kubernetes/k8s之master和node单节点的部署
kubernetes之单节点的部署
一、项目环境
负载均衡
Nginx01:192.168.60.40/24
Nginx02:192.168.60.50/24
Master节点
master01:192.168.60.10/24
master02:192.168.60.20/24
Node节点
node01:192.168.60.60/24
node02:192.168.60.100/24
Harbor私有仓库
192.168.60.80/24
集群的vip地址
192.168.60.201
二、master组件的部署
【1】生成api-server证书
[root@master k8s]# mkdir master
[root@master master]# unzip master.zip
[root@master master]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@master master]# mkdir k8s-cert
[root@master master]# cd k8s-cert
(1)ca证书配置
[root@master k8s-cert]# cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
(2)ca证书签名
[root@master k8s-cert]# cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
(3)ca证书的生成
[root@master k8s-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
(4)服务端证书生成(hosts 中的 IP 依次为 master1、master2、vip、lvs master、lvs backup;JSON 不支持 // 注释,写入文件时不要保留注释,否则 cfssl 解析 server-csr.json 会失败)
[root@master k8s-cert]# cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.60.10",
"192.168.60.20",
"192.168.60.201",
"192.168.60.40",
"192.168.60.50",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
(5)客户端代理证书生成
[root@master k8s-cert]# cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
(6)管理账户证书生成
[root@master k8s-cert]# cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
[root@master k8s-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
(7)查看证书是否存在
[root@master k8s-cert]# ls *.pem
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
【2】拷贝证书到/opt/kubernetes/ssl/下
[root@master k8s-cert]#cp ca*pem server*pem /opt/kubernetes/ssl/
【3】解压kubernetes压缩包,拷贝kube-apiserver kubectl kube-controller-manager kube-scheduler到/opt/kubernetes/bin/下
[root@master master]#tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@master master]# cd kubernetes/server/bin/
[root@master bin]#cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
【4】随机生成序列号,生成令牌配置文件
[root@master master]#head -c 16 /dev/urandom | od -An -t x | tr -d ' '
231531b45710fdef3ed9a698a6ed41e4
[root@master bin]# cd /opt/kubernetes/cfg/
[root@master cfg]# vim token.csv
231531b45710fdef3ed9a698a6ed41e4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
// 字段依次为:序列号(令牌),用户名,用户UID,用户组
【5】启动master上的三个组件
[root@master master]# bash apiserver.sh 192.168.60.10 https://192.168.60.10:2379,https://192.168.60.60:2379,https://192.168.60.100:2379
[root@master master]#./scheduler.sh 127.0.0.1
[root@master master]# ./controller-manager.sh 127.0.0.1
【6】查看组件状态信息
[root@master master]#/opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
etcd-1 Healthy {"health":"true"}
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
三、node1节点的部署
【1】复制kubelet kube-proxy到节点中
[root@master master]# cd kubernetes/server/bin/
[root@master master]#scp kubelet kube-proxy root@192.168.60.60:/opt/kubernetes/bin/
[root@master master]#scp kubelet kube-proxy root@192.168.60.100:/opt/kubernetes/bin/
【2】创建kubeconfig文件
//在master上面操作
[root@master k8s]#mkdir kubeconfig
[root@master k8s]#cd kubeconfig
kubeconfig.sh //拷贝上去
[root@master kubeconfig]#mv kubeconfig.sh kubeconfig
(1)修改kubeconfig配置
[root@master kubeconfig]#vim kubeconfig
----------------删除以下部分---------------------------------
#创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
[root@master kubeconfig]# cat /opt/kubernetes/cfg/token.csv
231531b45710fdef3ed9a698a6ed41e4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@master kubeconfig]#vim kubeconfig
#设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
#需要修改:此处的 token 必须与 /opt/kubernetes/cfg/token.csv 中的序列号一致
--token=231531b45710fdef3ed9a698a6ed41e4 \
--kubeconfig=bootstrap.kubeconfig
(2)设置环境变量
[root@master kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
(3)生成配置文件(第一个参数为 apiserver 地址,应填写本环境 master 的地址;第二个参数为证书所在目录)
[root@master kubeconfig]#bash kubeconfig 192.168.195.149 /root/k8s/master/k8s-cert/
[root@master kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
(4)拷贝配置文件到node节点
[root@master kubeconfig]#scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.60.60:/opt/kubernetes/cfg/
[root@master kubeconfig]#scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.60.100:/opt/kubernetes/cfg/
【3】创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)
[root@master kubeconfig]#kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
//在node1节点上面操作
[root@master master]#unzip node.zip
kubelet.sh proxy.sh
[root@node1 ~]# sh kubelet.sh 192.168.60.60
【4】检查到node1节点的请求
//在master上面操作
[root@master kubeconfig]#kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM 13h kubelet-bootstrap Pending
//颁发证书
[root@master kubeconfig]#kubectl certificate approve node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM
//查看群集节点
[root@master kubeconfig]#kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.60.60 Ready <none> 13h v1.12.3
【5】在node1节点操作,启动proxy服务和kubelet
[root@node1 ~]# sh proxy.sh 192.168.60.60
[root@node1 ~]# systemctl status kube-proxy.service
[root@node1 ~]# systemctl enable kube-proxy.service
[root@node1 ~]# systemctl start kubelet.service
[root@node1 ~]#systemctl enable kubelet.service
四、node2节点部署
【1】把现成的/opt/kubernetes目录复制到其他节点进行修改即可
[root@node1 ~]# scp -r /opt/kubernetes/ root@192.168.60.100:/opt/
[root@node1 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.60.100:/usr/lib/systemd/system/
【2】在node02上操作,进行修改
(1)首先删除复制过来的证书,等会node02会自行申请证书(执行 rm 前请确认当前目录为 /opt/kubernetes/ssl/)
[root@node2 ~]#cd /opt/kubernetes/ssl/
[root@node2 ssl]# rm -rf *
(2)修改配置文件kubelet kubelet.config kube-proxy(三个配置文件)
[root@node2 ssl]# cd /opt/kubernetes/cfg/
//修改kubelet配置文件
[root@node2 cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.60.100 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
//修改kubelet.config配置文件(注意:anonymous.enabled: true 会允许未认证请求访问 kubelet API,readOnlyPort: 10255 是无认证的只读端口,二者仅适用于测试环境,生产环境应关闭)
[root@node2 cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.60.100
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
//修改kube-proxy配置文件
[root@node2 cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.60.100 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
【2】启动kubelet和proxy服务
[root@node2 cfg]#systemctl start kubelet.service
[root@node2 cfg]#systemctl enable kubelet.service
[root@node2 cfg]#systemctl start kube-proxy.service
[root@node2 cfg]#systemctl enable kube-proxy.service
【3】在master上操作查看请求
[root@master ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM 13h kubelet-bootstrap Pending
node-csr-w3eIQj2skOJLpa_HmRecvNRl8bbQxBuAGJD4bc1q_DU 13h kubelet-bootstrap Approved,Issued
【4】授权许可加入群集
[root@master ~]# kubectl certificate approve node-csr-q_IjVrvUOoMbsZa0arpIrc9N8Gmdz2aJRYzJJzjOeIM
【5】查看群集中的节点
[root@master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.60.100 Ready <none> 14h v1.12.3
192.168.60.60 Ready <none> 14h v1.12.3