系统信息
| 角色 | 系统 | CPU Core | 内存 | 主机名称 | ip | 安装组件 |
|---|---|---|---|---|---|---|
| master | 18.04.1-Ubuntu | 4 | 8G | master | 192.168.0.107 | kubectl,kube-apiserver,kube-controller-manager,kube-scheduler,etcd,flannald |
| slave | 18.04.1-Ubuntu | 4 | 4G | slave | 192.168.0.114 | docker,flannald,kubelet,kube-proxy,coredns |
k8s&docker版本
| 软件 | 版本 |
|---|---|
| k8s | 1.17.2 |
| etcd | v3.3.18 |
| coredns | 1.6.6(docker镜像) |
| Flanel | v0.11.0 |
| docker | 18.09 |
安装前准备(主节点和从节点都需要执行)
-
关闭swap
sudo swapoff -a sudo sed -i '/ swap / s/^(.*)$/#1/g' /etc/fstab -
配置常用软件安装源
在/etc/apt/sources.list.d/ 追加system.list文件,内容如下deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted deb http://mirrors.aliyun.com/ubuntu/ bionic universe deb http://mirrors.aliyun.com/ubuntu/ bionic-updates universe deb http://mirrors.aliyun.com/ubuntu/ bionic multiverse deb http://mirrors.aliyun.com/ubuntu/ bionic-updates multiverse deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse执行
sudo apt-get update -
创建工作目录
mkdir -p /opt/k8s/{bin,work} /etc/{kubernetes,etcd}/cert -
将 /opt/k8s/bin追加到$PATH中
echo 'PATH=/opt/k8s/bin:$PATH' >>/root/.bashrc source /root/.bashrc -
安装ssh服务,并设置root可以执行
apt install openssh-server #编辑/etc/ssh/sshd_config文件,在#PermitRootLogin prohibit-password下追加PermitRootLogin yes ,重启ssh服务 systemctl restart ssh.service -
安装依赖工具包
apt install -y ipvsadm ipset curl jq socat -
设置主机名
cat >> /etc/hosts <<EOF 192.168.0.107 master 192.168.0.114 slave EOF -
添加节点信任关系,只用在master节点上执行
ssh-keygen -t rsa ssh-copy-id root@192.168.0.114
创建CA根证书和秘钥(在master节点上执行)
-
安装cfssl工具集
cd /opt/k8s/work wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64 cp cfssl_1.4.1_linux_amd64 /opt/k8s/bin/cfssl wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64 cp cfssljson_1.4.1_linux_amd64 /opt/k8s/bin/cfssljson wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64 cp cfssl-certinfo_1.4.1_linux_amd64 /opt/k8s/bin/cfssl-certinfo chmod +x /opt/k8s/bin/* -
创建CA配置文件
cd /opt/k8s/work cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } } } EOF- signing:表示该证书可用于签名其它证书(生成的 ca.pem 证书中 CA=TRUE);
- server auth:表示 client 可以用该该证书对 server 提供的证书进行验证;
- client auth:表示 server 可以用该该证书对 client 提供的证书进行验证;
- expiry : "87600h":证书有效期设置为 10 年;
-
创建证书签名请求文件
cd /opt/k8s/work cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "NanJing", "L": "NanJing", "O": "k8s", "OU": "system" } ], "ca": { "expiry": "87600h" } } EOF -
生成证书
cd /opt/k8s/work cfssl gencert -initca ca-csr.json | cfssljson -bare ca ls ca* -
安装证书
cd /opt/k8s/work cp ca*.pem ca-config.json /etc/kubernetes/cert # 分发到从节点 export node_ip=192.168.0.114 scp ca*.pem ca-config.json root@${node_ip}:/etc/kubernetes/cert/