Bootstrap

Kubernetes 集群部署 ------ 二进制部署(一)

一:环境部署

负载均衡:
lb1(192.168.50.142/24)
lb2(192.168.50.143/24)

Master节点:
master1(192.168.50.139/24)
master2(192.168.50.150/24)

Node节点:
node1(192.168.50.140/24)
node2(192.168.50.141/24)

VIP:
192.168.50.100

二:K8S部署——单节点部署

Master:192.168.50.139/24kube-apiserver kube-controller-manager kube-scheduler etcd
Node01:192.168.50.140/24kubelet kube-proxy docker flannel etcd
Node02:192.168.50.141/24kubelet kube-proxy docker flannel etcd
需要的软件包:

k8s官网地址:https://github.com/kubernetes/kubernetes/releases?after=v1.13.1
在这里插入图片描述
在这里插入图片描述

1、master部署

先准备两个shell脚本
第一个脚本 etcd-cert.sh

vim etcd-cert.sh
##定义ca证书:
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
##实现证书签名
cat > ca-csr.json <<EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
##指定etcd三个节点之间的通信验证
cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.220.131",
    "192.168.220.140",
    "192.168.220.136"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF
##生成 ETCD证书 server-key.pem 和 server.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

第二个脚本etcd.sh

vim etcd.sh
#!/bin/bash
# example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380

ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3

WORK_DIR=/opt/etcd

cat <<EOF >$WORK_DIR/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=${WORK_DIR}/cfg/etcd
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
[root@localhost ~]# mkdir k8s
[root@localhost ~]# cd k8s/
[root@localhost k8s]# ls    //从宿主机将准备的两个脚本拖进来
etcd-cert.sh  etcd.sh
[root@localhost k8s]# mkdir etcd-cert
[root@localhost k8s]# mv etcd-cert.sh etcd-cert

[root@localhost k8s]# vim cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo  #下载cfssl官方包
[root@localhost k8s]# bash cfssl.sh
[root@localhost k8s]# ls /usr/local/bin/
cfssl  cfssl-certinfo  cfssljson
//cfssl 生成证书工具   cfssljson通过传入json文件生成证书
  cfssl-certinfo查看证书信息

定义ca证书

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"     
        ]  
      } 
    }         
  }
}
EOF

实现证书签名

cat > ca-csr.json <<EOF 
{   
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

生产证书,生成ca-key.pem ca.pem

[root@localhost k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

2020/01/13 16:32:56 [INFO] generating a new CA key and certificate from CSR
2020/01/13 16:32:56 [INFO] generate received request
2020/01/13 16:32:56 [INFO] received CSR
2020/01/13 16:32:56 [INFO] generating key: rsa-2048
2020/01/13 16:32:56 [INFO] encoded CSR
2020/01/13 16:32:56 [INFO] signed certificate with serial number 595395605361409801445623232629543954602649157326

指定etcd三个节点之间的通信验证

cat > server-csr.json <<EOF
{
    "CN": "etcd",
    "hosts": [
    "192.168.50.139",
    "192.168.50.140",
    "192.168.50.141"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

生成ETCD证书 server-key.pem server.pem

[root@localhost k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

2020/01/13 17:01:30 [INFO] generate received request
2020/01/13 17:01:30 [INFO] received CSR
2020/01/13 17:01:30 [INFO] generating key: rsa-2048
2020/01/13 17:01:30 [INFO] encoded CSR
2020/01/13 17:01:30 [INFO] signed certificate with serial number 202782620910318985225034109831178600652439985681
2020/01/13 17:01:30 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

ETCD 二进制包地址

https://github.com/etcd-io/etcd/releases
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

//复制到centos7中
[root@localhost etcd-cert]# ls
ca-config.json  etcd-cert.sh                          server-csr.json
ca.csr          etcd-v3.3.10-linux-amd64.tar.gz       server-key.pem
ca-csr.json     flannel-v0.10.0-linux-amd64.tar.gz    server.pem
ca-key.pem      kubernetes-server-linux-amd64.tar.gz
ca.pem          server.csr

[root@localhost etcd-cert]# mv *.tar.gz ../
[root@localhost k8s]# ls
cfssl.sh   etcd.sh                          flannel-v0.10.0-linux-amd64.tar.gz
etcd-cert  etcd-v3.3.10-linux-amd64.tar.gz  kubernetes-server-linux-amd64.tar.gz

[root@localhost k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz

[root@localhost k8s]# ls etcd-v3.3.10-linux-amd64
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md

[root@localhost k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p    //配置文件,命令文件,证书

[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/
//证书拷贝
[root@localhost k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/

//进入卡住状态等待其他节点加入
[root@localhost k8s]# bash etcd.sh etcd01 192.168.50.139 etcd02=https://192.168.50.140:2380,etcd03=https://192.168.50.141:2380

//使用另外一个会话打开,会发现etcd进程已经开启
[root@localhost ~]# ps -ef | grep etcd


//拷贝证书去其他节点
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt/
[root@localhost k8s]# scp -r /opt/etcd/ [email protected]:/opt

//启动脚本拷贝其他节点
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service [email protected]:/usr/lib/systemd/system/

2、node1节点

[root@localhost ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.50.140:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.50.140:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.50.140:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.50.140:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.50.139:2380,etcd02=https://192.168.50.140:2380,etcd03=https://192.168.50.141:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
//启动
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd

3、node2节点

[root@localhost ~]# vim /opt/etcd/cfg/etcd

#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.50.141:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.50.141:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.50.141:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.50.141:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.50.139:2380,etcd02=https://192.168.50.140:2380,etcd03=https://192.168.50.141:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

//启动
[root@localhost ssl]# systemctl start etcd
[root@localhost ssl]# systemctl status etcd

master1中检查群集状态

[root@localhost ~]# cd k8s/etcd-cert
[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379" cluster-health
member 77f789e98544c480 is healthy: got healthy result from https://192.168.50.141:2379
member 85ea5ca067fb3fe3 is healthy: got healthy result from https://192.168.50.140:2379
member 8c03cfa0cc484b0d is healthy: got healthy result from https://192.168.50.139:2379
cluster is healthy

4、node1、node2中部署docker引擎

一键部署docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker.service 
systemctl enable docker.service 
systemctl stop firewalld.service
setenforce 0
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://e596b3cc.mirror.aliyuncs.com"]
}
EOF
systemctl daemon-reload
systemctl restart docker

5、flannel网络配置

写入分配的子网段到ETCD中,供flannel使用

[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'

{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}

查看写入的信息

[root@localhost etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379" get /coreos.com/network/config
{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}

拷贝到所有node节点(只需要部署在node节点即可)

[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz [email protected]:/root
[root@localhost k8s]# scp flannel-v0.10.0-linux-amd64.tar.gz [email protected]:/root

所有node节点操作解压

[root@localhost ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz 
flanneld
mk-docker-opts.sh
README.md
//k8s工作目录
[root@localhost ~]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/

[root@localhost ~]# vim flannel.sh
#!/bin/bash

ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/flanneld

FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld

开启flannel网络功能

[root@localhost ~]# bash flannel.sh https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379

Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.

配置docker连接flannel

[root@localhost ~]# vim /usr/lib/systemd/system/docker.service

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

[root@localhost ~]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.42.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
//说明:bip指定启动时的子网
DOCKER_NETWORK_OPTIONS=" --bip=172.17.42.1/24 --ip-masq=false --mtu=1450" 

重启docker服务

[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker

查看flannel网络

[root@localhost ~]# ifconfig
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.84.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::fc7c:e1ff:fe1d:224  prefixlen 64  scopeid 0x20<link>
        ether fe:7c:e1:1d:02:24  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 26 overruns 0  carrier 0  collisions 0

测试ping通对方docker0网卡 证明flannel起到路由作用

[root@localhost ~]# docker run -it centos:7 /bin/bash

[root@5f9a65565b53 /]# yum install net-tools -y

[root@5f9a65565b53 /]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.84.2  netmask 255.255.255.0  broadcast 172.17.84.255
        ether 02:42:ac:11:54:02  txqueuelen 0  (Ethernet)
        RX packets 18192  bytes 13930229 (13.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6179  bytes 337037 (329.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

//再次测试ping通两个node中的centos:7容器

6、部署master组件

在master上操作,api-server生成证书

[root@localhost k8s]# unzip master.zip
[root@localhost k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost k8s]# mkdir k8s-cert    //apiserver自签证书目录
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# ls
k8s-cert.sh

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
      	    "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.50.139",  //master1
      "192.168.50.150",  //master2
      "192.168.50.100",  //vip
      "192.168.50.142",  //lb (master)
      "192.168.50.143",  //lb (backup)
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------

cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

生成k8s证书

[root@localhost k8s-cert]# bash k8s-cert.sh 

2020/01/15 23:31:03 [INFO] generating a new CA key and certificate from CSR
2020/01/15 23:31:03 [INFO] generate received request
2020/01/15 23:31:03 [INFO] received CSR
2020/01/15 23:31:03 [INFO] generating key: rsa-2048
2020/01/15 23:31:03 [INFO] encoded CSR
2020/01/15 23:31:03 [INFO] signed certificate with serial number 149957285008634365032949076461783766565292979186
2020/01/15 23:31:03 [INFO] generate received request
2020/01/15 23:31:03 [INFO] received CSR
2020/01/15 23:31:03 [INFO] generating key: rsa-2048
2020/01/15 23:31:03 [INFO] encoded CSR
2020/01/15 23:31:03 [INFO] signed certificate with serial number 531833477097469967316212525772159687029821034128
2020/01/15 23:31:03 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2020/01/15 23:31:04 [INFO] generate received request
2020/01/15 23:31:04 [INFO] received CSR
2020/01/15 23:31:04 [INFO] generating key: rsa-2048
2020/01/15 23:31:04 [INFO] encoded CSR
2020/01/15 23:31:04 [INFO] signed certificate with serial number 684040931566157342098288079791465097738732990534
2020/01/15 23:31:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2020/01/15 23:31:04 [INFO] generate received request
2020/01/15 23:31:04 [INFO] received CSR
2020/01/15 23:31:04 [INFO] generating key: rsa-2048
2020/01/15 23:31:04 [INFO] encoded CSR
2020/01/15 23:31:04 [INFO] signed certificate with serial number 681469506930419424853732902538890426797365900103
2020/01/15 23:31:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@localhost k8s-cert]# ls *pem
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem

[root@localhost k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@localhost k8s-cert]# cd ..

//解压kubernetes压缩包
[root@localhost k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@localhost k8s]# cd /root/k8s/kubernetes/server/bin

//复制关键命令文件
[root@localhost bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@localhost k8s]# cd /root/k8s
[root@localhost k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
0fb61c46f8991b718eb38d27b605b008
[root@localhost k8s]# vim /opt/kubernetes/cfg/token.csv
0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
序列号,用户名,id,角色
//使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 可以随机生成序列号

二进制文件,token,证书都准备好,开启apiserver

[root@localhost k8s]# bash apiserver.sh 192.168.50.139 https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379

Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.

检查进程是否启动成功

[root@localhost k8s]# ps aux | grep kube

查看配置文件

[root@localhost k8s]# cat /opt/kubernetes/cfg/kube-apiserver 

KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=https://192.168.50.139:2379,https://192.168.50.140:2379,https://192.168.50.141:2379 \
--bind-address=192.168.50.139 \
--secure-port=6443 \
--advertise-address=192.168.50.139 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"

监听的https端口

[root@localhost k8s]# netstat -ntap | grep 6443
tcp        0      0 192.168.50.139:6443    0.0.0.0:*               LISTEN      46459/kube-apiserve 
tcp        0      0 192.168.50.139:6443    192.168.50.139:36806   ESTABLISHED 46459/kube-apiserve 
tcp        0      0 192.168.50.139:36806   192.168.50.139:6443    ESTABLISHED 46459/kube-apiserve 
[root@localhost k8s]# netstat -ntap | grep 8080
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      46459/kube-apiserve 

启动scheduler服务

[root@localhost k8s]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@localhost k8s]# ps aux | grep ku
[root@localhost k8s]# chmod +x controller-manager.sh 

启动controller-manager

[root@localhost k8s]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.

查看master 节点状态

[root@localhost k8s]# /opt/kubernetes/bin/kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-2               Healthy   {"health":"true"}   
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"} 

7、node节点部署

master1上操作
把 kubelet、kube-proxy 拷贝到node节点上去

[root@localhost bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
root@192.168.50.140's password: 
kubelet                                                           100%  168MB  27.9MB/s   00:06    
kube-proxy                                                        100%   48MB  31.5MB/s   00:01    
[root@localhost bin]# scp kubelet kube-proxy [email protected]:/opt/kubernetes/bin/
root@192.168.50.141's password: 
kubelet                                                           100%  168MB  56.1MB/s   00:03    
kube-proxy                                                        100%   48MB  37.3MB/s   00:01    

nod01节点操作(复制node.zip到/root目录下再解压)

[root@localhost ~]# ls
anaconda-ks.cfg  flannel-v0.10.0-linux-amd64.tar.gz  node.zip   公共  视频  文档  音乐
flannel.sh       initial-setup-ks.cfg                README.md  模板  图片  下载  桌面

解压node.zip,获得kubelet.sh proxy.sh

[root@localhost ~]# unzip node.zip 

在master1上操作

[root@localhost k8s]# mkdir kubeconfig
[root@localhost k8s]# cd kubeconfig/

拷贝kubeconfig.sh文件进行重命名

[root@localhost kubeconfig]# mv kubeconfig.sh kubeconfig
[root@localhost kubeconfig]# vim kubeconfig 
#-----------------------删除以下部分--------------------------------
# 创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008

cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
#-----------------------------------------------------------------

//获取token信息
[root@localhost ~]# cat /opt/kubernetes/cfg/token.csv 
6351d652249951f79c33acdab329e4c4,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

//配置文件修改为tokenID
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
  --token=6351d652249951f79c33acdab329e4c4 \
  --kubeconfig=bootstrap.kubeconfig

设置环境变量(可以写入到/etc/profile中)

[root@localhost kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
[root@localhost kubeconfig]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-1               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   

生成配置文件

[root@localhost kubeconfig]# bash kubeconfig 192.168.50.139 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@localhost kubeconfig]# ls
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig

拷贝配置文件到node节点

[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
root@192.168.50.140's password: 
bootstrap.kubeconfig                                              100% 2169     2.1MB/s   00:00    
kube-proxy.kubeconfig                                             100% 6275     4.2MB/s   00:00    
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig [email protected]:/opt/kubernetes/cfg/
root@192.168.50.141's password: 
bootstrap.kubeconfig                                              100% 2169     1.8MB/s   00:00    
kube-proxy.kubeconfig                                             100% 6275     5.3MB/s   00:00    

创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)

[root@localhost kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created

在node01节点上操作

[root@localhost ~]# bash kubelet.sh 192.168.50.140
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.

检查kubelet服务启动

[root@localhost ~]# ps aux | grep kube
root     106845  1.4  1.1 371744 44780 ?        Ssl  00:34   0:01 /opt/kubernetes/bin/kubelet --logtostderr=true --v=4 --hostname-override=192.168.195.150 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubconfig --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig --config=/opt/kubernetes/cfgkubelet.config --cert-dir=/opt/kubernetes/ssl --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root     106876  0.0  0.0 112676   984 pts/0    S+   00:35   0:00 grep --color=auto kube

master1上操作
检查到node01节点的请求

[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A   4m27s   kubelet-bootstrap   Pending(等待集群给该节点颁发证书)

[root@localhost kubeconfig]# kubectl certificate approve node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A
certificatesigningrequest.certificates.k8s.io/node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A approved

//继续查看证书状态
[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A   8m56s   kubelet-bootstrap   Approved,Issued(已经被允许加入群集)

查看群集节点,成功加入node01节点

[root@localhost kubeconfig]# kubectl get node
NAME              STATUS   ROLES    AGE    VERSION
192.168.50.140   Ready    <none>   118s   v1.12.3

在node01节点操作,启动proxy服务

[root@localhost ~]# bash proxy.sh 192.168.50.140
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@localhost ~]# systemctl status kube-proxy.service 
● kube-proxy.service - Kubernetes Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2020-02-02 00:47:29 CST; 11s ago
 Main PID: 108006 (kube-proxy)
   Memory: 7.5M
   CGroup: /system.slice/kube-proxy.service
           ‣ 108006 /opt/kubernetes/bin/kube-proxy --logtostderr=true --v=4 --hostname-override=1...

202 00:47:32 localhost.localdomain kube-proxy[108006]: I0202 00:47:32.040427  108006 config...te
202 00:47:32 localhost.localdomain kube-proxy[108006]: I0202 00:47:32.057419  108006 config...te
202 00:47:34 localhost.localdomain kube-proxy[108006]: I0202 00:47:34.059627  108006 config...te
202 00:47:34 localhost.localdomain kube-proxy[108006]: I0202 00:47:34.076914  108006 config...te
202 00:47:36 localhost.localdomain kube-proxy[108006]: I0202 00:47:36.091570  108006 config...te
202 00:47:36 localhost.localdomain kube-proxy[108006]: I0202 00:47:36.105162  108006 config...te
202 00:47:38 localhost.localdomain kube-proxy[108006]: I0202 00:47:38.103518  108006 config...te
202 00:47:38 localhost.localdomain kube-proxy[108006]: I0202 00:47:38.115902  108006 config...te
202 00:47:40 localhost.localdomain kube-proxy[108006]: I0202 00:47:40.113628  108006 config...te
202 00:47:40 localhost.localdomain kube-proxy[108006]: I0202 00:47:40.125818  108006 config...te
Hint: Some lines were ellipsized, use -l to show in full.

8、node02节点部署

在node01节点操作
把现成的/opt/kubernetes目录复制到其他节点进行修改即可

[root@localhost ~]# scp -r /opt/kubernetes/ [email protected]:/opt/
The authenticity of host '192.168.50.141 (192.168.50.141)' can't be established.
ECDSA key fingerprint is SHA256:HyV9L/xOcN5435t9zCPMCC63XiwMwgBLIa7L++Gea0k.
ECDSA key fingerprint is MD5:4b:01:0f:c3:cb:3e:3a:4c:f0:51:85:fc:c1:6b:c5:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.50.141' (ECDSA) to the list of known hosts.
root@192.168.50.141's password: 
flanneld                                                          100%  241   471.1KB/s   00:00    
bootstrap.kubeconfig                                              100% 2169     2.9MB/s   00:00    
kube-proxy.kubeconfig                                             100% 6275    10.3MB/s   00:00    
kubelet                                                           100%  379   130.7KB/s   00:00    
kubelet.config                                                    100%  269   420.0KB/s   00:00    
kubelet.kubeconfig                                                100% 2298     3.5MB/s   00:00    
kube-proxy                                                        100%  191   353.2KB/s   00:00    
mk-docker-opts.sh                                                 100% 2139     4.5MB/s   00:00    
flanneld                                                          100%   35MB  50.5MB/s   00:00    
kubelet                                                           100%  168MB  84.9MB/s   00:01    
kube-proxy                                                        100%   48MB  94.7MB/s   00:00    
kubelet.crt                                                       100% 2197   902.9KB/s   00:00    
kubelet.key                                                       100% 1679     2.3MB/s   00:00    
kubelet-client-2020-02-02-00-42-27.pem                            100% 1277   493.9KB/s   00:00    
kubelet-client-current.pem                                        100% 1277   429.5KB/s   00:00    

//把kubelet,kube-proxy的service文件拷贝到node2中
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service [email protected]:/usr/lib/systemd/system/
root@192.168.50.141's password: 
kubelet.service                                                   100%  264   303.9KB/s   00:00    
kube-proxy.service                                                100%  231   209.1KB/s   00:00    

在node02上操作,进行修改
首先删除复制过来的证书,等会node02会自行申请证书

[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *

修改配置文件kubelet kubelet.config kube-proxy(三个配置文件)

[root@localhost ssl]# cd ../cfg/
[root@localhost cfg]# vim kubelet

KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.50.141 \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

[root@localhost cfg]# vim kubelet.config 
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.50.141
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
~                                  
[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.50.141 \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"

启动服务

[root@localhost cfg]# systemctl start kubelet.service 
[root@localhost cfg]# systemctl enable kubelet.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@localhost cfg]# systemctl start kube-proxy.service 
[root@localhost cfg]# systemctl enable kube-proxy.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.

在master1上操作查看请求

[root@localhost k8s]# kubectl get csr
NAME                                                   AGE   REQUESTOR           CONDITION
node-csr-OaH9HpIKh6AKlfdjEKm4C6aJ0UT_1YxNaa70yEAxnsU   15s   kubelet-bootstrap   Pending

授权许可加入群集

[root@localhost k8s]# kubectl certificate approve node-csr-OaH9HpIKh6AKlfdjEKm4C6aJ0UT_1YxNaa70yEAxnsU

certificatesigningrequest.certificates.k8s.io/node-csr-OaH9HpIKh6AKlfdjEKm4C6aJ0UT_1YxNaa70yEAxnsU approved

查看群集中的节点

[root@localhost k8s]# kubectl get node
NAME              STATUS   ROLES    AGE   VERSION
192.168.50.140   Ready    <none>   21h   v1.12.3
192.168.50.141   Ready    <none>   37s   v1.12.3
;