Kubernetes高可用部署

一、环境准备

主机名	IP	部署应用
cnsz-fbu-bck8s-master01-uat	10.81.0.101	kubeadm, kubectl, kubelet, docker, apiserver, controllerManager, scheduler, helm
cnsz-fbu-bck8s-master02-uat	10.81.0.102	kubeadm, kubectl, kubelet, docker, apiserver, controllerManager, scheduler
cnsz-fbu-bck8s-master03-uat	10.81.0.103	kubeadm, kubectl, kubelet, docker, apiserver, controllerManager, scheduler
cnsz-fbu-bck8s-node01-uat	10.81.0.104	kubeadm, kubelet, docker, kubeproxy
cnsz-fbu-bck8s-node02-uat	10.81.0.105	kubeadm, kubelet, docker, kubeproxy
cnsz-fbu-etcd01-uat	10.81.64.37 vip：10.81.64.110	etcd, nginx, keepalived
cnsz-fbu-etcd02-uat	10.81.64.38	etcd, nginx, keepalived
cnsz-fbu-etcd03-uat	10.81.64.39	etcd

升级内核版本到4.0以上，设置docker存储驱动为overlay2需要内核版本高于4.0。

yum -y install http://192.168.73.43/soft/kernel-4.9.86-30.el7.x86_64.rpm
awk -F "'" '$1=="menuentry "{print $2}' /etc/grub2.cfg
cat >>/etc/rc.local <<'EOF'
grub2-set-default 'CentOS Linux (4.9.86-30.el7.x86_64) 7 (Core)'
EOF
reboot

uname -r

关闭swap交换空间，swapoff -a，然后在/etc/fstab文件下删除swap项。

在安全内网环境时，关闭防火墙服务。

systemctl stop firewalld
systemctl disable firewalld

禁用SELinux，让容器可以读取主机文件系统

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

确保每个节点上的MAC地址和product_uuid是唯一的

ip a
cat /sys/class/dmi/id/product_uuid

允许iptables检查桥接流量

cat <

设置kubectl命令补全功能

yum -y install bash-completion
echo "source <(kubectl completion bash)" >> ~/.bash_profile
source /etc/profile.d/bash_completion.sh
source /root/.bash_profile

设置host解析

cat >> /etc/hosts <<'EOF'
10.81.0.101 cnsz-fbu-bck8s-master01-uat
10.81.0.102 cnsz-fbu-bck8s-master02-uat
10.81.0.103 cnsz-fbu-bck8s-master03-uat
10.81.0.104 cnsz-fbu-bck8s-node01-uat
10.81.0.105 cnsz-fbu-bck8s-node02-uat
10.81.64.110 apiserver
EOF

二、使用kubeadm工具安装

1、安装容器运行时docker

• 卸载旧版本

  yum -y remove docker \
                    docker-client \
                    docker-client-latest \
                    docker-common \
                    docker-latest \
                    docker-latest-logrotate \
                    docker-logrotate \
                    docker-engine
  

• 安装docker

  yum install -y yum-utils
  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
  yum list docker-ce --showduplicates | sort -r
  yum -y install docker-ce-18.09.9-3.el7 docker-ce-cli-18.09.9-3.el7 containerd.io docker-compose-plugin
  

• 设置docker

  mkdir /etc/docker
  mkdir -p /data/docker/data
  cat > /etc/docker/daemon.json <<'EOF'
  {
    "registry-mirrors": ["https://xigwl1gq.mirror.aliyuncs.com"],
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "log-opts": {
      "max-size": "200m",
      "max-file": "7"
    },
    "data-root": "/data/docker/data",
    "storage-driver": "overlay2",
    "storage-opts": ["overlay2.override_kernel_check=true"],
    "dns": ["192.168.94.94", "192.168.94.95", "192.168.109.104"]
  }
  EOF
  cat >> /etc/sysctl.conf <<'EOF'
  net.ipv4.conf.all.forwarding = 1
  EOF
  sysctl -p
  

• 启动docker

  systemctl start docker
  systemctl enable docker
  

2、安装外部ETCD集群

• 下载etcd二进制文件

  mkdir -p /data/svc
  cd /usr/local/src && wget https://github.com/etcd-io/etcd/releases/download/v3.4.18/etcd-v3.4.18-linux-amd64.tar.gz
  tar zxf etcd-v3.4.18-linux-amd64.tar.gz -C /data/svc
  cd /data/svc
  mv etcd-v3.4.18-linux-amd64 etcd-v3.4.18
  

• 使用TLS协议加密通信

  在etcd01主机上，下载cfssl工具

  wget -O /usr/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  wget -O /usr/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  chmod a+x /usr/bin/cfssl*
  

  生成CA证书

  mkdir -p /data/certs/etcd
  cat > /data/certs/etcd/ca-config.json <<'EOF'
  {
      "signing": {
          "default": {
              "expiry": "876000h"
          },
          "profiles": {
              "server": {
                  "expiry": "876000h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "server auth",
                      "client auth"
                  ]
              },
              "client": {
                  "expiry": "876000h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "client auth"
                  ]
              },
              "peer": {
                  "expiry": "876000h",
                  "usages": [
                      "signing",
                      "key encipherment",
                      "server auth",
                      "client auth"
                  ]
              }
          }
      }
  }
  EOF
  cat > /data/certs/etcd/ca-csr.json <<'EOF'
  {
      "CN": "etcd",
      "key": {
          "algo": "rsa",
          "size": 2048
      }
  }
  EOF
  cd /data/certs/etcd && cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  

  生成服务器证书及对等证书

  cat > /data/certs/etcd/server.json <<'EOF'
  {
      "CN": "etcd",
      "hosts": [
          "127.0.0.1",
          "10.81.64.37",
          "10.81.64.38",
          "10.81.64.39"
      ],
      "key": {
          "algo": "ecdsa",
          "size": 256
      },
      "names": [
          {
              "C": "CN",
              "L": "BeiJing",
              "ST": "BeiJing"
          }
      ]
  }
  EOF
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer server.json | cfssljson -bare peer
  

  生成客户端证书

  cat > /data/certs/etcd/client.json <<'EOF'
  {
      "CN": "client",
      "hosts": [""],
      "key": {
          "algo": "ecdsa",
          "size": 256
      },
      "names": [
          {
              "C": "CN",
              "L": "BeiJing",
              "ST": "BeiJing"
          }
      ]
  }
  EOF
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
  

  分发相关证书

  #etcd02/etcd03主机创建目录
  mkdir /data/certs
  
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd 10.81.64.38:/data/certs/
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd 10.81.64.39:/data/certs/
  #k8s master主机创建目录
  mkdir -p /data/certs/etcd
  
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/client*.pem 10.81.0.101:/data/certs/etcd
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/client*.pem 10.81.0.102:/data/certs/etcd
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/client*.pem 10.81.0.103:/data/certs/etcd
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/ca.pem 10.81.0.101:/data/certs/etcd
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/ca.pem 10.81.0.102:/data/certs/etcd
  rsync -avzP -e "ssh -p 60025" /data/certs/etcd/ca.pem 10.81.0.103:/data/certs/etcd
  

• 修改配置文件

  mkdir -p /data/etcd/conf
  mkdir -p /data/etcd/data
  cat > /data/etcd/conf/etcd.conf.yml <<'EOF'
  # 集群节点名称，对应修改
  name: 'etcd01'
  # Path to the data directory.
  data-dir: '/data/etcd/data'
  # Number of committed transactions to trigger a snapshot to disk.
  snapshot-count: 50000
  # Time (in milliseconds) of a heartbeat interval.
  heartbeat-interval: 100
  # Time (in milliseconds) for an election to timeout.
  election-timeout: 1000
  # Raise alarms when backend size exceeds the given quota. 0 means use the
  # default quota.
  quota-backend-bytes: 8589934592
  # List of comma separated URLs to listen on for peer traffic.修改对应IP
  listen-peer-urls: https://10.81.64.37:2380
  # List of comma separated URLs to listen on for client traffic.修改对应IP
  listen-client-urls: https://10.81.64.37:2379
  # Maximum number of snapshot files to retain (0 is unlimited).
  max-snapshots: 5
  max-request-bytes: 10485760
  # Maximum number of wal files to retain (0 is unlimited).
  max-wals: 5
  # Comma-separated white list of origins for CORS (cross-origin resource sharing).
  cors:
  # List of this member's peer URLs to advertise to the rest of the cluster.
  # The URLs needed to be a comma-separated list.修改对应IP
  initial-advertise-peer-urls: https://10.81.64.37:2380
  # List of this member's client URLs to advertise to the public.
  # The URLs needed to be a comma-separated list.修改对应IP
  advertise-client-urls: https://10.81.64.37:2379
  # Discovery URL used to bootstrap the cluster.
  discovery:
  # Valid values include 'exit', 'proxy'
  discovery-fallback: 'proxy'
  # HTTP proxy to use for traffic to discovery service.
  discovery-proxy:
  # DNS domain used to bootstrap initial cluster.
  discovery-srv:
  # Initial cluster configuration for bootstrapping.
  initial-cluster: 'etcd01=https://10.81.64.37:2380,etcd02=https://10.81.64.38:2380,etcd03=https://10.81.64.39:2380'
  # Initial cluster token for the etcd cluster during bootstrap.
  initial-cluster-token: 'etcd-cluster'
  # Initial cluster state ('new' or 'existing').
  initial-cluster-state: 'new'
  # Reject reconfiguration requests that would cause quorum loss.
  strict-reconfig-check: false
  # Enable runtime profiling data via HTTP server
  enable-pprof: true
  # Valid values include 'on', 'readonly', 'off'
  proxy: 'off'
  # Time (in milliseconds) an endpoint will be held in a failed state.
  proxy-failure-wait: 5000
  # Time (in milliseconds) of the endpoints refresh interval.
  proxy-refresh-interval: 30000
  # Time (in milliseconds) for a dial to timeout.
  proxy-dial-timeout: 1000
  # Time (in milliseconds) for a write to timeout.
  proxy-write-timeout: 5000
  # Time (in milliseconds) for a read to timeout.
  proxy-read-timeout: 0
  client-transport-security:
    # Path to the client server TLS cert file.
    cert-file: '/data/certs/etcd/server.pem'
    # Path to the client server TLS key file.
    key-file: '/data/certs/etcd/server-key.pem'
    # Enable client cert authentication.
    client-cert-auth: true
    # Path to the client server TLS trusted CA cert file.
    trusted-ca-file: '/data/certs/etcd/ca.pem'
    # Client TLS using generated certificates
    auto-tls: false
  peer-transport-security:
    # Path to the peer server TLS cert file.
    cert-file: '/data/certs/etcd/peer.pem'
    # Path to the peer server TLS key file.
    key-file: '/data/certs/etcd/peer-key.pem'
    # Enable peer client cert authentication.
    client-cert-auth: true
    # Path to the peer server TLS trusted CA cert file.
    trusted-ca-file: '/data/certs/etcd/ca.pem'
    # Peer TLS using generated certificates.
    auto-tls: false
  # The validity period of the self-signed certificate, the unit is year.
  self-signed-cert-validity: 100
  # Enable debug-level logging for etcd.
  log-level: 'info'
  logger: zap
  # Specify 'stdout' or 'stderr' to skip journald logging even when running under systemd.
  log-outputs: [stderr]
  # Force to create a new one member cluster.
  force-new-cluster: false
  auto-compaction-mode: periodic
  auto-compaction-retention: "1"
  EOF
  

• 设置systemd管理

  cat > /etc/systemd/system/etcd.service <<'EOF'
  [Unit]
  Description=Etcd Server
  After=network.target
  After=network-online.target
  Wants=network-online.target
  
  [Service]
  Type=notify
  ExecStart=/data/svc/etcd-v3.4.18/etcd --config-file /data/etcd/conf/etcd.conf.yml
  Restart=on-failure
  LimitNOFILE=65535
  OOMScoreAdjust=-999
  
  [Install]
  WantedBy=multi-user.target
  EOF
  systemctl daemon-relaod
  systemctl start etcd
  systemctl enable etcd
  

• 验证集群是否正常

  $ /data/svc/etcd-v3.4.18/etcdctl --cacert=ca.pem --cert=server.pem --key=server-key.pem --endpoints="https://10.81.64.37:2379" member list
  2259985fb5165391, started, etcd02, https://10.81.64.38:2380, https://10.81.64.38:2379, false
  592e58e2927d0458, started, etcd01, https://10.81.64.37:2380, https://10.81.64.37:2379, false
  d32cce3d601b23ec, started, etcd03, https://10.81.64.39:2380, https://10.81.64.39:2379, false
  $ /data/svc/etcd-v3.4.18/etcdctl --cacert=ca.pem --cert=server.pem --key=server-key.pem --endpoints="https://10.81.64.37:2379" endpoint health
  https://10.81.64.37:2379 is healthy: successfully committed proposal: took = 11.013657ms
  

3、安装Nginx+Keepalived反代apiServer

• 安装nginx

  yum -y install nginx nginx-all-modules.noarch
  

• 修改nginx配置文件

  user nginx nginx;
  worker_processes auto;
  worker_cpu_affinity auto;
  error_log /var/log/nginx/error.log;
  pid /run/nginx.pid;
  
  # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
  include /usr/share/nginx/modules/*.conf;
  
  events {
      use epoll;
      accept_mutex off;
      worker_connections 1024;
  }
  
  stream {
    upstream apiserver {
      server 10.81.0.101:6443 max_fails=3 fail_timeout=30s;
      server 10.81.0.102:6443 max_fails=3 fail_timeout=30s;
      server 10.81.0.103:6443 max_fails=3 fail_timeout=30s;
    }
    log_format nginx-json-log '{"remote_addr":"$remote_addr","time_local":"$time_local","ssl_protocol":"$ssl_protocol","status":"$status","bytes_sent":"$bytes_sent","bytes_received":"$bytes_received","session_time":"$session_time","upstream_addr":"$upstream_addr","upstream_bytes_sent":"$upstream_bytes_sent","upstream_bytes_received":"$upstream_bytes_received","upstream_connect_time":"$upstream_connect_time","ng_server":"$ng_server"}';
    server {
      listen 6443;
      set $ng_server k8s-apiserver;
      access_log /var/log/nginx/k8s-apiserver.log nginx-json-log;
      proxy_connect_timeout 2s;
      proxy_timeout 600s;
      proxy_pass apiserver;
    }
  }
  

• 启动nginx

  systemctl start nginx
  systemctl enable nginx
  systemctl status nginx
  

• 安装keepalived软件

  yum -y install keepalived
  

• 修改keepalived配置文件

  cat > /etc/keepalived/keepalived.conf <<'EOF'
  global_defs {
     ##标识身份，默认本地主机名,需修改
     router_id nginx37
     script_user root root
     enable_script_security
  }
  
  vrrp_script CheckNginx {
      script "/bin/bash /etc/keepalived/check_nginx.sh"
      interval 1
      weight -20
  }
  
  vrrp_instance VI_1 {
      #定义该实例的初始化状态，需修改
      state MASTER
      #对应网卡接口
      interface ens192
      #实例身份标识要保持一致
      virtual_router_id 51
      #权重大小，需修改
      priority 150
      advert_int 1
      nopreempt
      track_script {
          CheckNginx
      }
      authentication {
          auth_type PASS
          auth_pass I9OsLmlb
      }
      virtual_ipaddress {
          10.81.64.110
      }
  }
  EOF
  
  cat > /etc/keepalived/check_nginx.sh <<'EOF'
  #!/bin/bash
  
  if ! pidof nginx >/dev/null 2>&1;then
    nginx -t && nginx 
    sleep 5
    if ! pidof nginx >/dev/null 2>&1;then
      systemctl stop keepalived
    fi
  fi
  EOF
  

• 启动keepalived

  systemctl start keepalived
  systemctl enable keepalived
  

4、开启ipvs

• 安装软件工具

  yum -y install ipset ipvsadm
  

• 加载模块配置

  cat > /etc/sysconfig/modules/ipvs.modules <

5、安装kubeadm及相关工具

上传修改好证书有效期重新编译的kubeadm命令

cat >/etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes Repository
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF
yum makecache fast
yum -y install kubelet-1.19.6-0 kubeadm-1.19.6-0 kubectl-1.19.6-0 --disableexcludes=kubernetes
systemctl enable --now kubelet

替换为重新编译的kubeadm命令

mv /usr/bin/kubeadm{,_bak}
tar zxf kubeadm.tar.gz -C /usr/bin

cat >/etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes Repository
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF
yum makecache fast
yum -y install kubelet-1.19.6-0 kubeadm-1.19.6-0 --disableexcludes=kubernetes
systemctl enable --now kubelet

替换为重新编译的kubeadm命令

mv /usr/bin/kubeadm{,_bak}
tar zxf kubeadm.tar.gz -C /usr/bin

6、初始化master01节点

• 编写初始化配置文件

  mkdir -p /data/k8s/install
  mkdir -p /data/certs/kubernetes
  cat > /data/k8s/install/init-config.yml <<'EOF'
  apiVersion: kubeadm.k8s.io/v1beta2
  kind: InitConfiguration
  bootstrapTokens:
  - groups:
    - system:bootstrappers:kubeadm:default-node-token
    token: abcdef.0123456789abcdef
    ttl: 24h0m0s
    usages:
    - signing
    - authentication
  nodeRegistration:
    #修改为对应节点主机名
    name: cnsz-fbu-bck8s-master01-uat
    criSocket: "/var/run/dockershim.sock"
    taints:
    - effect: NoSchedule
      key: node-role.kubernetes.io/control-plane
  localAPIEndpoint:
    #修改为对应节点IP
    advertiseAddress: 10.81.0.101
    bindPort: 6443
  ---
  apiVersion: kubeadm.k8s.io/v1beta2
  kind: ClusterConfiguration
  etcd:
    external:
      endpoints:
      - "https://10.81.64.37:2379"
      - "https://10.81.64.38:2379"
      - "https://10.81.64.39:2379"
      caFile: "/data/certs/etcd/ca.pem"
      certFile: "/data/certs/etcd/client.pem"
      keyFile: "/data/certs/etcd/client-key.pem" 
  networking:
    dnsDomain: cluster.local
    serviceSubnet: 10.96.0.0/16
    podSubnet: "10.100.0.0/16"
  kubernetesVersion: "v1.19.6"
  controlPlaneEndpoint: "apiserver:6443"
  apiServer:
    extraArgs:
      service-node-port-range: "80-65535"
    certSANs:
    - cnsz-fbu-bck8s-master01-uat
    - cnsz-fbu-bck8s-master02-uat
    - cnsz-fbu-bck8s-master03-uat
    - cnsz-fbu-bck8s-node01-uat
    - cnsz-fbu-bck8s-node02-uat
    - apiserver
    - 10.81.0.101
    - 10.81.0.102
    - 10.81.0.103
    - 10.81.0.104
    - 10.81.0.105
    - 10.81.64.110
    timeoutForControlPlane: 4m0s
  controllerManager:
    extraArgs:
      experimental-cluster-signing-duration: "876000h"
  scheduler: {}
  dns:
    type: CoreDNS
  certificatesDir: "/data/certs/kubernetes"
  imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
  clusterName: bc-kubernetes
  ---
  apiVersion: kubelet.config.k8s.io/v1beta1
  kind: KubeletConfiguration
  cgroupDriver: "systemd"
  maxPods: 300
  containerLogMaxSize: "100Mi"
  containerLogMaxFiles: 7
  ---
  apiVersion: kubeproxy.config.k8s.io/v1alpha1
  kind: KubeProxyConfiguration
  clusterCIDR: "10.100.0.0/16"
  metricsBindAddress: "0.0.0.0:10249"
  mode: "ipvs"
  EOF
  

• 拉取组件镜像

  cd /data/k8s/install
  kubeadm config images pull --config init-config.yml
  docker images
  

• 初始化控制平面

  kubeadm init --config init-config.yml
  
  #如果初始化报错，要先重置初始化再进行初始化
  kubeadm reset
  kubeadm init --config init-config.yml
  

• 记录加入集群的相关信息

  Your Kubernetes control-plane has initialized successfully!
  
  To start using your cluster, you need to run the following as a regular user:
  
    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
  
  Alternatively, if you are the root user, you can run:
  
    export KUBECONFIG=/etc/kubernetes/admin.conf
  
  You should now deploy a pod network to the cluster.
  Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
    https://kubernetes.io/docs/concepts/cluster-administration/addons/
  
  You can now join any number of control-plane nodes by copying certificate authorities
  and service account keys on each node and then running the following as root:
  
    kubeadm join apiserver:6443 --token abcdef.0123456789abcdef \
      --discovery-token-ca-cert-hash sha256:2b2858a9663dd0be99b8a0d3af941b666b7361d48fc5f9a05eabad140d36373c \
      --control-plane 
  
  Then you can join any number of worker nodes by running the following on each as root:
  
  kubeadm join apiserver:6443 --token abcdef.0123456789abcdef \
      --discovery-token-ca-cert-hash sha256:2b2858a9663dd0be99b8a0d3af941b666b7361d48fc5f9a05eabad140d36373c
  

• 设置kubeconfig文件的环境变量

  echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' >> /etc/profile
  source /etc/profile
  

• 关闭禁止使用非安全的http接口参数

  sed -i 's/- --port=0/#- --port=0/g' /etc/kubernetes/manifests/kube-controller-manager.yaml
  sed -i 's/- --port=0/#- --port=0/g' /etc/kubernetes/manifests/kube-scheduler.yaml
  

• 检查组件状态

  $ kubectl get pods -n kube-system -o wide
  $ kubectl get nodes
  $ kubectl get cs
  Warning: v1 ComponentStatus is deprecated in v1.19+
  NAME                 STATUS      MESSAGE                                                                                       ERROR
  #该不健康状态为正常，不管是否开启http端口，get cs都是使用的非安全的http端口查询
  scheduler            Unhealthy   Get "http://127.0.0.1:10251/healthz": dial tcp 127.0.0.1:10251: connect: connection refused   
  controller-manager   Unhealthy   Get "http://127.0.0.1:10252/healthz": dial tcp 127.0.0.1:10252: connect: connection refused   
  etcd-0               Healthy     {"health":"true"}                                                                             
  etcd-1               Healthy     {"health":"true"}                                                                             
  etcd-2               Healthy     {"health":"true"}
  

7、其他master节点加入控制平面集群

• 从master01节点拉取证书

  mkdir -p /data/certs/kubernetes
  rsync -avzP 10.81.0.101:/data/certs/kubernetes/* /data/certs/kubernetes/
  

• 设置kubeconfig文件的环境变量

  echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' >> /etc/profile
  source /etc/profile
  

• 编写加入集群配置文件

  mkdir -p /data/k8s/install
  cat > /data/k8s/install/join-config.yml <<'EOF'
  apiVersion: kubeadm.k8s.io/v1beta2
  kind: JoinConfiguration
  nodeRegistration:
    #修改为对应节点主机名
    name: cnsz-fbu-bck8s-master02-uat
    criSocket: "/var/run/dockershim.sock"
    taints:
    - effect: NoSchedule
      key: node-role.kubernetes.io/control-plane
  caCertPath: "/data/certs/kubernetes/ca.crt"
  discovery:
    bootstrapToken:
      token: "abcdef.0123456789abcdef"
      apiServerEndpoint: "apiserver:6443"
      caCertHashes:
      - "sha256:2b2858a9663dd0be99b8a0d3af941b666b7361d48fc5f9a05eabad140d36373c"
  controlPlane:
    localAPIEndpoint:
      #修改为对应节点ip
      advertiseAddress: "10.81.0.102"
      bindPort: 6443
  EOF
  

• 执行命令加入集群

  kubeadm join --config /data/k8s/install/join-config.yml
  

• 关闭禁止使用非安全的http接口参数

  sed -i 's/- --port=0/#- --port=0/g' /etc/kubernetes/manifests/kube-controller-manager.yaml
  sed -i 's/- --port=0/#- --port=0/g' /etc/kubernetes/manifests/kube-scheduler.yaml
  systemctl restart kubelet
  

• 检查集群状态

  kubectl get nodes
  

8、开启PodPreset资源

• 修改apiserver配置文件

  vim /etc/kubernetes/manifests/kube-apiserver.yaml
  # 修改
  - --enable-admission-plugins=NodeRestriction,PodPreset
  # 新增
  - --runtime-config=settings.k8s.io/v1alpha1=true
  

• 重启kubelet

  systemctl restart kubelet
  

9、worker节点加入集群

• 从master01节点拉取证书

  mkdir -p /data/certs/kubernetes
  rsync -avzP 10.81.0.101:/data/certs/kubernetes/ca.crt /data/certs/kubernetes/
  

• 编写加入集群配置文件

  mkdir -p /data/k8s/install
  cat > /data/k8s/install/join-worker-config.yml <<'EOF'
  apiVersion: kubeadm.k8s.io/v1beta2
  kind: JoinConfiguration
  nodeRegistration:
    #修改为对应节点主机名
    name: cnsz-fbu-bck8s-node02-uat
    criSocket: "/var/run/dockershim.sock"
  discovery:
    bootstrapToken:
      token: "abcdef.0123456789abcdef"
      apiServerEndpoint: "apiserver:6443"
      caCertHashes:
      - "sha256:2b2858a9663dd0be99b8a0d3af941b666b7361d48fc5f9a05eabad140d36373c"
  EOF
  

• 执行命令加入集群

  kubeadm join --config /data/k8s/install/join-worker-config.yml
  

• 如果token过期，使用以下命令重新生成

  kubeadm token create --print-join-command
  

10、安装pod网络插件

(1)、flannel

• 上传kube-flannel.yml文件

  kube-flannel.yml

• 修改文件配置

• 启动flannel

  kubectl apply -f /data/k8s/install/kube-flannel.yml
  

(2)、calico

• 下载修改yml文件

  cd /data/k8s/install
  wget https://docs.projectcalico.org/archive/v3.19/manifests/calico.yaml
  

• 修改yml文件

  vim calico.yaml
  ...
              # Cluster type to identify the deployment type
              - name: CLUSTER_TYPE
                value: "k8s,bgp"
              # Auto-detect the BGP IP address.
              - name: IP
                value: "autodetect"
              # 关闭IPIP模式，启用BGP模式
              - name: CALICO_IPV4POOL_IPIP
                value: "Always"
              # Enable or Disable VXLAN on the default IP pool.
              - name: CALICO_IPV4POOL_VXLAN
                value: "Never"
  ...
              # The default IPv4 pool to create on startup if none exists. Pod IPs will be
              # chosen from this range. Changing this value after installation will have
              # no effect. This should fall within `--cluster-cidr
              # 修改pod网段地址
              - name: CALICO_IPV4POOL_CIDR
                value: "10.100.0.0/16"
  ...
  

• 如果无法匹配网卡名，可自定义匹配规则

  vim calico.yaml
  ...
              # Cluster type to identify the deployment type
              - name: CLUSTER_TYPE
                value: "k8s,bgp"
              # IP automatic detection
              - name: IP_AUTODETECTION_METHOD
                value: "interface=en.*,eth0"
              # Auto-detect the BGP IP address.
              - name: IP
                value: "autodetect"
              # 关闭IPIP模式，启用BGP模式
              - name: CALICO_IPV4POOL_IPIP
                value: "Always"
              # Enable or Disable VXLAN on the default IP pool.
              - name: CALICO_IPV4POOL_VXLAN
                value: "Never"
  ...
  

• 启动calico

  kubectl apply -f calico.yaml
  

11、创建一个服务测试

• 编写yaml文件

  mkdir /data/k8s/deploy
  cat > /data/k8s/deploy/nginx-deployment.yml <<'EOF'
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: nginx
    labels:
      app: nginx
  spec:
    replicas: 2
    selector:
      matchLabels:
        app: nginx
    template:
      metadata:
        labels:
          app: nginx
      spec:
        containers:
        - name: nginx-demo
          image: nginx:1.17.6-alpine
          imagePullPolicy: IfNotPresent
          ports:
          - containerPort: 80
  EOF
  
  cat > /data/k8s/deploy/nginx-service.yml <<'EOF'
  apiVersion: v1
  kind: Service
  metadata:
    name: nginx-service
  spec:
    type: NodePort
    ports:
    - port: 80
      nodePort: 32000
    selector:
      app: nginx
  EOF
  

• 创建资源

  kubectl apply -f /data/k8s/deploy/nginx-deployment.yml
  kubectl apply -f /data/k8s/deploy/nginx-service.yml
  

• 访问页面是否正常

  http://10.81.0.105:32000

三、修改证书有效期

1、使用脚本修改证书有效期

该脚本为一位码友编写，https://github.com/yuyicai/update-kube-cert

• 查看证书有效期

  $ kubeadm alpha certs check-expiration
  [check-expiration] Reading configuration from the cluster...
  [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
  
  CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
  admin.conf                 Jun 02, 2023 02:31 UTC   364d                                    no      
  apiserver                  Jun 02, 2023 02:16 UTC   364d            ca                      no      
  apiserver-kubelet-client   Jun 02, 2023 02:16 UTC   364d            ca                      no      
  controller-manager.conf    Jun 02, 2023 02:31 UTC   364d                                    no      
  front-proxy-client         Jun 02, 2023 02:16 UTC   364d            front-proxy-ca          no      
  scheduler.conf             Jun 02, 2023 02:31 UTC   364d                                    no      
  
  CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
  ca                      May 30, 2032 02:16 UTC   9y              no      
  front-proxy-ca          May 30, 2032 02:16 UTC   9y              no
  

• 下载脚本

  cd /usr/local/src
  git clone https://github.com/yuyicai/update-kube-cert.git
  cd update-kubeadm-cert
  chmod 755 update-kubeadm-cert.sh
  

• 修改证书目录及设置有效期

  vim update-kubeadm-cert.sh
  ...
  main() {
    local node_type=$1
  
    # CERT_DAYS=3650
    CERT_DAYS=36500
  
    KUBE_PATH=/etc/kubernetes
    # PKI_PATH=${KUBE_PATH}/pki
    PKI_PATH=/data/certs/kubernetes
  
    # master certificates path
    # apiserver
  
  ...
  

• 执行脚本

  ./update-kubeadm-cert.sh master
  

• 查看证书有效期

  $ kubeadm alpha certs check-expiration
  [check-expiration] Reading configuration from the cluster...
  [check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
  
  CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
  admin.conf                 May 10, 2122 01:54 UTC   99y                                     no      
  apiserver                  May 10, 2122 01:54 UTC   99y             ca                      no      
  apiserver-kubelet-client   May 10, 2122 01:54 UTC   99y             ca                      no      
  controller-manager.conf    May 10, 2122 01:54 UTC   99y                                     no      
  front-proxy-client         May 10, 2122 01:54 UTC   99y             front-proxy-ca          no      
  scheduler.conf             May 10, 2122 01:54 UTC   99y                                     no      
  
  CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
  ca                      May 30, 2032 02:16 UTC   9y              no      
  front-proxy-ca          May 30, 2032 02:16 UTC   9y              no
  

2、修改源码重新编译

• 下载源码

  cd /usr/local/src
  wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.19.6.tar.gz
  tar zxf v1.19.6.tar.gz
  

• 修改源码CA证书有效期时间

  cd kubernetes-1.19.6/
  vim staging/src/k8s.io/client-go/util/cert/cert.go
  ...
  func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) {
          now := time.Now()
          tmpl := x509.Certificate{
                  SerialNumber: new(big.Int).SetInt64(0),
                  Subject: pkix.Name{
                          CommonName:   cfg.CommonName,
                          Organization: cfg.Organization,
                  },
                  NotBefore:             now.UTC(),
                  // NotAfter:              now.Add(duration365d * 10).UTC(),
                  NotAfter:              now.Add(duration365d * 100).UTC(),
                  KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
                  BasicConstraintsValid: true,
                  IsCA:                  true,
          }
  
          certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
          if err != nil {
                  return nil, err
          }
          return x509.ParseCertificate(certDERBytes)
  }
  ...
  

• 修改源码其他证书有效期时间

  vim cmd/kubeadm/app/constants/constants.go
  ...
          // CertificateValidity defines the validity for all the signed certificates generated by kubeadm
          // CertificateValidity = time.Hour * 24 * 365
          CertificateValidity = time.Hour * 24 * 365 * 100
  ...
  

• 查看 kube-cross 的 TAG 版本号

  $ cat build/build-image/cross/VERSION
  v1.15.5-1
  

• 安装GoLang环境

  yum -y install rsync jq gcc make
  cd /usr/local/src
  wget https://dl.google.com/go/go1.15.5.linux-amd64.tar.gz
  tar zxf go1.15.5.linux-amd64.tar.gz
  export PATH=$PATH:/usr/local/src/go/bin/
  

• 编译kubeadm

  cd /usr/local/src/kubernetes-1.19.6/
  make all WHAT=cmd/kubeadm GOFLAGS=-v
  

• 替换kubeadm命令

  mv /usr/bin/kubeadm{,_bak}
  cp _output/local/bin/linux/amd64/kubeadm /usr/bin/
  

• 更新证书有效期

  无法更新CA证书有效期，要更新CA证书需一开始构建集群就使用该重新编译的kubadm命令

  cp -rp /data/certs/kubernetes{,_bak}
  kubeadm alpha certs check-expiration
  kubeadm alpha certs renew all
  kubeadm alpha certs check-expiration
  

四、helm(k8s包管理器)安装

• 下载二进制包安装

  cd /usr/local/src
  wget https://get.helm.sh/helm-v3.4.2-linux-amd64.tar.gz
  tar zxf helm-v3.4.2-linux-amd64.tar.gz
  cp linux-amd64/helm /usr/bin/
  

• 设置命令补全

  echo 'source <(helm completion bash)' >>/root/.bash_profile
  source /root/.bash_profile
  

• 添加常用的仓库

  helm repo add elastic https://helm.elastic.co
  helm repo add gitlab https://charts.gitlab.io
  helm repo add harbor https://helm.goharbor.io
  helm repo add bitnami https://charts.bitnami.com/bitnami
  helm repo add stable http://mirror.azure.cn/kubernetes/charts
  helm repo add aliyun https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
  helm repo update
  helm repo list
  

• 验证测试

  # 查找仓库里nginx的chart
  helm search repo nginx
  # 拉取一个chart并解压
  helm pull bitnami/nginx
  tar zxf nginx-12.0.1.tgz
  
  # 修改chart里默认配置值，改为使用国内镜像并修改容器端口
  vim nginx/values.yaml
  ...
  ## Bitnami NGINX image version
  ## ref: https://hub.docker.com/r/bitnami/nginx/tags/
  ## @param image.registry NGINX image registry
  ## @param image.repository NGINX image repository
  ## @param image.tag NGINX image tag (immutable tags are recommended)
  ## @param image.pullPolicy NGINX image pull policy
  ## @param image.pullSecrets Specify docker-registry secret names as an array
  ## @param image.debug Set to true if you would like to see extra information on logs
  ##
  image:
    repository: nginx
    tag: 1.17.6-alpine
  ...
  ## Configures the ports NGINX listens on
  ## @param containerPorts.http Sets http port inside NGINX container
  ## @param containerPorts.https Sets https port inside NGINX container
  ##
  containerPorts:
    http: 80
    https: ""
  ...
  
  # 安装该chart
  helm install nginx ./nginx
  
  # 访问是否正常
  kubectl get pods -o wide
  kubectl get svc
  curl http://[cluster_ip]
  # 卸载chart
  helm uninstall nginx
  

五、Ingress Controller安装

1、Ingress Nginx Controller

• 创建kube-system命名空间podpreset

  cat > /data/k8s/install/podpreset.yaml <<'EOF'
  apiVersion: settings.k8s.io/v1alpha1
  kind: PodPreset
  metadata:
    name: tz-env
    namespace: kube-system
  spec:
    selector:
      matchLabels:
    env:
      - name: TZ
        value: Asia/Shanghai
  EOF
  kubectl apply -f /data/k8s/install/podpreset.yaml
  

• helm添加仓库

  mkdir -p /data/helm/install
  cd /data/helm/install
  helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
  helm repo update
  

• 拉取ingress-nginx对应版本chart

  helm pull ingress-nginx/ingress-nginx --version=4.1.3
  tar zxf ingress-nginx-4.1.3.tgz
  

• 将已有证书上传到k8s集群

  mkdir -p /data/certs/nginx-ingress
  cd /data/certs/nginx-ingress
  kubectl create secret tls nginx-ingress --cert=eminxing.crt --key=eminxing.key -n kube-system
  

• 修改values配置

  vim ingress-nginx/values.yaml
  ...
    # -- Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
    config:
      use-gzip: true
      gzip-level: 4
      gzip-types: "text/plain text/javascript application/x-javascript application/javascript text/css application/xml"
      worker-processes: 1
      proxy-body-size: "200m"
      proxy-connect-timeout: 60
      proxy-read-timeout: 1800
      proxy-send-timeout: 1800
      proxy-buffer-size: "256k"
  
    # -- Annotations to be added to the controller config configuration configmap.
    configAnnotations:
      nginx.ingress.kubernetes.io/enable-cors: "true"
      nginx.ingress.kubernetes.io/cors-allow-origin: "PUT, GET, POST, OPTIONS"
      nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For"
      nginx.ingress.kubernetes.io/cors-expose-headers: "*"
      nginx.ingress.kubernetes.io/cors-allow-origin: "*"
  
  ...
    watchIngressWithoutClass: true
  ...
    ingressClassResource:
      # -- Name of the ingressClass
      name: nginx
      # -- Is this ingressClass enabled or not
      enabled: true
      # -- Is this the default ingressClass for the cluster
      default: true
      # -- Controller-value of the controller that is processing this ingressClass
      controllerValue: "k8s.io/ingress-nginx"
  ...
    #extraArgs: {}
    extraArgs:
      default-ssl-certificate: "kube-system/nginx-ingress"
  ...
    tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Equal"
      effect: "NoSchedule"
  ...
    terminationGracePeriodSeconds: 30
    nodeSelector:
      node-role.kubernetes.io/master: ""
  ...
    replicaCount: 3
  ...
      #type: LoadBalancer
  
      type: NodePort
      nodePorts:
        http: 80
        https: 443
        tcp:
          8080: 32808
      #nodePorts:
      #  http: ""
      #  https: ""
      #  tcp: {}
      #  udp: {}
  ...
  

• 安装ingress-nginx

  helm install ingress-nginx ingress-nginx/ -n kube-system
  

• 测试是否正常

  $ curl http://10.81.0.101
  
  
  
  404 Not Found
  nginx
  
  
  

2、Nginx Ingress Controller

• 创建kube-system命名空间podpreset

  cat > /data/k8s/install/podpreset.yaml <<'EOF'
  apiVersion: settings.k8s.io/v1alpha1
  kind: PodPreset
  metadata:
    name: tz-env
    namespace: kube-system
  spec:
    selector:
      matchLabels:
    env:
      - name: TZ
        value: Asia/Shanghai
  EOF
  kubectl apply -f /data/k8s/install/podpreset.yaml
  

• helm添加仓库

  mkdir -p /data/helm/install
  cd /data/helm/install
  helm repo add nginx-stable https://helm.nginx.com/stable
  helm repo update
  

• 拉取nginx-ingress对应版本chart

  helm pull nginx-stable/nginx-ingress --version=0.13.2
  tar zxf nginx-ingress-0.13.2.tgz
  

• 将已有证书上传到k8s集群

  mkdir -p /data/certs/nginx-ingress
  cd /data/certs/nginx-ingress
  kubectl create secret tls nginx-ingress --cert=eminxing.crt --key=eminxing.key -n kube-system
  

• 修改values配置

  vim nginx-ingress/values.yaml
  ...
    # Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
    nginxReloadTimeout: 5000
  ...
    config:
      ## The name of the ConfigMap used by the Ingress Controller.
      ## Autogenerated if not set or set to "".
      name: nginx-config
      ## The annotations of the Ingress Controller configmap.
      annotations: {}
      ## The entries of the ConfigMap for customizing NGINX configuration.
      entries:
        proxy-connect-timeout: "60s"
        proxy-read-timeout: "1800s"
        proxy-send-timeout: "1800s"
        client-max-body-size: "200m"
        worker-processes: "auto"
        worker-rlimit-nofile: "65535"
        worker-connections: "65535"
        keepalive-timeout: "300s"
        access-log-off: "true"
        log-format-escaping: "json"
        max-fails: "3"
        fail-timeout: "5s"
        keepalive: "256"
        server-snippets: |
          add_header Access-Control-Allow-Origin '*';
          add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS,PUT,DELETE,OPTION';
          add_header Access-Control-Allow-Headers 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-Forwarded-For';
          add_header Access-Control-Allow-Credentials 'true';
        location-snippets: |
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
  ...
    defaultTLS:
      cert: ""
      key: ""
      secret: kube-system/nginx-ingress
  ...
    ## The node selector for pod assignment for the Ingress Controller pods.
    nodeSelector:
      node-role.kubernetes.io/master: ""
    tolerations:
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Equal"
      effect: "NoSchedule"
  ...
    ## The number of replicas of the Ingress Controller deployment.
    replicaCount: 3
    setAsDefaultIngress: true
    enableSnippets: true
      ## The type of service to create for the Ingress Controller.
      type: NodePort
      httpPort:
        enable: true
        port: 80
        nodePort: "80"
        targetPort: 80
      httpsPort:
        enable: true
        port: 443
        nodePort: "443"
        targetPort: 443
  ...
  

• 安装nginx-ingress

  helm install nginx-ingress nginx-ingress/ -n kube-system
  

• 测试是否正常

  $ curl http://10.81.0.101
  
  
  
  404 Not Found
  nginx
  
  
  

六、Rancher(k8s管理web)高可用安装

• helm添加rancher仓库

  helm repo add rancher-stable http://rancher-mirror.oss-cn-beijing.aliyuncs.com/server-charts/stable
  

• 创建rancher命名空间

  kubectl create ns cattle-system
  

• 创建cattle-system命名空间podpreset

  cat > /data/k8s/install/podpreset.yaml <<'EOF'
  apiVersion: settings.k8s.io/v1alpha1
  kind: PodPreset
  metadata:
    name: tz-env
    namespace: cattle-system
  spec:
    selector:
      matchLabels:
    env:
      - name: TZ
        value: Asia/Shanghai
  EOF
  kubectl apply -f /data/k8s/install/podpreset.yaml
  

• 将已有证书上传到k8s集群

  cd /data/certs/nginx-ingress
  kubectl create secret tls tls-rancher-ingress --cert=eminxing.crt --key=eminxing.key -n cattle-system
  

• 拉取rancher对应版本chart

  mkdir -p /data/helm/install
  cd /data/helm/install
  helm pull rancher-stable/rancher --version=2.5.5
  tar zxf rancher-2.5.5.tgz
  

• 修改values配置

  vim rancher/values.yaml
  ...
  # Fully qualified name to reach your Rancher server
  # hostname: rancher.my.org
  hostname: rancher.eminxing.com
  ...
  ### ingress ###
  # Readme for details and instruction on adding tls secrets.
  ingress:
    extraAnnotations: {}
  
    # configurationSnippet - Add additional Nginx configuration. This example statically sets a header on the ingress.
    # configurationSnippet: |
    #   more_set_input_headers "X-Forwarded-Host: {{ .Values.hostname }}";
  
    tls:
      # options: rancher, letsEncrypt, secret
      source: secret
  ...
  # Number of Rancher server replicas.
  replicas: 2
  ...
  

• 安装Rancher

  helm install rancher rancher/ -n cattle-system
  

• 绑定host访问

  10.81.0.101 rancher.eminxing.com