k8s 二进制安装
环境规划参考:
各个组件证书依赖
1、安装证书工具:
2、etcd安装
3、flanneld 安装
4、docker配置
5、配置k8s组件证书
6、安装master组件
7、安装node组件
8 增加节点
1、安装证书工具:
cd /opt/ssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x *
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2、etcd安装
采用最新的etcd安装包
wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
cp etcd-v3.3.10-linux-amd64/etcd* /opt/etcd/bin
之前装过的需要将/var/lib/etcd删掉,不然会报错。
配置etcd证书:
[root@k8s-master01 ssl]# cat etcd-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
-----------------------
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.1.6",
"192.168.1.7",
"192.168.1.8"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
运行该脚本,然后将ca和server相关的pem拷贝到指定路径
cp ca.pem /opt/etcd/ssl/
cp server.pem /opt/etcd/ssl/
编写安装脚本:
vim etcd.sh
!/bin/bash
example: ./etcd.sh etcd01 192.168.1.10 etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
cat <
[Member]
ETCD_NAME="\({ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://\){ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://\({ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://\){ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://\({ETCD_IP}:2380,\){ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
cat <
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=\({WORK_DIR}/cfg/etcd
ExecStart=\){WORK_DIR}/bin/etcd
--name=${ETCD_NAME}
--data-dir=${ETCD_DATA_DIR}
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS}
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS}
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS}
--initial-cluster=${ETCD_INITIAL_CLUSTER}
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN}
--initial-cluster-state=new
--cert-file=\({WORK_DIR}/ssl/server.pem \
--key-file=\){WORK_DIR}/ssl/server-key.pem
--peer-cert-file=\({WORK_DIR}/ssl/server.pem \
--peer-key-file=\){WORK_DIR}/ssl/server-key.pem
--trusted-ca-file=\({WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=\){WORK_DIR}/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
运行脚本:
chmod +x etcd.sh
./etcd.sh etcd01 192.168.1.6 etcd02=https://192.168.1.7:2380,etcd03=https://192.168.1.8:2380
检测:
ps aux |grep ecd
分发文件到另外2个节点:
scp -r etcd 192.168.1.7:/opt/
scp -r etcd 192.168.1.8:/opt/
scp /usr/lib/systemd/system/etcd.service 192.168.1.7:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service 192.168.1.8:/usr/lib/systemd/system/
将/opt/etcd/cfg/etcd配置文件修改成对应的ip,ETCD_NAME改成对应的名字,不懂的参考1.10.7安装etcd
将节点的etcd启动:
systemctl enable etcd
systemctl start etcd
检测etcd健康:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" cluster-health
如果健康检测通过了,但是systemctl status etcd出现了证书相关的问题,不用理会,例如:
3、flanneld 安装
我们先在master上面操作,即192.168.1.6
下载二进制包:
此处我们用的比较新的0.10版本
wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
将解压后得到的可执行文件放入我们之定义的路径下面
cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/
分配自网段:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
测试:
/opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379" get /coreos.com/network/config
配置flannel文件
[root@k8s-master01 shell]# cat flannel.sh
!/bin/bash
./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}
cat <
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS}
-etcd-cafile=/opt/etcd/ssl/ca.pem
-etcd-certfile=/opt/etcd/ssl/server.pem
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
cat <
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart dockerd
运行该脚本:
后面参数是etcd集群地址
./flannel.sh https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
启动:
systemctl enable flanneld
systemctl start flanneld
测试flanneld:
cat /run/flannel/subnet.env
systemctl status flanneld.service
然后将文件分发下去,其他节点也装上flannel,不用做任何变动:
scp -r /opt/kubernetes 192.168.1.6:/opt/
scp -r /opt/kubernetes 192.168.1.7:/opt/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.6:/usr/lib/systemd/system/
scp -r /usr/lib/systemd/system/flanneld.service 192.168.1.7:/usr/lib/systemd/system/
4、docker配置
docker和1.10.7一样,这一块没有变动
cat <
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl restart docker
查看ifconfig 中 会出现一个flannel 网络,并且flannel和docker0 网络段会相同
查看docker进程可以检测:
[root@k8s-master01 shell]# ps -ef |grep docker
root 8548 1 0 11:59 ? 00:00:31 /usr/bin/dockerd --bip=172.17.56.1/24 --ip-masq=false --mtu=1450
root 8555 8548 0 11:59 ? 00:00:51 docker-containerd --config /var/run/docker/containerd/containerd.toml
root 22005 7466 0 15:02 pts/1 00:00:00 grep --color=auto docker
所有节点都进行此操作
5、配置k8s组件证书
生成证书脚本:
[root@k8s-master01 k8s-crt]# cat k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.1.6",
"192.168.1.7",
"192.168.1.8",
"192.168.1.9",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
运行该脚本会生成一堆证书,我们可以将需要的证书放置指定路径,其中的ip是我们需要的各个与k8s相关的脚本
sh k8s-cert.sh
[root@k8s-master01 k8s-crt]# ls
admin.csr admin-key.pem ca-config.json ca-csr.json ca.pem kube-proxy.csr kube-proxy-key.pem server.csr server-key.pem
admin-csr.json admin.pem ca.csr ca-key.pem k8s-cert.sh kube-proxy-csr.json kube-proxy.pem server-csr.json server.pem
拷贝证书到指定路径
cp *.pem /opt/kubernetes/ssl
6、安装master组件
下载最新包:
wget https://storage.googleapis.com/kubernetes-release/release/v1.12.1/kubernetes-server-linux-amd64.tar.gz
tar xvf kubernetes-server-linux-amd64.tar.gz
将需要的包拷贝到指定路径:
cp kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
生成k8s需要的token
[root@k8s-master01 shell]# cat token.sh
token=$(head -c 10 /dev/urandom |od -An -t x|tr -d ' ')
cat <
${token},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
运行该脚本会在/opt/kubernetes/cfg/ 生产一个token文件
配置kube-apiserver
[root@k8s-master01 shell]# cat apiserver.sh
!/bin/bash
./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
MASTER_ADDRESS=$1
ETCD_SERVERS=$2
cat <
KUBE_APISERVER_OPTS="--logtostderr=true \
--v=4 \
--etcd-servers=\({ETCD_SERVERS} \\
--bind-address=\){MASTER_ADDRESS} \
--secure-port=6443 \
--advertise-address=${MASTER_ADDRESS} \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--kubelet-https=true \
--enable-bootstrap-token-auth \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
cat <
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
运行该脚本:
./apiserver.sh 192.168.1.6 https://192.168.1.6:2379,https://192.168.1.7:2379,https://192.168.1.8:2379
其中第一个参数代表本机ip,第二个代表etcd ip组
检测:systemctl status kube-apiserver
配置kube-controller-manager
[root@k8s-master01 shell]# cat controller-manager.sh
!/bin/bash
./controller-manager.sh 127.0.0.1
MASTER_ADDRESS=$1
cat <
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
--v=4 \
--master=${MASTER_ADDRESS}:8080 \
--leader-elect=true \
--address=127.0.0.1 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat <
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
运行该脚本:
./controller-manager.sh 127.0.0.1
检测:systemctl status kube-controller-manager.service
配置:kube-scheduler
[root@k8s-master01 shell]# cat scheduler.sh
!/bin/bash
./scheduler.sh 127.0.0.1
MASTER_ADDRESS=$1
cat <
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--master=${MASTER_ADDRESS}:8080 \
--leader-elect"
EOF
cat <
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
执行该脚本:
./scheduler.sh 127.0.0.1
检测:
systemctl status kube-scheduler.service
netstat -lnp |grep 8080
7、安装node组件
a、首先我们在master上面创建用户认证:
将kubelete-bootstrap用户绑定在集群角色上
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
如果有可以先删除:
kubectl delete clusterrolebinding kubelet-bootstrap
如果有缺少对system:anonymous用户的授权,kubelet启动的时候会报错如下:
error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User “system:anonymous” cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
我们还需要对 system:anonymous用户的授权,不然以后node阶节点匿名向主节点传递信息的时候会有问题:
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=system:anonymous
将node节点需要的执行文件分发下去:
从我们解压的安装包获取相关文件
cd /root/kubernetes/server/bin
scp kubelet kube-proxy 192.168.1.7:/opt/kubernetes/bin/
scp kubelet kube-proxy 192.168.1.8:/opt/kubernetes/bin/
b、创建kubeconfig 文件
注意:这里的BOOTSTRAP_TOKEN 的值需要用我们之前生成的值,就是token.scv里面的值
[root@k8s-master01 shell]# cat kubeconfig.sh
创建 TLS Bootstrapping Token
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
----------------------
APISERVER=$1
SSL_DIR=$2
./kubeconfig.sh 192.168.1.6 /opt/k8s-crt
创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://:6443$APISERVER"
设置集群参数
kubectl config set-cluster kubernetes
--certificate-authority=\(SSL_DIR/ca.pem \
--embed-certs=true \
--server=\){KUBE_APISERVER}
--kubeconfig=bootstrap.kubeconfig
设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap
--token=${BOOTSTRAP_TOKEN}
--kubeconfig=bootstrap.kubeconfig
设置上下文参数
kubectl config set-context default
--cluster=kubernetes
--user=kubelet-bootstrap
--kubeconfig=bootstrap.kubeconfig
设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
----------------------
创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes
--certificate-authority=\(SSL_DIR/ca.pem \
--embed-certs=true \
--server=\){KUBE_APISERVER}
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy
--client-certificate=\(SSL_DIR/kube-proxy.pem \
--client-key=\)SSL_DIR/kube-proxy-key.pem
--embed-certs=true
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default
--cluster=kubernetes
--user=kube-proxy
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
执行该脚本:
./kubeconfig.sh 192.168.1.6 /opt/k8s-crt
将生成的2个配置文件分发到node节点上去
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.1.8:/opt/kubernetes/cfg/
rsync -avPz bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.1.7:/opt/kubernetes/cfg/
c、安装node组件
编辑kubelet安装脚本:
[root@k8s-node01 shell]# cat kubelet.sh
!/bin/bash
./kubelet.sh 192.168.1.7 10.0.0.2
NODE_ADDRESS=\(1 DNS_SERVER_IP=\){2:-"10.0.0.2"}
cat <
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--address=\({NODE_ADDRESS} \\
--hostname-override=\){NODE_ADDRESS} \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
cat <
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
readOnlyPort: 10255
authentication:
anonymous:
enabled: true
EOF
cat <
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
运行次脚本:
./kubelet.sh 192.168.1.7 10.0.0.2
此时会在ssl下面生成一些证书相关的文件,
检测:
ps -ef |grep kubelet
安装proxy文件脚本
[root@k8s-node01 shell]# cat proxy.sh
!/bin/bash
./proxy.sh 192.168.1.7
NODE_ADDRESS=$1
cat <
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=${NODE_ADDRESS} \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF
cat <
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
运行次脚本:
./proxy.sh 192.168.1.7
检测:
systemctl status kube-proxy.service
此时我们第一台node已经安装好,我们可以在master上检测是否有节点信息请求注册:
[root@k8s-master01 shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 10m system:kubelet-bootstrapPending
通过请求:
[root@k8s-master01 shell]# kubectl certificate approve node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ
此时状态已经改变:
[root@k8s-master01 shell]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-lYZU4lw685vTnpaIEMNF4vCfttB07CJvZMOxBuYT4DQ 16m system:kubelet-bootstrap Approved,Issued
查看k8s节点:
[root@k8s-master01 shell]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.1.7 Ready
8 增加节点:
此时我们加入另一台就显得非常简单:
首先kubelet.kubeconfig,kube-proxy.kubeconfig,这2个配置文件必须之前已经分发过来
我们加入安装脚本:
./kubelet.sh 192.168.1.8 10.0.0.2
./proxy.sh 192.168.1.8
运行脚本,然后去master :
kubectl get csr 查看节点是否自动注册过来,然后加入便可
本星球包含了海量运维、安全、设计微服务k8s、Python干货分享、提供最完整的指引,帮助你轻松掌握ChatGPT理论和实战应用场景、如何变现、如何正确使用AI!!时代赋予的机遇,你可躺平,但生活从不手软,你赚的每一分钱都是成长的变现!!赶紧抓住这个巨大的风口红利,建议跟着这个课程来学习,相信能带你成为ChatGPT、技术大师!
