1、單節點組織架構:
代碼實作:
實驗環境的設定:
k8s資料包
master:14.0.0.10
node1:14.0.0.11 (有dokcer環境)
node2:14.0.0.13 (有dokcer環境)
所有節點:iptables -F
setenforce 0
實驗步驟:
在master:14.0.0.10上:
mkdir k8s
cd k8s
從k8s資料包中,將etcd-cert.sh(創建證書的腳本) etcd.sh(創建服務的腳本)拖進來到k8s下
mkdir etcd-cert(證書群)
cd etcd-cert
從k8s資料包中,將檔案夾etcd-cert里面的cfssl、cfssljson、cfssl-certinfo直接拖進來!!
mv * /usr/local/bin/
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
1、定義ca證書:
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
2、實作證書簽名:
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - “生成ca-key.pem ca.pem證書!!!”
注意: ls etcd-cert >>> 有5個檔案: 1、ca-config.json 、 2、ca.csr(生成證書的中間件) 、3、ca-csr.json 、4、ca-key.pem 、5、ca.pem
3、指定etcd三個節點之間的通信驗證:
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"14.0.0.10",
"14.0.0.11",
"14.0.0.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
4、生成ETCD證書 server-key.pem server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
注意:此時下面應該有9個檔案
cd k8s >>
將kubernetes-server-linux-amd64.tar.gz 、etcd-v3.3.10-linux-amd64.tar.gz 拖進來 ,此時目錄下有:etcd-cert.sh、etcd.sh、etcd-cert和兩個壓縮包
tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
mkdir /opt/etcd/{cfg,bin,ssl} -p //cfg:組態檔,bin:命令檔案,ssl:證書
mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
cp etcd-cert/*.pem /opt/etcd/ssl/
bash etcd.sh etcd01 14.0.0.10 etcd02=https://14.0.0.11:2380,etcd03=https://14.0.0.13:2380 宣告群集名稱
vim /opt/etcd/cfg/etcd ????
scp -r /opt/etcd/ root@14.0.0.11:/opt/
scp -r /opt/etcd/ root@14.0.0.13:/opt/
scp -r /usr/lib/systemd/system/etcd.service root@14.0.0.11:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/etcd.service root@14.0.0.13:/usr/lib/systemd/system/
在node節點上:
ls /opt/ 有三個檔案夾:bin(etcd、etcdctl)、cfg(etcd)、ssl(4.pem)
在node01、02節點上:
vim /opt/etcd/cfg/etcd 修改IP地址!!!
#[Member]
ETCD_NAME="etcd02" ******etcd03
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://14.0.0.11:2380" ******14.0.0.13
ETCD_LISTEN_CLIENT_URLS="https://14.0.0.11:2379" ******14.0.0.13
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://14.0.0.11:2380" ******14.0.0.13
ETCD_ADVERTISE_CLIENT_URLS="https://14.0.0.11:2379" ******14.0.0.13
ETCD_INITIAL_CLUSTER="etcd01=https://14.0.0.10:2380,etcd02=https://14.0.0.11:2380,etcd03=https://14.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
systemctl start etcd
systemctl status etcd
檢查:systemctl status etcd "running" 既是成功!!
注意:在主節點的etcd-cert目錄下檢查群集狀態!!!
[root@localhost etcd-cert]#/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://14.0.0.10:2379,https://14.0.0.11:2379,https://14.00.13:2379" cluster-health
顯示“cluster is healthy!“既是成功!!!
在主節點etcd-cert目錄下做flannel網路配置:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://14.0.0.10:2379,https://14.0.0.11:2379,https://14.0.0.13:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
在子節點cd /opt/etcd/ssl目錄下檢查:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://14.0.0.10:2379,https://14.0.0.11:2379,https://14.0.0.13:2379" get /coreos.com/network/config
兩次都有{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}顯示,說明成功!!
在兩個node節點上:
將資料包中的flannel-v0.10.0-linux-amd64.tar.gz拖進來!!
tar zxvf flannel-v0.10.0-linux-amd64.tar.gz 有3個檔案出來!!
mkdir /opt/kubernetes/{cfg,bin,ssl} -p
mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
將資料包里面的 flannel.sh 拖進來!!!啟動flannel
bash flannel.sh https://14.0.0.10:2379,https://14.0.0.11:2379,https://14.0.0.13:2379
配置docker連接flannel
vim /usr/lib/systemd/system/docker.service
13# for containers run by docker
14 EnvironmentFile=/run/flannel/subnet.env 添加
15 ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
cat /run/flannel/subnet.env //說明:容器的網卡的號碼
systemctl daemon-reload
systemctl restart docker
ifconfig >> 會有一個”flannel.1: “網卡!! docker0 對接 flannel.1
創建容器檢查ip地址的正確性:
docker run -it centos:7 /bin/bash
yum install net-tools -y
ifconfig
在查出來的IP地址相互ping,看是否能夠通??
flannel容器集群網路部署
- Overlay Network:覆寫網路,在基礎網路上疊加的一種虛擬化網路技術模式,該網路中的主機通過虛擬鏈路連接起來
- VXLAN:將源資料包封裝到UDP中,并使用基礎網路的IP/MAC作為外層報文頭進行封裝,然后在以太網上進行傳輸,到達目的地后由隧道端點解封裝并將資料發送給目標地址
- Flannel:是Overlay網路的一種,也是將源資料包封裝在另一種網路包里面進行路由轉發和通信,目前已經支持UDP、VXLAN、AWS VPC和GCE路由等資料轉發方式
------------------------------------部署master組件-----------------------------
1、生成api-server證書,在master節點的k8s目錄下:
將master.zip拖進來
unzip master.zip
mkdir /opt/kubernetes/{cfg,bin,ssl} -p
mkdir k8s-cert
cd k8s-cert/ >>將k8s-cert.sh 拖進來
注意修改cat > server-csr.json <<EOF >>里面的部分代碼:IP地址群:2個master、1個飄逸地址、2個nginx反向代理master地址(負載均衡器)
bash k8s-cert.sh
ls *.pem >>會有8個、4組的證書:2個admin、2個ca、2個kube-proxy、2個server
cp ca*pem server*pem /opt/kubernetes/ssl/
cd .. >>在k8s目錄下將kubernetes-server-linux-amd64.tar.gz拖進來!!!
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd /root/k8s/kubernetes/server/bin
cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
head -c 16 /dev/urandom | od -An -t x | tr -d ' ' >>生成的碼字xxxxxxxxx
vim /opt/kubernetes/cfg/token.csv >>添加下面的欄位!!!!
xxxxxxxxxxxxxxxxxxx,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
cd /root/k8s/
bash apiserver.sh 14.0.0.10 https://14.0.0.10,https://14.0.0.11:2379,https://14.0.0.13:2379
cat /opt/kubernetes/cfg/kube-apiserver >>檢查相關引數是否正常???
netstat -ntap | grep 6443 https >>>這里就是一個坎,必須正確才能往后做
netstat -ntap | grep 8080 http
./scheduler.sh 127.0.0.1
chmod +x controller-manager.sh
./controller-manager.sh 127.0.0.1
/opt/kubernetes/bin/kubectl get cs >>查看master節點狀態:必須都是健康狀態!!!
------------------------------------node節點部署------------------------------------------
在master的bin目錄下:
scp kubelet kube-proxy root@14.0.0.11:/opt/kubernetes/bin/
scp kubelet kube-proxy root@14.0.0.13:/opt/kubernetes/bin/
在兩個node的~下:將node.zip拖進來
unzip node.zip
在master的k8s目錄下:
mkdir kubeconfig
cd kubeconfig/
mv kubeconfig.sh kubeconfig
vim kubeconfig
>> 洗掉前面8行,在17行修改: --token=6351d652249951f79c33acdab329e4c4 \ (前面生成的隨機碼)
vim /etc/profile
在末尾添加 export PATH=$PATH:/opt/kubernetes/bin/
source /etc/profile
kubectl get cs >>檢查群集的健康狀態!!!
bash kubeconfig 14.0.0.10 /root/k8s/k8s-cert/
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@14.0.0.11:/opt/kubernetes/cfg/
scp bootstrap.kubeconfig kube-proxy.kubeconfig root@14.0.0.13:/opt/kubernetes/cfg/
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
在node1的~下:
bash kubelet.sh 14.0.0.11
ps aux | grep kube
在master的kubeconfig目錄下:
kubectl get csr >>檢查到node的請求,有個識別碼用于下面!!
kubectl certificate approve +XXXXXXXXXXXXXXXX >>給予建立的權限
kubectl get csr >>Approved,Issued 既是成功!!
kubectl get node >>有一個節點出現并是Ready狀態!!
bash proxy.sh 14.0.0.11
systemctl status kube-proxy.service >>running既是成功!!!
scp -r /opt/kubernetes/ root@14.0.0.13:/opt/
scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@14.0.0.13:/usr/lib/systemd/system/
在node2的~下:
cd /opt/kubernetes/ssl/
rm -rf *
cd ../cfg
vim kubelet
--hostname-override=14.0.0.13 \
vim kubelet.config
address: 14.0.0.13
vim kube-proxy
--hostname-override=14.0.0.13 \
systemctl start kubelet.service
systemctl enable kubelet.service
systemctl start kube-proxy.service
systemctl enable kube-proxy.service
kubectl get csr 》》生成授權碼
kubectl certificate approve +xxxxxxxxxxx(上面生成的授權碼)
kubectl get node
全集里面的所有節點都是ready既是成功!!!!
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/141974.html
標籤:其他