机器信息

| 主机名称 | IP地址 | etcd名称 |
| --- | --- | --- |
| k8s-master01 | 172.16.50.180 | etcd1 |
| k8s-master02 | 172.16.50.181 | etcd2 |
| k8s-master03 | 172.16.50.182 | etcd3 |
系统初始化
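# Stop and disable firewalld (the original used `systemctl disabled`, which is not a subcommand).
# With firewalld off, etcd's peer/client ports 2379-2380 are reachable by anything that can route to
# these hosts, so restrict them at the network / security-group layer if the host firewall stays off.
systemctl stop firewalld
systemctl disable firewalld
# SELinux: permissive now (setenforce 0) and disabled after the next reboot via the config file.
# On RHEL-family systems /etc/sysconfig/selinux is typically a symlink to /etc/selinux/config; a plain
# `sed -i` replaces the symlink with a regular file and leaves the real config untouched, so follow it.
sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/' /etc/sysconfig/selinux
setenforce 0
getenforce
# Run on all three machines: unprivileged service account for etcd (no login shell, no home dir).
# Guarded so the step can be re-run without useradd failing on an already existing account.
id etcd >/dev/null 2>&1 || useradd -s /sbin/nologin -M etcd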
生成证书
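# On k8s-master01: write the etcd CSR. The original `cat > file EOF` was missing the `<<` heredoc operator.
cert_dir=/usr/local/kubernetes/cert
mkdir -p "$cert_dir"
cat > "$cert_dir/etcd-csr.json" <<'EOF'
{
  "CN": "etcd",
  "hosts": ["127.0.0.1", "172.16.50.180", "172.16.50.181", "172.16.50.182"],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "GuangDong",
      "O": "ws",
      "OU": "ops",
      "ST": "ShenZhen"
    }
  ]
}
EOF
# Generate the certificate. cfssl reads etcd-csr.json and the CA material from the current directory,
# so work inside the cert directory (it must already hold ca.pem, ca-key.pem and ca-config.json).
# Upstream ships the JSON splitter as `cfssljson`; keep `cfssl-json` only if that is the installed name.
cd "$cert_dir" && cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssl-json -bare etcd
# Distribute to every node (including this one, so ownership ends up identical everywhere).
# etcd itself needs only ca.pem, etcd.pem and etcd-key.pem; ca-key.pem is copied because later steps of
# the cluster setup may sign with it — it stays root-only (0600) on each node.
# etcd-key.pem must be readable by the `etcd` service account (User=etcd in the unit): cfssljson
# typically writes key files 0600 and scp keeps that mode, so a root-owned copy would be unreadable
# by etcd and the service would fail to start. The `etcd` user must already exist on each host.
for host in 172.16.50.180 172.16.50.181 172.16.50.182; do
  scp ca.pem ca-key.pem etcd.pem etcd-key.pem "root@${host}:${cert_dir}/"
  ssh "root@${host}" "chown root:root ${cert_dir}/ca-key.pem && chmod 600 ${cert_dir}/ca-key.pem && chown etcd:etcd ${cert_dir}/etcd-key.pem && chmod 600 ${cert_dir}/etcd-key.pem"
done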
下载解压
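# Run on all three machines. The etcd version is a single variable so the download URL, the extracted
# directory and the install step cannot drift apart.
etcd_ver=v3.4.14
etcd_tarball="etcd-${etcd_ver}-linux-amd64.tar.gz"
# Optional supply-chain check: set this to the sha256 listed for the tarball in the upstream release's
# SHA256SUMS. When set, the download is verified before anything is extracted or installed.
etcd_sha256="${etcd_sha256:-}"
cd /usr/local/src && wget "https://mirrors.huaweicloud.com/etcd/${etcd_ver}/${etcd_tarball}"
if [[ -n "$etcd_sha256" ]]; then
  echo "${etcd_sha256}  ${etcd_tarball}" | sha256sum -c - || exit 1
fi
tar xf "$etcd_tarball"
mkdir -p /usr/local/kubernetes/{bin,cert,conf}
mv "./etcd-${etcd_ver}-linux-amd64"/etcd* /usr/local/kubernetes/bin/
echo 'export PATH=$PATH:/usr/local/kubernetes/bin' > /etc/profile.d/kube.sh
# The original sourced /etc/profie (typo). /etc/profile pulls in /etc/profile.d/*.sh, which is what
# makes the new PATH entry take effect in the current shell.
source /etc/profile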
编写配置文件
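# Run on all three machines. The three etcd.conf files differ only in the member name and the host's
# own IP, so they are generated from one template instead of being kept as three near-identical copies;
# the initial cluster list, token and state are the same on every member.
#
# The client listener also binds plain http://127.0.0.1:2379. That loopback listener is neither
# authenticated nor encrypted: any local process on the node can read and modify the whole key space
# (for a Kubernetes etcd that includes Secrets). The etcdctl commands later in this guide use the TLS
# endpoint, so the http listener can be dropped from ETCD_LISTEN_CLIENT_URLS if nothing else needs it.
#
# write_etcd_conf NAME IP [OUTFILE]
#   NAME    - etcd member name (etcd1/etcd2/etcd3); must match the entry in ETCD_INITIAL_CLUSTER
#   IP      - this host's address, used for its peer and client URLs
#   OUTFILE - destination file; defaults to /usr/local/kubernetes/conf/etcd.conf
write_etcd_conf() {
  local name=$1 ip=$2
  local outfile=${3:-/usr/local/kubernetes/conf/etcd.conf}
  cat > "$outfile" <<EOF
# [member]
ETCD_NAME="${name}"
ETCD_DATA_DIR="/var/lib/etcd"
ETCD_LISTEN_PEER_URLS="https://${ip}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ip}:2379,http://127.0.0.1:2379"
# [cluster]
ETCD_ADVERTISE_CLIENT_URLS="https://${ip}:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ip}:2380"
ETCD_INITIAL_CLUSTER="etcd1=https://172.16.50.180:2380,etcd2=https://172.16.50.181:2380,etcd3=https://172.16.50.182:2380"
ETCD_INITIAL_CLUSTER_STATE=new
ETCD_INITIAL_CLUSTER_TOKEN=kubernetes-etcd-cluster
ETCD_ENABLE_V2="false"
EOF
}
# One call per machine, each run on that machine only:
#   k8s-master01: write_etcd_conf etcd1 172.16.50.180
#   k8s-master02: write_etcd_conf etcd2 172.16.50.181
#   k8s-master03: write_etcd_conf etcd3 172.16.50.182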
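# Data directory for this member. It must belong to the account the unit runs as (User=etcd), and
# etcd warns at startup when the data directory is more permissive than 0700, so tighten it here.
# `mkdir -p` keeps the step re-runnable.
mkdir -p /var/lib/etcd
chown -R etcd:etcd /var/lib/etcd
chmod 700 /var/lib/etcd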
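# Write the systemd unit (the original only showed the file with `cat`; this creates it).
# Compared with the shown unit, --client-cert-auth and --peer-client-cert-auth are enabled: with only
# --cert-file / --trusted-ca-file set, etcd presents a server certificate but accepts any client, so
# every host that can reach 2379 gets read/write access to the key space. With client-cert auth a client
# must present a certificate signed by ca.pem, which the etcdctl invocations at the end of this guide
# already do. Note this does not apply to the plain-http loopback listener in etcd.conf, if it is kept.
cat > /etc/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
User=etcd
EnvironmentFile=/usr/local/kubernetes/conf/etcd.conf
ExecStart=/usr/local/kubernetes/bin/etcd \
  --cert-file=/usr/local/kubernetes/cert/etcd.pem \
  --key-file=/usr/local/kubernetes/cert/etcd-key.pem \
  --client-cert-auth=true \
  --peer-cert-file=/usr/local/kubernetes/cert/etcd.pem \
  --peer-key-file=/usr/local/kubernetes/cert/etcd-key.pem \
  --peer-client-cert-auth=true \
  --trusted-ca-file=/usr/local/kubernetes/cert/ca.pem \
  --peer-trusted-ca-file=/usr/local/kubernetes/cert/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF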
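# Reload unit files, enable the service so it comes back after a reboot (the original never enabled
# it, so etcd would stay down after the first restart), then start it. `deamon-reload` was a typo.
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
# Client TLS material shared by every etcdctl call below. Keep it on every call: when the server
# enforces client-certificate auth, a call without --cert/--key is rejected.
etcdctl_tls=(
  --cacert=/usr/local/kubernetes/cert/ca.pem
  --cert=/usr/local/kubernetes/cert/etcd.pem
  --key=/usr/local/kubernetes/cert/etcd-key.pem
)
# List cluster members.
etcdctl --endpoints=https://172.16.50.180:2379 "${etcdctl_tls[@]}" member list
# Check each endpoint's health individually so a single unhealthy member is visible.
for ep in https://172.16.50.180:2379 https://172.16.50.181:2379 https://172.16.50.182:2379; do
  etcdctl --endpoints="$ep" "${etcdctl_tls[@]}" endpoint health
done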