二进制包部署单节点K8S

二进制包部署单节点K8S

单节点可用于测试环境、学习源码等

一、版本说明

  • VMware : VMware Workstation 16 Player
  • Linux:CentOs 8 : 4.18.0-80.el8.x86_64
  • Container runtimes : docker-20.10.9
  • ETCD : v3.5.1
  • Kubernetes : v1.23.1
  • 签名工具:
    • cfssl
    • cfssljson
    • cfssl-certinfo

可以先下载好相关软件,或者后面使用命令下载


说明:本文中命令前的 $ 符号只是做命令标记,在复制命令时请忽略


二、系统初始化准备

安装好虚拟机后需要对系统进行一些参数处理:

#1.关闭防火墙
$systemctl stop firewalld  && systemctl disable firewalld

#2.关闭selinux
$setenforce 0 && sed -i 's/enforcing/disabled/' /etc/selinux/config

# 3.关闭swap分区
$swapoff -a && sed -ri 's/.*swap.*/#&/' /etc/fstab

# 4.设置主机名
$hostnamectl set-hostname 

#5、配置映射主机ip以及主机名
$cat >> /etc/hosts << EOF
192.168.91.132 alone
EOF

#6、将桥接的IPv4 流量传递到iptables 的链:
$cat <| sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

$cat <| sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

$sudo sysctl --system

#7. 时间同步  (可忽略)
$yum install ntpdate -y
$ntpdate time.windows.com

#重启
$reboot
#或
$shutdown -r now

三、部署二进制包

3.1、部署docker

3.1.1、卸载旧版本docker

#卸载旧版本
$yum remove -y docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine \
docker-ce*

$rm -rf /var/lib/docker

3.1.2、下载二进制包

#创建一个目录放置所有包文件
$mkdir /usr/local/k8s -p

$cd /usr/local/k8s
#下载docker  如果在本地已全部下载好相关软件包,可直接用ftp工具上传到该目录,然后跳过此下载过程
$wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz
#解压包
$tar zxvf docker-20.10.9.tgz
#复制docker二进制包到运行目录
$cp docker/* /usr/bin

3.1.3、systemd管理docker

$cat > /usr/lib/systemd/system/docker.service<< EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF

3.1.4、创建docker配置文件,配置阿里云镜像仓库;配置容器的 cgroup

#创建docker默认配置文件目录
$mkdir /etc/docker
#创建docker配置,可配置其他可用的镜像仓库地址,docker默认的cgroupdriver是cgroups, 将cgroupdriver设置为systemd可以减少很多不必要的麻烦
$cat > /etc/docker/daemon.json<< EOF
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
EOF

3.1.5、启动docker,并设置开机启动

$systemctl daemon-reload && systemctl start docker && systemctl enable docker

3.2、部署Etcd

3.2.1、生成证书

证书工具有很多种,这里使用cfssl,使用json文件生成证书,相比openssl更方便使用,在任一节点操作生成即可。

3.2.1.1、下载cfssl
$cd /usr/local/k8s

$wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

#赋予可执行权限
$chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

$cp cfssl_linux-amd64 /usr/local/bin/cfssl
$cp cfssljson_linux-amd64 /usr/local/bin/cfssljson
$cp cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
3.2.1.2、生成etcd证书
3.2.1.2.1、创建自签证书颁发机构(CA)的配置文件
#创建证书生成的工作目录(后面相关证书的生成都在此目录下操作)
$mkdir -p ~/TLS/{etcd,k8s}

$cd ~/TLS/etcd
#CA配置文件
$cat > ca-config.json<{
	"signing":{ 
		"default":{
			"expiry":"87600h"
		},
		"profiles":{
			"www":{
				"expiry":"87600h",
				"usages":[
					"signing",
					"key encipherment",
					"server auth",
					"client auth"
				]
			}
		}
	}
}
EOF

$cat > ca-csr.json<< EOF
{
	"CN":"etcd CA",
	"key":{
		"algo": "rsa",
		"size": 2048
	},
	"names":[
		{
			"C":"CN",
			"L":"BeiJing",
			"ST":"BeiJing"
		}
	]
}
EOF
3.2.1.2.2、生成证书
$cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

[root@alone etcd]#  cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2022/01/03 16:51:30 [INFO] generating a new CA key and certificate from CSR
2022/01/03 16:51:30 [INFO] generate received request
2022/01/03 16:51:30 [INFO] received CSR
2022/01/03 16:51:30 [INFO] generating key: rsa-2048
2022/01/03 16:51:31 [INFO] encoded CSR
2022/01/03 16:51:31 [INFO] signed certificate with serial number 107961181349217207358501084957161849161003339379
[root@alone etcd]# 

#查看证书
[root@alone etcd]# ls *pem
ca-key.pem  ca.pem
[root@alone etcd]# 
3.2.1.2.3、使用自签CA进行签发etcd HTTPS证书

创建证书申请文件:

$cat > server-csr.json<< EOF
{
	"CN": "etcd",
	"hosts": [
		"192.168.91.132"
	],
	"key": {
		"algo": "rsa",
		"size": 2048
	},
	"names": [
		{
			"C": "CN",
			"L": "BeiJing",
			"ST": "BeiJing"
		}
	]
}
EOF

生成HTTPS证书:

$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

[root@alone etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2022/01/03 17:07:05 [INFO] generate received request
2022/01/03 17:07:05 [INFO] received CSR
2022/01/03 17:07:05 [INFO] generating key: rsa-2048
2022/01/03 17:07:05 [INFO] encoded CSR
2022/01/03 17:07:05 [INFO] signed certificate with serial number 28596260620932286485100787888546272944026219205
2022/01/03 17:07:05 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@alone etcd]# 

#查看http证书
[root@alone etcd]# ls server*pem
server-key.pem  server.pem
[root@alone etcd]#
3.2.1.3、部署ETCD
3.2.1.3.1、下载etcd二进制包文件
$cd /usr/local/k8s

$wget https://github.com/etcd-io/etcd/releases/download/v3.5.1/etcd-v3.5.1-linux-amd64.tar.gz

#创建etcd的工作目录
$mkdir /opt/etcd/{bin,cfg,ssl} -p
#解压
$tar zxvf etcd-v3.5.1-linux-amd64.tar.gz
#将二进制文件复制到工作目录
$cp etcd-v3.5.1-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
3.2.1.3.2、创建etcd 配置文件
$cat > /opt/etcd/cfg/etcd.conf<< EOF
#[Member]
ETCD_NAME="etcd"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.91.132:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.91.132:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.91.132:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.91.132:2379"
ETCD_INITIAL_CLUSTER="etcd=https://192.168.91.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ENABLE_V2="true"  
EOF

ETCD_NAME:节点名称,集群中唯一
ETCD_DATA_DIR:数据目录
ETCD_LISTEN_PEER_URLS:集群通信监听地址
ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
ETCD_INITIAL_CLUSTER:集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN:集群Token
ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new 是新集群,existing 表示加入已有集群
ETCD_ENABLE_V2=“true” 支持api v2 ,否则与flannel不兼容(如果不计划使用flannel作为网络插件的话请忽略)

3.2.1.3.3、systemd 管理etcd
#将之前生成的证书复制到etcd的工作目录
$cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl

$cat > /usr/lib/systemd/system/etcd.service<< EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
3.2.1.3.4、启动ETCD并设置开机启动
$systemctl daemon-reload && systemctl start etcd && systemctl enable etcd
3.2.1.3.5、检查etcd的状态
$ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.91.132:2379" endpoint health

在这里插入图片描述
如果节点失败可以查看日志

/var/log/message 或 journalctl -u etcd

3.3、部署Master Node

单机部署就是master节点和worker节点都在同一台机器,这里只是为了区分各个组件的部署流程

3.3.1、部署kube-apiserver

3.3.1.1、生成kube-apiserver证书

1、创建自签证书颁发机构(CA)配置

$cd /root/TLS/k8s
$cat > ca-config.json<< EOF
{
    "signing":{
        "default":{
            "expiry":"87600h"
        },
        "profiles":{
            "kubernetes":{
                "expiry":"87600h",
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF


$cat > ca-csr.json<< EOF
{
    "CN":"kubernetes",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"Beijing",
            "ST":"Beijing",
            "O":"system:masters",
            "OU":"System"
        }
    ]
}
EOF

2、生成证书

$cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

$ls *pem

[root@alone k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2022/01/03 19:11:54 [INFO] generating a new CA key and certificate from CSR
2022/01/03 19:11:54 [INFO] generate received request
2022/01/03 19:11:54 [INFO] received CSR
2022/01/03 19:11:54 [INFO] generating key: rsa-2048
2022/01/03 19:11:55 [INFO] encoded CSR
2022/01/03 19:11:55 [INFO] signed certificate with serial number 15425745809170517626505445891964674368336024021
[root@bin-master k8s]# ls *pem
ca-key.pem  ca.pem
[root@alone k8s]# 

3、使用自签证书签发kube-apiserver HTTPS证书

创建证书申请文件;配置相关节点ip

$cd /root/TLS/k8s
$cat > server-csr.json<< EOF
{
    "CN":"kubernetes",
    "hosts":[
        "10.0.0.1",
        "127.0.0.1",
        "192.168.91.132",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing",
            "O":"system:masters",
            "OU":"System"
        }
    ]
}
EOF

生成HTTPS证书

$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

$ls server*pem

[root@alone k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2022/01/03 19:17:46 [INFO] generate received request
2022/01/03 19:17:46 [INFO] received CSR
2022/01/03 19:17:46 [INFO] generating key: rsa-2048
2022/01/03 19:17:46 [INFO] encoded CSR
2022/01/03 19:17:46 [INFO] signed certificate with serial number 259446606240024715961485465717458568968042823581
2022/01/03 19:17:46 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@alone k8s]# ls server*pem
server-key.pem  server.pem
[root@alone k8s]# 
 
3.3.1.2、下载二进制文件

master节点所需包:kube-apiserver,kube-controller-manager,kube-scheduler,docker,etcd,kubectl

node节点所需包:kubelet,kube-proxy,docker,etcd

server 包 包含了Master 和Worker Node 二进制文件。

$cd /usr/local/k8s

$wget https://dl.k8s.io/v1.23.1/kubernetes-server-linux-amd64.tar.gz
#解压二进制文件
$tar zxvf kubernetes-server-linux-amd64.tar.gz
#创建k8s工作目录
$mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}

$cd /usr/local/k8s/kubernetes/server/bin
$cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
$cp kubectl /usr/bin/
3.3.1.3、生成token文件
echo $(head -c 16 /dev/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,"system:kubelet-bootstrap" > /opt/kubernetes/cfg/token.csv
3.3.1.4、配置kube-apiserver

1、创建配置文件

$cat > /opt/kubernetes/cfg/kube-apiserver.conf<< EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://192.168.91.132:2379 \\
--bind-address=192.168.91.132 \\
--secure-port=6443 \\
--advertise-address=192.168.91.132 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-issuer=https://kubernetes.default.svc.cluster.local \\
--service-account-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF

–logtostderr:启用日志
—v:日志等级
–log-dir:日志目录
–etcd-servers:etcd 集群地址
–bind-address:监听地址
–secure-port:https 安全端口
–advertise-address:集群通告地址
–allow-privileged:启用授权
–service-cluster-ip-range:Service 虚拟IP 地址段
–enable-admission-plugins:准入控制模块
–authorization-mode:认证授权,启用RBAC 授权和节点自管理
–enable-bootstrap-token-auth:启用TLS bootstrap 机制
–token-auth-file:bootstrap token 文件
–service-node-port-range:Service nodeport 类型默认分配端口范围
–kubelet-client-xxx:apiserver 访问kubelet 客户端证书
–tls-xxx-file:apiserver https 证书
–etcd-xxxfile:连接Etcd 集群证书
–audit-log-xxx:审计日志
–service-account-issuer=string 指定service account token issuer的标识符 ;该issuer将在iss声明中分发Token以使标识符生效;该参数的值为字符串或URL
–service-account-signing-key-file=string 含有当前service account token issuer私钥的文件路径 ;该issuer将以此私钥签名发布的ID token(需开启TokenRequest特性

2、拷贝之前生成的k8s证书

$cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/

3、systemd管理

$cat > /usr/lib/systemd/system/kube-apiserver.service<< EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

4、启动kube-apiserver并设置开机启动

$systemctl daemon-reload && systemctl start kube-apiserver && systemctl enable kube-apiserver
3.3.2、配置kubectl

为kubectl创建认证文件,方便后面命令操作

3.3.2.1、生成kubectl证书
$cd /root/TLS/k8s

$cat > kubectl-csr.json<{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -config=ca-config.json -profile=kubernetes kubectl-csr.json | cfssljson -bare kubectl

$cp ~/TLS/k8s/kubectl*.pem /opt/kubernetes/ssl
3.3.2.2、生成kubectl.kubeconfig配置文件
$cd /opt/kubernetes/ssl

# 生成kubelet.kubeconfig 配置文件
$kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.91.132:6443 \
--kubeconfig=kubectl.kubeconfig

$kubectl config set-credentials admin \
--client-certificate=/opt/kubernetes/ssl/kubectl.pem \
--embed-certs=true \
--client-key=/opt/kubernetes/ssl/kubectl-key.pem  \
--kubeconfig=kubectl.kubeconfig

$kubectl config set-context default \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig

$kubectl config use-context default --kubeconfig=kubectl.kubeconfig

$mkdir ~/.kube -p

$cp kubectl.kubeconfig ~/.kube/config

#查看kubernetes状态
$kubectl cluster-info

二进制包部署单节点K8S_第1张图片

3.3.3、部署kube-controller-manager

3.3.3.1、生成证书
$cd /root/TLS/k8s
$cat > kube-controller-csr.json<{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "KUBERNETES",
      "OU": "System"
    }
  ]
}
EOF
#生成证书
$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -config=ca-config.json -profile=kubernetes kube-controller-csr.json | cfssljson -bare kube-controller-manager

$cp ~/TLS/k8s/kube-controller-manager*.pem /opt/kubernetes/ssl
3.3.3.2、生成kube-controller-manager.kubeconfig配置文件
$cd /opt/kubernetes/ssl

# 生成kube-controller-manager.kubeconfig配置文件
$kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.91.132:6443 \
--kubeconfig=kube-controller-manager.kubeconfig

$kubectl config set-credentials kube-controller-manager \
--client-certificate=/opt/kubernetes/ssl/kube-controller-manager.pem \
--embed-certs=true \
--client-key=/opt/kubernetes/ssl/kube-controller-manager-key.pem  \
--kubeconfig=kube-controller-manager.kubeconfig

$kubectl config set-context default \
--cluster=kubernetes \
--user=kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig

$kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig

3.3.3.3、systemd管理kube-controller-manager

1、配置文件

$cat > /opt/kubernetes/cfg/kube-controller-manager.conf<< EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--cluster-name=kubernetes \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--leader-elect=true \\
--controllers=*,bootstrapsigner,tokencleaner \\
--kubeconfig=/opt/kubernetes/ssl/kube-controller-manager.kubeconfig \\
--tls-cert-file=/opt/kubernetes/ssl/kube-controller-manager.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/kube-controller-manager-key.pem \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--use-service-account-credentials=true \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF

2、启动文件

$cat > /usr/lib/systemd/system/kube-controller-manager.service<< EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

3、启动kube-controller-manager并设置开机启动

$systemctl daemon-reload && systemctl start kube-controller-manager && systemctl enable kube-controller-manager

#查看状态controller-manager已经OK
$kubectl get componentstatuses

在这里插入图片描述

3.3.4、部署kube-scheduler

3.3.4.1、生成kube-scheduler证书
$cd /root/TLS/k8s

$cat > kube-scheduler-csr.json<{
  "CN": "system:kube-scheduler",
  "hosts": [
  	"127.0.0.1",
  	"192.168.91.132"
  	],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "KUBERNETES",
      "OU": "System"
    }
  ]
}
EOF

#生成证书
$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

$cp ~/TLS/k8s/kube-scheduler*.pem /opt/kubernetes/ssl
3.3.4.2、生成kube-scheduler.kubeconfig配置文件
$cd /opt/kubernetes/ssl

# 生成kube-scheduler.kubeconfig配置文件
$kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.91.132:6443 \
--kubeconfig=kube-scheduler.kubeconfig

$kubectl config set-credentials kube-scheduler \
--client-certificate=/opt/kubernetes/ssl/kube-scheduler.pem \
--embed-certs=true \
--client-key=/opt/kubernetes/ssl/kube-scheduler-key.pem  \
--kubeconfig=kube-scheduler.kubeconfig

$kubectl config set-context default \
--cluster=kubernetes \
--user=kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig

$kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
3.3.4.3、systemd管理kube-scheduler

、配置文件

$cat > /opt/kubernetes/cfg/kube-scheduler.conf<< EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--kubeconfig=/opt/kubernetes/ssl/kube-scheduler.kubeconfig \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--tls-cert-file=/opt/kubernetes/ssl/kube-scheduler.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/kube-scheduler-key.pem \\
--bind-address=127.0.0.1"
EOF

2、启动文件

$cat > /usr/lib/systemd/system/kube-scheduler.service<< EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

3、启动

$systemctl daemon-reload && systemctl start kube-scheduler && systemctl enable kube-scheduler

#验证kube-scheduler状态
$kubectl get cs

二进制包部署单节点K8S_第2张图片

3.4、 部署Worker Node

3.4.1、部署Kubelet

3.4.1.1、复制二进制文件
#复制文件
$ cp /usr/local/k8s/kubernetes/server/bin/kubelet /opt/kubernetes/bin
3.4.1.2、生成kubelet.kubeconfig配置文件
$cd /opt/kubernetes/ssl

#允许用户请求证书
$kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

# 生成kubelet.kubeconfig配置文件
$export KUBE_APISERVER="https://192.168.91.132:6443" # apiserver IP:PORT
$export TOKEN="fa752d92837853b0dd11889d7eafbf9f" # 与token.csv 里保持一致

$kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kubelet-bootstrap.kubeconfig


$kubectl config set-credentials kubelet-bootstrap \
--token=${TOKEN} \
--kubeconfig=kubelet-bootstrap.kubeconfig

$kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=kubelet-bootstrap.kubeconfig

$kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig
3.4.1.3、创建kubelet.conf配置文件
$cat > /opt/kubernetes/cfg/kubelet.conf<< EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=alone \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/ssl/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/ssl/kubelet-bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2"
EOF

$cat > /opt/kubernetes/cfg/kubelet-config.yml<< EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS: ["10.0.0.2"]
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
   enabled: false
  webhook:
   cacheTTL: 2m0s
   enabled: true
  x509:
   clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
   cacheAuthorizedTTL: 5m0s
   cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
3.4.1.4、systemd管理kubelet
$cat > /usr/lib/systemd/system/kubelet.service<< EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

$systemctl daemon-reload && systemctl start kubelet && systemctl enable kubelet
3.4.1.5、批准授权申请

worker node向master node申请授权

$kubectl get csr

$kubectl certificate approve  

此时的节点状态仍是NotReady,因为还没连通内部网络

3.4.2、部署kube-proxy

3.4.2.1、生成kube-proxy证书
#复制文件
$ cp /usr/local/k8s/kubernetes/server/bin/kube-proxy /opt/kubernetes/bin


$cd /root/TLS/k8s
$cat > kube-proxy-csr.json<{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "KUBERNETES",
      "OU": "System"
    }
  ]
}
EOF

#生成证书
$cfssl gencert -ca=ca.pem -ca-key=ca-key.pem  -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

$cp ~/TLS/k8s/kube-proxy*.pem /opt/kubernetes/ssl
3.4.2.2、生成kube-proxy.kubeconfig配置文件
$cd /opt/kubernetes/ssl

# 生成kube-scheduler.kubeconfig配置文件
$kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.91.132:6443 \
--kubeconfig=kube-proxy.kubeconfig

$kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
--embed-certs=true \
--client-key=/opt/kubernetes/ssl/kube-proxy-key.pem  \
--kubeconfig=kube-proxy.kubeconfig

$kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig

$kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
3.4.2.3、systemd管理kube-proxy

1、创建配置文件

$cat > /opt/kubernetes/cfg/kube-proxy.conf<< EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml \\
--hostname-override=alone"
EOF

$cat > /opt/kubernetes/cfg/kube-proxy-config.yml<< EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
healthzBindAddress: 0.0.0.0:10256
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/ssl/kube-proxy.kubeconfig
clusterCIDR: 10.244.0.0/16
EOF

2、创建启动文件

$cat > /usr/lib/systemd/system/kube-proxy.service<< EOF
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

3、启动kube-proxy 并设置开机启动

$systemctl daemon-reload && systemctl start kube-proxy && systemctl enable kube-proxy

3.4.3、部署Calico

#创建组件目录
$mkdir /opt/plugins/calico -p
$cd /opt/plugins/calico
#下载yaml文件
$wget https://docs.projectcalico.org/v3.20/manifests/calico.yaml

#修改calico.yaml 属性 CALICO_IPV4POOL_CIDR
- name: CALICO_IPV4POOL_CIDR
  value: "10.244.0.0/16"
#与kube-controller-manager.config中的--cluster-cidr=10.244.0.0/16
#与kube-proxy-config.yml中clusterCIDR: 10.244.0.0/16一致


#应用yaml文件
$kubectl apply -f calico.yaml


#使用命令查看 yaml中包含的镜像
$ cat calico.yaml |grep image
#在apply或create命令无法下载镜像时通过docker pull 来拉取镜像
#验证
$kubectl get pods -n kube-system

#-w可以实时查看
$kubectl get pods -n kube-system -w

$kubectl get node


#清理网络环境
$kubectl delete -f calico.yaml
$rm -rf /run/calico \
/sys/fs/bpf/calico \
/var/lib/calico \
/var/log/calico \
/opt/cluster/plugins/calico \
/opt/cni/bin/calico

#查看是否还有残留的calico的pod
$kubectl get pods -n kube-system

#强制删除Pod
$kubectl delete pod   -n kube-system --force --grace-period=0

此时节点状态已经是Ready

你可能感兴趣的:(后端,容器,docker,linux,kubernetes)