K8S-二进制部署踩坑指南

二进制部署

整体步骤

-------etcd群集部署-------
1：自签ETCD证书
2：ETCD部署
3：Node安装docker
4：Flannel部署（先写入子网到etcd）
---------master----------
5：自签APIServer证书
6：部署APIServer组件（token，csv）
7：部署controller-manager（指定apiserver证书）和scheduler组件
----------node----------
8：生成kubeconfig（bootstrap，kubeconfig和kube-proxy.kubeconfig）
9：部署kubelet组件
10：部署kube-proxy组件
----------加入群集----------
11：kubectl get csr && kubectl certificate approve 允许办法证书，加入群集
12：添加一个node节点
13：查看kubectl get node 节点
————————————————

环境准备

master节点：
CentOS 7-1：192.168.217.130

node节点：
CentOS 7-3：192.168.217.132 docker
CentOS 7-4：192.168.217.133 docker

etcd 集群部署

关闭防火墙和安全功能
[root@localhost k8s]# systemctl stop firewalld.service 
[root@localhost k8s]# setenforce 0
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# mv etcd-cert.sh etcd-cert
[root@localhost k8s]# ls
etcd-cert  etcd.sh
[root@localhost k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
//下载cfssl官方包
[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl  cfssl-certinfo  cfssljson
//cfssl 生成证书工具   cfssljson通过传入json文件生成证书
  cfssl-certinfo查看证书信息
[root@localhost k8s]# cd etcd-cert/
//定义CA证书
[root@localhost etcd-cert]# cat > ca-config.json < ca-csr.json < server-csr.json <

上传三个压缩包,上面三个本次需要的安装包。第4个是1.18版本，未测试

image.png

链接：https://pan.baidu.com/s/1y5JNsXURz4Ii2VkfqYLggA 
提取码：3g1k 
复制这段内容后打开百度网盘手机App，操作更方便哦--来自百度网盘超级会员V1的分享

继续在master操作

[root@localhost k8s]# tar zxvf etcd-*-linux-amd64.tar.gz 

[root@localhost k8s]# ls etcd-v3.2.32-linux-amd64
Documentation  etcdctl            README.md
etcd           README-etcdctl.md  READMEv2-etcdctl.md
[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p
[root@localhost k8s]# mv etcd-v3.2.32-linux-amd64/etcd etcd-v3.2.32-linux-amd64/etcdctl /opt/etcd/bin/
//证书拷贝
[root@localhost k8s]#  cp etcd-cert/*.pem /opt/etcd/ssl/
//进入卡住状态等待其他节点加入
//编写etcd的脚本
#---------------------------------------------------------
vim etcd.sh    ##etcd的执行脚本，生成etcd的配置文件和执行脚本
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.191.130 etcd02=https://192.168.191.131:2380,etcd03=https://192.168.191.132:2380
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

#WORK_DIR=/k8s/etcd
WORK_DIR=/opt/etcd

cat <$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/home/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat </usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
————————————————
[root@localhost k8s]# bash etcd.sh etcd01 192.168.217.130 etcd02=https://192.168.217.132:2380,etcd03=https://192.168.217.133:2380

//使用另外一个会话打开，会发现etcd进程已经开启
[root@master ~]# ps -ef | grep etcd
root       3479   1780  0 11:48 pts/0    00:00:00 bash etcd.sh etcd01 192.168.18.128 etcd02=https://192.168.195.148:2380,etcd03=https://192.168.217.130:2380
root       3530   3479  0 11:48 pts/0    00:00:00 systemctl restart etcd
root       3540      1  1 11:48 ?        00:00:00 /opt/etcd/bin/etcd 

//拷贝证书去其他节点
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt/
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt/
[root@localhost ~]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
[root@localhost ~]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/

在node1 节点进行修改

[root@localhost ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.217.132:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.217.132:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.217.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.217.132:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.217.130:2380,etcd02=https://192.168.217.132:2380,etcd03=https://192.168.217.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
//关闭防火墙和安全功能
[root@localhost ~]# systemctl stop firewalld.service 
[root@localhost ~]# setenforce 0
//启动
[root@localhost ~]# systemctl start etcd

在node2 节点进行修改

[root@localhost ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.217.133:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.217.133:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.217.133:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.217.133:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.217.130:2380,etcd02=https://192.168.217.132:2380,etcd03=https://192.168.217.133:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
//关闭防火墙和安全功能
[root@localhost ~]# systemctl stop firewalld.service 
[root@localhost ~]# setenforce 0
//启动
[root@localhost ~]# systemctl start etcd

在master节点查看集群状态

/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.217.130:2379,https://192.168.217.132:2379,https://192.168.217.133:2379" cluster-health

image.png

其他笔记

journalctl -xe      查看报错
systemctl daemon-reload     若配置文件发生修改，需从新加载

docker 引擎部署，注意要各节点版本保持一致

#安装依懒包
yum install -y yum-utils device-mapper-persistent-data lvm2
#设置阿里云镜像版
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
#安装docker-ce
yum install -y docker-ce
#关闭防火墙和安全功能
systemctl stop firewalld.service
setenforce 0
#开启docker，并设置为开机自启
systemctl start docker.service
systemctl enable docker.service
#镜像加速，加速服务在阿里云平台上获取
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://dticwlxc.mirror.aliyuncs.com"]
}
EOF
systemctl daemon-reload
systemctl restart docker
-----网络优化---
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
service network restart
systemctl restart docker

flanner网络配置 在master节点上

//写入分配的子网段到ETCD中，供flannel使用
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.217.130:2379,https://192.168.217.132:2379,https://192.168217.133:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}

//查看写入的信息
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.217.130:2379,https://192.168.217.132:2379,https://192.168.217.133:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
//拷贝到所有node节点（只需要部署在node节点即可）
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz [email protected]:/root
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz [email protected]:/root

node节点的操作

把flannel.sh包拷贝到node节点上

//所有node节点操作解压
[root@localhost ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz 
flanneld
mk-docker-opts.sh
README.md
//创建k8s工作目录
[root@localhost ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@localhost ~]# vim flannel.sh
#!/bin/bash

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat </opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat </usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

//开启flannel网络功能
[root@localhost ~]# bash flannel.sh https://192.168.217.130:2379,https://192.168.217.132:2379,https://192.168.217.133:2379

Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.

//配置docker连接flannel
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
#service段落做如下改动
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env   
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

[root@localhost ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.24.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
//说明：bip指定启动时的子网
DOCKER_NETWORK_OPTIONS=" --bip=172.17.24.1/24 --ip-masq=false --mtu=1450" 

//重启docker服务
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker


//查看flannel网络
[root@localhost ~]# ifconfig
flannel.1: flags=4163  mtu 1450
        inet 172.17.42.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::fc7c:e1ff:fe1d:224  prefixlen 64  scopeid 0x20
        ether fe:7c:e1:1d:02:24  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 26 overruns 0  carrier 0  collisions 0

//测试ping通对方docker0网卡 证明flannel起到路由作用

//安装docker容器
[root@localhost ~]# docker run -it centos:7 /bin/bash

[root@5f9a65565b53 /]# yum install net-tools -y

//再次测试ping通两个node中的centos:7容器

部署master主键-配置apiserver

//在master上操作，api-server生成证书
[root@localhost k8s]# unzip master.zip
Archive:  master.zip
  inflating: apiserver.sh
  inflating: controller-manager.sh
  inflating: scheduler.sh
[root@localhost k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost k8s]# mkdir k8s-cert
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# ls  #需要上传k8s-cert.sh到此目录下
k8s-cert.sh
[root@localhost k8s-cert]# vim k8s-cert.sh 
cat > ca-config.json < ca-csr.json < server-csr.json < admin-csr.json < kube-proxy-csr.json <

node 节点部署 （kubelet/kube-proxy）

//master上操作
//把 kubelet、kube-proxy拷贝到node节点上去

[root@localhost bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
[email protected]'s password: 
kubelet                                            100%  168MB  17.4MB/s   00:09    
kube-proxy                                         100%   48MB  15.7MB/s   00:03    
[root@localhost bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
[email protected]'s password: 
kubelet                                            100%  168MB  33.7MB/s   00:05    
kube-proxy                                         100%   48MB  48.0MB/s   00:01  
  
//在node1上操作（复制node.zip到/root目录下再解压）
[root@localhost ~]#  unzip node.zip
Archive:  node.zip
  inflating: proxy.sh                
  inflating: kubelet.sh

//在master上操作
[root@localhost bin]# cd /root/k8s/
[root@localhost k8s]# mkdir kubeconfig
[root@localhost k8s]# cd kubeconfig/
[root@localhost kubeconfig]# vim kubeconfi.sh
#!/bin/bash

NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}

cat </opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

EOF

cat </opt/kubernetes/cfg/kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP} 
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF

cat </usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
### --------------------------------分割线  --------------------------------------------
//获取token信息
[root@localhost kubeconfig]# cat /opt/kubernetes/cfg/token.csv
00e6bc07f3ba1318785bfa2942e55ec2,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

//配置文件修改为tokenID
[root@localhost kubeconfig]# vim kubeconfi
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
  --token=00e6bc07f3ba1318785bfa2942e55ec2 \
  --kubeconfig=bootstrap.kubeconfig

//设置环境变量（可以写入到/etc/profile中
[root@localhost kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
[root@localhost kubeconfig]#  kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-0               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}  
 
//生成配置文件
[root@localhost kubeconfig]# bash kubeconfi 192.168.217.130 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@localhost kubeconfig]# ls
bootstrap.kubeconfig  kubeconfi  kubeconfig  kube-proxy.kubeconfig

//拷贝配置文件到node节点
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/

[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
  
 //创建bootstrap角色赋予权限用于连接apiserver请求签名（关键
[root@localhost kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

node1节点部署

 //    在node1节点上操作         
[root@localhost ~]# bash kubelet.sh 192.168.217.132
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
//检查kubelet服务启动
[root@localhost ~]# ps aux | grep kube
root      45482  0.0  0.8 300512 16120 ?        Ssl  12:47   0:01 /opt/kubernetes/bin/flanneld --ip-masq --etcd-endpoints=https://192.168.217.130:2379,https://192.168.217.132:2379,https://192.168.217.133:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
root      51094  3.8  2.3 370688 43796 ?        Ssl  13:51   0:00 /opt/kubernetes/bin/kubelet --logtostderr=true --v=4 --hostname-override=192.168.217.132 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfg/kubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root      51126  0.0  0.0 112676   980 pts/1    R+   13:51   0:00 grep --color=auto kube


//在master上操作
//检查到node01节点的请求
[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-gqmSZ0G1gKFEY_-riyJr0oPnZ7LrrN45VGgHLsmFNuE   42s   kubelet-bootstrap   Pending    #等待集群给该节点颁发证书

[root@localhost kubeconfig]# kubectl certificate approve node-csr-gqmSZ0G1gKFEY_-riyJr0oPnZ7LrrN45VGgHLsmFNuE
certificatesigningrequest.certificates.k8s.io/node-csr-gqmSZ0G1gKFEY_-riyJr0oPnZ7LrrN45VGgHLsmFNuE approved
//继续查看证书状态
[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-gqmSZ0G1gKFEY_-riyJr0oPnZ7LrrN45VGgHLsmFNuE   79s   kubelet-bootstrap   Approved,Issued   （已经被允许加入群集


//查看群集节点，成功加入node01节点
[root@localhost kubeconfig]# kubectl get node
NAME              STATUS   ROLES    AGE   VERSION
192.168.217.132   Ready       51s   v1.12.3


//在node01节点操作，启动proxy服务
[root@localhost ~]# bash proxy.sh 192.168.217.132
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@localhost ~]# systemctl status kube-proxy.service
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2020-02-09 13:54:00 CST; 14s ago
 Main PID: 51694 (kube-proxy)
   Memory: 9.3M
   CGroup: /system.slice/kube-proxy.service
           ‣ 51694 /opt/kubernetes/bin/kube-proxy --logtostderr=true --v=4 --hostn...

2月 09 13:54:04 localhost.localdomain kube-proxy[51694]: I0209 13:54:04.951041   ...
2月 09 13:54:05 localhost.localdomain kube-proxy[51694]: I0209 13:54:05.150004   ...
2月 09 13:54:06 localhost.localdomain kube-proxy[51694]: I0209 13:54:06.961409   ...
2月 09 13:54:07 localhost.localdomain kube-proxy[51694]: I0209 13:54:07.162451   ...
2月 09 13:54:08 localhost.localdomain kube-proxy[51694]: I0209 13:54:08.973883   ...
2月 09 13:54:09 localhost.localdomain kube-proxy[51694]: I0209 13:54:09.173205   ...
2月 09 13:54:11 localhost.localdomain kube-proxy[51694]: I0209 13:54:11.012830   ...
2月 09 13:54:11 localhost.localdomain kube-proxy[51694]: I0209 13:54:11.184843   ...
2月 09 13:54:13 localhost.localdomain kube-proxy[51694]: I0209 13:54:13.026319   ...
2月 09 13:54:13 localhost.localdomain kube-proxy[51694]: I0209 13:54:13.196327   ...
Hint: Some lines were ellipsized, use -l to show in full.

node2 节点部署

//在node01节点操作
//把现成的/opt/kubernetes目录复制到其他节点进行修改即可
[root@localhost ~]# scp -r /opt/kubernetes/ [email protected]:/opt/
The authenticity of host '192.168.217.133 (192.168.217.133)' can't be established.
ECDSA key fingerprint is SHA256:AL1Fr3wJ/6yfYqW2lPhp7nUAVx+RiyeOKTTgyCralGE.
ECDSA key fingerprint is MD5:c9:45:35:f9:b6:bd:80:2b:8e:88:b4:01:38:ac:3c:87.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.217.133' (ECDSA) to the list of known hosts.
[email protected]'s password: 
flanneld                                           100%  241   387.7KB/s   00:00    
bootstrap.kubeconfig                               100% 2169     2.1MB/s   00:00    
kube-proxy.kubeconfig                              100% 6271     1.3MB/s   00:00    
kubelet                                            100%  379   154.8KB/s   00:00    
kubelet.config                                     100%  269   106.7KB/s   00:00    
kubelet.kubeconfig                                 100% 2298     1.3MB/s   00:00    
kube-proxy                                         100%  191   147.2KB/s   00:00    
mk-docker-opts.sh                                  100% 2139     1.6MB/s   00:00    
scp: /opt//kubernetes/bin/flanneld: Text file busy
kubelet                                            100%  168MB  44.3MB/s   00:03    
kube-proxy                                         100%   48MB  57.5MB/s   00:00    
kubelet.crt                                        100% 2197   134.4KB/s   00:00    
kubelet.key                                        100% 1675   173.8KB/s   00:00    
kubelet-client-2020-02-09-13-52-42.pem             100% 1277   882.3KB/s   00:00    
kubelet-client-current.pem                         100% 1277     1.1MB/s   00:00  

 //把kubelet，kube-proxy的service文件拷贝到node2中
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service [email protected]:/usr/lib/systemd/system/
[email protected]'s password: 
kubelet.service                                    100%  264   113.5KB/s   00:00    
kube-proxy.service                                 100%  231   149.8KB/s   00:00    


//在node2 节点上操作，进行修改
[root@localhost ~]# unzip node.zip 
Archive:  node.zip
  inflating: proxy.sh                
  inflating: kubelet.sh
  
//首先删除复制过来的证书，等会node02会自行申请证书
[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *
[root@localhost ssl]# cd ../cfg/

//修改配置文件kubelet  kubelet.config kube-proxy（三个配置文件）
[root@localhost cfg]#  vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.217.133 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

[root@localhost cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.217.133
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true

[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.217.133 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

//启动服务
[root@localhost cfg]#  systemctl start kubelet.service
[root@localhost cfg]# systemctl enable kubelet.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@localhost cfg]# systemctl start kube-proxy.service
[root@localhost cfg]# systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.

//在master节点上操作
[root@localhost kubeconfig]#  kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-DvP9rsDUlQAVuYDoirb-0KomiLAPK88AjyH07um-H70   42s   kubelet-bootstrap   Pending
node-csr-gqmSZ0G1gKFEY_-riyJr0oPnZ7LrrN45VGgHLsmFNuE   10m   kubelet-bootstrap   Approved,Issued

//授权许可加入群集
[root@localhost kubeconfig]# kubectl certificate approve node-csr-DvP9rsDUlQAVuYDoirb-0KomiLAPK88AjyH07um-H70
certificatesigningrequest.certificates.k8s.io/node-csr-DvP9rsDUlQAVuYDoirb-0KomiLAPK88AjyH07um-H70 approved

//查看群集中的节点
[root@localhost kubeconfig]# kubectl get node
NAME              STATUS     ROLES    AGE     VERSION
192.168.217.132   Ready         9m39s   v1.12.3
192.168.217.133   NotReady      6s      v1.12.3

在rancher 中导入该集群

image.png

参考文档
K8S部署之Flannel网络--2018-05-12
Kubernetes（K8S）二进制部署详细步骤--2021-04-10
kubernetes二进制部署---单节点和多节点--2020-10-03
K8s完整单节点二进制部署-- 2020-02-09
K8S 二进制集群部署--2020-05-05
Kubernetes集群二进制部署2020-05-05