Environment preparation:

For this exercise the cluster is built with a single master and a single node (Kubernetes 1.19).

Role    IP              Components
master  10.129.246.114  kube-apiserver, kube-controller-manager, kube-scheduler, etcd
node    10.129.244.229  kubelet, kube-proxy, docker, etcd

OS initialization

# Disable the firewall (lab shortcut; in production open only the ports the cluster needs instead)
systemctl stop firewalld
systemctl disable firewalld

# Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config   # permanent
setenforce 0                                         # temporary

# Disable swap
swapoff -a                                  # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab         # permanent

# Set the hostname according to the plan
hostnamectl set-hostname <hostname>

# Add hosts entries on master
cat >> /etc/hosts << EOF
10.129.246.114 master
10.129.244.229 node
EOF

# Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

sysctl --system   # apply

# Time synchronization
yum install -y ntpdate
ntpdate time.windows.com

Deploying the etcd cluster

etcd is a distributed key-value store, and Kubernetes keeps all of its state in etcd, so an etcd database is prepared first. To avoid a single point of failure etcd should be deployed as a cluster; here two machines form the cluster. Note that a two-member cluster still needs both members for quorum, so it gives no tolerance to a member failure; three or more members are needed for that.
Note: to save machines, etcd is co-located on the Kubernetes nodes here. It can also be deployed outside the Kubernetes cluster, as long as the apiserver can reach it.

Preparing the cfssl certificate tool

cfssl is an open-source certificate management tool that generates certificates from JSON files and is more convenient to use than openssl. Run this on any server; here the master node is used.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

Generating the etcd certificates

Self-signed certificate authority (CA)

# Create the working directory
mkdir -p /root/etcd

Self-signed CA:

# Work inside /root/etcd/
cd /root/etcd
cat > ca-config.json << CFY
{
    "signing":{
        "default":{
            "expiry":"87600h"
        },
        "profiles":{
            "www":{
                "expiry":"87600h",
                "usages":[
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
CFY

Generate the CA certificate

# ca-csr.json, the CA request file consumed below, is not listed on this page
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

ls *.pem
ca-key.pem ca.pem

Issuing the etcd HTTPS certificate with the self-signed CA

Create the certificate request file. The hosts field must list the IP of every etcd member, because this one certificate is used for both peer and client TLS on each node:

cat > server-csr.json << CFY
{
    "CN":"etcd",
    "hosts":[
        "10.129.246.114",
        "10.129.244.229"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing"
        }
    ]
}
CFY

Generate the certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

ls server*pem
server-key.pem server.pem

Downloading the binaries

Official address: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/ (binary packages)

Deploying the etcd cluster

The following is done on the master node; to keep things simple, every file generated on master is copied to the node afterwards.

Unpack the binary package:

mkdir -p /opt/etcd/{bin,cfg,ssl}
tar zxvf etcd-v3.2.12-linux-amd64.tar.gz
mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

Create the etcd configuration file

cat > /opt/etcd/cfg/etcd.conf << CFY
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.129.246.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.129.246.114:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.129.246.114:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.129.246.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
CFY
---------------------------------------------------------------
ETCD_NAME: member name
ETCD_DATA_DIR: data directory
ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
ETCD_LISTEN_CLIENT_URLS: listen address for client access
ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
ETCD_INITIAL_CLUSTER: addresses of all cluster members
ETCD_INITIAL_CLUSTER_TOKEN: cluster token
ETCD_INITIAL_CLUSTER_STATE: state when joining; new for a new cluster, existing to join an existing cluster
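An added pre-flight check (example code, not from the original post): because the same server certificate serves peer and client TLS on every member, each https address in etcd.conf must appear in the hosts list of server-csr.json, and the signing profile must carry both server auth and client auth. The script below checks those three files against each other; the embedded inputs are constructed copies of this page's contents and the file names are assumed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs mirroring the page's etcd.conf, server-csr.json and
# ca-config.json (embedded so the check runs offline; not read from disk).
ETCD_CONF = '''
ETCD_NAME="etcd01"
ETCD_LISTEN_PEER_URLS="https://10.129.246.114:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.129.246.114:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
'''
SERVER_CSR = json.loads('{"CN": "etcd", "hosts": ["10.129.246.114", "10.129.244.229"],'
                        ' "key": {"algo": "rsa", "size": 2048}}')
CA_CONFIG = {"signing": {"default": {"expiry": "87600h"}, "profiles": {"www": {
    "expiry": "87600h", "usages": ["key encipherment", "server auth", "client auth"]}}}}

def parse_etcd_conf(text):
    """Parse KEY="value" lines of the etcd EnvironmentFile; trailing comments are ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z_]+)="([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def tls_hosts(conf):
    """Every host that peers or clients reach over https, i.e. every host that must be a SAN."""
    hosts = set()
    for key in ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS", "ETCD_INITIAL_CLUSTER"):
        for item in conf.get(key, "").split(","):
            url = urlsplit(item.split("=", 1)[-1])  # drop the "etcd01=" member prefix
            if url.scheme == "https" and url.hostname:
                hosts.add(url.hostname)
    return hosts

def check_etcd_pki(conf_text, server_csr, ca_config, profile="www"):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    missing = tls_hosts(parse_etcd_conf(conf_text)) - set(server_csr.get("hosts", []))
    for host in sorted(missing):
        findings.append(f"host {host} is in etcd.conf but not in server-csr.json hosts")
    usages = set(ca_config["signing"]["profiles"].get(profile, {}).get("usages", []))
    for usage in ("server auth", "client auth"):  # the cert acts as both server and client
        if usage not in usages:
            findings.append(f"profile {profile!r} lacks usage {usage!r}")
    return findings

if __name__ == "__main__":
    print(check_etcd_pki(ETCD_CONF, SERVER_CSR, CA_CONFIG) or "OK: SANs and usages cover the cluster")
```

Run it after editing the request file and before signing; a host that is missing from the SAN list only shows up later as a TLS handshake failure between members.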

systemd unit for managing etcd

cat > /usr/lib/systemd/system/etcd.service << CFY
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
        --name=\${ETCD_NAME} \
        --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
        --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
        --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
        --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
        --initial-cluster=\${ETCD_INITIAL_CLUSTER} \
        --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
        --initial-cluster-state=\${ETCD_INITIAL_CLUSTER_STATE} \
        --cert-file=/opt/etcd/ssl/server.pem \
        --key-file=/opt/etcd/ssl/server-key.pem \
        --peer-cert-file=/opt/etcd/ssl/server.pem \
        --peer-key-file=/opt/etcd/ssl/server-key.pem \
        --trusted-ca-file=/opt/etcd/ssl/ca.pem \
        --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
CFY

Copy the certificates generated earlier

Copy the certificates into the paths referenced by the configuration:

cp /root/etcd/ca*pem /root/etcd/server*pem /opt/etcd/ssl

Copy all files generated on master to the node:

scp -r /opt/etcd/ root@10.129.244.229:/opt/
scp /usr/lib/systemd/system/etcd.service root@10.129.244.229:/usr/lib/systemd/system/

On the node, change ETCD_NAME and the IPs in etcd.conf

#[Member]
ETCD_NAME="etcd02"      # change this: the node becomes etcd02
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.129.244.229:2380"    # change to this server's IP
ETCD_LISTEN_CLIENT_URLS="https://10.129.244.229:2379"  # change to this server's IP

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.129.244.229:2380"  # change to this server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://10.129.244.229:2379"    # change to this server's IP
ETCD_INITIAL_CLUSTER="etcd01=https://10.129.246.114:2380,etcd02=https://10.129.244.229:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

Start the etcd cluster

Start the cluster and enable it at boot (start etcd on the node first and then on master, running the two starts concurrently: with Type=notify the first member's start blocks until it can reach a peer):

systemctl daemon-reload
systemctl start etcd
systemctl enable etcd

After deployment, check the etcd cluster status

/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://10.129.246.114:2379,https://10.129.244.229:2379" cluster-health

member 2ea4f7be04a16167 is healthy: got healthy result from https://10.129.246.114:2379
member a849ee1eb498b9b2 is healthy: got healthy result from https://10.129.244.229:2379
cluster is healthy

# If the output looks like the above, the cluster is deployed successfully. If there is a problem, first check the logs: /var/log/messages or journalctl -u etcd (a timeout usually means the firewall is blocking the peer or client port).

Installing Docker on the node

To be continued...


Source: 博客园

Original link: https://www.cnblogs.com/cfy930721/p/15016929.html
