二進制安裝K8S - NODE 節點的安裝

二進制安裝K8S - NODE 節點的安裝

安裝系統

Linux node02 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

配置系統

關閉 防火牆
# Keep firewalld from starting at boot, then stop the running instance.
# NOTE(review): with the host firewall off, every listener on this node is
# reachable from any network that can route to it. This page later binds the
# kubelet on 10250 and kube-proxy on 10249/10256; confirm that an upstream
# firewall or security group limits those ports to cluster peers.
systemctl disable firewalld
systemctl stop firewalld
關閉 SeLinux
# Persist the change: rewrite the boot-time mode from enforcing to disabled.
# NOTE(review): this removes SELinux confinement for everything on the host,
# container processes included. Confirm the cluster really needs "disabled".
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Apply to the running system without a reboot (0 = permissive).
setenforce 0
關閉 swap
# Turn off all active swap now.
swapoff -a
# Back up fstab; `command` bypasses a possible interactive `cp -i` alias,
# which is what piping `yes` into cp was answering.
command cp /etc/fstab /etc/fstab_bak
# Rewrite fstab without any line that mentions "swap" so it stays off after
# a reboot. Every line containing the word is dropped, comments included.
grep -v swap /etc/fstab_bak > /etc/fstab
yum epel源
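# Install the tools used below, then swap the stock CentOS repo definition
# for the Aliyun mirror's and add EPEL.
yum install wget telnet -y
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# Fetch the repo definitions over HTTPS rather than plain HTTP. These files
# decide which servers and signature settings yum trusts, so a copy altered
# in transit would control every later package install on the node.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo https://mirrors.aliyun.com/repo/epel-7.repo
# NOTE(review): open both downloaded files and confirm gpgcheck is enabled
# and which scheme their baseurl entries use; not verifiable from this page.
yum clean all
yum makecache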
修改 /etc/sysctl.conf
# Load the bridge netfilter module so the net.bridge.* keys below exist.
# NOTE(review): modprobe alone does not persist across reboots; confirm the
# module is loaded at boot some other way.
modprobe br_netfilter
# Kernel settings written to a dedicated drop-in file: pass bridged traffic
# through iptables/ip6tables, enable IPv4 forwarding, and set swappiness to 0.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
# Apply the file immediately.
sysctl -p /etc/sysctl.d/k8s.conf
開啓 ipvs
# Write a module-loading script for IPVS and connection tracking.
# The heredoc delimiter is quoted; the body has nothing to expand, so the
# file content is unchanged.
cat <<'EOF' > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
# Make it executable, run it once now, then list the loaded modules to
# confirm. Each step runs only if the previous one succeeded.
chmod 755 /etc/sysconfig/modules/ipvs.modules \
  && bash /etc/sysconfig/modules/ipvs.modules \
  && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

安裝 docker

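# Set up the yum repository for docker-ce.
yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
# Add the repo definition over HTTPS rather than plain HTTP: the file names
# the servers and signing key that yum will trust for the container runtime.
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# Install Docker, pinned to 18.09.7.
# NOTE(review): containerd.io is not pinned, so its version floats with the
# repo. Nothing in this step starts or enables docker, although the original
# heading said "install and start"; kubelet.service later on this page
# declares Requires=docker.service.
yum install -y docker-ce-18.09.7 docker-ce-cli-18.09.7 containerd.io

# Userspace tools for IPVS (ipset, ipvsadm); nfs-utils is installed alongside.
yum install -y nfs-utils ipset ipvsadm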

安裝 flannel(可選,flannel 可以用容器方式部署)

flannel 主節點安裝查看 二進制安裝k8s - MASTER 節點的安裝
這裏直接 複製已經生成的證書和啓動文件

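# Copy the cluster CA certificate to the node.
# Only the public certificate is sent. The original glob `ca*` would also
# match ca-key.pem and ca-config.json if run in the master's cert directory
# (both appear under /data/k8s/cert later on this page). The CA private key
# can sign any identity in the cluster and should stay on the master.
scp ca.pem 192.168.100.57:/data/k8s/cert/
# Copy the flannel directory prepared on the master.
# NOTE(review): presumably this holds flannel's own client key; confirm the
# target directory is readable by root only.
scp -r flannel/ 192.168.100.57:/data/k8s/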


運行flannel
# Install the flanneld unit copied from the master, make systemd re-read its
# unit files, then start the service and show its state.
cp flanneld.service /etc/systemd/system/flanneld.service
systemctl daemon-reload
systemctl start flanneld.service
systemctl status flanneld.service

安裝 kubelet

:::master節點操作:::

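# Create a bootstrap token for the kubelet and capture it in a variable
# instead of pasting it by hand. kubeadm prints only the token on stdout.
# The token is a bearer credential for joining the cluster; kubeadm tokens
# expire after 24h by default unless --ttl says otherwise.
BOOTSTRAP_TOKEN=$(kubeadm token create \
  --description kubelet-bootstrap-token \
  --groups system:bootstrappers:node01 \
  --kubeconfig ~/.kube/config)
# Stop here if no token came back, so an empty credential is never written.
: "${BOOTSTRAP_TOKEN:?kubeadm token create returned no token}"

# Cluster entry: API server address plus the CA certificate, embedded so the
# kubeconfig is self-contained.
kubectl config set-cluster kubernetes \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true \
  --server=https://192.168.100.58:6443 \
  --kubeconfig=bootstrap.kubeconfig

# Client credentials: the bootstrap token created above.
kubectl config set-credentials kubelet-bootstrap \
  --token="${BOOTSTRAP_TOKEN}" \
  --kubeconfig=bootstrap.kubeconfig

# Context tying the cluster entry to the bootstrap user.
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Make that context the default one in bootstrap.kubeconfig.
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig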

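# Authorize kubelets: bind the system:bootstrappers group to the
# system:node-bootstrapper cluster role.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers

# Copy the generated kubeconfig to the node. The original command copied a
# file named "bootstrappers", which no step on this page creates. The file
# built by the kubectl config commands is bootstrap.kubeconfig, and
# kubelet.service reads /data/k8s/kubelet/bootstrap.kubeconfig.
# It contains the bootstrap token, so treat it as a secret on both hosts.
scp bootstrap.kubeconfig 192.168.100.59:/data/k8s/kubelet/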

:::node 節點操作:::

配置文件

kubelet.config.json

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/data/k8s/cert/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "這裏爲node節點IP",
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "clusterDomain": "cluster.local",
  "clusterDNS": ["10.96.0.2"]
}

kubelet.service

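# systemd unit for the kubelet on a worker node.
# Set --hostname-override to the name this node should show under (node01 in
# this example). The original page wrote that hint inside the ExecStart
# value itself, where it would reach the kubelet as part of the hostname.
# NOTE(review): --v=4 is verbose and writes to /data/k8s/logs; consider
# lowering it once bootstrap works.
# NOTE(review): the pause image is pulled by mutable tag (3.0) from a mirror
# registry; confirm the tag suits your Kubernetes release and consider
# pinning it by digest.
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/data/k8s/kubelet
ExecStart=/data/k8s/bin/kubelet \
--bootstrap-kubeconfig=/data/k8s/kubelet/bootstrap.kubeconfig \
--cert-dir=/data/k8s/cert \
--kubeconfig=/data/k8s/kubelet/kubelet.kubeconfig \
--config=/data/k8s/kubelet/kubelet.config.json \
--hostname-override=node01 \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/data/k8s/logs \
--v=4
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target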

@注:
kubelet 先用 bootstrap.kubeconfig 連接 master 並提交 CSR,CSR 被批准後 kubelet.kubeconfig 文件會自動生成。

啓動


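# Create the log directory named by --log-dir in kubelet.service.
# -p keeps the step repeatable: plain mkdir fails if the directory already
# exists, and kube-proxy.service uses the same path.
mkdir -p /data/k8s/logs
# Install the unit, make systemd re-read unit files, start the kubelet and
# show its state.
# NOTE(review): the unit is started but never enabled, so presumably it will
# not come back after a reboot. Confirm whether that is intended.
cp kubelet.service /etc/systemd/system/
systemctl daemon-reload
systemctl start kubelet
systemctl status kubelet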

:::master 節點操作:::

手動認證 node節點(批准前先核對 CSR 的 REQUESTOR 與建立時間,確認是剛啓動的這臺 node 發出的請求)
# kubectl get csr
NAME                                                   AGE   REQUESTOR                 CONDITION
node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE   53s   system:bootstrap:0pmyt7   Pending

# kubectl certificate approve node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE
certificatesigningrequest.certificates.k8s.io/node-csr-TO3HPgCc_zkDPN3iZZs6q7wWbh2ZLc-JNftOsLZv0xE approved

# kubectl get node
可以看到剛剛添加的node節點了

安裝 kube-proxy

:::master 操作:::

創建證書文件

kube-proxy-csr.json

{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "k8s",
      "OU": "lswzw"
    }
  ]
}
生成證書
# Sign a client certificate for kube-proxy with the cluster CA; cfssljson
# writes kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr into the
# current directory.
# NOTE(review): this command reads the CA from /opt/k8s/cert, while every
# other step on this page uses /data/k8s/cert. Confirm which path holds the CA.
# This step needs the CA private key, so run it on the master only.
cfssl gencert -ca=/opt/k8s/cert/ca.pem \
-ca-key=/opt/k8s/cert/ca-key.pem \
-config=/opt/k8s/cert/ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

ls *kube-proxy*
kube-proxy.csr kube-proxy-csr.json kube-proxy-key.pem kube-proxy.pem
創建kubeconfig 文件

kube-proxy.kubeconfig

# Sign the kube-proxy client certificate with the CA under /data/k8s/cert.
# Output files (kube-proxy.pem, kube-proxy-key.pem, kube-proxy.csr) land in
# the current directory.
cfssl gencert \
  -ca=/data/k8s/cert/ca.pem \
  -ca-key=/data/k8s/cert/ca-key.pem \
  -config=/data/k8s/cert/ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy

# Cluster entry: API server address plus the embedded CA certificate.
kubectl config set-cluster kubernetes \
  --kubeconfig=kube-proxy.kubeconfig \
  --server=https://192.168.100.58:6443 \
  --certificate-authority=/data/k8s/cert/ca.pem \
  --embed-certs=true

# Client credentials: the kube-proxy certificate and key, embedded in the file.
# NOTE(review): these are read from /data/k8s/cert, while cfssljson writes
# to the current directory; presumably both are the same place. Confirm.
kubectl config set-credentials kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig \
  --client-certificate=/data/k8s/cert/kube-proxy.pem \
  --client-key=/data/k8s/cert/kube-proxy-key.pem \
  --embed-certs=true

# Context binding the cluster entry to the kube-proxy user.
kubectl config set-context kube-proxy@kubernetes \
  --kubeconfig=kube-proxy.kubeconfig \
  --cluster=kubernetes \
  --user=kube-proxy

# Select that context as the default.
kubectl config use-context kube-proxy@kubernetes --kubeconfig=kube-proxy.kubeconfig

# Copy the finished kubeconfig to the node. It embeds the kube-proxy private
# key, so treat it as a secret on both hosts.
scp kube-proxy.kubeconfig 192.168.100.59:/data/k8s/kube-proxy/

:::node節點操作:::

創建配置文件

kube-proxy.config.yaml

# kube-proxy configuration for one node. Each 192.168.100.59 below is that
# node's own address, and hostnameOverride is its node name; both change per node.
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.100.59
clientConnection:
  # Credentials kube-proxy uses to reach the API server.
  kubeconfig: /data/k8s/kube-proxy/kube-proxy.kubeconfig
clusterCIDR: 10.44.0.0/16
# Health and metrics endpoints listen on the node IP rather than loopback.
# NOTE(review): the host firewall is disabled earlier on this page; confirm
# ports 10256 and 10249 are reachable only from the cluster network.
healthzBindAddress: 192.168.100.59:10256
hostnameOverride: node01
kind: KubeProxyConfiguration
metricsBindAddress: 192.168.100.59:10249
# IPVS mode relies on the ip_vs* kernel modules loaded during system setup.
mode: "ipvs"

@注:
上面所有ip均爲node節點IP hostname 不同節點須要改

kube-proxy.service

# systemd unit for kube-proxy on a worker node.
# All runtime settings come from kube-proxy.config.yaml; the flags here only
# select that file and the logging behaviour.
# NOTE(review): --v=4 is verbose and writes to /data/k8s/logs, the same
# directory the kubelet unit logs to; consider lowering it after initial setup.
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/data/k8s/kube-proxy
ExecStart=/data/k8s/bin/kube-proxy \
--config=/data/k8s/kube-proxy/kube-proxy.config.yaml \
--alsologtostderr=true \
--logtostderr=false \
--log-dir=/data/k8s/logs \
--v=4

# Restart after a failure with a 5 second delay; raise the open-file limit.
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
啓動


# Install the kube-proxy unit, make systemd re-read unit files, then start
# the service and show its state.
cp kube-proxy.service /etc/systemd/system/kube-proxy.service
systemctl daemon-reload
systemctl start kube-proxy
systemctl status kube-proxy

檢查狀態

:::master 操作:::

# Show the full description of every registered node, to confirm the new
# node's state from the master.
kubectl describe nodes