Linux operations and architecture: Kubernetes 1.13 offline cluster deployment with mutual (two-way) TLS authentication
Views: 4599
Published: 2019-06-09

I. Deployment environment

1. Server plan

IP address    Hostname       CPU   Memory
10.0.0.100    k8s-master01   2C    2G
10.0.0.101    k8s-node01     2C    2G
10.0.0.102    k8s-node02     2C    2G

2. Kubernetes 1.13 package download

https://github.com/kubernetes/kubernetes/releases

Versions of the packages used:

3. Kubernetes workflow

4. Preparation before deploying Kubernetes

① System environment

[root@k8s-master01 ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@k8s-master01 ~]# uname -r
3.10.0-957.21.3.el7.x86_64
[root@k8s-master01 ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@k8s-master01 ~]# getenforce
Disabled

Both the host firewall and SELinux are off on every node in this lab. That keeps the walkthrough simple, but it also means the etcd listeners opened below (2379 for clients, 2380 for peers) are reachable from anywhere the host is; outside a lab, restrict those ports to the cluster nodes at the network level.

② Disable swap

The kubelet refuses to start while swap is enabled (its --fail-swap-on default), so turn it off now and comment the swap entry out of /etc/fstab so it stays off after a reboot:

swapoff -a && sysctl -w vm.swappiness=0
vim /etc/fstab
UUID=b6ff8dda-f2db-49ad-a091-bdd4e82cdace /                       xfs     defaults        0 0
UUID=f4eaa64a-f9c7-4e11-a78b-13d423ac65d2 /boot                   xfs     defaults        0 0
#UUID=bc4d148a-56e0-4fa8-96a2-d10e5470963c swap                    swap    defaults        0 0

③ Kernel parameters required by Docker

cat << EOF | tee /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf

The two net.bridge keys only exist once the br_netfilter kernel module is loaded; if sysctl -p reports them as unknown keys, load that module first and rerun the command.

II. Deploy Docker (all nodes)

1. Install

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list docker-ce --showduplicates | sort -r
yum install docker-ce -y
systemctl start docker && systemctl enable docker

2. Create the directories needed for the install

mkdir /k8s/etcd/{bin,cfg,ssl} -p
mkdir /k8s/kubernetes/{bin,cfg,ssl} -p

3. Install the certificate tool CFSSL (master node)

mkdir tools && cd tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

These binaries will mint the CA that every component in the cluster trusts, so verify their checksums against the upstream release before using them rather than trusting the download alone.

4. Create the certificates (master node)

① Create the etcd certificates

First the signing configuration. The www profile grants both server auth and client auth, which is what lets one certificate serve as etcd's server certificate, its peer certificate, and the client certificate etcdctl presents later in this post. The expiry of 87600h is ten years; shorten it if you have a rotation process.

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

Create the etcd CA certificate request

cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen"
        }
    ]
}
EOF

Create the etcd server certificate request

The hosts list puts all three member IPs into the certificate's subject alternative names, which is why the same server.pem can be copied to every etcd node and still pass hostname verification on each of them.

cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "10.0.0.100",
    "10.0.0.101",
    "10.0.0.102"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen"
        }
    ]
}
EOF

Generate the etcd CA, then the etcd server certificate and key signed by it

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

This produces ca.pem, ca-key.pem, server.pem and server-key.pem in the tools directory. Copy them to /k8s/etcd/ssl before continuing: the Kubernetes CA step below writes files with exactly the same names into this directory and would otherwise overwrite the etcd CA and server certificate.

② Create the Kubernetes CA certificate

This is a second, independent CA: the etcd CA above signs only etcd certificates, and this one signs the API server and component certificates. Keep them separate so an etcd client certificate cannot be presented to the API server or vice versa. Note that the filenames below (ca-config.json, ca-csr.json, and the ca.pem/ca-key.pem they produce) collide with the etcd files generated above; make sure the etcd copies are already in /k8s/etcd/ssl or generate these in a separate directory.

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat << EOF | tee ca-csr.json
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Generate the Kubernetes CA certificate and key

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

③ Generate the API server certificate

The hosts list must contain every name a client may use to reach the API server: the master IP, loopback, the ClusterIP that the kubernetes Service will receive (10.0.0.1 here, the first address of the service CIDR configured later on the apiserver) and the in-cluster DNS names of that Service. A name missing from this list shows up later as a TLS hostname-verification failure.

cat << EOF | tee server-csr.json
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "10.0.0.100",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shenzhen",
            "ST": "Shenzhen",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Generate the API server certificate and key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

④ Create the kube-proxy certificate

This is a client certificate, so hosts is empty. The API server's x509 authenticator takes the subject CN as the username and each O as a group, so CN system:kube-proxy is what ties this certificate to the built-in kube-proxy RBAC role.

cat << EOF | tee kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Shenzhen",
      "ST": "Shenzhen",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

Generate the kube-proxy certificate and key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
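A pre-flight check for the CSR and signing-config JSON above, written here as an added example; it is not part of the original post and not part of cfssl. It embeds constructed copies of the page's API server and kube-proxy CSRs and of the kubernetes signing profile, derives the SAN list an API server certificate needs from the master IPs and a service CIDR (the page does not show its service CIDR; 10.0.0.0/24 is assumed only because its first address is the 10.0.0.1 entry above), reports how the API server's x509 authenticator will read a client certificate (CN becomes the username, each O a group), and flags a profile that issues dual-use certificates with a ten-year lifetime.

```python
import ipaddress
import json

# Constructed copies of this page's apiserver and kube-proxy CSRs and of the
# "kubernetes" signing profile, embedded so the checks run offline.
APISERVER_CSR = json.loads("""
{
  "CN": "kubernetes",
  "hosts": ["10.0.0.1", "127.0.0.1", "10.0.0.100", "kubernetes",
            "kubernetes.default", "kubernetes.default.svc",
            "kubernetes.default.svc.cluster",
            "kubernetes.default.svc.cluster.local"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "Shenzhen", "ST": "Shenzhen", "O": "k8s", "OU": "System"}]
}
""")

KUBE_PROXY_CSR = json.loads("""
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "Shenzhen", "ST": "Shenzhen", "O": "k8s", "OU": "System"}]
}
""")

CA_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "87600h"},
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
""")


def required_apiserver_sans(master_ips, service_cidr, cluster_domain="cluster.local"):
    """Names an apiserver serving certificate must carry: loopback, every
    master IP, the ClusterIP of the 'kubernetes' Service (first usable
    address of the service CIDR) and that Service's in-cluster DNS names."""
    service_ip = str(ipaddress.ip_network(service_cidr)[1])
    return {
        "127.0.0.1", service_ip, *master_ips,
        "kubernetes", "kubernetes.default", "kubernetes.default.svc",
        "kubernetes.default.svc." + cluster_domain,
    }


def missing_sans(csr, required):
    """Required names that the CSR's hosts list does not cover (sorted)."""
    return sorted(required - set(csr.get("hosts", [])))


def k8s_identity(csr):
    """What kube-apiserver's x509 client-cert authenticator will see:
    the subject CN becomes the username, each O becomes a group."""
    groups = [n["O"] for n in csr.get("names", []) if "O" in n]
    return csr["CN"], groups


def profile_findings(config, profile, max_hours=8760):
    """Review a cfssl signing profile: the usages it grants and its lifetime."""
    p = config["signing"]["profiles"][profile]
    usages = set(p.get("usages", []))
    findings = []
    if "server auth" not in usages:
        findings.append("profile lacks 'server auth'")
    if "client auth" not in usages:
        findings.append("profile lacks 'client auth'")
    if {"server auth", "client auth"} <= usages:
        findings.append("profile issues dual-use certs (server auth + client auth)")
    expiry = p.get("expiry", config["signing"]["default"]["expiry"])
    hours = int(expiry.rstrip("h"))
    if hours > max_hours:
        findings.append(f"expiry {hours}h exceeds {max_hours}h")
    return findings


if __name__ == "__main__":
    # Assumed service CIDR: the page does not show it; 10.0.0.0/24 is used
    # only because its first address is the 10.0.0.1 SAN in the page's CSR.
    required = required_apiserver_sans(["10.0.0.100"], "10.0.0.0/24")
    print("missing apiserver SANs:", missing_sans(APISERVER_CSR, required))
    print("kube-proxy identity:", k8s_identity(KUBE_PROXY_CSR))
    print("profile findings:", profile_findings(CA_CONFIG, "kubernetes"))
```

Run it before signing: an empty list from missing_sans means the CSR covers every name the API server will be reached by; add a second master IP to the master list and the function names exactly what would fail hostname verification. The profile findings are the review points for this page's config: one profile mints certificates usable as both server and client, and they are valid for ten years.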

5. Passwordless SSH authentication

ssh-keygen

ssh-copy-id 10.0.0.101
ssh-copy-id 10.0.0.102

III. Deploy the etcd service

1. Upload and extract the files

tar xf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64/
cp etcd etcdctl /k8s/etcd/bin/

2. Create the etcd configuration file

vim /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.0.0.100:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.100:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.100:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.100:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.0.0.100:2380,etcd02=https://10.0.0.101:2380,etcd03=https://10.0.0.102:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

Create the etcd systemd unit file

The unit below adds --client-cert-auth=true and --peer-client-cert-auth=true. Without them etcd only presents its own certificate and never demands one from the other side, so clients and peers would be verified in one direction only, which is not the two-way authentication this post sets out to build. Also note the extra http://127.0.0.1:2379 in --listen-client-urls: it is a plaintext endpoint that bypasses TLS and client authentication for any process on the host. It is kept here because local tooling on the master uses it, but drop it if nothing on the host needs unauthenticated access.

vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/k8s/etcd/cfg/etcd
ExecStart=/k8s/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--client-cert-auth=true \
--peer-client-cert-auth=true
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Copy the certificate files

These must be the etcd CA and etcd server files generated in step ①, not the Kubernetes CA and API server certificate that were written under the same names afterwards; check the CN with cfssl-certinfo -cert if you are not sure which set is in the directory.

cd tools
cp ca*pem server*pem /k8s/etcd/ssl

Distribute the unit file and configuration to node 1 and node 2

This copies the etcd private key (server-key.pem) to every member, so all three share one key pair; that is what the SANs in server-csr.json were chosen for.

cd /k8s
scp -r etcd 10.0.0.101:/k8s/
scp -r etcd 10.0.0.102:/k8s/
scp /usr/lib/systemd/system/etcd.service  10.0.0.101:/usr/lib/systemd/system/etcd.service
scp /usr/lib/systemd/system/etcd.service  10.0.0.102:/usr/lib/systemd/system/etcd.service

Modify the configuration on node 1 and node 2

Only ETCD_NAME and the member's own IP change; ETCD_INITIAL_CLUSTER and the token must be identical on all three members.

vim /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.0.0.101:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.101:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.101:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.101:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.0.0.100:2380,etcd02=https://10.0.0.101:2380,etcd03=https://10.0.0.102:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

vim /k8s/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.0.0.102:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.102:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.102:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.102:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.0.0.100:2380,etcd02=https://10.0.0.101:2380,etcd03=https://10.0.0.102:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

3. Start the etcd service

systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

4. Verify the cluster is running

etcdctl in etcd 3.3 runs in its v2 mode by default, which is why the flags are --ca-file/--cert-file/--key-file and the subcommand is cluster-health. The client presents server.pem as its client certificate; that works because the www profile granted it client auth.

/k8s/etcd/bin/etcdctl \
--ca-file=/k8s/etcd/ssl/ca.pem \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--endpoints="https://10.0.0.100:2379,\
https://10.0.0.101:2379,\
https://10.0.0.102:2379" cluster-health
member 5db3ea816863435 is healthy: got healthy result from https://10.0.0.102:2379
member 991b5845cecb31b is healthy: got healthy result from https://10.0.0.101:2379
member c67ee2780d64a0d4 is healthy: got healthy result from https://10.0.0.100:2379
cluster is healthy

Note: start at least two of the three members at the same time. With Type=notify, systemctl start etcd blocks until the member has joined a quorum, and a single member with this three-member initial cluster cannot come up on its own.
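An audit of the etcd command line assembled by the unit and configuration file above, written in Python as an added example; it is not part of the original post and not an etcd tool. It embeds constructed copies of the master's /k8s/etcd/cfg/etcd and of the ExecStart line as the page first presents it (before the two cert-auth flags are added), expands the ${VAR} references the way systemd does, and then reports the points a reviewer would raise: the plaintext http://127.0.0.1:2379 listener, the missing --client-cert-auth and --peer-client-cert-auth, and the single key pair shared by the client and peer listeners. harden() returns the corrected flag set so the two can be compared.

```python
import re
import shlex

# Constructed copies of the page's /k8s/etcd/cfg/etcd (master) and of the
# ExecStart line from etcd.service, embedded so the audit runs offline.
ETCD_ENV = """
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.0.0.100:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.100:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.100:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.100:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://10.0.0.100:2380,etcd02=https://10.0.0.101:2380,etcd03=https://10.0.0.102:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
"""

EXEC_START = r"""/k8s/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=/k8s/etcd/ssl/server.pem \
--key-file=/k8s/etcd/ssl/server-key.pem \
--peer-cert-file=/k8s/etcd/ssl/server.pem \
--peer-key-file=/k8s/etcd/ssl/server-key.pem \
--trusted-ca-file=/k8s/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem"""


def parse_env_file(text):
    """Read a systemd EnvironmentFile: KEY="value" lines, '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"')
    return env


def parse_exec_start(text, env):
    """Join backslash continuations, expand ${VAR} from the environment and
    return {flag: value}; a flag given without '=value' maps to None."""
    joined = text.replace("\\\n", " ")
    expanded = re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), joined)
    flags = {}
    for token in shlex.split(expanded)[1:]:  # [0] is the binary path
        if token.startswith("--"):
            name, sep, value = token[2:].partition("=")
            flags[name] = value if sep else None
    return flags


# (listener flag, cert, key, CA, flag that makes etcd actually demand a cert)
TLS_SIDES = (
    ("listen-client-urls", "cert-file", "key-file", "trusted-ca-file", "client-cert-auth"),
    ("listen-peer-urls", "peer-cert-file", "peer-key-file", "peer-trusted-ca-file", "peer-client-cert-auth"),
)


def audit_etcd_flags(flags):
    """Findings about the TLS posture encoded in an etcd command line."""
    findings = []
    for listen, cert, key, ca, auth in TLS_SIDES:
        for url in (flags.get(listen) or "").split(","):
            if url.startswith("http://"):
                findings.append(f"{listen}: plaintext listener {url} bypasses TLS entirely")
        for f in (cert, key, ca):
            if not flags.get(f):
                findings.append(f"missing --{f}")
        # etcd verifies presented certificates only when this flag is on;
        # a bare --flag and --flag=true both enable it.
        if auth not in flags or flags[auth] not in (None, "true"):
            findings.append(f"--{auth} not enabled: {listen} accepts connections without a client certificate")
    if flags.get("cert-file") and flags.get("cert-file") == flags.get("peer-cert-file"):
        findings.append("one key pair serves both the client-facing and the peer-facing listener")
    return findings


def harden(flags):
    """The corrected form: require client certificates on both sides and
    drop any plaintext listener."""
    fixed = dict(flags)
    for listen, _, _, _, auth in TLS_SIDES:
        fixed[auth] = "true"
        urls = [u for u in (fixed.get(listen) or "").split(",") if not u.startswith("http://")]
        fixed[listen] = ",".join(urls)
    return fixed


if __name__ == "__main__":
    flags = parse_exec_start(EXEC_START, parse_env_file(ETCD_ENV))
    print(*audit_etcd_flags(flags), sep="\n")
```

Point it at the real files by reading /k8s/etcd/cfg/etcd and the ExecStart= value of the unit instead of the embedded strings. After harden() the only remaining finding is the shared key pair; clearing that means issuing a separate peer certificate from the same etcd CA, which the www profile above already permits.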

Reposted from: https://www.cnblogs.com/yanxinjiang/p/11247834.html
