# Installing a single etcd node, then scaling etcd to 2 and 3 nodes: binary installation of Kubernetes 1.11.0

Lab topology:

- master: 192.168.0.91 (also runs etcd)
- node2: 192.168.0.92
- node3: 192.168.0.93

## 1. Environment configuration

Perform the following on all nodes.

Configure host name resolution:

```bash
[root@ip-10-1-1-8 k8s]# hostnamectl set-hostname master
[root@ip-10-1-1-68 ~]# hostnamectl set-hostname node2
[root@ip-10-1-1-111 ~]# hostnamectl set-hostname node3

cat >>/etc/hosts<<EOF
192.168.0.91 master
192.168.0.92 node2
192.168.0.93 node3
EOF
```

Disable SELinux:

```bash
sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/sysconfig/selinux
```

Disable swap: comment out the swap line(s) in /etc/fstab, then reboot all nodes.

Enable forwarding:

```bash
iptables -P FORWARD ACCEPT
```

Configure the forwarding-related kernel parameters:

```bash
cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl --system
```

Load the IPVS kernel modules (they have to be loaded again after every reboot):

```bash
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack_ipv4
lsmod | grep ip_vs
```

## 3. Install the CFSSL certificate tools

Master node only.

```bash
mkdir -pv /server/software/k8s
cd /server/software/k8s

# download the cfssl tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
```

Installing the tools only means renaming the downloaded files, moving them to /usr/local/bin/ and making them executable:

```bash
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*
```

## 4. Create the CA configuration file

It is used when generating the certificates of all other components (everything except the root certificate). Master node only.

```bash
mkdir -p $HOME/ssl && cd $HOME/ssl
cat >ca-config.json<<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
```

## 5. Generate the CA root certificate and private key

They are used when generating the certificates of all other components. Master node only.

```bash
cd $HOME/ssl
cat >ca-csr.json<<EOF
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ],
  "ca": { "expiry": "87600h" }
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
Check the generated certificate and key: `ca-key.pem`, `ca.pem`. Copy the root certificate and key into a dedicated directory:

```bash
mkdir -p /etc/kubernetes/cert/
cp ca*.pem /etc/kubernetes/cert/
```

## 6. Install, configure and start etcd

Master node only.

### 6.1 Generate the etcd certificate and private key

```bash
cd $HOME/ssl
cat >etcd-csr.json<<EOF
{
  "CN": "etcd",
  "hosts": [ "127.0.0.1", "192.168.0.91", "192.168.0.92", "192.168.0.93" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "etcd", "OU": "Etcd Security" } ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
```

Check the generated certificate and key: `etcd-key.pem`, `etcd.pem`. Copy the etcd certificate into a dedicated directory:

```bash
mkdir -p /etc/etcd/cert/
cp etcd*.pem /etc/etcd/cert/
```

### 6.2 Install etcd

```bash
mkdir -p /server/software/k8s
mkdir -p /opt/k8s/bin
cd /server/software/k8s
wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
tar -xf etcd-v3.2.18-linux-amd64.tar.gz
mv etcd-v3.2.18-linux-amd64/etcd* /opt/k8s/bin
chmod +x /opt/k8s/bin/*
ln -s /opt/k8s/bin/etcd /usr/bin/etcd
etcd --version
```

### 6.3 Configure the etcd startup script

Note: after several attempts, adding members would not succeed without `--force-new-cluster`; the flag forces etcd to form a new cluster.

```bash
cat >> /etc/profile << EOF
export ETCD_NAME=$(hostname)
export INTERNAL_IP=$(hostname -i | awk '{print $NF}')
export ETCD_CLUSTER='master=https://192.168.0.91:2380'
EOF
source /etc/profile
mkdir -p /data/etcd

cat > /etc/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/data/etcd
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/opt/k8s/bin/etcd \
  --name $ETCD_NAME \
  --cert-file=/etc/etcd/cert/etcd.pem \
  --key-file=/etc/etcd/cert/etcd-key.pem \
  --peer-cert-file=/etc/etcd/cert/etcd.pem \
  --peer-key-file=/etc/etcd/cert/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/cert/ca.pem \
  --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \
  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \
  --listen-peer-urls https://${INTERNAL_IP}:2380 \
  --listen-client-urls https://${INTERNAL_IP}:2379,http://127.0.0.1:2379 \
  --advertise-client-urls https://${INTERNAL_IP}:2379 \
  --initial-cluster-token my-etcd-token \
  --initial-cluster $ETCD_CLUSTER \
  --initial-cluster-state new \
  --force-new-cluster \
  --data-dir=/data/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

### 6.4 Start etcd and enable it at boot

```bash
systemctl daemon-reload   # must be run, otherwise the start fails
systemctl start etcd
systemctl status etcd
systemctl enable etcd
```

### 6.5 Check the status of the single-node etcd cluster

```text
[root@master ~]# etcdctl cluster-health
member 42f7141ed6110de1 is healthy: got healthy result from https://192.168.0.91:2379
cluster is healthy
```

## Distribute all Kubernetes component binaries in advance and install the kubectl tool

The extracted server package already contains kubectl, so there is no need to distribute kubectl separately from the kubernetes-server-client-amd64.tar.gz package.

```bash
# download and extract the package
cd /server/software/k8s
wget https://dl.k8s.io/v1.11.0/kubernetes-server-linux-amd64.tar.gz
tar -xf kubernetes-server-linux-amd64.tar.gz

# distribute the component binaries;
# the kube-apiserver and other unit files configured later reference this path
mkdir -p /usr/local/kubernetes/bin
cd /server/software/k8s/kubernetes/server/bin
cp kube-apiserver kube-controller-manager kube-scheduler kube-proxy kubelet kubectl /usr/local/kubernetes/bin   # this step is essential

# install the kubectl tool
# it is needed later to create the admin kubeconfig and the other config files;
# admin.conf = ~/.kube/config, because it is copied there;
# role of kubectl: once the kubelet has authenticated with the bootstrap token, kubectl reads the
# kube-apiserver address, certificate, user name and so on from ~/.kube/config by default
cp /usr/local/kubernetes/bin/kubectl /usr/local/bin/kubectl

# check the kubectl version; the output below is the expected one.
# The error "did you specify the right host or port?" can be ignored because the kubelet service is not installed yet
kubectl version
```

```text
[root@master bin]# kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
The connection to the server localhost:8080 was refused - did you specify the right host or port?
```
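The etcd certificate in 6.1 is issued for a fixed `hosts` list, and any peer or client endpoint that is not in that list fails TLS verification, including a member added later when the cluster is scaled to 2 or 3 nodes. The following Python script is an added example (not from the original post, not part of cfssl or etcd) that reads a cfssl CSR and reports which required endpoints its `hosts` list misses; the same check applies to the component certificates generated later in the post. The CSR text is constructed from the post's values and the function names are the example's own.

```python
"""Added example (not from the original post, not part of cfssl or etcd):
verify that a cfssl CSR's "hosts" list covers every endpoint the certificate
will be presented on. Function names are this example's own."""
import ipaddress
import json

# Constructed input: the etcd-csr.json from the post, as a string.
ETCD_CSR = """
{
  "CN": "etcd",
  "hosts": ["127.0.0.1", "192.168.0.91", "192.168.0.92", "192.168.0.93"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "BeiJing", "L": "BeiJing",
             "O": "etcd", "OU": "Etcd Security"}]
}
"""


def _canonical(host):
    """Normalise one SAN: canonical IP text, or a lower-cased DNS name
    without its trailing dot."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.rstrip(".").lower()


def csr_hosts(csr_text):
    """The SANs a cfssl CSR asks for (its "hosts" entries), normalised."""
    return {_canonical(h) for h in json.loads(csr_text).get("hosts", [])}


def missing_hosts(csr_text, required):
    """Required endpoints that the CSR does not cover, in the order given."""
    have = csr_hosts(csr_text)
    return [r for r in required if _canonical(r) not in have]


def check_etcd_csr(csr_text, member_ips):
    """etcd peers reach each member on its advertised IP and the local client
    URL is 127.0.0.1, so all of these must be SANs; a member added later
    without being listed here gets TLS verification failures."""
    return missing_hosts(csr_text, ["127.0.0.1", *member_ips])


def weak_key(csr_text, min_bits=2048):
    """True if the CSR asks for an RSA key shorter than min_bits."""
    key = json.loads(csr_text).get("key", {})
    return key.get("algo") == "rsa" and int(key.get("size", 0)) < min_bits


if __name__ == "__main__":
    members = ["192.168.0.91", "192.168.0.92", "192.168.0.93"]
    print("missing for the 3-node cluster:", check_etcd_csr(ETCD_CSR, members))
    print("missing if 192.168.0.94 were added:",
          check_etcd_csr(ETCD_CSR, members + ["192.168.0.94"]))
```

Run it against the real `$HOME/ssl/*-csr.json` files before calling `cfssl gencert`: a certificate that is already signed cannot have SANs added, it has to be re-issued, and with `--force-new-cluster` in play that means re-issuing on every member.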
```bash
cd $HOME
```

## 6. Generate the admin certificate and private key

kubectl is the cluster's management tool and has to be granted the highest privileges, so an admin certificate and an admin kubeconfig with full rights are created here. Note: later on, only the kube-apiserver and kubelet startup parameters use the admin certificate; the kubectl tool and the kubelet service are different things.

```bash
cd $HOME/ssl
cat >admin-csr.json<<EOF
{
  "CN": "admin",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "System" } ]
}
EOF
# generate the admin certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
# check the generated admin certificate
ls admin*.pem
```

## 7. Configure the kube-apiserver certificate

10.96.0.1 is the first IP of the service-cluster-ip-range given to kube-apiserver.

```bash
cd $HOME/ssl
cat >kube-apiserver-csr.json<<EOF
{
  "CN": "kube-apiserver",
  "hosts": [
    "127.0.0.1",
    "192.168.0.91",
    "10.96.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF
# generate the kube-apiserver certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
# check the generated kube-apiserver certificate
ls kube-apiserver*.pem
```

## 8. Configure the kube-controller-manager certificate

```bash
cd $HOME/ssl
cat >kube-controller-manager-csr.json<<EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [ "127.0.0.1", "192.168.0.91" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-controller-manager", "OU": "System" } ]
}
EOF
# generate the kube-controller-manager certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
# check the generated kube-controller-manager certificate
ls kube-controller-manager*.pem
```

## 9. Configure the kube-scheduler certificate

```bash
cd $HOME/ssl
cat >kube-scheduler-csr.json<<EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [ "127.0.0.1", "192.168.0.91" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-scheduler", "OU": "System" } ]
}
EOF
# generate the kube-scheduler certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
# check the generated kube-scheduler certificate
ls kube-scheduler*.pem
```

## 10. Configure the kube-proxy certificate

Only the node nodes need it.

```bash
cd $HOME/ssl
cat >kube-proxy-csr.json<<EOF
{
  "CN": "system:kube-proxy",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-proxy", "OU": "System" } ]
}
EOF
# generate the kube-proxy certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# check the generated kube-proxy certificate
ls kube-proxy*.pem
```

## 11. Copy all certificates into one directory for easier management

```bash
cd $HOME/ssl
mkdir -p /etc/kubernetes/pki /etc/kubernetes/pki/etcd
cp ca*.pem admin*.pem kube-proxy*.pem kube-scheduler*.pem kube-controller-manager*.pem kube-apiserver*.pem /etc/kubernetes/pki
cp etcd.pem etcd-key.pem /etc/kubernetes/pki/etcd/
```

## Enable bootstrap token authentication (the kubelet TLS Bootstrap mechanism)

- The kube-apiserver and kubelet startup files both use the token; the token file contains the kubelet-bootstrap user.
- Later the kubelet startup parameters use the kubelet-bootstrap.conf file to send a CSR to kube-apiserver; only after the request is approved does kubectl read the kube-apiserver address, certificate, user name and so on from ~/.kube/config.
- The token is obtained statically here. The other way is to obtain it dynamically with kubeadm (`kubeadm token create`), which lets the TLS bootstrap mechanism generate the client and server certificates automatically and rotate them when they expire. This lab uses the static method; the token expires after one day.

```bash
export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')

# create token.csv; only the kube-apiserver startup file uses it
cat > /etc/kubernetes/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

# create kubelet-bootstrap.conf; only the kubelet startup file uses it
cd /etc/kubernetes
export KUBE_APISERVER="https://192.168.0.91:6443"
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kubelet-bootstrap.conf
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.conf
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.conf
kubectl config use-context default --kubeconfig=kubelet-bootstrap.conf

# authorise the kubelet-bootstrap user:
# create a clusterrolebinding that grants the kubelet-bootstrap user from the bootstrap token file the system:node-bootstrapper cluster role.
# By default this user and group have no permission to create CSRs and the kubelet fails to start, so the kubelet-bootstrap role must be authorised.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
```

Without the binding the following error appears:

```text
[root@node2 kubernetes]# journalctl -u kubelet |tail
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "kubelet-bootstrap" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
```

## 12. Create the admin kubeconfig

Only the kubelet service startup parameters use the admin kubeconfig. admin.conf = ~/.kube/config, because it is copied there; kubectl reads the kube-apiserver address, certificate, user name and so on from ~/.kube/config by default.

```bash
cd /etc/kubernetes
export KUBE_APISERVER="https://192.168.0.91:6443"
# cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=admin.conf
# client authentication parameters
kubectl config set-credentials admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/admin-key.pem --embed-certs=true --kubeconfig=admin.conf
# context parameters
kubectl config set-context default --cluster=kubernetes --user=admin --kubeconfig=admin.conf
# default context
kubectl config use-context default --kubeconfig=admin.conf
```

## 13. Create the kube-controller-manager kubeconfig

```bash
cd /etc/kubernetes
export KUBE_APISERVER="https://192.168.0.91:6443"
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kube-controller-manager.conf
kubectl config set-credentials kube-controller-manager --client-certificate=/etc/kubernetes/pki/kube-controller-manager.pem --client-key=/etc/kubernetes/pki/kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.conf
kubectl config set-context default --cluster=kubernetes --user=kube-controller-manager --kubeconfig=kube-controller-manager.conf
kubectl config use-context default --kubeconfig=kube-controller-manager.conf
```

## 14. Create the kube-scheduler kubeconfig

```bash
cd /etc/kubernetes
export KUBE_APISERVER="https://192.168.0.91:6443"
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kube-scheduler.conf
kubectl config set-credentials kube-scheduler --client-certificate=/etc/kubernetes/pki/kube-scheduler.pem --client-key=/etc/kubernetes/pki/kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.conf
kubectl config set-context default --cluster=kubernetes --user=kube-scheduler --kubeconfig=kube-scheduler.conf
kubectl config use-context default --kubeconfig=kube-scheduler.conf
```

## 15. Create the kube-proxy kubeconfig

Only the node nodes need the kube-proxy kubeconfig.

```bash
cd /etc/kubernetes
export KUBE_APISERVER="https://192.168.0.91:6443"
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kube-proxy.conf
kubectl config set-credentials kube-proxy --client-certificate=/etc/kubernetes/pki/kube-proxy.pem --client-key=/etc/kubernetes/pki/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.conf
kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.conf
kubectl config use-context default --kubeconfig=kube-proxy.conf
cd $HOME
```

## 17. Configure and start kube-apiserver

```bash
# copy the etcd certificate (the CA is already in /etc/kubernetes/pki/ca.pem from step 11)
mkdir -pv /etc/kubernetes/pki/etcd
cp /etc/etcd/cert/etcd.pem /etc/etcd/cert/etcd-key.pem /etc/kubernetes/pki/etcd

# generate the service account key
cd /etc/kubernetes/pki/
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub
ls /etc/kubernetes/pki/sa.*
cd $HOME
```

Unit file:

```bash
cat >/etc/systemd/system/kube-apiserver.service<<EOF
[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/local/kubernetes/bin/kube-apiserver \
        \$KUBE_LOGTOSTDERR \
        \$KUBE_LOG_LEVEL \
        \$KUBE_ETCD_ARGS \
        \$KUBE_API_ADDRESS \
        \$KUBE_SERVICE_ADDRESSES \
        \$KUBE_ADMISSION_CONTROL \
        \$KUBE_APISERVER_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Parameter variables file: kube-apiserver, kube-controller-manager, kube-scheduler and kube-proxy all use it, so it is configured once here and reused. The later sections repeat the file only to show where the variables in their configuration files come from.

```bash
cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF
```

Configure the apiserver. Note: `--token-auth-file=/etc/kubernetes/token.csv` configures the bootstrap token statically in the apiserver, matching the "enable bootstrap token authentication" step above; it is not dynamic, so it has an expiry time. Later the kubelet startup parameters use the kubelet-bootstrap.conf file to send a CSR to kube-apiserver; the token in that `--bootstrap-kubeconfig` file is the same one the apiserver holds.

```bash
cat >/etc/kubernetes/apiserver<<EOF
KUBE_API_ADDRESS="--advertise-address=192.168.0.91"
KUBE_ETCD_ARGS="--etcd-servers=https://192.168.0.91:2379 --etcd-cafile=/etc/kubernetes/pki/ca.pem --etcd-certfile=/etc/kubernetes/pki/etcd/etcd.pem --etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-key.pem"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.96.0.0/12"
KUBE_ADMISSION_CONTROL="--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
KUBE_APISERVER_ARGS="--allow-privileged=true --authorization-mode=Node,RBAC --enable-bootstrap-token-auth=true --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-32767 --tls-cert-file=/etc/kubernetes/pki/kube-apiserver.pem --tls-private-key-file=/etc/kubernetes/pki/kube-apiserver-key.pem --client-ca-file=/etc/kubernetes/pki/ca.pem --service-account-key-file=/etc/kubernetes/pki/sa.pub --enable-swagger-ui=true --secure-port=6443 --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --anonymous-auth=false --kubelet-client-certificate=/etc/kubernetes/pki/admin.pem --kubelet-client-key=/etc/kubernetes/pki/admin-key.pem"
EOF
```

Start:

```bash
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver
systemctl status kube-apiserver
```

Test access with a browser or curl. An error here is normal and does not matter; it is dealt with later.

```bash
curl https://192.168.0.91:6443/swaggerapi
```

## 18. Configure and start kube-controller-manager

Unit file:

```bash
cat >/etc/systemd/system/kube-controller-manager.service<<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/controller-manager
ExecStart=/usr/local/kubernetes/bin/kube-controller-manager \
        \$KUBE_LOGTOSTDERR \
        \$KUBE_LOG_LEVEL \
        \$KUBECONFIG \
        \$KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Parameter variables file: it was already written while configuring kube-apiserver and does not need to be written again; it is repeated here only to show where the variables in the file below come from.

```bash
cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF
```

Configure the controller-manager file:

```bash
cat >/etc/kubernetes/controller-manager<<EOF
KUBECONFIG="--kubeconfig=/etc/kubernetes/kube-controller-manager.conf"
KUBE_CONTROLLER_MANAGER_ARGS="--address=127.0.0.1 --cluster-cidr=10.244.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem --service-account-private-key-file=/etc/kubernetes/pki/sa.key --root-ca-file=/etc/kubernetes/pki/ca.pem --leader-elect=true --use-service-account-credentials=true --node-monitor-grace-period=10s --pod-eviction-timeout=10s --allocate-node-cidrs=true --controllers=*,bootstrapsigner,tokencleaner"
EOF
```

Start:

```bash
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
systemctl status kube-controller-manager
```

## 19. Configure and start kube-scheduler

Unit file:

```bash
cat >/etc/systemd/system/kube-scheduler.service<<EOF
[Unit]
Description=Kubernetes Scheduler Plugin
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/scheduler
ExecStart=/usr/local/kubernetes/bin/kube-scheduler \
        \$KUBE_LOGTOSTDERR \
        \$KUBE_LOG_LEVEL \
        \$KUBECONFIG \
        \$KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Parameter variables file: already written while configuring kube-apiserver; repeated here only to show where the variables in the file below come from.

```bash
cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF
```

Configure the scheduler file:

```bash
cat >/etc/kubernetes/scheduler<<EOF
KUBECONFIG="--kubeconfig=/etc/kubernetes/kube-scheduler.conf"
KUBE_SCHEDULER_ARGS="--leader-elect=true --address=127.0.0.1"
EOF
```

Start:

```bash
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl start kube-scheduler
systemctl status kube-scheduler
```

## 21. Configure the node2 components separately

### 21.1 Install docker

Note: docker and flannel go together; whichever node needs flannel also needs docker. Kubernetes v1.11.0 recommends docker v17.03; docker v1.11, v1.12 and v1.13 also work, while newer docker versions may not work properly. Testing showed that 17.09 does not work: resource limits (memory, CPU) cannot be used.

```bash
# remove any docker that is already installed
yum remove -y docker-ce docker-ce-selinux container-selinux

# download the Docker packages
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm

# install Docker and its dependencies
yum install -y docker-ce-*.rpm

# enable at boot and start the docker service
systemctl enable docker
systemctl start docker
```

### 21.2 Deploy the kubelet component

```bash
# download and extract the package
mkdir -p /server/software/k8s
cd /server/software/k8s
wget https://dl.k8s.io/v1.11.0/kubernetes-server-linux-amd64.tar.gz
```
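The bootstrap token section and the `/etc/kubernetes/apiserver` file above are where the kubelet's first authentication is wired up: the token in `token.csv`, the `--token-auth-file`, `--enable-bootstrap-token-auth`, `--anonymous-auth=false` and `--authorization-mode=Node,RBAC` settings all have to agree. The following Python script is an added example (not from the original post, not part of Kubernetes) that generates a token of the same shape the post's shell pipeline produces, validates `token.csv` lines, and audits a `KUBE_APISERVER_ARGS` string for those settings. The argument string is constructed from the post's values and the function names are the example's own.

```python
"""Added example (not from the original post, not part of Kubernetes): the
static bootstrap-token wiring. It generates a token the way the post does,
validates token.csv lines, and audits a KUBE_APISERVER_ARGS string for the
settings the bootstrap flow depends on. Inputs are constructed from the
post's values; function names are this example's own."""
import csv
import io
import re
import secrets
import shlex

# Constructed input: the KUBE_APISERVER_ARGS value from the post.
APISERVER_ARGS = (
    "--allow-privileged=true --authorization-mode=Node,RBAC "
    "--enable-bootstrap-token-auth=true --token-auth-file=/etc/kubernetes/token.csv "
    "--service-node-port-range=30000-32767 "
    "--tls-cert-file=/etc/kubernetes/pki/kube-apiserver.pem "
    "--tls-private-key-file=/etc/kubernetes/pki/kube-apiserver-key.pem "
    "--client-ca-file=/etc/kubernetes/pki/ca.pem "
    "--service-account-key-file=/etc/kubernetes/pki/sa.pub --enable-swagger-ui=true "
    "--secure-port=6443 --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname "
    "--anonymous-auth=false --kubelet-client-certificate=/etc/kubernetes/pki/admin.pem "
    "--kubelet-client-key=/etc/kubernetes/pki/admin-key.pem"
)


def new_bootstrap_token():
    """Same shape as `head -c 16 /dev/urandom | od -An -t x | tr -d ' '`:
    16 random bytes rendered as 32 hex characters."""
    return secrets.token_hex(16)


def token_csv_line(token, user="kubelet-bootstrap", uid="10001",
                   groups=("system:kubelet-bootstrap",)):
    """One token.csv record: token,user,uid,"group1,group2"."""
    group_field = ",".join(groups)
    return f'{token},{user},{uid},"{group_field}"'


def parse_token_csv(text):
    """Parse token.csv into records; returns (records, errors). The hex check
    enforces the post's own token format, which is stricter than what
    kube-apiserver itself accepts."""
    records, errors = [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue
        if len(row) < 3:
            errors.append(f"line {n}: expected token,user,uid[,groups]")
            continue
        token, user, uid = row[0], row[1], row[2]
        groups = row[3].split(",") if len(row) > 3 and row[3] else []
        if not re.fullmatch(r"[0-9a-f]{32}", token):
            errors.append(f"line {n}: token is not 32 lowercase hex chars")
        if not uid.isdigit():
            errors.append(f"line {n}: uid {uid!r} is not numeric")
        records.append({"token": token, "user": user, "uid": uid, "groups": groups})
    return records, errors


def parse_flags(arg_string):
    """Turn '--a=b --c' into {'a': 'b', 'c': 'true'}."""
    flags = {}
    for tok in shlex.split(arg_string):
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags


def audit_apiserver(arg_string, token_file="/etc/kubernetes/token.csv"):
    """Findings (empty list = fine) for the settings the bootstrap flow and
    the post's authentication/authorization setup rely on."""
    f = parse_flags(arg_string)
    findings = []
    if f.get("enable-bootstrap-token-auth") != "true":
        findings.append("bootstrap token auth is not enabled")
    if f.get("token-auth-file") != token_file:
        findings.append(f"token-auth-file is not {token_file}")
    if f.get("anonymous-auth", "true") != "false":
        findings.append("anonymous requests are allowed")
    if "RBAC" not in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("RBAC is not in authorization-mode")
    if not f.get("client-ca-file"):
        findings.append("no client-ca-file, client certificates cannot be verified")
    return findings


if __name__ == "__main__":
    line = token_csv_line(new_bootstrap_token())
    print(line)
    print(parse_token_csv(line))
    print("apiserver findings:", audit_apiserver(APISERVER_ARGS))
```

The audit treats a missing `--anonymous-auth` as allowed and a missing `--authorization-mode` as `AlwaysAllow`, which are the kube-apiserver defaults in this version, so leaving a flag out is reported the same way as setting it to the weak value.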
```bash
tar -xf kubernetes-server-linux-amd64.tar.gz

# distribute the kubelet binary; the kubelet unit file below references this path
mkdir -p /usr/local/kubernetes/bin
cp /server/software/k8s/kubernetes/server/bin/kubelet /usr/local/kubernetes/bin   # this step is essential

# install the kubectl tool
# the kubectl tool and the kubelet service are different things. The extracted server package already contains kubectl,
# so there is no need to distribute kubectl separately from the kubernetes-server-client-amd64.tar.gz package
# role of kubectl: once the kubelet has authenticated with the bootstrap token, kubectl reads the kube-apiserver
# address, certificate, user name and so on from ~/.kube/config by default;
# admin.conf = ~/.kube/config, because it is copied there
cp /server/software/k8s/kubernetes/server/bin/kubectl /usr/local/bin/kubectl

# check the kubectl version; the output below is the expected one.
# The error "did you specify the right host or port?" can be ignored because the kubelet service is not installed yet
kubectl version
```

```text
[root@node2 bin]# kubectl version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
The connection to the server localhost:8080 was refused - did you specify the right host or port?
```
```bash
cd $HOME
```

Copy admin.conf from the master to the node:

```bash
scp /etc/kubernetes/admin.conf root@192.168.0.92:/etc/kubernetes/
```

Copy admin.conf to ~/.kube/config. kubectl reads the kube-apiserver address, certificate, user name and so on from ~/.kube/config by default; without it, kubectl commands may fail:

```bash
rm -rf $HOME/.kube
mkdir -p $HOME/.kube
cp /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
```

Or:

```bash
export KUBECONFIG=/etc/kubernetes/admin.conf
```

Copy kubelet-bootstrap.conf from the master to the node. The kubelet service startup parameters use kubelet-bootstrap.conf to send a CSR to kube-apiserver; once the kubelet has authenticated with the bootstrap token, kubectl reads the kube-apiserver address, certificate, user name and so on from ~/.kube/config by default.

```bash
scp /etc/kubernetes/kubelet-bootstrap.conf root@192.168.0.92:/etc/kubernetes/
```

Check the component status:

```text
[root@node2 ~]# kubectl get componentstatuses
Unable to connect to the server: x509: certificate signed by unknown authority
```

Install the CNI plugins; the kubelet startup parameters reference them:

```bash
cd /server/software/k8s
wget https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz
mkdir -p /opt/cni/bin
tar -xf cni-plugins-amd64-v0.7.1.tgz -C /opt/cni/bin
ls -l /opt/cni/bin
cd $HOME
```

Error: `network plugin is not ready: cni config uninitialized`. The cause is that the kubelet is configured with network-plugin=cni but no network plugin has been installed yet, so the node stays NotReady and this error is logged. If you do not want to see it, or do not need networking, remove network-plugin=cni from the kubelet configuration file.

Configure and start the kubelet. Create the data directory and the kubelet unit file:

```bash
mkdir -p /data/kubelet

cat >/etc/systemd/system/kubelet.service<<EOF
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/data/kubelet
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/local/kubernetes/bin/kubelet \
        \$KUBE_LOGTOSTDERR \
        \$KUBE_LOG_LEVEL \
        \$KUBELET_CONFIG \
        \$KUBELET_HOSTNAME \
        \$KUBELET_POD_INFRA_CONTAINER \
        \$KUBELET_ARGS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
```

Parameter variables file:

```bash
cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF
```

Configure the kubelet.conf file: copy admin.conf from the master and name it kubelet.conf; the kubelet startup parameters use kubelet.conf.

```bash
scp /etc/kubernetes/admin.conf 192.168.0.92:/etc/kubernetes/kubelet.conf
```

Configure the kubelet file. Adjust the IPs: every node gets this file with its own node IP.

```bash
cat >/etc/kubernetes/kubelet<<EOF
KUBELET_HOSTNAME="--hostname-override=192.168.0.92"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1"
KUBELET_CONFIG="--config=/etc/kubernetes/kubelet-config.yml"
KUBELET_ARGS="--bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.conf --kubeconfig=/etc/kubernetes/kubelet.conf --cert-dir=/etc/kubernetes/pki --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d"
EOF
```

Copy the CA certificate from the master; the kubelet-config.yml parameters reference it:

```bash
scp $HOME/ssl/ca.pem 192.168.0.92:/etc/kubernetes/pki/
```

Configure the kubelet-config.yml file. Adjust the IP in it: master, node2 and node3 each use their own IP.

```bash
cat >/etc/kubernetes/kubelet-config.yml<<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.0.92
port: 10250
cgroupDriver: cgroupfs
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local.
hairpinMode: promiscuous-bridge
serializeImagePulls: false
authentication:
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
EOF
```

Start:

```bash
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
```

### 21.3 Approve the certificate request

Run the following on a node where kubectl is configured.

```bash
# list pending requests
kubectl get csr

# approve; the long string below is the name printed by the previous command. Do this for every node, including the master
kubectl certificate approve node-csr-Yiiv675wUCvQl3HH11jDr0cC9p3kbrXWrxvG3EjWGoE

# list the nodes; at this point the node status is NotReady and becomes Ready only after the remaining steps
kubectl get nodes

# on the node, check the generated files
ls -l /etc/kubernetes/kubelet.conf
ls -l /etc/kubernetes/pki/kubelet*
```

### 21.4 Configure and start kube-proxy

```bash
# install
yum install -y conntrack-tools

# copy kube-proxy.conf and the kube-proxy certificates from the master to the node
# (on the master; the node's /etc/kubernetes/pki directory must exist first)
mkdir -p /etc/kubernetes/pki
scp /etc/kubernetes/kube-proxy.conf 192.168.0.92:/etc/kubernetes/
scp /etc/kubernetes/pki/kube-proxy*.pem 192.168.0.92:/etc/kubernetes/pki
```

Unit file:

```bash
cat >/etc/systemd/system/kube-proxy.service<<EOF
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/local/kubernetes/bin/kube-proxy \
        \$KUBE_LOGTOSTDERR \
        \$KUBE_LOG_LEVEL \
        \$KUBECONFIG \
        \$KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
```

Parameter variables file:

```bash
cat >/etc/kubernetes/config<<EOF
KUBE_LOGTOSTDERR="--logtostderr=true"
KUBE_LOG_LEVEL="--v=2"
EOF
```

Configure the proxy file. Adjust the IPs: master, node2 and node3 each use their own IP. The file uses `--proxy-mode=iptables` because ipvs mode has a bug on CentOS 7 and cannot be used; versions after 1.11.0 can use ipvs mode. This lab uses CentOS 7.5 with Kubernetes 1.11.0, so iptables mode is used.

```bash
cat >/etc/kubernetes/proxy<<EOF
KUBECONFIG="--kubeconfig=/etc/kubernetes/kube-proxy.conf"
KUBE_PROXY_ARGS="--bind-address=192.168.0.92 --proxy-mode=iptables --hostname-override=192.168.0.92 --cluster-cidr=10.244.0.0/16"
EOF
```

Start:

```bash
systemctl daemon-reload
systemctl enable kube-proxy
systemctl start kube-proxy
systemctl status kube-proxy
```

### 21.5 Set the cluster roles

```bash
# label master as master
kubectl label nodes 192.168.0.91 node-role.kubernetes.io/master=

# label node2 and node3 as node
kubectl label nodes 192.168.0.92 node-role.kubernetes.io/node=

# normally the master does not accept workloads
kubectl taint nodes 192.168.0.91 node-role.kubernetes.io/master=true:NoSchedule

# allow the master to run pods
kubectl taint nodes 192.168.0.91 node-role.kubernetes.io/master-

# prevent the master from running pods
kubectl taint nodes 192.168.0.91 node-role.kubernetes.io/master=:NoSchedule

# list the nodes; at this point the node status is NotReady
kubectl get no
```

### 21.6 Configure the flannel network

flannel can only be installed on nodes where docker is installed. Fill in the name of the node's actual network interface below.

Download the configuration:

```bash
mkdir flannel && cd flannel
wget https://raw.githubusercontent.com/coreos/flannel/v0.10.0/Documentation/kube-flannel.yml
```

Edit the configuration. The Network here must match the pod network (cluster-cidr) configured above:

```yaml
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
```

If a node has several network interfaces, see flannel issue 39701, https://github.com/kubernetes/kubernetes/issues/39701: currently the `--iface` parameter in kube-flannel.yml must name the cluster's internal interface, otherwise DNS may fail to resolve and containers may be unable to communicate.

Change the image:

```yaml
image: registry.cn-shanghai.aliyuncs.com/gcr-k8s/flannel:v0.10.0-amd64
```

Add `--iface=<iface-name>` to the flanneld startup arguments:

```yaml
containers:
- name: kube-flannel
  image: registry.cn-shanghai.aliyuncs.com/gcr-k8s/flannel:v0.10.0-amd64
  command:
  - /opt/bin/flanneld
  args:
  - --ip-masq
  - --kube-subnet-mgr
  - --iface=ens33
```

Start and check:

```bash
kubectl apply -f kube-flannel.yml

kubectl get pods -n kube-system
kubectl get svc -n kube-system

# check the node status; once all flannel pods are running, the nodes are Ready
kubectl get no
```

## Configure CoreDNS

Run on the master; note that the version used below is 1.2.0. 10.96.0.10 is the DNS address configured in the kubelet.

```bash
cd $HOME && mkdir coredns && cd coredns
wget https://raw.githubusercontent.com/coredns/deployment/master/kubernetes/coredns.yaml.sed
wget https://raw.githubusercontent.com/coredns/deployment/master/kubernetes/deploy.sh
chmod +x deploy.sh
./deploy.sh -i 10.96.0.10 > coredns.yaml
kubectl apply -f coredns.yaml
```

Note: check that 10.96.0.10 was written into the generated file.

```bash
kubectl get pods -n kube-system
kubectl get svc -n kube-system
```

## Test

Start a deployment and expose it:

```bash
kubectl run nginx --replicas=2 --image=nginx:alpine --port=80
kubectl expose deployment nginx --type=NodePort --name=example-service-nodeport
kubectl expose deployment nginx --name=example-service
kubectl scale --replicas=3 deployment/nginx
```

Check the status:

```bash
kubectl get deploy -o wide
kubectl get pods -o wide
kubectl get svc -o wide
kubectl describe svc example-service
```

DNS resolution, from inside a test pod:

```bash
kubectl run -it --rm --image=infoblox/dnstools dns-client
nslookup kubernetes
nslookup example-service
curl example-service
```

Access test:

```bash
# 10.107.91.153 is the ClusterIP shown by kubectl get svc
curl "10.107.91.153:80"

# 32223 is the NodePort shown by kubectl get svc
http://192.168.0.91:32223/
http://192.168.0.92:32223/
http://192.168.0.93:32223/
```

Clean up:

```bash
kubectl delete svc example-service example-service-nodeport
kubectl delete deploy nginx
```
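The pod CIDR appears in three places on this page (kube-controller-manager `--cluster-cidr`, kube-proxy `--cluster-cidr`, flannel `Network`), the service range in kube-apiserver `--service-cluster-ip-range`, and the kubelet's `clusterDNS` has to lie inside that service range; a mismatch shows up only as the DNS and connectivity failures described in 21.6. The following Python script is an added example (not from the original post, not part of Kubernetes or flannel) that cross-checks those values and also derives the first service IP that step 7 puts into the kube-apiserver certificate. The snippets are constructed from the post's configuration files and the function names are the example's own.

```python
"""Added example (not from the original post, not part of Kubernetes or
flannel): cross-check the addressing that the setup spreads over several
files. Snippets are constructed from the post's values; function names are
this example's own."""
import ipaddress
import json
import re

# Constructed inputs, copied from the post's configuration files.
SERVICE_RANGE = "10.96.0.0/12"          # kube-apiserver --service-cluster-ip-range
CONTROLLER_ARGS = ("--address=127.0.0.1 --cluster-cidr=10.244.0.0/16 "
                   "--cluster-name=kubernetes --allocate-node-cidrs=true")
PROXY_ARGS = ("--bind-address=192.168.0.92 --proxy-mode=iptables "
              "--hostname-override=192.168.0.92 --cluster-cidr=10.244.0.0/16")
FLANNEL_NET_CONF = '{ "Network": "10.244.0.0/16", "Backend": { "Type": "vxlan" } }'
KUBELET_CLUSTER_DNS = "10.96.0.10"        # clusterDNS in kubelet-config.yml


def flag_value(arg_string, flag):
    """Value of --flag=value in an argument string, or None if absent."""
    m = re.search(rf"--{re.escape(flag)}=(\S+)", arg_string)
    return m.group(1) if m else None


def first_service_ip(service_range):
    """The 'kubernetes' Service takes the first usable address of the range;
    the post lists it (10.96.0.1) as a SAN of the kube-apiserver certificate."""
    return str(ipaddress.ip_network(service_range)[1])


def check_addressing(service_range, controller_args, proxy_args,
                     flannel_conf, cluster_dns):
    """Return a list of problems; an empty list means everything agrees."""
    problems = []
    svc = ipaddress.ip_network(service_range)
    sources = {
        "kube-controller-manager --cluster-cidr": flag_value(controller_args, "cluster-cidr"),
        "kube-proxy --cluster-cidr": flag_value(proxy_args, "cluster-cidr"),
        "flannel Network": json.loads(flannel_conf).get("Network"),
    }
    pod_nets = {}
    for where, cidr in sources.items():
        if cidr is None:
            problems.append(f"{where} is not set")
            continue
        pod_nets[where] = ipaddress.ip_network(cidr)
    # all three pod CIDRs must be the same network
    if len({str(n) for n in pod_nets.values()}) > 1:
        problems.append("pod CIDR differs: " +
                        ", ".join(f"{w}={n}" for w, n in pod_nets.items()))
    # pod and service ranges must not overlap
    for where, net in pod_nets.items():
        if net.overlaps(svc):
            problems.append(f"{where} {net} overlaps service range {svc}")
    # the DNS ClusterIP must come out of the service range
    if ipaddress.ip_address(cluster_dns) not in svc:
        problems.append(f"clusterDNS {cluster_dns} is outside service range {svc}")
    return problems


if __name__ == "__main__":
    print("first service IP:", first_service_ip(SERVICE_RANGE))
    print("problems:", check_addressing(SERVICE_RANGE, CONTROLLER_ARGS, PROXY_ARGS,
                                        FLANNEL_NET_CONF, KUBELET_CLUSTER_DNS))
```

Feed it the real values from `/etc/kubernetes/apiserver`, `/etc/kubernetes/controller-manager`, `/etc/kubernetes/proxy`, the `net-conf.json` block of kube-flannel.yml and `kubelet-config.yml` before applying the flannel and CoreDNS manifests; it catches the mismatch that otherwise only appears as the "dns unable to resolve" symptom mentioned in 21.6.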
Original article: https://www.cnblogs.com/effortsing/p/10306684.html
Time: 2024-10-24 13:27:52