Kubernetes部署方式與平臺規劃
- 官方提供三種部署方式
- monikubu(僅用於測試使用)
Minikube是一個工具,可以在本地快速運行一個單點
的Kubernetes,僅用於嘗試Kubernetes或日常開發的用戶使用
部署地址 - kubeadm
Kubeadm也是一個工具,提供kubeadm init和kubeadm join,用於快速部署Kubenetes集羣
部署地址
不推薦:證書默認只分配一年;一鍵部署,內部運行機制不瞭解;目前是測試版本 - 二進制包
推薦,從官方下載發行版的二進制包,手動部署每個組件,組成Kubenetes集羣
下載地址
- 平臺環境規劃
官方發佈最新穩定版。
- 單節點master
- 多節點master
- 單節點master集羣部署
- 自籤SSL證書
etcd-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h", # 過期時間,10年
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
#etcd域名證書
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.33.6",
"192.168.33.7",
"192.168.33.8"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
執行:bash cfssl.sh
bash etcd-cert.sh
- 部署etcd
- 三個節點均執行一下配置
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
- 創建etcd配置文件:
# vim /opt/etcd/cfg/etcd
#[Member]
# ETCD_NAME 節點名稱
ETCD_NAME="etcd01"
# ETCD_DATA_DIR 數據目錄
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# ETCD_LISTEN_PEER_URLS 集羣通信監聽地址
ETCD_LISTEN_PEER_URLS="https://192.168.33.7:2380"
# ETCD_LISTEN_CLIENT_URLS 客戶端訪問監聽地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.33.7:2379"
#[Clustering]
# ETCD_INITIAL_ADVERTISE_PEER_URLS 集羣通告地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.33.7:2380"
# ETCD_ADVERTISE_CLIENT_URLS 客戶端通告地址
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.33.7:2379"
# ETCD_INITIAL_CLUSTER 集羣所有節點地址
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.33.7:2380,etcd02=https://192.168.33.6:2380,etcd03=https://192.168.33.8:2380"
# ETCD_INITIAL_CLUSTER_TOKEN 集羣Token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# ETCD_INITIAL_CLUSTER_STATE 加入集羣的當前狀態,new是新集羣,existing表示加入已有集羣
ETCD_INITIAL_CLUSTER_STATE="new"
- 使用systemd管理etcd,創建服務腳本
# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd --name=${ETCD_NAME} --data-dir=${ETCD_DATA_DIR} --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} --initial-cluster=${ETCD_INITIAL_CLUSTER} --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} --initial-cluster-state=new --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
- 將/opt/etcd目錄和服務啓動腳本拷貝至其他兩個節點,修改cfg/etcd中的IP
scp -r /opt/etcd node1:/opt/ node2:/opt/
scp -r /usr/lib/systemd/system/etcd.service node1:/usr/lib/systemd/system/etcd.service node2:/usr/lib/systemd/system/etcd.service
- 啓動etcd(啓動失敗的話檢查IP是否配置正確,檢查無誤再重啓多幾次)
systemctl start etcd
systemctl enable etcd
- 檢查集羣健康狀態
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" cluster-health
# 正常輸出
member 181e3b7279fd8ef6 is healthy: got healthy result from https://192.168.33.6:2379
member 9fb608799130aa7f is healthy: got healthy result from https://192.168.33.7:2379
member ff9d0db82e0b0c3f is healthy: got healthy result from https://192.168.33.8:2379
cluster is healthy
- 在Node安裝Docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce -y
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://bc437cce.m.daocloud.io # 安裝鏡像加速
systemctl start docker
systemctl enable docker
-
部署Flannel網絡
Flannel只需部署到node節點即可。
CNI(Container Network Interface):容器網絡接口
Kubernetes網絡模型設計基本要求:- 一個Pod一個IP
- 每個Pod獨立IP,Pod內所有容器共享網絡(同一個IP)
- 所有容器都可以與所有其他容器通信
- 所有節點都可以與所有容器通信
Overlay Network:覆蓋網絡,在基礎網絡上疊加的一種虛擬網絡技術模式,該網絡中的主機通過虛擬鏈路連接起來。
Flannel:是Overlay網絡的一種,也是講數據包封裝在另一種網絡包裏面進行路由轉發和通信,目前已經支持UDP、VXLAN、Host-GW、AWS VPC和GCE路由等數據轉發方式。
Falnnel要用etcd存儲自身一個子網信息,所以要保證能成功連接Etcd- 寫入預定義子網段:在master執行
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}' # 正常輸出 { "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}} # 查看是否正確配置 /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.33.7:2379,https://192.168.33.6:2379,https://192.168.33.8:2379" get /coreos.com/network/config
- 每個node節點操作:
下載二進制包
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0- linux-amd64.tar.gz tar zxvf flannel-v0.9.1-linux-amd64.tar.gz mkdir /opt/kubernetes/{bin,cfg,ssl} -p mv flanneld mk-docker-opts.sh /opt/kubernetes/bin
配置Flannel
# vim /opt/kubernetes/cfg/flanneld FLANNEL_OPTIONS="--etcd- endpoints=https://192.168.33.7:2379,https://192.168.33.8:2379,https://192.168.33.9:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd- keyfile=/opt/etcd/ssl/server-key.pem"
systemd管理Flannel:
# vim /usr/lib/systemd/system/flanneld.service [Unit] Description=Flanneld overlay address etcd agent After=network-online.target network.target Before=docker.service [Service] Type=notify EnvironmentFile=/opt/kubernetes/cfg/flanneld ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env Restart=on-failure [Install] WantedBy=multi-user.target
配置Docker啓動指定子網段:
# vim /usr/lib/systemd/system/docker.service [Unit] ... ... [Service] Type=notify EnvironmentFile=/run/flannel/subnet.env ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS ... ...
重啓flannel和docker:
# systemctl daemon-reload # systemctl start flanneld # systemctl enable flanneld # systemctl restart docker # 驗證 # ps -ef |grep docker root 11425 1 2 15:15 ? 00:00:00 /usr/bin/dockerd --bip=172.17.87.1/24 --ip-masq=false --mtu=1450 15:15 pts/0 00:00:00 grep --color=auto docker # ip a ... ... 4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN link/ether 02:42:02:e5:d8:2f brd ff:ff:ff:ff:ff:ff inet 172.17.87.1/24 brd 172.17.87.255 scope global docker0 valid_lft forever preferred_lft forever 5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN link/ether 86:1a:b9:ea:35:d1 brd ff:ff:ff:ff:ff:ff inet 172.17.87.0/32 scope global flannel.1 valid_lft forever preferred_lft forever # 確保docker0與flannel.1在同一網段。 測試不同節點互通,在當前節點訪問另一個Node節點docker0 IP # ping 172.17.87.1
-
在Master節點部署組件
在部署Kubernetes之前一定要確保etcd、flannel、docker是正常工作的,否則先解決問題再繼續。
4.1 創建CA證書:
# vim k8s-cert.sh cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- cat > server-csr.json <<EOF { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.33.7", "192.168.33.8", "192.168.33.9", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server #----------------------- cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin #----------------------- cat > kube-proxy-csr.json <<EOF { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
生成證書:
# sh k8s-cert.sh # mkdir -p /opt/kubernetes/{ssl,cfg,bin} # cp ca-key.pem ca.pem server-key.pem server.pem /opt/kubernetes/ssl/
4.2 部署apiserver組件
下載二進制包kubernetes-server-linux-amd64.tar.gz,包含了所需的所有組件。
github下載k8s二進制包kubernetes-server-linux-amd64.tar.gz
解壓,提取可執行文件kube-apiserver、kube-controller-manager 、kube-scheduler# tar zxvf kubernetes-server-linux-amd64.tar.gz # cd kubernetes/server/bin # cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin
創建token文件,用途後面會講到:
# cd /opt/kubernetes/cfg # BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008 # cat > token.csv <<EOF ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" EOF
創建apiserver配置文件:
# cat /opt/kubernetes/cfg/kube-apiserver KUBE_APISERVER_OPTS="--logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --v=4 \ --etcd-servers=https://192.168.33.7:2379,https://192.168.33.9:2379,https://192.168.33.8:2379 \ --bind-address=192.168.33.7 \ --secure-port=6443 \ --advertise-address=192.168.33.7 \ --allow-privileged=true \ --service-cluster-ip-range=10.0.0.0/24 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ --kubelet-https=true \ --enable-bootstrap-token-auth \ --token-auth-file=/opt/kubernetes/cfg/token.csv \ --service-node-port-range=30000-50000 \ --tls-cert-file=/opt/kubernetes/ssl/server.pem \ --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \ --client-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ --etcd-cafile=/opt/etcd/ssl/ca.pem \ --etcd-certfile=/opt/etcd/ssl/server.pem \ --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
參數說明:
–logtostderr 啓用日誌
—v 日誌等級
–etcd-servers etcd集羣地址
–bind-address 監聽地址
–secure-port https安全端口
–advertise-address 集羣通告地址
–allow-privileged 啓用授權
–service-cluster-ip-range Service虛擬IP地址段
–enable-admission-plugins 准入控制模塊
–authorization-mode 認證授權,啓用RBAC授權和節點自管理
–enable-bootstrap-token-auth 啓用TLS bootstrap功能,後面會講到
–token-auth-file token文件
–service-node-port-range Service Node類型默認分配端口範圍配置systemd管理apiserver
# cat /usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target
啓動:
# systemctl daemon-reload # systemctl enable kube-apiserver # systemctl restart kube-apiserver # 檢查端口監聽情況 # ss -antpu |grep 8080 # ss -antpu |grep 6443
4.3 部署scheduler組件
創建schduler配置文件:# cat /opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect"
參數說明:
–master 連接本地apiserver
–leader-elect 當該組件啓動多個時,自動選舉(HA)systemd管理schduler組件:
# cat /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target
啓動:
# systemctl daemon-reload # systemctl enable kube-apiserver # systemctl restart kube-apiserver
4.4 部署controller-manager組件
創建controller-manager配置文件和systemd管理組件並啓動:# cat /opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect=true \ --address=127.0.0.1 \ --service-cluster-ip-range=10.0.0.0/24 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --experimental-cluster-signing-duration=87600h0m0s" # cat /usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target # systemctl daemon-reload # systemctl enable kube-controller-manager # systemctl restart kube-controller-manager
所有組件都已經啓動成功,通過kubectl工具查看當前集羣組件狀態:
# /opt/kubernetes/bin/kubectl get cs # 正常輸出:組件正常 NAME STATUS MESSAGE ERROR controller-manager Healthy ok scheduler Healthy ok etcd-1 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"}
-
在Node節點部署組件
Master apiserver啓用TLS認證後,Node節點kubelet組件想要加入集羣,必須使用CA簽發的有效證書才能與
apiserver通信,當Node節點很多時,簽署證書是一件很繁瑣的事情,因此有了TLS Bootstrapping機制,kubelet
會以一個低權限用戶自動向apiserver申請證書,kubelet的證書由apiserver動態簽署。
認證大致工作流程如圖所示:
5.1 將kubelet-bootstrap用戶綁定到系統集羣角色
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
# cat kubeconfig.sh # 創建 TLS Bootstrapping Token #BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ') BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008 #cat > token.csv <<EOF #${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" #EOF #---------------------- APISERVER=$1 SSL_DIR=$2 # 創建kubelet bootstrapping kubeconfig export KUBE_APISERVER="https://$APISERVER:6443" # 設置集羣參數 kubectl config set-cluster kubernetes \ --certificate-authority=$SSL_DIR/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=bootstrap.kubeconfig # 設置客戶端認證參數 kubectl config set-credentials kubelet-bootstrap \ --token=${BOOTSTRAP_TOKEN} \ --kubeconfig=bootstrap.kubeconfig # 設置上下文參數 kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig # 設置默認上下文 kubectl config use-context default --kubeconfig=bootstrap.kubeconfig #---------------------- # 創建kube-proxy kubeconfig文件 kubectl config set-cluster kubernetes \ --certificate-authority=$SSL_DIR/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-credentials kube-proxy \ --client-certificate=$SSL_DIR/kube-proxy.pem \ --client-key=$SSL_DIR/kube-proxy-key.pem \ --embed-certs=true \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-context default \ --cluster=kubernetes \ --user=kube-proxy \ --kubeconfig=kube-proxy.kubeconfig kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
執行:
sh kubeconfig.sh 192.168.33.7 /data/k8s/k8s-cert/
將bootstrap.kubeconfig、kube-proxy.kubeconfig拷貝到Node節點/opt/kubernetes/cfg目錄下。# scp bootstrap.kubeconfig kube-proxy.kubeconfig slave2:/opt/kubernetes/cfg/ # scp bootstrap.kubeconfig kube-proxy.kubeconfig slave3:/opt/kubernetes/cfg/
5.2 部署kubelet組件
將前面下載的二進制包中的kubelet和kube-proxy拷貝到/opt/kubernetes/bin目錄下。
scp kubelet kube-proxy slave2:/opt/kubernetes/bin/
scp kubelet kube-proxy slave3:/opt/kubernetes/bin/
執行創建kubelet配置文件腳本:sh kubelet.sh 192.168.33.8# vim kubelet.sh #!/bin/bash NODE_ADDRESS=$1 DNS_SERVER_IP=${2:-"10.0.0.2"} cat <<EOF >/opt/kubernetes/cfg/kubelet KUBELET_OPTS="--logtostderr=true \\ --v=4 \\ --hostname-override=${NODE_ADDRESS} \\ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\ --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\ --config=/opt/kubernetes/cfg/kubelet.config \\ --cert-dir=/opt/kubernetes/ssl \\ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0" EOF cat <<EOF >/opt/kubernetes/cfg/kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: ${NODE_ADDRESS} port: 10250 readOnlyPort: 10255 cgroupDriver: cgroupfs clusterDNS: - ${DNS_SERVER_IP} clusterDomain: cluster.local. failSwapOn: false authentication: anonymous: enabled: true EOF cat <<EOF >/usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service [Service] EnvironmentFile=/opt/kubernetes/cfg/kubelet ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS Restart=on-failure KillMode=process [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kubelet systemctl restart kubelet
# cat /opt/kubernetes/cfg/kubelet KUBELET_OPTS="--logtostderr=false \ --log-dir=/opt/kubernetes/logs \ --v=4 \ --hostname-override=192.168.33.8 \ --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \ --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \ --config=/opt/kubernetes/cfg/kubelet.config \ --cert-dir=/opt/kubernetes/ssl \ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
參數說明:
–hostname-override 在集羣中顯示的主機名
–kubeconfig 指定kubeconfig文件位置,會自動生成
–bootstrap-kubeconfig 指定剛纔生成的bootstrap.kubeconfig文件
–cert-dir 頒發證書存放位置
–pod-infra-container-image 管理Pod網絡的鏡像# cat /opt/kubernetes/cfg/kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: 192.168.33.8 port: 10250 readOnlyPort: 10255 cgroupDriver: cgroupfs clusterDNS: - 10.0.0.2 clusterDomain: cluster.local. failSwapOn: false authentication: anonymous: enabled: true
# cat /usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service [Service] EnvironmentFile=/opt/kubernetes/cfg/kubelet ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS Restart=on-failure KillMode=process [Install] WantedBy=multi-user.target
啓動:
# systemctl daemon-reload # systemctl enable kubelet # systemctl restart kubelet # ps -ef | grep kubelet
5.3 部署kube-proxy組件
執行創建kube-proxy配置文件腳本:sh proxy.sh 192.168.33.8# vim proxy.sh #!/bin/bash NODE_ADDRESS=$1 cat <<EOF >/opt/kubernetes/cfg/kube-proxy KUBE_PROXY_OPTS="--logtostderr=true \\ --v=4 \\ --hostname-override=${NODE_ADDRESS} \\ --cluster-cidr=10.0.0.0/24 \\ --proxy-mode=ipvs \\ --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig" EOF cat <<EOF >/usr/lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Proxy After=network.target [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-proxy systemctl restart kube-proxy
檢查是否正常啓動:
ps aux | grep proxy
在Master審批Node加入集羣:
啓動後還沒加入到集羣中,需要手動允許該節點纔可以。 在Master節點查看請求籤名的Node:[root@Fone7 bin]# kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg 108s kubelet-bootstrap Pending node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM 3m11s kubelet-bootstrap Pending [root@Fone7 bin]# kubectl certificate approve node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg certificatesigningrequest.certificates.k8s.io/node-csr-7w1OwWM2l_mbkRz7AIK_KquZcYkeqQYYFjmsUqUHEDg approved [root@Fone7 bin]# kubectl certificate approve node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM certificatesigningrequest.certificates.k8s.io/node-csr-ACzd6QlSRWU6ouFznLCmU-saHoFR8boKwJwrxudRhMM approved [root@Fone7 bin]# kubectl get node NAME STATUS ROLES AGE VERSION 192.168.33.8 Ready <none> 8s v1.12.3 192.168.33.9 Ready <none> 45s v1.12.3 [root@Fone7 bin]# kubectl get cs NAME STATUS MESSAGE ERROR etcd-0 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"} scheduler Healthy ok controller-manager Healthy ok etcd-1 Healthy {"health":"true"}
-
運行一個測試示例
創建一個Nginx Web,測試集羣是否正常工作:# kubectl run nginx --image=nginx --replicas=3 # kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort
查看Pod,Service:
# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 3h31m nginx NodePort 10.0.0.186 <none> 88:37361/TCP 14m [root@Fone7 bin]# kubectl get pods NAME READY STATUS RESTARTS AGE nginx-dbddb74b8-78jfp 1/1 Running 1 13m nginx-dbddb74b8-rglmf 1/1 Running 1 13m nginx-dbddb74b8-z4fwb 1/1 Running 0 13m [root@Fone7 bin]# kubectl get pods -o wide # 查看具體運行在哪個節點 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE nginx-dbddb74b8-78jfp 1/1 Running 1 14m 172.17.87.3 192.168.33.9 <none> nginx-dbddb74b8-rglmf 1/1 Running 1 14m 172.17.87.2 192.168.33.9 <none> nginx-dbddb74b8-z4fwb 1/1 Running 0 14m 172.17.87.2 192.168.33.8 <none>
在node節點訪問
curl 10.0.0.186:88
外部訪問集羣中部署的Nginx,打開瀏覽器輸入node IP:端口:http://192.168.33.8:37361
- 在master授權用戶,用以查看日誌
# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
clusterrolebinding.rbac.authorization.k8s.io/cluster-system-anonymous created
# 動態查看打印日誌,刷新瀏覽器,查看日誌輸出
# kubectl logs nginx-dbddb74b8-z4fwb -f
- 雜七雜八
- 注意時間同步
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime - 有問題先查日誌(運行日誌,系統日誌/var/log/messages等),無法解決再baidu谷歌
- 注意時間同步