0
点赞
收藏
分享

微信扫一扫

Kubernetes-v1.15 二进制部署安装

Sky飞羽 2021-09-24 阅读 44
DevOps

2.k8s基础环境部署

2.1 准备工作

[1-2云主机可忽略]
1.yum源准备
# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# yum makecache
 
2.关墙
# systemctl stop firewalld
# systemctl disable firewalld
 
# sed -ir '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config
# getenforce
Disabled
 
3.安装Ops必备包
# yum install tree nmap dos2unix lrzsz nc lsof  psmisc net-tools bash-completion bash-completion-extras vim-enhanced \
wget tcpdump unzip htop iftop iotop sysstat nethogs telnet nmap sysstat lrzsz dos2unix bind-utils vim less -y

2.2 DNS服务安装

#主机域host.com       业务域od.com
#主辅同步(10.0.0.12主、10.0.0.15辅)
#客户端配置指向自建DNS
#安装Bind服务
-----------------------------------------------------------------------------------------------
> k8s0-12安装bind
~]# yum install bind -y
 
/etc/named.conf  # 确保以下配置正确
  listen-on port 53 { 10.0.0.12; };
  directory   "/var/named";
  allow-query     { any; };
  forwarders      { 10.0.0.254; };
  recursion yes;
  dnssec-enable no;
  dnssec-validation no;
 
#配置区域文件
# 增加两个zone配置,od.com为业务域,host.com.zone为主机域
/etc/named.rfc1912.zones 
zone "host.com" IN {
        type  master;
        file  "host.com.zone";
        allow-update { 10.0.0.12; };
};
 
zone "od.com" IN {
        type  master;
        file  "od.com.zone";
        allow-update { 10.0.0.12; };
};
 
#配置主机域文件
~]# cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600  ; 10 minutes
@       IN SOA  dns.host.com. dnsadmin.host.com. (
        2020070801 ; serial
        10800      ; refresh (3 hours)
        900        ; retry (15 minutes)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
      NS   dns.host.com.
$TTL 60 ; 1 minute
dns              A    10.0.0.12
k8s0-12          A    10.0.0.12
k8s0-15          A    10.0.0.15
k8s0-2           A    10.0.0.2
k8s0-6           A    10.0.0.6
k8s0-8           A    10.0.0.8
 
#业务域文件
# /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600  ; 10 minutes
@       IN SOA  dns.od.com. dnsadmin.od.com. (
        2020070801 ; serial
        10800      ; refresh (3 hours)
        900        ; retry (15 minutes)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
        NS   dns.od.com.
$TTL 60 ; 1 minute
dns                A    10.0.0.12
 
#启动bind服务,并测试
~]# named-checkconf  # 检查配置文件
~]# systemctl start named && systemctl enable named.service
~]# netstat -lntup |grep 53
tcp        0      0 10.4.7.11:53            0.0.0.0:*               LISTEN      24139/named        
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      24139/named        
tcp6       0      0 ::1:53                  :::*                    LISTEN      24139/named        
tcp6       0      0 ::1:953                 :::*                    LISTEN      24139/named        
udp        0      0 10.4.7.11:53            0.0.0.0:*                           24139/named        
udp6       0      0 ::1:53                  :::*                                24139/named  
 
 
~]# dig -t A k8s0-2.host.com @10.0.0.12 +short
10.0.0.2
 
修改所有主机的dns服务器地址指向10.0.0.12
同时修改win server本地dns指向k8s0-12.host.com  测试是否正常通信

2.3 准备证书签发环境

安装CFSSL
1.k8s0-8 下载工具
 
curl -s -L -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /usr/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/bin/cfssl*
 
签发根证书
~]# mkdir /opt/certs/ && cd /opt/certs/
# 根证书配置:
# CN 一般写域名,浏览器会校验
# names 为地区和公司信息
# expiry 为过期时间
/opt/certs/ca-csr.json
{
    "CN": "Datacloak",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}
 
# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
 
查看签发的证书,生成ca.pem、ca.csr、ca-key.pem(CA私钥,需妥善保管)
certs]# ls -l ca*
-rw-r--r-- 1 root root  985 Jun 22 16:17 ca.csr
-rw-r--r-- 1 root root  322 Jun 22 16:14 ca-csr.json
-rw------- 1 root root 1675 Jun 22 16:17 ca-key.pem
-rw-r--r-- 1 root root 1330 Jun 22 16:17 ca.pem

2.3 Docker环境[2,6,8]

~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
~]# yum install -y docker-ce
~]# mkdir /etc/docker/
# 不安全的registry中增加了harbor地址
# 各个机器上bip网段不一致,bip中间两段与宿主机最后两段相同,目的是方便定位问题
 
/etc/docker/daemon.json
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "bip": "172.7.2.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
 
~]# mkdir /data/docker
~]# systemctl start docker && systemctl enable docker

2.4 Harbor私有仓库部署[8]

# 目录说明:
# /opt/src : 源码、文件下载目录
# /opt : 各个版本软件存放位置
# /opt/apps : 各个软件当前版本的软链接
 
1.下载软件二进制包并解压
# wget https://github.com/goharbor/harbor/releases/download/v1.10.4/harbor-offline-installer-v1.10.4.tgz
[root@k8s0-8.host.com /opt/src]# tar xf harbor-offline-installer-v1.10.4.tgz -C /opt/
# ln -s /opt/harbor-v1.10.4 /opt/harbor
 
vim /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
  port: 180
data_volume: /data/harbor
location: /data/harbor/logs

]# yum install -y docker-compose
[root@k8s0-8.host.com /opt/harbor]# pwd
/opt/harbor
[root@k8s0-8.host.com /opt/harbor]# ./install.sh 
。。。。。。。。
✔ ----Harbor has been installed and started successfully.----
 
Now you should be able to visit the admin portal at http://harbor.od.com.
For more details, please visit https://github.com/goharbor/harbor .
 
检查harbor启动情况
harbor]# docker-compose ps
      Name                     Command               State             Ports         
--------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up                              
harbor-db           /docker-entrypoint.sh            Up      5432/tcp                
harbor-jobservice   /harbor/harbor_jobservice  ...   Up                              
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up      8080/tcp                
nginx               nginx -g daemon off;             Up      0.0.0.0:180->8080/tcp   
redis               redis-server /etc/redis.conf     Up      6379/tcp                
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                
registryctl         /harbor/start.sh                 Up   
 
2.配置harbor开机启动
编辑/etc/rc.d/rc.local
# start harbor
cd /opt/apps/harbor
/usr/bin/docker-compose stop
/usr/bin/docker-compose start

2.5 Nginx配置反代

1.安装配置Nginx反向代理harbor [8]
yum install nginx -y
 
/etc/nginx/conf.d/harbor.conf
server {
    listen       80;
    server_name  harbor.od.com;
    # 避免出现上传失败的情况
    client_max_body_size 1000m;
 
    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
 
2.k8s0-12 配置DNS解析
~]# cat /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600  ; 10 minutes
@       IN SOA  dns.od.com. dnsadmin.od.com. (
        2020070801 ; serial
        10800      ; refresh (3 hours)
        900        ; retry (15 minutes)
        604800     ; expire (1 week)
        86400      ; minimum (1 day)
        )
        NS   dns.od.com.
$TTL 60 ; 1 minute
dns                A    10.0.0.12
harbor         A    10.0.0.8
 
~]# systemctl restart named.service 
[root@k8s0-12 ~]# host harbor.od.com
harbor.od.com has address 10.0.0.8
 
 
自行测试Harbor仓库 push pull
呼啦呼啦。。。。。。。。。

3.ETCD集群部署[2,6,15]

1.签发ETCD证书 [8]
• server 表示服务端连接客户端时携带的证书,用于客户端验证服务端身份
• client 表示客户端连接服务端时携带的证书,用于服务端验证客户端身份
• peer 表示相互之间连接时使用的证书,如etcd节点之间验证
创建ca的json配置: /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
 
创建etcd证书配置:/opt/certs/etcd-peer-csr.json
[root@k8s0-8.host.com /opt/certs]# cat etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "10.0.0.12",
        "10.0.0.15",
        "10.0.0.2",
        "10.0.0.6"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
 
 
签发证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
/opt/certs]# ll etcd-peer*
-rw-r--r-- 1 root root 1062 Jul  8 22:22 etcd-peer.csr
-rw-r--r-- 1 root root  361 Jul  8 22:20 etcd-peer-csr.json
-rw------- 1 root root 1679 Jul  8 22:22 etcd-peer-key.pem
-rw-r--r-- 1 root root 1419 Jul  8 22:22 etcd-peer.pem
 
 
安装etcd[演示一台15,其他照搬]
~]# useradd -s /sbin/nologin -M etcd
tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
mv etcd-v3.1.20-linux-amd64 etcd-v3.1.20
ln -s /opt/etcd-v3.1.20 /opt/etcd
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
 
下发证书到3个节点
for i in 15 2 6;do scp ca.pem etcd-peer.pem etcd-peer-key.pem k8s0-${i}:/opt/etcd/certs/ ;done
 
创建启动脚本(部分参数每台机器不同)
[root@k8s0-15 ~]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
# listen-peer-urls etcd节点之间通信端口
# listen-client-urls 客户端与etcd通信端口
# quota-backend-bytes 配额大小
# 需要修改的参数:name,listen-peer-urls,listen-client-urls,initial-advertise-peer-urls
 
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit

/opt/etcd/etcd --name etcd-server-0-15 \
    --data-dir /data/etcd/etcd-server \
    --listen-peer-urls https://10.0.0.15:2380 \
    --listen-client-urls https://10.0.0.15:2379,http://127.0.0.1:2379 \
    --quota-backend-bytes 8000000000 \
    --initial-advertise-peer-urls https://10.0.0.15:2380 \
    --advertise-client-urls https://10.0.0.15:2379,http://127.0.0.1:2379 \
    --initial-cluster  etcd-server-0-15=https://10.0.0.15:2380,etcd-server-0-2=https://10.0.0.2:2380,etcd-server-0-6=https://10.0.0.6:2380 \
    --ca-file ./certs/ca.pem \
    --cert-file ./certs/etcd-peer.pem \
    --key-file ./certs/etcd-peer-key.pem \
    --client-cert-auth  \
    --trusted-ca-file ./certs/ca.pem \
    --peer-ca-file ./certs/ca.pem \
    --peer-cert-file ./certs/etcd-peer.pem \
    --peer-key-file ./certs/etcd-peer-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file ./certs/ca.pem \
    --log-output stdout
 
 
#chmod u+x /opt/etcd/etcd-server-startup.sh
#chown -R etcd.etcd /opt/etcd/ /data/etcd/ /data/logs/etcd-server/
 
 
启动etcd
因为这些进程都是要启动为后台进程,要么手动启动,要么采用后台进程管理工具,实验中使用后台管理工具
[root@k8s0-15 ~]# yum install supervisor -y
~]# systemctl start supervisord && systemctl enable supervisord

cat /etc/supervisord.d/etcd-server.ini
[program:etcd-server-0-15]
command=/opt/etcd/etcd-server-startup.sh         ; the program (relative uses PATH, can take args)
numprocs=1                                            ; number of processes copies to start (def 1)
directory=/opt/etcd                              ; directory to cwd to before exec (def no cwd)
autostart=true                                        ; start at supervisord start (default: true)
autorestart=true                                      ; retstart at unexpected quit (default: true)
startsecs=30                                          ; number of secs prog must stay running (def. 1)
startretries=3                                        ; max # of serial start failures (default 3)
exitcodes=0,2                                         ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                       ; signal used to kill process (default TERM)
stopwaitsecs=10                                       ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                             ; setuid to this UNIX account to run the program
redirect_stderr=true                                  ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                          ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5                              ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                           ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                           ; emit events on stdout writes (default false)
 
 
[root@k8s0-15 etcd-server]# supervisorctl status
etcd-server-0-15                 RUNNING   pid 18099, uptime 0:02:13
 
 
[root@k8s0-15 etcd-server]# netstat -lntup|grep etcd
tcp        0      0 10.0.0.15:2379          0.0.0.0:*               LISTEN      18103/etcd         
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      18103/etcd         
tcp        0      0 10.0.0.15:2380          0.0.0.0:*               LISTEN      18103/etcd

验证集群
[root@k8s0-15 etcd]# /opt/etcd/etcdctl member list
fde9dd315b6d0b2: name=etcd-server-0-2 peerURLs=https://10.0.0.2:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.2:2379 isLeader=false
40e0ff5ee27c98d0: name=etcd-server-0-6 peerURLs=https://10.0.0.6:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.6:2379 isLeader=false
a484cc703f2837a4: name=etcd-server-0-15 peerURLs=https://10.0.0.15:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.15:2379 isLeader=true
 
 
健康状态:
[root@k8s0-15 etcd]# /opt/etcd/etcdctl cluster-health
member fde9dd315b6d0b2 is healthy: got healthy result from http://127.0.0.1:2379
member 40e0ff5ee27c98d0 is healthy: got healthy result from http://127.0.0.1:2379
member a484cc703f2837a4 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy

4.kube-apiserver集群部署[2,6]

这里10.0.0.12和10.0.0.15使用nginx做4层负载均衡器,用keepalived跑一个vip:10.0.0.10,代理两个kube-apiserver,实现高可用
[root@k8s0-2 ~]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@k8s0-2 opt]# mv kubernetes /opt/kubernetes-v1.15.2
[root@k8s0-2 opt]# ln -s /opt/kubernetes-v1.15.2 /opt/kubernetes
# rm -f kubernetes-src.tar.gz
bin]# rm -f *.tar *_tag
[root@k8s0-2 bin]# ll
total 884636
-rwxr-xr-x 1 root root  43534816 Aug  5  2019 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 Aug  5  2019 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 Aug  5  2019 hyperkube
-rwxr-xr-x 1 root root  40182208 Aug  5  2019 kubeadm
-rwxr-xr-x 1 root root 164501920 Aug  5  2019 kube-apiserver
-rwxr-xr-x 1 root root 116397088 Aug  5  2019 kube-controller-manager
-rwxr-xr-x 1 root root  42985504 Aug  5  2019 kubectl
-rwxr-xr-x 1 root root 119616640 Aug  5  2019 kubelet
-rwxr-xr-x 1 root root  36987488 Aug  5  2019 kube-proxy
-rwxr-xr-x 1 root root  38786144 Aug  5  2019 kube-scheduler
-rwxr-xr-x 1 root root   1648224 Aug  5  2019 mounter
 
 
签发client证书[运维主机 8
[root@k8s0-8.host.com /opt/certs]# cat /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
 
 
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
# ls client* -l
-rw-r--r-- 1 root root  993 Jul 17 20:48 client.csr
-rw-r--r-- 1 root root  280 Jul 17 20:47 client-csr.json
-rw------- 1 root root 1675 Jul 17 20:48 client-key.pem
-rw-r--r-- 1 root root 1354 Jul 17 20:48 client.pem

签发kube-apiserver证书
1.签发server证书(apiserver和其它k8s组件通信使用)
# hosts中将所有可能作为apiserver的ip添加进去,VIP也要加入
创建生成证书签名请求(csr)的JSON配置文件
[root@k8s0-8.host.com /opt/certs]# cat apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "10.0.0.10",
        "10.0.0.2",
        "10.0.0.6",
        "10.0.0.7"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
 
 
[root@k8s0-8.host.com /opt/certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver

[root@k8s0-8.host.com /opt/certs]# ls apiserver* -l
-rw-r--r-- 1 root root 1249 Jul 17 20:52 apiserver.csr
-rw-r--r-- 1 root root  563 Jul 17 20:51 apiserver-csr.json
-rw------- 1 root root 1679 Jul 17 20:52 apiserver-key.pem
-rw-r--r-- 1 root root 1590 Jul 17 20:52 apiserver.pem
 
 
下发证书
#for i in 2 6;do echo k8s0-$i;ssh k8s0-$i "mkdir /opt/kubernetes/server/bin/certs";scp apiserver-key.pem apiserver.pem ca-key.pem ca.pem client-key.pem client.pem k8s0-$i:/opt/kubernetes/server/bin/certs/;done

配置apiserver日志审计
# mkdir  /opt/kubernetes/conf
# cat /opt/kubernetes/conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]
 
  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]
 
  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]
 
  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"
 
  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]
 
  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]
 
  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.
 
  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

[root@k8s0-2 ~]# cat /opt/kubernetes/server/bin/kube-apiserver-startup.sh
#!/bin/bash
 
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/kubernetes/server/bin/kube-apiserver \
    --apiserver-count 2 \
    --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
    --audit-policy-file ../../conf/audit.yaml \
    --authorization-mode RBAC \
    --client-ca-file ./certs/ca.pem \
    --requestheader-client-ca-file ./certs/ca.pem \
    --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
    --etcd-cafile ./certs/ca.pem \
    --etcd-certfile ./certs/client.pem \
    --etcd-keyfile ./certs/client-key.pem \
    --etcd-servers https://10.0.0.15:2379,https://10.0.0.2:2379,https://10.0.0.6:2379 \
    --service-account-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/16 \
    --service-node-port-range 3000-29999 \
    --target-ram-mb=1024 \
    --kubelet-client-certificate ./certs/client.pem \
    --kubelet-client-key ./certs/client-key.pem \
    --log-dir  /data/logs/kubernetes/kube-apiserver \
    --tls-cert-file ./certs/apiserver.pem \
    --tls-private-key-file ./certs/apiserver-key.pem \
    --v 2
 
 
[root@k8s0-2 bin]# chmod u+x kube-apiserver-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
 
创建supervisor启动配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-0-2]
command=/opt/kubernetes/server/bin/kube-apiserver-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false

[root@k8s0-2 certs]# supervisorctl status
etcd-server-0-2                  RUNNING   pid 18400, uptime 0:49:11
kube-apiserver-0-2               RUNNING   pid 24694, uptime 0:00:51
 
[root@k8s0-2 certs]# netstat -lntp|grep api
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      24698/kube-apiserve
tcp6       0      0 :::6443                 :::*                    LISTEN      24698/kube-apiserve
 
配置apiserver L4代理
L4 代理涉及的服务器:k8s0-12 k8s0-15
[root@k8s0-12 ~]# yum install nginx -y
# 末尾加上以下内容,stream 只能加在 main 中
# 此处只是简单配置下nginx,实际生产中,建议进行更合理的配置
stream {
    log_format proxy '$time_local|$remote_addr|$upstream_addr|$protocol|$status|'
                     '$session_time|$upstream_connect_time|$bytes_sent|$bytes_received|'
                     '$upstream_bytes_sent|$upstream_bytes_received' ;
 
    upstream kube-apiserver {
        server 10.0.0.2:6443     max_fails=3 fail_timeout=30s;
        server 10.0.0.6:6443     max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
        access_log /var/log/nginx/proxy.log proxy;
    }
}
 
 
 
[root@k8s0-12 ~]# curl 127.0.0.1:7443
Client sent an HTTP request to an HTTPS server.
[root@k8s0-12 ~]# cat /var/log/nginx/proxy.log
17/Jul/2020:21:27:49 +0800|127.0.0.1|10.0.0.2:6443|TCP|200|0.001|0.000|76|78|78|76
17/Jul/2020:21:28:24 +0800|127.0.0.1|10.0.0.6:6443|TCP|200|0.001|0.000|76|78|78|76
17/Jul/2020:21:28:24 +0800|127.0.0.1|10.0.0.2:6443|TCP|200|0.001|0.000|76|78|78|76
 
 
 
keepalived配置
aipserver L4 代理涉及的服务器:k8s0-12 k8s0-15
[root@k8s0-12 ~]# cat /etc/keepalived/keepalived.conf
主节点中,必须加上 nopreempt
因为一旦因为网络抖动导致VIP漂移,不能让它自动飘回来,必须要分析原因后手动迁移VIP到主节点!如主节点确认正常后,重启备节点的keepalive,让VIP飘到主节点.
keepalived 的日志输出配置此处省略,生产中需要进行处理。
! Configuration File for keepalived
global_defs {
   router_id 10.0.0.12
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 10.0.0.12
    nopreempt
 
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
         chk_nginx
    }
    virtual_ipaddress {
        10.0.0.10
    }
}

备节点:
[root@k8s0-15 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id 10.0.0.15
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 251
    mcast_src_ip 10.0.0.15
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        10.0.0.10
    }
}
 
 
check脚本:
[root@k8s0-12 ~]# cat /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
#    script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
#    interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi
 
# chmod +x /etc/keepalived/check_port.sh
 
 
启动keepalived服务测试高可用
 
 
[root@k8s0-12 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 52:54:00:42:c0:b2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.12/16 brd 10.0.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.0.0.10/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe42:c0b2/64 scope link
       valid_lft forever preferred_lft forever

  1. controller-manager部署[2,6]
controller-manager 涉及的服务器:2,6
controller-manager 设置为只调用当前机器的 apiserver,走127.0.0.1网卡,因此不配制SSL证书
[root@k8s0-2 bin]# cat kube-controller-manager-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/kubernetes/server/bin/kube-controller-manager \
    --cluster-cidr 172.7.0.0/16 \
    --leader-elect true \
    --log-dir /data/logs/kubernetes/kube-controller-manager \
    --master http://127.0.0.1:8080 \
    --service-account-private-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/16 \
    --root-ca-file ./certs/ca.pem \
    --v 2
 
 
 
[root@k8s0-2 bin]# chmod +x kube-controller-manager-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager

[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-controller-manager.ini
[program:kube-controller-manager-0-2]
command=/opt/kubernetes/server/bin/kube-controller-manager-startup.sh                     ; the program (relative uses PATH, can take args)
numprocs=1                                                                        ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                              ; directory to cwd to before exec (def no cwd)
autostart=true                                                                    ; start at supervisord start (default: true)
autorestart=true                                                                  ; retstart at unexpected quit (default: true)
startsecs=30                                                                      ; number of secs prog must stay running (def. 1)
startretries=3                                                                    ; max # of serial start failures (default 3)
exitcodes=0,2                                                                     ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                                   ; signal used to kill process (default TERM)
stopwaitsecs=10                                                                   ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                                         ; setuid to this UNIX account to run the program
redirect_stderr=true                                                              ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log  ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                                      ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                          ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                                       ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                                       ; emit events on stdout writes (default false)
 
检查服务
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2                  RUNNING   pid 18400, uptime 3:01:05
kube-apiserver-0-2               RUNNING   pid 24694, uptime 2:12:45
kube-controller-manager-0-2      RUNNING   pid 8253, uptime 0:03:39

6.kube-scheduler部署[2,6]

创建启动脚本
[root@k8s0-2 bin]# cat kube-scheduler-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/kubernetes/server/bin/kube-scheduler \
    --leader-elect  \
    --log-dir /data/logs/kubernetes/kube-scheduler \
    --master http://127.0.0.1:8080 \
    --v 2
 
调整文件权限,创建目录
# chmod +x kube-scheduler-startup.sh
# mkdir -p /data/logs/kubernetes/kube-scheduler
 
 
创建supervisor配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-0-2]
command=/opt/kubernetes/server/bin/kube-scheduler-startup.sh                    
numprocs=1                                                              
directory=/opt/kubernetes/server/bin                                    
autostart=true                                                          
autorestart=true                                                        
startsecs=30                                                            
startretries=3                                                          
exitcodes=0,2                                                           
stopsignal=QUIT                                                         
stopwaitsecs=10                                                         
user=root                                                               
redirect_stderr=true                                                    
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log
stdout_logfile_maxbytes=64MB                                            
stdout_logfile_backups=4                                                
stdout_capture_maxbytes=1MB                                             
stdout_events_enabled=false
 
 
检查主控节点状态
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2                  RUNNING   pid 18400, uptime 3:07:44
kube-apiserver-0-2               RUNNING   pid 24694, uptime 2:19:24
kube-controller-manager-0-2      RUNNING   pid 8253, uptime 0:10:18
kube-scheduler-0-2               RUNNING   pid 9303, uptime 0:02:38
[root@k8s0-2 bin]# ln -s /opt/kubernetes/server/bin/kubectl /usr/local/bin/
[root@k8s0-2 bin]# kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-1               Healthy   {"health": "true"}  
etcd-0               Healthy   {"health": "true"}  
etcd-2               Healthy   {"health": "true"}

7.kubelet部署[2,6]

签发kubelet证书
[root@k8s0-8.host.com /opt/certs]# cat kubelet-csr.json
{
    "CN": "k8s-kubelet",
    "hosts": [
    "127.0.0.1",
    "10.0.0.10",
    "10.0.0.2",
    "10.0.0.6",
    "10.0.0.7",
    "10.0.0.9",
    "10.0.0.25",
    "10.0.0.26",
    "10.0.0.27",
    "10.0.0.28"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
 
 
#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json |cfssl-json -bare kubelet

[root@k8s0-8.host.com /opt/certs]# ls kubelet* -l
-rw-r--r-- 1 root root 1115 Jul 17 23:56 kubelet.csr
-rw-r--r-- 1 root root  448 Jul 17 23:55 kubelet-csr.json
-rw------- 1 root root 1679 Jul 17 23:56 kubelet-key.pem
-rw-r--r-- 1 root root 1460 Jul 17 23:56 kubelet.pem
 
拷贝证书至各运算节点
#scp kubelet.pem kubelet-key.pem k8s0-2:/opt/kubernetes/server/bin/certs/
#scp kubelet.pem kubelet-key.pem k8s0-6:/opt/kubernetes/server/bin/certs/
 
创建kubelet配置
1. set-cluster  # 创建需要连接的集群信息,可以创建多个k8s集群信息
[root@k8s0-2 conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.0.0.10:7443 \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Cluster "myk8s" set.
 
2. set-credentials  # 创建用户账号,即用户登陆使用的客户端私有和证书,可以创建多个证书
[root@k8s0-2 conf]# kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/certs/client.pem \
--client-key=/opt/kubernetes/server/bin/certs/client-key.pem \
--embed-certs=true \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
User "k8s-node" set.

3. set-context  # 设置context,即确定账号和集群对应关系
[root@k8s0-2 conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Context "myk8s-context" created.
 
 
4. use-context  # 设置当前使用哪个context
[root@k8s0-2 conf]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Switched to context "myk8s-context".
 
 
授权k8s-node用户
此步骤只需要在一台master节点执行
授权 k8s-node 用户绑定集群角色 system:node ,让 k8s-node 成为具备运算节点的权限
1.创建资源配置文件
~]# cat k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node
 
[root@k8s0-2 ~]# kubectl create -f k8s-node.yaml
clusterrolebinding.rbac.authorization.k8s.io/k8s-node created

[root@k8s0-2 ~]# kubectl get clusterrolebinding k8s-node
NAME       AGE
k8s-node   22s
 
 
[root@k8s0-2 conf]# kubectl get clusterrolebinding k8s-node -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-07-17T16:10:23Z"
  name: k8s-node
  resourceVersion: "4520"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k8s-node
  uid: 91623207-cb3b-4827-8934-c1c4b217d88a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node

下载pause镜像
将pause镜像放入到harbor私有仓库中,仅在 运维主机 操作
docker pull kubernetes/pause
[root@k8s0-8.host.com ~]# docker image tag kubernetes/pause:latest harbor.od.com/public/pause:latest
[root@k8s0-8.host.com ~]# docker login -u admin harbor.od.com
 
 
创建kubelet启动脚本
[root@k8s0-2 bin]# cat kubelet-startup.sh
#!/bin/sh
 
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/kubernetes/server/bin/kubelet \
    --anonymous-auth=false \
    --cgroup-driver systemd \
    --cluster-dns 192.168.0.2 \
    --cluster-domain cluster.local \
    --runtime-cgroups=/systemd/system.slice \
    --kubelet-cgroups=/systemd/system.slice \
    --fail-swap-on="false" \
    --client-ca-file ./certs/ca.pem \
    --tls-cert-file ./certs/kubelet.pem \
    --tls-private-key-file ./certs/kubelet-key.pem \
    --hostname-override k8s0-2.host.com \
    --image-gc-high-threshold 20 \
    --image-gc-low-threshold 10 \
    --kubeconfig ../../conf/kubelet.kubeconfig \
    --log-dir /data/logs/kubernetes/kube-kubelet \
    --pod-infra-container-image harbor.od.com/public/pause:latest \
    --root-dir /data/kubelet
 
 
[root@k8s0-2 bin]# chmod +x kubelet-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet
 
创建supervisor配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-0-2]
command=/opt/kubernetes/server/bin/kubelet-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
 
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2                  RUNNING   pid 18400, uptime 3:54:09
kube-apiserver-0-2               RUNNING   pid 24694, uptime 3:05:49
kube-controller-manager-0-2      RUNNING   pid 8253, uptime 0:56:43
kube-kubelet-0-2                 RUNNING   pid 15348, uptime 0:01:22
kube-scheduler-0-2               RUNNING   pid 9303, uptime 0:49:03
 
检查运算节点
[root@k8s0-2 ~]# kubectl get node
NAME              STATUS   ROLES    AGE     VERSION
k8s0-2.host.com   Ready    <none>   6m48s   v1.15.2
k8s0-6.host.com   Ready    <none>   7m6s    v1.15.2
 
打标签
~]# kubectl label node k8s0-2.host.com node-role.kubernetes.io/node=
~]# kubectl label node k8s0-2.host.com node-role.kubernetes.io/master=
~]# kubectl label node k8s0-6.host.com node-role.kubernetes.io/master=
~]# kubectl label node k8s0-6.host.com node-role.kubernetes.io/node=
 
 
[root@k8s0-2 ~]# kubectl get nodes
NAME              STATUS   ROLES         AGE   VERSION
k8s0-2.host.com   Ready    master,node   20m   v1.15.2
k8s0-6.host.com   Ready    master,node   21m   v1.15.2

8.kube-proxy部署[2,6]

功能:主要连接Pod网络和集群网络
签发kube-proxy证书
1.创建生成证书签名请求(csr)的JSON配置文件
[root@k8s0-8.host.com /opt/certs]# cat kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
 
 
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
 
 
 
[root@k8s0-8.host.com /opt/certs]# ls kube-proxy-c* -l
-rw-r--r-- 1 root root 1005 Jul 18 22:11 kube-proxy-client.csr
-rw------- 1 root root 1675 Jul 18 22:11 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1367 Jul 18 22:11 kube-proxy-client.pem
-rw-r--r-- 1 root root  267 Jul 18 22:11 kube-proxy-csr.json
 
 
下发证书
# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s0-2.host.com:/opt/kubernetes/server/bin/certs/
# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s0-6.host.com:/opt/kubernetes/server/bin/certs/
 
 
创建kube-proxy配置
注意:在conf目录下
 
1.set-cluster
~]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.0.0.10:7443 \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
   
2.set-credentials 
~]# kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/certs/kube-proxy-client.pem \
--client-key=/opt/kubernetes/server/bin/certs/kube-proxy-client-key.pem \
--embed-certs=true \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
 
3.set-context 
~]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
   
4.use-context 
~]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
 
 
拷贝至6
# scp -rp kube-proxy.kubeconfig k8s0-6:/opt/kubernetes/conf/
 
 加载ipvs模块[2,6]
# for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1 && /sbin/modprobe $i;done
 
创建启动脚本
1.创建kube-proxy启动脚本
/opt/kubernetes/server/bin/kube-proxy-startup.sh
#!/bin/sh
 
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/kubernetes/server/bin/kube-proxy \
  --cluster-cidr 172.7.0.0/16 \
  --hostname-override k8s0-2.host.com \
  --proxy-mode=ipvs \
  --ipvs-scheduler=nq \
  --kubeconfig ../../conf/kube-proxy.kubeconfig

[root@k8s0-2 bin]# chmod +x kube-proxy-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-proxy
 
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-0-2]
command=/opt/kubernetes/server/bin/kube-proxy-startup.sh               
numprocs=1                                                     
directory=/opt/kubernetes/server/bin                           
autostart=true                                                 
autorestart=true                                               
startsecs=30                                                   
startretries=3                                                 
exitcodes=0,2                                                  
stopsignal=QUIT                                                
stopwaitsecs=10                                                
user=root                                                      
redirect_stderr=true                                           
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log
stdout_logfile_maxbytes=64MB                                   
stdout_logfile_backups=5                                      
stdout_capture_maxbytes=1MB                                    
stdout_events_enabled=false
 
#yum install ipvsadm -y
[root@k8s0-2 bin]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.0.1:443 nq
  -> 10.0.0.2:6443                Masq    1      0          0        
  -> 10.0.0.6:6443                Masq    1      0          0        
 
#验证kubernetes集群
在任意一个运算节点,创建一个资源配置清单
[root@k8s0-2 ~]# cat nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ds
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  template:
    metadata:
      labels:
        app: nginx-ds
    spec:
      containers:
      - name: my-nginx
        image: harbor.od.com/public/nginx:v1.7.9
        ports:
        - containerPort: 80

kubectl create -f nginx-ds.yaml
 
[root@k8s0-2 ~]# kubectl get pod -o wide
NAME             READY   STATUS    RESTARTS   AGE   IP          NODE              NOMINATED NODE   READINESS GATES
nginx-ds-6lx2z   1/1     Running   0          13s   172.7.6.2   k8s0-6.host.com   <none>           <none>
nginx-ds-lc9dn   1/1     Running   0          13s   172.7.2.2   k8s0-2.host.com   <none>           <none>
 
[root@k8s0-2 ~]# curl -I 172.7.2.2
HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Sun, 19 Jul 2020 03:29:45 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 09 Apr 2018 16:01:09 GMT
Connection: keep-alive
ETag: "5acb8e45-264"
Accept-Ranges: bytes
 
[root@k8s0-2 ~]# curl -I 172.7.6.2    # 缺少网络插件,无法跨节点通信

9.flannel部署[2,6]

CNI网络插件
kubernetes设计了网络模型,但是pod之间通信的具体实现交给了CNI往插件。常用的CNI网络插件有:Flannel 、Calico、Canal、Contiv等,其中Flannel和Calico占比接近80%,Flannel占比略多于Calico。本次部署使用Flannel作为网络插件
 
[root@k8s0-2 opt]# mkdir -p /opt/flannel-v0.11.0
[root@k8s0-2 opt]# tar xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/flannel-v0.11.0/
[root@k8s0-2 opt]# ln -s /opt/flannel-v0.11.0/  /opt/flannel
 
拷贝证书[8]
scp ca.pem client-key.pem client.pem k8s0-2:/opt/flannel/certs/
 
# cat subnet.env
FLANNEL_NETWORK=172.7.0.0/16
FLANNEL_SUBNET=172.7.2.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false
 
# public-ip 为本机IP,iface 为当前宿主机对外网卡
[root@k8s0-2 flannel]# cat flannel-startup.sh
#!/bin/sh
 
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
 
/opt/flannel/flanneld \
    --public-ip=10.0.0.2 \
    --etcd-endpoints=https://10.0.0.15:2379,https://10.0.0.2:2379,https://10.0.0.6:2379 \
    --etcd-keyfile=./certs/client-key.pem \
    --etcd-certfile=./certs/client.pem \
    --etcd-cafile=./certs/ca.pem \
    --iface=eth0 \
    --subnet-file=./subnet.env \
    --healthz-port=2401

#chmod +x flannel-startup.sh
#mkdir -p /data/logs/flanneld
 
[root@k8s0-2 opt]# /opt/etcd/etcdctl set /coreos.com/network/config '{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}'
{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}
 
# cat /etc/supervisord.d/flannel.ini
[program:flanneld-0-2]
command=/opt/flannel/flanneld-startup.sh                 ; the program (relative uses PATH, can take args)
numprocs=1                                                   ; number of processes copies to start (def 1)
directory=/opt/flannel                                  ; directory to cwd to before exec (def no cwd)
autostart=true                                               ; start at supervisord start (default: true)
autorestart=true                                             ; retstart at unexpected quit (default: true)
startsecs=30                                                 ; number of secs prog must stay running (def. 1)
startretries=3                                               ; max # of serial start failures (default 3)
exitcodes=0,2                                                ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                              ; signal used to kill process (default TERM)
stopwaitsecs=10                                              ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                    ; setuid to this UNIX account to run the program
redirect_stderr=true                                         ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log       ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                 ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5                                     ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                  ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                  ; emit events on stdout writes (default false)
举报

相关推荐

0 条评论