文章目錄
- Kubernetes二進制部署
- 環境準備
- 二:K8S部署
- 1、master操作
- 2、下載證書制作工具
- 3、開始制作證書
- 3.1、定義ca證書
- 3.2、實作證書簽名
- 3.3、生產證書,生成ca-key.pem ca.pem
- 3.4、指定etcd三個節點之間的通信驗證
- 3.5、生成ETCD證書 server-key.pem server.pem
- 4、ETCD 二進制包地址
- 4.1、證書拷貝
- 5、拷貝證書去其他節點
- 6、啟動腳本拷貝其他節點
- 7、在node01節點修改
- 8、在node02節點修改
- 9、檢查群集狀態
Kubernetes二進制部署
環境準備
官網地址:https://github.com/kubernetes/kubernetes/releases?after=v1.13.1
二:K8S部署
Master:192.168.162.10/24 kube-apiserver kube-controller-manager kube-scheduler etcd
Node01:192.168.162.30/24 kubelet kube-proxy docker flannel etcd
Node02:192.168.162.40/24 kubelet kube-proxy docker flannel etcd
1、master操作
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s/
[root@localhost k8s]# ls //從宿主機拖進來
etcd-cert.sh etcd.sh
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# mv etcd-cert.sh etcd-cert
2、下載證書制作工具
[root@localhost k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
//下載cfssl官方包
[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl cfssl-certinfo cfssljson
3、開始制作證書
3.1、定義ca證書
[root@bogon ~/k8s/etcd-cert] # cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
3.2、實作證書簽名
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
3.3、生產證書,生成ca-key.pem ca.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/01/13 16:32:56 [INFO] generating a new CA key and certificate from CSR
2020/01/13 16:32:56 [INFO] generate received request
2020/01/13 16:32:56 [INFO] received CSR
2020/01/13 16:32:56 [INFO] generating key: rsa-2048
2020/01/13 16:32:56 [INFO] encoded CSR
2020/01/13 16:32:56 [INFO] signed certificate with serial number 595395605361409801445623232629543954602649157326
3.4、指定etcd三個節點之間的通信驗證
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.162.10",
"192.168.162.30",
"192.168.162.40"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
3.5、生成ETCD證書 server-key.pem server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2020/01/13 17:01:30 [INFO] generate received request
2020/01/13 17:01:30 [INFO] received CSR
2020/01/13 17:01:30 [INFO] generating key: rsa-2048
2020/01/13 17:01:30 [INFO] encoded CSR
2020/01/13 17:01:30 [INFO] signed certificate with serial number 202782620910318985225034109831178600652439985681
2020/01/13 17:01:30 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
4、ETCD 二進制包地址
https://github.com/etcd-io/etcd/releases #二進制包地址
將包復制到centos7中
[root@bogon ~/k8s] # ls
etcd-cert etcd.sh etcd-v3.3.10-linux-amd64.tar.gz
[root@bogon ~/k8s] # tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p //組態檔,命令檔案,證書
[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
4.1、證書拷貝
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/
5、拷貝證書去其他節點
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.162.30:/opt/
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.162.40:/opt
6、啟動腳本拷貝其他節點
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@192.168.162.30:/usr/lib/systemd/system/
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@192.168.162.40:/usr/lib/systemd/system/
7、在node01節點修改
[root@localhost ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.162.30:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.162.30:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.162.30:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.162.30:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.162.10:2380,etcd02=https://192.168.162.30:2380,etcd03=https://192.168.162.40:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
啟動
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd
8、在node02節點修改
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.162.40:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.162.40:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.162.40:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.162.40:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.162.10:2380,etcd02=https://192.168.162.30:2380,etcd03=https://192.168.162.40:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
啟動
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd
9、檢查群集狀態
[root@bogon /opt/etcd/ssl] # /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.162.10:2379,https://192.168.162.30:2379,https://192.168.162.40:2379" cluster-health
轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/275122.html
標籤:其他
上一篇:當下最火的Docker容器(二)《Java-2021面試談資系列》
下一篇:scala學習筆記