For this walkthrough the cluster is deployed with a single master and a single node (Kubernetes 1.19).

Role     IP               Components
master   10.129.246.114   kube-apiserver, kube-controller-manager, kube-scheduler, etcd
node     10.129.244.229   kubelet, kube-proxy, docker, etcd
Operating system initialization

# Stop the firewall
systemctl stop firewalld
systemctl disable firewalld

# Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config   # permanent
setenforce 0                                          # temporary

# Disable swap
swapoff -a                                  # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab         # permanent

# Set the hostname according to the plan
hostnamectl set-hostname <hostname>

# Add hosts entries on master (the IPs must match the plan above)
cat >> /etc/hosts << EOF
10.129.246.114 master
10.129.244.229 node
EOF

# Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system   # apply

# Time synchronization
yum install ntpdate -y
ntpdate time.windows.com

Stopping firewalld and disabling SELinux is a lab shortcut. On anything reachable by untrusted networks, keep the firewall and open only the ports the components need (2379/2380 for etcd, 6443 for the apiserver, 10250 for the kubelet); an etcd member listening on 2379 with no packet filter in front of it is one misconfiguration away from exposing the entire cluster state.

Deploy the etcd cluster
etcd is a distributed key-value store and Kubernetes uses it for all of its persistent data, so an etcd database is prepared first. To avoid a single point of failure, etcd should be deployed as a cluster; here a cluster is built from 2 machines. Note that a 2-member cluster still has no fault tolerance: Raft needs a majority (2 of 2) to commit writes, so losing either member stops the cluster. Three members is the minimum that survives the loss of one.
Note: to save machines, etcd is co-located with the K8s nodes here. It can also be deployed outside the k8s cluster, as long as the apiserver can reach it.
Self-signed certificate authority (CA)

# Create the working directory
# mkdir -p /root/etcd

Self-signed CA:
# Enter the working directory /root/etcd/
# cd /root/etcd
# cat > ca-config.json << CFY
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
CFY

The www profile allows both server auth and client auth, so one certificate issued under it can be used by etcd as a server/peer certificate and by the apiserver or etcdctl as a client certificate. 87600h is 10 years, acceptable for a lab but far longer than a production CA should issue without a rotation plan.

Generate the CA certificate. The command reads ca-csr.json (the CA's own CSR with its CN and key parameters); that file is not shown on this page and must exist in the working directory before running it:

# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# ls *.pem
ca-key.pem  ca.pem

Use the self-signed CA to issue the etcd HTTPS certificate. Create the certificate request file:
# cat > server-csr.json << CFY
{
  "CN": "etcd",
  "hosts": [
    "10.129.246.114",
    "10.129.244.229"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
CFY

The hosts list becomes the certificate's Subject Alternative Names. Because the same certificate is used below for both the client-facing and the peer-facing listener, every etcd member IP must be listed here; adding a member later means re-issuing the certificate.

Generate the certificate:

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# ls server*pem
server-key.pem  server.pem

Check that both IPs actually ended up in the certificate before copying it anywhere, and keep the private keys readable by root only, since anyone holding server-key.pem can talk to etcd as a trusted client:

# openssl x509 -in server.pem -noout -text | grep -A1 'Subject Alternative Name'
# chmod 600 *-key.pem

Download the binaries
Official address: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/ (binary package). That page is the kubeadm reference; the etcd release tarballs themselves are published at https://github.com/etcd-io/etcd/releases.
Deploy the etcd cluster. The following steps are performed on the master node; to keep things simple, all files generated on master are copied to node afterwards. The only file that differs per member is etcd.conf: on node it must carry ETCD_NAME="etcd02" and node's own IP in the listen and advertise URLs.

Unpack the binary package:
# mkdir -p /opt/etcd/{bin,cfg,ssl}
# tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
# mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

Note: etcd 3.2.12 is the release used above, but Kubernetes 1.19 is built and tested against etcd 3.4 (kubeadm for 1.19 ships etcd 3.4.13). Use a 3.4.x tarball and adjust the file names accordingly.

Create the etcd configuration file:

# cat > /opt/etcd/cfg/etcd.conf << CFY
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.129.246.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.129.246.114:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.129.246.114:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.129.246.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
CFY

---------------------------------------------------------------
ETCD_NAME: member name (unique within the cluster; etcd02 on node)
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
ETCD_INITIAL_CLUSTER: addresses of all cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining: new for a new cluster, existing to join an existing cluster

systemd unit to manage etcd:

# cat > /usr/lib/systemd/system/etcd.service << CFY
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --name=${ETCD_NAME} \
  --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
  --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS} \
  --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
  --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
  --initial-cluster=${ETCD_INITIAL_CLUSTER} \
  --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
  --initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --peer-cert-file=/opt/etcd/ssl/server.pem \
  --peer-key-file=/opt/etcd/ssl/server-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
CFY

Two points about this unit. First, --initial-cluster-state reads ETCD_INITIAL_CLUSTER_STATE from etcd.conf instead of being hard-coded to new, so the existing value documented above actually takes effect when a member is added to a running cluster. Second, as written the unit only makes etcd present a certificate: --trusted-ca-file and --peer-trusted-ca-file on their own do not require clients or peers to authenticate, so any host that can reach port 2379 can read and write the whole datastore. To enforce mutual TLS, add --client-cert-auth and --peer-client-cert-auth to ExecStart; the apiserver and etcdctl must then present a certificate signed by ca.pem (the server.pem issued above qualifies, because the www profile includes client auth).

Copy the certificates generated earlier
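The two places where this procedure usually goes wrong are the certificate request (an etcd member IP missing from hosts) and the per-member etcd.conf copied to node without editing ETCD_NAME and the IPs. The script below is an added example, not code from the original post: it renders a member's etcd.conf from the two-member plan in the table above and checks it before systemctl start. The check sources the config, refuses any non-https listen or advertise URL, verifies that the member is listed in ETCD_INITIAL_CLUSTER under its own name and peer URL, and confirms that every peer IP in the cluster list appears in the CSR's hosts array (the same cert serves both listeners). The member list, output path and CSR path are parameters; nothing here writes to /opt.

```shell
#!/bin/sh
# Added example: render and sanity-check an etcd member config for the
# two-member plan from the post (etcd01=10.129.246.114, etcd02=10.129.244.229).
# Constructed input; adjust ETCD_MEMBERS to your own plan.
ETCD_MEMBERS='etcd01=10.129.246.114
etcd02=10.129.244.229'

# Build the ETCD_INITIAL_CLUSTER value: name=https://IP:2380, comma separated.
initial_cluster() {
    printf '%s\n' "$ETCD_MEMBERS" | while IFS='=' read -r name ip; do
        printf '%s=https://%s:2380,' "$name" "$ip"
    done | sed 's/,$//'
}

# render_member_conf NAME IP OUTFILE: write the config in the post's format,
# with every listen/advertise URL derived from this member's own IP.
render_member_conf() {
    name=$1; ip=$2; out=$3
    cluster=$(initial_cluster)
    cat > "$out" <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$cluster"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# check_member_conf CONF CSR_JSON: exit 0 if the config is consistent and the
# certificate request covers every peer IP; otherwise print why and exit 1.
check_member_conf() {
    conf=$1; csr=$2
    (
        . "$conf"
        rc=0
        # 1. TLS only: a plaintext http:// listener exposes the whole datastore
        #    to anyone who can reach the port, with no authentication at all.
        for u in "$ETCD_LISTEN_PEER_URLS" "$ETCD_LISTEN_CLIENT_URLS" \
                 "$ETCD_INITIAL_ADVERTISE_PEER_URLS" "$ETCD_ADVERTISE_CLIENT_URLS"; do
            case $u in
                https://*) ;;
                *) echo "non-TLS URL: $u" >&2; rc=1 ;;
            esac
        done
        # 2. The member must appear in ETCD_INITIAL_CLUSTER under its own name
        #    and advertised peer URL (the classic copy-to-node mistake).
        case ",$ETCD_INITIAL_CLUSTER," in
            *",$ETCD_NAME=$ETCD_INITIAL_ADVERTISE_PEER_URLS,"*) ;;
            *) echo "$ETCD_NAME/$ETCD_INITIAL_ADVERTISE_PEER_URLS not in ETCD_INITIAL_CLUSTER" >&2; rc=1 ;;
        esac
        # 3. Every peer IP must be a SAN in server.pem, so it must be in the
        #    CSR's "hosts" array before the cert is issued.
        for ip in $(printf '%s\n' "$ETCD_INITIAL_CLUSTER" | tr ',' '\n' \
                    | sed 's#.*https://##; s#:2380$##'); do
            grep -q "\"$ip\"" "$csr" || { echo "$ip missing from $csr hosts" >&2; rc=1; }
        done
        exit $rc
    )
}
```

On node, run render_member_conf etcd02 10.129.244.229 /opt/etcd/cfg/etcd.conf, then check_member_conf /opt/etcd/cfg/etcd.conf /root/etcd/server-csr.json and only start the service when it exits 0. The third check reads the CSR rather than the issued certificate so it can run before cfssl is invoked; after issuance, the openssl command in the certificate section confirms the same IPs in the actual SAN extension.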