CentOS7.6配置do.cker和K.B.S

 方法一:

节点及功能

主机名

IP

Master、etcd、registry

K8s-01

10.8.8.31

Node1

K8s-02

10.8.8.32

Node2

K8s-03

10.8.8.33

 

一:环境搭建:(各节点均需配置)

  1.1:新建虚拟机(最好重新安装,不要用镜像文件)

    编辑网卡文件:vi /etc/sysconfig/network-scripts/ifcfg-ens33

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
#BOOTPROTO=dhcp
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
#UUID=1bc6ef33-bdb7-4f3d-8021-b138426828ed
DEVICE=ens33
#ONBOOT=no
ONBOOT=yes
IPADDR=10.8.8.31
NETMASK=255.255.255.0
GATEWAY=10.8.8.2
DNS1=8.8.8.8
DNS2=1.1.1.1

   

  1.2:修改机器名

    hostnamectl set-hostname k8s-01

 

  1.3:安装ansible

    yum install -y ansible

    vi /etc/ansible/hosts

# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups
[k8s]
10.8.8.31
10.8.8.32
10.8.8.33
[master]
10.8.8.31
[node]
10.8.8.32
10.8.8.33

 

  1.4:配置ssh互信,所有结点都要运行

     ssh-keygen -t rsa

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:NFGl8BmAOW6ch93oiRuBLzNS1jY5dcIU6bGpwLUyUeQ root@k8s-01
The key's randomart image is:
+---[RSA 2048]----+
|     oo=*=o..    |
|    ..= *+.+     |
|   . BEXoO+      |
|    O #.B..      |
|   o B OS.       |
|  . + = o        |
|   . + o         |
|      .          |
|                 |
+----[SHA256]-----+

  

    ssh-copy-id -i /root/.ssh/id_rsa.pub 10.8.8.31

    ssh-copy-id -i /root/.ssh/id_rsa.pub 10.8.8.32

    ssh-copy-id -i /root/.ssh/id_rsa.pub 10.8.8.33

[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub 10.8.8.33
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.8.8.33 (10.8.8.33)' can't be established.
ECDSA key fingerprint is SHA256:ozAbIXZWFBIwjiypTD23hQ9ioBr81+MZd1TGCQcc0o8.
ECDSA key fingerprint is MD5:9d:0c:48:4f:c4:50:7c:08:71:33:9e:86:13:46:b3:12.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '10.8.8.33'"
and check to make sure that only the key(s) you wanted were added.

   

  1.5:用ansible重启集群

    ansible all -a 'reboot'

   

  1.6:ansible all -a 'yum update -y

      ansible all -a 'yum install -y net-tools.x86_64'

      ansible all -a 'yum install -y vim-enhanced.x86_64'

      ansible all -a 'yum install -y wget'

      ansible all -a 'yum install -y tree'

      ansible all -a 'yum install -y ntp ntpdate'

      echo '*/10 *  *  *  * root    ntpdate cn.pool.ntp.org' >> /etc/crontab

      ansible all -a 'ntpdate cn.pool.ntp.org'

      编辑hosts文件,并分发到各节点

      vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.8.8.31       k8s-01
10.8.8.32       k8s-02
10.8.8.33       k8s-03

       scp /etc/hosts [email protected]:/etc/

 

  1.7:关闭防火墙

      [root@k8s-01 ~]# ansible all -a 'systemctl stop firewalld'

      [root@k8s-01 ~]# ansible all -a 'systemctl disable firewalld'

      [root@k8s-01 ~]# ansible all -a 'systemctl mask firewalld'

 

  1.8:关闭selinux

https://www.cnblogs.com/liwei0526vip/p/5644163.html  (sed用法)

      getenforce

      vim /etc/selinux/config

      SELINUX=disabled

      ansible all -a "sed -i '7s/.*/#&/' /etc/selinux/config"

      ansible all -a "sed -i '7a SELINUX=disabled' /etc/selinux/config"

 

  1.9:关闭交换分区swap

    swapoff -a

    rm /dev/mapper/centos-swap

    sed -i 's/.*swap.*/#&/' /etc/fstab

    ansible all -a 'swapoff -a'

    ansible all -a 'rm /dev/mapper/centos-swap'

    ansible all -a "sed -i 's/.*swap.*/#&/' /etc/fstab"

    ansible all -a 'reboot'

 

二:部署etcd(yum方法)

https://blog.csdn.net/xiaozhangdetuzi/article/details/81302405

https://www.jianshu.com/p/e892997b387b

  2.1:所有节点安装etcd

    ansible all -a 'yum install -y etcd'

  2.2:配置etcd.conf

    vim /etc/etcd/etcd.conf

[root@k8s-01 ~]# vim /etc/etcd/etcd.conf (原文件)

#[Member]
#ETCD_CORS=""
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_WAL_DIR=""
#ETCD_LISTEN_PEER_URLS="http://localhost:2380"
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
ETCD_NAME="default"
#ETCD_SNAPSHOT_COUNT="100000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
#ETCD_QUOTA_BACKEND_BYTES="0"
#ETCD_MAX_REQUEST_BYTES="1572864"
#ETCD_GRPC_KEEPALIVE_MIN_TIME="5s"
#ETCD_GRPC_KEEPALIVE_INTERVAL="2h0m0s"
#ETCD_GRPC_KEEPALIVE_TIMEOUT="20s"
#
#[Clustering]
#ETCD_INITIAL_ADVERTISE_PEER_URLS="http://localhost:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://localhost:2379"
#ETCD_DISCOVERY=""
#ETCD_DISCOVERY_FALLBACK="proxy"
#ETCD_DISCOVERY_PROXY=""
#ETCD_DISCOVERY_SRV=""
#ETCD_INITIAL_CLUSTER="default=http://localhost:2380"
#ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#ETCD_INITIAL_CLUSTER_STATE="new"
#ETCD_STRICT_RECONFIG_CHECK="true"
#ETCD_ENABLE_V2="true"
#
#[Proxy]
#ETCD_PROXY="off"
#ETCD_PROXY_FAILURE_WAIT="5000"
#ETCD_PROXY_REFRESH_INTERVAL="30000"
#ETCD_PROXY_DIAL_TIMEOUT="1000"
#ETCD_PROXY_WRITE_TIMEOUT="5000"
#ETCD_PROXY_READ_TIMEOUT="0"
#
#[Security]
#ETCD_CERT_FILE=""
#ETCD_KEY_FILE=""
#ETCD_CLIENT_CERT_AUTH="false"
#ETCD_TRUSTED_CA_FILE=""
#ETCD_AUTO_TLS="false"
#ETCD_PEER_CERT_FILE=""
#ETCD_PEER_KEY_FILE=""
#ETCD_PEER_CLIENT_CERT_AUTH="false"
#ETCD_PEER_TRUSTED_CA_FILE=""
#ETCD_PEER_AUTO_TLS="false"
#
#[Logging]
#ETCD_DEBUG="false"
#ETCD_LOG_PACKAGE_LEVELS=""
#ETCD_LOG_OUTPUT="default"
#
#[Unsafe]
#ETCD_FORCE_NEW_CLUSTER="false"
#
#[Version]
#ETCD_VERSION="false"
#ETCD_AUTO_COMPACTION_RETENTION="0"
#
#[Profiling]
#ETCD_ENABLE_PPROF="false"
#ETCD_METRICS="basic"
#
#[Auth]
#ETCD_AUTH_TOKEN="simple"

 

      k8s-01

[root@k8s-01 ~]# vim /etc/etcd/etcd.conf

#[Member]
#节点名称
ETCD_NAME="k8s-01"
#指定节点的数据存储目录
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#监听URL,用于与其他节点通讯
ETCD_LISTEN_PEER_URLS="http://10.8.8.31:2380"
#对外提供服务的地址,客户端会连接到这里和 etcd 交互
ETCD_LISTEN_CLIENT_URLS="http://10.8.8.31:2379,http://127.0.0.1:2379"

#[Clustering]
#该节点同伴监听地址,这个值会告诉集群中其他节点
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.8.8.31:2380"
#对外公告的该节点客户端监听地址,这个值会告诉集群中其他节点
ETCD_ADVERTISE_CLIENT_URLS="http://10.8.8.31:2379"
#集群中所有节点的信息,
#格式为 node1=http://ip1:2380,node2=http://ip2:2380,…
#注意:这里的 node1 是节点的 --name 指定的名字;后面的 ip1:2380 是 --initial-advertise-peer-urls 指定的值
ETCD_INITIAL_CLUSTER="k8s-01=http://10.8.8.31:2380,k8s-02=http://10.8.8.32:2380,k8s-03=http://10.8.8.33:2380"
#创建集群的 token,这个值每个集群保持唯一。
#这样的话,如果你要重新创建集群,即使配置和之前一样,也会再次生成新的集群和节点 uuid;否则会导致多个集群之间的冲突,造成未知的错误
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#新建集群的时候,这个值为 new ;假如已经存在的集群,这个值为 existing
ETCD_INITIAL_CLUSTER_STATE="new" 

 

       k8s-02

#[Member]
ETCD_NAME="k8s-02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://10.8.8.32:2380"
ETCD_LISTEN_CLIENT_URLS="http://10.8.8.32:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://10.8.8.32:2380"
ETCD_ADVERTISE_CLIENT_URLS="http://10.8.8.32:2379"
ETCD_INITIAL_CLUSTER="k8s-01=http://10.8.8.31:2380,k8s-02=http://10.8.8.32:2380,k8s-03=http://10.8.8.33:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

 

   2.3:etcd集群,

    所有节点分别运行

      systemctl start etcd

    或ansible运行

      ansible all -a 'systemctl start etcd'

     检测启动情况:

       etcdctl member list

[root@k8s-01 etcd]# etcdctl member list
21a69e29ab8d1218: name=k8s-02 peerURLs=http://10.8.8.32:2380 clientURLs=http://10.8.8.32:2379 isLeader=true
3df47f4e2d43b21a: name=k8s-03 peerURLs=http://10.8.8.33:2380 clientURLs=http://10.8.8.33:2379 isLeader=false
5b118d787e1ab5d3: name=k8s-01 peerURLs=http://10.8.8.31:2380 clientURLs=http://10.8.8.31:2379 isLeader=false

       k8s-02 isLeader=true 为主节点

      etcdctl -C http://10.8.8.31:2379 cluster-health

[root@k8s-01 etcd]# etcdctl -C http://10.8.8.31:2379 cluster-health
member 21a69e29ab8d1218 is healthy: got healthy result from http://10.8.8.32:2379
member 3df47f4e2d43b21a is healthy: got healthy result from http://10.8.8.33:2379
member 5b118d787e1ab5d3 is healthy: got healthy result from http://10.8.8.31:2379
cluster is healthy

     设置开机启动:

      ansible all -a 'systemctl enable etcd'

 

 三:安装docker

  3.1:安装docker yum (各节点都要安装)

    ansible all -a 'yum install -y docker'

    ansible all -a 'docker version'  (报错如下)

[root@k8s-01 etcd]# ansible all -a 'docker version'
10.8.8.31 | FAILED | rc=1 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?non-zero return code

10.8.8.32 | FAILED | rc=1 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?non-zero return code

10.8.8.33 | FAILED | rc=1 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?non-zero return code

       ansible all -a 'systemctl daemon-reload'

      ansible all -a 'systemctl restart docker'

         ansible all -a 'docker version'

[root@k8s-01 etcd]# ansible all -a 'docker version'
10.8.8.31 | SUCCESS | rc=0 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64
 Experimental:    false

10.8.8.33 | SUCCESS | rc=0 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64
 Experimental:    false

10.8.8.32 | SUCCESS | rc=0 >>
Client:
 Version:         1.13.1
 API version:     1.26
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64

Server:
 Version:         1.13.1
 API version:     1.26 (minimum version 1.12)
 Package version: docker-1.13.1-91.git07f3374.el7.centos.x86_64
 Go version:      go1.10.3
 Git commit:      07f3374/1.13.1
 Built:           Wed Feb 13 17:10:12 2019
 OS/Arch:         linux/amd64
 Experimental:    false

 

       ifconfig

[root@k8s-01 etcd]# ifconfig
docker0: flags=4099  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:7f:71:21:01  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163  mtu 1500
        inet 10.8.8.31  netmask 255.255.255.0  broadcast 10.8.8.255
        inet6 fe80::4e95:1400:1371:99a4  prefixlen 64  scopeid 0x20
        ether 00:0c:29:0b:69:ff  txqueuelen 1000  (Ethernet)
        RX packets 83459  bytes 43293262 (41.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60528  bytes 7960462 (7.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1358  bytes 731784 (714.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1358  bytes 731784 (714.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    3.2:设置开机启动:

      ansible all -a 'systemctl enable docker'

 

四:安装kubernetes

  4.1:安装kubernetes(各节点都要安装)

    ansible all -a 'yum install -y kubernetes'

 

   4.2:kubernetes master上要运行以下组件   

    Kubernets API Server

    Kubernets Controller Manager

    Kubernets Scheduler

   

  4.3:配置并启动master:(在master机器编辑)

    4.3.1:apiserver

https://segmentfault.com/a/1190000002920092

      vim /etc/kubernetes/apiserver

      apiserver原文件:

[root@k8s-01 ~]# vim /etc/kubernetes/apiserver 
(原文件)
###
# kubernetes system config
#
# The following values are used to configure the kube-apiserver
#

# The address on the local server to listen to.
KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"

# The port on the local server to listen on.
# KUBE_API_PORT="--port=8080"

# Port minions listen on
# KUBELET_PORT="--kubelet-port=10250"

# Comma separated list of nodes in the etcd cluster
KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379"

# Address range to use for services
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"

# default admission control policies
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"

# Add your own!
KUBE_API_ARGS=""

 

       apiserver修改后文件:

[root@k8s-01 ~]# vim /etc/kubernetes/apiserver 

###
# kubernetes system config
#
# The following values are used to configure the kube-apiserver
#

# The address on the local server to listen to.
# –insecure-bind-address: apiserver绑定主机的非安全端口,设置0.0.0.0表示绑定所有IP地址 KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0" # The port on the local server to listen on.
# –insecure-port: apiserver绑定主机的非安全端口号,默认为8080 KUBE_API_PORT="--port=8080" # Port minions listen on # KUBELET_PORT="--kubelet-port=10250" # Comma separated list of nodes in the etcd cluster KUBE_ETCD_SERVERS="--etcd-servers=http://10.8.8.31:2379,http://10.8.8.32:2379,http://10.8.8.33:2379" # Address range to use for services
# –service-cluster-ip-range: Kubernetes集群中service的虚拟IP地址范围,以CIDR表示,该IP范围不能与物理机的真实IP段有重合
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16" # default admission control policies
# –admission_control: kubernetes集群的准入控制设置,各控制模块以插件的形式依次生效
# NamespaceExists它会观察所有的请求,如果请求尝试创建一个不存在的namespace,则这个请求被拒绝
# LimitRanger他会观察所有的请求,确保没有违反已经定义好的约束条件,这些条件定义在namespace中LimitRange对象中
#  如果在kubernetes中使用LimitRange对象,则必须使用这个插件
# SecurityContextDeny这个插件将会将使用了 SecurityContext的pod中定义的选项全部失效
# serviceAccount为运行在pod内的进程添加了相应的认证信息
# ResourceQuota它会观察所有的请求,确保在namespace中ResourceQuota对象处列举的container没有任何异常,
# 如果在kubernetes中使用了ResourceQuota对象,就必须使用这个插件来约束container,
# 推荐在admission control参数列表中,这个插件排最后一个! #KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota" # serviceAccount为运行在pod内的进程添加了相应的认证信息(因此例未做认证,所以此项取消)
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"
# Add your own! KUBE_API_ARGS=""

 

    4.3.2:config

      vim /etc/kubernetes/config

       config原文件:

[root@k8s-01 ~]# vim /etc/kubernetes/config 

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://127.0.0.1:8080"

 

    config修改后文件:

[root@k8s-01 ~]# vim /etc/kubernetes/config 

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://10.8.8.31:8080"

 

      4.3.3:master节点启动服务并设置开机启动

          [root@k8s-01 ~]# systemctl start kube-apiserver

          [root@k8s-01 ~]# systemctl enable kube-apiserver

          [root@k8s-01 ~]# systemctl start kube-controller-manager

          [root@k8s-01 ~]# systemctl enable kube-controller-manager

          [root@k8s-01 ~]# systemctl start kube-scheduler

          [root@k8s-01 ~]# systemctl enable kube-scheduler

 

    4.4:配置并启动node:(node节点机器操作)

      4.4.1:在kubernetes node上需要运行以下组件:

          Kubelet

          Kubernets Proxy

      4.4.2:config

          vim /etc/kubernetes/config

          config原文件

[root@k8s-02 ~]# vim /etc/kubernetes/config 

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://127.0.0.1:8080"

 

      config修改后文件:

[root@k8s-02 etcd]# vim /etc/kubernetes/config 

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
#   kube-apiserver.service
#   kube-controller-manager.service
#   kube-scheduler.service
#   kubelet.service
#   kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://10.8.8.31:8080"

 

       4.4.3:kubelet

          vim /etc/kubernetes/kubelet

          kubelet原文件:

[root@k8s-02 ~]# vim /etc/kubernetes/kubelet 

###
# kubernetes kubelet (minion) config

# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=127.0.0.1"

# The port for the info server to serve on
# KUBELET_PORT="--port=10250"

# You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=127.0.0.1"

# location of the api-server
KUBELET_API_SERVER="--api-servers=http://127.0.0.1:8080"

# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"

# Add your own!
KUBELET_ARGS=""

 

        kubelet修改后文件:

[root@k8s-02 etcd]# vim /etc/kubernetes/kubelet

###
# kubernetes kubelet (minion) config

# The address for the info server to serve on (set to 0.0.0.0 or "" for all interfaces)
KUBELET_ADDRESS="--address=0.0.0.0"

# The port for the info server to serve on
# KUBELET_PORT="--port=10250"

# You may leave this blank to use the actual hostname
KUBELET_HOSTNAME="--hostname-override=10.8.8.32"

# location of the api-server
KUBELET_API_SERVER="--api-servers=http://10.8.8.31:8080"

# pod infrastructure container
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"

# Add your own!
KUBELET_ARGS=""

 

      4.4.4:启动服务并添加开机启动

          [root@k8s-02 ~]# systemctl start kubelet

          [root@k8s-02 ~]# systemctl enable kubelet

          [root@k8s-02 ~]# systemctl start kube-proxy

          [root@k8s-02 ~]# systemctl enable kube-proxy

 坑!

vim /etc/kubernetes/kubelet中

KUBELET_HOSTNAME="--hostname-override=10.8.8.32"这里如果没有配置hostname,status会报错

3月 20 11:19:56 k8s-02 kube-proxy[29412]: E0320 11:19:56.256315   29412 server.go:421] Can't get Node "k8s-02", assuming iptables proxy, err: nodes "k8s-02" not found

修改配置为: KUBELET_HOSTNAME="--hostname-override=k8s-02"

重启服务:systemctl restart kube-proxy

        

  4.5:进入master机器,查看node状态

    kubectl -s http://10.8.8.31:8080 get node

[root@k8s-01 ~]# kubectl -s http://10.8.8.31:8080 get node
NAME        STATUS     AGE
10.8.8.32   NotReady   1h
k8s-02      Ready      2m
k8s-03      Ready      7m

 

五:配置网络flannel 

   5.1:安装flannel(各节点机器都要安装)

    [root@k8s-01 ~]# ansible all -a 'yum install -y flannel'

 

  5.2:配置flannel

      vim /etc/sysconfig/flanneld

[root@k8s-01 ~]# vim /etc/sysconfig/flanneld 

# Flanneld configuration options  

# etcd url location.  Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="http://10.8.8.31:2379,http://10.8.8.32:2379,http://10.8.8.33:2379"

# etcd config key.  This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/atomic.io/network"

# Any additional options that you want to pass
#FLANNEL_OPTIONS=""

 

  5.3:配置flannel网段

      etcdctl mk /atomic.io/network/config '{ "Network":"10.10.0.0/16" }'

      Flannel使用Etcd进行配置,来保证多个Flannel实例之间的配置一致性,所以需要在etcd上进行如下配置:(‘/atomic.io/network/config’这个key与上文/etc/sysconfig/flannel中的配置项FLANNEL_ETCD_PREFIX是相对应的,错误的话启动就会出错)

[root@k8s-01 ~]# etcdctl mk /atomic.io/network/config '{ "Network":"10.10.0.0/16" }'
{ "Network":"10.10.0.0/16" }

 

  5.4:启动flannel服务并重启kubernetes服务

    5.4.1:master上启动

      [root@k8s-01 ~]# ansible master -a 'systemctl start flanneld'

      [root@k8s-01 ~]# ansible master -a 'systemctl enable flanneld'

      ifconfig 可以看到flannel信息

[root@k8s-01 ~]# ifconfig
docker0: flags=4099  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        ether 02:42:7f:71:21:01  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163  mtu 1500
        inet 10.8.8.31  netmask 255.255.255.0  broadcast 10.8.8.255
        inet6 fe80::4e95:1400:1371:99a4  prefixlen 64  scopeid 0x20
        ether 00:0c:29:0b:69:ff  txqueuelen 1000  (Ethernet)
        RX packets 900960  bytes 259734166 (247.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 843207  bytes 139504742 (133.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

flannel0: flags=4305  mtu 1472
        inet 10.10.43.0  netmask 255.255.0.0  destination 10.10.43.0
        inet6 fe80::da51:4e1c:3fdb:4c90  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 245215  bytes 80894269 (77.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 245215  bytes 80894269 (77.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

       [root@k8s-01 ~]# ansible master -a 'systemctl restart docker'

      [root@k8s-01 ~]# ansible master -a 'systemctl restart kube-apiserver'

      [root@k8s-01 ~]# ansible master -a 'systemctl restart kube-controller-manager'

      [root@k8s-01 ~]# ansible master -a 'systemctl restart kube-scheduler'

 

    5.4.2:node上启动

       [root@k8s-01 ~]# ansible node -a 'systemctl start flanneld'

      [root@k8s-01 ~]# ansible node -a 'systemctl enable flanneld'

      [root@k8s-01 ~]# ansible node -a 'systemctl restart docker'

      [root@k8s-01 ~]# ansible node -a 'systemctl restart kubelet'

      [root@k8s-01 ~]# ansible node -a 'systemctl restart kube-proxy'

 

 六:kubernetes-dashboard安装

https://www.cnblogs.com/zhenyuyaodidiao/p/6500897.html

https://blog.csdn.net/qq1083062043/article/details/84949924

https://www.cnblogs.com/fengzhihai/p/9851470.html

https://www.cnblogs.com/yy-cxd/p/6650573.html

 

  6.1:准备registry.access.redhat.com/rhel7/pod-infrastructure:latest  (各节点都下载)

      wget http://mirror.centos.org/centos/7/os/x86_64/Packages/python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm

      rpm2cpio python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm | cpio -iv --to-stdout ./etc/rhsm/ca/redhat-uep.pem | tee /etc/rhsm/ca/redhat-uep.pem

      vim /etc/rhsm/ca/redhat-uep.pem 已经有数据

      docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest

   6.2:拉取kubernetes-dashboard-amd64:v1.5.1  (西游记)

      docker pull gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1

  6.3:docker文件转tar包  (master上执行)

      docker save gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1 > dashboard.tar

      docker save registry.access.redhat.com/rhel7/pod-infrastructure:latest > podinfrastructure.tar

  6.4:tar包转docker

      docker load < dashboard.tar

      

  6.5:准备yaml文件

    mkdir -p /etc/kubernetes/yamlfile

    cd /etc/kubernetes/yamlfile  

    wget https://rawgit.com/kubernetes/kubernetes/master/cluster/addons/dashboard/dashboard-controller.yaml

    wget https://rawgit.com/kubernetes/kubernetes/master/cluster/addons/dashboard/dashboard-service.yaml

    vim dashboard.yaml

  1 apiVersion: extensions/v1beta1
  2 kind: Deployment
  3 metadata:
  4 # Keep the name in sync with image version and
  5 # gce/coreos/kube-manifests/addons/dashboard counterparts
  6   name: kubernetes-dashboard-latest
  7   namespace: kube-system
  8 spec:
  9   replicas: 1
 10   template:
 11     metadata:
 12       labels:
 13         k8s-app: kubernetes-dashboard
 14         version: latest
 15         kubernetes.io/cluster-service: "true"
 16     spec:
 17       containers:
 18       - name: kubernetes-dashboard
 19         image: gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
 20         resources:
 21           # keep request = limit to keep this container in guaranteed class
 22           limits:
 23             cpu: 100m
 24             memory: 50Mi
 25           requests:
 26             cpu: 100m
 27             memory: 50Mi
 28         ports:
 29         - containerPort: 9090
 30         args:
 31          -  --apiserver-host=http://10.8.8.31:8080
 32         livenessProbe:
 33           httpGet:
 34             path: /
 35             port: 9090
 36           initialDelaySeconds: 30
 37           timeoutSeconds: 30

     vim dashboardsvc.yaml

  1 apiVersion: v1
  2 kind: Service
  3 metadata:
  4   name: kubernetes-dashboard
  5   namespace: kube-system
  6   labels:
  7     k8s-app: kubernetes-dashboard
  8     kubernetes.io/cluster-service: "true"
  9 spec:
 10   selector:
 11     k8s-app: kubernetes-dashboard
 12   ports:
 13   - port: 80
 14     targetPort: 9090

 

  6.6:用yaml启动

      kubectl create -f dashboard.yaml

      kubectl create -f dashboardsvc.yaml

[root@k8s-01 yamlfail]# kubectl create -f dashboard.yaml 
deployment "kubernetes-dashboard-latest" created
[root@k8s-01 yamlfail]# kubectl create -f dashboardsvc.yaml 
service "kubernetes-dashboard" created

       删除方法:

        kubectl delete -f xxx.yaml

        kubectl delete deployment kubernetes-dashboard-latest --namespace=kube-system

        kubectl delete svc  kubernetes-dashboard --namespace=kube-system

      注意:

        kubectl get deployment --all-namespaces

        不要直接删除pod,使用kubectl请删除拥有该pod的Deployment。如果直接删除pod,则Deployment将会重新创建该pod。

        

 

  6.7:查看pod状态

      kubectl get pod --all-namespaces

[root@k8s-01 yamlfail]# kubectl get pod --all-namespaces
NAMESPACE     NAME                                          READY     STATUS    RESTARTS   AGE
kube-system   kubernetes-dashboard-latest-190610294-c027r   1/1       Running   0          1h

       

      kubectl get svc  --all-namespaces

[root@k8s-01 yamlfail]# kubectl get svc  --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
default       kubernetes             10.254.0.1              443/TCP   2d
kube-system   kubernetes-dashboard   10.254.112.86           80/TCP    1h

 

      kubectl get pod  -o wide  --all-namespaces

[root@k8s-01 yamlfail]# kubectl get pod  -o wide  --all-namespaces
NAMESPACE     NAME                                          READY     STATUS    RESTARTS   AGE       IP           NODE
kube-system   kubernetes-dashboard-latest-190610294-c027r   1/1       Running   0          1h        10.10.49.2   k8s-02

 

   6.8:web访问

      http://10.8.8.31:8080/ui

Error: 'dial tcp 10.10.49.2:9090: getsockopt: connection timed out'
Trying to reach: 'http://10.10.49.2:9090/'

       

  6.9:curl 10.10.49.2:9090

[root@k8s-02 ~]# curl 10.10.49.2:9090
     Kubernetes Dashboard              

 

      通过查看网卡信息,k8s-03为10.10.80.0网段

      [root@k8s-03 zm]# ifconfig

flannel0: flags=4305  mtu 1472
        inet 10.10.80.0  netmask 255.255.0.0  destination 10.10.80.0
        inet6 fe80::3624:5df7:a344:fc0e  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

   

      在k8s-03机器上可以ping通dashboard,其他机器不通

[root@k8s-03 zm]# ping 10.10.80.2
PING 10.10.80.2 (10.10.80.2) 56(84) bytes of data.
64 bytes from 10.10.80.2: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 10.10.80.2: icmp_seq=2 ttl=64 time=0.043 ms

 

      查看docker ip:

        docker inspect -f '{{.Name}} - {{.NetworkSettings.IPAddress }}' $(docker ps -aq)

[root@k8s-03 zz]# docker inspect -f '{{.Name}} - {{.NetworkSettings.IPAddress }}' $(docker ps -aq)
/k8s_kubernetes-dashboard.88d5a45d_kubernetes-dashboard-latest-190610294-zxgtw_kube-system_9ba7a9b3-4bbc-11e9-958a-000c290b69ff_e5226d0a - 
/k8s_POD.28c50bab_kubernetes-dashboard-latest-190610294-zxgtw_kube-system_9ba7a9b3-4bbc-11e9-958a-000c290b69ff_c5434807 - 10.10.80.2
/k8s_kubernetes-dashboard.88d5a45d_kubernetes-dashboard-latest-190610294-zxgtw_kube-system_9ba7a9b3-4bbc-11e9-958a-000c290b69ff_443e86fe - 
/k8s_POD.28c50bab_kubernetes-dashboard-latest-190610294-zxgtw_kube-system_9ba7a9b3-4bbc-11e9-958a-000c290b69ff_618335e7 - 

 

        kubectl cluster-info

[root@k8s-01 yamlfail]# kubectl cluster-info
Kubernetes master is running at http://localhost:8080
kubernetes-dashboard is running at http://localhost:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

 

     解决办法:

      各节点开启ip转发:

        echo "net.ipv4.ip_forward = 1" >>/usr/lib/sysctl.d/50-default.conf 

       各节点修改flannel配置文件:

        vim /etc/sysconfig/flanneld

 

 

 

填坑:

    [root@k8s-01 yamlfile]# kubectl create -f dashboard-controller.yaml

[root@k8s-01 yamlfile]# kubectl create -f dashboard-controller.yaml
Error from server (AlreadyExists): error when creating "dashboard-controller.yaml": serviceaccounts "kubernetes-dashboard" already exists
yaml: line 50: did not find expected key

     用如下方法删除

      kubectl delete -f kubernetes-dashboard.yaml

[root@k8s-01 yamlfile]# kubectl delete -f kubernetes-dashboard.yaml
secret "kubernetes-dashboard-certs" deleted
serviceaccount "kubernetes-dashboard" deleted

     再次创建

      kubectl create -f dashboard-controller.yaml

[root@k8s-01 yamlfile]# kubectl create -f dashboard-controller.yaml
serviceaccount "kubernetes-dashboard" created
error: yaml: line 50: did not find expected key

     

      kubectl create -f dashboard-service.yaml

[root@k8s-01 yamlfile]# kubectl create -f dashboard-service.yaml 
service "kubernetes-dashboard" created

     查看:

      kubectl get svc --all-namespaces

[root@k8s-01 yamlfile]# kubectl get svc --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
default       kubernetes             10.254.0.1              443/TCP   23h
kube-system   kubernetes-dashboard   10.254.227.33           443/TCP   4m

 

    网页访问:

      http://10.8.8.31:8080/ui (不成功)

坑!

https://www.cnblogs.com/guyeshanrenshiwoshifu/p/9147238.html

    查看pod:

     kubectl get pods --all-namespaces

[root@k8s-01 yamlfile]# kubectl get pods --all-namespaces
NAMESPACE     NAME                                    READY     STATUS              RESTARTS   AGE
kube-system   kubernetes-dashboard-1468570674-zxgtw   0/1       ContainerCreating   0          7m

 

    查看信息:

      kubectl describe pod kubernetes-dashboard-2498798083-tgwsn --namespace=kube-system

[root@k8s-01 yamlfile]# kubectl describe pod kubernetes-dashboard-2498798083-tgwsn --namespace=kube-system
Name:		kubernetes-dashboard-2498798083-tgwsn
Namespace:	kube-system
Node:		k8s-03/10.8.8.33
Start Time:	Thu, 21 Mar 2019 12:04:12 +0800
Labels:		app=kubernetes-dashboard
		pod-template-hash=2498798083
Status:		Pending
IP:		
Controllers:	ReplicaSet/kubernetes-dashboard-2498798083
Containers:
  kubernetes-dashboard:
    Container ID:	
    Image:		gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1
    Image ID:		
    Port:		9090/TCP
    Args:
      --apiserver-host=http://10.8.8.31:8080
    State:			Waiting
      Reason:			ContainerCreating
    Ready:			False
    Restart Count:		0
    Liveness:			http-get http://:9090/ delay=30s timeout=30s period=10s #success=1 #failure=3
    Volume Mounts:		
    Environment Variables:	
Conditions:
  Type		Status
  Initialized 	True 
  Ready 	False 
  PodScheduled 	True 
No volumes.
QoS Class:	BestEffort
Tolerations:	dedicated=master:Equal:NoSchedule
Events:
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason		Message
  ---------	--------	-----	----			-------------	--------	------		-------
  1h		1m		18	{kubelet k8s-03}			Warning		FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for registry.access.redhat.com/rhel7/pod-infrastructure:latest, this may be because there are no credentials on this request.  details: (open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory)"

  1h	2s	296	{kubelet k8s-03}		Warning	FailedSync	Error syncing pod, skipping: failed to "StartContainer" for "POD" with ImagePullBackOff: "Back-off pulling image \"registry.access.redhat.com/rhel7/pod-infrastructure:latest\""

 

       cd /etc/docker/certs.d/registry.access.redhat.com/

[root@k8s-01 ~]# cd /etc/docker/certs.d/registry.access.redhat.com/
[root@k8s-01 registry.access.redhat.com]# ll
总用量 0
lrwxrwxrwx 1 root root 27 3月  20 09:06 redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
[root@k8s-01 registry.access.redhat.com]# cd /etc/rhsm/ca/
[root@k8s-01 ca]# ll
总用量 0

       生成:redhat-uep.pem

        wget http://mirror.centos.org/centos/7/os/x86_64/Packages/python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm

        rpm2cpio python-rhsm-certificates-1.19.10-1.el7_4.x86_64.rpm | cpio -iv --to-stdout ./etc/rhsm/ca/redhat-uep.pem | tee /etc/rhsm/ca/redhat-uep.pem

        vim /etc/rhsm/ca/redhat-uep.pem 已经有数据

        docker pull registry.access.redhat.com/rhel7/pod-infrastructure:latest

      删除并重新生成

        cd /etc/kubernetes/yamlfile/

        kubectl delete -f dashboard-controller.yaml

        kubectl delete -f dashboard-service.yaml

        kubectl create -f dashboard-controller.yaml

        kubectl create -f dashboard-service.yaml

 

 七:继续测试kube-ui

  7.1:web访问:

    http://10.8.8.31:8080/ui

    自动跳转到:

    http://10.8.8.31:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/

    报错:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "endpoints \"kubernetes-dashboard\" not found",
  "reason": "NotFound",
  "details": {
    "name": "kubernetes-dashboard",
    "kind": "endpoints"
  },
  "code": 404
}

  

  7.2:重启各结点及创建docker

    测试网络联通性,master上要能ping通个node上的docker

    cd /etc/kubernetes/yamlfail

    kubectl create -f dashboard.yaml

    kubectl create -f dashboardsvc.yaml

[root@k8s-01 yamlfail]# kubectl create -f dashboard.yaml
deployment "kubernetes-dashboard-latest" created
您在 /var/spool/mail/root 中有新邮件
[root@k8s-01 yamlfail]# kubectl create -f dashboardsvc.yaml
service "kubernetes-dashboard" created

  

   7.3:查看状态

    kubectl get deployment --all-namespaces

    kubectl get svc --all-namespaces

    kubectl get pod -o wide --all-namespaces

[root@k8s-01 yamlfail]# kubectl get deployment --all-namespaces
NAMESPACE     NAME                          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
kube-system   kubernetes-dashboard-latest   1         1         1            1           22s
[root@k8s-01 yamlfail]# kubectl get svc  --all-namespaces
NAMESPACE     NAME                   CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
default       kubernetes             10.254.0.1               443/TCP   14d
kube-system   kubernetes-dashboard   10.254.157.175           80/TCP    38s
[root@k8s-01 yamlfail]# kubectl get pod  -o wide  --all-namespaces
NAMESPACE     NAME                                          READY     STATUS    RESTARTS   AGE       IP          NODE
kube-system   kubernetes-dashboard-latest-190610294-nf0jc   1/1       Running   0          59s       10.10.7.2   k8s-03

  

   7.4:再次web访问:

    http://10.8.8.31:8080/ui

    http://10.8.8.31:8080/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload?namespace=default

 CentOS7.6配置do.cker和K.B.S_第1张图片

 

 

感谢:

条例清晰!(方法一)

https://www.cnblogs.com/zhenyuyaodidiao/p/6500830.html

https://www.cnblogs.com/zhenyuyaodidiao/p/6500897.html

有点繁杂:(方法二)

https://www.cnblogs.com/netsa/p/8279045.html

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      方法二      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

方法二:

 未完结!!!

 

一:环境准备

  1.1:删除原有go/golang

whereis go
whereis golang  
whereis gocode #如果需要的话
//找到后删除
rm -rf  xxx

 

  1.2:下载

     https://studygolang.com/dl

    wget https://studygolang.com/dl/golang/go1.12.linux-amd64.tar.gz

  

  1.3:解压到指定目录

    tar -C /usr/local/ -zxvf go1.12.linux-amd64.tar.gz

    cd /usr/local/go

  

  1.4:建立gopath目录

    mkdir -p /home/gocode

  

  1.5:添加环境

    vim /etc/profile

export GOROOT=/usr/local/go
export GOPATH=/home/gocode
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

     source /etc/profile

    验证是否成功

    go version

  

  1.6:安装git

    yum install -y git

 

  1.7:下载

 go get -v github.com/gin-gonic/gin
 go get -v github.com/go-sql-driver/mysql
 go get -v github.com/robfig/cron

 

  1.8:测试

vim helloworld.go 

package main 
import "fmt" 
func main() { 
fmt.Printf("Hello, world.\n") 
} 

运行 go run helloworld.go 
编译 go build helloworld.go 
go install 
编译后的文件运行为 ./helloworld 
后台运行: 
Linux 在运行程序的尾部加入&,或者nohup ./example &

   1.9:SSH免密

https://blog.csdn.net/wangganggang3168/article/details/80568049

https://blog.csdn.net/wang704987562/article/details/78904350

    ssh-keygen -t rsa (各节点均需执行)

[root@docker-01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UhHoFCQ/SyuQdw61fWVPkQn/jhY59HwTvG/SpfC4CXk root@docker-01
The key's randomart image is:
+---[RSA 2048]----+
|    ..+oo.  +.o+ |
|   . +oo . o ++  |
|  o oo* o .   +o |
|   o =.= .   . =o|
|    . = S   . +o*|
|     . .   . + B=|
|          o E * =|
|           o + o |
|            o    |
+----[SHA256]-----+

    把各节点的id_rsa.pub内容集中拷贝到authorized_keys

    vim /root/.ssh/id_rsa.pub

    vim /root/.ssh/authorized_keys

    scp authorized_keys root@docker-01:/root/.ssh/

    分别登入其他节点,分别ssh到各节点,第一次ssh会有提示,输入yes后解除

[root@docker-02 .ssh]# ssh docker-04
The authenticity of host 'docker-04 (10.8.8.24)' can't be established.
ECDSA key fingerprint is SHA256:8UK41mz0DDPjzQ7UPH9ADOFYBN34cMFJVXaOJ5gADx0.
ECDSA key fingerprint is MD5:15:63:19:03:ad:fb:a6:e8:3d:74:01:0b:ab:88:88:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'docker-04,10.8.8.24' (ECDSA) to the list of known hosts.
Last login: Wed Mar 13 21:02:52 2019 from docker-01

  

二:生成证书:

  2.1:

    参考:https://kubernetes.io/zh/docs/concepts/cluster-administration/certificates/#创建证书

       CFSSL方法

    https://kubernetes.io/zh/docs/concepts/cluster-administration/certificates/#cfssl

    下载安装:cd /zz

curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /bin/cfssl-certinfo
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /bin/cfssljson
chmod +x cfssl*

   

  2.2:创建ca-config.jaon:

    mkdir -p /opt/ssl && cd /opt/ssl

    可用cfssl print-defaults config > ca-config.json自动生成后按需改配置

    vim ca-config.jaon

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

     过期时间配置为10年

    ca-config.json:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数,后续在签名证书时使用某个profile

    signing:表示该证书可用于签名其它证书,生成的ca.pem证书中CA=TRUE;

    server auth:表示client可以用该CA对server提供的证书进行验证;

    client auth:表示server可以用该CA对client提供的证书进行验证

 

   2.3:创建ca-csr.jaon

    可用cfssl print-defaults csr > ca-csr.json自动生成后按需修改

    vim ca-csr.jaon

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names":[{
    "C": "",
    "ST": "",
    "L": "",
    "O": "",
    "OU": ""
  }]
}

   

{
  "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] }

     CN : Common Name,kube-apiserver从证书中提取该字段作为请求的用户名;

    O : Organization,kube-apiserver从证书中提取该字段作为请求用户所属的组; 

  2.4:生成证书密钥:   

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@docker-01 ssl]# vim ca-csr.json 
[root@docker-01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/03/13 11:01:36 [INFO] generating a new CA key and certificate from CSR
2019/03/13 11:01:36 [INFO] generate received request
2019/03/13 11:01:36 [INFO] received CSR
2019/03/13 11:01:36 [INFO] generating key: rsa-2048
2019/03/13 11:01:36 [INFO] encoded CSR
2019/03/13 11:01:36 [INFO] signed certificate with serial number 377680744285591674329230033735744500343528771314
[root@docker-01 ssl]# ll
总用量 20
-rw-r--r--. 1 root root  284 3月  12 21:33 ca-config.json
-rw-r--r--. 1 root root 1001 3月  13 11:01 ca.csr
-rw-r--r--. 1 root root  208 3月  13 11:01 ca-csr.json
-rw-------. 1 root root 1679 3月  13 11:01 ca-key.pem
-rw-r--r--. 1 root root 1359 3月  13 11:01 ca.pem

   

  2.5:创建kubernetes证书

     vim kubernetes-csr.json

{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "10.8.8.21",
      "10.8.8.22",
      "10.8.8.23",
      "10.8.8.24",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

 

 

   2.6:生成kubernetes密钥

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

[root@docker-01 ssl]# vim kubernetes-csr.json
[root@docker-01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
2019/03/13 11:21:38 [INFO] generate received request
2019/03/13 11:21:38 [INFO] received CSR
2019/03/13 11:21:38 [INFO] generating key: rsa-2048
2019/03/13 11:21:38 [INFO] encoded CSR
2019/03/13 11:21:38 [INFO] signed certificate with serial number 466577397722502141135271666270895637824536137432
2019/03/13 11:21:38 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

   上面WARNING先忽略

 

  2.7:创建admin证书

    vim admin-csr.json

{
  "CN": "kubernetes-admin",
  "hosts": [
        "10.8.8.21",
        "10.8.8.22",
        "10.8.8.23",
        "10.8.8.24"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

    kube-apiserver将提取CN作为客户端的用户名,这里是kubernetes-admin,

    将提取O作为用户所属的组,这里是system:master。

    kube-apiserver预定义了一些 RBAC使用的ClusterRoleBindings,

    例如 cluster-admin将组system:masters与 ClusterRole cluster-admin绑定,

    而cluster-admin拥有访问kube-apiserver的所有权限,

    因此kubernetes-admin这个用户将作为集群的超级管理员。 

 

   2.8:生成admin密钥

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

[root@docker-01 ssl]# vim admin-csr.json 
[root@docker-01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/03/13 13:19:32 [INFO] generate received request
2019/03/13 13:19:32 [INFO] received CSR
2019/03/13 13:19:32 [INFO] generating key: rsa-2048
2019/03/13 13:19:33 [INFO] encoded CSR
2019/03/13 13:19:33 [INFO] signed certificate with serial number 542875374330312060082808070092917596528046572224
2019/03/13 13:19:33 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

 

   2.9:创建kube-proxy-csr.json证书

      vim kube-proxy-csr.json

{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]

     指定证书User为 system:kube-proxy

    kube-apiserver 预定义的RoleBinding cluster-admin

    将User system:kube-proxy与Role system:node-proxier绑定,

    将Role授予调用kube-apiserver Proxy相关API的权限;

 

  生成kube-proxy证书和密钥

    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

[root@docker-01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy
2019/03/13 13:30:08 [INFO] generate received request
2019/03/13 13:30:08 [INFO] received CSR
2019/03/13 13:30:08 [INFO] generating key: rsa-2048
2019/03/13 13:30:08 [INFO] encoded CSR
2019/03/13 13:30:08 [INFO] signed certificate with serial number 567732124973226627997281945626780290685046730115
2019/03/13 13:30:08 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

 

   校验证书:看输出内容和json是否一致

    cfssl-certinfo -cert kubernetes.pem

组件 证书 说明
etcd ca.pem、kubernetes-key.pem、kubernetes.pem 和kube-apiserver通用
kube-apiserver ca.pem、kubernetes-key.pem、kubernetes.pem kube-controller、kube-scheduler和apiserver都是部署在master可以使用非安全通行,不再单独安装证书。
kube-proxy ca.pem、kube-proxy-key.pem、kube-proxy.pem  
kubectl ca.pem、admin-key.pem、admin.pem  

 

三:搭建Etcd

https://www.jianshu.com/p/98b8fa3e3596

  各节点均需执行!!!

  3.1:关闭selinux

    getenforce

    vim /etc/selinux/config

    SELINUX=disabled

 

  3.2:关闭交换分区swap

    swapoff -a

    rm /dev/mapper/centos-swap

    sed -i 's/.*swap.*/#&/' /etc/fstab

 

  3.3:设置内核

    vim /etc/sysctl.d/k8s.conf

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

     sysctl -p /etc/sysctl.conf

 

   3.4:环境配置

    vim /root/.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
export NODE_NAME=docker-01
export NODE_IP=10.8.8.21
export NODE_IPS="10.8.8.21 10.8.8.22 10.8.8.23 10.8.8.24"
export ETCD_NODES=docker-01=https://10.8.8.21:2380,docker-02=https://10.8.8.22:2380,docker-03=https://10.8.8.23:2380,docker-04=https://10.8.8.24:2380
~                                          

 

  3.5:etcd证书配置

    cd /etc/kubernetes/ssl

    创建etcd签名请求

    vim etcd-csr.json

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "10.8.8.21",
    "10.8.8.22",
    "10.8.8.23",
    "10.8.8.24"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

    生成etcd证书和秘钥

      cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
[root@docker-01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
2019/03/13 16:09:32 [INFO] generate received request
2019/03/13 16:09:32 [INFO] received CSR
2019/03/13 16:09:32 [INFO] generating key: rsa-2048
2019/03/13 16:09:33 [INFO] encoded CSR
2019/03/13 16:09:33 [INFO] signed certificate with serial number 398364810642443697380742999828998753293408212966
2019/03/13 16:09:33 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@docker-01 ssl]# 

  

  3.6:安装ETCD

    https://coreos.com/etcd/docs/latest/dl_build.html

    tar -zxvf etcd-v3.3.12-linux-amd64.tar.gz

    cd etcd-v3.3.12-linux-amd64

    cp etcd* /usr/local/bin/

      export ETCDCTL_API=3

    env

    拷贝到其他节点:

      scp /usr/local/bin/etcd* root@docker-02:/usr/local/bin/

      scp /usr/local/bin/etcd* root@docker-03:/usr/local/bin/

      scp /usr/local/bin/etcd* root@docker-04:/usr/local/bin/

    创建etcd工作目录

      mkdir -p /var/lib/etcd 

      如果没有配置这个目录,会现现Failed at step CHDIR spawning /usr/local/bin/etcd: No such file or directory的错误信息。

    创建配置文件目录

      mkdir -p /etc/etcd

 

  3.7:创建ETCD的配置文件

    /etc/etcd/etcd-key.conf:存放我们证书的配置信息

    /etc/etcd/etcd.conf:存放ETCD集群的配置信息

    vim /etc/etcd/etcd-key.conf

ETCD_KEY='--cert-file=/etc/kubernetes/ssl/etcd.pem --key-file=/etc/kubernetes/ssl/etcd-key.pem --peer-cert-file=/etc/kubernetes/ssl/etcd.pem --peer-key-file=/etc/kubernetes/ssl/etcd-key.pem --trusted-ca-file=/etc/kubernetes/ssl/ca.pem --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem'

    vim /etc/etcd/etcd.conf

    master配置:

ETCD_NAME='--name=k8s-master'
ETCD_DATA_DIR='--data-dir=/data/etcd'
ETCD_INITIAL_CLUSTER_STATE='--initial-cluster-state=new'
ETCD_INITIAL_CLUSTER_TOKEN='--initial-cluster-token=etcd-cluster-0'
ETCD_INITIAL_ADVERTISE_PEER_URLS='--initial-advertise-peer-urls=http://10.8.8.21:2380'
ETCD_LISTEN_PEER_URLS='--listen-peer-urls=http://10.8.8.21:2380'
ETCD_LISTEN_CLIENT_URLS='--listen-client-urls=http://10.8.8.21:2379,http://127.0.0.1:2379'
ETCD_ADVERTISE_CLIENT_URLS='--advertise-client-urls=http://10.8.8.21:2379'
ETCD_INITIAL_CLUSTER='--initial-cluster=k8s-master=http://10.8.8.21:2380,k8s-node02=http://10.8.8.22:2380,k8s-node03=http://10.8.8.23:2380,k8s-node04=http://10.8.8.24:2380'
#ETCD_KEY='/etc/kubernetes/ssl/'

  

    node配置:

 

ETCD_NAME='--name=k8s-node02'
ETCD_DATA_DIR='--data-dir=/data/etcd'
ETCD_INITIAL_CLUSTER_STATE='--initial-cluster-state=new'
ETCD_INITIAL_CLUSTER_TOKEN='--initial-cluster-token=etcd-cluster-0'
ETCD_INITIAL_ADVERTISE_PEER_URLS='--initial-advertise-peer-urls=http://10.8.8.22:2380'
ETCD_LISTEN_PEER_URLS='--listen-peer-urls=http://10.8.8.22:2380'
ETCD_LISTEN_CLIENT_URLS='--listen-client-urls=http://10.8.8.22:2379,http://127.0.0.1:2379'
ETCD_ADVERTISE_CLIENT_URLS='--advertise-client-urls=http://10.8.8.22:2379'
ETCD_INITIAL_CLUSTER='--initial-cluster=k8s-master=http://10.8.8.21:2380,k8s-node02=http://10.8.8.22:2380,k8s-node03=http://10.8.8.23:2380,k8s-node04=http://10.8.8.24:2380'
#ETCD_KEY='/etc/kubernetes/ssl/'

 

    /etc/etcd/etcd.conf文件中等号左边键与/usr/lib/systemd/system/etcd.service中$后的命名一致

    /etc/etcd/etcd.conf文件中等号右边单引号中等号左边的值与etcd --help中命名一致,如不一致启动集群时会报错

    vim /var/log/messages

Mar 14 13:53:22 docker-01 systemd: Starting Etcd Server...
Mar 14 13:53:22 docker-01 etcd: error verifying flags, 'k8s_master' is not a valid flag. See 'etcd --help'.
Mar 14 13:53:22 docker-01 systemd: etcd.service: main process exited, code=exited, status=1/FAILURE
Mar 14 13:53:22 docker-01 systemd: Failed to start Etcd Server.
Mar 14 13:53:22 docker-01 systemd: Unit etcd.service entered failed state.
Mar 14 13:53:22 docker-01 systemd: etcd.service failed.
Mar 14 13:53:23 docker-01 systemd: Stopped Etcd Server.

  

   3.8:添加服务 

    vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
#Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/data/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
EnvironmentFile=-/etc/etcd/etcd-key.conf
ExecStart=/usr/local/bin/etcd \
    $ETCD_NAME \
    $ETCD_DATA_DIR \
    $ETCD_INITIAL_CLUSTER_STATE \
    $ETCD_INITIAL_CLUSTER_TOKEN \
    $ETCD_INITIAL_ADVERTISE_PEER_URLS \
    $ETCD_LISTEN_PEER_URLS \
    $ETCD_LISTEN_CLIENT_URLS \
    $ETCD_ADVERTISE_CLIENT_URLS \
    $ETCD_INITIAL_CLUSTER \
    $ETCD_KEY

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target 
    name
      节点名称     data-dir
      指定节点的数据存储目录     listen-peer-urls
       监听URL,用于与其他节点通讯     listen-client-urls
      对外提供服务的地址:比如 http://ip:2379,http://127.0.0.1:2379 ,客户端会连接到这里和 etcd 交互     initial-advertise-peer-urls
      该节点同伴监听地址,这个值会告诉集群中其他节点     initial-cluster
      集群中所有节点的信息,格式为 node1=http://ip1:2380,node2=http://ip2:2380,… 。注意:这里的 node1 是节点的 --name 指定的名字;后面的 ip1:2380 是 --initial-advertise-peer-urls 指定的值     initial-cluster-state
      新建集群的时候,这个值为 new ;假如已经存在的集群,这个值为 existing     initial-cluster-token
      创建集群的 token,这个值每个集群保持唯一。这样的话,如果你要重新创建集群,即使配置和之前一样,也会再次生成新的集群和节点 uuid;否则会导致多个集群之间的冲突,造成未知的错误     advertise-client-urls
      对外公告的该节点客户端监听地址,这个值会告诉集群中其他节点

    在不同的设备上要替换name、initial-advertise-peer-urls、listen-peer-urls、listen-client-urls、advertise-client-urls中的名称和IP

  复制到其他服务器:

    scp etcd.service root@docker-02:/usr/lib/systemd/system/

  修改配置文件etcd.service

   

   3.9:启动etcd集群(各节点均需启动,启动主节点时会停滞很久,因为其他节点还未开启)

    修改vim /usr/lib/systemd/system/etcd.service文件后要重新加载

      systemctl daemon-reload

      systemctl start etcd.service

         systemctl stop etcd.service

    报错处理:

      3.9.1:connection refused

Mar 14 14:32:46 docker-01 etcd: health check for peer 7d8eee4f1e1ab8e9 could not connect: dial tcp 10.8.8.22:2380: connect: connection refused (prober "ROUND_TRIPPER_SNAPSHOT")

        ssh连接不通

[root@docker-01 system]# ssh 10.8.8.24 -p 2380
ssh: connect to host 10.8.8.24 port 2380: Connection refused

        解决方法:先启动node节点机器,后启动master

 

      3.9.2:etcd.service服务配置文件中设置的工作目录WorkingDirectory=xxx目录必须存在,并且建好,否则/var/log/message报错

Mar 14 15:25:21 docker-03 systemd: Starting Etcd Server...
Mar 14 15:25:21 docker-03 systemd: Failed at step CHDIR spawning /usr/local/bin/etcd: No such file or directory
Mar 14 15:25:21 docker-03 systemd: etcd.service: main process exited, code=exited, status=200/CHDIR
Mar 14 15:25:21 docker-03 systemd: Failed to start Etcd Server.
Mar 14 15:25:21 docker-03 systemd: Unit etcd.service entered failed state.
Mar 14 15:25:21 docker-03 systemd: etcd.service failed.
Mar 14 15:25:23 docker-03 systemd: Stopped Etcd Server.

  

      3.9.3:request cluster ID mismatch

        https://blog.51cto.com/1666898/2156165

Mar 15 08:38:22 docker-01 etcd: request cluster ID mismatch (got ce8738a43379cfa0 want 25c4c375d3f1f1e)
Mar 15 08:38:22 docker-01 etcd: rejected connection from "10.8.8.22:57202" (error "tls: first record does not look like a TLS handshake", ServerName "")

        删除配置文件中--data-dir项!

        解决办法:删除了etcd集群所有节点中的--data_dir的内容
        分析: 因为集群搭建过程,单独启动过单一etcd,做为测试验证,集群内第一次启动其他etcd服务时候,是通过发现服务引导的,所以需要删除旧的成员信息
        参考:One of the member was bootstrapped via discovery service. You must remove the previous data-dir to clean up the member information. Or the member will ignore the new configuration and start with the old configuration. That is why you see the mismatch.

      3.9.4:以下是最终启动成功的etcd.service,note节点机器只用修改红字部分为本节点信息

        vim /usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
#Documentation=https://github.com/coreos
[Service]
User=root
After=network.target
After=network-online.target
Wants=network-online.target
#Documentation=https://github.com/coreos
[Service]
User=root
Type=notify
WorkingDirectory=/data/etcd/
ExecStart=/usr/local/bin/etcd \
--name=k8s-master \
--cert-file=/etc/kubernetes/ssl/etcd.pem \
--key-file=/etc/kubernetes/ssl/etcd-key.pem \
--trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--peer-cert-file=/etc/kubernetes/ssl/etcd.pem \
--peer-key-file=/etc/kubernetes/ssl/etcd-key.pem \
--peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--listen-peer-urls=https://10.8.8.21:2380 \
--initial-advertise-peer-urls=https://10.8.8.21:2380 \
--listen-client-urls=https://10.8.8.21:2379,https://127.0.0.1:2379 \
--advertise-client-urls=https://10.8.8.21:2379 \
--initial-cluster-token=etcd-cluster-0 \
--initial-cluster=k8s-master=https://10.8.8.21:2380,k8s-node02=https://10.8.8.22:2380,k8s-node03=https://10.8.8.23:2380,k8s-node04=https://10.8.8.24:2380 \
--initial-cluster-state=new
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

  

    3.9.5:检查各节点情况

        etcdctl 2.2.1版本用如下方法

etcdctl  --ca-file=/etc/kubernetes/ssl/ca.pem \
    --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
     --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
     --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379, \
        https://10.8.8.23:2379,https://10.8.8.24:2379 cluster-health

        etcdctl 3.3.12版本用如下方法

etcdctl --cacert=/etc/kubernetes/ssl/ca.pem \
   --cert=/etc/kubernetes/ssl/kubernetes.pem \
   --key=/etc/kubernetes/ssl/kubernetes-key.pem \
   --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379, \
      https://10.8.8.23:2379,https://10.8.8.24:2379 endpoint health

        回显信息

[root@docker-02 network]# etcdctl --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379 cluster-health
member 9464641f79dde42 is healthy: got healthy result from https://10.8.8.23:2379
member 250662a51b30eed5 is healthy: got healthy result from https://10.8.8.24:2379
member 3255ddeea7f12617 is healthy: got healthy result from https://10.8.8.21:2379
member b488eb3b12837d51 is healthy: got healthy result from https://10.8.8.22:2379
cluster is healthy

    

    3.9.6:export ETCDCTL_API=3  这个变量要记得设置!!!否则会报错!

[root@docker-02 ~]# etcdctl mkdir /test-etcd
Error:  x509: certificate signed by unknown authority

  

[root@docker-02 ~]# export ETCDCTL_API=3
[root@docker-02 ~]# systemctl restart etcd
[root@docker-02 ~]# etcdctl member list
9464641f79dde42, started, k8s-node03, https://10.8.8.23:2380, https://10.8.8.23:2379
250662a51b30eed5, started, k8s-node04, https://10.8.8.24:2380, https://10.8.8.24:2379
3255ddeea7f12617, started, k8s-master, https://10.8.8.21:2380, https://10.8.8.21:2379
b488eb3b12837d51, started, k8s-node02, https://10.8.8.22:2380, https://10.8.8.22:2379

  

 四:安装Flannel

  4.1:下载并安装flannel

      wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz

       tar -zxvf flannel-v0.11.0-linux-amd64.tar.gz -C /zm/flannel

[root@docker-01 zm]# tar -zxvf flannel-v0.11.0-linux-amd64.tar.gz 
flanneld
mk-docker-opts.sh
README.md

      mv flanneld /usr/bin/

      mv mk-docker-opts.sh /usr/bin/

    创建服务文件:

https://blog.csdn.net/bbwangj/article/details/81205244

      vim /usr/lib/systemd/system/flanneld.service

[Unit]
Description=flannel
Before=docker.service

[Service]
ExecStart=/usr/bin/flanneld

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

 

[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/flanneld
EnvironmentFile=-/etc/sysconfig/docker-network
ExecStart=/usr/bin/flanneld -etcd-endpoints=${FLANNEL_ETCD} -etcd-prefix=${FLANNEL_ETCD_KEY} $FLANNEL_OPTIONS
ExecStartPost=/usr/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

  

     mkdir -p /etc/systemd/system/flanneld.service.d/ && vim /etc/systemd/system/flanneld.service.d/flannel.conf

[Service]
Environment="FLANNELD_ETCD_ENDPOINTS=http://10.8.8.21:2379"
Environment="FLANNELD_ETCD_PREFIX=/usr/local/flannel/network"

      检查是否生效

[root@docker-01 system]# systemctl daemon-reload
[root@docker-01 system]# systemctl show flanneld --property Environment
Environment=FLANNELD_ETCD_ENDPOINTS=http://10.8.8.21:2379 FLANNELD_ETCD_PREFIX=/usr/local/flannel/network

      启动flannel

        systemctl start flanneld

       设置IP:

 报错(1):

[root@docker-02 ~]# etcdctl mk /usr/local/flannel/network/config '{"Network":"10.9.0.0/16","SubnetMin":"10.9.1.0","SubnetMax":"10.9.254.0"}'
Error:  dial tcp 127.0.0.1:4001: connect: connection refused

       修改配置文件:

        vim /usr/lib/systemd/system/etcd.service 

          --listen-client-urls=https://10.8.8.22:2379,https://127.0.0.1:2379 \

          改为:

          --listen-client-urls=https://10.8.8.22:2379,http://127.0.0.1:2379 \

报错(2):

[root@docker-02 ~]# systemctl daemon-reload
[root@docker-02 ~]# systemctl stop etcd
[root@docker-02 ~]# systemctl start etcd
[root@docker-02 ~]# etcdctl mk /usr/local/flannel/network/config '{"Network":"10.9.0.0/16","SubnetMin":"10.9.1.0","SubnetMax":"10.9.254.0"}'
Error:  x509: certificate signed by unknown authority

 

  执行以下两条命令

etcdctl --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379 \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  mkdir /usr/local/flannel/network


etcdctl --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379 \
  --ca-file=/etc/kubernetes/ssl/ca.pem \
  --cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  mk /usr/local/flannel/network/config '{"Network":"10.9.0.0/16","SubnetLen":24,"Backend":{"Type":"host-gw"}}’

 

[root@docker-02 network]# etcdctl --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379   --ca-file=/etc/kubernetes/ssl/ca.pem   --cert-file=/etc/kubernetes/ssl/kubernetes.pem   --key-file=/etc/kubernetes/ssl/kubernetes-key.pem   set /usr/local/flannel/network/config '{"Network":"10.9.0.0/16","Backend":{"Type":"vxlan"}}'

  

 

 核对信息

    声明变量:

ETCD_ENDPOINTS=‘https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379’
etcdctl --endpoints=${ETCD_ENDPOINTS} \
--ca-file=/etc/kubernetes/ssl/ca.pem \
--cert-file=/etc/kubernetes/ssl/kubernetes.pem \
--key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
ls /kube-centos/network/subnets

 

[root@docker-02 /]# etcdctl --endpoints=https://10.8.8.21:2379,https://10.8.8.22:2379,https://10.8.8.23:2379,https://10.8.8.24:2379 --ca-file=/etc/kubernetes/ssl/ca.pem --cert-file=/etc/kubernetes/ssl/kubernetes.pem --key-file=/etc/kubernetes/ssl/kubernetes-key.pem get /usr/local/flannel/network/config
{"Network":"10.9.0.0/16","SubnetLen":24,"Backend":{"Type":"host-gw"}}

  

 

 

  

 

 

 

 

感谢:

https://www.cnblogs.com/zhenyuyaodidiao/p/6500830.html

GO:

https://blog.csdn.net/xianchanghuang/article/details/82722064

k8s:

https://www.cnblogs.com/netsa/p/8126155.html

https://blog.csdn.net/qq_36207775/article/details/82343807

https://www.cnblogs.com/xuchenCN/p/9479737.html

etcd:

https://www.jianshu.com/p/98b8fa3e3596

flannel:

https://www.cnblogs.com/ZisZ/p/9212820.html

docker:

https://www.cnblogs.com/ZisZ/p/8962194.html

 

转载于:https://www.cnblogs.com/jackyzm/p/10489261.html

你可能感兴趣的:(运维,开发工具,json)