K8S二进制安装部署【待定etcd和kube-apiserver部署已完成】
2、部署ETCD集群节点名称IP地址etcd-1192.168.35.142/24etcd-2192.168.35.143/24etcd-3192.168.35.144/242.1、准备证书生成工具(cfssl)2.2 自定义证书的json文件2.3 生成证书 【ca-key.pemca.pem】2.4 使用自签证书签发ETCD HTTPS证书2.5 生成证书【 server-key.pemser
·
1、集群环境准备
容器引擎 | Docker CE 19 |
Kubernetes | Kubernetes v1.25 |
| 机器名称 | IP地址 | 机器配置 | |
| lle-k8s-master | 192.168.35.142/24 | 4C8g | kube-apiserver,kube-controller-manager,kube-scheduler,kubelet,kube-proxy,docker,etcd,nginx,keepalived |
| lle-k8s-node1 | 192.168.35.143/24 | 4C8g | kubelet,kube-proxy,docker,etcd |
| lle-k8s-node2 | 192.168.35.144/24 | 4C8g | kubelet,kube-proxy,docker,etcd |
初始化机器:关闭防火墙(每台机器都执行)
# 关闭防火墙
[root@lle-k8s-master ~]# systemctl stop firewalld
[root@lle-k8s-master ~]# systemctl disable firewalld
# 关闭selinux
[root@lle-k8s-master ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config #永久
[root@lle-k8s-master ~]# setenforce 0
# 关闭swap
[root@lle-k8s-master ~]# swapoff -a
[root@lle-k8s-master ~]# free -m
# 添加hosts解析
[root@lle-k8s-master ~]# cat >> /etc/hosts <<EOF
192.168.35.142 lle-k8s-master
192.168.35.143 lle-k8s-node1
192.168.35.144 lle-k8s-node2
EOF
# 将桥接的IPv4流量传递到iptables的链
[root@lle-k8s-master ~]# cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# 配置生效
[root@lle-k8s-master ~]# sysctl --system
# 配置阿里云源
[root@lle-k8s-master ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# 时间同步
[root@lle-k8s-master ~]# yum install ntpdate -y
[root@lle-k8s-master ~]# ntpdate time.windows.com
2、部署ETCD集群
| 节点名称 | IP地址 |
| etcd-1 | 192.168.35.142/24 |
| etcd-2 | 192.168.35.143/24 |
| etcd-3 | 192.168.35.144/24 |
2.1、准备证书生成工具(cfssl)
[root@lle-k8s-master ]# mkdir lle_cfssl
[root@lle-k8s-master lle_cfssl]# cd lle_cfssl/
[root@lle-k8s-master lle_cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@lle-k8s-master lle_cfssl]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@lle-k8s-master lle_cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@lle-k8s-master lle_cfssl]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@lle-k8s-master lle_cfssl]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@lle-k8s-master lle_cfssl]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@lle-k8s-master lle_cfssl]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2.2 自定义证书的json文件
[root@lle-k8s-master ~]# mkdir -p ~/TLS/{etcd,k8s}
[root@lle-k8s-master ~]# cd ~/TLS/etcd/
[root@lle-k8s-master etcd]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@lle-k8s-master etcd]# cat ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "shanghai",
"ST": "shanghai"
}
]
}
2.3 生成证书 【ca-key.pem ca.pem】
[root@lle-k8s-master etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2.4 使用自签证书签发ETCD HTTPS证书
# 创建证书申请文件
[root@lle-k8s-master etcd]# cat server-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"192.168.35.142",
"192.168.35.143",
"192.168.35.144"
],
"names": [
{
"C": "CN",
"L": "shanghai",
"ST": "shanghai"
}
]
}
2.5 生成证书【 server-key.pem server.pem】
[root@lle-k8s-master etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2.6 下载etcd二进制文件(这需要上外网才能下载)
[root@lle-k8s-master etcd]# wget https://github.com/etcd-io/etcd/releases/download/v3.5.1/etcd-v3.5.1-linux-amd64.tar.gz
2.7 部署etcd集群
2.7.1 创建工作目录
[root@lle-k8s-master ~]# mkdir /opt/etcd/{bin,cfg,ssl} -p
[root@lle-k8s-master ~]# tar zxvf etcd-v3.5.1-linux-amd64.tar.gz
[root@lle-k8s-master ~]# mv etcd-v3.5.1-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
2.7.2 创建etcd配置文件
[root@lle-k8s-master ~]# cat > /opt/etcd/cfg/etcd.conf << EOF
> #[Member]
> ETCD_NAME="etcd-1"
> ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
> ETCD_LISTEN_PEER_URLS="https://192.168.35.142:2380"
> ETCD_LISTEN_CLIENT_URLS="https://192.168.35.142:2379"
>
> #[Clustering]
> ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.35.142:2380"
> ETCD_ADVERTISE_CLIENT_URLS="https://192.168.35.142:2379"
> ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.35.142:2380,etcd-2=https://192.168.35.143:2380,etcd-3=https://192.168.35.144:2380"
> ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
> ETCD_INITIAL_CLUSTER_STATE="new"
> EOF
- ETCD_NAME:节点名称,集群中唯一
- ETCD_DATA_DIR:数据目录
- ETCD_LISTEN_PEER_URLS:集群通信监听地址
- ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
- ETCD_INITIAL_ADVERTISE_PEERURLS:集群通告地址
- ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
- ETCD_INITIAL_CLUSTER:集群节点地址
- ETCD_INITIALCLUSTER_TOKEN:集群Token
- ETCD_INITIALCLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
2.7.3 systemd管理etcd
[root@lle-k8s-master ~]# cat > /usr/lib/systemd/system/etcd.service << EOF
> [Unit]
> Description=Etcd Server
> After=network.target
> After=network-online.target
> Wants=network-online.target
>
> [Service]
> Type=notify
> EnvironmentFile=/opt/etcd/cfg/etcd.conf
> ExecStart=/opt/etcd/bin/etcd \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --peer-cert-file=/opt/etcd/ssl/server.pem \
> --peer-key-file=/opt/etcd/ssl/server-key.pem \
> --trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --logger=zap
> Restart=on-failure
> LimitNOFILE=65536
>
> [Install]
> WantedBy=multi-user.target
> EOF
2.7.4 cp之前生成的证书
[root@lle-k8s-master ~]# cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
2.7.5 加载并设置开机自启动etcd
[root@lle-k8s-master ~]# systemctl daemon-reload
[root@lle-k8s-master ~]# systemctl start etcd
[root@lle-k8s-master ~]# systemctl enable etcd
2.7.6 把配置copy到节点1和节点2上
[root@lle-k8s-master ~]# scp -r /opt/etcd/ root@192.168.35.143:/opt/
[root@lle-k8s-master ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.35.143:/usr/lib/systemd/system/
[root@lle-k8s-master ~]# scp -r /opt/etcd/ root@192.168.35.144:/opt/
[root@lle-k8s-master ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.35.144:/usr/lib/systemd/system/
2.7.7 修改etcd配置文件,并启动节点1和节点2上的etcd
[root@lle-k8s-node1 ~]# cat /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-2" #修改成etcd-2
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.35.143:2380" #修改为当前机器的ip
ETCD_LISTEN_CLIENT_URLS="https://192.168.35.143:2379" #修改为当前机器的ip
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.35.143:2380" #修改为当前机器的ip
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.35.143:2379" #修改为当前机器的ip
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.35.142:2380,etcd- ip2=https://192.168.35.143:2380,etcd-3=https://192.168.35.144:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
[root@lle-k8s-node2 ~]# cat /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-3" #修改成etcd-2
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.35.144:2380" #修改为当前机器的ip
ETCD_LISTEN_CLIENT_URLS="https://192.168.35.144:2379" #修改为当前机器的ip
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.35.144:2380" #修改为当前机器的ip
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.35.144:2379" #修改为当前机器的ip
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.35.142:2380,etcd-2=https://192.168.35.143:2380,etcd-3=https://192.168.35.144:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# 启动etcd
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
2.7.8 查看etcd集群状态
[root@lle-k8s-master lle_cfssl]# /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.35.142:2379,https://192.168.35.143:2379,https://192.168.35.144:2379" endpoint health --write-out=table
3、部署 master 节点组件
3.1 安装docker(我这里用yum安装)每台机器都要安装
# 用的阿里云官网的安装docker
# step 1: 安装必要的一些系统工具
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: 添加软件源信息
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3
sudo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Step 4: 更新并安装Docker-CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: 开启Docker服务
sudo service docker start
sudo systemctl enable docker
# 注意:
# 官方软件源默认启用了最新的软件,您可以通过编辑软件源的方式获取各个版本的软件包。例如官方并没有将测试版本的软件源置为可用,您可以通过以下方式开启。同理可以开启各种测试版本等。
# vim /etc/yum.repos.d/docker-ce.repo
# 将[docker-ce-test]下方的enabled=0修改为enabled=1
#
# 安装指定版本的Docker-CE:
# Step 1: 查找Docker-CE的版本:
# yum list docker-ce.x86_64 --showduplicates | sort -r
# Loading mirror speeds from cached hostfile
# Loaded plugins: branch, fastestmirror, langpacks
# docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
# docker-ce.x86_64 17.03.1.ce-1.el7.centos @docker-ce-stable
# docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
# Available Packages
# Step2: 安装指定版本的Docker-CE: (VERSION例如上面的17.03.0.ce.1-1.el7.centos)
# sudo yum -y install docker-ce-[VERSION]
3.1.1 配置阿里云镜像加速器
[root@lle-k8s-master ~]# cat > /etc/docker/daemon.json << EOF
> {
> "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
> }
> EOF
[root@lle-k8s-master ~]# systemctl daemon-reload
[root@lle-k8s-master ~]# systemctl start docker
[root@lle-k8s-master ~]# systemctl enable docker
3.2 生成kube-apiserver证书
3.2.1 自签证书颁发机构(CA)
[root@lle-k8s-master ~]# cd ~/TLS/k8s
[root@lle-k8s-master k8s]# cat ca-config.json
[root@lle-k8s-master k8s]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@lle-k8s-master k8s]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "shanghai",
"ST": "shanghai",
"O": "k8s",
"OU": "System"
}
]
}
3.2.2 生成证书【ca-key.pem ca.pem】
[root@lle-k8s-master k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
3.2.3 自签证书颁发机构(CA)
[root@lle-k8s-master k8s]# cat > server-csr.json << EOF
> {
> "CN": "kubernetes",
> "hosts": [
> "10.0.0.1",
> "127.0.0.1",
> "192.168.35.142",
> "192.168.35.143",
> "192.168.35.144",
> "kubernetes",
> "kubernetes.default",
> "kubernetes.default.svc",
> "kubernetes.default.svc.cluster",
> "kubernetes.default.svc.cluster.local"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "shanghai",
> "ST": "shanghai",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
[root@lle-k8s-master k8s]#
[root@lle-k8s-master k8s]#
[root@lle-k8s-master k8s]#
[root@lle-k8s-master k8s]#
[root@lle-k8s-master k8s]#
[root@lle-k8s-master k8s]#
3.2.4 生成证书【server.pem和server-key.pem】
[root@lle-k8s-master k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
3.2.4 从Github下载二进制文件
下载地址:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.25.md
注:打开链接你会发现里面有很多包,下载一个server包就够了,包含了Master和Worker Node二进制文件。
3.2.5 解压二进制包
[root@lle-k8s-master ~]# mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
[root@lle-k8s-master ~]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@lle-k8s-master bin]# cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
[root@lle-k8s-master bin]# cp kubectl /usr/bin/
3.3 部署kube-apiserver
3.3.1 创建配置文件
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://192.168.35.142:2379,https://192.168.35.143:2379,https://192.168.35.144:2379 \\
--bind-address=192.168.35.142 \\
--secure-port=6443 \\
--advertise-address=192.168.35.142 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem \\
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \\
--requestheader-allowed-names=kubernetes \\
--requestheader-extra-headers-prefix=X-Remote-Extra- \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--enable-aggregator-routing=true \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF注:上面两个\ \ 第一个是转义符,第二个是换行符,使用转义符是为了使用EOF保留换行符。
- --logtostderr:启用日志
- ---v:日志等级
- --log-dir:日志目录
- --etcd-servers:etcd集群地址
- --bind-address:监听地址
- --secure-port:https安全端口
- --advertise-address:集群通告地址
- --allow-privileged:启用授权
- --service-cluster-ip-range:Service虚拟IP地址段
- --enable-admission-plugins:准入控制模块
- --authorization-mode:认证授权,启用RBAC授权和节点自管理
- --enable-bootstrap-token-auth:启用TLS bootstrap机制
- --token-auth-file:bootstrap token文件
- --service-node-port-range:Service nodeport类型默认分配端口范围
- --kubelet-client-xxx:apiserver访问kubelet客户端证书
- --tls-xxx-file:apiserver https证书
- 1.20版本必须加的参数:--service-account-issuer,--service-account-signing-key-file
- --etcd-xxxfile:连接Etcd集群证书
- --audit-log-xxx:审计日志
- 启动聚合层相关配置:--requestheader-client-ca-file,--proxy-client-cert-file,--proxy-client-key-file,--requestheader-allowed-names,--requestheader-extra-headers-prefix,--requestheader-group-headers,--requestheader-username-headers,--enable-aggregator-routing
3.3.2. 拷贝刚才生成的证书
[root@lle-k8s-master k8s]# cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
3.3.3. 启用 TLS Bootstrapping 机制
TLS Bootstraping:Master apiserver启用TLS认证后,Node节点kubelet和kube-proxy要与kube-apiserver进行通信,必须使用CA签发的有效证书才可以,当Node节点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。为了简化流程,Kubernetes引入了TLS bootstraping机制来自动颁发客户端证书,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。所以强烈建议在Node上使用这种方式,目前主要用于kubelet,kube-proxy还是由我们统一颁发一个证书。
TLS bootstraping 工作流程:
创建上述配置文件中token文件:
#自己生成一个token
[root@lle-k8s-master k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
#创建上述配置文件中token文件 ,格式:token,用户名,UID,用户组
[root@lle-k8s-master k8s]# cat > /opt/kubernetes/cfg/token.csv << EOF
> 0cf99f5bc24f2d87cb1fc04242b7df5e,kubelet-bootstrap,10001,"system:node-bootstrapper"
> EOF
3.3.4 systemd管理apiserver
[root@lle-k8s-master k8s]# cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
> [Unit]
> Description=Kubernetes API Server
> Documentation=https://github.com/kubernetes/kubernetes
>
> [Service]
> EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
> ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
> Restart=on-failure
>
> [Install]
> WantedBy=multi-user.target
> EOF
K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容
更多推荐
13
0- 0
已为社区贡献4条内容
所有评论(0)