  • 二进制安装 kubernetes 1.12(三)

    在Master节点部署组件

    在部署Kubernetes之前一定要确保etcd、flannel、docker是正常工作的,否则先解决问题再继续。

    创建 CA 证书

    # Working directory for the master CA material (created on demand).
    mkdir -p /iba/master-ca && cd /iba/master-ca

    # CA signing policy: a single "kubernetes" profile valid for 87600h
    # (10 years) that may be used for both server and client authentication.
    # A shorter lifetime plus a rotation plan is the more defensive choice.
    cat << 'EOF' > ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
            "expiry": "87600h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ]
          }
        }
      }
    }
    EOF

    # CSR for the self-signed cluster CA (RSA-2048).
    cat << 'EOF' > ca-csr.json
    {
      "CN": "kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "Beijing",
          "ST": "Beijing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    # Writes ca.csr, ca-key.pem and ca.pem into the current directory.
    # ca-key.pem is the root of trust for the whole cluster: keep it here and
    # copy it only to hosts that must sign with it.
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    

    生成 apiserver 证书:

    # Serving certificate for kube-apiserver. The SANs cover the first address
    # of the service range (10.0.0.1, the in-cluster "kubernetes" service),
    # loopback, the master's own IP and the in-cluster DNS names; a client
    # connecting under any other name or IP will get a TLS hostname mismatch.
    cat << 'EOF' > server-csr.json
    {
      "CN": "kubernetes",
      "hosts": [
        "10.0.0.1",
        "127.0.0.1",
        "192.168.0.205",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    # Sign with the cluster CA using the "kubernetes" profile from ca-config.json.
    # Produces server.pem, server-key.pem and server.csr.
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      server-csr.json | cfssljson -bare server
    

    生成 kube-proxy 证书:

    # Client certificate for kube-proxy. The CN "system:kube-proxy" is the
    # identity RBAC sees; no hosts are listed because this cert is only used
    # as a client credential.
    cat << 'EOF' > kube-proxy-csr.json
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "Beijing",
          "ST": "Beijing",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF

    # Sign with the cluster CA; produces kube-proxy.pem, kube-proxy-key.pem
    # and kube-proxy.csr.
    cfssl gencert \
      -ca=ca.pem \
      -ca-key=ca-key.pem \
      -config=ca-config.json \
      -profile=kubernetes \
      kube-proxy-csr.json | cfssljson -bare kube-proxy
    

    部署 apiserver 组件

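    # Install the control-plane binaries under /opt/kubernetes.
    mkdir -p /opt/kubernetes/{bin,cfg,ssl}
    cd /iba/tools
    wget https://dl.k8s.io/v1.12.4/kubernetes-server-linux-amd64.tar.gz
    # Verify the archive against the SHA256 published with the v1.12.4 release
    # before unpacking it (replace the placeholder with the published value):
    #   echo "<SHA256_FROM_RELEASE_NOTES>  kubernetes-server-linux-amd64.tar.gz" | sha256sum -c -
    tar -xzf kubernetes-server-linux-amd64.tar.gz
    cd kubernetes/server/bin/
    cp kube-apiserver kube-scheduler kube-controller-manager kubectl /opt/kubernetes/bin/

    # Bootstrap token file for TLS bootstrapping.
    # Columns: token,user name,UID,"group".
    # Anyone holding this token can authenticate as kubelet-bootstrap, so
    # generate a fresh random value instead of reusing one copied from a
    # tutorial. The same token must later be placed in the nodes' bootstrap
    # kubeconfig; read it back from token.csv at that point rather than
    # echoing it into the terminal or shell history.
    cd /opt/kubernetes/cfg/
    BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')

    cat > token.csv << EOF
    ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    EOF

    # The token is a bearer credential: keep the file readable by root only.
    chmod 600 token.csv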
    

    创建apiserver配置文件

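    # kube-apiserver options, read by the systemd unit via EnvironmentFile.
    # Trailing backslashes are heredoc line continuations, so the value is
    # written as a single line and parses the same on every systemd version.
    #
    # NOTE(review): --service-account-key-file points at the CA private key.
    # A dedicated service-account key pair is preferable, but it must match
    # the controller-manager's --service-account-private-key-file, so it is
    # left unchanged here. --allow-privileged=true permits privileged pods
    # cluster-wide; constrain who may create them with admission policy.
    cat > /opt/kubernetes/cfg/kube-apiserver << EOF
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --etcd-servers=https://192.168.0.205:2379,https://192.168.0.206:2379,https://192.168.0.207:2379 \
    --bind-address=192.168.0.205 \
    --secure-port=6443 \
    --advertise-address=192.168.0.205 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth \
    --token-auth-file=/opt/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/opt/kubernetes/ssl/server.pem \
    --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
    --client-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/opt/etcd/ssl/ca.pem \
    --etcd-certfile=/opt/etcd/ssl/server.pem \
    --etcd-keyfile=/opt/etcd/ssl/server-key.pem"
    EOF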
    

    参数说明:

    --logtostderr                       // 启用日志
    --v                                 // 日志等级
    --etcd-servers                      // etcd集群地址
    --bind-address                      // 监听地址
    --secure-port                       // https安全端口
    --advertise-address                 // 集群通告地址
    --allow-privileged                  // 允许运行特权容器
    --service-cluster-ip-range          // Service虚拟IP地址段
    --enable-admission-plugins          // 准入控制模块
    --authorization-mode                // 认证授权,启用RBAC授权和节点自管理
    --enable-bootstrap-token-auth       // 启用TLS bootstrap功能,后面会讲到
    --token-auth-file                   // token文件
    --service-node-port-range           // Service NodePort 类型默认分配端口范围
    
    systemd管理apiserver
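    # systemd unit for kube-apiserver. The quoted delimiter keeps
    # $KUBE_APISERVER_OPTS literal so that systemd, not this shell, expands
    # it from the EnvironmentFile at start-up. (The original used the
    # delimiter "-'EOF'"/"-EOF", which works but reads like a typo for <<-.)
    cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
    ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    # Install the certificates the options file refers to before starting.
    # ca-key.pem is needed here only because --service-account-key-file
    # points at it. cfssljson writes keys mode 0600; cp preserves that for a
    # newly created destination.
    cd /iba/master-ca/
    cp server.pem server-key.pem ca.pem ca-key.pem /opt/kubernetes/ssl/

    systemctl daemon-reload
    systemctl enable kube-apiserver
    systemctl start kube-apiserver
    systemctl status kube-apiserver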
    

    部署 scheduler 组件

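    # kube-scheduler options (trailing backslashes join the lines into one).
    # --master uses the apiserver's insecure port: plaintext and
    # unauthenticated, which kube-apiserver 1.12 binds to 127.0.0.1:8080 by
    # default and the apiserver options above do not change. That is only
    # acceptable because the scheduler runs on the same host; do not expose
    # that port beyond loopback.
    cat > /opt/kubernetes/cfg/kube-scheduler << EOF
    KUBE_SCHEDULER_OPTS="--logtostderr=true \
    --v=4 \
    --master=127.0.0.1:8080 \
    --leader-elect"
    EOF

    # systemd unit for kube-scheduler; the quoted delimiter keeps
    # $KUBE_SCHEDULER_OPTS for systemd to expand.
    cat > /usr/lib/systemd/system/kube-scheduler.service << 'EOF'
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
    ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    # Start kube-scheduler.
    systemctl daemon-reload
    systemctl enable kube-scheduler
    systemctl start kube-scheduler
    systemctl status kube-scheduler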
    

    部署 controller-manager 组件

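    # kube-controller-manager options (trailing backslashes join the lines).
    # --cluster-signing-* let it sign approved CertificateSigningRequests
    # (used by kubelet TLS bootstrapping) with the cluster CA, and
    # --service-account-private-key-file is the key whose public half the
    # apiserver verifies service-account tokens with, so it must be the same
    # key the apiserver was given as --service-account-key-file.
    # --master again relies on the apiserver's loopback-only insecure port.
    cat > /opt/kubernetes/cfg/kube-controller-manager << EOF
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
    --v=4 \
    --master=127.0.0.1:8080 \
    --leader-elect=true \
    --address=127.0.0.1 \
    --service-cluster-ip-range=10.0.0.0/24 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
    --root-ca-file=/opt/kubernetes/ssl/ca.pem \
    --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
    EOF

    # systemd unit for kube-controller-manager; the quoted delimiter keeps
    # $KUBE_CONTROLLER_MANAGER_OPTS for systemd to expand.
    cat > /usr/lib/systemd/system/kube-controller-manager.service << 'EOF'
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes

    [Service]
    EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
    ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    EOF

    # Start kube-controller-manager.
    systemctl daemon-reload
    systemctl enable kube-controller-manager
    systemctl start kube-controller-manager
    systemctl status kube-controller-manager

    # Known issue: after a host reboot the service may fail with
    #   kube-controller-manager: error creating self-signed certificates: mkdir /var/run/kubernetes: permission denied
    #   systemd: kube-controller-manager.service: main process exited, code=exited, status=1/FAILURE
    # (kept as comments so pasting this section does not try to run them).
    # Recreate the runtime directory and start again.
    # NOTE(review): the unit above sets no User=, so the kube:kube ownership
    # presumes a dedicated service account on this host — confirm before
    # relying on it. Adding RuntimeDirectory=kubernetes to [Service] would let
    # systemd create /run/kubernetes on every start instead.
    mkdir -p /var/run/kubernetes/
    chown -R kube:kube /var/run/kubernetes/
    systemctl start kube-controller-manager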
    

    检查当前集群组件状态

    # Sanity check: scheduler, controller-manager and etcd members should all
    # report Healthy ("cs" is the short name for componentstatuses).
    /opt/kubernetes/bin/kubectl get componentstatuses
    
  • 原文地址:https://www.cnblogs.com/klvchen/p/10306343.html