Kubernetes 1.26.3 High-Availability Cluster

0. Server information

The servers are Tencent Cloud instances (pay-as-you-go, billed by traffic, with the public IPs converted to elastic IPs, so that once the work is finished the machines can be shut down and only fixed resources such as disks are billed).

Server       IP               Role           Components
Kubernetes1  124.223.218.159  master1        etcd, apiserver, controller-manager, scheduler, kubelet, kube-proxy
Kubernetes2  124.222.44.181   master2        etcd, apiserver, controller-manager, scheduler, kubelet, kube-proxy
Kubernetes3  124.223.197.142  master3        etcd, apiserver, controller-manager, scheduler, kubelet, kube-proxy
Kubernetes4  124.222.142.13   node1          kubelet, kube-proxy
Kubernetes5  124.223.208.10   node2          kubelet, kube-proxy
Kubernetes6  124.221.179.182  node3          kubelet, kube-proxy
Kubernetes7  49.234.50.98     load balancer  nginx

Network         Description
10.19.0.0/16    host (internal) network
10.96.0.0/16    service network
192.168.0.0/16  pod network

1. Environment preparation

Unless noted otherwise, every step is executed on all machines.

1.1. Host configuration

hostnamectl set-hostname "Kubernetes1" --static
echo "127.0.0.1   $(hostname)" >> /etc/hosts
/etc/init.d/network restart
cat >> /etc/hosts << EOF
10.19.0.5  Kubernetes1
10.19.0.9  Kubernetes2
10.19.0.11 Kubernetes3
10.19.0.2  Kubernetes4
10.19.0.4  Kubernetes5
10.19.0.12 Kubernetes6
EOF

1.2. Passwordless SSH

# Generate an SSH key pair
[root@Kubernetes1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:5T64EqJDkJMHYMXBs4OqQGWKjtPbF5yvTfh0V3Ynpso root@Kubernetes1
The key's randomart image is:
+---[RSA 2048]----+
|o.+o.            |
|o  *             |
|.+= o     .      |
|*+.o     o       |
|==  .. .S .   = o|
|=.o . =. o   = o.|
|oo + ..++ + o    |
|. + . o=.+ +     |
|   . ..o+ E      |
+----[SHA256]-----+
# Copy id_rsa.pub to the target machines; later logins need no password (the first copy prompts for the root password)
[root@Kubernetes1 ~]# for i in Kubernetes2 Kubernetes3 Kubernetes4 Kubernetes5 Kubernetes6;do ssh-copy-id -i .ssh/id_rsa.pub $i;done
······
# Test the passwordless connection
[root@Kubernetes1 ~]# ssh root@Kuernetes-2
Last login: Tue May  9 22:54:58 2023 from 183.195.73.137
[root@Kubernetes2 ~]# hostname
Kuernetes-2
[root@Kubernetes2 ~]# exit
logout
Connection to Kubernetes2 closed.

1.3. Kernel upgrade

# Check the kernel (the 3.10 kernel is unstable in large clusters; upgrade to 4.19+)
[root@Kubernetes1 ~]# uname -sr
Linux 3.10.0-1160.88.1.el7.x86_64
# Update all packages except the kernel
[root@Kubernetes1 ~]# yum update -y --exclude=kernel*
······
# Import the ELRepo repository's public signing key and install the repo
[root@Kubernetes1 ~]# rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
[root@Kubernetes1 ~]# rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
Retrieving https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:elrepo-release-7.0-6.el7.elrepo  ################################# [100%]
# Install the fastest-mirror plugin to speed up downloads
[root@Kubernetes1 ~]# yum install -y yum-plugin-fastestmirror
······
# List the kernel versions available in the elrepo-kernel repo
[root@Kubernetes1 ~]# yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
······
# Install the long-term kernel (takes a while)
[root@Kubernetes1 ~]# yum --enablerepo=elrepo-kernel install -y kernel-lt
······
# List the kernels currently installed
[root@Kubernetes1 ~]# awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux 7 Rescue 95a46ad0ee7f4772b6251edf4514b358 (5.4.242-1.el7.elrepo.x86_64)
1 : CentOS Linux (5.4.242-1.el7.elrepo.x86_64) 7 (Core)
2 : CentOS Linux (3.10.0-1160.88.1.el7.x86_64) 7 (Core)
3 : CentOS Linux (0-rescue-ba63ad6a0c7246dd8b30c727aae0e195) 7 (Core)
# Regenerate the GRUB configuration
[root@Kubernetes1 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.242-1.el7.elrepo.x86_64
Found initrd image: /boot/initramfs-5.4.242-1.el7.elrepo.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-1160.88.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1160.88.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-95a46ad0ee7f4772b6251edf4514b358
Found initrd image: /boot/initramfs-0-rescue-95a46ad0ee7f4772b6251edf4514b358.img
Found linux image: /boot/vmlinuz-0-rescue-ba63ad6a0c7246dd8b30c727aae0e195
Found initrd image: /boot/initramfs-0-rescue-ba63ad6a0c7246dd8b30c727aae0e195.img
done
# List the installed kernels again
[root@Kuernetes-6 ~]# awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (5.4.242-1.el7.elrepo.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-1160.88.1.el7.x86_64) 7 (Core)
2 : CentOS Linux (0-rescue-92581b1e8bfc4373a10654f47c8911f3) 7 (Core)
3 : CentOS Linux (0-rescue-ba63ad6a0c7246dd8b30c727aae0e195) 7 (Core)
# Set the default kernel (GRUB_DEFAULT=0, the first menu entry)
[root@Kubernetes1 ~]# vi /etc/default/grub
[root@Kubernetes1 ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=0
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL="serial console"
GRUB_TERMINAL_OUTPUT="serial console"
GRUB_CMDLINE_LINUX="crashkernel=2G-8G:256M,8G-16G:512M,16G-:768M console=ttyS0,115200 console=tty0 panic=5 net.ifnames=0 biosdevname=0 intel_idle.max_cstate=1 intel_pstate=disable processor.max_cstate=1 amd_iommu=on iommu=pt"
GRUB_DISABLE_RECOVERY="true"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
# Regenerate the GRUB configuration again
[root@Kubernetes1 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.242-1.el7.elrepo.x86_64
Found initrd image: /boot/initramfs-5.4.242-1.el7.elrepo.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-1160.88.1.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1160.88.1.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-95a46ad0ee7f4772b6251edf4514b358
Found initrd image: /boot/initramfs-0-rescue-95a46ad0ee7f4772b6251edf4514b358.img
Found linux image: /boot/vmlinuz-0-rescue-ba63ad6a0c7246dd8b30c727aae0e195
Found initrd image: /boot/initramfs-0-rescue-ba63ad6a0c7246dd8b30c727aae0e195.img
done
# Reboot
[root@Kubernetes1 ~]# reboot
# Check the running kernel after the reboot
[root@Kubernetes1 ~]# uname -sr
Linux 5.4.242-1.el7.elrepo.x86_64

1.4. Install cfssl

Master node only

https://github.com/cloudflare/cfssl/releases

[root@Kubernetes1 ~]# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl_1.6.4_linux_amd64
······
[root@Kubernetes1 ~]# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssljson_1.6.4_linux_amd64
······
[root@Kubernetes1 ~]# wget https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl-certinfo_1.6.4_linux_amd64
······
[root@Kubernetes1 ~]# ls
cfssl_1.6.4_linux_amd64  cfssl-certinfo_1.6.4_linux_amd64  cfssljson_1.6.4_linux_amd64
[root@Kubernetes1 ~]# chmod +x cfssl*
[root@Kubernetes1 ~]# mv cfssl_1.6.4_linux_amd64 cfssl
[root@Kubernetes1 ~]# mv cfssl-certinfo_1.6.4_linux_amd64 cfssl-certinfo
[root@Kubernetes1 ~]# mv cfssljson_1.6.4_linux_amd64 cfssljson
[root@Kubernetes1 ~]# ls -l
total 28572
-rwxr-xr-x 1 root root 12054528 Apr 11 03:07 cfssl
-rwxr-xr-x 1 root root  9560064 Apr 11 03:08 cfssl-certinfo
-rwxr-xr-x 1 root root  7643136 Apr 11 03:07 cfssljson
[root@Kubernetes1 ~]# mv cfssl* /usr/bin/
[root@Kubernetes1 ~]# cfssl
No command is given.
Usage:
Available commands:
	revoke
	bundle
	certinfo
	sign
	genkey
	ocspserve
	info
	crl
	serve
	gencert
	gencsr
	scan
	gencrl
	ocspdump
	ocspsign
	print-defaults
	version
	ocsprefresh
	selfsign
Top-level flags:

1.5. System settings

#!/bin/bash
# Set SELinux to permissive now and disable it permanently in the config
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# Turn off swap now and in /etc/fstab (kubelet refuses to start with swap enabled by default)
swapoff -a && sysctl -w vm.swappiness=0
sed -ri 's/.*swap.*/#&/' /etc/fstab

1.6. IPVS modules

cat <<EOF | sudo tee /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF
# Install the IPVS tooling
[root@Kubernetes1 ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -y
······
# Write the IPVS module list
[root@Kubernetes1 ~]# cat <<EOF | sudo tee /etc/modules-load.d/ipvs.conf
······
# Enable and start the module-loading service
[root@Kubernetes1 ~]# systemctl enable --now systemd-modules-load.service
Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
# Verify that the IPVS modules are loaded
[root@Kubernetes1 ~]# lsmod | grep -e ip_vs -e nf_conntrack
ip_vs_ftp              16384  0 
nf_nat                 45056  1 ip_vs_ftp
ip_vs_sed              16384  0 
ip_vs_nq               16384  0 
ip_vs_fo               16384  0 
ip_vs_sh               16384  0 
ip_vs_dh               16384  0 
ip_vs_lblcr            16384  0 
ip_vs_lblc             16384  0 
ip_vs_wrr              16384  0 
ip_vs_rr               16384  0 
ip_vs_wlc              16384  0 
ip_vs_lc               16384  0 
ip_vs                 155648  24 ip_vs_wlc,ip_vs_rr,ip_vs_dh,ip_vs_lblcr,ip_vs_sh,ip_vs_fo,ip_vs_nq,ip_vs_lblc,ip_vs_wrr,ip_vs_lc,ip_vs_sed,ip_vs_ftp
nf_conntrack          147456  2 nf_nat,ip_vs
nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  3 nf_conntrack,nf_nat,ip_vs

1.7. Docker

#!/bin/bash
# remove old docker
yum remove docker \
        docker-client \
        docker-client-latest \
        docker-common \
        docker-latest \
        docker-latest-logrotate \
        docker-logrotate \
        docker-engine

# install dependents
yum install -y yum-utils

# set yum repo
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# install docker
yum -y install docker-ce-20.10.9-3.el7 docker-ce-cli-20.10.9-3.el7 containerd.io

# start
systemctl enable docker --now

# docker config
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://12sotewv.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
EOF

sudo systemctl daemon-reload
sudo systemctl restart docker

1.8. cri-dockerd

# quoted heredoc so that $MAINPID is written literally into the unit file
cat > /lib/systemd/system/cri-docker.service <<'EOF'
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket

[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=imaxun/pause:3.9
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

StartLimitBurst=3

StartLimitInterval=60s

LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

TasksMax=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
EOF


cat > /lib/systemd/system/cri-docker.socket <<EOF
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service

[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target
EOF
# Reload systemd and start the service
systemctl daemon-reload
systemctl enable cri-docker --now
[root@Kubernetes1 ~]# wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.0/cri-dockerd-0.3.0.amd64.tgz
······
[root@Kubernetes1 ~]# tar -zxvf cri-dockerd.tgz 
cri-dockerd/
cri-dockerd/._cri-dockerd
tar: Ignoring unknown extended header keyword `LIBARCHIVE.xattr.com.apple.quarantine'
tar: Ignoring unknown extended header keyword `LIBARCHIVE.xattr.com.apple.metadata:kMDItemWhereFroms'
cri-dockerd/cri-dockerd
[root@Kubernetes1 ~]# chmod +x cri-dockerd/cri-dockerd
[root@Kubernetes1 ~]# mv cri-dockerd/cri-dockerd /usr/bin/
[root@Kubernetes1 ~]# vi cri-docker.sh 
[root@Kubernetes1 ~]# sh cri-docker.sh 
Created symlink from /etc/systemd/system/multi-user.target.wants/cri-docker.service to /usr/lib/systemd/system/cri-docker.service.
[root@Kubernetes1 ~]# systemctl status cri-docker
● cri-docker.service - CRI Interface for Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/cri-docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2023-05-14 13:11:35 CST; 18s ago
     Docs: https://docs.mirantis.com
 Main PID: 9600 (cri-dockerd)
    Tasks: 8
   Memory: 17.4M
   CGroup: /system.slice/cri-docker.service
           └─9600 /usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=imaxun/pause:3.9

May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Start docker client with request timeout 0s"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Hairpin mode is set to none"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Loaded network plugin cni"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Docker cri networking managed by network plugin cni"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Docker Info: &{ID:HBZS:RXZJ:YZ6F:ZDEX:3R3S:AYDP:BH2I:6RT2:TC2K:7LSK:KG5Q:R4EX Containers:0 ContainersRunning:0 ContainersPaused:0 ContainersStopped:0 Images:0 Driver:overlay2 DriverStatus:[[Backing Filesystem extfs] [Supports d_type true] [Nati
May 14 13:11:35 Kubernetes4 systemd[1]: Started CRI Interface for Docker Application Container Engine.
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Setting cgroupDriver systemd"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Docker cri received runtime config &RuntimeConfig{NetworkConfig:&NetworkConfig{PodCidr:,},}"
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Starting the GRPC backend for the Docker CRI interface."
May 14 13:11:35 Kubernetes4 cri-dockerd[9600]: time="2023-05-14T13:11:35+08:00" level=info msg="Start cri-dockerd grpc backend"

1.9. Certificates

Master node only

Terminology used in the Kubernetes CA configuration (ca-config.json)

  • "ca-config.json": can define several profiles, each with its own expiry, usage scenario and other parameters; one of them is selected later when signing a certificate
    • server: server-side certificate
    • client: client-side certificate
    • peer: peer certificate
  • "signing": the certificate can be used to sign other certificates
  • "server auth": a client can use this CA to verify the certificate presented by a server
  • "client auth": a server can use this CA to verify the certificate presented by a client

Terminology used in the certificate signing request (ca-csr.json)

  • CN: Common Name (domain name)
  • C: country
  • ST: state or province
  • L: locality (city)
  • O: organization
  • OU: organizational unit (department)

sudo mkdir -p /etc/kubernetes/pki
sudo tee /etc/kubernetes/pki/ca-config.json <<-'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "server": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
sudo tee /etc/kubernetes/pki/ca-csr.json <<-'EOF'
{
  "CN": "Ialso",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "kubernetes",
      "OU": "kubernetes"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF
# Create the certificate directory
[root@Kubernetes1 ~]# mkdir -p /etc/kubernetes/pki
# Kubernetes CA configuration
[root@Kubernetes1 pki]# sudo tee /etc/kubernetes/pki/ca-config.json <<-'EOF'
······
# Kubernetes CA certificate signing request
[root@Kubernetes1 pki]# sudo tee /etc/kubernetes/pki/ca-csr.json <<-'EOF'
······
# Generate the Kubernetes CA certificate and key
[root@Kubernetes1 pki]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2023/05/10 22:24:22 [INFO] generating a new CA key and certificate from CSR
2023/05/10 22:24:22 [INFO] generate received request
2023/05/10 22:24:22 [INFO] received CSR
2023/05/10 22:24:22 [INFO] generating key: rsa-2048
2023/05/10 22:24:22 [INFO] encoded CSR
2023/05/10 22:24:22 [INFO] signed certificate with serial number 613017233483743397580047557677682512319581508456
# Inspect the result: ca-key.pem is the CA private key, ca.pem the CA certificate
[root@Kubernetes1 pki]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

1.10. Copying files to the other nodes

for i in Kubernetes2 Kubernetes3 Kubernetes4 Kubernetes5 Kubernetes6;do scp -r /root/abc.txt root@$i:/root/abc.txt;done

1.11. Clash

[root@Kubernetes1 ~]# mkdir /usr/local/clash
[root@Kubernetes1 ~]# cd /usr/local/clash
[root@Kubernetes1 clash]# wget https://github.com/Dreamacro/clash/releases/download/v1.7.1/clash-linux-amd64-v1.7.1.gz
[root@Kubernetes1 clash]# gunzip clash-linux-amd64-v1.7.1.gz
[root@Kubernetes1 clash]# chmod +x clash-linux-amd64-v1.7.1
[root@Kubernetes1 clash]# ln -s /usr/local/clash/clash-linux-amd64-v1.7.1 clash
[root@Kubernetes1 clash]# wget -O /usr/local/clash/config.yaml "https://mymonocloud.com/clash/760582/cZsa28nlyvsV" --no-check-certificate
[root@Kubernetes1 clash]# wget -O Country.mmdb https://github.com/Dreamacro/maxmind-geoip/releases/latest/download/Country.mmdb
[root@Kubernetes1 clash]# ll
total 14524
lrwxrwxrwx 1 root root      41 May 16 22:40 clash -> /usr/local/clash/clash-linux-amd64-v1.7.1
-rwxr-xr-x 1 root root 8990720 May 16 22:38 clash-linux-amd64-v1.7.1
-rw-r--r-- 1 root root   44361 May 16 22:41 config.yaml
-rw-r--r-- 1 root root 5833460 May 16 22:41 Country.mmdb
[root@Kubernetes1 clash]# vim /usr/lib/systemd/system/clash.service
# /usr/lib/systemd/system/clash.service
[Unit]
Description=Clash
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
 
[Service]
Type=simple
ExecStartPre=/usr/local/clash/clash -t -f /usr/local/clash/config.yaml
ExecStart=/usr/local/clash/clash -d /usr/local/clash
ExecStop=/bin/kill -s QUIT $MAINPID
LimitNOFILE=65535
 
[Install]
WantedBy=multi-user.target
[root@Kubernetes1 clash]# systemctl enable --now clash.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/clash.service to /usr/lib/systemd/system/clash.service.
[root@Kubernetes1 clash]# systemctl status clash.service 
● clash.service - Clash
   Loaded: loaded (/usr/lib/systemd/system/clash.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2023-05-16 22:43:28 CST; 13s ago
  Process: 7268 ExecStartPre=/usr/local/clash/clash -t -f /usr/local/clash/config.yaml (code=exited, status=0/SUCCESS)
 Main PID: 7426 (clash)
    Tasks: 6
   Memory: 14.6M
   CGroup: /system.slice/clash.service
           └─7426 /usr/local/clash/clash -d /usr/local/clash

May 16 22:43:28 Kubernetes1 clash[7268]: time="2023-05-16T22:43:28+08:00" level=info msg="Start initial compatible provider Streaming"
May 16 22:43:28 Kubernetes1 clash[7268]: configuration file /usr/local/clash/config.yaml test is successful
May 16 22:43:28 Kubernetes1 systemd[1]: Started Clash.
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="Start initial compatible provider Proxy"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="Start initial compatible provider StreamingSE"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="Start initial compatible provider Streaming"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="Start initial compatible provider MATCH"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="HTTP proxy listening at: 127.0.0.1:7890"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="RESTful API listening at: 127.0.0.1:9090"
May 16 22:43:28 Kubernetes1 clash[7426]: time="2023-05-16T22:43:28+08:00" level=info msg="SOCKS proxy listening at: 127.0.0.1:7891"

2. etcd installation

2.1. Install

# Download etcd: https://github.com/etcd-io/etcd/releases
[root@Kubernetes1 ~]# wget https://github.com/etcd-io/etcd/releases/download/v3.5.6/etcd-v3.5.6-linux-amd64.tar.gz
······
# Copy the etcd tarball to the other master nodes
[root@Kubernetes1 pki]# for i in Kubernetes2 Kubernetes3;do scp etcd-* root@$i:/root/;done 
etcd-v3.5.6-linux-amd64.tar.gz                                                                                                                                100%   19MB 118.2KB/s   02:41    
etcd-v3.5.6-linux-amd64.tar.gz                                                                                                                                100%   19MB 114.7KB/s   02:46
# Extract the tarball and install the binaries
[root@Kubernetes1 ~]# tar -zxvf etcd-v3.5.6-linux-amd64.tar.gz
[root@Kubernetes1 ~]# mv /root/etcd-v3.5.6-linux-amd64/etcd /usr/bin/
[root@Kubernetes1 ~]# mv /root/etcd-v3.5.6-linux-amd64/etcdctl /usr/bin/
# Verify etcdctl runs
[root@Kubernetes1 ~]# etcdctl
······

2.2. Certificates

etcd is its own independent CA and uses its own certificates.

sudo mkdir -p /etc/kubernetes/pki/etcd
sudo tee /etc/kubernetes/pki/etcd/etcd-ca-csr.json <<-'EOF'
{
  "CN": "Ialso",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "etcd"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF
sudo tee /etc/kubernetes/pki/etcd/etcd-csr.json <<-'EOF'
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "10.19.0.5",
    "10.19.0.9",
    "10.19.0.11",
    "10.19.0.2",
    "10.19.0.4",
    "10.19.0.12",
    "10.19.0.7"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "etcd-colony"
    }
  ]
}
EOF
cd /etc/kubernetes/pki/etcd
# Generate the etcd CA (produces ca.pem and ca-key.pem)
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare ca -
# Issue the etcd member certificate from the etcd CA with the "etcd" profile
cfssl gencert \
   -ca=/etc/kubernetes/pki/etcd/ca.pem \
   -ca-key=/etc/kubernetes/pki/etcd/ca-key.pem \
   -config=/etc/kubernetes/pki/ca-config.json \
   -profile=etcd \
   etcd-csr.json | cfssljson -bare /etc/kubernetes/pki/etcd/etcd
# etcd CA certificate signing request
[root@Kubernetes1 pki]# sudo tee /etc/kubernetes/pki/etcd/etcd-ca-csr.json <<-'EOF'
······
# Generate the etcd CA certificate and key
[root@Kubernetes1 etcd]# cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare ca -
2023/05/11 01:04:38 [INFO] generating a new CA key and certificate from CSR
2023/05/11 01:04:38 [INFO] generate received request
2023/05/11 01:04:38 [INFO] received CSR
2023/05/11 01:04:38 [INFO] generating key: rsa-2048
2023/05/11 01:04:38 [INFO] encoded CSR
2023/05/11 01:04:38 [INFO] signed certificate with serial number 638045234947858116581635552444821777926630480846
# Inspect the result: ca-key.pem is the CA private key, ca.pem the CA certificate
[root@Kubernetes1 etcd]# ls
ca.csr  ca-key.pem  ca.pem
# Signing request for the etcd member certificate
[root@Kubernetes1 etcd]# sudo tee /etc/kubernetes/pki/etcd/etcd-ialso-csr.json <<-'EOF'
> {
>   "CN": "etcd-ialso",
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "hosts": [
>     "10.19.0.5",
>     "10.19.0.9",
>     "10.19.0.11",
>     "10.19.0.2",
>     "10.19.0.4",
>     "10.19.0.12",
>     "10.19.0.7"
>   ],
>   "names": [
>     {
>       "C": "CN",
>       "ST": "Shanghai",
>       "L": "Shanghai",
>       "O": "etcd",
>       "OU": "etcd-colony"
>     }
>   ]
> }
> EOF
# Issue the etcd member certificate from the etcd CA
[root@Kubernetes1 etcd]# cfssl gencert \
>    -ca=/etc/kubernetes/pki/etcd/ca.pem \
>    -ca-key=/etc/kubernetes/pki/etcd/ca-key.pem \
>    -config=/etc/kubernetes/pki/ca-config.json \
>    -profile=etcd \
>    etcd-ialso-csr.json | cfssljson -bare /etc/kubernetes/pki/etcd/etcd
2023/05/11 01:27:09 [INFO] generate received request
2023/05/11 01:27:09 [INFO] received CSR
2023/05/11 01:27:09 [INFO] generating key: rsa-2048
2023/05/11 01:27:09 [INFO] encoded CSR
2023/05/11 01:27:09 [INFO] signed certificate with serial number 547412799563394483789087934200510450231255257959
# Inspect the result: etcd-key.pem is the private key, etcd.pem the certificate
[root@Kubernetes1 etcd]# ls
ca.csr  ca-key.pem  ca.pem  etcd-ca-csr.json  etcd.csr  etcd-ialso-csr.json  etcd-key.pem  etcd.pem
# Copy the certificates to the other nodes that will run etcd (into the path the etcd config references)
[root@Kubernetes1 etcd]# for i in Kubernetes2 Kubernetes3;do ssh root@$i mkdir -p /etc/kubernetes/pki/etcd; scp -r /etc/kubernetes/pki/etcd/*.pem root@$i:/etc/kubernetes/pki/etcd/;done
······

2.3. Start

etcd configuration reference: https://doczhcn.gitbook.io/etcd/index/index-1/configuration

# /etc/kubernetes/conf/etcd/etcd1-conf.yaml (the path etcd.service points at; set name and IPs per master)
name: 'etcd1' # node name
data-dir: /etc/kubernetes/data/etcd/data
wal-dir: /etc/kubernetes/data/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://10.19.0.5:2380' # this node's IP, port 2380
listen-client-urls: 'https://10.19.0.5:2379,http://127.0.0.1:2379' # this node's IP, port 2379
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://10.19.0.5:2380' # this node's IP, port 2380
advertise-client-urls: 'https://10.19.0.5:2379' # this node's IP, port 2379
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'etcd1=https://10.19.0.5:2380,etcd2=https://10.19.0.9:2380,etcd3=https://10.19.0.11:2380' # name and IP of every etcd cluster member
initial-cluster-token: 'etcd-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/kubernetes/pki/etcd/ca.pem'
  auto-tls: true
peer-transport-security:
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '/etc/kubernetes/pki/etcd/ca.pem'
  auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
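The page shows only etcd1's file and leaves the other two masters to be edited by hand. As an added example (the editor's code, not the post's), the following renders the same configuration for every member from one list, so the listen/advertise URLs and the initial-cluster string cannot drift apart, rejects a garbled address like the one that appeared in the listen-client-urls line, and checks that the etcd certificate's hosts from section 2.2 cover every member. Names, IPs and paths are the page's; the function names are the editor's.

```python
"""Render the per-master etcd config of section 2.3 for all three members.

Added example, not the original post's code. Member names and IPs (etcd1..3 on
10.19.0.5/9/11), data paths and the PKI directory are the page's own values;
rendering is plain string formatting, so no YAML library is required.
"""
import ipaddress

MEMBERS = [("etcd1", "10.19.0.5"), ("etcd2", "10.19.0.9"), ("etcd3", "10.19.0.11")]
PKI_DIR = "/etc/kubernetes/pki/etcd"

TEMPLATE = """\
name: '{name}'
data-dir: /etc/kubernetes/data/etcd/data
wal-dir: /etc/kubernetes/data/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
listen-peer-urls: 'https://{ip}:2380'
listen-client-urls: 'https://{ip}:2379,http://127.0.0.1:2379'
initial-advertise-peer-urls: 'https://{ip}:2380'
advertise-client-urls: 'https://{ip}:2379'
initial-cluster: '{initial_cluster}'
initial-cluster-token: 'etcd-cluster'
initial-cluster-state: '{state}'
client-transport-security:
  cert-file: '{pki}/etcd.pem'
  key-file: '{pki}/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '{pki}/ca.pem'
peer-transport-security:
  cert-file: '{pki}/etcd.pem'
  key-file: '{pki}/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '{pki}/ca.pem'
"""


def validate_members(members):
    """Reject duplicate names, malformed IPs (e.g. '10.19.0.510.19.0.5') and even counts."""
    names = [name for name, _ in members]
    if len(set(names)) != len(names):
        raise ValueError("duplicate member names: " + ", ".join(names))
    for _, ip in members:
        ipaddress.ip_address(ip)  # raises ValueError on a garbled address
    if len(members) % 2 == 0:
        raise ValueError("an even member count adds no fault tolerance; use 3 or 5")


def members_ok(members):
    """True when validate_members() accepts the list."""
    try:
        validate_members(members)
        return True
    except ValueError:
        return False


def initial_cluster(members):
    """Build the initial-cluster value: name=https://ip:2380 for every member."""
    return ",".join("%s=https://%s:2380" % (name, ip) for name, ip in members)


def render_config(name, members, state="new"):
    """Render the YAML for one member; KeyError if name is not a member."""
    validate_members(members)
    ip = dict(members)[name]
    return TEMPLATE.format(name=name, ip=ip, state=state, pki=PKI_DIR,
                           initial_cluster=initial_cluster(members))


def render_all(members):
    """Map member name -> config text, one file per master."""
    return {name: render_config(name, members) for name, _ in members}


def missing_cert_hosts(members, csr_hosts):
    """Member IPs that the etcd CSR 'hosts' list of section 2.2 does not cover."""
    return sorted(ip for _, ip in members if ip not in set(csr_hosts))
```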
cat > /usr/lib/systemd/system/etcd.service  <<EOF
[Unit]
Description=Etcd Service
Documentation=https://coreos.com/etcd/docs/latest
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/etcd --config-file=/etc/kubernetes/conf/etcd/etcd1-conf.yaml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
systemctl enable --now etcd.service
[root@Kubernetes1 ~]# systemctl enable --now etcd.service
[root@Kubernetes1 etcd]# systemctl status etcd.service
● etcd.service - Etcd Service
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-05-12 00:07:20 CST; 1min 15s ago
     Docs: https://coreos.com/etcd/docs/latest
 Main PID: 14647 (etcd)
    Tasks: 8
   Memory: 38.4M
   CGroup: /system.slice/etcd.service
           └─14647 /usr/bin/etcd --config-file=/etc/kubernetes/etcd/etcd-conf.yaml

May 12 00:08:29 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:29.792+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
May 12 00:08:29 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:29.793+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
May 12 00:08:32 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:32.808+0800","caller":"etcdserver/cluster_util.go:288","msg":"failed to reach the peer URL...
May 12 00:08:32 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:32.808+0800","caller":"etcdserver/cluster_util.go:155","msg":"failed to get version","remo...
May 12 00:08:32 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:32.811+0800","caller":"etcdserver/cluster_util.go:288","msg":"failed to reach the peer URL...
May 12 00:08:32 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:32.811+0800","caller":"etcdserver/cluster_util.go:155","msg":"failed to get version","remo...
May 12 00:08:34 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:34.793+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
May 12 00:08:34 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:34.793+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
May 12 00:08:34 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:34.793+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
May 12 00:08:34 Kubernetes1 etcd[14647]: {"level":"warn","ts":"2023-05-12T00:08:34.794+0800","caller":"rafthttp/probing_status.go:68","msg":"prober detected unhealthy sta...
Hint: Some lines were ellipsized, use -l to show in full.

2.4. Test

# List the cluster members
[root@Kubernetes1 etcd]# etcdctl member list --write-out=table
+------------------+---------+-------+-------------------------+-------------------------+------------+
|        ID        | STATUS  | NAME  |       PEER ADDRS        |      CLIENT ADDRS       | IS LEARNER |
+------------------+---------+-------+-------------------------+-------------------------+------------+
| 452bb92b6cddd036 | started | etcd3 | https://10.19.0.11:2380 | https://10.19.0.11:2379 |      false |
| 8f871fbc55399fbc | started | etcd1 |  https://10.19.0.5:2380 |  https://10.19.0.5:2379 |      false |
| b7c44b92b36f66fd | started | etcd2 |  https://10.19.0.9:2380 |  https://10.19.0.9:2379 |      false |
+------------------+---------+-------+-------------------------+-------------------------+------------+
# Check the health of each endpoint, authenticating with the etcd certificates
[root@Kubernetes1 etcd]# ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/etcd.pem --key=/etc/kubernetes/pki/etcd/etcd-key.pem --endpoints="https://10.19.0.5:2379,https://10.19.0.9:2379,https://10.19.0.11:2379" endpoint health --write-out=table
+-------------------------+--------+-------------+-------+
|        ENDPOINT         | HEALTH |    TOOK     | ERROR |
+-------------------------+--------+-------------+-------+
| https://10.19.0.11:2379 |   true | 11.620977ms |       |
|  https://10.19.0.9:2379 |   true | 12.017392ms |       |
|  https://10.19.0.5:2379 |   true | 12.167674ms |       |
+-------------------------+--------+-------------+-------+

3. Other components

3.1. Download

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.26.md

[root@Kubernetes1 ~]# wget https://dl.k8s.io/v1.26.3/kubernetes-server-linux-amd64.tar.gz
[root@Kubernetes1 bin]# chmod +x kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}
# run on the master nodes
[root@Kubernetes1 bin]# cp kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy} /usr/bin/
# run on the worker nodes
[root@Kubernetes1 bin]# cp kubernetes/server/bin/kube{let,ctl,-proxy} /usr/bin/

3.2、apiserver

1、Certificate
sudo tee /etc/kubernetes/pki/apiserver/apiserver-csr.json <<-'EOF'
{
  "CN": "Ialso",
  "hosts": [
    "10.96.0.1",
    "127.0.0.1",
    "10.19.0.5",
    "10.19.0.9",
    "10.19.0.11",
    "10.19.0.2",
    "10.19.0.4",
    "10.19.0.12",
    "10.19.0.7",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "kube-apiserver",
      "OU": "kube-apiserver"
    }
  ]
}
EOF
cfssl gencert \
    -ca=/etc/kubernetes/pki/ca.pem \
    -ca-key=/etc/kubernetes/pki/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver/apiserver
[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir apiserver
[root@Kubernetes1 pki]# cd apiserver
[root@Kubernetes1 apiserver]# sudo tee /etc/kubernetes/pki/apiserver/apiserver-csr.json <<-'EOF'
> {
>     "CN": "Ialso",
>     "hosts": [
>       "10.96.0.1",
>       "127.0.0.1",
>       "10.19.0.5",
>       "10.19.0.9",
>       "10.19.0.11",
>       "10.19.0.2",
>       "10.19.0.4",
>       "10.19.0.12",
>       "10.19.0.7",
>       "kubernetes",
>       "kubernetes.default",
>       "kubernetes.default.svc",
>       "kubernetes.default.svc.cluster",
>       "kubernetes.default.svc.cluster.local"
>     ],
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "ST": "Shanghai",
>             "L": "Shanghai",
>             "O": "kube-apiserver",
>             "OU": "kube-apiserver"
>         }
>     ]
> }
> EOF
······
# Issue the certificate from the kubernetes CA
[root@Kubernetes1 apiserver]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/ca.pem \
>     -ca-key=/etc/kubernetes/pki/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver/apiserver
2023/05/11 23:10:48 [INFO] generate received request
2023/05/11 23:10:48 [INFO] received CSR
2023/05/11 23:10:48 [INFO] generating key: rsa-2048
2023/05/11 23:10:48 [INFO] encoded CSR
2023/05/11 23:10:48 [INFO] signed certificate with serial number 280635780381735908251327798136801705964318780365
[root@Kubernetes1 apiserver]# ls
apiserver.csr  apiserver-csr.json  apiserver-key.pem  apiserver.pem
2、Load balancer
wget http://nginx.org/download/nginx-1.21.1.tar.gz
tar -zxvf nginx-1.21.1.tar.gz
cd nginx-1.21.1/
./configure --prefix=/usr/local/nginx --with-stream
make
make install
# Replace the configuration file (TCP passthrough of 6443 to the three apiservers)
cat > /usr/local/nginx/conf/nginx.conf <<EOF
worker_processes 1;

events {
    worker_connections  1024;
}

stream {
    upstream backend {
        server 10.19.0.5:6443;
        server 10.19.0.9:6443;
        server 10.19.0.11:6443;
    }

    server {
        listen 6443;
        proxy_pass backend;
    }
}
EOF
# Once the apiserver is deployed you can try this; it will complain that a certificate is required
curl https://10.19.0.7:6443/api/v1/namespaces
[Unit]
# Service description
Description=nginx web service
Documentation=https://nginx.org/en/docs/
After=network.target
[Service]
# nginx daemonizes, so systemd tracks the forked master process
Type=forking
# Start nginx
ExecStart=/usr/local/nginx/sbin/nginx
# Reload the nginx configuration
ExecReload=/usr/local/nginx/sbin/nginx -s reload
# Stop nginx
ExecStop=/usr/local/nginx/sbin/nginx -s stop
PrivateTmp=true
[Install]
WantedBy=default.target
[root@Kubernetes7 nginx-1.21.1]# vim /usr/lib/systemd/system/nginx.service
[root@Kubernetes7 nginx-1.21.1]# systemctl daemon-reload
[root@Kubernetes7 nginx-1.21.1]# systemctl enable --now nginx.service 
Created symlink from /etc/systemd/system/default.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@Kubernetes7 nginx-1.21.1]# systemctl status nginx.service 
● nginx.service - nginx web service
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-13 21:36:30 CST; 7s ago
     Docs: https://nginx.org/en/docs/
  Process: 17955 ExecStart=/usr/local/nginx/sbin/nginx (code=exited, status=0/SUCCESS)
 Main PID: 17956 (nginx)
   CGroup: /system.slice/nginx.service
           ├─17956 nginx: master process /usr/local/nginx/sbin/nginx
           └─17957 nginx: worker process

May 13 21:36:30 Kubernetes7 systemd[1]: Starting nginx web service...
May 13 21:36:30 Kubernetes7 systemd[1]: Started nginx web service.

3.3、front-proxy

front-proxy is a separate CA: the aggregation layer uses its own CA and client certificate, not the kubernetes CA

1、Certificate
sudo tee /etc/kubernetes/pki/front-proxy/front-proxy-ca-csr.json <<-'EOF'
{
  "CN": "front-proxy",
  "key": {
     "algo": "rsa",
     "size": 2048
  }
}
EOF
sudo tee /etc/kubernetes/pki/front-proxy/front-proxy-client-csr.json <<-'EOF'
{
  "CN": "front-proxy-client",
  "key": {
     "algo": "rsa",
     "size": 2048
  }
}
EOF
# Generate the front-proxy CA certificate (self-signed)
cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy/ca -
# Issue the client certificate from the front-proxy CA
cfssl gencert \
    -ca=/etc/kubernetes/pki/front-proxy/ca.pem \
    -ca-key=/etc/kubernetes/pki/front-proxy/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    front-proxy-client-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy/front-proxy-client
[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir front-proxy
[root@Kubernetes1 pki]# cd front-proxy
[root@Kubernetes1 front-proxy]# sudo tee /etc/kubernetes/pki/front-proxy/front-proxy-ca-csr.json <<-'EOF'
> {
>   "CN": "front-proxy",
>   "key": {
>      "algo": "rsa",
>      "size": 2048
>   }
> }
> EOF
······
# Generate the front-proxy CA certificate
[root@Kubernetes1 front-proxy]# cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare ca -
2023/05/11 22:53:38 [INFO] generating a new CA key and certificate from CSR
2023/05/11 22:53:38 [INFO] generate received request
2023/05/11 22:53:38 [INFO] received CSR
2023/05/11 22:53:38 [INFO] generating key: rsa-2048
2023/05/11 22:53:38 [INFO] encoded CSR
2023/05/11 22:53:38 [INFO] signed certificate with serial number 148643445013453340427358824714242815412407601930
[root@Kubernetes1 front-proxy]# ls
ca.csr  ca-key.pem  ca.pem  front-proxy-ca-csr.json
# Issue the client certificate from the front-proxy CA
[root@Kubernetes1 front-proxy]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/front-proxy/ca.pem \
>     -ca-key=/etc/kubernetes/pki/front-proxy/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     front-proxy-client-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy/front-proxy-client
2023/05/11 23:05:21 [INFO] generate received request
2023/05/11 23:05:21 [INFO] received CSR
2023/05/11 23:05:21 [INFO] generating key: rsa-2048
2023/05/11 23:05:21 [INFO] encoded CSR
2023/05/11 23:05:21 [INFO] signed certificate with serial number 147045670994628444945849373210876597044401355992
2023/05/11 23:05:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@Kubernetes1 front-proxy]# ls
ca.csr  ca-key.pem  ca.pem  front-proxy-ca-csr.json  front-proxy-client.csr  front-proxy-client-csr.json  front-proxy-client-key.pem  front-proxy-client.pem

3.4、controller-manager

1、Certificate
sudo tee /etc/kubernetes/pki/controller-manager/controller-manager-csr.json <<-'EOF'
{
  "CN": "system:kube-controller-manager",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes"
    }
  ]
}
EOF
cfssl gencert \
    -ca=/etc/kubernetes/pki/ca.pem \
    -ca-key=/etc/kubernetes/pki/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    controller-manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager/controller-manager
[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir controller-manager
[root@Kubernetes1 pki]# cd controller-manager
[root@Kubernetes1 controller-manager]# sudo tee /etc/kubernetes/pki/controller-manager/controller-manager-csr.json <<-'EOF'
> {
>   "CN": "system:kube-controller-manager",
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "ST": "Shanghai",
>       "L": "Shanghai",
>       "O": "system:kube-controller-manager",
>       "OU": "Kubernetes"
>     }
>   ]
> }
> EOF
······
# Issue the certificate from the kubernetes CA
[root@Kubernetes1 controller-manager]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/ca.pem \
>     -ca-key=/etc/kubernetes/pki/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     controller-manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager/controller-manager
2023/05/11 23:12:55 [INFO] generate received request
2023/05/11 23:12:55 [INFO] received CSR
2023/05/11 23:12:55 [INFO] generating key: rsa-2048
2023/05/11 23:12:55 [INFO] encoded CSR
2023/05/11 23:12:55 [INFO] signed certificate with serial number 394145345286971060997019421386376897335831738853
2023/05/11 23:12:55 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@Kubernetes1 controller-manager]# ls
controller-manager.csr  controller-manager-csr.json  controller-manager-key.pem  controller-manager.pem
2、Configuration file
# Create the kubeconfig with the cluster entry (CA embedded, server = load balancer)
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.19.0.7:6443 \
    --kubeconfig=/etc/kubernetes/conf/controller-manager/controller-manager.conf
# Set the context
kubectl config set-context system:kube-controller-manager@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-controller-manager \
    --kubeconfig=/etc/kubernetes/conf/controller-manager/controller-manager.conf
# Set the user credentials (client certificate and key embedded)
kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=/etc/kubernetes/pki/controller-manager/controller-manager.pem \
    --client-key=/etc/kubernetes/pki/controller-manager/controller-manager-key.pem \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/conf/controller-manager/controller-manager.conf
# Set the default context
kubectl config use-context system:kube-controller-manager@kubernetes \
    --kubeconfig=/etc/kubernetes/conf/controller-manager/controller-manager.conf
[root@Kubernetes1 controller-manager]# kubectl config set-cluster kubernetes \
>     --certificate-authority=/etc/kubernetes/pki/ca.pem \
>     --embed-certs=true \
>     --server=https://10.19.0.7:6443 \
>     --kubeconfig=/etc/kubernetes/pki/controller-manager/controller-manager.conf
Cluster "kubernetes" set.
[root@Kubernetes1 controller-manager]# ls
controller-manager.conf  controller-manager.csr  controller-manager-csr.json  controller-manager-key.pem  controller-manager.pem
[root@Kubernetes1 controller-manager]# kubectl config set-context system:kube-controller-manager@kubernetes \
>     --cluster=kubernetes \
>     --user=system:kube-controller-manager \
>     --kubeconfig=/etc/kubernetes/pki/controller-manager/controller-manager.conf
Context "system:kube-controller-manager@kubernetes" created.
[root@Kubernetes1 controller-manager]# kubectl config set-credentials system:kube-controller-manager \
>     --client-certificate=/etc/kubernetes/pki/controller-manager/controller-manager.pem \
>     --client-key=/etc/kubernetes/pki/controller-manager/controller-manager-key.pem \
>     --embed-certs=true \
>     --kubeconfig=/etc/kubernetes/pki/controller-manager/controller-manager.conf
User "system:kube-controller-manager" set.
[root@Kubernetes1 controller-manager]# kubectl config use-context system:kube-controller-manager@kubernetes \
>     --kubeconfig=/etc/kubernetes/pki/controller-manager/controller-manager.conf
Switched to context "system:kube-controller-manager@kubernetes".

3.5、scheduler

1、Certificate
sudo tee /etc/kubernetes/pki/scheduler/scheduler-csr.json <<-'EOF'
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes"
    }
  ]
}
EOF
# Issue the certificate from the kubernetes CA
cfssl gencert \
    -ca=/etc/kubernetes/pki/ca.pem \
    -ca-key=/etc/kubernetes/pki/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    scheduler-csr.json | cfssljson -bare /etc/kubernetes/pki/scheduler/scheduler
[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir scheduler
[root@Kubernetes1 pki]# cd scheduler
[root@Kubernetes1 scheduler]# sudo tee /etc/kubernetes/pki/scheduler/scheduler-csr.json <<-'EOF'
> {
>   "CN": "system:kube-scheduler",
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "ST": "Shanghai",
>       "L": "Shanghai",
>       "O": "system:kube-scheduler",
>       "OU": "Kubernetes"
>     }
>   ]
> }
> EOF
······
# Issue the certificate from the kubernetes CA
[root@Kubernetes1 scheduler]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/ca.pem \
>     -ca-key=/etc/kubernetes/pki/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     scheduler-csr.json | cfssljson -bare /etc/kubernetes/pki/scheduler/scheduler
2023/05/11 23:39:55 [INFO] generate received request
2023/05/11 23:39:55 [INFO] received CSR
2023/05/11 23:39:55 [INFO] generating key: rsa-2048
2023/05/11 23:39:55 [INFO] encoded CSR
2023/05/11 23:39:55 [INFO] signed certificate with serial number 314965323806286191266675207723457512925777497135
2023/05/11 23:39:55 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@Kubernetes1 scheduler]# ls
scheduler.csr  scheduler-csr.json  scheduler-key.pem  scheduler.pem
2、Configuration file
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.19.0.7:6443 \
    --kubeconfig=/etc/kubernetes/conf/scheduler/scheduler.conf

kubectl config set-credentials system:kube-scheduler \
    --client-certificate=/etc/kubernetes/pki/scheduler/scheduler.pem \
    --client-key=/etc/kubernetes/pki/scheduler/scheduler-key.pem \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/conf/scheduler/scheduler.conf
    
kubectl config set-context system:kube-scheduler@kubernetes \
    --cluster=kubernetes \
    --user=system:kube-scheduler \
    --kubeconfig=/etc/kubernetes/conf/scheduler/scheduler.conf

kubectl config use-context system:kube-scheduler@kubernetes \
     --kubeconfig=/etc/kubernetes/conf/scheduler/scheduler.conf
[root@Kubernetes1 scheduler]# kubectl config set-cluster kubernetes \
>     --certificate-authority=/etc/kubernetes/pki/ca.pem \
>     --embed-certs=true \
>     --server=https://10.19.0.7:6443 \
>     --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf
Cluster "kubernetes" set.
[root@Kubernetes1 scheduler]# kubectl config set-credentials system:kube-scheduler \
>     --client-certificate=/etc/kubernetes/pki/scheduler/scheduler.pem \
>     --client-key=/etc/kubernetes/pki/scheduler/scheduler-key.pem \
>     --embed-certs=true \
>     --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf
User "system:kube-scheduler" set.
[root@Kubernetes1 scheduler]# kubectl config set-context system:kube-scheduler@kubernetes \
>     --cluster=kubernetes \
>     --user=system:kube-scheduler \
>     --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf
Context "system:kube-scheduler@kubernetes" created.
[root@Kubernetes1 scheduler]# kubectl config use-context system:kube-scheduler@kubernetes \
>      --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf
Switched to context "system:kube-scheduler@kubernetes".

3.6、admin

1、Certificate
sudo tee /etc/kubernetes/pki/admin/admin-csr.json <<-'EOF'
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:masters",
      "OU": "Kubernetes"
    }
  ]
}
EOF
# Issue the certificate from the kubernetes CA
cfssl gencert \
    -ca=/etc/kubernetes/pki/ca.pem \
    -ca-key=/etc/kubernetes/pki/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin/admin
[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir admin
[root@Kubernetes1 pki]# cd admin
[root@Kubernetes1 admin]# sudo tee /etc/kubernetes/pki/admin/admin-csr.json <<-'EOF'
> {
>   "CN": "admin",
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "ST": "Shanghai",
>       "L": "Shanghai",
>       "O": "system:masters",
>       "OU": "Kubernetes"
>     }
>   ]
> }
> EOF
······
[root@Kubernetes1 admin]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/ca.pem \
>     -ca-key=/etc/kubernetes/pki/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin/admin
2023/05/12 00:53:47 [INFO] generate received request
2023/05/12 00:53:47 [INFO] received CSR
2023/05/12 00:53:47 [INFO] generating key: rsa-2048
2023/05/12 00:53:47 [INFO] encoded CSR
2023/05/12 00:53:47 [INFO] signed certificate with serial number 467431895743927380971732871897145819854357096178
2023/05/12 00:53:47 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@Kubernetes1 admin]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem
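As an added example in Go (not code from the original article), this checks the two things the apiserver actually reads from the certificates issued in 3.2 and 3.6: the SAN list against the cfssl "hosts" array, and the CN/O subject fields that become the Kubernetes username and groups. NewCA and Issue are constructed stand-ins for the cfssl commands, and KubeIdentity and MissingSANs are names chosen for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// KubeIdentity returns what the apiserver derives from a client certificate that
// chains to --client-ca-file: CN is the username, every O is a group. O=system:masters
// (the admin cert) is bound to cluster-admin, so its key needs root-credential handling.
func KubeIdentity(cert *x509.Certificate) (user string, groups []string) {
	return cert.Subject.CommonName, cert.Subject.Organization
}

// MissingSANs lists entries of a cfssl "hosts" array absent from the certificate's
// SANs; every address a client dials (10.96.0.1, the LB IP, the DNS names) must be there.
func MissingSANs(cert *x509.Certificate, hosts []string) []string {
	present := map[string]bool{}
	for _, d := range cert.DNSNames {
		present[d] = true
	}
	for _, ip := range cert.IPAddresses {
		present[ip.String()] = true
	}
	var missing []string
	for _, h := range hosts {
		if !present[h] {
			missing = append(missing, h)
		}
	}
	return missing
}

// NewCA is a constructed stand-in for "cfssl gencert -initca": a self-signed CA.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// Issue is a constructed stand-in for "cfssl gencert -ca ... -profile=kubernetes":
// IPs in hosts become IP SANs, everything else becomes a DNS SAN.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, orgs, hosts []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn, Organization: orgs},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	ca, caKey, _ := NewCA()
	// Constructed apiserver cert whose hosts list forgot the service IP 10.96.0.1.
	api, _ := Issue(ca, caKey, "Ialso", []string{"kube-apiserver"}, []string{"127.0.0.1", "10.19.0.7", "kubernetes.default.svc.cluster.local"})
	fmt.Println("missing SANs:", MissingSANs(api, []string{"10.96.0.1", "10.19.0.7", "kubernetes.default.svc.cluster.local"}))
	admin, _ := Issue(ca, caKey, "admin", []string{"system:masters"}, nil)
	user, groups := KubeIdentity(admin)
	fmt.Println("admin.pem authenticates as", user, "in groups", groups)
}
```

The same MissingSANs check can be run against the real apiserver.pem by loading it with x509.ParseCertificate after pem.Decode.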
2、Configuration file
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.19.0.7:6443 \
    --kubeconfig=/etc/kubernetes/conf/admin/admin.conf

kubectl config set-credentials kubernetes-admin \
    --client-certificate=/etc/kubernetes/pki/admin/admin.pem \
    --client-key=/etc/kubernetes/pki/admin/admin-key.pem \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/conf/admin/admin.conf

kubectl config set-context kubernetes-admin@kubernetes \
    --cluster=kubernetes \
    --user=kubernetes-admin \
    --kubeconfig=/etc/kubernetes/conf/admin/admin.conf

kubectl config use-context kubernetes-admin@kubernetes \
    --kubeconfig=/etc/kubernetes/conf/admin/admin.conf
[root@Kubernetes1 admin]# kubectl config set-cluster kubernetes \
>     --certificate-authority=/etc/kubernetes/pki/ca.pem \
>     --embed-certs=true \
>     --server=https://10.19.0.7:6443 \
>     --kubeconfig=/etc/kubernetes/admin/admin.conf
Cluster "kubernetes" set.
[root@Kubernetes1 admin]# kubectl config set-credentials kubernetes-admin \
>     --client-certificate=/etc/kubernetes/pki/admin/admin.pem \
>     --client-key=/etc/kubernetes/pki/admin/admin-key.pem \
>     --embed-certs=true \
>     --kubeconfig=/etc/kubernetes/admin/admin.conf
User "kubernetes-admin" set.
[root@Kubernetes1 admin]# kubectl config set-context kubernetes-admin@kubernetes \
>     --cluster=kubernetes \
>     --user=kubernetes-admin \
>     --kubeconfig=/etc/kubernetes/admin/admin.conf
Context "kubernetes-admin@kubernetes" created.
[root@Kubernetes1 admin]# kubectl config use-context kubernetes-admin@kubernetes \
>     --kubeconfig=/etc/kubernetes/admin/admin.conf
Switched to context "kubernetes-admin@kubernetes".
# Copy the kubeconfig to /root/.kube/config so kubectl uses it by default
[root@Kubernetes1 admin]# mkdir -p /root/.kube/
[root@Kubernetes1 admin]# cp /etc/kubernetes/conf/admin/admin.conf /root/.kube/config

3.7、kubelet

1、Certificate

The kubelet's certificate is issued automatically by the apiserver through TLS bootstrapping (the bootstrap token configured below), so no CSR is generated by hand here

2、Configuration file
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.19.0.7:6443 \
    --kubeconfig=/etc/kubernetes/conf/kubelet/bootstrap-kubelet.conf

kubectl config set-credentials tls-bootstrap-token-user \
    --token=xumeng.d683399b7a553977 \
    --kubeconfig=/etc/kubernetes/conf/kubelet/bootstrap-kubelet.conf

kubectl config set-context tls-bootstrap-token-user@kubernetes \
    --cluster=kubernetes \
    --user=tls-bootstrap-token-user \
    --kubeconfig=/etc/kubernetes/conf/kubelet/bootstrap-kubelet.conf

kubectl config use-context tls-bootstrap-token-user@kubernetes \
    --kubeconfig=/etc/kubernetes/conf/kubelet/bootstrap-kubelet.conf
[root@Kubernetes1 kubelet]# kubectl config set-cluster kubernetes \
>     --certificate-authority=/etc/kubernetes/pki/ca.pem \
>     --embed-certs=true \
>     --server=https://10.19.0.7:6443 \
>     --kubeconfig=/etc/kubernetes/kubelet/bootstrap-kubelet.conf
Cluster "kubernetes" set.
[root@Kubernetes1 kubelet]# kubectl config set-credentials tls-bootstrap-token-user \
>     --token=xumeng.d683399b7a553977 \
>     --kubeconfig=/etc/kubernetes/kubelet/bootstrap-kubelet.conf
User "tls-bootstrap-token-user" set.
[root@Kubernetes1 kubelet]# kubectl config set-context tls-bootstrap-token-user@kubernetes \
>     --cluster=kubernetes \
>     --user=tls-bootstrap-token-user \
>     --kubeconfig=/etc/kubernetes/kubelet/bootstrap-kubelet.conf
Context "tls-bootstrap-token-user@kubernetes" created.
[root@Kubernetes1 kubelet]# kubectl config use-context tls-bootstrap-token-user@kubernetes \
>     --kubeconfig=/etc/kubernetes/kubelet/bootstrap-kubelet.conf
Switched to context "tls-bootstrap-token-user@kubernetes".

3.8、kube-proxy

1、Certificate
sudo tee /etc/kubernetes/pki/kube-proxy/kube-proxy-csr.json <<-'EOF'
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "system:kube-proxy",
      "OU": "Kubernetes"
    }
  ]
}
EOF
# Issue the certificate from the kubernetes CA
cfssl gencert \
    -ca=/etc/kubernetes/pki/ca.pem \
    -ca-key=/etc/kubernetes/pki/ca-key.pem \
    -config=/etc/kubernetes/pki/ca-config.json \
    -profile=kubernetes \
    kube-proxy-csr.json | cfssljson -bare /etc/kubernetes/pki/kube-proxy/kube-proxy
[root@Kubernetes1 kubernetes]# sudo tee /etc/kubernetes/pki/kube-proxy/kube-proxy-csr.json <<-'EOF'
> {
>   "CN": "system:kube-proxy",
>   "key": {
>     "algo": "rsa",
>     "size": 2048
>   },
>   "names": [
>     {
>       "C": "CN",
>       "ST": "Shanghai",
>       "L": "Shanghai",
>       "O": "system:kube-proxy",
>       "OU": "Kubernetes"
>     }
>   ]
> }
> EOF
······
[root@Kubernetes1 kube-proxy]# cfssl gencert \
>     -ca=/etc/kubernetes/pki/ca.pem \
>     -ca-key=/etc/kubernetes/pki/ca-key.pem \
>     -config=/etc/kubernetes/pki/ca-config.json \
>     -profile=kubernetes \
>     kube-proxy-csr.json | cfssljson -bare /etc/kubernetes/pki/kube-proxy/kube-proxy
2023/05/14 15:09:12 [INFO] generate received request
2023/05/14 15:09:12 [INFO] received CSR
2023/05/14 15:09:12 [INFO] generating key: rsa-2048
2023/05/14 15:09:12 [INFO] encoded CSR
2023/05/14 15:09:12 [INFO] signed certificate with serial number 85466608013210076838833194009546651541147806751
2023/05/14 15:09:12 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@Kubernetes1 kube-proxy]# ls
kube-proxy.csr  kube-proxy-csr.json  kube-proxy-key.pem  kube-proxy.pem
2、Configuration file
kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server=https://10.19.0.7:6443 \
    --kubeconfig=/etc/kubernetes/conf/kube-proxy/kube-proxy.conf

kubectl config set-credentials system:kube-proxy \
    --client-certificate=/etc/kubernetes/pki/kube-proxy/kube-proxy.pem \
    --client-key=/etc/kubernetes/pki/kube-proxy/kube-proxy-key.pem \
    --embed-certs=true \
    --kubeconfig=/etc/kubernetes/conf/kube-proxy/kube-proxy.conf

kubectl config set-context default \
    --cluster=kubernetes \
    --user=system:kube-proxy \
    --kubeconfig=/etc/kubernetes/conf/kube-proxy/kube-proxy.conf

kubectl config use-context default \
    --kubeconfig=/etc/kubernetes/conf/kube-proxy/kube-proxy.conf
[root@Kubernetes1 kube-proxy]# kubectl config set-cluster kubernetes \
>     --certificate-authority=/etc/kubernetes/pki/ca.pem \
>     --embed-certs=true \
>     --server=https://10.19.0.7:6443 \
>     --kubeconfig=/etc/kubernetes/kube-proxy/kube-proxy.conf
Cluster "kubernetes" set.
[root@Kubernetes1 kube-proxy]# kubectl config set-credentials system:kube-proxy \
>     --client-certificate=/etc/kubernetes/pki/kube-proxy/kube-proxy.pem \
>     --client-key=/etc/kubernetes/pki/kube-proxy/kube-proxy-key.pem \
>     --embed-certs=true \
>     --kubeconfig=/etc/kubernetes/kube-proxy/kube-proxy.conf
User "system:kube-proxy" set.
[root@Kubernetes1 kube-proxy]# kubectl config set-context default \
>     --cluster=kubernetes \
>     --user=system:kube-proxy \
>     --kubeconfig=/etc/kubernetes/kube-proxy/kube-proxy.conf
Context "default" created.
[root@Kubernetes1 kube-proxy]# kubectl config use-context default \
>     --kubeconfig=/etc/kubernetes/kube-proxy/kube-proxy.conf
Switched to context "default".

3.9、ServiceAccount

When k8s creates a ServiceAccount it is assigned a Secret token (signed with the private key below; other components verify it with the public key)

[root@Kubernetes1 pki]# pwd
/etc/kubernetes/pki
[root@Kubernetes1 pki]# mkdir service-account
[root@Kubernetes1 pki]# cd service-account
# Generate the private key
[root@Kubernetes1 service-account]# openssl genrsa -out /etc/kubernetes/pki/service-account/sa.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
..............................+++
e is 65537 (0x10001)
# Derive the public key
[root@Kubernetes1 service-account]# ls
sa.key
[root@Kubernetes1 service-account]# openssl rsa -in /etc/kubernetes/pki/service-account/sa.key -pubout -out /etc/kubernetes/pki/service-account/sa.pub
writing RSA key
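Added example in Go (not the article's code) showing what sa.key and sa.pub are for: the apiserver signs service-account tokens (RS256 JWTs) with the private key, and anything holding only the public key can verify them and check the issuer later configured with --service-account-issuer. NewServiceAccountKey, SignToken, VerifyToken and the Claims subset are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Issuer mirrors --service-account-issuer; a verifier rejects any other "iss".
const Issuer = "https://kubernetes.default.svc.cluster.local"

// Claims is the subset of a service-account token payload that matters here.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"` // system:serviceaccount:<namespace>:<name>
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"` // unix seconds
}

// NewServiceAccountKey stands in for "openssl genrsa -out sa.key 2048".
func NewServiceAccountKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken mints an RS256 JWT with sa.key (what --service-account-signing-key-file does).
func SignToken(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc(header) + "." + enc(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// VerifyToken is all a holder of sa.pub (--service-account-key-file) can do: pin the
// algorithm, check the signature, then validate issuer, audience and expiry.
func VerifyToken(pub *rsa.PublicKey, token, audience string, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	// Pin the algorithm before looking at the signature; the token never chooses it.
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw[0], &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("algorithm must be RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify against sa.pub")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != Issuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == audience
	}
	if !audOK {
		return nil, fmt.Errorf("token not issued for audience %q", audience)
	}
	if nowUnix >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := NewServiceAccountKey()
	tok, _ := SignToken(key, Claims{Iss: Issuer, Sub: "system:serviceaccount:default:demo", Aud: []string{Issuer}, Exp: time.Now().Unix() + 3600})
	c, err := VerifyToken(&key.PublicKey, tok, Issuer, time.Now().Unix())
	fmt.Println(c, err)
}
```

Because only sa.pub is needed to verify, sa.key must stay on the masters alone; the scp in 3.10 below copies the whole /etc/kubernetes tree to the workers as well, which is worth trimming.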

3.10、Copy the certificates to the other nodes

[root@Kubernetes1 ~]# for i in Kubernetes2 Kubernetes3 Kubernetes4 Kubernetes5 Kubernetes6;do scp -r /etc/kubernetes/* root@$i:/etc/kubernetes/;done
······

4、Starting the control-plane components

4.1、apiserver

1、Start
# Flag reference: https://kubernetes.io/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/
# Values to adjust on each master: --advertise-address, --etcd-servers
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart=/usr/bin/kube-apiserver \
      --v=2  \
      --allow-privileged=true  \
      --bind-address=0.0.0.0  \
      --secure-port=6443  \
      --advertise-address=10.19.0.5 \
      --service-cluster-ip-range=10.96.0.0/16  \
      --service-node-port-range=30000-32767  \
      --etcd-servers=https://10.19.0.5:2379,https://10.19.0.9:2379,https://10.19.0.11:2379 \
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.pem  \
      --etcd-certfile=/etc/kubernetes/pki/etcd/etcd.pem  \
      --etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-key.pem  \
      --client-ca-file=/etc/kubernetes/pki/ca.pem  \
      --tls-cert-file=/etc/kubernetes/pki/apiserver/apiserver.pem  \
      --tls-private-key-file=/etc/kubernetes/pki/apiserver/apiserver-key.pem  \
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver/apiserver.pem  \
      --kubelet-client-key=/etc/kubernetes/pki/apiserver/apiserver-key.pem  \
      --service-account-key-file=/etc/kubernetes/pki/service-account/sa.pub  \
      --service-account-signing-key-file=/etc/kubernetes/pki/service-account/sa.key  \
      --service-account-issuer=https://kubernetes.default.svc.cluster.local \
      --kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP \
      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota  \
      --authorization-mode=Node,RBAC  \
      --enable-bootstrap-token-auth=true  \
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy/ca.pem  \
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy/front-proxy-client.pem  \
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy/front-proxy-client-key.pem  \
      --requestheader-allowed-names=aggregator,front-proxy-client  \
      --requestheader-group-headers=X-Remote-Group  \
      --requestheader-extra-headers-prefix=X-Remote-Extra-  \
      --requestheader-username-headers=X-Remote-User \
      --enable-aggregator-routing=true

Restart=on-failure
RestartSec=10s
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
[root@Kubernetes1 ~]# mkdir -p /etc/kubernetes/manifests/ /etc/systemd/system/kubelet.service.d /var/lib/kubelet /var/log/kubernetes
[root@Kubernetes1 ~]# vi /usr/lib/systemd/system/kube-apiserver.service
[root@Kubernetes1 ~]# systemctl daemon-reload
[root@Kubernetes1 ~]# systemctl enable --now kube-apiserver.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
[root@Kubernetes1 front-proxy]# systemctl status kube-apiserver.service
● kube-apiserver.service - Kubernetes API Server
   Loaded: loaded (/usr/lib/systemd/system/kube-apiserver.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-13 11:42:28 CST; 24s ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 30396 (kube-apiserver)
    Tasks: 8
   Memory: 220.8M
   CGroup: /system.slice/kube-apiserver.service
           └─30396 /usr/bin/kube-apiserver --v=2 --allow-privileged=true --bind-address=0.0.0.0 --secure-port=6443 --advertise-address=10.19.0.5 --service-cluster-ip-rang...

May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720292   30396 apf_controller.go:444] "Update CurrentCL" plName="workload-high" seatDemandHigh...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720331   30396 apf_controller.go:444] "Update CurrentCL" plName="workload-low" seatDemandHighW...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720379   30396 apf_controller.go:444] "Update CurrentCL" plName="system" seatDemandHighWaterma...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720399   30396 apf_controller.go:444] "Update CurrentCL" plName="node-high" seatDemandHighWate...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720416   30396 apf_controller.go:444] "Update CurrentCL" plName="catch-all" seatDemandHighWate...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.720433   30396 apf_controller.go:444] "Update CurrentCL" plName="leader-election" seatDemandHi...stop=false
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.723801   30396 strategy.go:236] "Successfully created PriorityLevelConfiguration" type="sugges...kload-low"
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.732897   30396 apf_controller.go:854] Retaining queues for priority level "workload-low": config={"type"...
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.732929   30396 apf_controller.go:846] Introducing queues for priority level "global-default": config={"t...
May 13 11:42:30 Kubernetes1 kube-apiserver[30396]: I0513 11:42:30.732942   30396 apf_controller.go:854] Retaining queues for priority level "system": config={"type":"Limi...
Hint: Some lines were ellipsized, use -l to show in full.
2. Troubleshooting
# startup log
journalctl -xeu kube-apiserver
# kube-apiserver errors in syslog
cat /var/log/messages|grep kube-apiserver|grep -i error

4.2. controller-manager

1. Start
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart=/usr/bin/kube-controller-manager \
      --v=2 \
      --bind-address=127.0.0.1 \
      --root-ca-file=/etc/kubernetes/pki/ca.pem \
      --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem \
      --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem \
      --service-account-private-key-file=/etc/kubernetes/pki/service-account/sa.key \
      --kubeconfig=/etc/kubernetes/conf/controller-manager/controller-manager.conf \
      --leader-elect=true \
      --use-service-account-credentials=true \
      --node-monitor-grace-period=40s \
      --node-monitor-period=5s \
      --pod-eviction-timeout=2m0s \
      --controllers=*,bootstrapsigner,tokencleaner \
      --allocate-node-cidrs=true \
      --cluster-cidr=192.168.0.0/16 \
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy/ca.pem \
      --node-cidr-mask-size=24
      
Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
[root@Kubernetes1 ~]# vi /usr/lib/systemd/system/kube-controller-manager.service
[root@Kubernetes1 ~]# systemctl daemon-reload
[root@Kubernetes1 ~]# systemctl enable --now kube-controller-manager.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@Kubernetes1 ~]# systemctl status kube-controller-manager
● kube-controller-manager.service - Kubernetes Controller Manager
   Loaded: loaded (/usr/lib/systemd/system/kube-controller-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-13 15:28:15 CST; 37s ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 21567 (kube-controller)
    Tasks: 5
   Memory: 24.5M
   CGroup: /system.slice/kube-controller-manager.service
           └─21567 /usr/bin/kube-controller-manager --v=2 --bind-address=127.0.0.1 --root-ca-file=/etc/kubernetes/pki/ca.pem --cluster-signing-cert-file=/etc/kubernetes/p...

May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.492630   21567 tlsconfig.go:200] "Loaded serving cert" certName="Generated self signed cert" ce...
May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.492763   21567 named_certificates.go:53] "Loaded SNI cert" index=0 certName="self-signed loopba...
May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.492781   21567 secure_serving.go:210] Serving securely on 127.0.0.1:10257
May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.492971   21567 leaderelection.go:248] attempting to acquire leader lease kube-system/k...anager...
May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.493275   21567 dynamic_cafile_content.go:157] "Starting controller" name="request-head...y/ca.pem"
May 13 15:28:16 Kubernetes1 kube-controller-manager[21567]: I0513 15:28:16.493406   21567 tlsconfig.go:240] "Starting DynamicServingCertificateController"
May 13 15:28:21 Kubernetes1 kube-controller-manager[21567]: E0513 15:28:21.493666   21567 leaderelection.go:330] error retrieving resource lock kube-system/kube-controlle...
May 13 15:28:29 Kubernetes1 kube-controller-manager[21567]: E0513 15:28:29.682041   21567 leaderelection.go:330] error retrieving resource lock kube-system/kube-controlle...
May 13 15:28:37 Kubernetes1 kube-controller-manager[21567]: E0513 15:28:37.206671   21567 leaderelection.go:330] error retrieving resource lock kube-system/kube-controlle...
May 13 15:28:45 Kubernetes1 kube-controller-manager[21567]: E0513 15:28:45.658338   21567 leaderelection.go:330] error retrieving resource lock kube-system/kube-controlle...
Hint: Some lines were ellipsized, use -l to show in full.
2. Troubleshooting
# startup log
journalctl -xeu kube-controller-manager
# kube-controller-manager errors in syslog
cat /var/log/messages|grep kube-controller-manager|grep -i error

4.3. scheduler

1. Start
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart=/usr/bin/kube-scheduler \
      --v=2 \
      --bind-address=127.0.0.1 \
      --leader-elect=true \
      --kubeconfig=/etc/kubernetes/conf/scheduler/scheduler.conf

Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
[root@Kubernetes1 ~]# vi /usr/lib/systemd/system/kube-scheduler.service
[root@Kubernetes1 ~]# systemctl daemon-reload
[root@Kubernetes1 ~]# systemctl enable --now kube-scheduler.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@Kubernetes3 ~]# systemctl status kube-scheduler.service
● kube-scheduler.service - Kubernetes Scheduler
   Loaded: loaded (/usr/lib/systemd/system/kube-scheduler.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2023-05-13 17:58:09 CST; 6s ago
     Docs: https://github.com/kubernetes/kubernetes
 Main PID: 22850 (kube-scheduler)
    Tasks: 7
   Memory: 19.3M
   CGroup: /system.slice/kube-scheduler.service
           └─22850 /usr/bin/kube-scheduler --v=2 --bind-address=127.0.0.1 --leader-elect=true --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf

May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351165   22850 flags.go:64] FLAG: --tls-private-key-file=""
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351169   22850 flags.go:64] FLAG: --tls-sni-cert-key="[]"
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351175   22850 flags.go:64] FLAG: --v="2"
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351181   22850 flags.go:64] FLAG: --version="false"
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351190   22850 flags.go:64] FLAG: --vmodule=""
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.351198   22850 flags.go:64] FLAG: --write-config-to=""
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: I0513 17:58:09.641245   22850 serving.go:348] Generated self-signed cert in-memory
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: W0513 17:58:09.811156   22850 authentication.go:320] No authentication-kubeconfig provided in order to lookup...on't work.
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: W0513 17:58:09.811189   22850 authentication.go:344] No authentication-kubeconfig provided in order to lookup...on't work.
May 13 17:58:09 Kubernetes3 kube-scheduler[22850]: W0513 17:58:09.811202   22850 authorization.go:194] No authorization-kubeconfig provided, so SubjectAccessRev...on't work.
Hint: Some lines were ellipsized, use -l to show in full.
2. Troubleshooting
# startup log
journalctl -xeu kube-scheduler
# kube-scheduler errors in syslog
cat /var/log/messages|grep kube-scheduler|grep -i error
# The "No authentication-kubeconfig provided" / "No authorization-kubeconfig provided" warnings in the status output above mean the scheduler cannot authenticate or authorize callers of its own secure port (10259, bound to 127.0.0.1 here). Scheduling itself is unaffected. To clear them, add --authentication-kubeconfig and --authorization-kubeconfig pointing at the same scheduler.conf to the unit; the identity in that kubeconfig must then be allowed to create TokenReviews and SubjectAccessReviews (the built-in system:kube-scheduler ClusterRole grants both).
3. Test
[root@Kubernetes1 ~]# kubectl get nodes
No resources found
# ComponentStatus is deprecated; kubectl get --raw='/readyz?verbose' reports the API server's own health checks (including its etcd connection) instead
[root@Kubernetes3 ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE                         ERROR
scheduler            Healthy   ok                              
controller-manager   Healthy   ok                              
etcd-1               Healthy   {"health":"true","reason":""}   
etcd-0               Healthy   {"health":"true","reason":""}   
etcd-2               Healthy   {"health":"true","reason":""}

4.4. kubelet

1. Cluster bootstrap token and RBAC
apiVersion: v1
kind: Secret
metadata:
  # replace with your own token-id (6 characters from [a-z0-9]); the Secret name must be bootstrap-token-<token-id>
  name: bootstrap-token-xumeng
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "The default bootstrap token generated by 'kubelet '."
  # replace with your own token-id
  token-id: xumeng
  # replace with your own token-secret (16 characters from [a-z0-9]); anyone holding "<token-id>.<token-secret>" can join a node to this cluster
  token-secret: d683399b7a553977
  # no expiration field is set, so this token never expires: add one (RFC 3339 UTC, e.g. expiration: "2023-05-20T00:00:00Z") or delete the Secret once all nodes have joined; the tokencleaner controller enabled on kube-controller-manager above removes expired tokens automatically
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups:  system:bootstrappers:default-node-token,system:bootstrappers:worker,system:bootstrappers:ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-autoapprove-bootstrap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: node-autoapprove-certificate-rotation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kube-apiserver
[root@Kubernetes1 kubelet]# vi /etc/kubernetes/pki/kubelet/bootstrap.secret.yaml
[root@Kubernetes1 kubelet]# kubectl apply -f bootstrap.secret.yaml
secret/bootstrap-token-xumeng created
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
clusterrolebinding.rbac.authorization.k8s.io/node-autoapprove-bootstrap created
clusterrolebinding.rbac.authorization.k8s.io/node-autoapprove-certificate-rotation created
clusterrole.rbac.authorization.k8s.io/system:kube-apiserver-to-kubelet created
clusterrolebinding.rbac.authorization.k8s.io/system:kube-apiserver created
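The bootstrap Secret above is hand-written with a fixed token. As an added example (not part of the original page), the script below generates a token-id and token-secret in the exact shape the bootstrap token authenticator requires, renders the same kind of Secret with an expiration so the tokencleaner controller removes it, and checks the format before anything is applied. The 24-hour expiry and the fallback date are example values; only the system:bootstrappers:default-node-token group is kept because that is the one the ClusterRoleBindings above actually reference.

```shell
#!/bin/sh
# Added example: generate and validate a kubelet bootstrap token, then render
# the bootstrap.kubernetes.io/token Secret with an expiry. Not from the page.
set -eu

# Draw $1 characters from /dev/urandom, keeping only the [a-z0-9] alphabet the
# token format allows. 1024 raw bytes yield ~140 usable characters on average,
# comfortably more than the 16 needed.
gen_token_part() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "$1"
}

# Return 0 only if "$1" is <6 chars>.<16 chars> over [a-z0-9]; the bootstrap
# token authenticator rejects tokens that do not match this shape.
validate_token() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# RFC 3339 UTC timestamp 24h from now (GNU date first, then BSD date); the
# literal at the end is only a placeholder for environments where neither works.
default_expiry() {
  date -u -d '+24 hours' '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \
    || date -u -v+24H '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null \
    || echo '2023-05-20T00:00:00Z'
}

# Print the Secret manifest for token-id $1, token-secret $2, expiration $3.
# Unlike the manifest above this sets expiration, so the token stops working
# (and is deleted by tokencleaner) after the nodes have joined.
render_bootstrap_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$1
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "kubelet bootstrap token, expires $3"
  token-id: $1
  token-secret: $2
  expiration: "$3"
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: system:bootstrappers:default-node-token
EOF
}

TOKEN_ID=$(gen_token_part 6)
TOKEN_SECRET=$(gen_token_part 16)
# Abort (set -e) rather than apply a malformed token.
validate_token "$TOKEN_ID.$TOKEN_SECRET"
render_bootstrap_secret "$TOKEN_ID" "$TOKEN_SECRET" "$(default_expiry)"
# The kubelet side uses the same value in bootstrap-kubelet.conf:
#   kubectl config set-credentials ... --token="$TOKEN_ID.$TOKEN_SECRET"
```

Pipe the output into kubectl apply -f - on a master; the printed token must go into the kubelets' bootstrap-kubelet.conf and nowhere else, since it is equivalent to a node-join credential until it expires.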
2. Start
# parameter reference https://kubernetes.io/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
# the read-only port serves pod and node details with no authentication at all; 10255 keeps the old default, set readOnlyPort: 0 to disable it
readOnlyPort: 10255
authentication:
  anonymous:
    # unauthenticated requests to 10250 are rejected (keep this false)
    enabled: false
  webhook:
    cacheTTL: 2m0s
    # bearer tokens are verified against the API server (TokenReview)
    enabled: true
  x509:
    # client certificates must chain to the cluster CA; this is how the API server authenticates to the kubelet
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  # every request is authorized with a SubjectAccessReview, which is why the system:kube-apiserver-to-kubelet ClusterRole above is needed
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart=/usr/bin/kubelet \
    --v=2 \
    --bootstrap-kubeconfig=/etc/kubernetes/conf/kubelet/bootstrap-kubelet.conf \
    --kubeconfig=/etc/kubernetes/conf/kubelet/kubelet.conf \
    --config=/etc/kubernetes/conf/kubelet/kubelet-conf.yaml \
    --container-runtime-endpoint=unix:///run/cri-dockerd.sock \
    --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9

Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
[root@Kubernetes1 ~]# vi /etc/kubernetes/conf/kubelet/kubelet-conf.yaml
[root@Kubernetes1 ~]# vi /usr/lib/systemd/system/kubelet.service
[root@Kubernetes1 ~]# systemctl daemon-reload
[root@Kubernetes1 ~]# systemctl enable --now kubelet.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@Kubernetes1 ~]# systemctl status kubelet.service 
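The authentication and authorization block of kubelet-conf.yaml decides who can reach the kubelet API on every node. As an added example (not from the original page), the script below lints a KubeletConfiguration file for the settings that matter: the read-only port, anonymous authentication, webhook token authentication and the authorization mode. It runs against three constructed configs written to a temp directory: the values used above, a hardened copy with the read-only port off, and a deliberately weak copy; the file names and the finding texts are this example's own.

```shell
#!/bin/sh
# Added example: lint a KubeletConfiguration for who can talk to the kubelet.
# Not from the page; sample configs are constructed below.
set -eu

# Print the value at dotted path $1 (up to three levels) in YAML file $2.
# Relies on the two-space indentation kubelet-conf.yaml uses; comments and
# blank lines are skipped, list items ("- pods") never match a key.
yaml_value() {
  awk -v path="$1" '
    BEGIN { n = split(path, want, ".") }
    /^[ ]*#/ || /^[ ]*$/ { next }
    {
      match($0, /^ */); depth = RLENGTH / 2 + 1      # top level = 1
      key = $1; sub(/:$/, "", key)
      if (depth <= n) ok[depth] = (key == want[depth])
      for (d = depth + 1; d <= n; d++) ok[d] = 0  # leaving a block resets it
      if (depth == n && ok[n]) {
        all = 1; for (d = 1; d < n; d++) if (!ok[d]) all = 0
        if (all) { print $2; exit }
      }
    }' "$2"
}

# Print one line per weak setting in file $1; exit status = number of findings.
kubelet_config_findings() {
  f=$1; count=0
  ro=$(yaml_value readOnlyPort "$f")
  if [ -n "$ro" ] && [ "$ro" != "0" ]; then
    echo "readOnlyPort=$ro: unauthenticated read-only API on $(yaml_value address "$f"); set readOnlyPort: 0"
    count=$((count + 1))
  fi
  if [ "$(yaml_value authentication.anonymous.enabled "$f")" = "true" ]; then
    echo "authentication.anonymous.enabled=true: unauthenticated callers become system:anonymous"
    count=$((count + 1))
  fi
  if [ "$(yaml_value authentication.webhook.enabled "$f")" != "true" ]; then
    echo "authentication.webhook.enabled is not true: bearer tokens are not checked with the API server"
    count=$((count + 1))
  fi
  if [ "$(yaml_value authorization.mode "$f")" = "AlwaysAllow" ]; then
    echo "authorization.mode=AlwaysAllow: every authenticated request is permitted"
    count=$((count + 1))
  fi
  return "$count"
}

# Constructed samples: the security-relevant part of the kubelet-conf.yaml
# above (as-above.yaml), a hardened copy, and a deliberately weak copy.
write_sample_configs() {
  dir=$1
  cat > "$dir/as-above.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
EOF
  # Hardened: read-only port off, everything else unchanged.
  sed 's/^readOnlyPort: .*/readOnlyPort: 0/' "$dir/as-above.yaml" > "$dir/hardened.yaml"
  # Weak: anonymous on, webhook authn off, AlwaysAllow (read-only port still on).
  sed -e '/^  anonymous:/,/enabled:/ s/enabled: false/enabled: true/' \
      -e '/^  webhook:/,/enabled:/ s/enabled: true/enabled: false/' \
      -e 's/^  mode: Webhook/  mode: AlwaysAllow/' \
      "$dir/as-above.yaml" > "$dir/weak.yaml"
}

TMP=$(mktemp -d)
write_sample_configs "$TMP"
for name in as-above hardened weak; do
  echo "== $name.yaml"
  kubelet_config_findings "$TMP/$name.yaml" || true   # non-zero status = findings
done
rm -rf "$TMP"
```

Run kubelet_config_findings against /etc/kubernetes/conf/kubelet/kubelet-conf.yaml on each node; with the configuration above it reports exactly one finding, the read-only port, and a non-zero exit status that a provisioning script can gate on.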
3. Troubleshooting
# startup log
journalctl -xeu kubelet
# kubelet errors in syslog
cat /var/log/messages|grep kubelet|grep -i error

4.5. kube-proxy

1. Start
# config reference https://kubernetes.io/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  acceptContentTypes: ''
  burst: 10
  contentType: application/vnd.kubernetes.protobuf
  kubeconfig: /etc/kubernetes/conf/kube-proxy/kube-proxy.conf
  qps: 5
clusterCIDR: 192.168.0.0/16
configSyncPeriod: 15m0s
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
iptables:
  masqueradeAll: false
  masqueradeBit: 14
  minSyncPeriod: 5s
  syncPeriod: 30s
ipvs:
  minSyncPeriod: 5s
  scheduler: "rr"
  syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs"
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
[Unit]
Description=Kubernetes kube-proxy
Documentation=https://github.com/kubernetes/kubernetes

[Service]
# --hostname-override must be each host's own node name on the other machines
ExecStart=/usr/bin/kube-proxy \
    --v=2 \
    --hostname-override=Kubernetes1 \
    --config=/etc/kubernetes/conf/kube-proxy/kube-proxy-conf.yaml

Restart=always
RestartSec=10s

[Install]
WantedBy=multi-user.target
[root@Kubernetes1 ~]# vim /etc/kubernetes/conf/kube-proxy/kube-proxy-conf.yaml
[root@Kubernetes1 ~]# vim /usr/lib/systemd/system/kube-proxy.service
[root@Kubernetes1 ~]# systemctl daemon-reload
[root@Kubernetes1 ~]# systemctl enable --now kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@Kubernetes1 ~]# systemctl status kube-proxy.service

4.6. Test

If you accidentally delete a CSR along the way, remove the kubelet's generated files (the kubelet.conf kubeconfig and the client certificate it obtained), restart kubelet, and it will request a new CSR. The nodes show NotReady below because no network plugin is installed yet; that is done in section 6.

[root@Kubernetes1 kubelet]# kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                 REQUESTEDDURATION   CONDITION
csr-2rdjv   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
csr-bwm58   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
csr-gvfbh   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
csr-nmlmz   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
csr-vrtb6   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
csr-w2r6d   77s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:xumeng   <none>              Approved,Issued
[root@Kubernetes1 kubelet]# kubectl get nodes
NAME          STATUS     ROLES    AGE   VERSION
kubernetes1   NotReady   <none>   9s    v1.26.3
kubernetes2   NotReady   <none>   9s    v1.26.3
kubernetes3   NotReady   <none>   9s    v1.26.3
kubernetes4   NotReady   <none>   9s    v1.26.3
kubernetes5   NotReady   <none>   9s    v1.26.3
kubernetes6   NotReady   <none>   9s    v1.26.3

5. Starting the worker node components

5.1. kubelet

See 4.4

5.2. kube-proxy

See 4.5

5.3. Test

Same checks as in 4.6: kubectl get csr should show an Approved,Issued CSR for each node and kubectl get nodes should list all six nodes (the output in 4.6 already includes kubernetes4 to kubernetes6). They remain NotReady until the network plugin in section 6 is installed.

6. Network component

[root@Kubernetes1 kubelet]# curl https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/calico-etcd.yaml -o calico.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  232k  100  232k    0     0   201k      0  0:00:01  0:00:01 --:--:--  201k
# point Calico at the etcd cluster (replaces the placeholder in the downloaded manifest)
[root@Kubernetes1 ~]# sed -i 's#etcd_endpoints: "http://<ETCD_IP>:<ETCD_PORT>"#etcd_endpoints: "https://10.19.0.5:2379,https://10.19.0.9:2379,https://10.19.0.11:2379"#g' calico.yaml
# embed the etcd client certificate material (base64 on a single line) into the calico-etcd-secrets Secret
[root@Kubernetes1 ~]# ETCD_CA=`cat /etc/kubernetes/pki/etcd/ca.pem | base64 -w 0 `
[root@Kubernetes1 ~]# ETCD_CERT=`cat /etc/kubernetes/pki/etcd/etcd.pem | base64 -w 0 `
[root@Kubernetes1 ~]# ETCD_KEY=`cat /etc/kubernetes/pki/etcd/etcd-key.pem | base64 -w 0 `
[root@Kubernetes1 ~]# sed -i "s@# etcd-key: null@etcd-key: ${ETCD_KEY}@g; s@# etcd-cert: null@etcd-cert: ${ETCD_CERT}@g; s@# etcd-ca: null@etcd-ca: ${ETCD_CA}@g" calico.yaml
# enable the secret mount paths in the calico-config ConfigMap
[root@Kubernetes1 ~]# sed -i 's#etcd_ca: ""#etcd_ca: "/calico-secrets/etcd-ca"#g; s#etcd_cert: ""#etcd_cert: "/calico-secrets/etcd-cert"#g; s#etcd_key: "" #etcd_key: "/calico-secrets/etcd-key" #g' calico.yaml
# Pod CIDR: the manifest default (192.168.0.0/16) matches this cluster, so nothing to change
# Note: these endpoints are the same etcd that stores all Kubernetes API objects, and the client certificate is mounted into calico-node on every node. Anyone who can read the calico-etcd-secrets Secret or compromise one node can read the entire cluster state (including Secrets) straight from etcd. The calico.yaml manifest (Kubernetes API datastore) in the same release avoids handing out etcd credentials.
# pull the Calico images through an Aliyun mirror and retag them with the names the manifest expects
#!/bin/bash
# these come from a third-party mirror, not the Calico project: compare image IDs/digests with the upstream calico/* images before trusting them
docker pull registry.cn-hangzhou.aliyuncs.com/ialso/calico-cni:v3.25.0
docker pull registry.cn-hangzhou.aliyuncs.com/ialso/calico-node:v3.25.0
docker pull registry.cn-hangzhou.aliyuncs.com/ialso/calico-kube-controllers:v3.25.0
docker tag registry.cn-hangzhou.aliyuncs.com/ialso/calico-cni:v3.25.0 calico/cni:v3.25.0
docker tag registry.cn-hangzhou.aliyuncs.com/ialso/calico-node:v3.25.0 calico/node:v3.25.0
docker tag registry.cn-hangzhou.aliyuncs.com/ialso/calico-kube-controllers:v3.25.0 calico/kube-controllers:v3.25.0
[root@Kubernetes1 ~]# kubectl apply -f calico.yaml
poddisruptionbudget.policy/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
serviceaccount/calico-node created
secret/calico-etcd-secrets created
configmap/calico-config created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
deployment.apps/calico-kube-controllers created
[root@Kubernetes1 ~]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-56ff66f86d-cswt8   1/1     Running   0          31s
kube-system   calico-node-68hck                          1/1     Running   0          31s
kube-system   calico-node-hcbsh                          1/1     Running   0          30s
kube-system   calico-node-nmvxr                          1/1     Running   0          30s
kube-system   calico-node-p5xj2                          1/1     Running   0          30s
kube-system   calico-node-t4mpr                          1/1     Running   0          30s
kube-system   calico-node-v76v7                          1/1     Running   0          30s
[root@Kubernetes1 ~]# kubectl get nodes
NAME          STATUS   ROLES    AGE     VERSION
kubernetes1   Ready    <none>   3h10m   v1.26.3
kubernetes2   Ready    <none>   3h10m   v1.26.3
kubernetes3   Ready    <none>   3h10m   v1.26.3
kubernetes4   Ready    <none>   3h10m   v1.26.3
kubernetes5   Ready    <none>   3h10m   v1.26.3
kubernetes6   Ready    <none>   3h10m   v1.26.3

7. CoreDNS

[root@Kubernetes6 kubelet]# docker pull registry.aliyuncs.com/google_containers/coredns:1.9.4
1.9.4: Pulling from google_containers/coredns
c6824c7a0594: Pull complete 
8f16f0bc6a9b: Pull complete 
Digest: sha256:b82e294de6be763f73ae71266c8f5466e7e03c69f3a1de96efd570284d35bb18
Status: Downloaded newer image for registry.aliyuncs.com/google_containers/coredns:1.9.4
registry.aliyuncs.com/google_containers/coredns:1.9.4
[root@Kubernetes1 ~]# git clone https://github.com/coredns/deployment.git
Cloning into 'deployment'...
remote: Enumerating objects: 974, done.
remote: Counting objects: 100% (115/115), done.
remote: Compressing objects: 100% (66/66), done.
remote: Total 974 (delta 63), reused 92 (delta 43), pack-reused 859
Receiving objects: 100% (974/974), 268.93 KiB | 240.00 KiB/s, done.
Resolving deltas: 100% (531/531), done.
[root@Kubernetes1 ~]# cd deployment/kubernetes
[root@Kubernetes1 kubernetes]# ./deploy.sh -s -i 10.96.0.10 | kubectl apply -f -
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.apps/coredns created
service/kube-dns created
[root@Kubernetes1 kubernetes]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-56ff66f86d-cswt8   1/1     Running   0          71m
kube-system   calico-node-68hck                          1/1     Running   0          71m
kube-system   calico-node-hcbsh                          1/1     Running   0          71m
kube-system   calico-node-nmvxr                          1/1     Running   0          71m
kube-system   calico-node-p5xj2                          1/1     Running   0          71m
kube-system   calico-node-t4mpr                          1/1     Running   0          71m
kube-system   calico-node-v76v7                          1/1     Running   0          71m
kube-system   coredns-85b5646f88-p6nwl                   1/1     Running   0          6m49s

8. Set node labels

[root@kubernetes1 kubelet]# kubectl get nodes
NAME          STATUS   ROLES    AGE     VERSION
kubernetes1   Ready    <none>   3h40m   v1.26.3
kubernetes2   Ready    <none>   3h40m   v1.26.3
kubernetes3   Ready    <none>   3h40m   v1.26.3
kubernetes4   Ready    <none>   3h40m   v1.26.3
kubernetes5   Ready    <none>   3h40m   v1.26.3
kubernetes6   Ready    <none>   3h40m   v1.26.3
[root@Kubernetes1 kubelet]# kubectl label node kubernetes1 node-role.kubernetes.io/master=''
node/kubernetes1 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes2 node-role.kubernetes.io/master=''
node/kubernetes2 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes3 node-role.kubernetes.io/master=''
node/kubernetes3 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes2 node-role.kubernetes.io/worker=''
node/kubernetes2 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes3 node-role.kubernetes.io/worker=''
node/kubernetes3 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes4 node-role.kubernetes.io/worker=''
node/kubernetes4 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes5 node-role.kubernetes.io/worker=''
node/kubernetes5 labeled
[root@Kubernetes1 kubelet]# kubectl label node kubernetes6 node-role.kubernetes.io/worker=''
node/kubernetes6 labeled
[root@Kubernetes1 kubelet]# kubectl get nodes
NAME          STATUS   ROLES           AGE     VERSION
kubernetes1   Ready    master          3h44m   v1.26.3
kubernetes2   Ready    master,worker   3h44m   v1.26.3
kubernetes3   Ready    master,worker   3h44m   v1.26.3
kubernetes4   Ready    worker          3h44m   v1.26.3
kubernetes5   Ready    worker          3h44m   v1.26.3
kubernetes6   Ready    worker          3h44m   v1.26.3
# only kubernetes1 is tainted; kubernetes2 and kubernetes3 carry the worker label as well and keep scheduling ordinary workloads (the role label is informational, the taint is what keeps pods off the node)
[root@Kubernetes1 kubelet]# kubectl taint nodes kubernetes1 node-role.kubernetes.io/master=:NoSchedule
node/kubernetes1 tainted
[root@Kubernetes1 kubernetes]# kubectl describe node kubernetes1|grep "Taints"
Taints:             node-role.kubernetes.io/master:NoSchedule

9. metrics

Metrics monitoring component (metrics-server)

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.6.3/components.yaml
# if the image cannot be pulled, switch to the Aliyun mirror (a third-party copy of the upstream image)
registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server:v0.6.3
# the pod below is still 0/1 shortly after creation; if it never becomes Ready, check kubectl -n kube-system logs deploy/metrics-server. A common cause on a cluster built this way is that the kubelets serve self-signed certificates (kubelet-conf.yaml sets no tlsCertFile), which metrics-server refuses to trust. The clean fix is kubelet serving certificates signed by the cluster CA (serverTLSBootstrap: true in the kubelet config plus approving the resulting CSRs); --kubelet-insecure-tls on metrics-server disables that verification entirely.
[root@Kubernetes1 ~]# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-56ff66f86d-cswt8   1/1     Running   0          3h47m
kube-system   calico-node-68hck                          1/1     Running   0          3h47m
kube-system   calico-node-hcbsh                          1/1     Running   0          3h47m
kube-system   calico-node-nmvxr                          1/1     Running   0          3h47m
kube-system   calico-node-p5xj2                          1/1     Running   0          3h47m
kube-system   calico-node-t4mpr                          1/1     Running   0          3h47m
kube-system   calico-node-v76v7                          1/1     Running   0          3h47m
kube-system   coredns-85b5646f88-p6nwl                   1/1     Running   0          162m
kube-system   metrics-server-75c748dd7b-7b945            0/1     Running   0          45s

10. ingress

10.1. Label settings

The node-role=ingress label marks kubernetes2 and kubernetes3 as the ingress nodes (a custom label key, distinct from the node-role.kubernetes.io/* role labels set in section 8).

[root@Kubernetes1 ~]# kubectl label node kubernetes2 node-role=ingress
node/kubernetes2 labeled
[root@Kubernetes1 ~]# kubectl label node kubernetes3 node-role=ingress
node/kubernetes3 labeled

10.2. ingress.yaml

apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resourceNames:
      - ingress-controller-leader
    resources:
      - configmaps
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resourceNames:
      - ingress-controller-leader
    resources:
      - leases
    verbs:
      - get
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 80
      protocol: TCP
      targetPort: http
    - appProtocol: https
      name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
    - appProtocol: https
      name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
# kind: Deployment
kind: DaemonSet
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
        - args:
            - /nginx-ingress-controller
            - --election-id=ingress-controller-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          # image: registry.k8s.io/ingress-nginx/controller:v1.3.1@sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.3.1
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: controller
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 8443
              name: webhook
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              add:
                - NET_BIND_SERVICE
              drop:
                - ALL
            runAsUser: 101
          volumeMounts:
            - mountPath: /usr/local/certificates/
              name: webhook-cert
              readOnly: true
      # dnsPolicy: ClusterFirst
      dnsPolicy: ClusterFirstWithHostNet
      # With hostNetwork the listening ports are opened directly on the node
      hostNetwork: true
      nodeSelector:
        # Schedule only onto nodes labelled with the ingress role
        # kubernetes.io/os: linux
        node-role: ingress
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.1
      name: ingress-nginx-admission-create
    spec:
      containers:
        - args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.3.0
          imagePullPolicy: IfNotPresent
          name: create
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.3.1
      name: ingress-nginx-admission-patch
    spec:
      containers:
        - args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47
          imagePullPolicy: IfNotPresent
          name: patch
          securityContext:
            allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.3.1
  name: ingress-nginx-admission
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: ingress-nginx-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: validate.nginx.ingress.kubernetes.io
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    sideEffects: None

11. Dashboard

https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
[root@Kubernetes1 ~]# kubectl apply -f dashboard.yaml
# Newer versions require the login token to be generated manually
[root@Kubernetes1 ~]# kubectl -n kubernetes-dashboard create token admin-user

12. Storage system

A 20 GiB general-purpose SSD disk is attached to each of Kubernetes2 through Kubernetes6.

12.1. Install krew

(
  set -x; cd "$(mktemp -d)" &&
  OS="$(uname | tr '[:upper:]' '[:lower:]')" &&
  ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')" &&
  KREW="krew-${OS}_${ARCH}" &&
  curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/${KREW}.tar.gz" &&
  tar zxvf "${KREW}.tar.gz" &&
  ./"${KREW}" install krew
)
# If the download fails, fetch the archive manually and place it in the corresponding location
[root@Kubernetes1 ~]# wget https://github.com/kubernetes-sigs/krew/releases/download/v0.4.3/krew-linux_amd64.tar.gz
······
[root@Kubernetes1 ~]# tar zxvf krew-linux_amd64.tar.gz
./LICENSE
./krew-linux_amd64
# Install krew
[root@Kubernetes1 ~]# ./krew-linux_amd64 install krew
Updated the local copy of plugin index.
Installing plugin: krew
Installed plugin: krew
\
 | Use this plugin:
 | 	kubectl krew
 | Documentation:
 | 	https://krew.sigs.k8s.io/
 | Caveats:
 | \
 |  | krew is now installed! To start using kubectl plugins, you need to add
 |  | krew's installation directory to your PATH:
 |  | 
 |  |   * macOS/Linux:
 |  |     - Add the following to your ~/.bashrc or ~/.zshrc:
 |  |         export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"
 |  |     - Restart your shell.
 |  | 
 |  |   * Windows: Add %USERPROFILE%\.krew\bin to your PATH environment variable
 |  | 
 |  | To list krew commands and to get help, run:
 |  |   $ kubectl krew
 |  | For a full list of available plugins, run:
 |  |   $ kubectl krew search
 |  | 
 |  | You can find documentation at
 |  |   https://krew.sigs.k8s.io/docs/user-guide/quickstart/.
 | /
/
[root@Kubernetes1 ~]# kubectl krew list
PLUGIN  VERSION
krew    v0.4.3

12.2. directpv

1. Documentation

https://github.com/minio/directpv

2. Installation
# Install the DirectPV krew plugin
[root@Kubernetes1 ~]# kubectl krew install directpv
Updated the local copy of plugin index.
Installing plugin: directpv
Installed plugin: directpv
\
 | Use this plugin:
 | 	kubectl directpv
 | Documentation:
 | 	https://github.com/minio/directpv
/
WARNING: You installed plugin "directpv" from the krew-index plugin repository.
   These plugins are not audited for security by the Krew maintainers.
   Run them at your own risk.
# Install DirectPV into the Kubernetes cluster
[root@Kubernetes1 ~]# kubectl directpv install
Installing on unsupported Kubernetes v1.26

 ███████████████████████████████████████████████████████████████████████████ 100%

┌──────────────────────────────────────┬──────────────────────────┐
│ NAME                                 │ KIND                     │
├──────────────────────────────────────┼──────────────────────────┤
│ directpv                             │ Namespace                │
│ directpv-min-io                      │ ServiceAccount           │
│ directpv-min-io                      │ ClusterRole              │
│ directpv-min-io                      │ ClusterRoleBinding       │
│ directpv-min-io                      │ Role                     │
│ directpv-min-io                      │ RoleBinding              │
│ directpvdrives.directpv.min.io       │ CustomResourceDefinition │
│ directpvvolumes.directpv.min.io      │ CustomResourceDefinition │
│ directpvnodes.directpv.min.io        │ CustomResourceDefinition │
│ directpvinitrequests.directpv.min.io │ CustomResourceDefinition │
│ directpv-min-io                      │ CSIDriver                │
│ directpv-min-io                      │ StorageClass             │
│ node-server                          │ Daemonset                │
│ controller                           │ Deployment               │
└──────────────────────────────────────┴──────────────────────────┘

DirectPV installed successfully
# Show installation information
[root@Kubernetes1 ~]# kubectl directpv info
┌───────────────┬──────────┬───────────┬─────────┬────────┐
│ NODE          │ CAPACITY │ ALLOCATED │ VOLUMES │ DRIVES │
├───────────────┼──────────┼───────────┼─────────┼────────┤
│ • kubernetes2 │ -        │ -         │ -       │ -      │
│ • kubernetes3 │ -        │ -         │ -       │ -      │
│ • kubernetes4 │ -        │ -         │ -       │ -      │
│ • kubernetes5 │ -        │ -         │ -       │ -      │
│ • kubernetes6 │ -        │ -         │ -       │ -      │
└───────────────┴──────────┴───────────┴─────────┴────────┘
# Discover the drives to be added for volume scheduling
[root@Kubernetes1 ~]# kubectl directpv discover

 Discovered node 'kubernetes2' ✔
 Discovered node 'kubernetes3' ✔
 Discovered node 'kubernetes4' ✔
 Discovered node 'kubernetes5' ✔
 Discovered node 'kubernetes6' ✔

┌─────────────────────┬─────────────┬───────┬────────┬────────────┬──────┬───────────┬─────────────┐
│ ID                  │ NODE        │ DRIVE │ SIZE   │ FILESYSTEM │ MAKE │ AVAILABLE │ DESCRIPTION │
├─────────────────────┼─────────────┼───────┼────────┼────────────┼──────┼───────────┼─────────────┤
│ 253:16$d2uMWDyPb... │ kubernetes2 │ vdb   │ 20 GiB │ -          │ -    │ YES       │ -           │
│ 253:16$ovvgHRyMY... │ kubernetes3 │ vdb   │ 20 GiB │ -          │ -    │ YES       │ -           │
│ 253:16$xDrmDCNCN... │ kubernetes4 │ vdb   │ 20 GiB │ -          │ -    │ YES       │ -           │
│ 253:16$RGTqsADLo... │ kubernetes5 │ vdb   │ 20 GiB │ -          │ -    │ YES       │ -           │
│ 253:16$t1YI26qa6... │ kubernetes6 │ vdb   │ 20 GiB │ -          │ -    │ YES       │ -           │
└─────────────────────┴─────────────┴───────┴────────┴────────────┴──────┴───────────┴─────────────┘

Generated 'drives.yaml' successfully.
[root@Kubernetes1 ~]# kubectl directpv init drives.yaml --dangerous

 ███████████████████████████████████████████████████████████████████████████ 100%

 Processed initialization request '96b43a89-b667-4035-a7a3-0238e7a76920' for node 'kubernetes2' ✔
 Processed initialization request '084444ef-02a4-405f-afb7-587bc213e559' for node 'kubernetes3' ✔
 Processed initialization request 'e9b0afa7-e5fa-4b48-8a11-afd8780fcd56' for node 'kubernetes4' ✔
 Processed initialization request '5cfb8367-6bc1-48ae-b2b1-dde36fac919a' for node 'kubernetes5' ✔
 Processed initialization request 'e28ac09c-8dd5-46e6-bf7b-5f2b81ed237a' for node 'kubernetes6' ✔

┌──────────────────────────────────────┬─────────────┬───────┬─────────┐
│ REQUEST_ID                           │ NODE        │ DRIVE │ MESSAGE │
├──────────────────────────────────────┼─────────────┼───────┼─────────┤
│ 96b43a89-b667-4035-a7a3-0238e7a76920 │ kubernetes2 │ vdb   │ Success │
│ 084444ef-02a4-405f-afb7-587bc213e559 │ kubernetes3 │ vdb   │ Success │
│ e9b0afa7-e5fa-4b48-8a11-afd8780fcd56 │ kubernetes4 │ vdb   │ Success │
│ 5cfb8367-6bc1-48ae-b2b1-dde36fac919a │ kubernetes5 │ vdb   │ Success │
│ e28ac09c-8dd5-46e6-bf7b-5f2b81ed237a │ kubernetes6 │ vdb   │ Success │
└──────────────────────────────────────┴─────────────┴───────┴─────────┘
# List the drives that were added
[root@Kubernetes1 ~]# kubectl directpv list drives
┌─────────────┬──────┬──────┬────────┬────────┬─────────┬────────┐
│ NODE        │ NAME │ MAKE │ SIZE   │ FREE   │ VOLUMES │ STATUS │
├─────────────┼──────┼──────┼────────┼────────┼─────────┼────────┤
│ kubernetes2 │ vdb  │      │ 20 GiB │ 20 GiB │ -       │ Ready  │
│ kubernetes3 │ vdb  │      │ 20 GiB │ 20 GiB │ -       │ Ready  │
│ kubernetes4 │ vdb  │      │ 20 GiB │ 20 GiB │ -       │ Ready  │
│ kubernetes5 │ vdb  │      │ 20 GiB │ 20 GiB │ -       │ Ready  │
│ kubernetes6 │ vdb  │      │ 20 GiB │ 20 GiB │ -       │ Ready  │
└─────────────┴──────┴──────┴────────┴────────┴─────────┴────────┘
3. Test

Pay close attention here: the default reclaim policy of the StorageClass directpv-min-io is Delete, and changing it to Retain does not take effect; directpv.min.io does not seem to support this mode. The reclaim policy of the PV itself, however, can be changed by hand, and that change does take effect.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc1
spec:
  storageClassName: directpv-min-io # StorageClass used by DirectPV, created automatically when directpv is installed
  accessModes:
    - ReadWriteOnce # directpv does not support multi-node write modes
  resources:
    requests:
      storage: 1024Mi # requested PV size
[root@Kubernetes1 ~]# kubectl apply -f pv.yaml 
persistentvolumeclaim/pvc1 created
[root@Kubernetes1 ~]# kubectl get pvc
NAME   STATUS    VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS      AGE
pvc1   Pending                                      directpv-min-io   9s
apiVersion: v1
kind: Pod
metadata:
  name: pod-minio
spec:
  volumes:
  - name: minio-pvc
    persistentVolumeClaim:
      claimName: pvc1 # use the PVC just created: pvc1
  containers:
  - image: busybox:1.28
    name: box
    args: ["/bin/sh", "-c", "while true; do echo \"$(date)\" >> /tmp/1.log && sleep 1000; done"]
    resources:
      requests:
        cpu: 100m
    volumeMounts:
    - name: minio-pvc
      mountPath: /tmp # the PV is mounted at /tmp inside the container
[root@Kubernetes1 ~]# kubectl apply -f pod-pv.yaml 
pod/pod-minio created
[root@Kubernetes1 ~]# kubectl get pods,pvc,pv
NAME                                READY   STATUS    RESTARTS       AGE
pod/deploy-nginx-85f8fcc944-8mctq   1/1     Running   1 (29h ago)    29h
pod/deploy-nginx-85f8fcc944-kvh8q   1/1     Running   1 (29h ago)    29h
pod/deploy-nginx-85f8fcc944-r6s4l   1/1     Running   2 (152m ago)   29h
pod/pod-minio                       1/1     Running   0              13s

NAME                         STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS      AGE
persistentvolumeclaim/pvc1   Bound    pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa   1Gi        RWO            directpv-min-io   105s

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM          STORAGECLASS      REASON   AGE
persistentvolume/pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa   1Gi        RWO            Delete           Bound    default/pvc1   directpv-min-io            13s
# Manually change the PV reclaim policy to Retain
[root@Kubernetes1 ~]# kubectl edit persistentvolume/pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa 
persistentvolume/pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa edited
[root@Kubernetes1 ~]# kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM          STORAGECLASS      REASON   AGE
pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa   1Gi        RWO            Retain           Bound    default/pvc1   directpv-min-io            96s
# Test: after the PVC is deleted, the PV still exists
[root@Kubernetes1 ~]# kubectl get pv,pvc
NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS     CLAIM          STORAGECLASS      REASON   AGE
persistentvolume/pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa   1Gi        RWO            Retain           Released   default/pvc1   directpv-min-io            3m33s
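An audit for the situation above, added here as an example and not part of the original post: it parses the JSON that `kubectl get pv -o json` prints, lists directpv-min-io PVs still set to Delete, builds the `kubectl patch` command that sets Retain, and flags Released PVs whose stale claimRef blocks reuse. The first PV name is the one from the session above; the other two are constructed.

```python
"""Audit PersistentVolumes of the directpv-min-io StorageClass.

Added example, not the post's or DirectPV's own code. It works on the
output of `kubectl get pv -o json`, so it runs offline against the
constructed sample below.
"""
import json

STORAGE_CLASS = "directpv-min-io"

# Constructed sample of `kubectl get pv -o json`, trimmed to the fields used.
SAMPLE_PV_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # the PV created in the session above, still at the SC default
            "metadata": {"name": "pvc-b1bd3d3f-f617-4b72-a915-46ca8fb205fa"},
            "spec": {
                "storageClassName": "directpv-min-io",
                "persistentVolumeReclaimPolicy": "Delete",
                "claimRef": {"namespace": "default", "name": "pvc1"},
            },
            "status": {"phase": "Bound"},
        },
        {   # constructed: patched to Retain, PVC since deleted
            "metadata": {"name": "pvc-aaaaaaaa-0000-0000-0000-000000000001"},
            "spec": {
                "storageClassName": "directpv-min-io",
                "persistentVolumeReclaimPolicy": "Retain",
                "claimRef": {"namespace": "default", "name": "pvc-old"},
            },
            "status": {"phase": "Released"},
        },
        {   # constructed: another StorageClass, must be ignored
            "metadata": {"name": "pvc-bbbbbbbb-0000-0000-0000-000000000002"},
            "spec": {
                "storageClassName": "other-sc",
                "persistentVolumeReclaimPolicy": "Delete",
            },
            "status": {"phase": "Bound"},
        },
    ],
})


def _items(pv_list_json, storage_class):
    """Yield the PV objects that belong to the given StorageClass."""
    for pv in json.loads(pv_list_json)["items"]:
        if pv["spec"].get("storageClassName") == storage_class:
            yield pv


def pvs_needing_retain(pv_list_json, storage_class=STORAGE_CLASS):
    """Names of PVs whose reclaim policy is still Delete.

    A PV's reclaim policy is copied from the StorageClass when the volume is
    provisioned, so changing the class afterwards never touches existing PVs;
    each one has to be patched individually.
    """
    return [
        pv["metadata"]["name"]
        for pv in _items(pv_list_json, storage_class)
        if pv["spec"].get("persistentVolumeReclaimPolicy") == "Delete"
    ]


def released_pvs(pv_list_json, storage_class=STORAGE_CLASS):
    """Names of Retain PVs whose PVC was deleted (phase Released).

    Such a PV keeps spec.claimRef pointing at the old PVC and is not bound to
    a new claim until an administrator clears that claimRef.
    """
    return [
        pv["metadata"]["name"]
        for pv in _items(pv_list_json, storage_class)
        if pv.get("status", {}).get("phase") == "Released"
    ]


def retain_patch():
    """Merge-patch body that switches a PV to the Retain reclaim policy."""
    return json.dumps({"spec": {"persistentVolumeReclaimPolicy": "Retain"}})


def patch_commands(pv_list_json, storage_class=STORAGE_CLASS):
    """kubectl commands (as argv lists) that fix every Delete PV; not executed here."""
    return [
        ["kubectl", "patch", "pv", name, "-p", retain_patch()]
        for name in pvs_needing_retain(pv_list_json, storage_class)
    ]


if __name__ == "__main__":
    # On a live cluster, feed in subprocess.check_output(["kubectl", "get", "pv", "-o", "json"]).
    for cmd in patch_commands(SAMPLE_PV_LIST):
        print(" ".join(cmd))
    for name in released_pvs(SAMPLE_PV_LIST):
        print(f"{name} is Released: clear spec.claimRef before it can be bound again")
```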
