k8s——etcd部署

文章目录一、实验准备master节点一、实验准备主机名IP服务master1192.168.111.10/24kube-apiserver kube-controller-manager kube-scheduler etcdnode1192.168.111.30/24etcd docker kubelet kube-proxyflannelnode2192.168.111.40/24etcd d

栖息温暖晚霞

528人浏览 · 2021-04-15 09:49:42

栖息温暖晚霞 · 2021-04-15 09:49:42 发布

文章目录

一、实验准备
- master节点

一、实验准备

主机名	IP	服务
master1	192.168.111.10/24	kube-apiserver kube-controller-manager kube-scheduler etcd
node1	192.168.111.30/24	etcd docker kubelet kube-proxyflannel
node2	192.168.111.40/24	etcd docker kubelet kube-proxyflannel

iptables -F
setenforce 0
systemctl stop firewalld.service

master节点

[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s/
[root@localhost k8s]# ls   						 #从宿主机拖进来
etcd-cert.sh  etcd.sh
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# mv etcd-cert.sh etcd-cert

下载证书制作工具

 vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@localhost k8s]# bash cfssl.sh				#下载cfssl官方包

在这里插入图片描述

[root@localhost k8s]# ls /usr/local/bin/			
cfssl  cfssl-certinfo  cfssljson

开始制作证书
cfssl 生成证书工具 cfssljson通过传入json文件生成证书 cfssl-certinfo查看证书信息

[root@localhost k8s]# cat > ca-config.json <<EOF			#定义ca证书
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"     
        ]  
      } 
    }         
  }
}
EOF 

cat > ca-csr.json <<EOF 			#实现证书签名
{   
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -     #生产证书，生成ca-key.pem  ca.pem

cat > server-csr.json <<EOF							#指定etcd三个节点之间的通信验证
{
    "CN": "etcd",
    "hosts": [
    "192.168.111.10",
    "192.168.111.30",
    "192.168.111.40"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server				#生成ETCD证书 server-key.pem   server.pem

在这里插入图片描述

源码安装etcd

[root@localhost k8s]# ls
ca-config.json  ca.pem     etcd-v3.3.10-linux-amd64.tar.gz       server-csr.json
ca.csr          cfssl.sh   flannel-v0.10.0-linux-amd64.tar.gz    server-key.pem
ca-csr.json     etcd-cert  kubernetes-server-linux-amd64.tar.gz  server.pem
ca-key.pem      etcd.sh    server.csr


[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md

[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p    //配置文件，命令文件，证书

[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
//证书拷贝
mv *.pem etcd-cert/
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/

//进入卡住状态等待其他节点加入
[root@localhost k8s]# bash etcd.sh etcd01 192.168.111.10 etcd02=https://192.168.111.30:2380,etcd03=https://192.168.111.40:2380

//使用另外一个会话打开，会发现etcd进程已经开启
[root@localhost ~]# ps -ef | grep etcd


//拷贝证书去其他节点

[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.111.30:/opt/
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.111.40:/opt
//启动脚本拷贝其他节点
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@192.168.111.30:/usr/lib/systemd/system/
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@192.168.111.40:/usr/lib/systemd/system/

node节点

[root@localhost ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.111.30:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.111.30:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.111.30:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.111.30:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.111.10:2380,etcd02=https://192.168.111.30:2380,etcd03=https://192.168.111.40:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
//启动
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd

检查群集状态

cd etcd-cert
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.111.10:2379,https://192.168.111.30:2379,https://192.168.111.40:2379" cluster-health

在这里插入图片描述

K8S/Kubernetes

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐

【深度】阿里巴巴万级规模 K8s 集群全局高可用体系之美

作者 | 韩堂、柘远、沉醉来源 | 阿里巴巴云原生公众号前言台湾作家林清玄在接受记者采访的时候，如此评价自己 30 多年写作生涯：“第一个十年我才华横溢，‘贼光闪现’，令周边黯然失色；第二个十年，我终于‘宝光现形’，不再去抢风头，反而与身边的美丽相得益彰；进入第三个十年，繁华落尽见真醇，我进入了‘醇光初现’的阶段，真正体味到了境界之美”。长夜有穷，真水无香。领略过了 K8s“身在江

K8S/Kubernetes

如何基于 K8s 构建下一代 DevOps 平台？

作者 | 孙健波（天元）导读：当前云原生 DevOps 体系现状如何？面临哪些挑战？如何通过 OAM 解决云原生 DevOps 场景下的诸多问题？云原生开发应用模型 OAM(Open Application Model) 社区核心成员孙健波将为大家一一解答，并分享如何基于 OAM 和 Kubernetes 打造无限能力的下一代 DevOps 平台。什么是 DevOps？为什么基于 Kub