kubernetes之单节点的部署

一、项目环境

负载均衡
Nginx01:192.168.60.40/24
Nginx02:192.168.60.50/24
Master节点
master01:192.168.60.10/24
master02:192.168.60.20/24
Node节点
node01:192.168.60.60/24
node02:192.168.60.100/24
Harbor私有仓库
192.168.60.80/24
集群的vip地址
192.168.60.201

二、master组件的部署

【1】生成api-server证书
[root@master k8s]# mkdir master
[root@master master]# unzip master.zip
[root@master master]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@master master]# mkdir k8s-cert
[root@master master]# cd k8s-cert
(1)ca证书配置
[root@master k8s-cert]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
(2)ca证书签名请求(CSR)配置
[root@master k8s-cert]#  cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
      	    "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
(3)ca证书的生成
[root@master k8s-cert]#  cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
(4)服务端证书生成(hosts 中需包含所有 master、负载均衡器和 VIP 的地址;下方 `//` 之后的文字仅为说明,JSON 不支持注释,写入文件时不要保留)
[root@master k8s-cert]#  cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.60.10",           //master1
      "192.168.60.20",           //master2
      "192.168.60.201",         //vip
      "192.168.60.40",           //lvs (master)
      "192.168.60.50",           //lvs (backup)
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
(5)kube-proxy 客户端证书生成
[root@master k8s-cert]# cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
(6)管理账户证书生成(O 为 system:masters,持有该证书即拥有集群管理员权限,生成的 admin-key.pem 需妥善保管)
[root@master k8s-cert]# cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
(7)查看证书是否存在
[root@master k8s-cert]# ls *.pem
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem
【2】拷贝证书到/opt/kubernetes/ssl/下
[root@master k8s-cert]#cp ca*pem server*pem /opt/kubernetes/ssl/
【3】解压kubernetes压缩包,拷贝kube-apiserver kubectl kube-controller-manager kube-scheduler到/opt/kubernetes/bin/下
[root@master master]#tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@master master]# cd kubernetes/server/bin/
[root@master bin]#cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
【4】随机生成 bootstrap 令牌(token),生成令牌配置文件 token.csv
[root@master master]#head -c 16 /dev/urandom | od -An -t x | tr -d ' '
231531b45710fdef3ed9a698a6ed41e4
[root@master bin]# cd /opt/kubernetes/cfg/
[root@master cfg]# vim token.csv 
231531b45710fdef3ed9a698a6ed41e4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
// 令牌(token),用户名,用户ID,所属用户组
【5】启动master上的三个组件
[root@master master]# bash apiserver.sh 192.168.60.10 https://192.168.60.10:2379,https://192.168.60.60:2379,https://192.168.60.100:2379
[root@master master]#./scheduler.sh 127.0.0.1
[root@master master]# ./controller-manager.sh 127.0.0.1
【6】查看组件状态信息
[root@master master]#/opt/kubernetes/bin/kubectl get cs
NAME                          STATUS                 MESSAGE             ERROR
scheduler                       Healthy                    ok                  
etcd-1                          Healthy            {"health":"true"}   
controller-manager             Healthy                     ok                  
etcd-2                          Healthy             {"health":"true"}   
etcd-0                          Healthy             {"health":"true"}   

三、node1节点的部署

【1】复制kubelet kube-proxy到节点中
[root@master master]# cd kubernetes/server/bin/
[root@master master]#scp kubelet kube-proxy root@192.168.60.60:/opt/kubernetes/bin/
[root@master master]#scp kubelet kube-proxy root@192.168.60.100:/opt/kubernetes/bin/
【2】创建kubeconfig文件
//在master上面操作
[root@master k8s]#mkdir  kubeconfig
[root@master k8s]#cd kubeconfig
kubeconfig.sh   //将该脚本拷贝到当前目录
[root@master kubeconfig]#mv kubeconfig.sh kubeconfig
(1)修改kubeconfig配置(将脚本中的 token 改为上一步生成并写入 token.csv 的值;下文的 `#需要修改的` 仅为说明,不要插入到以 `\` 续行的命令中间)
[root@master kubeconfig]#vim kubeconfig 
----------------删除以下部分---------------------------------
#创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
[root@master kubeconfig]# cat /opt/kubernetes/cfg/token.csv
231531b45710fdef3ed9a698a6ed41e4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@master kubeconfig]#vim kubeconfig 
#设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
#需要修改的
  --token=231531b45710fdef3ed9a698a6ed41e4 \
  --kubeconfig=bootstrap.kubeconfig
(2)设置环境变量
[root@master kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
(3)生成配置文件(第一个参数为 apiserver 地址,应与本环境 master 的地址一致;第二个参数为证书目录)
[root@master kubeconfig]#bash kubeconfig 192.168.195.149 /root/k8s/master/k8s-cert/
[root@master kubeconfig]# ls
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig
(4)拷贝配置文件到node节点
[root@master kubeconfig]#scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.60.60:/opt/kubernetes/cfg/
[root@master kubeconfig]#scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.60.100:/opt/kubernetes/cfg/
【3】创建 kubelet-bootstrap 用户的 ClusterRoleBinding,授予其向 apiserver 申请证书签名的权限(关键)
[root@master kubeconfig]#kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
//在node1节点上面操作
[root@master master]#unzip node.zip
 kubelet.sh      proxy.sh
[root@node1 ~]# sh kubelet.sh 192.168.60.60
【4】检查到node1节点的请求

//在master上面操作

[root@master kubeconfig]#kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM   13h   kubelet-bootstrap   Pending

//颁发证书

[root@master kubeconfig]#kubectl certificate approve node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM

//查看群集节点

[root@master kubeconfig]#kubectl get node
NAME             STATUS   ROLES    AGE   VERSION
192.168.60.60    Ready    <none>   13h   v1.12.3
【5】在node1节点操作,启动proxy服务和kubelet
[root@node1 ~]# sh proxy.sh 192.168.60.60
[root@node1 ~]# systemctl status kube-proxy.service 
[root@node1 ~]# systemctl enable kube-proxy.service
[root@node1 ~]# systemctl start kubelet.service 
[root@node1 ~]#systemctl enable kubelet.service 

四、node2节点部署

【1】把现成的/opt/kubernetes目录复制到其他节点进行修改即可
[root@node1 ~]# scp -r /opt/kubernetes/ root@192.168.60.100:/opt/
[root@node1 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.60.100:/usr/lib/systemd/system/
【2】在node02上操作,进行修改
(1)首先删除从 node01 复制过来的证书,稍后 node02 会通过 bootstrap 自行申请证书
[root@node2 ~]#cd /opt/kubernetes/ssl/
[root@node2 ssl]# rm -rf *
(2)修改配置文件kubelet kubelet.config kube-proxy(三个配置文件)
[root@node2 ssl]# cd /opt/kubernetes/cfg/
//修改kubelet配置文件
[root@node2 cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.60.100 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
//修改kubelet.config配置文件(将 address 改为本节点 IP;注意其中 anonymous.enabled: true 允许匿名访问 kubelet API,生产环境应关闭)
[root@node2 cfg]# vim kubelet.config 
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.60.100
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
//修改kube-proxy配置文件
[root@node2 cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.60.100 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
【2】启动kubelet和proxy服务
[root@node2 cfg]#systemctl start kubelet.service 
[root@node2 cfg]#systemctl enable kubelet.service
[root@node2 cfg]#systemctl start kube-proxy.service
[root@node2 cfg]#systemctl enable kube-proxy.service 
【3】在master上操作查看请求
[root@master ~]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM   13h   kubelet-bootstrap   Pending
node-csr-w3eIQj2skOJLpa_HmRecvNRl8bbQxBuAGJD4bc1q_DU   13h   kubelet-bootstrap   Approved,Issued
【4】授权许可加入群集
[root@master ~]# kubectl certificate approve node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM
【5】查看群集中的节点
[root@master ~]# kubectl get node
NAME             STATUS   ROLES    AGE   VERSION
192.168.60.100   Ready    <none>   14h   v1.12.3
192.168.60.60    Ready    <none>   14h   v1.12.3