在Master节点部署组件
在部署Kubernetes之前一定要确保etcd、?annel、docker是正常工作的,否则先解决问题再继续。
创建 CA 证书
mkdir -p /iba/master-cacd /iba/master-cacat > ca-config.json << EOF{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } }}EOFcat > ca-csr.json << EOF{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -initca ca-csr.json | cfssljson -bare ca -# 生成了 ca.csr ca-key.pem ca.pem
生成 apiserver 证书:
cat > server-csr.json << EOF{ "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.0.205", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server# 生成了 server.pem,server-key.pem,server.csr
生成 kube-proxy 证书:
cat > kube-proxy-csr.json << EOF{ "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]}EOFcfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy# 生成了 kube-proxy.pem, kube-proxy-key.pem, kube-proxy.csr
部署 apiserver 组件
mkdir /opt/kubernetes/{bin,cfg,ssl} -pcd /iba/toolswget https://dl.k8s.io/v1.12.4/kubernetes-server-linux-amd64.tar.gztar zxvf kubernetes-server-linux-amd64.tar.gz cd kubernetes/server/bin/cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin/# 创建token文件cd /opt/kubernetes/cfg/cat > token.csv<< EOF674c457d4dcf2eefe4920d7dbb6b0ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"EOF# token文件说明 -- 第一列:随机字符串,自己可生成;第二列:用户名;第三列:UID ;第四列:用户组
创建apiserver配置文件
cat > /opt/kubernetes/cfg/kube-apiserver << EOFKUBE_APISERVER_OPTS="--logtostderr=true --v=4 --etcd-servers=https://192.168.0.205:2379,https://192.168.0.206:2379,https://192.168.0.207:2379 --bind-address=192.168.0.205 --secure-port=6443 --advertise-address=192.168.0.205 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem"EOF
参数说明:
--logtostderr // 启用日志---v // 日志等级--etcd-servers // etcd集群地址--bind-address // 监听地址--secure-port // https安全端口--advertise-address // 集群通告地址--allow-privileged // 启用授权--service-cluster-ip-range // Service虚拟IP地址段--enable-admission-plugins // 准入控制模块--authorization-mode // 认证授权,启用RBAC授权和节点自管理--enable-bootstrap-token-auth // 启用TLS bootstrap功能,后面会讲到--token-auth-file // token文件--service-node-port-range Service // Node类型默认分配端口范围
systemd管理apiserver
cat > /usr/lib/systemd/system/kube-apiserver.service << -'EOF'[Unit]Description=Kubernetes API ServerDocumentation=https://github.com/kubernetes/kubernetes [Service]EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserverExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTSRestart=on-failure[Install]WantedBy=multi-user.target-EOF# 复制证书到指定的位置cd /iba/master-ca/cp server.pem server-key.pem ca.pem ca-key.pem /opt/kubernetes/ssl/systemctl daemon-reload systemctl enable kube-apiserversystemctl start kube-apiserversystemctl status kube-apiserver
部署 scheduler 组件
# 创建schduler配置文件cat > /opt/kubernetes/cfg/kube-scheduler << EOFKUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"EOF# systemd管理schduler组件cat > /usr/lib/systemd/system/kube-scheduler.service << -'EOF'[Unit]Description=Kubernetes SchedulerDocumentation=https://github.com/kubernetes/kubernetes [Service]EnvironmentFile=-/opt/kubernetes/cfg/kube-schedulerExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTSRestart=on-failure [Install]WantedBy=multi-user.target-EOF# 启动 kube-schedulersystemctl daemon-reloadsystemctl enable kube-schedulersystemctl start kube-schedulersystemctl status kube-scheduler
部署 controller-manager 组件
# 创建controller-manager配置文件:cat > /opt/kubernetes/cfg/kube-controller-manager << EOFKUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"EOF# systemd管理controller-manager组件cat > /usr/lib/systemd/system/kube-controller-manager.service << -'EOF'[Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target-EOF# 启动 kube-schedulersystemctl daemon-reloadsystemctl enable kube-controller-manager systemctl start kube-controller-manager systemctl status kube-controller-manager
检查当前集群组件状态
/opt/kubernetes/bin/kubectl get cs
经验首页