#证书自签名脚本 root@k8s-master: ~/k8s/k8s-cert 14:06:06 $ cat k8s-cert.sh cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca - #----------------------- #hosts内容slb节点ip,master节点ip,下边是node节点ip(node节点多写一写冗余IP地址为后续使用) cat > server-csr.json <<EOF { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "192.168.1.63", "192.168.1.64", "192.168.1.65", "192.168.1.66", "192.168.1.60", "192.168.1.61", "192.168.1.62", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server #----------------------- cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin #----------------------- cat > kube-proxy-csr.json <<EOF { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy root@k8s-master: ~/k8s/k8s-cert 14:06:12 $ 1. kube-apiserver 2. kube-controller-manager 3. kube-scheduler 配置文件 -> systemd管理组件 -> 启动 ==================================================kube-apiserver==================================================
# 创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
mv token.csv /opt/kubernetes/cfg
2,部署kube-apiserver (1)创建apiserver的文件存放目录 root@k8s-master: ~/soft 14:09:51 $ mkdir /opt/kubernetes/{bin,ssl,cfg} -p (2)解压tar包,将核心组件复制到/opt/kubernetes/bin下kube-apiserver,kube-controller-manager,kube-scheduler root@k8s-master: ~/soft 14:11:12 $ tar zxvf kubernetes-server-linux-amd64.tar.gz root@k8s-master: ~ 14:17:18 $ cd /root/soft/kubernetes/server/bin root@k8s-master: ~/soft/kubernetes/server/bin 14:19:23 $ cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/ (3)kube-apiserver配置文件脚本 root@k8s-master: ~/k8s 14:21:49 $ cat apiserver.sh #!/bin/bash #master主机节点ip地址,传入变量 MASTER_ADDRESS=$1 #etcd所有节点ip地址 ETCD_SERVERS=$2 cat <<EOF >/opt/kubernetes/cfg/kube-apiserver #true开启日志默认写到/var/log/messages,第二选项flase,并在下边指定log写入目录--logs-dir=/opt/kubernetes/logs KUBE_APISERVER_OPTS="--logtostderr=true \ #日志登记,登记越高日志越少 --v=4 \ --etcd-servers=${ETCD_SERVERS} \ --bind-address=${MASTER_ADDRESS} \ --secure-port=6443 \ --advertise-address=${MASTER_ADDRESS} \ --allow-privileged=true \ #负载均衡节点ip范文,下边是端口 --service-cluster-ip-range=10.0.0.0/24 \ --service-node-port-range=30000-50000 \ --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \ --authorization-mode=RBAC,Node \ --kubelet-https=true \ #互相通信的token,身份认证标识 --enable-bootstrap-token-auth \ --token-auth-file=/opt/kubernetes/cfg/token.csv \ #apiserver的ssl自签名证书 --tls-cert-file=/opt/kubernetes/ssl/server.pem \ --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \ --client-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \ #下边是etcd的ssl自签名证书。因为都是https --etcd-cafile=/opt/etcd/ssl/ca.pem \ --etcd-certfile=/opt/etcd/ssl/server.pem \ --etcd-keyfile=/opt/etcd/ssl/server-key.pem" EOF #配置systemctl管理apiserver cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-apiserver systemctl restart kube-apiserver root@k8s-master: ~/k8s 14:21:51 $ (4)将apiserver自签名证书移动到/opt/kubernetes/ssl root@k8s-master: /opt/kubernetes/ssl 15:11:40 $ pwd /opt/kubernetes/ssl root@k8s-master: /opt/kubernetes/ssl 15:11:42 $ ls ca-key.pem ca.pem server-key.pem server.pem root@k8s-master: /opt/kubernetes/ssl 15:11:42 $ (5)复制apiserver自签名证书到/opt/kubernetes/ssl 执行脚本 root@k8s-master: ~/k8s 14:47:17 $ ./apiserver.sh 192.168.1.63 https://192.168.1.63:2379,https://192.168.1.65:2379,https://192.168.1.66:2379 (6)验证apiserver是否启动成功 root@k8s-master: /opt/kubernetes/ssl 15:12:50 $ netstat -lntup |grep 8080 tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 3972/kube-apiserver root@k8s-master: /opt/kubernetes/ssl 15:12:52 root@k8s-master: /opt/kubernetes/ssl 15:13:21 $ ps -ef|grep kube root 3972 1 1 11:57 ? 00:03:14 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.1.63:2379,https://192.168.1.65:2379,https://192.168.1.66:2379 --bind-address=192.168.1.63 --secure-port=6443 --advertise-address=192.168.1.63 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem root 4091 1 0 12:07 ? 00:01:00 /opt/kubernetes/bin/kube-scheduler --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect root 4096 1 0 12:07 ? 00:01:32 /opt/kubernetes/bin/kube-controller-manager --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=87600h0m0s root 5899 5763 0 15:13 pts/0 00:00:00 grep --color=auto kube root@k8s-master: /opt/kubernetes/ssl 15:13:26 $ ####报错排查方式 $ source /opt/kubernetes/cfg/kube-apiserver $ /opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS ==================================================kube-controller-manager================================================== root@k8s-master: ~/k8s 15:15:44 $ cat controller-manager.sh #!/bin/bash #传参master节点ip地址 MASTER_ADDRESS=$1 cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \ --v=4 \ #master-apiserver运行端口8080所有引用传参变量 --master=${MASTER_ADDRESS}:8080 \ #选举,自动做高可用 --leader-elect=true \ #这个服务只在本地运行所以能跟apiserver通信就可以了 --address=127.0.0.1 \ --service-cluster-ip-range=10.0.0.0/24 \ --cluster-name=kubernetes \ #颁发证书 --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \ --root-ca-file=/opt/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \ --experimental-cluster-signing-duration=87600h0m0s" EOF ##使用systemctl管理controller工具 cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-controller-manager systemctl restart kube-controller-manager root@k8s-master: ~/k8s 15:15:46 $ ==================================================kube-scheduler================================================== root@k8s-master: ~/k8s 15:46:04 $ cat scheduler.sh #!/bin/bash MASTER_ADDRESS=$1 ##scheduler四行,定义日志,指定masterip,自动选举 cat <<EOF >/opt/kubernetes/cfg/kube-scheduler KUBE_SCHEDULER_OPTS="--logtostderr=true \ --v=4 \ --master=${MASTER_ADDRESS}:8080 \ --leader-elect" EOF cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS Restart=on-failure [Install] WantedBy=multi-user.target EOF systemctl daemon-reload systemctl enable kube-scheduler systemctl restart kube-scheduler ==================================================kubectl================================================== 部署完成验证 root@k8s-master: ~/k8s 15:47:29 $ cp /root/soft/kubernetes/server/bin/kubectl /usr/bin/ #检查当前集群节点的健康状态 $ kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"} etcd-1 Healthy {"health":"true"} root@k8s-master: ~/k8s 15:48:14 $ ###ps:cs为缩写