6

Kubernetes部署master服务-rllt

 4 years ago
source link: https://blog.51cto.com/11742478/2484941
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Kubernetes部署master服务

一、初始化服务器

1 关闭防火墙

​ 【所有主节点都执行】

[root@k8s-master1 ~]# systemctl stop firewalld
[root@k8s-master1 ~]# systemctl disable firewalld
2 关闭selinux

​ 【所有主节点都执行】

# setenforce 0
# vim /etc/selinux/config
修改SELINUX=enforcing 为 SELINUX=disabled
3 配置主机名

​ 【所有主节点都执行】
​ hostnamectl set-hostname 主机名

4 配置名称解析

​ 【所有主节点都执行】

vim /etc/hosts

​ 添加如下四行

192.168.31.63    k8s-master1
192.168.31.64    k8s-master2
192.168.31.65    k8s-node1
192.168.31.66    k8s-node2
5 配置时间同步

​ 选择一个节点作为服务端,剩下的作为客户端
​ master1为时间服务器的服务端
​ 其他的为时间服务器的客户端

​ 1)配置k8s-master1 

# yum install chrony -y
# vim /etc/chrony.config
    #修改三项
    server 127.127.1.0 iburst
    allow 192.168.31.0/24
    local stratum 10

# systemctl start chronyd
# systemctl enable chronyd
# ss -unl | grep 123
        UNCONN     0      0            *:123                      *:*


​ 2)配置k8s-node1 和k8s-node2

# yum install chrony -y
# vim /etc/chrony.conf
            server 192.168.31.63 iburst

# systemctl start chronyd
# systemctl enable chronyd
# chronyc sources

            210 Number of sources = 1
            MS Name/IP address         Stratum Poll Reach LastRx Last sample               
            ============================================================
^* k8s-master1                  10   6    17     4    +11us[  +79us] +/-   95us

6 关闭交换分区
【所有主节点都执行】

[root@k8s-master1 ~]# swapoff -a
[root@k8s-master1 ~]# vim /etc/fstab

​ 删除一行:
​ 检查是否关闭成功

[root@k8s-master1 ~]# free -m
                  total        used        free      shared  buff/cache   available
    Mem:           2827         157        2288           9         380        2514
    Swap:             0           0           0

三、给etcd颁发证书

1)创建证书颁发机构
2)填写表单--写明etcd所在节点的IP
3)向证书颁发机构申请证书

    第一步:上传TLS安装包
        传到/root下
        略
    第二步:
        # tar xvf /root/TLS.tar.gz
        # cd /root/TLS
        # vim server-csr.json 
            修改host中的IP地址,这里的IP是etcd所在节点的IP地址
            {
                "CN": "etcd",
                "hosts": [
                    "192.168.31.63",
                    "192.168.31.65",
                    "192.168.31.66"
                    ],
                "key": {
                    "algo": "rsa",
                    "size": 2048
                },
                "names": [
                    {
                        "C": "CN",
                        "L": "BeiJing",
                        "ST": "BeiJing"
                    }
                ]
            }
        # ./generate_etcd_cert.sh
        # ls *pem
            ca-key.pem  ca.pem  server-key.pem  server.pem

四、部署etcd

etcd需要三台虚拟机
在master、node1、node2上分别安装一个etcd

注意:
    解压之后会生成一个文件和一个目录

    # tar xvf etcd.tar.gz 
    # mv etcd.service /usr/lib/systemd/system
    # vim /opt/etcd/cfg/etcd.conf
        #[Member]
        ETCD_NAME="etcd-1"
        ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
        ETCD_LISTEN_PEER_URLS="https://192.168.31.63:2380"
        ETCD_LISTEN_CLIENT_URLS="https://192.168.31.63:2379"

        #[Clustering]
        ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.63:2380"
        ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.63:2379"
        ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
        ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
        ETCD_INITIAL_CLUSTER_STATE="new"
    # rm -rf /opt/etcd/ssl/*
    # \cp -fv ca.pem server.pem server-key.pem /opt/etcd/ssl/ 

    将etc管理程序和程序目录发送到node1 和node2
    # scp /usr/lib/systemd/system/etcd.service root@k8s-node1:/usr/lib/systemd/system/
    # scp /usr/lib/systemd/system/etcd.service root@k8s-node2:/usr/lib/systemd/system/
    # scp -r /opt/etcd/ root@k8s-node2:/opt/
    # scp -r /opt/etcd/ root@k8s-node1:/opt/

    在node1上修改etcd的配置文件
    # vim /opt/etcd/cfg/etcd.conf
    #[Member]
    ETCD_NAME="etcd-2"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.31.65:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.31.65:2379"

    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.65:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.65:2379"
    ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"

    在node2上修改etcd的配置文件
    # vim /opt/etcd/cfg/etcd.conf
    #[Member]
    ETCD_NAME="etcd-3"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://192.168.31.66:2380"
    ETCD_LISTEN_CLIENT_URLS="https://192.168.31.66:2379"

    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.66:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.66:2379"
    ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    在三个节点一次启动etcd服务
    # systemctl start etcd
    # systemctl enable etcd

    检查是否启动成功
    # /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:2379" cluster-health

五、为api server签发证书

cd /root/TLS/k8s/
./generate_k8s_cert.sh

六、部署master服务

# tar xvf k8s-master.tar.gz 
# mv kube-apiserver.service kube-controller-manager.service kube-scheduler.service /usr/lib/systemd/system/
# mv kubernetes /opt/
# cp /root/TLS/k8s/{ca*pem,server.pem,server-key.pem} /opt/kubernetes/ssl/ -rvf
修改apiserver的配置文件
# vim /opt/kubernetes/cfg/kube-apiserver.conf 
    KUBE_APISERVER_OPTS="--logtostderr=false \
    --v=2 \
    --log-dir=/opt/kubernetes/logs \
    --etcd-servers=https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:2379 \
    --bind-address=192.168.31.63 \
    --secure-port=6443 \
    --advertise-address=192.168.31.63 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth=true \
    --token-auth-file=/opt/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-32767 \
    --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
    --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
    --tls-cert-file=/opt/kubernetes/ssl/server.pem  \
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
    --client-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/opt/etcd/ssl/ca.pem \
    --etcd-certfile=/opt/etcd/ssl/server.pem \
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem \
    --audit-log-maxage=30 \
    --audit-log-maxbackup=3 \
    --audit-log-maxsize=100 \
    --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"

启动master
    # systemctl start kube-apiserver
    # systemctl enable kube-apiserver
    # systemctl enable kube-scheduler
    # systemctl start kube-scheduler
    # systemctl start kube-controller-manager
    # systemctl start kube-scheduler
    # systemctl enable kube-controller-manager
    # cp /opt/kubernetes/bin/kubectl /bin/
检查启动结果
    # ps aux |grep kube
    # ps aux |grep kube | wc -4

    # kubectl get cs
    NAME                 AGE
    controller-manager   <unknown>
    scheduler            <unknown>
    etcd-1               <unknown>
    etcd-2               <unknown>
    etcd-0               <unknown>

配置tls 基于bootstrap自动颁发证书
    # kubectl create clusterrolebinding kubelet-bootstrap \
    --clusterrole=system:node-bootstrapper \
    --user=kubelet-bootstrap

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK