Binary installation of Kubernetes 1.12 on CentOS 7.4 (3)

Deploying the components on the Master node

Before deploying Kubernetes, make sure that etcd, flannel and Docker are all working correctly; if they are not, fix that first and only then continue.

Create the CA certificate

mkdir -p /iba/master-ca
cd /iba/master-ca
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# produces ca.csr, ca-key.pem and ca.pem

Generate the apiserver certificate

The hosts list must contain every name and address a client may use to reach the apiserver: 10.0.0.1 is the first address of the service range below (the ClusterIP of the kubernetes service), 192.168.0.205 is the master, and the remaining entries are the in-cluster DNS names of that service.

cat > server-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.0.205",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# produces server.pem, server-key.pem and server.csr

Generate the kube-proxy certificate

The CN system:kube-proxy is the user name the apiserver will see on this client certificate; the built-in system:node-proxier ClusterRoleBinding grants that user exactly the permissions kube-proxy needs.

cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# produces kube-proxy.pem, kube-proxy-key.pem and kube-proxy.csr

Deploy the apiserver component

mkdir -p /opt/kubernetes/{bin,cfg,ssl}
cd /iba/tools
wget https://dl.k8s.io/v1.12.4/kubernetes-server-linux-amd64.tar.gz
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/
cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin/

Create the token file

cd /opt/kubernetes/cfg/
cat > token.csv << EOF
674c457d4dcf2eefe4920d7dbb6b0ddc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

Token file format: the first column is a random string that you generate yourself; the second is the user name; the third is the UID; the fourth is the group. The token is a credential: whoever holds it can authenticate as kubelet-bootstrap and request node certificates, so do not reuse the value printed in this article, and keep the file readable by root only.

Create the apiserver configuration file

cat > /opt/kubernetes/cfg/kube-apiserver << EOF
KUBE_APISERVER_OPTS="--logtostderr=true --v=4 \
--etcd-servers=https://192.168.0.205:2379,https://192.168.0.206:2379,https://192.168.0.207:2379 \
--bind-address=192.168.0.205 \
--secure-port=6443 \
--advertise-address=192.168.0.205 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF

Note that this setup reuses the CA's private key (ca-key.pem) as the service-account signing key, and the controller-manager below uses the same key to sign node certificates. It works, but a dedicated service-account keypair is the safer choice: a leaked service-account signing key is then not also a CA key.
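The token file above is the one step in this procedure where copying the article verbatim is dangerous, because the token is a cluster credential. The following script is an added example (it is not part of the original article): it generates a fresh token of the same shape, writes token.csv in the format --token-auth-file expects, and checks both the format and the file permissions before the apiserver is pointed at it. It assumes GNU/Linux coreutils (head, od, ls) as found on CentOS 7; the bootstrap user, UID and group default to the values used in this article.

```shell
#!/bin/sh
# Added example, not part of the original post. Replaces the copy-pasted token
# from the tutorial with a freshly generated one, writes token.csv in the
# format kube-apiserver expects for --token-auth-file, and checks the result.
# Assumes GNU/Linux coreutils (head, od, ls) as found on CentOS 7.

# Generate a 32-character lowercase hex token (16 random bytes), the shape the
# tutorial's example token has.
gen_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Write a single-line token.csv:  token,user,uid,"group"
# $1 = output path, $2 = token; $3..$5 default to the tutorial's bootstrap identity.
write_token_csv() {
    _out=$1; _tok=$2
    _user=${3:-kubelet-bootstrap}; _uid=${4:-10001}; _grp=${5:-system:kubelet-bootstrap}
    # The file is a credential: create it owner-only (umask is scoped to the subshell).
    ( umask 077; printf '%s,%s,%s,"%s"\n' "$_tok" "$_user" "$_uid" "$_grp" > "$_out" )
}

# Every line must be <32 hex>,<user>,<numeric uid>,"<group[,group...]>".
# Returns 0 when all lines pass; prints each malformed line to stderr and returns 1.
validate_token_csv() {
    _rc=0; _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        if ! printf '%s\n' "$_line" | grep -Eq '^[0-9a-f]{32},[^,]+,[0-9]+,"[^"]+"$'; then
            echo "line $_n of $1 is malformed: $_line" >&2
            _rc=1
        fi
    done < "$1"
    return $_rc
}

# Group and other must have no permissions at all (mode 600 or 400).
# Relies on the POSIX ls -l layout: columns 5-10 are the group/other bits.
check_token_perms() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Typical use on the master (as root):
#   tok=$(gen_token)
#   write_token_csv /opt/kubernetes/cfg/token.csv "$tok"
#   validate_token_csv /opt/kubernetes/cfg/token.csv && check_token_perms /opt/kubernetes/cfg/token.csv
#   echo "$tok"   # keep it: the node side of the TLS bootstrap needs the same token
```

Keep the generated token somewhere safe: the kubelet bootstrap kubeconfig built on the nodes in the next part must carry exactly this value, and a different token there simply yields "Unauthorized" from the apiserver.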

Parameter notes:

--logtostderr // write logs to stderr (picked up by journald)
--v // log verbosity
--etcd-servers // etcd cluster endpoints
--bind-address // address the secure port listens on
--secure-port // HTTPS port
--advertise-address // address advertised to the rest of the cluster
--allow-privileged // allow privileged containers (this is not an authorization setting)
--service-cluster-ip-range // virtual IP range for Services
--enable-admission-plugins // admission controllers
--authorization-mode // authorization: enables RBAC and the Node authorizer (node self-management)
--enable-bootstrap-token-auth // enables TLS bootstrap, covered later
--token-auth-file // static token file
--service-node-port-range // port range allocated to NodePort Services

Manage the apiserver with systemd

The heredoc delimiter is quoted so that $KUBE_APISERVER_OPTS is written into the unit file literally instead of being expanded by the shell.

cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# copy the certificates into place
cd /iba/master-ca/
cp server.pem server-key.pem ca.pem ca-key.pem /opt/kubernetes/ssl/
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver

Deploy the scheduler component

The scheduler, the controller-manager and the kubectl call at the end of this part all talk to the apiserver over 127.0.0.1:8080. In Kubernetes 1.12 that insecure port is enabled by default, is bound to loopback, and bypasses authentication and authorization entirely, so anyone with a shell on the master has cluster-admin through it. Never bind it to any other address, and treat local access to the master accordingly.

# create the scheduler configuration file
cat > /opt/kubernetes/cfg/kube-scheduler << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
EOF

# manage the scheduler with systemd
cat > /usr/lib/systemd/system/kube-scheduler.service << 'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# start kube-scheduler
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler
systemctl status kube-scheduler

Deploy the controller-manager component

--address=127.0.0.1 keeps the controller-manager's own unauthenticated HTTP endpoint (health and metrics) on loopback. --cluster-signing-cert-file and --cluster-signing-key-file are the CA used to sign the certificates kubelets request during TLS bootstrap, and --service-account-private-key-file must be the private half of the key given to the apiserver as --service-account-key-file.

# create the controller-manager configuration file
cat > /opt/kubernetes/cfg/kube-controller-manager << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
EOF

# manage the controller-manager with systemd
cat > /usr/lib/systemd/system/kube-controller-manager.service << 'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# start kube-controller-manager
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
systemctl status kube-controller-manager

Check the status of the cluster components

/opt/kubernetes/bin/kubectl get cs

All three entries (scheduler, controller-manager, etcd-0 through etcd-2) should report Healthy before moving on to the nodes.
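Before starting kube-apiserver it is worth checking the configuration file for the settings a reviewer would question: the authorization mode, the NodeRestriction admission plugin that the Node authorizer depends on, the state of the insecure port, whether every certificate, key and token file actually exists and is owner-only, and the service-account key reuse mentioned above. The script below is an added example, not code from the article or from Kubernetes. It assumes the file is the single KUBE_APISERVER_OPTS="..." assignment written by the heredoc above, that it runs on the master where the referenced files live, and that the kube-apiserver 1.12 defaults apply when a flag is absent (--authorization-mode=AlwaysAllow, --insecure-port=8080, --insecure-bind-address=127.0.0.1).

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight lint for the
# kube-apiserver EnvironmentFile created above. Parses KUBE_APISERVER_OPTS and
# prints one FINDING line per questionable setting; returns 0 only when clean.
# Assumes the 1.12 defaults noted below and the POSIX ls -l column layout.

# Print the value of flag $1 from the option string $2 ("true" for a bare
# boolean flag). Prints nothing and returns 1 when the flag is absent.
opt_value() {
    _name=$1
    shift
    set -- $1            # intentional word splitting: one --flag[=value] per argument
    for _f in "$@"; do
        case $_f in
            "$_name"=*) printf '%s\n' "${_f#*=}"; return 0 ;;
            "$_name")   printf 'true\n'; return 0 ;;
        esac
    done
    return 1
}

finding() {
    printf 'FINDING: %s\n' "$1"
    FINDINGS=$((FINDINGS + 1))
}

# $1 = flag, $2 = option string, $3 = "secret" when the file holds key material.
check_file_flag() {
    _path=$(opt_value "$1" "$2") || { finding "$1 is not set"; return; }
    if [ ! -r "$_path" ]; then
        finding "$1 points to a missing or unreadable file: $_path"
        return
    fi
    if [ "$3" = secret ]; then
        # ls -l columns 5-10 are the group/other permission bits.
        _go=$(ls -ld "$_path" | cut -c5-10)
        [ "$_go" = "------" ] || finding "$1 ($_path) is readable by group/other; expected mode 600 or 400"
    fi
}

# $1 = path of the EnvironmentFile.
lint_apiserver_cfg() {
    FINDINGS=0
    # Source the file in a subshell so only the option string comes back.
    OPTS=$(. "$1" && printf '%s' "$KUBE_APISERVER_OPTS")

    # 1. Authorization: RBAC plus Node, never AlwaysAllow (the 1.12 default when unset).
    _authz=$(opt_value --authorization-mode "$OPTS") || _authz=AlwaysAllow
    case ",$_authz," in *,AlwaysAllow,*) finding "--authorization-mode includes AlwaysAllow" ;; esac
    case ",$_authz," in *,RBAC,*) ;; *) finding "--authorization-mode lacks RBAC" ;; esac
    case ",$_authz," in *,Node,*) ;; *) finding "--authorization-mode lacks Node" ;; esac

    # 2. The Node authorizer only confines kubelets together with NodeRestriction admission.
    _adm=$(opt_value --enable-admission-plugins "$OPTS") || _adm=
    case ",$_adm," in *,NodeRestriction,*) ;; *) finding "--enable-admission-plugins lacks NodeRestriction" ;; esac

    # 3. Insecure port: unauthenticated cluster-admin. 1.12 defaults to 8080 on 127.0.0.1,
    #    and this tutorial's scheduler/controller-manager rely on it, so report it either way.
    _iport=$(opt_value --insecure-port "$OPTS") || _iport=8080
    _ibind=$(opt_value --insecure-bind-address "$OPTS") || _ibind=127.0.0.1
    if [ "$_iport" != 0 ]; then
        if [ "$_ibind" != 127.0.0.1 ]; then
            finding "insecure port $_iport bound to $_ibind; keep it on 127.0.0.1 or set --insecure-port=0"
        else
            finding "insecure port $_iport is enabled on loopback: any local user on the master gets unauthenticated cluster-admin"
        fi
    fi

    # 4. Referenced files must exist; private material must be owner-only.
    check_file_flag --tls-cert-file "$OPTS"
    check_file_flag --tls-private-key-file "$OPTS" secret
    check_file_flag --client-ca-file "$OPTS"
    check_file_flag --service-account-key-file "$OPTS" secret
    check_file_flag --token-auth-file "$OPTS" secret
    check_file_flag --etcd-cafile "$OPTS"
    check_file_flag --etcd-certfile "$OPTS"
    check_file_flag --etcd-keyfile "$OPTS" secret

    # 5. Service-account tokens signed with the CA's own private key (cfssl stores it as
    #    <ca>-key.pem beside <ca>.pem). A dedicated keypair is the safer choice.
    _ca=$(opt_value --client-ca-file "$OPTS") || _ca=
    _sakey=$(opt_value --service-account-key-file "$OPTS") || _sakey=
    if [ -n "$_ca" ] && [ "$_sakey" = "${_ca%.pem}-key.pem" ]; then
        finding "--service-account-key-file reuses the CA private key $_sakey; use a dedicated key"
    fi

    [ "$FINDINGS" -eq 0 ]
}

# Usage on the master:  sh lint.sh  (after saving this file), or
#   . ./lint.sh; lint_apiserver_cfg /opt/kubernetes/cfg/kube-apiserver
```

Run against the configuration exactly as written in this article, the lint reports two findings: the insecure port on loopback and the CA key doubling as the service-account key. Both are accepted trade-offs of this tutorial rather than mistakes, but they are the two things to revisit before the cluster carries anything that matters. Anything else it reports (AlwaysAllow, a missing NodeRestriction, a world-readable key, a missing token file) is a configuration error to fix before starting the service.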

Content copyright notice: unless otherwise noted, all articles are original to this site.

When reprinting, credit the source: https://www.heiqu.com/122e26c7611f5bb74ee5cea1dc8bb092.html