  • 二进制安装kubernetes集群

    etcd 的安装见:https://www.cnblogs.com/leleyao/p/10453848.html

    证书制作

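    apiserver 证书(下面 cat *json 的输出依次是 ca-config.json、ca-csr.json、server-csr.json;kubernetes 这个 profile 同时允许 server auth 和 client auth,有效期 87600h 约 10 年,ca-key.pem 一旦泄露即可签发任意受集群信任的证书,应严格限制其读取权限)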

    [root@master01 ssl]# ls *json
    ca-config.json  ca-csr.json  server-csr.json
    [root@master01 ssl]# cat *json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "cnpc",
                "OU": "RF"
            }
        ]
    }
    {
        "CN": "kubernetes",
        "hosts": [
          "10.0.0.1",
          "127.0.0.1",
          "172.16.8.100",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "BeiJing",
                "ST": "BeiJing",
                "O": "cnpc",
                "OU": "RF"
            }
        ]
    }
    
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

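    kube-proxy 的证书(apiserver 把客户端证书的 CN 当作用户名、O 当作用户组;内置的 system:node-proxier 绑定的用户是 system:kube-proxy,这里的 CN 是 kube-proxy,需要自行为该用户做 RBAC 授权)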

    [root@master01 ssl]# cat proxy-csr.json 
    {
    "CN": "kube-proxy",
    "hosts": [],
    "key": {
    "algo": "rsa",
    "size": 2048
    },
    "names": [
    {
    "C": "CN",
    "L": "BeiJing",
    "ST": "BeiJing",
    "O": "cnpc",
    "OU": "RF"
    }
    ]
    }
    
     cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes proxy-csr.json | cfssljson -bare kube-proxy
    

    配置flannel 服务

    etcdctl --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379  put /coreos.com/network/config  '{ "Network": "172.18.0.0/16", "Backend": {"Type": "vxlan"}}'
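    flanneld 当前版本 (v0.10.0) 不支持 etcd v3,故需使用 etcd v2 API 写入配置 key 和网段数据。注意:上面的命令用的是 v3 的写法(--cacert/--cert/--key 与 put),v2 与 v3 的数据互不可见;v2 API 下应使用 --ca-file/--cert-file/--key-file 与 set,和下文查询子网的 ls 命令保持一致。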
    

     修改配置文件

    通过yum方式获取默认 systemd 文件
    [root@master01 ~]# cat /usr/lib/systemd/system/flanneld.service
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network.target
    After=network-online.target
    Wants=network-online.target
    After=etcd.service
    Before=docker.service

    [Service]
    Type=notify
    EnvironmentFile=/etc/sysconfig/flanneld
    EnvironmentFile=-/etc/sysconfig/docker-network
    # 注意启动命令的位置
    ExecStart=/bin/flanneld-start $FLANNEL_OPTIONS
    # 博主nc,写错了路径 flannel 重启了 1000次
    ExecStartPost=/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target
    WantedBy=docker.service

    注:systemd 只把行首的 # 或 ; 当作注释,写在行尾的 # 内容会被当作取值的一部分,所以上面把注释单独成行。下文 rpm -ql 的输出中 mk-docker-opts.sh 位于 /usr/libexec/flannel/,ExecStart 和 ExecStartPost 的路径请按实际安装位置核对。

    [root@master01 ~]# cat /usr/lib/systemd/system/docker.service.d/flannel.conf
    [Service]
    EnvironmentFile=-/run/flannel/docker

    
    [root@master01 ~]# rpm -ql flannel
    /etc/sysconfig/flanneld
    /run/flannel
    /usr/bin/flanneld
    /usr/bin/flanneld-start
    /usr/lib/systemd/system/docker.service.d/flannel.conf
    /usr/lib/systemd/system/flanneld.service
    /usr/lib/tmpfiles.d/flannel.conf
    /usr/libexec/flannel
    /usr/libexec/flannel/mk-docker-opts.sh
    /usr/share/doc/flannel-0.7.1
    /usr/share/doc/flannel-0.7.1/CONTRIBUTING.md
    /usr/share/doc/flannel-0.7.1/DCO
    /usr/share/doc/flannel-0.7.1/LICENSE
    /usr/share/doc/flannel-0.7.1/MAINTAINERS
    /usr/share/doc/flannel-0.7.1/NOTICE
    /usr/share/doc/flannel-0.7.1/README.md
    保留 /etc/sysconfig/flanneld、/usr/lib/systemd/system/docker.service.d/flannel.conf、/usr/lib/systemd/system/flanneld.service 这三个文件(即下面 cp 备份的三个文件)
    [root@master01 ~]# cd /etc/kubernetes/
    [root@master01 kubernetes]# mkdir flannel

    [root@master01 flannel]# cp /usr/lib/systemd/system/docker.service.d/flannel.conf .

    [root@master01 flannel]# cp /etc/sysconfig/flanneld .

    [root@master01 flannel]# cp /usr/lib/systemd/system/flanneld.service .

    [root@master01 flannel]# vim /etc/sysconfig/flanneld

    # Flanneld configuration options

    # etcd url location. Point this to the server where etcd runs
    FLANNEL_ETCD_ENDPOINTS="-etcd-cafile=/etc/etcd/ssl/ca.pem -etcd-certfile=/etc/etcd/ssl/etcd.pem -etcd-keyfile=/etc/etcd/ssl/etcd-key.pem -etcd-endpoints=https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379"

    # etcd config key. This is the configuration key that flannel queries
    # For address range assignment
    FLANNEL_ETCD_PREFIX="/coreos.com/network"

    # Any additional options that you want to pass
    #FLANNEL_OPTIONS=""

    [root@master01 flannel]# ansible all -m copy -a 'src=/etc/sysconfig/flanneld dest=/etc/sysconfig/flanneld'
    192.168.141.135 | SUCCESS => {
    "changed": false,
    "checksum": "d45252d0c4214ef41743ae03ef0efa2668b84add",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/etc/sysconfig/flanneld",
    "size": 536,
    "state": "file",
    "uid": 0
    }
    192.168.141.137 | SUCCESS => {
    "changed": true,
    "checksum": "d45252d0c4214ef41743ae03ef0efa2668b84add",
    "dest": "/etc/sysconfig/flanneld",
    "gid": 0,
    "group": "root",
    "md5sum": "3da1d82f18fda0747be4565ea1f426f7",
    "mode": "0644",
    "owner": "root",
    "size": 536,
    "src": "/root/.ansible/tmp/ansible-tmp-1558088021.59-228568509248759/source",
    "state": "file",
    "uid": 0
    }
    192.168.141.136 | SUCCESS => {
    "changed": true,
    "checksum": "d45252d0c4214ef41743ae03ef0efa2668b84add",
    "dest": "/etc/sysconfig/flanneld",
    "gid": 0,
    "group": "root",
    "md5sum": "3da1d82f18fda0747be4565ea1f426f7",
    "mode": "0644",
    "owner": "root",
    "size": 536,
    "src": "/root/.ansible/tmp/ansible-tmp-1558088021.57-153282686622293/source",
    "state": "file",
    "uid": 0
    }

    mk-docker-opts.sh 脚本将分配给 flanneld 的 Pod 子网网段信息写入 /run/flannel/docker 文件,后续 docker 启动时 使用这个文件中的环境变量配置 docker0 网桥;

    flanneld 使用系统缺省路由所在的接口与其它节点通信,对于有多个网络接口(如内网和公网)的节点,可以用 -iface 参数指定通信接口,例如 eth0;

    flanneld 运行时需要 root 权限

    确定 etcd状态

    [root@master02 yum.repos.d]# etcdctl --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --endpoints='https://192.168.141.135:2379,https://192.168.141.136:2379,https://192.168.141.137:2379' ls /coreos.com/network/subnets/
    /coreos.com/network/subnets/172.18.62.0-24
    /coreos.com/network/subnets/172.18.80.0-24
    /coreos.com/network/subnets/172.18.53.0-24

      

  • 原文地址:https://www.cnblogs.com/leleyao/p/10879568.html