Linux node02 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
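# Node OS preparation (CentOS 7, run as root).
# NOTE(review): firewalld and SELinux are switched off for the whole node. That is the
# path of least resistance for a first install, but it removes a host-level control for
# every pod on the node; in production prefer keeping SELinux enforcing and opening only
# the ports the components below listen on (kubelet 10250, kube-proxy 10256/10249 and
# flannel's overlay traffic) instead of disabling the firewall.
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# The kubelet refuses to run with swap on: disable it now and drop it from fstab
# (a backup of the original fstab is kept).
swapoff -a
yes | cp /etc/fstab /etc/fstab_bak
grep -v swap /etc/fstab_bak > /etc/fstab
yum install wget telnet -y
# Switch yum to the Aliyun mirrors. The .repo files are fetched over HTTPS: they define
# the baseurl and gpgkey for every package installed afterwards, so a plain-HTTP download
# is a single point where an on-path attacker could redirect the whole install.
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache
# Kernel settings kube-proxy/flannel rely on, persisted under sysctl.d.
modprobe br_netfilter
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
sysctl -p /etc/sysctl.d/k8s.conf
# Kernel modules for kube-proxy's ipvs mode (kube-proxy.config.yaml sets mode: "ipvs").
# NOTE(review): the body of this here-document was lost in the source; add one
# `modprobe -- <module>` line per ip_vs module before relying on ipvs.
cat <<'EOF' > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
# TODO(review): list the ip_vs kernel modules kube-proxy needs here (modprobe -- <module>).
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
# Docker engine: yum-utils provides yum-config-manager; the repo file is again fetched
# over HTTPS for the same reason as above.
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Pinned docker-ce version; containerd.io comes from the same repo.
yum install -y docker-ce-18.09.7 docker-ce-cli-18.09.7 containerd.io
# ipvs userspace tools and NFS client support.
yum install -y nfs-utils ipset ipvsadm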
flannel 主节点安装查看 二进制安装k8s - MASTER 节点的安装
这里直接复制 master 上已经生成的证书和启动文件。注意：node 节点只需要 ca.pem；ca-key.pem（CA 私钥）不应复制到 node 节点。
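# Copy the cluster CA certificate to the node (run on the master).
# Only ca.pem is needed on a node: the kubelet uses it as clientCAFile and both
# kubeconfigs embed it to verify the apiserver. The original `scp ca*` also matched
# ca-key.pem (the CA private key the cfssl steps below sign with); with that key anyone
# on the node could mint a client certificate for any user or node in the cluster.
# NOTE(review): this copies to 192.168.100.57 while the kubelet/kube-proxy steps copy
# to 192.168.100.59 -- confirm which host is being set up.
scp ca.pem 192.168.100.57:/data/k8s/cert/
scp -r flannel/ 192.168.100.57:/data/k8s/
# Install flanneld from the copied unit file (run on the node); enable it so it
# comes back after a reboot.
cp flanneld.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable flanneld.service
systemctl start flanneld.service
systemctl status flanneld.service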
:::master节点操作:::
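# Create a bootstrap token for the node (run on the master). kubeadm prints the token
# on stdout; capture it instead of pasting it by hand so the literal never ends up in
# notes. It is a bearer credential that lets its holder request a node client
# certificate (kubeadm's default TTL is 24h; pass --ttl to shorten it).
BOOTSTRAP_TOKEN=$(kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups system:bootstrappers:node01 \
  --kubeconfig ~/.kube/config)
# Cluster entry: CA embedded so the node can verify the apiserver.
kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=https://192.168.100.58:6443 \
  --kubeconfig=bootstrap.kubeconfig
# Credential entry: the token created above.
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig
# Context entry and default context.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# Let members of system:bootstrappers submit node CSRs. Approval stays manual
# (kubectl certificate approve below), which is the safer default: check the requestor
# before approving.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
# Ship the kubeconfig to the node owner-readable only (it carries the token; -p keeps
# the mode across scp). The file name must match --bootstrap-kubeconfig in kubelet.service.
chmod 600 bootstrap.kubeconfig
scp -p bootstrap.kubeconfig 192.168.100.59:/data/k8s/kubelet/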
:::node 节点操作:::
kubelet.config.json
{
"kind": "KubeletConfiguration",
"apiVersion": "kubelet.config.k8s.io/v1beta1",
"authentication": {
"x509": {
"clientCAFile": "/data/k8s/cert/ca.pem"
},
"webhook": {
"enabled": true,
"cacheTTL": "2m0s"
},
"anonymous": {
"enabled": false
}
},
"authorization": {
"mode": "Webhook",
"webhook": {
"cacheAuthorizedTTL": "5m0s",
"cacheUnauthorizedTTL": "30s"
}
},
"address": "这里为node节点IP",
"port": 10250,
"readOnlyPort": 0,
"cgroupDriver": "cgroupfs",
"hairpinMode": "promiscuous-bridge",
"serializeImagePulls": false,
"featureGates": {
"RotateKubeletClientCertificate": true,
"RotateKubeletServerCertificate": true
},
"clusterDomain": "cluster.local",
"clusterDNS": ["10.96.0.2"]
}
kubelet.service
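[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/data/k8s/kubelet
# --hostname-override must be this node's name (node01 here); kube-proxy's
# hostnameOverride and the bootstrap token group system:bootstrappers:<node> refer to
# the same name.
# --bootstrap-kubeconfig is only used until kubelet.kubeconfig exists (it is written
# once the node CSR is approved); --cert-dir receives the issued certificates.
# NOTE(review): with RotateKubeletServerCertificate enabled the kubelet may also submit
# a serving-certificate CSR after joining that is not approved automatically -- check
# `kubectl get csr` again.
# NOTE(review): --v=4 is debug-level verbosity and fills /data/k8s/logs with request
# details; lower it (e.g. --v=2) once the node is stable.
# NOTE(review): the pause image is pinned by tag only; prefer a digest (@sha256:...) so
# the image cannot change underneath the node.
ExecStart=/data/k8s/bin/kubelet \
  --bootstrap-kubeconfig=/data/k8s/kubelet/bootstrap.kubeconfig \
  --cert-dir=/data/k8s/cert \
  --kubeconfig=/data/k8s/kubelet/kubelet.kubeconfig \
  --config=/data/k8s/kubelet/kubelet.config.json \
  --hostname-override=node01 \
  --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \
  --alsologtostderr=true \
  --logtostderr=false \
  --log-dir=/data/k8s/logs \
  --v=4
Restart=on-failure
RestartSec=5
# Same limit as kube-proxy.service: the kubelet keeps many files and connections open.
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target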
@注:
kubelet.kubeconfig 文件连接上master后会自动生成。
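# Install and start the kubelet on the node. -p makes mkdir idempotent on re-runs;
# enable so the kubelet comes back after a reboot (the unit has an [Install] section).
mkdir -p /data/k8s/logs
cp kubelet.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet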
:::master 节点操作:::
# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE 53s system:bootstrap:0pmyt7 Pending
# kubectl certificate approve node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE
certificatesigningrequest.certificates.k8s.io/node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE approved
# kubectl get node
可以看到刚刚添加的 node 节点了。注意：kubelet 开启了 RotateKubeletServerCertificate，节点加入后可能还会提交一个 serving 证书的 CSR，它不会自动审批，需再次执行 kubectl get csr 并审批。
:::master 操作:::
kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "ChengDu",
"L": "ChengDu",
"O": "k8s",
"OU": "lswzw"
}
]
}
# Issue the kube-proxy client certificate with the cluster CA (run on the master).
# CN=system:kube-proxy is the identity the apiserver's built-in system:node-proxier
# binding grants kube-proxy's permissions to.
# NOTE(review): this step uses /opt/k8s/cert while every other step on this page uses
# /data/k8s/cert, and the same command is repeated below with /data paths -- one of the
# two is probably stale.
ca_dir=/opt/k8s/cert
cfssl gencert \
  -ca="${ca_dir}/ca.pem" \
  -ca-key="${ca_dir}/ca-key.pem" \
  -config="${ca_dir}/ca-config.json" \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
# Expect kube-proxy.csr, kube-proxy-key.pem and kube-proxy.pem next to the request.
ls -- *kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
kube-proxy.kubeconfig
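# Issue the kube-proxy client certificate and build its kubeconfig (run on the master).
# cfssljson writes kube-proxy.pem / kube-proxy-key.pem to the current directory, while
# set-credentials below reads them from /data/k8s/cert -- run this from /data/k8s/cert
# (or move the files there first).
cfssl gencert -ca=/data/k8s/cert/ca.pem \
  -ca-key=/data/k8s/cert/ca-key.pem \
  -config=/data/k8s/cert/ca-config.json \
  -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Cluster entry: CA embedded so kube-proxy can verify the apiserver.
kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=https://192.168.100.58:6443 \
  --kubeconfig=kube-proxy.kubeconfig
# --embed-certs=true copies the private key into the kubeconfig: from here on the file
# itself is a credential.
kubectl config set-credentials kube-proxy \
  --client-certificate=/data/k8s/cert/kube-proxy.pem \
  --client-key=/data/k8s/cert/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context kube-proxy@kubernetes --kubeconfig=kube-proxy.kubeconfig
# Ship it to the node owner-readable only; -p preserves the mode across scp.
chmod 600 kube-proxy.kubeconfig
scp -p kube-proxy.kubeconfig 192.168.100.59:/data/k8s/kube-proxy/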
:::node节点操作:::
kube-proxy.config.yaml
# kube-proxy configuration for this node (passed via --config in kube-proxy.service).
apiVersion: kubeproxy.config.k8s.io/v1alpha1
# This node's IP; change per node.
bindAddress: 192.168.100.59
clientConnection:
  # Kubeconfig copied from the master; it embeds kube-proxy's client cert and key.
  kubeconfig: /data/k8s/kube-proxy/kube-proxy.kubeconfig
# Pod network range; should match the network flannel hands out (kube-proxy uses it to
# tell pod traffic from external traffic).
clusterCIDR: 10.44.0.0/16
healthzBindAddress: 192.168.100.59:10256
# Should equal the kubelet's --hostname-override for this node.
hostnameOverride: node01
kind: KubeProxyConfiguration
# NOTE(review): /metrics is served without authentication. The default is
# 127.0.0.1:10249; binding it to the node IP exposes it to anything that can reach the
# node, and firewalld was disabled in the node prep. Keep it on loopback unless it is
# scraped remotely, and restrict access if it is.
metricsBindAddress: 192.168.100.59:10249
# Requires the ip_vs kernel modules plus ipset/ipvsadm installed in the node prep steps.
mode: "ipvs"
@注:
上面所有 IP 均为 node 节点 IP，hostnameOverride 为节点名（须与 kubelet 的 --hostname-override 一致）；不同节点需要相应修改。
kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
WorkingDirectory=/data/k8s/kube-proxy
# All runtime settings (bind addresses, kubeconfig, ipvs mode) come from
# kube-proxy.config.yaml; only logging is set on the command line.
# NOTE(review): --v=4 is debug-level verbosity; lower it once the node is stable.
ExecStart=/data/k8s/bin/kube-proxy \
--config=/data/k8s/kube-proxy/kube-proxy.config.yaml \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/data/k8s/logs \
--v=4
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
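# Install and start kube-proxy on the node; enable so it comes back after a reboot
# (the unit has an [Install] section).
cp kube-proxy.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable kube-proxy
systemctl start kube-proxy
systemctl status kube-proxy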
:::master 操作:::
# On the master: confirm the node reports Ready and inspect its conditions and capacity.
kubectl describe node