文章目录
- 1. k8s架构
- 2. k8s安装
- 2.1 颁发证书
- 2.2 部署etcd集群
- 2.3 master节点安装
- 2.3.1 api-server服务安装
- 2.3.2 controller-manager服务安装
- 2.3.3 scheduler服务安装
- 2.4 node节点安装
- 2.5 配置flannel网络
1. k8s架构
2. k8s安装
# 增加免密操作
[root@k8s-node3 ~]# ssh-keygen
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.11
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.12
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.13
2.1 颁发证书
etcd–etcd–etcd
apiserver–etcd
flanneld–etcd
apiserver–kubelet
apiserver–kubeproxy
6443 https
api-server–controller-manager
api-server–scheduler
8080 http 172.0.0.1
# (1) 上传生成证书的软件, https://github.com/cloudflare/cfssl/releases下载
[root@k8s-node3 softs]# ls
cfssl cfssl-certinfo cfssl-json
[root@k8s-node3 softs]# chmod +x *
# (2) 创建配置文件,peer 用于节点与节点之间的通讯,etcd与etcd之间进行通讯时使用
[root@k8s-node3 certs]# cat ca-config.json
{"signing": {"default": {"expiry": "175200h"},"profiles": {"server": {"expiry": "175200h","usages": ["signing","key encipherment","server auth"]},"client": {"expiry": "175200h","usages": ["signing","key encipherment","client auth"]},"peer": {"expiry": "175200h","usages": ["signing","key encipherment","server auth","client auth"]}}}
}
[root@k8s-node3 certs]# cat ca-csr.json
{"CN": "kubernetes-ca","hosts": [],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "bejing","L": "beijing","O": "od","OU": "ops"}],"ca": {"expiry": "175200h"}
}
# (3) 生成CA证书和私钥
[root@k8s-node3 certs]# sudo cfssl gencert -initca ca-csr.json | /opt/softs/cfssl-json -bare ca -
[root@k8s-node3 certs]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
2.2 部署etcd集群
# 1. 创建etcd-peer-csr.json文件
[root@k8s-node3 certs]# cat etcd-peer-csr.json
{"CN": "etcd-peer","hosts": ["10.0.0.11","10.0.0.12","10.0.0.13"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "bejing","L": "beijing","O": "od","OU": "ops"}]
}
# 2. 生成密钥对
[root@k8s-node3 certs]# sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | /opt/softs/cfssl-json -bare etcd-peer
# 3.安装etcd,修改配置
# 注意:ETCD_LISTEN_CLIENT_URLS 中的 http://127.0.0.1:2379 是明文监听,不受 ETCD_CLIENT_CERT_AUTH 约束,本机任何进程都可以不带证书读写 etcd
[root@k8s-master etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-master etcd]# cat etcd.conf
ETCD_DATA_DIR="/var/lib/etcd/"
ETCD_LISTEN_PEER_URLS="https://10.0.0.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.11:2379,http://127.0.0.1:2379"
ETCD_NAME="node1"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.11:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.11:2379,http://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_PEER_AUTO_TLS="true"
[root@k8s-node1 etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-node1 etcd]# cat etcd.conf
ETCD_DATA_DIR="/var/lib/etcd/"
ETCD_LISTEN_PEER_URLS="https://10.0.0.12:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.12:2379,http://127.0.0.1:2379"
ETCD_NAME="node2"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.12:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://9.0.0.12:2379,http://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_PEER_AUTO_TLS="true"
[root@k8s-node2 etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-node2 etcd]# cat etcd.conf
ETCD_DATA_DIR="/var/lib/etcd/"
ETCD_LISTEN_PEER_URLS="https://10.0.0.13:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.13:2379,http://127.0.0.1:2379"
ETCD_NAME="node3"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.13:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.13:2379,http://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
ETCD_PEER_AUTO_TLS="true"
# 4. 分发密钥对
# 注意:下面的 *.pem 也会匹配到 CA 私钥 ca-key.pem,它只应留在签发证书的这台机器上;etcd 节点只需要 ca.pem、etcd-peer.pem、etcd-peer-key.pem
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.11:/etc/etcd/
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.12:/etc/etcd/
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.13:/etc/etcd/
# 5. 给密钥对授权
[root@k8s-master etcd]# chown -R etcd:etcd *.pem
[root@k8s-node1 etcd]# chown -R etcd:etcd *.pem
[root@k8s-node2 etcd]# chown -R etcd:etcd *.pem
# 6. master、node1、node2同时启动etcd服务并加入开机自启
systemctl start etcd
systemctl enable etcd
# 7. 验证etcd集群
# 注意:下面输出中 node2 的 clientURLs 是 https://9.0.0.12:2379,来自 k8s-node1 上 etcd.conf(ETCD_NAME="node2")里 ETCD_ADVERTISE_CLIENT_URLS 的笔误(应为 10.0.0.12)
# 这里的 etcdctl 走的是本机明文 http://127.0.0.1:2379,并没有验证 TLS 客户端认证;要验证证书链路可加 --endpoints=https://10.0.0.11:2379 --ca-file --cert-file --key-file
[root@k8s-master ~]# etcdctl member list
55fcbe0adaa45350: name=node3 peerURLs=https://10.0.0.13:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.13:2379 isLeader=false
cebdf10928a06f3c: name=node1 peerURLs=https://10.0.0.11:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.11:2379 isLeader=true
f7a9c20602b8532e: name=node2 peerURLs=https://10.0.0.12:2380 clientURLs=http://127.0.0.1:2379,https://9.0.0.12:2379 isLeader=false