CentOS 7二进制安装Kubernetes 1.10.5集群
一、集群规划 集群节点为1主2从,如下表如示: master:master:master(192.168.8.201)组件版本路径etcd3.3.8/usr/binflannel0.10.0/opt/flannel/bincni0.7.1/opt/cni/binkubernetes...
一、集群规划
集群节点为1主2从,如下表如示:
master:
master:master(192.168.8.201) | ||
组件 | 版本 | 路径 |
etcd | 3.3.8 | /usr/bin |
flannel | 0.10.0 | /opt/flannel/bin |
cni | 0.7.1 | /opt/cni/bin |
kubernetes | 1.10.5 | /usr/bin kube-apiserver、 kube-controller-manager、 kube-scheduler |
node:
node:slave-i(192.168.8.211),slave-ii(192.168.8.221) | ||
组件 | 版本 | 路径 |
etcd | 3.3.8 | /usr/bin |
docker | 18.03.1-ce | /usr/bin |
flannel | 0.10.0 | /opt/flannel/bin |
cni | 0.7.1 | /opt/cni/bin |
kubernetes | 1.10.5 | /usr/bin kubelet、 kube-proxy |
二、安装包下载
etcd:下载地址:https://github.com/coreos/etcd/releases/,下载3.3.8版本;
flannel:下载地址:https://github.com/coreos/flannel/releases/,下载v0.10.0版本;
cni:下载地址:https://github.com/containernetworking/plugins/releases,下载v0.7.1版本;
kubernetes:下载地地址:https://github.com/kubernetes/kubernetes/releases,下载1.10.5版本;
docker直接使用aliyun镜像安装,因此不用下载单独下载安装包。
三、服务器设置
1、主机名修改
将主节点主机名修改为master,两从机主机名修改为slave-i和slave-ii。分别在master(192.168.8.201),slave-i(192.168.8.211),slave-ii(192.168.8.221)执行以下命令永久修改主机名:
hostnamectl --static set-hostname master
hostnamectl --static set-hostname slave-i
hostnamectl --static set-hostname slave-ii
同时修改三个节点的/etc/hosts文件,增加以下三条:
192.168.8.201 master
192.168.8.211 slave-i
192.168.8.221 slave-ii
并增加127.0.0.1的主机名,master节点增加127.0.0.1 master,slave-i节点增加127.0.0.1 slave-i,slave-ii节点增加127.0.0.1 slave-ii,如下图如
master:
slave-i:
slave-ii:
2、防火墙设置
如主机中未安装iptables,在三个主机中执行以下命令安装:
yum install iptables-services
执行iptables -L -n -v命令可以查看iptables配置,执行以下命令永久关闭三个主机的iptables:
chkconfig iptables off
同时关闭三个主机的iptables和firewalld并设置开机不启动,执行以下命令:
systemctl stop iptables
systemctl disable iptables
systemctl stop firewalld
systemctl disable firewalld
执行systemctl status iptables和systemctl status firewalld可以查看防火墙已经关闭。
3、selinux配置
可以通过getenforce或/usr/sbin/sestatus命令查看SELINUX配置,通过修改/etc/selinux/config文件中的SELINUX配置项来关闭selinux。
SELINUX=disabled
如图:
4、关闭Swap分区
执行free -m命令可以查看swap分区情况。修改/etc/fstab配置文件,注释掉swap配置行。如图:
5、时钟同步
执行以下命令安装ntpdate:
yum install ntpdate
执行以下命令同步时针:
ntpdate us.pool.ntp.org
四、安装etcd集群
从https://github.com/coreos/etcd/releases/下载etcd3.3.8版本,将其解压,并将二进制文件拷贝到/usr/bin目录下:
cp etcd etcdctl /usr/bin
创建相关文件夹:
mkdir -p /var/lib/etcd /etc/etcd
以上两个命令在三个主机节点上都要执行。接下来配置三个主机节点的etcd配置文件,每个etcd服务器上只有两个配置文件:/usr/lib/systemd/system/etcd.service 和 /etc/etcd/etcd.conf
1、节点1(etcd-i)
/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
[Install]
WantedBy=multi-user.target
/etc/etcd/etcd.conf
# [member]
# 节点名称
ETCD_NAME=etcd-i
# 数据存放位置
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 监听其他Etcd实例的地址
ETCD_LISTEN_PEER_URLS="http://192.168.8.201:2380"
# 监听客户端地址
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.201:2379,http://127.0.0.1:2379"
#[cluster]
# 通知其他Etcd实例地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.201:2380"
# 初始化集群内节点地址
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# 初始化集群状态,new表示新建
ETCD_INITIAL_CLUSTER_STATE="new"
# 初始化集群token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# 通知客户端地址
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.201:2379,http://127.0.0.1:2379"
2、节点2(etcd-ii)
/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
[Install]
WantedBy=multi-user.target
/etc/etcd/etcd.conf
# [member]
# 节点名称
ETCD_NAME=etcd-ii
# 数据存放位置
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 监听其他Etcd实例的地址
ETCD_LISTEN_PEER_URLS="http://192.168.8.211:2380"
# 监听客户端地址
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.211:2379,http://127.0.0.1:2379"
#[cluster]
# 通知其他Etcd实例地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.211:2380"
# 初始化集群内节点地址
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# 初始化集群状态,new表示新建
ETCD_INITIAL_CLUSTER_STATE="new"
# 初始化集群token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# 通知客户端地址
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.211:2379,http://127.0.0.1:2379"
3、节点3(etcd-iii)
/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
[Install]
WantedBy=multi-user.target
/etc/etcd/etcd.conf
# [member]
# 节点名称
ETCD_NAME=etcd-iii
# 数据存放位置
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# 监听其他Etcd实例的地址
ETCD_LISTEN_PEER_URLS="http://192.168.8.221:2380"
# 监听客户端地址
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.221:2379,http://127.0.0.1:2379"
#[cluster]
# 通知其他Etcd实例地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.221:2380"
# 初始化集群内节点地址
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# 初始化集群状态,new表示新建
ETCD_INITIAL_CLUSTER_STATE="new"
# 初始化集群token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# 通知客户端地址
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.221:2379,http://127.0.0.1:2379"
etcd集群的主从节点关系与kubernetes集群的主从节点关系不是同的,etcd的配置文件只是表示三个etcd节点,etcd集群在启动和运行过程中会选举出主节点。因此,配置文件中体现的只是三个节点etcd-i,etcd-ii,etcd-iii。配置好三个节点的配置文件后,便可以启动etcd集群了,执行以下命令启动集群:
systemctl daemon-reload
systemctl start etcd.service
执行命令时,不能等一台完全执行成功了再去下一台执行,因为etcd启动后会进行选举leader投票,如果各etcd启动间隔过大,会导致etcd集群启动失败。启动后可以执行以下命令检测集群:
etcdctl member list
etcdctl cluster-health
在node-i上执行etcdctl member list,输出如下,至此,etcd集群已经搭建完成
五、docker安装
docker安装参照阿里云教程安装,这里不再赘述,三个主机都安装。参照地址:https://yq.aliyun.com/articles/110806?spm=5176.8351553.0.0.44f01991b2jQwh
六、flannel安装
1、安装flannel
从https://github.com/coreos/flannel/releases/下载flannel v0.10.0版本,将其解压到/opt/flannel/bin/。执行如下命令:
mkdir -p /opt/flannel/bin/
tar -xzvf flannel-v0.10.0-linux-amd64.tar.gz -C /opt/flannel/bin/
flannel包含flanneld 和 mk-docker-opts.sh两个可执行文件,接下来配置flannel配置文件:
/usr/lib/systemd/system/flannel.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service
[Service]
Type=notify
ExecStart=/opt/flannel/bin/flanneld -etcd-endpoints=http://192.168.8.201:2379,http://192.168.8.211:2379,http://192.168.8.221:2379 -etcd-prefix=coreos.com/network
ExecStartPost=/opt/flannel/bin/mk-docker-opts.sh -d /etc/docker/flannel_net.env -c
Restart=on-failure
[Install]
WantedBy=multi-user.target
RequiredBy=docker.service
flannel服务依赖etcd,必须先安装好etcd,并配置etcd服务地址-etcd-endpoints,-etcd-prefix是etcd存储的flannel网络配置的键前缀,执行以下命令设置flannel网络配置:
etcdctl mk /coreos.com/network/config '{"Network":"172.18.0.0/16", "SubnetMin": "172.18.1.0", "SubnetMax": "172.18.254.0", "Backend": {"Type": "vxlan"}}'
flannel服务依赖flannel镜像,所以要先下载flannel镜像,执行以下命令从阿里云下载,并创建镜像tag:
docker pull registry.cn-beijing.aliyuncs.com/k8s_images/flannel:v0.10.0-amd64
docker tag registry.cn-beijing.aliyuncs.com/k8s_images/flannel:v0.10.0-amd64 quay.io/coreos/flannel:v0.10.0
接下来启动flannel服务,执行以下命令:
systemctl daemon-reload
systemctl start flannel.service
2、修改docker配置
在flannel配置文件中包含以下配置项:
ExecStartPost=/opt/flannel/bin/mk-docker-opts.sh -d /etc/docker/flannel_net.env -c
设置该配置后,会在flannel启动后执行mk-docker-opts.sh,并生成/etc/docker/flannel_net.env文件。flannel会修改docker网络,flannel_net.env是flannel生成的docker配置参数,因此,还要修改docker配置项。
docker的配置文件在/usr/lib/systemd/system/docker.service中,docker.service配置如下,修改的配置项如下:
After:flannel启动之后再启动docker;
EnvironmentFile:配置docker的启动参数,由flannel生成;
ExecStart:增加docker启动参数;
ExecStartPost:在docker启动之后执行,会修改主机的iptables路由规则。
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
# After=network-online.target firewalld.service
After=network-online.target flannel.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/etc/docker/flannel_net.env
ExecStart=/usr/bin/dockerd $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
修改好配置文件后,执行以下命令启动flannel,并重启docker。
systemctl daemon-reload
systemctl start flannel.service
systemctl restart docker.service
启动后可以执行ifconfig查看,已经多了flannel网络。
主节点和从节点都安装flannel和配置docker参数,并可以通过以下命令验证flannel和docker运行情况:
systemctl status flannel
systemctl status docker
etcd、flannel、docker安装完成之后,便可以开始安装kubernetes集群了,在安装kubernetes集群之前先安装ca证书。
七、CNI配置
从https://github.com/containernetworking/plugins/releases下载flannel v0.7.1版本,将其解压到/opt/cni/bin。执行如下命令:
mkdir -p /opt/cni/bin /etc/cni/net.d
tar -xzvf cni-plugins-amd64-v0.7.1.tgz -C /opt/cni/bin
增加cni配置文件/etc/cni/net.d/10-flannel.conflist,配置如下:
{
"name":"cni0",
"cniVersion":"0.3.1",
"plugins":[
{
"type":"flannel",
"delegate":{
"forceAddress":true,
"isDefaultGateway":true
}
},
{
"type":"portmap",
"capabilities":{
"portMappings":true
}
}
]
}
八、安装CA证书
(1)、为kube-apiserver生成一个数字证书,并用CA证书进行签名。
(2)、为kube-apiserver进程配置证书相关的启动参数,包括CA证书(用于验证客户端证书的签名真伪、自己的经过CA签名后的证书及私钥)。
(3)、为每个访问Kubernetes API Server的客户端(如kube-controller-manager、kube-scheduler、kubelet、kube-proxy及调用API Server的客户端程序kubectl等)进程生成自己的数字证书,也都用CA证书进行签名,在相关程序的启动参数中增加CA证书、自己的证书等相关参数。
要生成的证书如下表:
根证书和私钥 | ca.crt、ca.key |
kube-apiserver证书和私钥 | server.crt、server.key |
kube-controller-manager/kube-scheduler证书和私钥 | cs_client.crt、cs_client.key |
kubelet/kube-proxy证书和私钥 | kubelet_client.crt、kubelet_client.key |
1、master节点
创建证书目录:
mkdir -p /etc/kubernetes/ca
执行以下命令生成相关证书和私钥:
(1)、生成根证书和私钥
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=master" -days 5000 -out ca.crt
/CN为master 主机名
(2)、生成kube-apiserver证书和私钥
新建master_ssl.conf文件,配置如下:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = master #master hostname
IP.1 = 172.18.0.1 #master clusterip 可通过kubectl get service获取
IP.2 = 192.168.8.201 #master ip
执行如下命令生成证书和私钥:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=master" -config master_ssl.conf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.conf -out server.crt
/CN为master 主机名
(3)、生成kube-controller-manager/kube-scheduler证书和私钥
openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=master" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000
/CN为master 主机名
2、node1节点(slave-i)
创建证书目录:
mkdir -p /etc/kubernetes/ca
将master节点的根证书和私钥拷贝到该目录下,执行以下命令生成证书和私钥:
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.8.211" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
/CN为slave-i 的IP地址
3、node2节点(slave-ii)
创建证书目录:
mkdir -p /etc/kubernetes/ca
将master节点的根证书和私钥拷贝到该目录下,执行以下命令生成证书和私钥:
openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.8.221" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
/CN为slave-ii 的IP地址
九、安装kubernetes集群
安装好CA证书后,开始搭建kubernetes集群。
master节点安装kube-apiserver、kube-controller-manager、kube-scheduler;node节点安装kubelet、kube-proxy。
1、master节点
从https://github.com/kubernetes/kubernetes/releases下载kubernetes v1.10.5版本。如下图,点击CHANGELOG-1.10.md链接到下载页面。
下载kubernetes-server-linux-amd64.tar.gz服务端安装包,将其解压,并将kubernetes/server/bin下的二进制文件拷贝到/usr/bin目录下。
cp `ls|egrep -v "*.tar|*_tag"` /usr/bin/
创建日志目录
mkdir -p /var/log/kubernetes
(1)、配置kube-apiserver
/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=etcd.service
Wants=etcd.service
[Service]
EnvironmentFile=/etc/kubernetes/apiserver.conf
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
/etc/kubernetes/apiserver.conf,--etcd-servers连接到etcd集群,关闭的非安全端口8080,并用secure-port开启安全端口6443,client-ca-file、tls-private-key-file、tls-cert-file配置CA证书,enable-admission-plugins开启准入权限,--anonymous-auth=false,不接受匿名访问,若为true,则表示接受,此处设置为false,便于dashboard访问。
KUBE_API_ARGS="\
--storage-backend=etcd3 \
--etcd-servers=http://192.168.8.201:2379,http://192.168.8.211:2379,http://192.168.8.221:2379 \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--service-cluster-ip-range=172.18.0.0/16 \
--service-node-port-range=1-65535 \
--kubelet-port=10250 \
--advertise-address=192.168.8.201 \
--allow-privileged=false \
--anonymous-auth=false \
--client-ca-file=/etc/kubernetes/ca/ca.crt \
--tls-private-key-file=/etc/kubernetes/ca/server.key \
--tls-cert-file=/etc/kubernetes/ca/server.crt \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,NamespaceExists,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
--logtostderr=true \
--log-dir=/var/log/kubernets \
--v=2"
(2)、配置kube-controller-manager
配置kube-controller-config.yaml和kube-scheduler-config.yaml,分别在kube-controller-manager和kube-scheduler中引用该两文件,文件里配置了CA证书,配置如下:
kube-controller-config.yaml:
apiVersion: v1
kind: Config
users:
- name: controller
user:
client-certificate: /etc/kubernetes/ca/cs_client.crt
client-key: /etc/kubernetes/ca/cs_client.key
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/ca/ca.crt
contexts:
- context:
cluster: local
user: controller
name: default-context
current-context: default-context
kube-scheduler-config.yaml:
apiVersion: v1
kind: Config
users:
- name: scheduler
user:
client-certificate: /etc/kubernetes/ca/cs_client.crt
client-key: /etc/kubernetes/ca/cs_client.key
clusters:
- name: local
cluster:
certificate-authority: /etc/kubernetes/ca/ca.crt
contexts:
- context:
cluster: local
user: scheduler
name: default-context
current-context: default-context
/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
EnvironmentFile=/etc/kubernetes/controller-manager.conf
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
/etc/kubernetes/controller-manager.conf,master连接到master节点,service-account-private-key-file、root-ca-file、cluster-signing-cert-file、cluster-signing-key-file配置CA证书,kubeconfig是配置文件。
KUBE_CONTROLLER_MANAGER_ARGS="\
--master=https://192.168.8.201:6443 \
--service-account-private-key-file=/etc/kubernetes/ca/server.key \
--root-ca-file=/etc/kubernetes/ca/ca.crt \
--cluster-signing-cert-file=/etc/kubernetes/ca/ca.crt \
--cluster-signing-key-file=/etc/kubernetes/ca/ca.key \
--kubeconfig=/etc/kubernetes/kube-controller-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"
(3)、配置kube-scheduler
/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
User=root
EnvironmentFile=/etc/kubernetes/scheduler.conf
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
/etc/kubernetes/scheduler.conf,master连接到master节点,kubeconfig是配置文件。
KUBE_SCHEDULER_ARGS="\
--master=https://192.168.8.201:6443 \
--kubeconfig=/etc/kubernetes/kube-scheduler-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"
配置好配置文件后,执行以下命令启动master节点:
systemctl daemon-reload
systemctl start kube-apiserver.service
systemctl start kube-controller-manager.service
systemctl start kube-scheduler.service
启动后可执行以下命令查看启动日志信息:
journalctl -xeu kube-apiserver --no-pager
journalctl -xeu kube-controller-manager --no-pager
journalctl -xeu kube-scheduler --no-pager
2、node节点
在server安装包的bin目录下已经包含了node节点的二进制文件,执行以下命令将二进制文件拷贝到/usr/bin目录下:
cp kubectl kubelet kube-proxy /usr/bin/
创建日志目录
mkdir -p /var/log/kubernetes
创建/etc/sysctl.d/k8s.conf文件
touch /etc/sysctl.d/k8s.conf
配置k8s.conf文件如下
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
配置kubelet-config.yaml和proxy-config.yaml,分别在kubelet和kube-proxy中引用该两文件,文件里配置了CA证书,配置如下:
kubelet-config.yaml:
apiVersion: v1
kind: Config
users:
- name: kubelet
user:
client-certificate: /etc/kubernetes/ca/kubelet_client.crt
client-key: /etc/kubernetes/ca/kubelet_client.key
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ca/ca.crt
server: https://192.168.0.11:6443
name: local
contexts:
- context:
cluster: local
user: kubelet
name: default-context
current-context: default-context
preferences: {}
proxy-config.yaml:
apiVersion: v1
kind: Config
users:
- name: proxy
user:
client-certificate: /etc/kubernetes/ca/kubelet_client.crt
client-key: /etc/kubernetes/ca/kubelet_client.key
clusters:
- cluster:
certificate-authority: /etc/kubernetes/ca/ca.crt
server: https://192.168.0.11:6443
name: local
contexts:
- context:
cluster: local
user: proxy
name: default-context
current-context: default-context
preferences: {}
(1)、配置kubelet
/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/etc/kubernetes/kubelet.conf
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
[Install]
WantedBy=multi-user.target
/etc/kubernetes/kubelet.conf,hostname-override配置node我名称,这里使用node节点的IP,slave-i的IP为192.168.8.211,slave-ii的IP为192.168.8.221。pod-infra-container-image指定pause镜像,kubeconfig为配置文件。
KUBELET_ARGS="\
--kubeconfig=/etc/kubernetes/kubelet-config.yaml \
--pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.0 \
--hostname-override=192.168.8.211 \
--network-plugin=cni \
--cni-conf-dir=/etc/cni/net.d \
--cni-bin-dir=/opt/cni/bin \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"
(2)、配置kube-proxy
/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
Requires=network.service
[Service]
EnvironmentFile=/etc/kubernetes/proxy.conf
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
/etc/kubernetes/proxy.conf,hostname-override配置node我名称。要与kubelet对应,kubelet配置了,则kube-proxy也要配置。这里使用node节点的IP,slave-i的IP为192.168.8.211,slave-ii的IP为192.168.8.221。master连接master服务,kubeconfig为配置文件。
KUBE_PROXY_ARGS="\
--master=https://192.168.8.201:6443 \
--hostname-override=192.168.8.211 \
--kubeconfig=/etc/kubernetes/proxy-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"
kubelet服务依赖二pause镜像,在启动kubelet前先要下载该镜像,执行以下命令下载和创建镜像tag:
docker pull registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
docker tag registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0
配置好配置文件后,执行以下命令启动master节点:
systemctl daemon-reload
systemctl start kubelet.service
systemctl start kube-proxy.service
启动后可执行以下命令查看启动日志信息:
journalctl -xeu kubelet --no-pager
journalctl -xeu kube-proxy --no-pager
node节点启动后,可以在master节点查看node节点已经注册到集群里了,执行以下命令查看:
十、测试集群
这里启动了个nginx服务来测试集群。
1、创建rc
创建nginx-rc.yaml文件,配置如下,imagePullPolicy: IfNotPresent会下载nginx镜像:
apiVersion: v1
kind: ReplicationController
metadata:
name: nginx-rc
labels:
name: nginx-rc
spec:
replicas: 2
selector:
name: nginx-pod
template:
metadata:
labels:
name: nginx-pod
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
2、创建service
创建nginx-svc.yaml文件,配置如下,NodePort可以将服务端口映射到pod所在主机的端口上,因此可以在pod所在主机上访问服务:
apiVersion: v1
kind: Service
metadata:
name: nginx-service
labels:
name: nginx-service
spec:
type: NodePort
ports:
- port: 80
protocol: TCP
targetPort: 80
nodePort: 30081
selector:
name: nginx-pod
执行以下命令启动rc和service:
kubectl create -f nginx-rc.yaml
kubectl create -f nginx-svc.yaml
在master中执行以下命令,可以查看pod创建情况:
kubectl get pod -o wide
可以看到pod已经创建,并分配在node中
可以在集群外,访问slave-i和slave-ii的30081端口访问nginx。
http://192.168.8.211:30081/
http://192.168.8.221:30081/
返回nginx主页
更多推荐
所有评论(0)