Kubernetes v1.18.19 Binary Deployment (3)

This document installs Docker on all nodes from the static binary distribution.

Download the Docker package: https://download.docker.com/linux/static/stable/x86_64/

```bash
[root@master01 etcd]# cd
[root@master01 ~]# wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.11.tgz
[root@master01 ~]# tar -zxvf docker-19.03.11.tgz
[root@master01 ~]# cp docker/* /usr/local/bin/
[root@master01 ~]# docker --version
Docker version 19.03.11, build 42e35e61f3
```

Copy the binaries to all the other node machines

```bash
[root@master01 ~]# for i in 1 2;do scp docker/* root@node0$i:/usr/local/bin/;done
```

Manage Docker with systemd

```bash
[root@master01 ~]# cat > /usr/lib/systemd/system/docker.service << EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/local/bin/dockerd --data-root /apps/docker
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF
```

Copy the unit file to all the other node machines

```bash
[root@master01 ~]# for i in 1 2;do scp /usr/lib/systemd/system/docker.service root@node0$i:/usr/lib/systemd/system/docker.service;done
```

Set the Docker cgroup driver (change on all nodes)

```bash
# -p: do not fail if the directory already exists
[root@master01 ~]# for i in {1..3};do ssh root@192.168.1.2$i mkdir -p /etc/docker/;done
[root@master01 ~]# cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors" : [
    "https://registry.docker-cn.com",
    "https://docker.mirrors.ustc.edu.cn",
    "http://hub-mirror.c.163.com",
    "https://cr.console.aliyun.com/",
    "https://0trl8ny5.mirror.aliyuncs.com"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
[root@master01 ~]# for i in 1 2;do scp /etc/docker/daemon.json root@node0$i:/etc/docker/;done
```

Start Docker on all nodes

```bash
systemctl daemon-reload
systemctl start docker && systemctl enable docker
```

Confirm on all nodes

```bash
# Run the check on each node over ssh rather than three times on the local host
[root@master01 ~]# for i in {1..3};do ssh root@192.168.1.2$i 'systemctl status docker | grep "Active"';done
[root@master01 ~]# for i in {1..3};do ssh root@192.168.1.2$i 'docker info | grep "Cgroup Driver"';done
```

Deploy the Master node
Generate the kube-apiserver certificate

Self-signed certificate authority (CA)

```bash
[root@master01 ~]# cd /k8s/k8s/ssl/
[root@master01 ssl]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```

Create the certificate signing request file

```bash
[root@master01 ssl]# cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangzhou",
      "L": "Guangzhou",
      "O": "wangzha"
    }
  ],
  "ca": {
    "expiry": "175200h"
  }
}
EOF
```

Generate the certificate:

```bash
[root@master01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@master01 ssl]# ll
-rw-r--r-- 1 root root  296 7月 7 22:00 ca-config.json
-rw-r--r-- 1 root root 1033 7月 7 22:00 ca.csr
-rw-r--r-- 1 root root  291 7月 7 22:00 ca-csr.json
-rw------- 1 root root 1679 7月 7 22:00 ca-key.pem
-rw-r--r-- 1 root root 1285 7月 7 22:00 ca.pem
```

Issue the kube-apiserver HTTPS certificate with the self-signed CA

```bash
[root@master01 ssl]# pwd
/k8s/k8s/ssl
```

Create the certificate signing request file

```bash
[root@master01 ssl]# cat > server-csr.json << EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.1.1",
    "192.168.1.21",
    "192.168.1.22",
    "192.168.1.23",
    "192.168.1.24",
    "192.168.1.25",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Guangzhou",
      "ST": "Guangzhou",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
```

Note: the IPs in the hosts field of the file above are the addresses of all servers in the k8s cluster. To make later scale-out easier, list a few extra addresses as reserved IPs.

Generate the certificate

```bash
[root@master01 ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
[root@master01 ssl]# ll
-rw-r--r-- 1 root root  296 7月 7 22:00 ca-config.json
-rw-r--r-- 1 root root 1033 7月 7 22:00 ca.csr
-rw-r--r-- 1 root root  291 7月 7 22:00 ca-csr.json
-rw------- 1 root root 1679 7月 7 22:00 ca-key.pem
-rw-r--r-- 1 root root 1285 7月 7 22:00 ca.pem
-rw-r--r-- 1 root root 1289 7月 7 22:02 server.csr
-rw-r--r-- 1 root root  623 7月 7 22:02 server-csr.json
-rw------- 1 root root 1679 7月 7 22:02 server-key.pem
-rw-r--r-- 1 root root 1647 7月 7 22:02 server.pem
```

Configure the k8s components
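Looking back at the server.pem issued above: the note on the hosts field matters because a client that connects to an address missing from the certificate's Subject Alternative Name list fails TLS verification. The following check is an added example, not part of the original article; the function names `san_entries` and `missing_sans` and the sample text are constructed for illustration, and the sample deliberately omits some hosts to show a failing case.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# Input on stdin: the text printed by `openssl x509 -noout -text`.

# Print one SAN entry per line, normalised to "DNS:<name>" or "IP:<addr>".
san_entries() {
  awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^IP Address:/IP:/'
}

# Usage: missing_sans NAME_OR_IP... < cert-text
# Prints each argument that is not an exact SAN entry; returns 1 if any is missing.
missing_sans() {
  local entries want rc
  rc=0
  entries="$(san_entries)"
  for want in "$@"; do
    # -x -F: whole-line literal match, so 192.168.1.2 does not match 192.168.1.21.
    if ! printf '%s\n' "$entries" | grep -qxF -e "DNS:$want" -e "IP:$want"; then
      printf '%s\n' "$want"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample shaped like `openssl x509 -noout -text` output.
# It is NOT the real server.pem: several hosts are left out on purpose.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, IP Address:10.0.0.1, IP Address:127.0.0.1, IP Address:192.168.1.21, IP Address:192.168.1.22, IP Address:192.168.1.23'

# Real use on the master, in /k8s/k8s/ssl:
#   openssl x509 -in server.pem -noout -text | \
#     missing_sans 10.0.0.1 192.168.1.21 192.168.1.22 192.168.1.23 kubernetes.default.svc
```

An empty result with exit status 0 means every listed name and address is covered; any printed value has to be added to server-csr.json and the certificate reissued.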
