2.k8s基础环境部署
2.1 准备工作
[1-2云主机可忽略]
1.yum源准备
# curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
# sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
# yum makecache
2.关墙
# systemctl stop firewalld
# systemctl disable firewalld
# sed -ir '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config
# getenforce
Disabled
3.安装Ops必备包
# yum install tree nmap dos2unix lrzsz nc lsof psmisc net-tools bash-completion bash-completion-extras vim-enhanced \
wget tcpdump unzip htop iftop iotop sysstat nethogs telnet nmap sysstat lrzsz dos2unix bind-utils vim less -y
2.2 DNS服务安装
#主机域host.com 业务域od.com
#主辅同步(10.0.0.12主、10.0.0.15辅)
#客户端配置指向自建DNS
#安装Bind服务
-----------------------------------------------------------------------------------------------
> k8s0-12安装bind
~]# yum install bind -y
/etc/named.conf # 确保以下配置正确
listen-on port 53 { 10.0.0.12; };
directory "/var/named";
allow-query { any; };
forwarders { 10.0.0.254; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
#配置区域文件
# 增加两个zone配置,od.com为业务域,host.com.zone为主机域
/etc/named.rfc1912.zones
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.0.0.12; };
};
zone "od.com" IN {
type master;
file "od.com.zone";
allow-update { 10.0.0.12; };
};
#配置主机域文件
~]# cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2020070801 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.0.0.12
k8s0-12 A 10.0.0.12
k8s0-15 A 10.0.0.15
k8s0-2 A 10.0.0.2
k8s0-6 A 10.0.0.6
k8s0-8 A 10.0.0.8
#业务域文件
# /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020070801 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.0.0.12
#启动bind服务,并测试
~]# named-checkconf # 检查配置文件
~]# systemctl start named && systemctl enable named.service
~]# netstat -lntup |grep 53
tcp 0 0 10.4.7.11:53 0.0.0.0:* LISTEN 24139/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 24139/named
tcp6 0 0 ::1:53 :::* LISTEN 24139/named
tcp6 0 0 ::1:953 :::* LISTEN 24139/named
udp 0 0 10.4.7.11:53 0.0.0.0:* 24139/named
udp6 0 0 ::1:53 :::* 24139/named
~]# dig -t A k8s0-2.host.com @10.0.0.12 +short
10.0.0.2
修改所有主机的dns服务器地址指向10.0.0.12
同时修改win server本地dns指向k8s0-12.host.com 测试是否正常通信
2.3 准备证书签发环境
安装CFSSL
1.k8s0-8 下载工具
curl -s -L -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /usr/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /usr/bin/cfssl*
签发根证书
~]# mkdir /opt/certs/ && cd /opt/certs/
# 根证书配置:
# CN 一般写域名,浏览器会校验
# names 为地区和公司信息
# expiry 为过期时间
/opt/certs/ca-csr.json
{
"CN": "Datacloak",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
查看签发的证书,生成ca.pem、ca.csr、ca-key.pem(CA私钥,需妥善保管)
certs]# ls -l ca*
-rw-r--r-- 1 root root 985 Jun 22 16:17 ca.csr
-rw-r--r-- 1 root root 322 Jun 22 16:14 ca-csr.json
-rw------- 1 root root 1675 Jun 22 16:17 ca-key.pem
-rw-r--r-- 1 root root 1330 Jun 22 16:17 ca.pem
2.3 Docker环境[2,6,8]
~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
~]# yum install -y docker-ce
~]# mkdir /etc/docker/
# 不安全的registry中增加了harbor地址
# 各个机器上bip网段不一致,bip中间两段与宿主机最后两段相同,目的是方便定位问题
/etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"registry-mirrors": ["https://registry.docker-cn.com"],
"bip": "172.7.2.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
~]# mkdir /data/docker
~]# systemctl start docker && systemctl enable docker
2.4 Harbor私有仓库部署[8]
# 目录说明:
# /opt/src : 源码、文件下载目录
# /opt : 各个版本软件存放位置
# /opt/apps : 各个软件当前版本的软链接
1.下载软件二进制包并解压
# wget https://github.com/goharbor/harbor/releases/download/v1.10.4/harbor-offline-installer-v1.10.4.tgz
[root@k8s0-8.host.com /opt/src]# tar xf harbor-offline-installer-v1.10.4.tgz -C /opt/
# ln -s /opt/harbor-v1.10.4 /opt/harbor
vim /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
port: 180
data_volume: /data/harbor
location: /data/harbor/logs
]# yum install -y docker-compose
[root@k8s0-8.host.com /opt/harbor]# pwd
/opt/harbor
[root@k8s0-8.host.com /opt/harbor]# ./install.sh
。。。。。。。。
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://harbor.od.com.
For more details, please visit https://github.com/goharbor/harbor .
检查harbor启动情况
harbor]# docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------
harbor-core /harbor/harbor_core Up
harbor-db /docker-entrypoint.sh Up 5432/tcp
harbor-jobservice /harbor/harbor_jobservice ... Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 8080/tcp
nginx nginx -g daemon off; Up 0.0.0.0:180->8080/tcp
redis redis-server /etc/redis.conf Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
2.配置harbor开机启动
编辑/etc/rc.d/rc.local
# start harbor
cd /opt/apps/harbor
/usr/bin/docker-compose stop
/usr/bin/docker-compose start
2.5 Nginx配置反代
1.安装配置Nginx反向代理harbor [8]
yum install nginx -y
/etc/nginx/conf.d/harbor.conf
server {
listen 80;
server_name harbor.od.com;
# 避免出现上传失败的情况
client_max_body_size 1000m;
location / {
proxy_pass http://127.0.0.1:180;
}
}
2.k8s0-12 配置DNS解析
~]# cat /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
2020070801 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.od.com.
$TTL 60 ; 1 minute
dns A 10.0.0.12
harbor A 10.0.0.8
~]# systemctl restart named.service
[root@k8s0-12 ~]# host harbor.od.com
harbor.od.com has address 10.0.0.8
自行测试Harbor仓库 push pull
呼啦呼啦。。。。。。。。。
3.ETCD集群部署[2,6,15]
1.签发ETCD证书 [8]
• server 表示服务端连接客户端时携带的证书,用于客户端验证服务端身份
• client 表示客户端连接服务端时携带的证书,用于服务端验证客户端身份
• peer 表示相互之间连接时使用的证书,如etcd节点之间验证
创建ca的json配置: /opt/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
创建etcd证书配置:/opt/certs/etcd-peer-csr.json
[root@k8s0-8.host.com /opt/certs]# cat etcd-peer-csr.json
{
"CN": "k8s-etcd",
"hosts": [
"10.0.0.12",
"10.0.0.15",
"10.0.0.2",
"10.0.0.6"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
签发证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
/opt/certs]# ll etcd-peer*
-rw-r--r-- 1 root root 1062 Jul 8 22:22 etcd-peer.csr
-rw-r--r-- 1 root root 361 Jul 8 22:20 etcd-peer-csr.json
-rw------- 1 root root 1679 Jul 8 22:22 etcd-peer-key.pem
-rw-r--r-- 1 root root 1419 Jul 8 22:22 etcd-peer.pem
安装etcd[演示一台15,其他照搬]
~]# useradd -s /sbin/nologin -M etcd
tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
mv etcd-v3.1.20-linux-amd64 etcd-v3.1.20
ln -s /opt/etcd-v3.1.20 /opt/etcd
mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server
下发证书到3个节点
for i in 15 2 6;do scp ca.pem etcd-peer.pem etcd-peer-key.pem k8s0-${i}:/opt/etcd/certs/ ;done
创建启动脚本(部分参数每台机器不同)
[root@k8s0-15 ~]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
# listen-peer-urls etcd节点之间通信端口
# listen-client-urls 客户端与etcd通信端口
# quota-backend-bytes 配额大小
# 需要修改的参数:name,listen-peer-urls,listen-client-urls,initial-advertise-peer-urls
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/etcd/etcd --name etcd-server-0-15 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.0.0.15:2380 \
--listen-client-urls https://10.0.0.15:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.0.0.15:2380 \
--advertise-client-urls https://10.0.0.15:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-0-15=https://10.0.0.15:2380,etcd-server-0-2=https://10.0.0.2:2380,etcd-server-0-6=https://10.0.0.6:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
#chmod u+x /opt/etcd/etcd-server-startup.sh
#chown -R etcd.etcd /opt/etcd/ /data/etcd/ /data/logs/etcd-server/
启动etcd
因为这些进程都是要启动为后台进程,要么手动启动,要么采用后台进程管理工具,实验中使用后台管理工具
[root@k8s0-15 ~]# yum install supervisor -y
~]# systemctl start supervisord && systemctl enable supervisord
cat /etc/supervisord.d/etcd-server.ini
[program:etcd-server-0-15]
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@k8s0-15 etcd-server]# supervisorctl status
etcd-server-0-15 RUNNING pid 18099, uptime 0:02:13
[root@k8s0-15 etcd-server]# netstat -lntup|grep etcd
tcp 0 0 10.0.0.15:2379 0.0.0.0:* LISTEN 18103/etcd
tcp 0 0 127.0.0.1:2379 0.0.0.0:* LISTEN 18103/etcd
tcp 0 0 10.0.0.15:2380 0.0.0.0:* LISTEN 18103/etcd
验证集群
[root@k8s0-15 etcd]# /opt/etcd/etcdctl member list
fde9dd315b6d0b2: name=etcd-server-0-2 peerURLs=https://10.0.0.2:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.2:2379 isLeader=false
40e0ff5ee27c98d0: name=etcd-server-0-6 peerURLs=https://10.0.0.6:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.6:2379 isLeader=false
a484cc703f2837a4: name=etcd-server-0-15 peerURLs=https://10.0.0.15:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.15:2379 isLeader=true
健康状态:
[root@k8s0-15 etcd]# /opt/etcd/etcdctl cluster-health
member fde9dd315b6d0b2 is healthy: got healthy result from http://127.0.0.1:2379
member 40e0ff5ee27c98d0 is healthy: got healthy result from http://127.0.0.1:2379
member a484cc703f2837a4 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
4.kube-apiserver集群部署[2,6]
这里10.0.0.12和10.0.0.15使用nginx做4层负载均衡器,用keepalived跑一个vip:10.0.0.10,代理两个kube-apiserver,实现高可用
[root@k8s0-2 ~]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@k8s0-2 opt]# mv kubernetes /opt/kubernetes-v1.15.2
[root@k8s0-2 opt]# ln -s /opt/kubernetes-v1.15.2 /opt/kubernetes
# rm -f kubernetes-src.tar.gz
bin]# rm -f *.tar *_tag
[root@k8s0-2 bin]# ll
total 884636
-rwxr-xr-x 1 root root 43534816 Aug 5 2019 apiextensions-apiserver
-rwxr-xr-x 1 root root 100548640 Aug 5 2019 cloud-controller-manager
-rwxr-xr-x 1 root root 200648416 Aug 5 2019 hyperkube
-rwxr-xr-x 1 root root 40182208 Aug 5 2019 kubeadm
-rwxr-xr-x 1 root root 164501920 Aug 5 2019 kube-apiserver
-rwxr-xr-x 1 root root 116397088 Aug 5 2019 kube-controller-manager
-rwxr-xr-x 1 root root 42985504 Aug 5 2019 kubectl
-rwxr-xr-x 1 root root 119616640 Aug 5 2019 kubelet
-rwxr-xr-x 1 root root 36987488 Aug 5 2019 kube-proxy
-rwxr-xr-x 1 root root 38786144 Aug 5 2019 kube-scheduler
-rwxr-xr-x 1 root root 1648224 Aug 5 2019 mounter
签发client证书[运维主机 8
[root@k8s0-8.host.com /opt/certs]# cat /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
# ls client* -l
-rw-r--r-- 1 root root 993 Jul 17 20:48 client.csr
-rw-r--r-- 1 root root 280 Jul 17 20:47 client-csr.json
-rw------- 1 root root 1675 Jul 17 20:48 client-key.pem
-rw-r--r-- 1 root root 1354 Jul 17 20:48 client.pem
签发kube-apiserver证书
1.签发server证书(apiserver和其它k8s组件通信使用)
# hosts中将所有可能作为apiserver的ip添加进去,VIP也要加入
创建生成证书签名请求(csr)的JSON配置文件
[root@k8s0-8.host.com /opt/certs]# cat apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"10.0.0.10",
"10.0.0.2",
"10.0.0.6",
"10.0.0.7"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
[root@k8s0-8.host.com /opt/certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
[root@k8s0-8.host.com /opt/certs]# ls apiserver* -l
-rw-r--r-- 1 root root 1249 Jul 17 20:52 apiserver.csr
-rw-r--r-- 1 root root 563 Jul 17 20:51 apiserver-csr.json
-rw------- 1 root root 1679 Jul 17 20:52 apiserver-key.pem
-rw-r--r-- 1 root root 1590 Jul 17 20:52 apiserver.pem
下发证书
#for i in 2 6;do echo k8s0-$i;ssh k8s0-$i "mkdir /opt/kubernetes/server/bin/certs";scp apiserver-key.pem apiserver.pem ca-key.pem ca.pem client-key.pem client.pem k8s0-$i:/opt/kubernetes/server/bin/certs/;done
配置apiserver日志审计
# mkdir /opt/kubernetes/conf
# cat /opt/kubernetes/conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
[root@k8s0-2 ~]# cat /opt/kubernetes/server/bin/kube-apiserver-startup.sh
#!/bin/bash
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ../../conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./certs/ca.pem \
--requestheader-client-ca-file ./certs/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./certs/ca.pem \
--etcd-certfile ./certs/client.pem \
--etcd-keyfile ./certs/client-key.pem \
--etcd-servers https://10.0.0.15:2379,https://10.0.0.2:2379,https://10.0.0.6:2379 \
--service-account-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./certs/client.pem \
--kubelet-client-key ./certs/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./certs/apiserver.pem \
--tls-private-key-file ./certs/apiserver-key.pem \
--v 2
[root@k8s0-2 bin]# chmod u+x kube-apiserver-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver
创建supervisor启动配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-0-2]
command=/opt/kubernetes/server/bin/kube-apiserver-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@k8s0-2 certs]# supervisorctl status
etcd-server-0-2 RUNNING pid 18400, uptime 0:49:11
kube-apiserver-0-2 RUNNING pid 24694, uptime 0:00:51
[root@k8s0-2 certs]# netstat -lntp|grep api
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 24698/kube-apiserve
tcp6 0 0 :::6443 :::* LISTEN 24698/kube-apiserve
配置apiserver L4代理
L4 代理涉及的服务器:k8s0-12 k8s0-15
[root@k8s0-12 ~]# yum install nginx -y
# 末尾加上以下内容,stream 只能加在 main 中
# 此处只是简单配置下nginx,实际生产中,建议进行更合理的配置
stream {
log_format proxy '$time_local|$remote_addr|$upstream_addr|$protocol|$status|'
'$session_time|$upstream_connect_time|$bytes_sent|$bytes_received|'
'$upstream_bytes_sent|$upstream_bytes_received' ;
upstream kube-apiserver {
server 10.0.0.2:6443 max_fails=3 fail_timeout=30s;
server 10.0.0.6:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
access_log /var/log/nginx/proxy.log proxy;
}
}
[root@k8s0-12 ~]# curl 127.0.0.1:7443
Client sent an HTTP request to an HTTPS server.
[root@k8s0-12 ~]# cat /var/log/nginx/proxy.log
17/Jul/2020:21:27:49 +0800|127.0.0.1|10.0.0.2:6443|TCP|200|0.001|0.000|76|78|78|76
17/Jul/2020:21:28:24 +0800|127.0.0.1|10.0.0.6:6443|TCP|200|0.001|0.000|76|78|78|76
17/Jul/2020:21:28:24 +0800|127.0.0.1|10.0.0.2:6443|TCP|200|0.001|0.000|76|78|78|76
keepalived配置
aipserver L4 代理涉及的服务器:k8s0-12 k8s0-15
[root@k8s0-12 ~]# cat /etc/keepalived/keepalived.conf
主节点中,必须加上 nopreempt
因为一旦因为网络抖动导致VIP漂移,不能让它自动飘回来,必须要分析原因后手动迁移VIP到主节点!如主节点确认正常后,重启备节点的keepalive,让VIP飘到主节点.
keepalived 的日志输出配置此处省略,生产中需要进行处理。
! Configuration File for keepalived
global_defs {
router_id 10.0.0.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.0.0.12
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.0.0.10
}
}
备节点:
[root@k8s0-15 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.0.0.15
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 251
mcast_src_ip 10.0.0.15
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.0.0.10
}
}
check脚本:
[root@k8s0-12 ~]# cat /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
# script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
# interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
# chmod +x /etc/keepalived/check_port.sh
启动keepalived服务测试高可用
[root@k8s0-12 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 52:54:00:42:c0:b2 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.12/16 brd 10.0.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.0.0.10/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe42:c0b2/64 scope link
valid_lft forever preferred_lft forever
- controller-manager部署[2,6]
controller-manager 涉及的服务器:2,6
controller-manager 设置为只调用当前机器的 apiserver,走127.0.0.1网卡,因此不配制SSL证书
[root@k8s0-2 bin]# cat kube-controller-manager-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kube-controller-manager \
--cluster-cidr 172.7.0.0/16 \
--leader-elect true \
--log-dir /data/logs/kubernetes/kube-controller-manager \
--master http://127.0.0.1:8080 \
--service-account-private-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--root-ca-file ./certs/ca.pem \
--v 2
[root@k8s0-2 bin]# chmod +x kube-controller-manager-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-controller-manager.ini
[program:kube-controller-manager-0-2]
command=/opt/kubernetes/server/bin/kube-controller-manager-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
检查服务
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2 RUNNING pid 18400, uptime 3:01:05
kube-apiserver-0-2 RUNNING pid 24694, uptime 2:12:45
kube-controller-manager-0-2 RUNNING pid 8253, uptime 0:03:39
6.kube-scheduler部署[2,6]
创建启动脚本
[root@k8s0-2 bin]# cat kube-scheduler-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kube-scheduler \
--leader-elect \
--log-dir /data/logs/kubernetes/kube-scheduler \
--master http://127.0.0.1:8080 \
--v 2
调整文件权限,创建目录
# chmod +x kube-scheduler-startup.sh
# mkdir -p /data/logs/kubernetes/kube-scheduler
创建supervisor配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-0-2]
command=/opt/kubernetes/server/bin/kube-scheduler-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
检查主控节点状态
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2 RUNNING pid 18400, uptime 3:07:44
kube-apiserver-0-2 RUNNING pid 24694, uptime 2:19:24
kube-controller-manager-0-2 RUNNING pid 8253, uptime 0:10:18
kube-scheduler-0-2 RUNNING pid 9303, uptime 0:02:38
[root@k8s0-2 bin]# ln -s /opt/kubernetes/server/bin/kubectl /usr/local/bin/
[root@k8s0-2 bin]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-1 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
7.kubelet部署[2,6]
签发kubelet证书
[root@k8s0-8.host.com /opt/certs]# cat kubelet-csr.json
{
"CN": "k8s-kubelet",
"hosts": [
"127.0.0.1",
"10.0.0.10",
"10.0.0.2",
"10.0.0.6",
"10.0.0.7",
"10.0.0.9",
"10.0.0.25",
"10.0.0.26",
"10.0.0.27",
"10.0.0.28"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json |cfssl-json -bare kubelet
[root@k8s0-8.host.com /opt/certs]# ls kubelet* -l
-rw-r--r-- 1 root root 1115 Jul 17 23:56 kubelet.csr
-rw-r--r-- 1 root root 448 Jul 17 23:55 kubelet-csr.json
-rw------- 1 root root 1679 Jul 17 23:56 kubelet-key.pem
-rw-r--r-- 1 root root 1460 Jul 17 23:56 kubelet.pem
拷贝证书至各运算节点
#scp kubelet.pem kubelet-key.pem k8s0-2:/opt/kubernetes/server/bin/certs/
#scp kubelet.pem kubelet-key.pem k8s0-6:/opt/kubernetes/server/bin/certs/
创建kubelet配置
1. set-cluster # 创建需要连接的集群信息,可以创建多个k8s集群信息
[root@k8s0-2 conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.0.0.10:7443 \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Cluster "myk8s" set.
2. set-credentials # 创建用户账号,即用户登陆使用的客户端私有和证书,可以创建多个证书
[root@k8s0-2 conf]# kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/certs/client.pem \
--client-key=/opt/kubernetes/server/bin/certs/client-key.pem \
--embed-certs=true \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
User "k8s-node" set.
3. set-context # 设置context,即确定账号和集群对应关系
[root@k8s0-2 conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Context "myk8s-context" created.
4. use-context # 设置当前使用哪个context
[root@k8s0-2 conf]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kubelet.kubeconfig
Switched to context "myk8s-context".
授权k8s-node用户
此步骤只需要在一台master节点执行
授权 k8s-node 用户绑定集群角色 system:node ,让 k8s-node 成为具备运算节点的权限
1.创建资源配置文件
~]# cat k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k8s-node
[root@k8s0-2 ~]# kubectl create -f k8s-node.yaml
clusterrolebinding.rbac.authorization.k8s.io/k8s-node created
[root@k8s0-2 ~]# kubectl get clusterrolebinding k8s-node
NAME AGE
k8s-node 22s
[root@k8s0-2 conf]# kubectl get clusterrolebinding k8s-node -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
creationTimestamp: "2020-07-17T16:10:23Z"
name: k8s-node
resourceVersion: "4520"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/k8s-node
uid: 91623207-cb3b-4827-8934-c1c4b217d88a
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k8s-node
下载pause镜像
将pause镜像放入到harbor私有仓库中,仅在 运维主机 操作
docker pull kubernetes/pause
[root@k8s0-8.host.com ~]# docker image tag kubernetes/pause:latest harbor.od.com/public/pause:latest
[root@k8s0-8.host.com ~]# docker login -u admin harbor.od.com
创建kubelet启动脚本
[root@k8s0-2 bin]# cat kubelet-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kubelet \
--anonymous-auth=false \
--cgroup-driver systemd \
--cluster-dns 192.168.0.2 \
--cluster-domain cluster.local \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--fail-swap-on="false" \
--client-ca-file ./certs/ca.pem \
--tls-cert-file ./certs/kubelet.pem \
--tls-private-key-file ./certs/kubelet-key.pem \
--hostname-override k8s0-2.host.com \
--image-gc-high-threshold 20 \
--image-gc-low-threshold 10 \
--kubeconfig ../../conf/kubelet.kubeconfig \
--log-dir /data/logs/kubernetes/kube-kubelet \
--pod-infra-container-image harbor.od.com/public/pause:latest \
--root-dir /data/kubelet
[root@k8s0-2 bin]# chmod +x kubelet-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet
创建supervisor配置
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-0-2]
command=/opt/kubernetes/server/bin/kubelet-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@k8s0-2 bin]# supervisorctl status
etcd-server-0-2 RUNNING pid 18400, uptime 3:54:09
kube-apiserver-0-2 RUNNING pid 24694, uptime 3:05:49
kube-controller-manager-0-2 RUNNING pid 8253, uptime 0:56:43
kube-kubelet-0-2 RUNNING pid 15348, uptime 0:01:22
kube-scheduler-0-2 RUNNING pid 9303, uptime 0:49:03
检查运算节点
[root@k8s0-2 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s0-2.host.com Ready <none> 6m48s v1.15.2
k8s0-6.host.com Ready <none> 7m6s v1.15.2
打标签
~]# kubectl label node k8s0-2.host.com node-role.kubernetes.io/node=
~]# kubectl label node k8s0-2.host.com node-role.kubernetes.io/master=
~]# kubectl label node k8s0-6.host.com node-role.kubernetes.io/master=
~]# kubectl label node k8s0-6.host.com node-role.kubernetes.io/node=
[root@k8s0-2 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s0-2.host.com Ready master,node 20m v1.15.2
k8s0-6.host.com Ready master,node 21m v1.15.2
8.kube-proxy部署[2,6]
功能:主要连接Pod网络和集群网络
签发kube-proxy证书
1.创建生成证书签名请求(csr)的JSON配置文件
[root@k8s0-8.host.com /opt/certs]# cat kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
[root@k8s0-8.host.com /opt/certs]# ls kube-proxy-c* -l
-rw-r--r-- 1 root root 1005 Jul 18 22:11 kube-proxy-client.csr
-rw------- 1 root root 1675 Jul 18 22:11 kube-proxy-client-key.pem
-rw-r--r-- 1 root root 1367 Jul 18 22:11 kube-proxy-client.pem
-rw-r--r-- 1 root root 267 Jul 18 22:11 kube-proxy-csr.json
下发证书
# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s0-2.host.com:/opt/kubernetes/server/bin/certs/
# scp kube-proxy-client-key.pem kube-proxy-client.pem k8s0-6.host.com:/opt/kubernetes/server/bin/certs/
创建kube-proxy配置
注意:在conf目录下
1.set-cluster
~]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.0.0.10:7443 \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
2.set-credentials
~]# kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/certs/kube-proxy-client.pem \
--client-key=/opt/kubernetes/server/bin/certs/kube-proxy-client-key.pem \
--embed-certs=true \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
3.set-context
~]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
4.use-context
~]# kubectl config use-context myk8s-context --kubeconfig=/opt/kubernetes/conf/kube-proxy.kubeconfig
拷贝至6
# scp -rp kube-proxy.kubeconfig k8s0-6:/opt/kubernetes/conf/
加载ipvs模块[2,6]
# for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1 && /sbin/modprobe $i;done
创建启动脚本
1.创建kube-proxy启动脚本
/opt/kubernetes/server/bin/kube-proxy-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/kubernetes/server/bin/kube-proxy \
--cluster-cidr 172.7.0.0/16 \
--hostname-override k8s0-2.host.com \
--proxy-mode=ipvs \
--ipvs-scheduler=nq \
--kubeconfig ../../conf/kube-proxy.kubeconfig
[root@k8s0-2 bin]# chmod +x kube-proxy-startup.sh
[root@k8s0-2 bin]# mkdir -p /data/logs/kubernetes/kube-proxy
[root@k8s0-2 bin]# cat /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-0-2]
command=/opt/kubernetes/server/bin/kube-proxy-startup.sh
numprocs=1
directory=/opt/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
#yum install ipvsadm -y
[root@k8s0-2 bin]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.1:443 nq
-> 10.0.0.2:6443 Masq 1 0 0
-> 10.0.0.6:6443 Masq 1 0 0
#验证kubernetes集群
在任意一个运算节点,创建一个资源配置清单
[root@k8s0-2 ~]# cat nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ds
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
template:
metadata:
labels:
app: nginx-ds
spec:
containers:
- name: my-nginx
image: harbor.od.com/public/nginx:v1.7.9
ports:
- containerPort: 80
kubectl create -f nginx-ds.yaml
[root@k8s0-2 ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-ds-6lx2z 1/1 Running 0 13s 172.7.6.2 k8s0-6.host.com <none> <none>
nginx-ds-lc9dn 1/1 Running 0 13s 172.7.2.2 k8s0-2.host.com <none> <none>
[root@k8s0-2 ~]# curl -I 172.7.2.2
HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Sun, 19 Jul 2020 03:29:45 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Mon, 09 Apr 2018 16:01:09 GMT
Connection: keep-alive
ETag: "5acb8e45-264"
Accept-Ranges: bytes
[root@k8s0-2 ~]# curl -I 172.7.6.2 # 缺少网络插件,无法跨节点通信
9.flannel部署[2,6]
CNI网络插件
kubernetes设计了网络模型,但是pod之间通信的具体实现交给了CNI往插件。常用的CNI网络插件有:Flannel 、Calico、Canal、Contiv等,其中Flannel和Calico占比接近80%,Flannel占比略多于Calico。本次部署使用Flannel作为网络插件
[root@k8s0-2 opt]# mkdir -p /opt/flannel-v0.11.0
[root@k8s0-2 opt]# tar xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/flannel-v0.11.0/
[root@k8s0-2 opt]# ln -s /opt/flannel-v0.11.0/ /opt/flannel
拷贝证书[8]
scp ca.pem client-key.pem client.pem k8s0-2:/opt/flannel/certs/
# cat subnet.env
FLANNEL_NETWORK=172.7.0.0/16
FLANNEL_SUBNET=172.7.2.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false
# public-ip 为本机IP,iface 为当前宿主机对外网卡
[root@k8s0-2 flannel]# cat flannel-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/flannel/flanneld \
--public-ip=10.0.0.2 \
--etcd-endpoints=https://10.0.0.15:2379,https://10.0.0.2:2379,https://10.0.0.6:2379 \
--etcd-keyfile=./certs/client-key.pem \
--etcd-certfile=./certs/client.pem \
--etcd-cafile=./certs/ca.pem \
--iface=eth0 \
--subnet-file=./subnet.env \
--healthz-port=2401
#chmod +x flannel-startup.sh
#mkdir -p /data/logs/flanneld
[root@k8s0-2 opt]# /opt/etcd/etcdctl set /coreos.com/network/config '{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}'
{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}
# cat /etc/supervisord.d/flannel.ini
[program:flanneld-0-2]
command=/opt/flannel/flanneld-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/flannel ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)