Deploying a single-master cluster
I. Cluster planning
master
hostname: k8s-master1
IP: 192.168.31.63
worker1
hostname: k8s-node1
IP: 192.168.31.65
worker2
hostname: k8s-node2
IP: 192.168.31.66
k8s version: 1.16
Install method: offline, binary packages
OS version: 7.7
II. Initialize the servers (open every session; choose [View] - [Compose] - [Compose bar], then click [Send to all sessions] at the bottom left so each command goes to all hosts)
1 Disable the firewall
[Run on every node]
[root@k8s-master1 ~]# systemctl stop firewalld
[root@k8s-master1 ~]# systemctl disable firewalld
2 Disable SELinux (swap is disabled in step 6)
[Run on every node]
[root@k8s-master1 ~]# setenforce 0 // temporary; no output means it is now off
# vim /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
3 Set the hostname
[Run on every node]
hostnamectl set-hostname <hostname>
4 Configure name resolution
[Run on every node]
# vi /etc/hosts
Add the following lines
192.168.31.63 k8s-master1
192.168.31.64 k8s-master2
192.168.31.65 k8s-node1
192.168.31.66 k8s-node2
192.168.111.140 testmaster
192.168.111.143 testmaster2
192.168.111.141 testnode1
192.168.111.142 testnode2
5 Configure time synchronization
Pick one node as the server; the rest are clients.
master1 is the time server.
The other nodes are time clients.
1) Configure k8s-master1
# yum install chrony -y
# vim /etc/chrony.conf
Change three items
server 127.127.1.0 iburst
allow 192.168.31.0/24
local stratum 10
# systemctl start chronyd // start the service
# systemctl enable chronyd // start on boot
# ss -unl | grep 123 // check that it is listening
UNCONN 0 0 *:123 *:*
2) Configure k8s-node1 and k8s-node2
# yum install chrony -y
# vim /etc/chrony.conf
server 192.168.31.63 iburst
# systemctl start chronyd
# systemctl enable chronyd
# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* k8s-master1 10 6 17 4 +11us[ +79us] +/- 95us
^* means the time is synchronized; ^? means it is not, i.e. the configuration is wrong.
6 Disable swap
[Run on every node]
swapoff -a only disables swap until the next boot, so it is not enough on its own.
[root@k8s-master1 ~]# swapoff -a
[root@k8s-master1 ~]# vim /etc/fstab
Delete the swap line:
Check that swap is off
[root@k8s-master1 ~]# free -m
total used free shared buff/cache available
Mem: 2827 157 2288 9 380 2514
Swap: 0 0 0
III. Issue certificates for etcd
----------------------------------------------------------
Encryption:
Symmetric encryption: the same key encrypts and decrypts.
Asymmetric encryption: a public/private key pair does the encryption and decryption.
One-way encryption (hashing): can only encrypt, never decrypt, e.g. MD5.
Where SSL certificates come from:
Bought from a third-party authority; usually used when external users must access the service.
Self-signed: you issue the certificate yourself; usually used for internal environments.
Certificate authority (CA)
Building your own CA:
openssl
cfssl
Here cfssl is used to build the CA, and that CA then issues the certificates.
----------------------------------------------------------
Brief overview of the process
1) Create the certificate authority
2) Fill in the request form, listing the IPs of the nodes etcd runs on
3) Request the certificate from the CA
Step 1: upload the TLS package
Copy it to /root
(omitted)
Step 2:
# tar xvf /root/TLS.tar.gz
# cd /root/TLS
# ./cfssl.sh
# cd etcd/
# vim server-csr.json
Change the IP addresses under hosts; these are the IPs of the nodes etcd runs on
{
    "CN": "etcd",
    "hosts": [
        "192.168.31.63",
        "192.168.31.65",
        "192.168.31.66"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
[root@personalvm1 etcd]# cat generate_etcd_cert.sh
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - // this command creates the self-built CA
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server // issues the etcd certificate
[root@personalvm1 etcd]# ls *pem
ca-key.pem ca.pem server-key.pem server.pem // files starting with ca are the CA's own certificate and key; files starting with server are etcd's.
# cfssl download
# ./generate_etcd_cert.sh
# ls *pem
ca-key.pem ca.pem server-key.pem server.pem
IV. Deploy etcd
etcd needs three VMs
Install one etcd on each of master, node1 and node2
Note:
Extracting the archive produces one file and one directory
# tar xvf etcd.tar.gz
# mv etcd.service /usr/lib/systemd/system
# mv etcd /opt
# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.63:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.63:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.63:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.63:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# rm -rf /opt/etcd/ssl/*
# \cp -fv ca.pem server.pem server-key.pem /opt/etcd/ssl/
Send the etcd service unit and program directory to node1 and node2
# scp /usr/lib/systemd/system/etcd.service root@k8s-node1:/usr/lib/systemd/system/
# scp /usr/lib/systemd/system/etcd.service root@k8s-node2:/usr/lib/systemd/system/
# scp -r /opt/etcd/ root@k8s-node2:/opt/
# scp -r /opt/etcd/ root@k8s-node1:/opt/
Edit the etcd configuration file on node1
# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-2"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.65:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.65:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.65:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.65:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
Edit the etcd configuration file on node2
# vim /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-3"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.66:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.66:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.66:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.66:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
Start the etcd service on the three nodes one after another
# systemctl start etcd
# systemctl enable etcd
Check that the cluster is healthy
# /opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:2379" cluster-health
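The three etcd.conf files above differ only in ETCD_NAME and the node's own URLs, and a value left over from the copied master file is the usual reason a member fails to join. Added example, not part of the original notes: a small Python checker that parses the KEY="value" file and verifies each node's entries against the shared ETCD_INITIAL_CLUSTER list (the sample file, and the slip in it, are constructed).

```python
# Added example, not part of the original notes: the per-node values in the
# copied etcd.conf are edited by hand, so check them against the cluster list.
import re
from urllib.parse import urlparse

# Constructed sample: the etcd-2 file with one slip (advertised peer URL still has the master's IP).
SAMPLE_ETCD2 = '''#[Member]
ETCD_NAME="etcd-2"
ETCD_LISTEN_PEER_URLS="https://192.168.31.65:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.65:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.63:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.65:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.63:2380,etcd-2=https://192.168.31.65:2380,etcd-3=https://192.168.31.66:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
'''
NODE_URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
                 "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")
LINE = re.compile(r'^([A-Z_]+)="([^"]*)"$')

def parse_etcd_conf(text):
    """Return {KEY: value} from an etcd.conf, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        conf[m.group(1)] = m.group(2)
    return conf

def check_etcd_conf(conf):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    members = dict(item.split("=", 1) for item in conf["ETCD_INITIAL_CLUSTER"].split(","))
    name, peer = conf["ETCD_NAME"], conf["ETCD_INITIAL_ADVERTISE_PEER_URLS"]
    if name not in members:
        problems.append("ETCD_NAME %s is not in ETCD_INITIAL_CLUSTER" % name)
    elif peer != members[name]:
        problems.append("ETCD_INITIAL_ADVERTISE_PEER_URLS=%s but the cluster list says %s" % (peer, members[name]))
    hosts = {urlparse(conf[k]).hostname for k in NODE_URL_KEYS}
    if len(hosts) != 1:  # all four of this node's URLs must name the same host
        problems.append("node URLs point at different hosts: %s" % sorted(hosts))
    for url in list(members.values()) + [conf[k] for k in NODE_URL_KEYS]:
        if urlparse(url).scheme != "https":  # peer and client traffic carry the cluster state
            problems.append("non-TLS URL %s" % url)
    return problems
```

Run check_etcd_conf(parse_etcd_conf(open("/opt/etcd/cfg/etcd.conf").read())) on each node before systemctl start etcd; an empty list means the file matches the cluster list.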
V. Issue certificates for the API server
# cd /root/TLS/k8s/
# ./generate_k8s_cert.sh
VI. Deploy the master services
# tar xvf k8s-master.tar.gz
# mv kube-apiserver.service kube-controller-manager.service kube-scheduler.service /usr/lib/systemd/system/
# mv kubernetes /opt/
# cp /root/TLS/k8s/{ca*pem,server.pem,server-key.pem} /opt/kubernetes/ssl/ -rvf
Edit the apiserver configuration file
# vim /opt/kubernetes/cfg/kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.31.63:2379,https://192.168.31.65:2379,https://192.168.31.66:2379 \
--bind-address=192.168.31.63 \
--secure-port=6443 \
--advertise-address=192.168.31.63 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
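Added example, not part of the original notes: a Python review of the KUBE_APISERVER_OPTS string above, parsing the backslash-continued assignment and reporting on the authorization, admission, TLS and token settings this configuration relies on (the shortened sample conf is constructed from the flags shown).

```python
# Added example, not part of the original notes: parse KUBE_APISERVER_OPTS from
# /opt/kubernetes/cfg/kube-apiserver.conf and review the flags the guide sets.
import re, shlex

# Constructed sample: a shortened kube-apiserver.conf in the format shown above.
SAMPLE_CONF = r'''KUBE_APISERVER_OPTS="--secure-port=6443 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
'''

def parse_apiserver_opts(text):
    """Return {flag: value} from the KUBE_APISERVER_OPTS="..." assignment."""
    m = re.search(r'KUBE_APISERVER_OPTS="(.*)"', text, re.S)
    if not m:
        raise ValueError("KUBE_APISERVER_OPTS not found")
    body = m.group(1).replace("\\\n", " ")  # join the backslash-continued lines
    flags = {}
    for tok in shlex.split(body):
        key, _, val = tok.lstrip("-").partition("=")
        flags[key] = val
    return flags

def audit_apiserver(flags):
    """Return review findings for the authorization, admission, TLS and token settings."""
    findings = []
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    for mode in ("RBAC", "Node"):
        if mode not in modes:
            findings.append("authorization-mode lacks %s" % mode)
    if "NodeRestriction" not in flags.get("enable-admission-plugins", "").split(","):
        findings.append("NodeRestriction admission plugin not enabled")
    for key in ("tls-cert-file", "tls-private-key-file", "client-ca-file", "audit-log-path"):
        if not flags.get(key):
            findings.append("%s not set" % key)
    if flags.get("service-account-key-file", "").endswith("ca-key.pem"):
        findings.append("service-account-key-file reuses the CA private key; use a dedicated key pair")
    if flags.get("token-auth-file"):
        findings.append("token-auth-file set: static tokens are read once at startup and cannot be revoked without a restart")
    return findings

if __name__ == "__main__":
    for finding in audit_apiserver(parse_apiserver_opts(SAMPLE_CONF)):
        print("FINDING:", finding)
```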
Start the master services
# systemctl start kube-apiserver
# systemctl enable kube-apiserver
# systemctl start kube-scheduler
# systemctl enable kube-scheduler
# systemctl start kube-controller-manager
# systemctl enable kube-controller-manager
# cp /opt/kubernetes/bin/kubectl /bin/
Check the result
# ps aux | grep kube
# ps aux | grep kube | wc -l
# kubectl get cs
NAME AGE
controller-manager <unknown>
scheduler <unknown>
etcd-1 <unknown>
etcd-2 <unknown>
etcd-0 <unknown>
Configure TLS bootstrapping so that node certificates are issued automatically
# kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
VII. Install the worker nodes
docker: runs the containers
kubelet: receives instructions from the apiserver and drives the docker containers
kube-proxy: configures networking for the containers on the worker
Step 1: install and configure docker
[root@k8s-node1 ~]# tar xvf k8s-node.tar.gz
[root@k8s-node1 ~]# mv docker.service /usr/lib/systemd/system
[root@k8s-node1 ~]# mkdir /etc/docker
[root@k8s-node1 ~]# cp daemon.json /etc/docker
[root@k8s-node1 ~]# tar xf docker-18.09.6.tgz
[root@k8s-node1 ~]# mv docker/* /bin/
[root@k8s-node1 ~]# systemctl start docker
[root@k8s-node1 ~]# systemctl enable docker
[root@k8s-node1 ~]# docker info
Step 2: install kubelet and kube-proxy
1) Create the program directory and service units
[root@k8s-node1 ~]# tar xvf k8s-node.tar.gz
[root@k8s-node1 ~]# mv kubelet.service kube-proxy.service /usr/lib/systemd/system/
[root@k8s-node1 ~]# mv kubernetes /opt/
2) Edit the configuration files (4 of them)
[root@k8s-node1 ~]# vim /opt/kubernetes/cfg/kube-proxy.kubeconfig
Change one line: server: https://192.168.31.63:6443
This is the master's IP address
[root@k8s-node1 ~]# vi /opt/kubernetes/cfg/bootstrap.kubeconfig
Change one line: server: https://192.168.31.63:6443
This is the master's IP address
[root@k8s-node1 ~]# vim /opt/kubernetes/cfg/kube-proxy-config.yml
Change one line: hostnameOverride: k8s-node1
This is the current host's hostname
[root@k8s-node1 ~]# vim /opt/kubernetes/cfg/kubelet.conf
Change one line: --hostname-override=k8s-node1 \
This is the current host's hostname
3) Copy the certificates from the master to the worker
[root@k8s-master1 ~]# cd /root/TLS/k8s/
[root@k8s-master1 k8s]# scp ca.pem kube-proxy.pem kube-proxy-key.pem root@k8s-node1:/opt/kubernetes/ssl/
4) Start the kubelet and kube-proxy services
[root@k8s-node1 ~]# systemctl start kube-proxy
[root@k8s-node1 ~]# systemctl start kubelet
[root@k8s-node1 ~]# systemctl enable kubelet
[root@k8s-node1 ~]# systemctl enable kube-proxy
[root@k8s-node1 ~]# tail -f /opt/kubernetes/logs/kubelet.INFO
If the last line of the log reads as follows, the service started normally:
No valid private key and/or certificate found, reusing existing private key or creating a new one
5) Issue the worker node's certificate on the master
[root@k8s-master1 k8s]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-Uu61q1J1nAJ0AprrHc9rcSPVU0qSsD-Z4qDdapDvsWo 6m6s kubelet-bootstrap Pending
[root@k8s-master1 k8s]# kubectl certificate approve node-csr-Uu61q1J1nAJ0AprrHc9rcSPVU0qSsD-Z4qDdapDvsWo
Note: use the CSR name from your own output, not mine
6) Once the worker's certificate is issued, the node shows up on the master
[root@k8s-master1 k8s]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-node1 NotReady <none> 5h13m v1.16.0
k8s-node2 NotReady <none> 3s v1.16.0
Step 3: install the network plugin
1) Confirm CNI is enabled
[root@k8s-node1 ~]# grep "cni" /opt/kubernetes/cfg/kubelet.conf
--network-plugin=cni \
2) Install CNI
[root@k8s-node1 ~]# mkdir -pv /opt/cni/bin /etc/cni/net.d
[root@k8s-node1 ~]# tar xf k8s-node.tar.gz
[root@k8s-node1 ~]# tar xf cni-plugins-linux-amd64-v0.8.2.tgz -C /opt/cni/bin
3) Apply the YAML on the master to install and start the network plugin on the worker nodes
[root@k8s-master1 YAML]# kubectl apply -f kube-flannel.yaml
Note:
This step depends on network access and may take 5 to 10 minutes to complete
If the network is too slow it will time out
[root@k8s-master1 YAML]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kube-flannel-ds-amd64-6h5dg 1/1 Running 0 2m29s
kube-flannel-ds-amd64-cgbqj 1/1 Running 0 2m29s
Check the worker nodes' status
[root@k8s-master1 YAML]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-node1 Ready <none> 5h33m v1.16.0
k8s-node2 Ready <none> 19m v1.16.0
Step 4: authorize the apiserver to access the kubelet
[root@k8s-master1 YAML]# kubectl apply -f apiserver-to-kubelet-rbac.yaml
VIII. Start an nginx container
1) Edit the docker configuration file on node1 and node2
[root@k8s-node1 ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": [
"https://mzxx8xy8.mirror.aliyuncs.com",
"http://bc437cce.m.daocloud.io"
],
"insecure-registries": ["192.168.31.70"]
}
2) Restart the service
[root@k8s-node1 ~]# systemctl daemon-reload
[root@k8s-node1 ~]# systemctl restart docker
3) Start nginx from the master
Create a deployment; the deployment creates and manages the nginx containers
[root@k8s-master1 tmp]# kubectl create deployment myweb --image=nginx:1.8
deployment.apps/myweb created
Check the deployment's status
[root@k8s-master1 tmp]# kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
myweb 0/1 1 0 24s
Check the pod's status
[root@k8s-master1 tmp]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myweb-5b79bf86d4-8kv4d 1/1 Running 0 119s
4) Expose myweb's port on the physical hosts
[root@k8s-master1 tmp]# kubectl expose deployment myweb --port=80 --type=NodePort
Check which port 80 has been mapped to
[root@k8s-master1 tmp]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
myweb NodePort 10.0.0.18 <none> 80:30828/TCP 23s
5) Reach nginx through port 30828 on any cluster node
[root@k8s-master1 tmp]# yum install curl -y
[root@k8s-master1 tmp]# curl http://192.168.31.65:30828
IX. Set up a web UI
Two options
Official: kubernetes dashboard
Third-party: kuboard
Install: dashboard
[root@k8s-master1 tmp]# kubectl apply -f /root/k8sFiles/YAML/dashboard.yaml
[root@k8s-master1 tmp]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-566cddb686-mt2p6 1/1 Running 0 51s
kubernetes-dashboard-7b5bf5d559-hwfn9 1/1 Running 0 51s
[root@k8s-master1 tmp]# kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.0.0.4 <none> 8000/TCP 2m9s
kubernetes-dashboard NodePort 10.0.0.197 <none> 443:30001/TCP 2m9s
Install: kuboard
[root@k8s-master1 tmp]# vim start_kuboard.yaml
Change one line to specify which node kuboard should run on: - name: kuboard
[root@k8s-master1 tmp]# kubectl apply -f start_kuboard.yaml
[root@k8s-master1 tmp]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kuboard-c665d7966-w7q9m 1/1 Running 0 27s
Check which port kuboard is exposed on
[root@k8s-master1 tmp]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kube-dns ClusterIP 10.0.0.2 <none> 53/UDP,53/TCP 5h5m
kuboard NodePort 10.0.0.69 <none> 80:32567/TCP 2m22s