centos8部署k8s1.19.1(etcd外设,高可用,纯手动)
注意!:cfssl、cfssljson、etcd、etcdctl 需先安装好(本文使用 etcd-v3.4.3,已安装,不做演示)。三台均创建目录,证书仅在一台节点上创建;之后拷贝 etcd 工具。
·
节点 | ip |
k8s-1(master) | 192.168.200.132 |
k8s-2(master)后加入 | 192.168.200.135 |
k8s-3(master)后加入 | 192.168.200.148 |
要求:
- etcd外设
- 高可用节点配置
- master节点可加入集群
etcd部署
本文前置环境依赖包部署包工具包均已配置好,省略下载步骤直接开始部署。
centos8已经不再维护很多依赖包缺失,文章采用了阿里云与bclinux8.2源。建议使用bclinux8.2源
创建自定义目录
注意!:cfssl、cfssljson、etcd、etcdctl 需先安装好(本文使用 etcd-v3.4.3,已安装,不做演示)。
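# Create the same directory layout on all three nodes; certificates are generated
# only on this node. One mkdir -p is enough: it creates /data/etcd as the parent,
# so the separate "mkdir -p /data/etcd" afterwards was redundant.
mkdir -p /data/etcd/bin /data/etcd/ssl
# Stop here if the directory cannot be entered, rather than writing the CA and
# key material into whatever the current directory happens to be.
cd /data/etcd/ssl || exit 1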
创建ca证书
vim ca-config.json
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"server": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
创建证书签名请求ca-csr.json
vim ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
}
}
# Generate the CA certificate and private key from ca-csr.json; cfssljson writes
# ca.pem, ca-key.pem and ca.csr into the current directory (/data/etcd/ssl).
# ca-config.json sets expiry to 876000h (about 100 years) for every profile, so
# nothing issued from this CA expires on its own. ca-key.pem signs every other
# certificate below and only needs to exist on this node.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
#生成出以下证书
ca.csr
ca-key.pem
ca.pem
生成客户端证书
vim client.json
{
"CN": "client",
"key": {
"algo": "ecdsa",
"size": 256
}
}
# Issue the client certificate (client.pem, client-key.pem, client.csr) with the
# "client" profile from ca-config.json (usages: signing, key encipherment,
# client auth). This is the identity the kube-apiserver later presents to etcd
# (copied to /etc/kubernetes/pki/apiserver-etcd-client.pem below).
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client -
#获得以下证书
client.csr
client-key.pem
client.pem
ca与client整体证书
ca-config.json
ca.csr
ca-csr.json
ca-key.pem
ca.pem
client.csr
client.json
client-key.pem
client.pem
#三个json是自己手动创建,其他非json为工具生成的证书
生成server,peer证书
vim etcd.json
{
"CN": "etcd",
"hosts": [
"192.168.200.132",
"192.168.200.135",
"192.168.200.148"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BJ"
}
]
}
# Issue the server and peer certificates from the same etcd.json. Its "hosts"
# list (the three node IPs) becomes the certificate SANs, so every address used
# in the etcd --listen-*/--advertise-* URLs must appear there; 127.0.0.1 is not
# listed, so local clients must connect via the node IP as well.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer
证书总览
ca-config.json
ca.csr
ca-csr.json
ca-key.pem
ca.pem
client.csr
client.json
client-key.pem
client.pem
etcd.json
peer.csr
peer-key.pem
peer.pem
server.csr
server-key.pem
server.pem
ca证书 client证书 peer证书 server证书
ca-config.json ca-csr.json client.json etcd.json为手动创建
将证书同步到另外两台节点
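# Distribute what the other two members need. ca-key.pem is deliberately left
# out: certificates are only ever signed on this node, so the CA private key has
# no reason to exist on the others (copying /data/etcd recursively shipped it).
# The ssl/ paths must match the ones referenced in etcd.service.
for node in 192.168.200.135 192.168.200.148; do
  ssh "root@${node}" 'mkdir -p /data/etcd/bin /data/etcd/ssl'
  scp /data/etcd/ssl/ca.pem \
    /data/etcd/ssl/server.pem /data/etcd/ssl/server-key.pem \
    /data/etcd/ssl/peer.pem /data/etcd/ssl/peer-key.pem \
    /data/etcd/ssl/client.pem /data/etcd/ssl/client-key.pem \
    "root@${node}:/data/etcd/ssl/"
  # etcd binaries, taken from the current directory as in the original steps
  scp etcd etcdctl "root@${node}:/data/etcd/bin/"
done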
systemd管理etcd
vim /usr/lib/systemd/system/etcd.service(记得删除注释)
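[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/data/etcd/
# Per-node edits: --name and the four *-urls flags carry this node's own IP;
# --initial-cluster lists every member and is identical on all three nodes.
# --client-cert-auth / --peer-client-cert-auth make etcd require a certificate
# signed by ca.pem on every client and peer connection. Without them the TLS
# listeners on 2379/2380 encrypt traffic but accept any connection that reaches
# them. client.pem (profile "client") and peer.pem both carry "client auth",
# so the apiserver and the other members still connect.
# NOTE(review): --data-dir is the same directory that holds bin/ and ssl/; etcd
# expects to own its data dir and may log warnings about the extra entries,
# so a dedicated subdirectory would be cleaner.
# systemd only honours '#' at the start of a line; keep notes out of ExecStart.
ExecStart=/data/etcd/bin/etcd \
  --name=etcd1 \
  --cert-file=/data/etcd/ssl/server.pem \
  --key-file=/data/etcd/ssl/server-key.pem \
  --client-cert-auth=true \
  --peer-cert-file=/data/etcd/ssl/peer.pem \
  --peer-key-file=/data/etcd/ssl/peer-key.pem \
  --peer-client-cert-auth=true \
  --trusted-ca-file=/data/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/data/etcd/ssl/ca.pem \
  --initial-advertise-peer-urls=https://192.168.200.132:2380 \
  --listen-peer-urls=https://192.168.200.132:2380 \
  --listen-client-urls=https://192.168.200.132:2379 \
  --advertise-client-urls=https://192.168.200.132:2379 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster=etcd1=https://192.168.200.132:2380,etcd2=https://192.168.200.135:2380,etcd3=https://192.168.200.148:2380 \
  --initial-cluster-state=new \
  --data-dir=/data/etcd \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target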
#注意:需要修改的内容
--name=etcd1 #对应etcd节点修改
--initial-advertise-peer-urls=https://192.168.200.132:2380 #本机ip
--listen-peer-urls=https://192.168.200.132:2380 #本机ip
--listen-client-urls=https://192.168.200.132:2379 #本机ip
--advertise-client-urls=https://192.168.200.132:2379 #本机ip
--initial-cluster=etcd1=https://192.168.200.132:2380,etcd2=https://192.168.200.135:2380,etcd3=https://192.168.200.148:2380 #集群地址
启动etcd
# Reload unit files, enable etcd at boot, start it and show its state. With
# Type=notify and a three-member --initial-cluster in state "new", the first
# node's start is likely to block until at least one more member is reachable,
# so run these steps on all three nodes close together.
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
配置haproxy+keepalived高可用
安装 keepalived 和 haproxy
# Install the VIP manager (keepalived) and load balancer (haproxy) that front the apiservers.
dnf -y install keepalived haproxy
keepalived,haproxy配置apiserver高可用
参考:
【云原生-K8s-2】kubeadm搭建k8s高可用集群(三主两从一VIP)完整教程_kubeadm高可用集群-CSDN博客
k8s1.19.1部署
# List the control-plane images the installed kubeadm expects. The tags printed
# below are v1.19.16, while kubeadm-init.yaml pins kubernetesVersion v1.19.1;
# the two must agree, so check which version is actually installed.
kubeadm config images list
k8s.gcr.io/kube-apiserver:v1.19.16
k8s.gcr.io/kube-controller-manager:v1.19.16
k8s.gcr.io/kube-scheduler:v1.19.16
k8s.gcr.io/kube-proxy:v1.19.16
k8s.gcr.io/pause:3.2
k8s.gcr.io/etcd:3.4.13-0
k8s.gcr.io/coredns:1.7.0
#镜像提前下载可更换国内地址
registry.cn-hangzhou.aliyuncs.com/google_containers
初始化master
# Place the etcd CA and the client credentials at the paths referenced by
# etcd.external.caFile/certFile/keyFile in kubeadm-init.yaml.
mkdir -p /etc/kubernetes/pki/etcd/
# The leading backslash bypasses any "cp -i" alias so the copies are non-interactive.
\cp -rf /data/etcd/ssl/ca.pem /etc/kubernetes/pki/etcd/
\cp -rf /data/etcd/ssl/client.pem /etc/kubernetes/pki/apiserver-etcd-client.pem
\cp -rf /data/etcd/ssl/client-key.pem /etc/kubernetes/pki/apiserver-etcd-client-key.pem
# Confirm etcd is running before kubeadm init tries to reach it
systemctl status etcd
配置kubeadm配置文件
# Dump kubeadm's defaults as a starting point; the file is edited below before use.
kubeadm config print init-defaults > kubeadm-init.yaml
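# Produced by `kubeadm config print init-defaults` and then edited. Indentation is
# significant in YAML: nested keys sit two spaces under their parent.
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  # This is the placeholder token that `print init-defaults` emits, reused verbatim
  # in the join command below. Replace it with a fresh `kubeadm token generate`
  # value before running init; the 24h ttl bounds how long it stays valid.
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.200.132  # this node's IP
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  # local:
  #   dataDir: /var/lib/etcd
  external:
    endpoints:
    - https://192.168.200.132:2379
    - https://192.168.200.135:2379
    - https://192.168.200.148:2379
    caFile: /etc/kubernetes/pki/etcd/ca.pem  # CA generated when building the etcd cluster
    certFile: /etc/kubernetes/pki/apiserver-etcd-client.pem  # client certificate from the etcd setup
    keyFile: /etc/kubernetes/pki/apiserver-etcd-client-key.pem  # client key from the etcd setup
# Images are pulled from here; the mirror mentioned above
# (registry.cn-hangzhou.aliyuncs.com/google_containers) can be substituted.
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
# Must match the installed kubeadm/kubelet version. `kubeadm config images list`
# above printed v1.19.16 tags, so confirm which version is installed before init.
kubernetesVersion: v1.19.1
# Presumably the haproxy/keepalived VIP (not one of the three nodes) — confirm.
controlPlaneEndpoint: 192.168.200.66:16443
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16  # must equal CALICO_IPV4POOL_CIDR in calico.yaml
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"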
初始化k8s节点
# Bootstrap the first control plane. --upload-certs stores the control-plane
# certificates in the cluster, encrypted with the certificate key that init
# prints, so the other masters can join without copying files by hand; the
# join command below reuses that key.
kubeadm init --config=kubeadm-init.yaml --upload-certs
另外两台master节点加入集群
# Run on the other two masters. The token, CA hash and certificate key are the
# ones printed by kubeadm init on k8s-1. The certificate key decrypts the
# uploaded control-plane certificates, so handle it like any other secret.
kubeadm join 192.168.200.66:16443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:4cfeb2347878e4505d272b8d4bc924164c86b1541ec8e47a460a6adaeaf965a0 \
--control-plane --certificate-key 57944fbbcd3af8dae151bccccd0957c7dbcaaacb70e64c0ae7bed23b84ee1a40
证书过期如何加入master
# When the uploaded certificates (or the bootstrap token) have expired: re-upload
# them, which prints a new certificate key, then print a fresh join command.
# The printed command is the worker form; for a master append
# --control-plane --certificate-key <new key>, as in the combined command below.
kubeadm init phase upload-certs --upload-certs
kubeadm token create --print-join-command
添加命令
# Combined master join command. NOTE(review): the endpoint here
# (192.168.206.138:6443) is not this cluster's controlPlaneEndpoint
# (192.168.200.66:16443) — presumably a sample from another environment; use the
# endpoint, token, hash and key printed by the two commands above.
kubeadm join 192.168.206.138:6443 --token iw6jit.m5fp5ftpmzd5qw14 --discovery-token-ca-cert-hash sha256:af0bd61b3323d6ccf692706f9be2b0d89eb7f0c4ed79ae3ef874b4b1690b1c85 --control-plane --certificate-key 272fb136b903ee039690d2cc8fef37b60da6506f59377560d04ffc7cbc722bff
部署calico配置集群网络
vim calico.yaml
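# Fragment of the calico-node container's env list. "value" must be indented
# under its "- name" item, otherwise the manifest does not parse.
# CALICO_IPV4POOL_CIDR must equal podSubnet in kubeadm-init.yaml (10.244.0.0/16).
# IP_AUTODETECTION_METHOD picks the node interface by regex; adjust to the host's NIC names.
- name: CALICO_IPV4POOL_CIDR
  value: "10.244.0.0/16"
- name: IP_AUTODETECTION_METHOD
  value: "interface=(enp.*)|(eth.*)|(eno1.*)|(bo.*)|(ens.*)"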
# Apply the edited calico manifest; nodes typically stay NotReady until a pod network is installed.
kubectl apply -f calico.yaml