1.12我将采用更加优化的部署方式,方便维护管理
环境规划参考:

各个组件证书依赖
1、安装证书工具:
2、etcd安装
3、flanneld 安装
4、docker配置
5、配置k8s组件证书
6、安装master组件
7、安装node组件
8 增加节点

1、安装证书工具:

cd /opt/ssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x *
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

2、etcd安装

采用最新的etcd安装包

wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
cp etcd-v3.3.10-linux-amd64/etcd* /opt/etcd/bin

之前装过的需要将/var/lib/etcd删掉,不然会报错。
配置etcd证书:

[root@k8s-master01 ssl]# cat etcd-cert.sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.1.6",
    "192.168.1.7",
    "192.168.1.8"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

运行该脚本,然后将ca和server相关的pem拷贝到指定路径

cp ca*.pem /opt/etcd/ssl/
cp server*.pem /opt/etcd/ssl/

编写安装脚本:

vim etcd.sh

#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

运行脚本:

chmod +x etcd.sh
./etcd.sh etcd01 192.168.1.6 etcd02=https://192.168.1.7:2380,etcd03=https://192.168.1.8:2380

检测:
ps aux |grep ecd
分发文件到另外2个节点:

scp -r etcd 192.168.1.7:/opt/
scp -r etcd 192.168.1.8:/opt/
scp /usr/lib/systemd/system/etcd.service 192.168.1.7:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service 192.168.1.8:/usr/lib/systemd/system/

将/opt/etcd/cfg/etcd配置文件修改成对应的ip,ETCD_NAME改成对应的名字,不懂的参考1.10.7安装etcd
将节点的etcd启动:

systemctl enable etcd
systemctl start etcd

检测etcd健康:

/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" cluster-health

在这里插入图片描述

如果健康检测通过了,但是systemctl status etcd出现了证书相关的问题,不用理会,例如:
在这里插入图片描述

3、flanneld 安装
我们先在master上面操作,即192.168.1.6
下载二进制包:
此处我们用的比较新的0.10版本

wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz

将解压后得到的可执行文件放入我们之定义的路径下面

cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/

分配自网段:

/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

测试:

 /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" get /coreos.com/network/config

配置flannel文件

[root@k8s-master01 shell]# cat flannel.sh
#!/bin/bash
# ./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

cat <<EOF >/usr/lib/systemd/system/dockerd.service

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart dockerd

运行该脚本:
后面参数是etcd集群地址

./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379

启动:

systemctl enable flanneld
systemctl start flanneld

测试flanneld:

cat /run/flannel/subnet.env
systemctl status flanneld.service

然后将文件分发下去,其他节点也装上flannel,不用做任何变动:

scp -r /opt/kubernetes 192.168.1.6:/opt/
scp -r /opt/kubernetes 192.168.1.7:/opt/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.6:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.7:/usr/lib/systemd/system/

4、docker配置

docker和1.10.7一样,这一块没有变动

cat <<EOF >/usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd  \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl restart docker

查看ifconfig 中 会出现一个flannel 网络,并且flannel和docker0 网络段会相同
查看docker进程可以检测:

[root@k8s-master01 shell]# ps -ef |grep docker
root       8548      1  0 11:59 ?        00:00:31 /usr/bin/dockerd --bip=172.17.56.1/24 --ip-masq=false --mtu=1450
root       8555   8548  0 11:59 ?        00:00:51 docker-containerd --config /var/run/docker/containerd/containerd.toml
root      22005   7466  0 15:02 pts/1    00:00:00 grep --color=auto docker

所有节点都进行此操作

5、配置k8s组件证书

生成证书脚本:

[root@k8s-master01 k8s-crt]# cat k8s-cert.sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
      	    "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.1.6",
      "192.168.1.7",
      "192.168.1.8",
      "192.168.1.9",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

运行该脚本会生成一堆证书,我们可以将需要的证书放置指定路径,其中的ip是我们需要的各个与k8s相关的脚本

sh k8s-cert.sh
[root@k8s-master01 k8s-crt]# ls
admin.csr       admin-key.pem  ca-config.json  ca-csr.json  ca.pem       kube-proxy.csr       kube-proxy-key.pem  server.csr       server-key.pem
admin-csr.json  admin.pem      ca.csr          ca-key.pem   k8s-cert.sh  kube-proxy-csr.json  kube-proxy.pem      server-csr.json  server.pem

拷贝证书到指定路径

cp *.pem /opt/kubernetes/ssl

6、安装master组件
下载最新包:

wget https://storage.googleapis.com/kubernetes-release/release/v1.12.1/kubernetes-server-linux-amd64.tar.gz
tar xvf kubernetes-server-linux-amd64.tar.gz

将需要的包拷贝到指定路径:

cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/

生成k8s需要的token

[root@k8s-master01 shell]# cat token.sh
token=$(head -c 10 /dev/urandom |od -An -t x|tr -d ' ')

cat <<EOF >/opt/kubernetes/cfg/token.csv
${token},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

运行该脚本会在/opt/kubernetes/cfg/ 生产一个token文件

配置kube-apiserver

[root@k8s-master01 shell]# cat apiserver.sh
#!/bin/bash
#./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379

MASTER_ADDRESS=$1
ETCD_SERVERS=$2

cat <<EOF >/opt/kubernetes/cfg/kube-apiserver

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--bind-address=${MASTER_ADDRESS} \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver

运行该脚本:

./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379

其中第一个参数代表本机ip,第二个代表etcd ip组
检测:systemctl status kube-apiserver

配置kube-controller-manager

[root@k8s-master01 shell]# cat controller-manager.sh
#!/bin/bash
#./controller-manager.sh 127.0.0.1

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager


KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager

运行该脚本:

 ./controller-manager.sh 127.0.0.1

检测:systemctl status kube-controller-manager.service

配置:kube-scheduler

[root@k8s-master01 shell]# cat scheduler.sh
#!/bin/bash
#./scheduler.sh 127.0.0.1

MASTER_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-scheduler

KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler

执行该脚本:

./scheduler.sh 127.0.0.1

检测:
systemctl status kube-scheduler.service
netstat -lnp |grep 8080

7、安装node组件
a、首先我们在master上面创建用户认证:
将kubelete-bootstrap用户绑定在集群角色上

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

如果有可以先删除:

kubectl delete clusterrolebinding kubelet-bootstrap

如果有缺少对system:anonymous用户的授权,kubelet启动的时候会报错如下:
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User “system:anonymous” cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

我们还需要对 system:anonymous用户的授权,不然以后node阶节点匿名向主节点传递信息的时候会有问题:

kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous

将node节点需要的执行文件分发下去:
从我们解压的安装包获取相关文件

cd /root/kubernetes/server/bin
scp kubelet kube-proxy 192.168.1.7:/opt/kubernetes/bin/
scp kubelet kube-proxy 192.168.1.8:/opt/kubernetes/bin/

b、创建kubeconfig 文件
注意:这里的BOOTSTRAP_TOKEN 的值需要用我们之前生成的值,就是token.scv里面的值

[root@k8s-master01 shell]# cat kubeconfig.sh
# 创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008

#cat > token.csv <<EOF
#${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
#EOF

#----------------------
APISERVER=$1
SSL_DIR=$2
#  ./kubeconfig.sh 192.168.1.6 /opt/k8s-crt

# 创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"

# 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=$SSL_DIR/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig

# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------

# 创建kube-proxy kubeconfig文件

kubectl config set-cluster kubernetes \
  --certificate-authority=$SSL_DIR/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=$SSL_DIR/kube-proxy.pem \
  --client-key=$SSL_DIR/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

执行该脚本:

./kubeconfig.sh 192.168.1.6 /opt/k8s-crt

将生成的2个配置文件分发到node节点上去

rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.1.8:/opt/kubernetes/cfg/
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.1.7:/opt/kubernetes/cfg/

c、安装node组件
编辑kubelet安装脚本:

[root@k8s-node01 shell]# cat kubelet.sh
#!/bin/bash

#./kubelet.sh 192.168.1.7 10.0.0.2

NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}

cat <<EOF >/opt/kubernetes/cfg/kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--address=${NODE_ADDRESS} \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

EOF

cat <<EOF >/opt/kubernetes/cfg/kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: true

EOF

cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet

运行次脚本:

./kubelet.sh 192.168.1.7 10.0.0.2
此时会在ssl下面生成一些证书相关的文件,

检测:
ps -ef |grep kubelet

安装proxy文件脚本

[root@k8s-node01 shell]# cat proxy.sh
#!/bin/bash
#./proxy.sh 192.168.1.7
NODE_ADDRESS=$1

cat <<EOF >/opt/kubernetes/cfg/kube-proxy

KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=${NODE_ADDRESS} \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

EOF

cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy

运行次脚本:
./proxy.sh 192.168.1.7
检测:
systemctl status kube-proxy.service

此时我们第一台node已经安装好,我们可以在master上检测是否有节点信息请求注册:

[root@k8s-master01 shell]# kubectl get csr
NAME                                                   AGE       REQUESTOR          CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ   10m       system:kubelet-bootstrapPending

通过请求:

[root@k8s-master01 shell]# kubectl certificate approve node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ

此时状态已经改变:

[root@k8s-master01 shell]# kubectl get csr
NAME                                                   AGE       REQUESTOR          CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ   16m       system:kubelet-bootstrap  Approved,Issued

查看k8s节点:

[root@k8s-master01 shell]# kubectl get node
NAME          STATUS    ROLES     AGE       VERSION
192.168.1.7   Ready     <none>    13s       v1.12.1

8 增加节点:
此时我们加入另一台就显得非常简单:
首先kubelet.kubeconfig,kube-proxy.kubeconfig,这2个配置文件必须之前已经分发过来
我们加入安装脚本:

./kubelet.sh 192.168.1.8 10.0.0.2
./proxy.sh 192.168.1.8

运行脚本,然后去master :
kubectl get csr 查看节点是否自动注册过来,然后加入便可

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐