Installing and Deploying Kubernetes, Episode 1 (Part 1)
Introduction
Chapter 1: Kubernetes Overview
Chapter 2: Kubernetes Quick Start
1. Four Groups of Basic Concepts
1. Pod / Pod Controller
2. Name / Namespace
3. Label / Label Selector
4. Service / Ingress
2. Components of K8S
3. The Three K8S Networks in Detail
Chapter 3: Lab Cluster Architecture in Detail
Chapter 4: Preparations Before Deploying the K8S Cluster
1. Prepare the Virtual Machines
2. Adjust the Operating System
3. Initialize the DNS Service
1. Install bind9
2. Configure bind9
3. Start bind9
4. Check
5. Configure the DNS Clients
6. Check
4. Prepare Self-Signed Certificates
1. Install CFSSL
2. Create the JSON Config for the CA Certificate Signing Request (csr)
3. Generate the CA Certificate and Private Key
5. Deploy the Docker Environment
1. Install
2. Configure
3. Start
6. Deploy Harbor, the Private Docker Image Registry
1. Download the Binary Package and Unpack It
2. Configure
3. Install docker-compose
4. Install Harbor
5. Check That Harbor Started
6. Configure Internal DNS Resolution for Harbor
7. Install and Configure nginx
8. Open http://harbor.od.com in a Browser
9. Check
Chapter 5: Deploying the Master Node Services
1. Deploy the etcd Cluster
1. Cluster Planning
2. Create the Root-CA-Based config File
3. Create the JSON Config for the Self-Signed Certificate Signing Request (csr)
4. Generate the etcd Certificate and Private Key
5. Check the Generated Certificate and Private Key
6. Create the etcd User
7. Download the Software, Unpack It, Make a Symlink
8. Create Directories, Copy the Certificate and Private Key
9. Create the etcd Service Startup Script
10. Adjust Permissions
11. Install supervisor
12. Create the etcd-server Startup Config
13. Start the etcd Service and Check
14. Install, Deploy, Start, and Check All Planned etcd Nodes
15. Check the Cluster Status
2. Deploy the kube-apiserver Cluster
1. Cluster Planning
2. Download the Software, Unpack It, Make a Symlink
3. Sign the client Certificate
1. Create the JSON Config for the Certificate Signing Request (csr)
2. Generate the client Certificate and Private Key
3. Check the Generated Certificate and Private Key
4. Sign the kube-apiserver Certificate
1. Create the JSON Config for the Certificate Signing Request (csr)
2. Generate the kube-apiserver Certificate and Private Key
3. Check the Generated Certificate and Private Key
5. Copy the Certificates to Each Compute Node and Create the Configs
6. Create the Startup Script
7. Adjust Permissions and Directories
8. Create the supervisor Config
9. Start the Service and Check
10. Install, Deploy, Start, and Check All Planned Hosts
11. Configure the Layer 4 Reverse Proxy
1. Deploy nginx
2. Configure the L4 Proxy
3. Start nginx
4. Deploy the keepalived Service
5. Configure the keepalived Service
6. Start keepalived
7. Check the VIP
12. Start the Proxy and Check
3. Deploy controller-manager
1. Cluster Planning
2. Create the Startup Script
3. Adjust File Permissions, Create Directories
4. Create the supervisor Config
5. Start the Service and Check
6. Install, Deploy, Start, and Check kube-controller-manager on All Planned Hosts
4. Deploy kube-scheduler
1. Cluster Planning
2. Create the Startup Script
3. Adjust File Permissions, Create Directories
4. Create the supervisor Config
5. Start the Service and Check
6. kubectl Command Auto-Completion
7. Install, Deploy, Start, and Check kube-scheduler on All Planned Hosts
5. Check the Master Nodes
Chapter 6: Deploying the Compute Node Services
1. Deploy kubelet
1. Cluster Planning
2. Sign the kubelet Certificate
1. Create the JSON Config for the Certificate Signing Request (csr)
2. Generate the kubelet Certificate and Private Key
3. Check the Generated Certificate and Private Key
3. Copy the Certificates to Each Compute Node and Create the Configs
1. Copy the Certificate and Private Key; Note the Private Key File Mode Is 600
2. Create the Configs
1. set-cluster
2. set-credentials
3. set-context
4. use-context
5. k8s-node.yaml
4. Prepare the pause Base Image
1. Download
2. Tag
3. Push It to the Private Registry (harbor)
5. Create the kubelet Startup Script
6. Check Configs and Permissions, Create the Log Directory
7. Create the supervisor Config
8. Start the Service and Check
9. Check the Compute Node
10. Install, Deploy, Start, and Check kubelet on All Planned Hosts
11. Check All Compute Nodes
2. Deploy kube-proxy
1. Cluster Planning
2. Sign the kube-proxy Certificate
1. Create the JSON Config for the Certificate Signing Request (csr)
2. Generate the kube-proxy Certificate and Private Key
3. Check the Generated Certificate and Private Key
3. Copy the Certificates to Each Compute Node and Create the Configs
1. Copy kube-proxy-client-key.pem and kube-proxy-client.pem to the Compute Nodes
2. Create the Configs
1. set-cluster
2. set-credentials
3. set-context
4. use-context
4. Create the kube-proxy Startup Script
5. Check Configs and Permissions, Create the Log Directory
6. Create the supervisor Config
7. Start the Service and Check
Chapter 7: Finish the Deployment and Verify the Cluster
Chapter 8: Resource Requirements
Introduction
http://www.sunrisenan.com/docs/kubernetes/docker.html
1. Why containerize applications with Docker (the benefits)
The Docker engine unifies the infrastructure environment - the docker environment
- hardware configuration
- operating system version
- heterogeneous runtime environments
The Docker engine unifies how programs are packaged (boxed) - the docker image
- java programs
- python programs
- nodejs programs
- …
The Docker engine unifies how programs are deployed (run)
- java -jar … -> docker run …
- python manage.py runserver … -> docker run …
- npm run dev -> docker run …
client/server C/S
browser/server B/S
mobile client/server
mini-program/server
2. The drawbacks of containerizing applications with Docker alone
- single-host use; no effective clustering
- as the number of containers grows, management costs climb
- no effective disaster-recovery/self-healing mechanism
- no prebuilt orchestration templates, so fast, large-scale container scheduling is impossible
- no unified configuration management center
- no tooling to manage the container lifecycle
- no graphical operations tooling (only homegrown web UIs)
- ….
We therefore need a container orchestration tool!
3. The main open-source orchestration tools for the Docker container engine currently on the market:
- docker compose, docker swarm
- Mesosphere + Marathon
- Kubernetes (K8S)
Chapter 1: Kubernetes Overview
Official site: https://kubernetes.io
GitHub: https://github.com/kubernetes/kubernetes
Origin: Google's Borg system, later rewritten in Go and donated to the CNCF foundation as open source
Meaning: the root is Greek for helmsman/pilot. K8S = "K" + the 8 letters of "ubernete" + "S"
Key role: an open-source container orchestration framework (with an extremely rich ecosystem)
Why learn it: it solves many pain points of running bare Docker.
Kubernetes advantages:
- automatic bin packing, horizontal scaling, self-healing
- service discovery and load balancing
- automated rollouts (rolling update by default) and rollbacks
- centralized configuration management and secret management
- storage orchestration
- batch job execution
- ....
Chapter 2: Kubernetes Quick Start
1. Four Groups of Basic Concepts
1. Pod / Pod Controller
Pod
- A Pod is the smallest logical unit (atomic unit) that can run in K8S.
- A Pod can run multiple containers, which share the UTS+NET+IPC namespaces.
- Think of a Pod as a pea pod: each container in the same Pod is one pea.
- Running multiple containers in one Pod is also known as the SideCar pattern.
Pod Controller
- A Pod controller is a template for starting Pods, used to guarantee that Pods started in K8S always run as people expect (replica count, lifecycle, health checks...).
- K8S ships many Pod controllers; the commonly used ones are: Deployment, DaemonSet, ReplicaSet, StatefulSet, Job, CronJob.
2. Name / Namespace
Name
- Internally, K8S uses "resources" to define every logical concept (function), so every "resource" has its own "name".
- A "resource" carries configuration information such as the API version (apiVersion), kind (Kind), metadata (metadata), spec, and status.
- The "name" is usually defined in the resource's "metadata".
Namespace
- As projects multiply, staff grows, and the cluster scales up, a way to isolate the various "resources" inside K8S is needed: that is the namespace.
- A namespace can be understood as a virtual cluster group inside K8S.
- "Resources" in different namespaces may share a name; two "resources" of the same kind in the same namespace may not.
- Used well, namespaces let cluster administrators classify, manage, and browse the services delivered into K8S.
- The namespaces that exist in K8S by default are: default, kube-system, kube-public.
- Querying a specific "resource" in K8S requires naming the corresponding namespace, as sketched below.
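A hedged kubectl sketch of the namespace ideas above (runnable once the cluster built later in this document is up; the namespace name app-dev is a hypothetical example):
kubectl get namespaces                   # the default namespaces: default, kube-system, kube-public
kubectl create namespace app-dev         # an isolated group for one project/team (hypothetical name)
kubectl get pods -n kube-system          # querying a resource requires naming its namespace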
3. Label / Label Selector
Label
- Labels are K8S's signature management method, convenient for classifying resource objects.
- One label can be attached to many resources, and one resource can carry many labels: a many-to-many relationship.
- Giving a resource several labels makes it manageable along several different dimensions.
- A label has the form key=value.
- Similar to labels, there are also "annotations".
Label Selector
- Once resources are labeled, a label selector can filter on those labels.
- There are currently two kinds of label selectors: equality-based (equals, not-equals) and set-based (in, not-in, exists).
- Many resources embed label selector fields: matchLabels, matchExpressions. A small usage sketch follows.
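A hedged sketch of both selector styles with kubectl (the pod name nginx-pod and the label values are hypothetical):
kubectl label pod nginx-pod app=web      # attach a key=value label
kubectl get pods -l app=web              # equality-based selector
kubectl get pods -l 'app in (web, api)'  # set-based selector
kubectl get pods -l app                  # existence selector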
4. Service / Ingress
Service
- In the K8S world every Pod is assigned its own IP address, but that IP vanishes when the Pod is destroyed.
- Service is the core concept that solves this problem.
- A Service can be seen as the external access interface for a group of Pods that provide the same service.
- Which Pods a Service applies to is defined through a label selector.
Ingress
- Ingress is the externally exposed interface in a K8S cluster that works at layer 7 of the OSI network reference model.
- A Service can only schedule L4 traffic, expressed as ip+port.
- Ingress can schedule business traffic for different domains and different URL paths. A quick Service sketch follows.
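A hedged illustration of putting a Service in front of an existing Deployment (the Deployment name nginx-dp is hypothetical); the Service selects its Pods through the Deployment's labels:
kubectl expose deployment nginx-dp --port=80 --target-port=80
kubectl get svc nginx-dp                 # a stable ClusterIP, i.e. L4 ip+port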
2. Components of K8S
Core components
- Configuration storage center -> the etcd service (can be thought of as a kind of non-relational database)
- Master node:
  - the kube-apiserver service (the brain of k8s)
  - the kube-controller-manager service
  - the kube-scheduler service
- Compute (node) node:
  - the kubelet service
  - the kube-proxy service
- CLI client: kubectl
Core add-ons
- CNI network plugin -> flannel/calico
- Service discovery plugin -> coredns
- Service exposure plugin -> traefik
- GUI management plugin -> Dashboard
apiserver:
- Provides the REST API for cluster management (including authentication/authorization, data validation, and cluster state changes)
- Handles the data exchange between the other modules, acting as the communication hub
- Is the entry point for resource quota control
- Provides a complete cluster security mechanism
controller-manager:
- Consists of a series of controllers that watch the overall cluster state through the apiserver and keep the cluster in the expected working state, among them:
- Node Controller
- Deployment Controller
- Service Controller
- Volume Controller
- Endpoint Controller
- Garbage Collector
- Namespace Controller
- Job Controller
- ResourceQuota Controller
- ...
scheduler:
- Its main job is to schedule pods onto suitable compute nodes, using:
- predicate strategies (filtering)
- priority strategies (scoring)
kubelet:
- Put simply, kubelet's main job is to periodically fetch the desired state of the pods on its node (which containers to run, how many replicas, how networking and storage should be configured, and so on) and call the container platform's API to reach that state.
- It regularly reports its node's state to the apiserver for use during scheduling.
- It cleans up images and containers, making sure images do not fill the node's disk and exited containers do not hold on to too many resources.
kube-proxy:
- The network proxy K8S runs on every node; it is the vehicle for Service resources and does not serve pods directly.
- It establishes the relationship between the pod network and the cluster network (clusterip -> podip), which is a virtual network.
- Three common traffic scheduling modes: Userspace (deprecated), Iptables (on its way out), Ipvs (recommended).
- It creates, deletes, and updates scheduling rules, notifies the apiserver of its own updates, and updates itself when the apiserver's scheduling rules change.
3. The Three K8S Networks in Detail
Chapter 3: Lab Cluster Architecture in Detail
Common ways to install and deploy K8S:
1. Minikube, a single-node micro K8S (for learning and preview only)
2. Binary installation and deployment (first choice for production; recommended for beginners)
3. Deployment with kubeadm, K8S's own deployment tool, which runs inside K8S (relatively simple; recommended for experienced users)
Chapter 4: Preparations Before Deploying the K8S Cluster
Reference links:
https://blog.stanley.wang/ #王导
https://toscode.gitee.com/liangshengqi/smart-admin #光明总会在不远的地方
https://gitee.com/john881123/dubbo-demo-web/tree/master/ #徐保真
https://gitee.com/stanleywang/dubbo-demo-service #王导
https://www.cnblogs.com/sseban/p/13042633.html #地铁昌平线
1. Prepare the Virtual Machines
- 5 VMs, each with 4 CPU cores and 8 GB RAM
Hostname | Role | IP | Spec | Services deployed |
---|---|---|---|---|
shkf6-241.host.com | k8s proxy node 1 | 192.168.6.241 | 4C8G | bind9, nginx (L4 proxy), keepalived, supervisor |
shkf6-242.host.com | k8s proxy node 2 | 192.168.6.242 | 4C8G | etcd, nginx (L4 proxy), keepalived, supervisor |
shkf6-243.host.com | k8s compute node 1 | 192.168.6.243 | 4C8G | etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy, supervisor |
shkf6-244.host.com | k8s compute node 2 | 192.168.6.244 | 4C8G | etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy, supervisor |
shkf6-245.host.com | k8s ops node (docker registry) | 192.168.6.245 | 4C8G | certificate services, harbor private docker registry, nginx proxy for harbor, pause |
Check the system version; the kernel must be 3.10 or later (Docker's minimum requirement):
~]# uname -a
Linux shkf6-241.host.com 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2. Adjust the Operating System
On all machines:
1. Set the hostname
~]# hostnamectl set-hostname shkf6-241.host.com
~]# hostnamectl set-hostname shkf6-242.host.com
~]# hostnamectl set-hostname shkf6-243.host.com
~]# hostnamectl set-hostname shkf6-244.host.com
~]# hostnamectl set-hostname shkf6-245.host.com
2. Disable selinux and the firewall
~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
~]# setenforce 0
~]# systemctl stop firewalld
3. Install epel-release
~]# yum install -y epel-release
4. Install the necessary tools
~]# yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y
3. Initialize the DNS Service
On shkf6-241.host.com:
1. Install bind9
[root@shkf6-241 ~]# yum install bind -y
=====================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================
Installing:
bind x86_64 32:9.11.4-9.P2.el7 base 2.3 M
2. Configure bind9
The main config file
[root@shkf6-241 ~]# vim /etc/named.conf
listen-on port 53 { 192.168.6.241; };
allow-query { any; };
forwarders { 192.168.6.254; }; # upstream forwarder (add this line)
dnssec-enable no;
dnssec-validation no;
[root@shkf6-241 ~]# named-checkconf # check the config file
The zone config file
[root@shkf6-241 ~]# vim /etc/named.rfc1912.zones
[root@shkf6-241 ~]# tail -12 /etc/named.rfc1912.zones
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 192.168.6.241; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 192.168.6.241; };
};
Configure the zone data files
- Configure the host-domain data file
[root@shkf6-241 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2019111201 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 192.168.6.241
SHKF6-241 A 192.168.6.241
SHKF6-242 A 192.168.6.242
SHKF6-243 A 192.168.6.243
SHKF6-244 A 192.168.6.244
SHKF6-245 A 192.168.6.245
- Configure the business-domain data file
[root@shkf6-241 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2019111201 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 192.168.6.241
3. Start bind9
[root@shkf6-241 ~]# named-checkconf
[root@shkf6-241 ~]# systemctl start named
[root@shkf6-241 ~]# systemctl enable named
4. Check
[root@shkf6-245 ~]# dig -t A shkf6-244.host.com @192.168.6.241 +short
192.168.6.244
[root@shkf6-245 ~]# dig -t A shkf6-241.host.com @192.168.6.241 +short
192.168.6.241
[root@shkf6-245 ~]# dig -t A shkf6-242.host.com @192.168.6.241 +short
192.168.6.242
[root@shkf6-245 ~]# dig -t A shkf6-243.host.com @192.168.6.241 +short
192.168.6.243
[root@shkf6-245 ~]# dig -t A shkf6-244.host.com @192.168.6.241 +short
192.168.6.244
[root@shkf6-245 ~]# dig -t A shkf6-245.host.com @192.168.6.241 +short
192.168.6.245
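The five per-host checks above can also be run as one hedged loop against the same DNS server:
[root@shkf6-245 ~]# for i in 241 242 243 244 245; do dig -t A shkf6-$i.host.com @192.168.6.241 +short; done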
5. Configure the DNS Clients
- On the Linux hosts
~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 192.168.6.241
- On the Windows host
Network and Sharing Center -> adapter settings -> set the DNS server
If necessary, also set the virtual NIC's interface metric to 10
6. Check
[root@shkf6-245 ~]# ping shkf6-241
PING SHKF6-241.host.com (192.168.6.241) 56(84) bytes of data.
64 bytes from node1.98yz.cn (192.168.6.241): icmp_seq=1 ttl=64 time=0.213 ms
^C
--- SHKF6-241.host.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.213/0.213/0.213/0.000 ms
[root@shkf6-245 ~]# ping shkf6-241.host.com
PING SHKF6-241.host.com (192.168.6.241) 56(84) bytes of data.
64 bytes from node1.98yz.cn (192.168.6.241): icmp_seq=1 ttl=64 time=0.136 ms
^C
--- SHKF6-241.host.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.136/0.136/0.136/0.000 ms
[C:\Users\mcake]$ ping dns.od.com
Pinging dns.od.com [192.168.6.241] with 32 bytes of data:
Reply from 192.168.6.241: bytes=32 time<1ms TTL=63
Reply from 192.168.6.241: bytes=32 time<1ms TTL=63
4. Prepare Self-Signed Certificates
On the ops host shkf6-245.host.com:
1. Install CFSSL
- Certificate signing tool CFSSL: R1.2
[root@shkf6-245 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
[root@shkf6-245 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
[root@shkf6-245 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
[root@shkf6-245 ~]# chmod +x /usr/bin/cfssl*
2. Create the JSON Config for the CA Certificate Signing Request (csr)
[root@shkf6-245 ~]# mkdir /opt/certs
[root@shkf6-245 ~]# vim /opt/certs/ca-csr.json
[root@shkf6-245 ~]# cat /opt/certs/ca-csr.json
{
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}
CN: Common Name; browsers use this field to check whether a site is legitimate. Usually the domain name. Very important.
C: Country
ST: State or province
L: Locality (city)
O: Organization Name (company name)
OU: Organization Unit Name (department)
3. Generate the CA Certificate and Private Key
[root@shkf6-245 ~]# cd /opt/certs
[root@shkf6-245 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2019/11/12 16:31:15 [INFO] generating a new CA key and certificate from CSR
2019/11/12 16:31:15 [INFO] generate received request
2019/11/12 16:31:15 [INFO] received CSR
2019/11/12 16:31:15 [INFO] generating key: rsa-2048
2019/11/12 16:31:16 [INFO] encoded CSR
2019/11/12 16:31:16 [INFO] signed certificate with serial number 165156553242987548447967502951541624956409280173
[root@shkf6-245 certs]# ll
total 16
-rw-r--r-- 1 root root  993 Nov 12 16:31 ca.csr
-rw-r--r-- 1 root root  328 Nov 12 16:06 ca-csr.json
-rw------- 1 root root 1679 Nov 12 16:31 ca-key.pem
-rw-r--r-- 1 root root 1346 Nov 12 16:31 ca.pem
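As a hedged sanity check, cfssl-certinfo can decode the new CA; expect the names from ca-csr.json and a not_after roughly 20 years out, matching the 175200h expiry:
[root@shkf6-245 certs]# cfssl-certinfo -cert ca.pem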
5. Deploy the Docker Environment
On shkf6-243, shkf6-244, and shkf6-245:
1. Install
[root@shkf6-243 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
[root@shkf6-244 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
[root@shkf6-245 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
2. Configure
[root@shkf6-243 ~]# mkdir /etc/docker
[root@shkf6-243 ~]# vim /etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.6.243.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
[root@shkf6-244 ~]# mkdir /etc/docker
[root@shkf6-244 ~]# vim /etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.6.244.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
[root@shkf6-245 ~]# mkdir /etc/docker
[root@shkf6-245 ~]# vim /etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.6.245.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
Note: the three files differ only in "bip", which encodes each host's IP suffix.
3. Start
On shkf6-243, shkf6-244, and shkf6-245:
~]# systemctl start docker
~]# systemctl enable docker
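A hedged post-start check that the daemon picked up daemon.json (expect overlay2, systemd, /data/docker, and the per-host bip on docker0):
~]# docker info | grep -E 'Storage Driver|Cgroup Driver|Docker Root Dir'
~]# ip addr show docker0 | grep inet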
6. Deploy Harbor, the Private Docker Image Registry
On shkf6-245:
1. Download the Binary Package and Unpack It
[root@shkf6-245 ~]# mkdir -p /opt/src/harbor
[root@shkf6-245 ~]# cd /opt/src/harbor
[root@shkf6-245 harbor]# wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.3.tgz
[root@shkf6-245 harbor]# tar xvf harbor-offline-installer-v1.8.3.tgz -C /opt
harbor/harbor.v1.8.3.tar.gz
harbor/prepare
harbor/LICENSE
harbor/install.sh
harbor/harbor.yml

[root@shkf6-245 harbor]# mv /opt/harbor /opt/harbor-v1.8.3
[root@shkf6-245 harbor]# ln -s /opt/harbor-v1.8.3 /opt/harbor
2. Configure
Edit /opt/harbor/harbor.yml and set:
hostname: harbor.od.com
http:
port: 180
harbor_admin_password: Harbor12345
data_volume: /data/harbor
log:
level: info
rotate_count: 50
rotate_size: 200M
location: /data/harbor/logs
Create the log directory referenced above:
[root@shkf6-245 harbor]# mkdir -p /data/harbor/logs
3. Install docker-compose
Still on the ops host shkf6-245.host.com:
[root@shkf6-245 harbor]# yum install docker-compose -y
[root@shkf6-245 harbor]# rpm -qa docker-compose
docker-compose-1.18.0-4.el7.noarch
4. Install Harbor
[root@shkf6-245 harbor]# ll
total 569632
-rw-r--r-- 1 root root 583269670 Sep 16 11:53 harbor.v1.8.3.tar.gz
-rw-r--r-- 1 root root 4526 Nov 13 11:35 harbor.yml
-rwxr-xr-x 1 root root 5088 Sep 16 11:53 install.sh
-rw-r--r-- 1 root root 11347 Sep 16 11:53 LICENSE
-rwxr-xr-x 1 root root 1654 Sep 16 11:53 prepare
[root@shkf6-245 harbor]# sh install.sh
5. Check That Harbor Started
[root@shkf6-245 harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up
harbor-db /entrypoint.sh postgres Up 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 80/tcp
nginx nginx -g daemon off; Up 0.0.0.0:180->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
6. Configure Internal DNS Resolution for Harbor
On shkf6-241:
[root@shkf6-241 ~]# vim /var/named/od.com.zone
harbor A 192.168.6.245
# Note: roll the serial number forward by one
Restart named:
[root@shkf6-241 ~]# systemctl restart named
Test:
[root@shkf6-241 ~]# dig -t A harbor.od.com +short
192.168.6.245
7. Install and Configure nginx
Proxy port 180 with nginx:
[root@shkf6-245 harbor]# yum install nginx -y
[root@shkf6-245 harbor]# rpm -qa nginx
nginx-1.16.1-1.el7.x86_64

[root@shkf6-245 harbor]# vim /etc/nginx/conf.d/harbor.od.com.conf
server {
    listen       80;
    server_name  harbor.od.com;

    client_max_body_size 1000m;

    location / {
        proxy_pass http://127.0.0.1:180;
    }
}

[root@shkf6-245 harbor]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@shkf6-245 harbor]# systemctl start nginx
[root@shkf6-245 harbor]# systemctl enable nginx
8. Open http://harbor.od.com in a Browser
9. Check
1. Log in to harbor and create the public project
2. Pull the nginx:1.7.9 image from docker.io
[root@shkf6-245 ~]# docker pull nginx:1.7.9
1.7.9: Pulling from library/nginx
Image docker.io/library/nginx:1.7.9 uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
a3ed95caeb02: Pull complete
6f5424ebd796: Pull complete
d15444df170a: Pull complete
e83f073daa67: Pull complete
a4d93e421023: Pull complete
084adbca2647: Pull complete
c9cec474c523: Pull complete
Digest: sha256:e3456c851a152494c3e4ff5fcc26f240206abac0c9d794affb40e0714846c451
Status: Downloaded newer image for nginx:1.7.9
docker.io/library/nginx:1.7.9
3. Tag it
[root@shkf6-245 ~]# docker images|grep 1.7.9
nginx 1.7.9 84581e99d807 4 years ago 91.7MB
[root@shkf6-245 ~]# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9
4. Log in to the private registry and push the nginx image
[root@shkf6-245 ~]# docker login harbor.od.com
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@shkf6-245 ~]# docker push harbor.od.com/public/nginx:v1.7.9
The push refers to repository [harbor.od.com/public/nginx]
5f70bf18a086: Pushed
4b26ab29a475: Pushed
ccb1d68e3fb7: Pushed
e387107e2065: Pushed
63bf84221cce: Pushed
e02dce553481: Pushed
dea2e4984e29: Pushed
v1.7.9: digest: sha256:b1f5935eb2e9e2ae89c0b3e2e148c19068d91ca502e857052f14db230443e4c2 size: 3012
5. View the repository in the harbor web UI
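As a hedged end-to-end check of DNS, the nginx proxy, and the insecure-registries setting, the pushed image should also be pullable from another docker node:
[root@shkf6-243 ~]# docker pull harbor.od.com/public/nginx:v1.7.9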
Chapter 5: Deploying the Master Node Services
1. Deploy the etcd Cluster
1. Cluster Planning
Hostname | Role | IP |
---|---|---|
shkf6-242.host.com | etcd leader | 192.168.6.242 |
shkf6-243.host.com | etcd follower | 192.168.6.243 |
shkf6-244.host.com | etcd follower | 192.168.6.244 |
Note: this document walks through shkf6-242.host.com as the example; the other two hosts are installed and deployed the same way.
2. Create the Root-CA-Based config File
[root@shkf6-245 certs]# cd /opt/certs/
[root@shkf6-245 certs]# vim /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
Certificate types
client certificate: used by a client so the server can authenticate it, e.g. by etcdctl, etcd proxy, fleetctl, the docker client
server certificate: used by the server side so clients can verify the server's identity, e.g. the docker server, kube-apiserver
peer certificate: a dual-purpose certificate, used for communication between etcd cluster members
3. Create the JSON Config for the Self-Signed Certificate Signing Request (csr)
On the ops host shkf6-245.host.com:
[root@shkf6-245 certs]# vi etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.6.241",
        "192.168.6.242",
        "192.168.6.243",
        "192.168.6.244"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
4. Generate the etcd Certificate and Private Key
[root@shkf6-245 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json|cfssl-json -bare etcd-peer
2019/11/13 17:00:03 [INFO] generate received request
2019/11/13 17:00:03 [INFO] received CSR
2019/11/13 17:00:03 [INFO] generating key: rsa-2048
2019/11/13 17:00:04 [INFO] encoded CSR
2019/11/13 17:00:04 [INFO] signed certificate with serial number 69997016866371968425072677347883174107938471757
2019/11/13 17:00:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
5. Check the Generated Certificate and Private Key
[root@shkf6-245 certs]# ll
total 36
-rw-r--r-- 1 root root 836 Nov 13 16:32 ca-config.json
-rw-r--r-- 1 root root 993 Nov 12 16:31 ca.csr
-rw-r--r-- 1 root root 328 Nov 12 16:06 ca-csr.json
-rw------- 1 root root 1679 Nov 12 16:31 ca-key.pem
-rw-r--r-- 1 root root 1346 Nov 12 16:31 ca.pem
-rw-r--r-- 1 root root 1062 Nov 13 17:00 etcd-peer.csr
-rw-r--r-- 1 root root 379 Nov 13 16:34 etcd-peer-csr.json
-rw------- 1 root root 1679 Nov 13 17:00 etcd-peer-key.pem
-rw-r--r-- 1 root root 1428 Nov 13 17:00 etcd-peer.pem
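A hedged way to confirm that all four planned IPs landed in the certificate's SANs:
[root@shkf6-245 certs]# cfssl-certinfo -cert etcd-peer.pem | grep -A 6 '"sans"'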
6. Create the etcd User
On shkf6-242:
[root@shkf6-242 ~]# useradd -s /sbin/nologin -M etcd
7. Download the Software, Unpack It, Make a Symlink
On shkf6-242:
[root@shkf6-242 ~]# cd /opt/src/
[root@shkf6-242 src]# wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz
[root@shkf6-242 src]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt
[root@shkf6-242 src]# cd /opt/
[root@shkf6-242 opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[root@shkf6-242 opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcd
[root@shkf6-242 src]# ls -l /opt/
total 0
lrwxrwxrwx 1 root root 18 Nov 13 17:30 etcd -> /opt/etcd-v3.1.20/
drwxr-xr-x 3 478493 89939 123 Oct 11 2018 etcd-v3.1.20
drwxr-xr-x 2 root root 45 Nov 13 17:27 src
8. Create Directories, Copy the Certificate and Private Key
On shkf6-242:
- Create the directories
[root@shkf6-242 src]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
- Copy the certificates
[root@shkf6-242 src]# cd /opt/etcd/certs
[root@shkf6-242 certs]# scp -P52113 shkf6-245:/opt/certs/ca.pem /opt/etcd/certs/
root@shkf6-245's password:
ca.pem 100% 1346 133.4KB/s 00:00
[root@shkf6-242 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer.pem /opt/etcd/certs/
root@shkf6-245's password:
etcd-peer.pem 100% 1428 208.6KB/s 00:00
[root@shkf6-242 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer-key.pem /opt/etcd/certs/
root@shkf6-245's password:
etcd-peer-key.pem
Copy ca.pem, etcd-peer-key.pem, and etcd-peer.pem generated on the ops host into /opt/etcd/certs; note the private key must stay mode 600.
- Adjust ownership
[root@shkf6-242 certs]# chown -R etcd.etcd /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@shkf6-242 certs]# ls -l
total 12
-rw-r--r-- 1 etcd etcd 1346 Nov 13 17:45 ca.pem
-rw------- 1 etcd etcd 1679 Nov 13 17:46 etcd-peer-key.pem
-rw-r--r-- 1 etcd etcd 1428 Nov 13 17:45 etcd-peer.pem
9. Create the etcd Service Startup Script
On shkf6-242:
[root@shkf6-242 certs]# vim /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-6-242 \
       --data-dir /data/etcd/etcd-server \
       --listen-peer-urls https://192.168.6.242:2380 \
       --listen-client-urls https://192.168.6.242:2379,http://127.0.0.1:2379 \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls https://192.168.6.242:2380 \
       --advertise-client-urls https://192.168.6.242:2379,http://127.0.0.1:2379 \
       --initial-cluster etcd-server-6-242=https://192.168.6.242:2380,etcd-server-6-243=https://192.168.6.243:2380,etcd-server-6-244=https://192.168.6.244:2380 \
       --ca-file ./certs/ca.pem \
       --cert-file ./certs/etcd-peer.pem \
       --key-file ./certs/etcd-peer-key.pem \
       --client-cert-auth \
       --trusted-ca-file ./certs/ca.pem \
       --peer-ca-file ./certs/ca.pem \
       --peer-cert-file ./certs/etcd-peer.pem \
       --peer-key-file ./certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ./certs/ca.pem \
       --log-output stdout
Note: the startup script differs slightly on each etcd host; adjust it when deploying the other nodes.
10. Adjust Permissions
On shkf6-242:
[root@shkf6-242 certs]# cd ../
[root@shkf6-242 etcd]# chmod +x etcd-server-startup.sh
[root@shkf6-242 etcd]# ll etcd-server-startup.sh
-rwxr-xr-x 1 root root 1013 Nov 14 08:52 etcd-server-startup.sh
11. Install supervisor
On shkf6-242:
[root@shkf6-242 etcd]# yum install supervisor -y
[root@shkf6-242 etcd]# systemctl start supervisord.service
[root@shkf6-242 etcd]# systemctl enable supervisord.service
12. Create the etcd-server Startup Config
On shkf6-242:
[root@shkf6-242 etcd]# vim /etc/supervisord.d/etcd-server.ini
[root@shkf6-242 etcd]# cat /etc/supervisord.d/etcd-server.ini
[program:etcd-server-6-242]
command=/opt/etcd/etcd-server-startup.sh              ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/etcd                                   ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
killasgroup=true                                      ; kill all processes in a group
stopasgroup=true                                      ; stop all processes in a group
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
Note: the startup config differs slightly on each etcd host; adjust it when configuring the other nodes.
13. Start the etcd Service and Check
On shkf6-242:
[root@shkf6-242 etcd]# supervisorctl update
etcd-server-6-242: added process group
[root@shkf6-242 etcd]# supervisorctl status
etcd-server-6-242 RUNNING pid 10375, uptime 0:00:43
[root@shkf6-242 etcd]# netstat -lntup|grep etcd
tcp 0 0 192.168.6.242:2379 0.0.0.0:* LISTEN 10376/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 10376/./etcd
tcp 0 0 192.168.6.242:2380 0.0.0.0:* LISTEN 10376/./etcd
14. Install, Deploy, Start, and Check All Planned etcd Nodes
On shkf6-243:
[root@shkf6-243 ~]# useradd -s /sbin/nologin -M etcd
[root@shkf6-243 ~]# mkdir /opt/src
[root@shkf6-243 ~]# cd /opt/src
[root@shkf6-243 src]# wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz
[root@shkf6-243 src]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt
[root@shkf6-243 src]# cd /opt/
[root@shkf6-243 opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[root@shkf6-243 opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcd
[root@shkf6-243 opt]# ll
total 0
drwx--x--x 4 root root 28 Nov 13 10:33 containerd
lrwxrwxrwx 1 root root 18 Nov 14 09:28 etcd -> /opt/etcd-v3.1.20/
drwxr-xr-x 3 478493 89939 123 Oct 11 2018 etcd-v3.1.20
drwxr-xr-x. 2 root root 6 Sep 7 2017 rh
drwxr-xr-x 2 root root 45 Nov 14 09:26 src
[root@shkf6-243 opt]# rm -fr rh containerd/
[root@shkf6-243 opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@shkf6-243 opt]# cd /opt/etcd/certs
[root@shkf6-243 certs]# scp -P52113 shkf6-245:/opt/certs/ca.pem /opt/etcd/certs/
[root@shkf6-243 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer.pem /opt/etcd/certs/
[root@shkf6-243 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer-key.pem /opt/etcd/certs/
[root@shkf6-243 certs]# chown -R etcd.etcd /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@shkf6-243 certs]# vim /opt/etcd/etcd-server-startup.sh
[root@shkf6-243 certs]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-6-243 \
       --data-dir /data/etcd/etcd-server \
       --listen-peer-urls https://192.168.6.243:2380 \
       --listen-client-urls https://192.168.6.243:2379,http://127.0.0.1:2379 \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls https://192.168.6.243:2380 \
       --advertise-client-urls https://192.168.6.243:2379,http://127.0.0.1:2379 \
       --initial-cluster etcd-server-6-242=https://192.168.6.242:2380,etcd-server-6-243=https://192.168.6.243:2380,etcd-server-6-244=https://192.168.6.244:2380 \
       --ca-file ./certs/ca.pem \
       --cert-file ./certs/etcd-peer.pem \
       --key-file ./certs/etcd-peer-key.pem \
       --client-cert-auth \
       --trusted-ca-file ./certs/ca.pem \
       --peer-ca-file ./certs/ca.pem \
       --peer-cert-file ./certs/etcd-peer.pem \
       --peer-key-file ./certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ./certs/ca.pem \
       --log-output stdout
[root@shkf6-243 certs]# chmod +x /opt/etcd/etcd-server-startup.sh
[root@shkf6-243 certs]# yum install supervisor -y
[root@shkf6-243 certs]# systemctl start supervisord.service
[root@shkf6-243 certs]# systemctl enable supervisord.service
[root@shkf6-243 certs]# vim /etc/supervisord.d/etcd-server.ini
[root@shkf6-243 certs]# cat /etc/supervisord.d/etcd-server.ini
[program:etcd-server-6-243]
command=/opt/etcd/etcd-server-startup.sh              ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/etcd                                   ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
killasgroup=true                                      ; kill all processes in a group
stopasgroup=true                                      ; stop all processes in a group
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
[root@shkf6-243 certs]# supervisorctl update
etcd-server-6-243: added process group
[root@shkf6-243 certs]# supervisorctl status
etcd-server-6-243                STARTING
[root@shkf6-243 certs]# netstat -lntup|grep etcd
tcp 0 0 192.168.6.243:2379 0.0.0.0:* LISTEN 12113/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 12113/./etcd
tcp 0 0 192.168.6.243:2380 0.0.0.0:* LISTEN 12113/./etcd
On shkf6-244:
[root@shkf6-244 ~]# useradd -s /sbin/nologin -M etcd
[root@shkf6-244 ~]# mkdir /opt/src
[root@shkf6-244 ~]# cd /opt/src
[root@shkf6-244 src]# wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz
[root@shkf6-244 src]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt
[root@shkf6-244 src]# cd /opt/
[root@shkf6-244 opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[root@shkf6-244 opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcd
[root@shkf6-244 opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@shkf6-244 opt]# cd /opt/etcd/certs
[root@shkf6-244 certs]# scp -P52113 shkf6-245:/opt/certs/ca.pem /opt/etcd/certs/
[root@shkf6-244 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer.pem /opt/etcd/certs/
[root@shkf6-244 certs]# scp -P52113 shkf6-245:/opt/certs/etcd-peer-key.pem /opt/etcd/certs/
[root@shkf6-244 certs]# chown -R etcd.etcd /opt/etcd/certs /data/etcd /data/logs/etcd-server
[root@shkf6-244 certs]# vim /opt/etcd/etcd-server-startup.sh
[root@shkf6-244 certs]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-6-244 \
       --data-dir /data/etcd/etcd-server \
       --listen-peer-urls https://192.168.6.244:2380 \
       --listen-client-urls https://192.168.6.244:2379,http://127.0.0.1:2379 \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls https://192.168.6.244:2380 \
       --advertise-client-urls https://192.168.6.244:2379,http://127.0.0.1:2379 \
       --initial-cluster etcd-server-6-242=https://192.168.6.242:2380,etcd-server-6-243=https://192.168.6.243:2380,etcd-server-6-244=https://192.168.6.244:2380 \
       --ca-file ./certs/ca.pem \
       --cert-file ./certs/etcd-peer.pem \
       --key-file ./certs/etcd-peer-key.pem \
       --client-cert-auth \
       --trusted-ca-file ./certs/ca.pem \
       --peer-ca-file ./certs/ca.pem \
       --peer-cert-file ./certs/etcd-peer.pem \
       --peer-key-file ./certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ./certs/ca.pem \
       --log-output stdout
[root@shkf6-244 certs]# cd ../
[root@shkf6-244 etcd]# chmod +x etcd-server-startup.sh
[root@shkf6-244 etcd]# yum install supervisor -y
[root@shkf6-244 etcd]# systemctl start supervisord.service
[root@shkf6-244 etcd]# systemctl enable supervisord.service
[root@shkf6-244 etcd]# vim /etc/supervisord.d/etcd-server.ini
[root@shkf6-244 etcd]# cat /etc/supervisord.d/etcd-server.ini
[program:etcd-server-6-244]
command=/opt/etcd/etcd-server-startup.sh              ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/etcd                                   ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
killasgroup=true                                      ; kill all processes in a group
stopasgroup=true                                      ; stop all processes in a group
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
[root@shkf6-244 etcd]# supervisorctl update
[root@shkf6-244 etcd]# supervisorctl status
etcd-server-6-244                RUNNING   pid 11748, uptime 0:00:33
[root@shkf6-244 etcd]# netstat -lntup|grep etcd
tcp 0 0 192.168.6.244:2379 0.0.0.0:* LISTEN 11749/./etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 11749/./etcd
tcp 0 0 192.168.6.244:2380 0.0.0.0:* LISTEN 11749/./etcd
[root@shkf6-244 etcd]# ./etcdctl cluster-health
member 4244d625c76d5482 is healthy: got healthy result from http://127.0.0.1:2379
member aa911af67b8285a2 is healthy: got healthy result from http://127.0.0.1:2379
member c751958d48e7e127 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
15. Check the Cluster Status
Once all three etcd nodes are up,
on shkf6-242:
[root@shkf6-242 etcd]# ./etcdctl cluster-health
member 4244d625c76d5482 is healthy: got healthy result from http://127.0.0.1:2379
member aa911af67b8285a2 is healthy: got healthy result from http://127.0.0.1:2379
member c751958d48e7e127 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
[root@shkf6-242 etcd]# ./etcdctl member list
4244d625c76d5482: name=etcd-server-6-242 peerURLs=https://192.168.6.242:2380 clientURLs=http://127.0.0.1:2379,https://192.168.6.242:2379 isLeader=true
aa911af67b8285a2: name=etcd-server-6-243 peerURLs=https://192.168.6.243:2380 clientURLs=http://127.0.0.1:2379,https://192.168.6.243:2379 isLeader=false
c751958d48e7e127: name=etcd-server-6-244 peerURLs=https://192.168.6.244:2380 clientURLs=http://127.0.0.1:2379,https://192.168.6.244:2379 isLeader=false
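The health checks above go through the plain-HTTP loopback listener; a hedged variant that exercises the TLS client port and the peer certificate directly:
[root@shkf6-242 etcd]# ./etcdctl --ca-file ./certs/ca.pem --cert-file ./certs/etcd-peer.pem --key-file ./certs/etcd-peer-key.pem --endpoints https://192.168.6.242:2379,https://192.168.6.243:2379,https://192.168.6.244:2379 cluster-health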
2. Deploy the kube-apiserver Cluster
1. Cluster Planning
Hostname | Role | IP |
---|---|---|
shkf6-243.host.com | kube-apiserver | 192.168.6.243 |
shkf6-244.host.com | kube-apiserver | 192.168.6.244 |
shkf6-241.host.com | L4 load balancer | 192.168.6.241 |
shkf6-242.host.com | L4 load balancer | 192.168.6.242 |
Note: 192.168.6.241 and 192.168.6.242 run nginx as a layer 4 load balancer, with keepalived providing the VIP 192.168.6.66 that proxies the two kube-apiservers for high availability.
This document walks through shkf6-243.host.com as the example; the other compute node is installed and deployed the same way.
2. Download the Software, Unpack It, Make a Symlink
On shkf6-243.host.com:
Kubernetes official GitHub address
Kubernetes download address
[root@shkf6-243 src]# cd /opt/src/
[root@shkf6-243 src]# wget http://down.sunrisenan.com/k8s/kubernetes/kubernetes-server-linux-amd64-v1.15.2.tar.gz
[root@shkf6-243 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@shkf6-243 src]# cd /opt/
[root@shkf6-243 opt]# mv kubernetes/ kubernetes-v1.15.2
[root@shkf6-243 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
Remove the source tarball
[root@shkf6-243 opt]# cd kubernetes
[root@shkf6-243 kubernetes]# rm -f kubernetes-src.tar.gz
[root@shkf6-243 kubernetes]# ll
total 1180
drwxr-xr-x 2 root root 6 Aug 5 18:01 addons
-rw-r--r-- 1 root root 1205293 Aug 5 18:01 LICENSES
drwxr-xr-x 3 root root 17 Aug 5 17:57 server
Remove the bundled docker image tarballs
[root@shkf6-243 kubernetes]# cd server/bin
[root@shkf6-243 bin]# ll
total 1548800
-rwxr-xr-x 1 root root  43534816 Aug 5 18:01 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 Aug 5 18:01 cloud-controller-manager
-rw-r--r-- 1 root root         8 Aug 5 17:57 cloud-controller-manager.docker_tag
-rw-r--r-- 1 root root 144437760 Aug 5 17:57 cloud-controller-manager.tar
-rwxr-xr-x 1 root root 200648416 Aug 5 18:01 hyperkube
-rwxr-xr-x 1 root root  40182208 Aug 5 18:01 kubeadm
-rwxr-xr-x 1 root root 164501920 Aug 5 18:01 kube-apiserver
-rw-r--r-- 1 root root         8 Aug 5 17:57 kube-apiserver.docker_tag
-rw-r--r-- 1 root root 208390656 Aug 5 17:57 kube-apiserver.tar
-rwxr-xr-x 1 root root 116397088 Aug 5 18:01 kube-controller-manager
-rw-r--r-- 1 root root         8 Aug 5 17:57 kube-controller-manager.docker_tag
-rw-r--r-- 1 root root 160286208 Aug 5 17:57 kube-controller-manager.tar
-rwxr-xr-x 1 root root  42985504 Aug 5 18:01 kubectl
-rwxr-xr-x 1 root root 119616640 Aug 5 18:01 kubelet
-rwxr-xr-x 1 root root  36987488 Aug 5 18:01 kube-proxy
-rw-r--r-- 1 root root         8 Aug 5 17:57 kube-proxy.docker_tag
-rw-r--r-- 1 root root  84282368 Aug 5 17:57 kube-proxy.tar
-rwxr-xr-x 1 root root  38786144 Aug 5 18:01 kube-scheduler
-rw-r--r-- 1 root root         8 Aug 5 17:57 kube-scheduler.docker_tag
-rw-r--r-- 1 root root  82675200 Aug 5 17:57 kube-scheduler.tar
-rwxr-xr-x 1 root root   1648224 Aug 5 18:01 mounter
[root@shkf6-243 bin]# rm -f *.tar
[root@shkf6-243 bin]# rm -f *_tag
[root@shkf6-243 bin]# ll
total 884636
-rwxr-xr-x 1 root root  43534816 Aug 5 18:01 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 Aug 5 18:01 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 Aug 5 18:01 hyperkube
-rwxr-xr-x 1 root root  40182208 Aug 5 18:01 kubeadm
-rwxr-xr-x 1 root root 164501920 Aug 5 18:01 kube-apiserver
-rwxr-xr-x 1 root root 116397088 Aug 5 18:01 kube-controller-manager
-rwxr-xr-x 1 root root  42985504 Aug 5 18:01 kubectl
-rwxr-xr-x 1 root root 119616640 Aug 5 18:01 kubelet
-rwxr-xr-x 1 root root  36987488 Aug 5 18:01 kube-proxy
-rwxr-xr-x 1 root root  38786144 Aug 5 18:01 kube-scheduler
-rwxr-xr-x 1 root root   1648224 Aug 5 18:01 mounter
3. Sign the client Certificate
On the ops host shkf6-245.host.com:
1. Create the JSON Config for the Certificate Signing Request (csr)
[root@shkf6-245 certs]# vim /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
2. Generate the client Certificate and Private Key
[root@shkf6-245 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
2019/11/14 13:59:24 [INFO] generate received request
2019/11/14 13:59:24 [INFO] received CSR
2019/11/14 13:59:24 [INFO] generating key: rsa-2048
2019/11/14 13:59:24 [INFO] encoded CSR
2019/11/14 13:59:24 [INFO] signed certificate with serial number 71787071397684874048844497862502145400133190813
2019/11/14 13:59:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
3. Check the Generated Certificate and Private Key
[root@shkf6-245 certs]# ll client*
-rw-r--r-- 1 root root 993 Nov 14 13:59 client.csr
-rw-r--r-- 1 root root 280 Nov 14 13:59 client-csr.json
-rw------- 1 root root 1679 Nov 14 13:59 client-key.pem
-rw-r--r-- 1 root root 1363 Nov 14 13:59 client.pem
4. Sign the kube-apiserver Certificate
On the ops host shkf6-245.host.com:
1. Create the JSON Config for the Certificate Signing Request (csr)
[root@shkf6-245 certs]# vim /opt/certs/apiserver-csr.json
[root@shkf6-245 certs]# cat /opt/certs/apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "10.96.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.6.66",
        "192.168.6.243",
        "192.168.6.244",
        "192.168.6.245"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
2. Generate the kube-apiserver Certificate and Private Key
[root@shkf6-245 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
2019/11/14 14:10:01 [INFO] generate received request
2019/11/14 14:10:01 [INFO] received CSR
2019/11/14 14:10:01 [INFO] generating key: rsa-2048
2019/11/14 14:10:02 [INFO] encoded CSR
2019/11/14 14:10:02 [INFO] signed certificate with serial number 531358145467350237994138515547646071524442824033
2019/11/14 14:10:02 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
3. Check the Generated Certificate and Private Key
[root@shkf6-245 certs]# ll apiserver*
-rw-r--r-- 1 root root 1249 Nov 14 14:10 apiserver.csr
-rw-r--r-- 1 root root 581 Nov 14 14:09 apiserver-csr.json
-rw------- 1 root root 1679 Nov 14 14:10 apiserver-key.pem
-rw-r--r-- 1 root root 1598 Nov 14 14:10 apiserver.pem
5. Copy the Certificates to Each Compute Node and Create the Configs
On shkf6-243.host.com:
Copy the certificates
[root@shkf6-243 bin]# pwd
/opt/kubernetes/server/bin
[root@shkf6-243 bin]# mkdir cert
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/apiserver-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/apiserver.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/ca-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/ca.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/client-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-243 bin]# scp -P52113 shkf6-245:/opt/certs/client.pem /opt/kubernetes/server/bin/cert/
Create the config file
[root@shkf6-243 bin]# mkdir conf
[root@shkf6-243 bin]# vi conf/audit.yaml
[root@shkf6-243 bin]# cat conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
6. Create the Startup Script
On shkf6-243.host.com:
[root@shkf6-243 bin]# vim /opt/kubernetes/server/bin/kube-apiserver.sh
[root@shkf6-243 bin]# cat /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
    --apiserver-count 2 \
    --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
    --audit-policy-file ./conf/audit.yaml \
    --authorization-mode RBAC \
    --client-ca-file ./cert/ca.pem \
    --requestheader-client-ca-file ./cert/ca.pem \
    --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
    --etcd-cafile ./cert/ca.pem \
    --etcd-certfile ./cert/client.pem \
    --etcd-keyfile ./cert/client-key.pem \
    --etcd-servers https://192.168.6.242:2379,https://192.168.6.243:2379,https://192.168.6.244:2379 \
    --service-account-key-file ./cert/ca-key.pem \
    --service-cluster-ip-range 10.96.0.0/22 \
    --service-node-port-range 3000-29999 \
    --target-ram-mb=1024 \
    --kubelet-client-certificate ./cert/client.pem \
    --kubelet-client-key ./cert/client-key.pem \
    --log-dir /data/logs/kubernetes/kube-apiserver \
    --tls-cert-file ./cert/apiserver.pem \
    --tls-private-key-file ./cert/apiserver-key.pem \
    --v 2
7. Adjust Permissions and Directories
On shkf6-243.host.com:
[root@shkf6-243 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@shkf6-243 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
8. Create the supervisor Config
On shkf6-243.host.com:
[root@shkf6-243 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[root@shkf6-243 bin]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-6-243]
command=/opt/kubernetes/server/bin/kube-apiserver.sh  ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                  ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=root                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
killasgroup=true                                      ; kill all processes in a group
stopasgroup=true                                      ; stop all processes in a group
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
9. Start the Service and Check
[root@shkf6-243 bin]# supervisorctl update
kube-apiserver-6-243: added process group
[root@shkf6-243 bin]# supervisorctl status
etcd-server-6-243 RUNNING pid 12112, uptime 5:06:23
kube-apiserver-6-243 RUNNING pid 12824, uptime 0:00:46
[root@shkf6-243 bin]# netstat -lntup|grep kube-apiser
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 12825/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 12825/./kube-apiser
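A hedged quick probe of the insecure local port (kube-apiserver should answer with ok):
[root@shkf6-243 bin]# curl http://127.0.0.1:8080/healthz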
10. Install, Deploy, Start, and Check All Planned Hosts
On shkf6-244:
[root@shkf6-244 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@shkf6-244 src]# cd /opt/
[root@shkf6-244 opt]# mv kubernetes kubernetes-v1.15.2
[root@shkf6-244 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@shkf6-244 opt]# cd kubernetes
[root@shkf6-244 kubernetes]# rm -f kubernetes-src.tar.gz
[root@shkf6-244 kubernetes]# cd server/bin
[root@shkf6-244 bin]# rm -f *.tar
[root@shkf6-244 bin]# rm -f *_tag
[root@shkf6-244 bin]# mkdir cert
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/apiserver-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/apiserver.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/ca-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/ca.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/client-key.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# scp -P52113 shkf6-245:/opt/certs/client.pem /opt/kubernetes/server/bin/cert/
[root@shkf6-244 bin]# mkdir conf
[root@shkf6-244 bin]# vi conf/audit.yaml
(the audit.yaml content is byte-identical to the one created on shkf6-243 above)
[root@shkf6-244 bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
(the script is byte-identical to the one created on shkf6-243 above)
[root@shkf6-244 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@shkf6-244 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
[root@shkf6-244 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[root@shkf6-244 bin]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-6-244]
command=/opt/kubernetes/server/bin/kube-apiserver.sh  ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                  ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; restart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=root                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
killasgroup=true                                      ; kill all processes in a group
stopasgroup=true                                      ; stop all processes in a group
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
[root@shkf6-244 bin]# supervisorctl update
kube-apiserver-6-244: added process group
[root@shkf6-244 bin]# supervisorctl status
etcd-server-6-244                RUNNING   pid 11748, uptime 5:10:52
kube-apiserver-6-244             RUNNING   pid 12408, uptime 0:00:43
11. Configure the Layer 4 Reverse Proxy
1. Deploy nginx
On shkf6-241 and shkf6-242:
~]# yum install nginx -y
2. Configure the L4 Proxy
On shkf6-241 and shkf6-242:
~]# vim /etc/nginx/nginx.conf
stream {
    upstream kube-apiserver {
        server 192.168.6.243:6443     max_fails=3 fail_timeout=30s;
        server 192.168.6.244:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
3. Start nginx
On shkf6-241 and shkf6-242:
~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
~]# systemctl start nginx
~]# systemctl enable nginx
4. Deploy the keepalived Service
On shkf6-241 and shkf6-242:
[root@shkf6-241 ~]# yum install keepalived -y
5. Configure the keepalived Service
On shkf6-241 and shkf6-242:
[root@shkf6-241 ~]# vi /etc/keepalived/check_port.sh
[root@shkf6-241 ~]# chmod +x /etc/keepalived/check_port.sh
[root@shkf6-241 ~]# cat /etc/keepalived/check_port.sh
#!/bin/bash
# keepalived port-monitoring script
# Usage, in the keepalived config file:
# vrrp_script check_port {                          # define a vrrp_script check
#     script "/etc/keepalived/check_port.sh 6379"   # port to monitor
#     interval 2                                    # how often to run the script, in seconds
# }
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
    PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
    if [ $PORT_PROCESS -eq 0 ];then
        echo "Port $CHK_PORT Is Not Used,End."
        exit 1
    fi
else
    echo "Check Port Cant Be Empty!"
fi
On shkf6-241:
Configure the keepalived master:
[root@shkf6-241 ~]# vim /etc/keepalived/keepalived.conf
[root@shkf6-241 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id 192.168.6.241
}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 192.168.6.241
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        192.168.6.66
    }
}
On shkf6-242:
Configure the keepalived backup:
[root@shkf6-242 ~]# vim /etc/keepalived/keepalived.conf
[root@shkf6-242 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id 192.168.6.242
}

vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 251
    mcast_src_ip 192.168.6.242
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        192.168.6.66
    }
}
6. Start keepalived
On shkf6-241 and shkf6-242:
~]# systemctl start keepalived.service
~]# systemctl enable keepalived.service
7. Check the VIP
[root@shkf6-241 ~]# ip a |grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
inet 192.168.6.241/24 brd 192.168.6.255 scope global eth0
inet 192.168.6.66/32 scope global eth0
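An optional failover drill (a sketch, assuming the two-node topology above): stopping nginx on the master makes the chk_nginx script fail, which drops the VRRP priority so the VIP moves to shkf6-242. Because nopreempt is set, the VIP does not move back automatically once nginx recovers; hand it back deliberately after confirming the master is healthy:
# On shkf6-241 (master): simulate a proxy failure
~]# systemctl stop nginx
# On shkf6-242 (backup): the VIP should show up within a few seconds
~]# ip a | grep 192.168.6.66
# Recover, then return the VIP (nopreempt means no automatic failback)
~]# systemctl start nginx          # on shkf6-241
~]# systemctl restart keepalived   # on shkf6-242, once 241 is confirmed healthy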
12. Start the proxy and check
[root@shkf6-243 bin]# netstat -lntup|grep kube-apiser
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 12825/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 12825/./kube-apiser
[root@shkf6-244 bin]# netstat -lntup|grep kube-apiser
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 12409/./kube-apiser
tcp6 0 0 :::6443 :::* LISTEN 12409/./kube-apiser
[root@shkf6-241 ~]# netstat -lntup|grep 7443
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 12936/nginx: master
[root@shkf6-242 ~]# netstat -lntup|grep 7443
tcp 0 0 0.0.0.0:7443 0.0.0.0:* LISTEN 11254/nginx: master
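Finally, probe straight through the VIP. The exact response body depends on the apiserver version and anonymous-auth settings, so treat the output loosely; any HTTPS answer proves the layer-4 path is healthy, whereas a connection refusal points at nginx or keepalived:
~]# curl -sk https://192.168.6.66:7443/healthz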
3. Deploy controller-manager
1. Cluster plan
Hostname | Role | IP
---|---|---
shkf6-243.host.com | controller-manager | 192.168.6.243
shkf6-244.host.com | controller-manager | 192.168.6.244

Note: this document uses shkf6-243.host.com as the example; the other host is installed and deployed the same way.
2. Create the startup script
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# cat /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
  --cluster-cidr 172.6.0.0/16 \
  --leader-elect true \
  --log-dir /data/logs/kubernetes/kube-controller-manager \
  --master http://127.0.0.1:8080 \
  --service-account-private-key-file ./cert/ca-key.pem \
  --service-cluster-ip-range 10.96.0.0/22 \
  --root-ca-file ./cert/ca.pem \
  --v 2
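Note that --master points at the apiserver's local insecure port, which is why this script needs no client-certificate flags. A quick hedged spot check that the port answers on this host before registering the service:
[root@shkf6-243 bin]# curl -s http://127.0.0.1:8080/version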
3. Adjust file permissions and create the directory
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh
[root@shkf6-243 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager
4. Create the supervisor configuration
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# vi /etc/supervisord.d/kube-controller-manager.ini
[root@shkf6-243 bin]# cat /etc/supervisord.d/kube-controller-manager.ini
[program:kube-controller-manager-6.243]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh   ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of process copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
killasgroup=true                                                ; kill all processes in a group
stopasgroup=true                                                ; stop all processes in a group
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
5. Start the service and check
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# supervisorctl update
kube-controller-manager-6.243: added process group
[root@shkf6-243 bin]# supervisorctl status
etcd-server-6-243 RUNNING pid 12112, uptime 23:36:23
kube-apiserver-6-243 RUNNING pid 12824, uptime 18:30:46
kube-controller-manager-6.243 RUNNING pid 14952, uptime 0:01:00
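With both hosts running, leader election should settle on exactly one active controller-manager. A hedged way to confirm (the exact log wording varies by version) is to look for the lease-acquisition message in the stdout log; it should appear on one of the two hosts:
[root@shkf6-243 bin]# grep -i leader /data/logs/kubernetes/kube-controller-manager/controller.stdout.log | tail -2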
6. Install, deploy, start, and check the kube-controller-manager service on all hosts in the cluster plan
Omitted (same procedure as above).
4. Deploy kube-scheduler
1. Cluster plan
Hostname | Role | IP
---|---|---
shkf6-243.host.com | kube-scheduler | 192.168.6.243
shkf6-244.host.com | kube-scheduler | 192.168.6.244

Note: this document uses shkf6-243.host.com as the example; the other host is installed and deployed the same way.
2. Create the startup script
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# vi /opt/kubernetes/server/bin/kube-scheduler.sh
[root@shkf6-243 bin]# cat /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
  --leader-elect \
  --log-dir /data/logs/kubernetes/kube-scheduler \
  --master http://127.0.0.1:8080 \
  --v 2
3. Adjust file permissions and create the directory
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# chmod +x /opt/kubernetes/server/bin/kube-scheduler.sh
[root@shkf6-243 bin]# mkdir -p /data/logs/kubernetes/kube-scheduler
4. Create the supervisor configuration
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# vi /etc/supervisord.d/kube-scheduler.ini
[root@shkf6-243 bin]# cat /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-6-243]
command=/opt/kubernetes/server/bin/kube-scheduler.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of process copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; restart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
killasgroup=true                                                ; kill all processes in a group
stopasgroup=true                                                ; stop all processes in a group
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)
5. Start the service and check
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# supervisorctl update
kube-scheduler-6-243: added process group
[root@shkf6-243 bin]# supervisorctl status
etcd-server-6-243 RUNNING pid 12112, uptime 23:52:01
kube-apiserver-6-243 RUNNING pid 12824, uptime 18:46:24
kube-controller-manager-6.243 RUNNING pid 14952, uptime 0:16:38
kube-scheduler-6-243 RUNNING pid 15001, uptime 0:01:39
[root@shkf6-243 bin]# ln -s /opt/kubernetes/server/bin/kubectl /usr/bin/kubectl
6. kubectl command auto-completion
On each node:
~]# yum install bash-completion -y
~]# kubectl completion bash > /etc/bash_completion.d/kubectl
Re-login to the terminal for completion to take effect, or source the file as shown below.
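Sourcing the completion file into the current shell has the same effect as a fresh login:
~]# source /etc/bash_completion.d/kubectl
~]# kubectl get no    # pressing Tab now completes resource names and flags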
7. Install, deploy, start, and check the kube-scheduler service on all hosts in the cluster plan
Omitted (same procedure as above).
5. Check the master nodes
On shkf6-243 and shkf6-244:
[root@shkf6-243 bin]# which kubectl
/usr/bin/kubectl
[root@shkf6-243 bin]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-1 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
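Two hedged notes for later: kubectl get cs is deprecated from Kubernetes 1.19 onward, and for the version deployed here the components also expose local insecure healthz ports (10252 for kube-controller-manager, 10251 for kube-scheduler by default), which make a handy cross-check if the cs output ever looks wrong:
[root@shkf6-243 bin]# curl -s http://127.0.0.1:10252/healthz    # kube-controller-manager
ok
[root@shkf6-243 bin]# curl -s http://127.0.0.1:10251/healthz    # kube-scheduler
ok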