUED4foaVjOmsbvMLJpfDsy1RBHbKMAhgtuoyE 1m kubelet-bootstrap Approved,Issued # 验证节点 kubectl get node NAME STATUS ROLES AGE VERSION 192.168.1.109 Ready52s v1.9.0
6.部署kube-proxy
# 创建kube-proxy工作目录及存放证书目录 mkdir -p /var/lib/kube-proxy mkdir -p /etc/kubernetes/ca/kube-proxy # 复制kube-proxy服务配置文件 cp ~/kubernetes/kubernetes-starter/target/ca/kube-proxy/kube-proxy-csr.json /etc/kubernetes/ca/kube-proxy/ cd /etc/kubernetes/ca/kube-proxy/ # 使用根证书(ca.pem)签发calico证书 cfssl gencert \ -ca=/etc/kubernetes/ca/ca.pem \ -ca-key=/etc/kubernetes/ca/ca-key.pem \ -config=/etc/kubernetes/ca/ca-config.json \ -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy cd /etc/kubernetes/ kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ca/ca.pem \ --embed-certs=true \ --server=https://192.168.1.55:6443 \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-credentials kube-proxy \ --client-certificate=/etc/kubernetes/ca/kube-proxy/kube-proxy.pem \ --client-key=/etc/kubernetes/ca/kube-proxy/kube-proxy-key.pem \ --embed-certs=true \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-context default \ --cluster=kubernetes \ --user=kube-proxy \ --kubeconfig=kube-proxy.kubeconfig kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig # 复制kube-proxy启动文件到系统目录 cp ~/kubernetes/kubernetes-starter/target/worker-node/kube-proxy.service /lib/systemd/system/ # 创建kube-proxy服务 systemctl enable kube-proxy # 启动kube-proxy服务 service kube-proxy start
7.在k8s-master1创建deployment
# nginx-depolyment.yaml 配置文件 cat nginx-depolyment.yaml apiVersion: apps/v1beta1 kind: Deployment metadata: name: nginx annotations: nginx.ingress.kubernetes.io/secure-backends: "true" spec: replicas: 1 template: metadata: labels: app: nginx spec: containers: - name: nginx image: registry.cn-hangzhou.aliyuncs.com/jonny/nginx:1.9.14 ports: - containerPort: 80 # nginx-service.yaml配置文件 cat nginx-service.yaml apiVersion: v1 kind: Service metadata: name: nginx-service spec: selector: app: nginx ports: - protocol: TCP port: 80 targetPort: 80 nodePort: 20001 type: NodePort # 查看nginx pod kubectl get pods NAME READY STATUS RESTARTS AGE nginx-65dbdf6899-z8cp5 1/1 Running 0 2m kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.68.0.1443/TCP 2h nginx-service NodePort 10.68.169.183 80:20001/TCP 2m # 验证nginx curl -I http://192.168.1.109:20001/ HTTP/1.1 200 OK Server: nginx/1.9.14 Date: Thu, 18 Apr 2019 09:04:03 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Wed, 21 Sep 2016 08:11:20 GMT Connection: keep-alive ETag: "57e240a8-264" Accept-Ranges: bytes
5.添加kubectl远程客户端
在nginx服务器上添加kubectl客户端 从k8s-master获取 rsync -av 192.168.1.107:/usr/local/sbin/kubernetes-bins/kubectl /usr/bin/kubectl rsync -av 192.168.1.107:/etc/kubernetes/ca/admin/ /root/kubectl/ca/ rsync -av 192.168.1.107:/etc/kubernetes/ca/ca.pem /root/kubectl/ca/ kubectl config set-cluster kubernetes --server=https://192.168.1.55:6443 --certificate-authority=ca.pem # 设置用户项中cluster-admin用户证书认证字段 kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem # 设置环境项中名为default的默认集群和用户 kubectl config set-context default --cluster=kubernetes --user=cluster-admin # 设置默认环境项为default kubectl config use-context default cat /root/.kube/config apiVersion: v1 clusters: - cluster: certificate-authority: /root/kubectl/ca/ca.pem server: https://192.168.1.55:6443 name: kubernetes contexts: - context: cluster: kubernetes user: cluster-admin name: default current-context: default kind: Config preferences: {} users: - name: cluster-admin user: as-user-extra: {} client-certificate: /root/kubectl/ca/admin.pem client-key: /root/kubectl/ca/admin-key.pem # 验证 kubectl get node NAME STATUS ROLES AGE VERSION 192.168.1.109 Ready1h v1.9.0
6.模拟关闭一个k8s-master1
# 在k8s-master1操作 service kube-apiserver stop service kube-controller-manager stop service kube-scheduler stop # 本地已经无法执行 kubectl get node The connection to the server 192.168.1.107:6443 was refused - did you specify the right host or port? # 在nginx服务器的远程的客户端执行,不受影响 kubectl get node NAME STATUS ROLES AGE VERSION 192.168.1.109 Ready48m v1.9.0 kubectl get pods NAME READY STATUS RESTARTS AGE nginx-65dbdf6899-z8cp5 1/1 Running 0 42m # 可以查看nginx的日志,当192.168.1.107 master关闭后,请求转发到另外一个master192.168.1.108 192.168.1.55 192.168.1.108:6443 18/Apr/2019:10:19:19 +0000 200