环境

master 192.168.188.30
node01 192.168.188.40
node02 192.168.188.50

master操作

[root@server3 ~]# mkdir k8s
[root@server3 ~]# cd k8s/
[root@server3 k8s]# ls  #从宿主机拖进来
etcd-cert.sh  etcd.sh
[root@server3 k8s]# mkdir etcd-cert
[root@server3 k8s]# mv etcd-cert.sh etcd-cert

下载证书制作工具

[root@localhost k8s]# vim cfssl.sh
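#!/usr/bin/env bash
# cfssl.sh — install the cfssl tool set (cfssl, cfssljson, cfssl-certinfo)
# from the R1.2 release binaries into /usr/local/bin.
#
# set -e / -o pipefail: a failed download aborts the script instead of
# leaving a partial or HTML "binary" that chmod then marks executable.
# curl -f: treat HTTP errors (404, 5xx) as failures rather than saving the body.
# --proto/--proto-redir: keep every hop, including redirects, on https.
# The release page publishes checksums for these files; verify before use, e.g.
#   echo '<SHA256_FROM_RELEASE_PAGE>  /usr/local/bin/cfssl' | sha256sum -c -
set -euo pipefail

readonly base_url='https://pkg.cfssl.org/R1.2'
readonly dest_dir='/usr/local/bin'

# Same three binaries, same names and destination as before; the loop only
# removes the repeated URL/path literals.
for tool in cfssl cfssljson cfssl-certinfo; do
  curl -fL --proto '=https' --proto-redir '=https' \
    "${base_url}/${tool}_linux-amd64" -o "${dest_dir}/${tool}"
done
chmod +x "${dest_dir}/cfssl" "${dest_dir}/cfssljson" "${dest_dir}/cfssl-certinfo"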

下载cfssl官方包

[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl  cfssl-certinfo  cfssljson

开始制作证书

cfssl 生成证书工具 cfssljson通过传入json文件生成证书
cfssl-certinfo查看证书信息

定义ca证书（下面以 // 开头的文字仅为说明，JSON 不支持注释，实际写入文件时须去掉）


[root@master01 etcd-cert]# cat > ca-config.json <<EOF  //证书格式json格式
 {
    "signing": {
      "default": {
        "expiry": "87600h"  //证书有效期十年
      },
       "profiles": {      //属性
         "www": {          //具体的名称
            "expiry": "87600h",    //定义有效期为十年
             "usages": [
                "signing",
                  "key encipherment",    //非对称密钥
                   "server auth",   //验证类型
                   "client auth"
              ]
             }
           }
          }
    }
 EOF
[root@master01 etcd-cert]# ls
ca-config.json

实现证书签名
[root@master01 etcd-cert]# cat > ca-csr.json <<EOF 
{   
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",   //rsa算法
        "size": 2048   //2048密钥长度
    },
    "names": [
        {
            "C": "CN",    //中国就是CN
            "L": "Beijing",   //城市时北京
            "ST": "Beijing"
        }
    ]
}
EOF
[root@master01 etcd-cert]# ls
ca-config.json  ca-csr.json

生成证书，生成 ca-key.pem 和 ca.pem
[root@server3 etcd-cert]# chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@server3 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2021/03/22 15:22:36 [INFO] generating a new CA key and certificate from CSR
2021/03/22 15:22:36 [INFO] generate received request
2021/03/22 15:22:36 [INFO] received CSR
2021/03/22 15:22:36 [INFO] generating key: rsa-2048
2021/03/22 15:22:36 [INFO] encoded CSR
2021/03/22 15:22:36 [INFO] signed certificate with serial number 381281636830950354066986288092219166044436804910
[root@server3 etcd-cert]# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  etcd-cert.sh

指定etcd三个节点之间的通信验证
[root@server3 etcd-cert]# cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.188.30",  //master
    "192.168.188.40",  //node01
    "192.168.188.50"  //node02
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
[root@server3 etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem        server-csr.json
ca.csr          ca-key.pem   etcd-cert.sh
 
 
生成ETCD证书 server-key.pem   server.pem（若输出中出现 lacks a "hosts" field 警告，应检查 server-csr.json 中的 hosts 列表是否真正生效，否则三个节点的地址无法通过该证书校验）
[root@server3 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2021/03/22 16:58:52 [INFO] generate received request
2021/03/22 16:58:52 [INFO] received CSR
2021/03/22 16:58:52 [INFO] generating key: rsa-2048
2021/03/22 16:58:52 [INFO] encoded CSR
2021/03/22 16:58:52 [INFO] signed certificate with serial number 575141609468116665705606235547182625369667839412
2021/03/22 16:58:52 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@server3 etcd-cert]# ls
ca-config.json  ca-csr.json  ca.pem        server.csr       server-key.pem
ca.csr          ca-key.pem   etcd-cert.sh  server-csr.json  server.pem

ETCD 二进制包
[root@server3 etcd-cert]# cd ..
[root@server3 k8s]# ls
etcd-cert  etcd.sh
[root@server3 k8s]# ls
etcd-cert  etcd.sh  etcd-v3.3.10-linux-amd64.tar.gz  //从宿主目录拉下来

[root@server3 k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz 

在/opt/etcd/创建cfg,bin,ssl目录 把etcd和etcdctl文件放入bin目录里
[root@server3 k8s]# ls
etcd-cert  etcd-v3.3.10-linux-amd64
etcd.sh    etcd-v3.3.10-linux-amd64.tar.gz
[root@server3 k8s]# cd etcd-v3.3.10-linux-amd64/
[root@server3 etcd-v3.3.10-linux-amd64]# ls
Documentation  etcdctl            README.md
etcd           README-etcdctl.md  READMEv2-etcdctl.md
[root@server3 etcd-v3.3.10-linux-amd64]# 
[root@server3 etcd-v3.3.10-linux-amd64]# 
[root@server3 etcd-v3.3.10-linux-amd64]# mkdir -p /opt/etcd/{cfg,bin,ssl} 
[root@server3 etcd-v3.3.10-linux-amd64]# ls /opt/etcd/
bin  cfg  ssl
[root@server3 etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/
[root@server3 etcd-v3.3.10-linux-amd64]# ls
Documentation  README-etcdctl.md  README.md  READMEv2-etcdctl.md
[root@server3 etcd-v3.3.10-linux-amd64]# ls /opt/etcd/bin/
etcd  etcdctl


证书拷贝
[root@server3 etcd-v3.3.10-linux-amd64]# cd ..
[root@server3 k8s]# cp etcd-cert//*.pem /opt/etcd/ssl/
[root@server3 k8s]# ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem


拷贝证书去其他节点（注意：ca-key.pem 是 CA 的私钥，etcd 运行只需要 ca.pem、server.pem、server-key.pem，CA 私钥不应分发到各节点，建议只保留在签发证书的机器上并妥善保管）
[root@server3 bin]# scp -r /opt/etcd/ root@192.168.188.40:/opt/
The authenticity of host '192.168.188.40 (192.168.188.40)' can't be established.
ECDSA key fingerprint is SHA256:QAN5N44clhXAwTVeXkW5uPUjmq5ugcYBOlqQ5yZT/AE.
ECDSA key fingerprint is MD5:fe:91:02:6e:b3:fe:fa:a3:c5:6b:e9:10:7d:71:a3:7f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.188.40' (ECDSA) to the list of known hosts.
root@192.168.188.40's password: 
etcd                                    100%  516     1.3MB/s   00:00    
etcd                                    100%   18MB  75.9MB/s   00:00    
etcdctl                                 100%   15MB  81.2MB/s   00:00    
ca-key.pem                              100% 1679     2.6MB/s   00:00    
ca.pem                                  100% 1265     1.3MB/s   00:00    
server-key.pem                          100% 1679     2.8MB/s   00:00    
server.pem                              100% 1338     3.5MB/s   00:00    
[root@server3 bin]# scp -r /opt/etcd/ root@192.168.188.50:/opt/
The authenticity of host '192.168.188.50 (192.168.188.50)' can't be established.
ECDSA key fingerprint is SHA256:wAcqk/TBiiofR+EeUwdTTPdsPerfoNlENEcXbZIGlc0.
ECDSA key fingerprint is MD5:10:d1:dc:b3:44:7f:b6:dd:b1:4b:24:5e:ed:3a:81:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.188.50' (ECDSA) to the list of known hosts.
root@192.168.188.50's password: 
etcd                                    100%  516   721.8KB/s   00:00    
etcd                                    100%   18MB  99.7MB/s   00:00    
etcdctl                                 100%   15MB  72.9MB/s   00:00    
ca-key.pem                              100% 1679   742.4KB/s   00:00    
ca.pem                                  100% 1265     2.7MB/s   00:00    
server-key.pem                          100% 1679     2.4MB/s   00:00    
server.pem                              100% 1338     3.2MB/s   00:00    
[root@server3 bin]# 

启动脚本拷贝其他节点

[root@server3 bin]# scp /usr/lib/systemd/system/etcd.service root@192.168.188.40:/usr/lib/systemd/system/
root@192.168.188.40's password: 
etcd.service                                      100%  923     1.3MB/s   00:00    
[root@server3 bin]# scp /usr/lib/systemd/system/etcd.service root@192.168.188.50:/usr/lib/systemd/system/
root@192.168.188.50's password: 
etcd.service                                      100%  923     2.0MB/s   00:00 


node节点（node01 与 node02 的改法相同：各自填写本机 IP，ETCD_NAME 取 ETCD_INITIAL_CLUSTER 中与本机对应的名称）

[root@node01 ~]# cd /opt/
[root@node01 opt]# ls
etcd  rh
[root@node01 opt]# cd etcd/
[root@node01 etcd]# ls
bin  cfg  ssl
[root@node01 etcd]# yum -y install tree
[root@node01 etcd]# tree /opt/etcd/
/opt/etcd/
├── bin
│   ├── etcd
│   └── etcdctl
├── cfg
│   └── etcd
└── ssl
    ├── ca-key.pem
    ├── ca.pem
    ├── server-key.pem
    └── server.pem

[root@node01 etcd]# vim /opt/etcd/cfg/etcd 

#[Member]
# Per-node values: the name and addresses below are node01's (192.168.188.40).
# On node02 substitute its own address and the name ETCD_INITIAL_CLUSTER assigns
# to it (etcd03 for 192.168.188.50).
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 2380 carries peer (member-to-member) traffic, 2379 carries client traffic;
# both are https, so the cert/key files under /opt/etcd/ssl are expected to be
# wired in by the startup script (etcd.sh, not shown here) — confirm.
ETCD_LISTEN_PEER_URLS="https://192.168.188.40:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.188.40:2379"

#[Clustering]
# Addresses other members and clients use to reach this node; same as the
# listen URLs here because each node listens on its own routable IP.
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.188.40:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.188.40:2379"
# Same name=peer-url list on every node; ETCD_NAME above must be one of these names.
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.188.30:2380,etcd02=https://192.168.188.40:2380,etcd03=https://192.168.188.50:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# NOTE(review): "new" is the first-bootstrap value; confirm before reusing this
# file against an existing data directory.
ETCD_INITIAL_CLUSTER_STATE="new"

[root@node02 ~]# systemctl start etcd
[root@node02 ~]# systemctl status etcd




检查群集状态

[root@server3 ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.188.30:2379,https://192.168.188.40:2379,https://192.168.188.50:2379" cluster-health
member 2026c249d23291ef is healthy: got healthy result from https://192.168.188.50:2379
member 4a11bcb7afdbe4ec is healthy: got healthy result from https://192.168.188.40:2379
member 97e9308adfaab653 is healthy: got healthy result from https://192.168.188.30:2379
cluster is healthy
