(三)k8s之 flannel網絡

#(1)在跳板機上生成flanneld證書

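# Work in the directory that step (7) later copies the certificate and key
# from. The relative paths used below (ca.pem, ca-key.pem, ca-config.json)
# are assumed to live here as well -- confirm before running.
cd /temp/ssl/

# Certificate signing request for the flanneld identity. "hosts" is empty;
# presumably this certificate is only presented as an etcd client credential
# and never served on an address -- TODO confirm.
# The delimiter is quoted so the JSON is written literally, with no shell
# expansion inside the here-document.
cat > flanneld-csr.json <<'EOF'
{
    "CN": "flanneld",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Hangzhou",
            "L": "Hangzhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

# Sign the CSR with the cluster CA using the "kubernetes" profile from
# ca-config.json. cfssljson -bare writes flanneld.pem, flanneld-key.pem and
# flanneld.csr into the current directory.
# flanneld-key.pem is a private key, and ca-key.pem can sign new identities
# for the whole cluster: keep both readable by the administrator only.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  flanneld-csr.json | cfssljson -bare flanneld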

#(2)選擇一臺etcd集羣節點機器, 向etcd註冊flannel相關信息並驗證

配置環境變量

# Values shared by the etcdctl commands that follow:
#   CLUSTER_CIDR        - written as "Network" in the flannel config
#   ETCD_ENDPOINTS      - comma-separated etcd client URLs for --endpoints
#   FLANNEL_ETCD_PREFIX - etcd key prefix under which the config is stored
CLUSTER_CIDR="172.30.0.0/16"
ETCD_ENDPOINTS="https://192.168.19.128:2379,https://192.168.19.129:2379,https://192.168.19.130:2379"
FLANNEL_ETCD_PREFIX="/kubernetes/network"
export CLUSTER_CIDR ETCD_ENDPOINTS FLANNEL_ETCD_PREFIX

向etcd註冊flannel相關信息

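# Store the flannel network definition under ${FLANNEL_ETCD_PREFIX}/config.
# The JSON is built with printf so CLUSTER_CIDR is inserted as one quoted
# value instead of being spliced between single-quoted fragments.
#
# NOTE(review): --ca-file/--cert-file/--key-file and `set` are etcdctl v2-API
# syntax; an etcdctl build that defaults to the v3 API may need ETCDCTL_API=2
# -- confirm against the installed version.
# NOTE(review): this write is authenticated with the flanneld client
# certificate, so anyone holding flanneld-key.pem can presumably change these
# keys unless etcd authorization restricts the identity -- confirm and protect
# the key accordingly.
flannel_config=$(printf '{"Network":"%s", "SubnetLen": 24, "Backend": {"Type": "vxlan"}}' "${CLUSTER_CIDR}")

etcdctl \
  --endpoints="${ETCD_ENDPOINTS}" \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/flanneld.pem \
  --key-file=/opt/kubernetes/ssl/flanneld-key.pem \
  set "${FLANNEL_ETCD_PREFIX}/config" "${flannel_config}"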

驗證

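# Read the config key back over the same TLS-authenticated connection to
# confirm the value written in the previous step. Expansions are quoted so an
# empty or unexpected variable cannot split into extra arguments.
etcdctl \
  --endpoints="${ETCD_ENDPOINTS}" \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/flanneld.pem \
  --key-file=/opt/kubernetes/ssl/flanneld-key.pem \
  get "${FLANNEL_ETCD_PREFIX}/config"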


#(3)在跳板機上下載flanneld

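# Download and unpack the flannel release into /tools. The steps are chained
# so a failed cd or download does not lead to unpacking a stale or partial
# archive in some other directory.
#
# The binaries from this archive are later installed on every node and run by
# systemd, so verify the tarball before unpacking it. <EXPECTED_SHA256> is a
# placeholder: take the real digest from a source you trust.
#   echo "<EXPECTED_SHA256>  flannel-v0.10.0-linux-amd64.tar.gz" | sha256sum -c -
cd /tools &&
  wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz &&
  tar xf flannel-v0.10.0-linux-amd64.tar.gz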

#(4)在跳板機上準備flanneld配置文件

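# Write the flanneld environment file that step (7) copies to
# /opt/kubernetes/cfg/flanneld. The here-document opener must be a real
# command: with it commented out, the assignment only sets a variable in the
# current shell and the closing EOF is run as a command.
# The delimiter is quoted so the line is written exactly as shown.
cat > /temp/ssl/flanneld <<'EOF'
FLANNEL_OPTIONS="-etcd-cafile=/opt/kubernetes/ssl/ca.pem   -etcd-certfile=/opt/kubernetes/ssl/flanneld.pem   -etcd-keyfile=/opt/kubernetes/ssl/flanneld-key.pem   -etcd-endpoints=https://192.168.19.128:2379,https://192.168.19.129:2379,https://192.168.19.130:2379   -etcd-prefix=/kubernetes/network"
EOF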

#(5)在跳板機上準備flanneld啓動腳本

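# Write the systemd unit for flanneld. The delimiter is quoted, so
# $FLANNEL_OPTIONS reaches the unit file literally and is resolved by systemd
# from EnvironmentFile, not by this shell.
# The closing EOF is required: without it the shell keeps reading the
# following lines of this page into flanneld.service.
cat > /temp/ssl/flanneld.service <<'EOF'
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF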

#(6)在跳板機上準備docker啓動腳本文件

# Write the docker unit that takes its network options from the file produced
# by flanneld's ExecStartPost step. EnvironmentFile has no "-" prefix, so
# docker will not start until /run/flannel/subnet.env exists.
# A quoted delimiter keeps $DOCKER_NETWORK_OPTIONS and $MAINPID literal for
# systemd; the file written is identical to the escaped form.
cat >/temp/ssl/docker.service <<'EOF'

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd  $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF

#(7)在跳板機上把flanneld證書和私鑰文件, flanneld配置文件, flanneld啓動腳本文件, docker的啓動配置文件發送給master和node節點

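# Distribute the flanneld credentials, config, unit files and binaries to
# every host in the "k8s" inventory group.
#
# Module arguments are space-separated key=value pairs; a comma between src
# and dest makes the whole string the src value and leaves dest unset.
#
# The copy module does not carry over the source file's mode unless told to,
# so modes are set explicitly where they matter:
#   - the private key is restricted to its owner (0600);
#   - the binaries run by systemd must be executable (0755).
ansible k8s -m copy -a 'src=/temp/ssl/flanneld-key.pem dest=/opt/kubernetes/ssl/flanneld-key.pem mode=0600'
ansible k8s -m copy -a 'src=/temp/ssl/flanneld.pem dest=/opt/kubernetes/ssl/flanneld.pem mode=0644'
ansible k8s -m copy -a 'src=/temp/ssl/flanneld dest=/opt/kubernetes/cfg/flanneld'
ansible k8s -m copy -a 'src=/temp/ssl/flanneld.service dest=/usr/lib/systemd/system/flanneld.service'
ansible k8s -m copy -a 'src=/temp/ssl/docker.service dest=/usr/lib/systemd/system/docker.service'
ansible k8s -m copy -a 'src=/tools/flanneld dest=/opt/kubernetes/bin/flanneld mode=0755'
ansible k8s -m copy -a 'src=/tools/mk-docker-opts.sh dest=/opt/kubernetes/bin/mk-docker-opts.sh mode=0755'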

#(8)在master和node節點重啓flanneld和docker服務

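# Reload unit definitions, then start flanneld before docker: docker.service
# reads /run/flannel/subnet.env, which flanneld's ExecStartPost step writes.
# The commands are chained so docker is not restarted when flanneld failed to
# come up and that file may be missing or stale.
systemctl daemon-reload &&
  systemctl enable flanneld &&
  systemctl restart flanneld &&
  systemctl restart docker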

#(9)驗證

獲取flannel在每個節點的網段信息

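# Same settings as in step (2), repeated so this check can be run from a
# fresh shell.
export CLUSTER_CIDR="172.30.0.0/16"
export ETCD_ENDPOINTS="https://192.168.19.128:2379,https://192.168.19.129:2379,https://192.168.19.130:2379"
export FLANNEL_ETCD_PREFIX="/kubernetes/network"

# List the keys under ${FLANNEL_ETCD_PREFIX}/subnets. Expansions are quoted so
# an empty or unexpected variable cannot split into extra arguments.
# NOTE(review): `ls` and the --*-file flags are etcdctl v2-API syntax; an
# etcdctl build that defaults to the v3 API may need ETCDCTL_API=2 -- confirm.
etcdctl \
  --endpoints="${ETCD_ENDPOINTS}" \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/flanneld.pem \
  --key-file=/opt/kubernetes/ssl/flanneld-key.pem \
  ls "${FLANNEL_ETCD_PREFIX}/subnets"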

在master和node節點上查看路由表: 在每個節點上都能看到其他節點的路由


master節點和node節點, docker0的ip地址使用的是flannel網段地址範圍, 也是pod容器的網關

master節點和node節點之間的flannel網段之間都能ping通, 說明flannel網絡部署完成
