获取二进制文件
所有操作都在master结点上执行
获取安装文件
1 2 3 4 5
| wget https://dl.k8s.io/v1.15.5/kubernetes-server-linux-amd64.tar.gz tar xf kubernetes-server-linux-amd64.tar.gz cd kubernetes/server/bin cp kube-apiserver kube-controller-manager kubectl /usr/bin cp kube-scheduler kubelet kube-proxy /usr/bin
|
TLS Bootstrapping Token
1 2 3 4 5
| # head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 449bbeb0ea7e50f321087a123a509a19
# vim /cloud/k8s/kubernetes/cfg/token.csv 449bbeb0ea7e50f321087a123a509a19,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
|
kubernetes机器提供HTTPS服务
安装配置CFSSL
创建证书工具,用于提供https服务
1 2 3 4 5 6 7
| wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
|
cs根证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
| cat << EOF | tee /etc/kubernetes/ssl/ca-config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
| cat << EOF | tee /etc/kubernetes/ssl/ca-csr.json { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Shanghai", "ST": "Shanghai", "O": "k8s", "OU": "System" } ] } EOF
|
1 2 3
| # 生成根证书 cd /etc/kubernetes/ssl cfssl gencert -initca /etc/kubernetes/ssl/ca-csr.json | cfssljson -bare ca -
|
kube-apiserver证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
| # master结点主机名 cat << EOF | tee /etc/kubernetes/ssl/server-csr.json { "CN": "kubernetes", "hosts": [ "127.0.0.1", "${master_ip}", "10.40.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Shanghai", "ST": "Shanghai", "O": "k8s", "OU": "System" } ] } EOF
|
1 2 3 4
| # 生成apiserver的证书 cd /etc/kubernetes/ssl/ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/etc/kubernetes/ssl/ca-config.json -profile=kubernetes \ /etc/kubernetes/ssl/server-csr.json | cfssljson -bare server
|
kube-proxy证书
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| cat << EOF | tee /etc/kubernetes/ssl/kube-proxy-csr.json { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Shanghai", "ST": "Shanghai", "O": "k8s", "OU": "System" } ] } EOF
|
1 2 3 4 5 6 7
| # 生成kube-proxy证书 cd /etc/kubernetes/ssl/ cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \ -ca-key=/etc/kubernetes/ssl/ca-key.pem \ -config=/etc/kubernetes/ssl/ca-config.json \ -profile=kubernetes /etc/kubernetes/ssl/kube-proxy-csr.json \ | cfssljson -bare kube-proxy
|
kube-apiserver服务
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
| # vim /etc/kubernetes/kube-apiserver.conf KUBE_APISERVER_OPTS="--logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=4 \ --etcd-servers=http://${etcd_cluster_ip}:2379 \ --bind-address=${master_ip} \ --secure-port=6443 \ --advertise-address=${master_ip} \ --allow-privileged=true \ --service-cluster-ip-range=10.40.0.0/24 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ --enable-bootstrap-token-auth \ --token-auth-file=/etc/kubernetes/token.csv \ --service-node-port-range=30000-50000 \ --tls-cert-file=/etc/kubernetes/ssl/server.pem \ --tls-private-key-file=/etc/kubernetes/ssl/server-key.pem \ --client-ca-file=/etc/kubernetes/ssl/ca.pem \ --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem"
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12
| cat << \EOF > /lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes After=flannld.service [Service] EnvironmentFile=/etc/kubernetes/kube-apiserver.conf ExecStart=/usr/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF
|
启动kube-apiserver服务
1 2 3
| systemctl daemon-reload systemctl enable kube-apiserver systemctl start kube-apiserver
|
kube-controller-manager服务
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13
| # vim /etc/kubernetes/kube-controller-manager.conf KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=4 \ --master=127.0.0.1:8080 \ --leader-elect=true \ --address=127.0.0.1 \ --service-cluster-ip-range=10.40.0.0/24 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \ --root-ca-file=/etc/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem"
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12
| cat << \EOF > /lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes After=kube-apiserver.service [Service] EnvironmentFile=-/etc/kubernetes/kube-controller-manager.conf ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF
|
启动kube-controller-manager服务
1 2 3
| systemctl daemon-reload systemctl enable kube-controller-manager systemctl start kube-controller-manager
|
kube-scheduler服务
配置文件
1 2 3
| # vim /etc/kubernetes/kube-scheduler.conf KUBE_SCHEDULER_OPTS="--logtostderr=false --log-dir=/var/log/kubernetes \ --v=4 --master=127.0.0.1:8080 --leader-elect"
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12
| cat << \EOF > /lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes After=kube-apiserver.service [Service] EnvironmentFile=-/etc/kubernetes/kube-scheduler.conf ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF
|
启动kube-scheduler服务
1 2 3
| systemctl daemon-reload systemctl enable kube-scheduler systemctl start kube-scheduler
|
创建 kubelet bootstrap kubeconfig 文件
kubeconfig
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36
| BOOTSTRAP_TOKEN=449bbeb0ea7e50f321087a123a509a19 KUBE_APISERVER="https://${master_ip}:6443" # 设置集群参数 kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=bootstrap.kubeconfig # 设置客户端认证参数 kubectl config set-credentials kubelet-bootstrap \ --token=${BOOTSTRAP_TOKEN} \ --kubeconfig=bootstrap.kubeconfig # 设置上下文参数 kubectl config set-context default \ --cluster=kubernetes \ --user=kubelet-bootstrap \ --kubeconfig=bootstrap.kubeconfig # 设置默认上下文 kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# 创建kube-proxy kubeconfig文件 kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/ssl/ca.pem \ --embed-certs=true \ --server=${KUBE_APISERVER} \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-credentials kube-proxy \ --client-certificate=/etc/kubernetes/ssl/kube-proxy.pem \ --client-key=/etc/kubernetes/ssl/kube-proxy-key.pem \ --embed-certs=true \ --kubeconfig=kube-proxy.kubeconfig kubectl config set-context default \ --cluster=kubernetes \ --user=kube-proxy \ --kubeconfig=kube-proxy.kubeconfig kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
|
kubelet服务
配置文件
1 2 3 4 5 6 7 8 9 10 11 12 13
| # node-labels=node-role.kubernetes.io/master, master结点使用该参数 # node-labels=node-role.kubernetes.io/node, node结点使用该参数 # vim /etc/kubernetes/kubelet.conf KUBELET_OPTS="--logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=4 \ --node-labels=node-role.kubernetes.io/master \ --hostname-override=k8s-master \ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \ --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \ --config=/etc/kubernetes/kubelet.config \ --cert-dir=/etc/kubernetes/ssl \ --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
|
kubelet配置模板
1 2 3 4 5 6 7 8 9 10 11 12
| # vim /etc/kubernetes/kubelet.config kind: KubeletConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 address: ${node_ip} port: 10250 readOnlyPort: 10255 cgroupDriver: systemd clusterDomain: cluster.local. failSwapOn: false authentication: anonymous: enabled: true
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11 12 13
| cat << \EOF > /lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet After=docker.service Requires=docker.service [Service] EnvironmentFile=/etc/kubernetes/kubelet.conf ExecStart=/usr/bin/kubelet $KUBELET_OPTS Restart=on-failure KillMode=process [Install] WantedBy=multi-user.target EOF
|
启动kubelet服务
1 2 3
| systemctl daemon-reload systemctl enable kubelet systemctl start kubelet
|
kube-proxy服务
配置文件
1 2 3 4 5 6
| # vim /etc/kubernetes/kube-proxy.conf KUBE_PROXY_OPTS="--logtostderr=true \ --v=4 \ --hostname-override=k8s-master \ --cluster-cidr=10.40.0.0/24 \ --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig"
|
systemctl service文件
1 2 3 4 5 6 7 8 9 10 11
| cat << \EOF > /lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Proxy After=network.target [Service] EnvironmentFile=-/etc/kubernetes/kube-proxy.conf ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF
|
启动kube-proxy服务
1 2 3
| systemctl daemon-reload systemctl enable kube-proxy systemctl start kube-proxy
|
绑定kubelet-bootstrap用户到集群
1 2 3
| kubectl create clusterrolebinding kubelet-bootstrap \ --clusterrole=system:node-bootstrapper \ --user=kubelet-bootstrap
|
CoreDns
1 2 3 4
| git clone https://github.com/coredns/deployment.git cd kubernetes yum -y install jq ./deploy.sh -r 10.40.0.0/24 -i 10.40.0.5 -d cluster.local |kubectl apply -f -
|
kubernetes node部署
更新kube-proxy、kubelet配置文件, hostname-override是当前机器主机名
kubelet配置文件: node-labels=node-role.kubernetes.io/master 更新为node-labels=node-role.kubernetes.io/node
更新docker service文件,从flannel获取网桥信息
1 2 3 4 5 6 7 8 9 10 11 12 13
| scp /etc/kubernetes/ssl/* root@node:/etc/kubernetes/ssl scp /etc/kubernetes/*.kubeconfig root@node:/etc/kubernetes scp /etc/kubernetes/kube-proxy.conf root@node:/etc/kubernetes scp /etc/kubernetes/kubelet.conf root@node:/etc/kubernetes scp /usr/bin/kube-proxy root@node:/usr/bin scp /usr/bin/kubelet root@node:/usr/bin scp /lib/systemd/system/kubelet.service root@node:/lib/systemd/system scp /lib/systemd/system/kube-proxy.service root@node:/lib/systemd/system
mkdir /etc/flannel scp /usr/bin/flanneld /usr/bin/mk-docker-opts.sh root@node:/usr/bin/ scp /lib/systemd/system/flanneld.service root@node:/lib/systemd/system/ scp /etc/flannel/flannel.conf root@node:/etc/flannel/
|
启动服务
1 2 3 4 5 6
| systemctl daemon-reload mkdir /var/lib/kubelet systemctl enable kubelet systemctl start kubelet systemctl enable kube-proxy systemctl start kube-proxy
|
node结点加入集群
1 2 3
| kubectl get csr # 手动接收认证 kubectl certificate approve $NAME
|