# 增加免密操作（node3 作为证书签发/分发主机，用 root 密钥免密登录三台 etcd 节点。注意这把私钥等价于三台机器的 root：证书分发完成后应从各节点的 authorized_keys 中移除，或改用受限的非 root 账号 + sudo，避免 node3 成为整个集群的单点跳板）
[root@k8s-node3 ~]# ssh-keygen
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.11
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.12
[root@k8s-node3 ~]# ssh-copy-id root@10.0.0.13
etcd–etcd–etcd
apiserver–etcd
flanneld–etcd
apiserver–kubelet
apiserver–kubeproxy
6443 https
api-server–controller-manager
api-server–scheduler
8080 http 127.0.0.1   # apiserver 的非安全端口：明文、无认证，只能绑定回环地址（回环地址是 127.0.0.1，不是 172.0.0.1）
# (1) 上传生成证书的软件，从 https://github.com/cloudflare/cfssl/releases 下载（cfssl 是整个集群信任根的签发工具，下载后先核对 release 页提供的校验和，再赋予执行权限）
[root@k8s-node3 softs]# ls
cfssl cfssl-certinfo cfssl-json
[root@k8s-node3 softs]# chmod +x *
# (2) 创建 CA 签发策略 ca-config.json：定义 server / client / peer 三个 profile；peer 同时带 server auth 和 client auth，用于 etcd 节点之间以及 etcd 对客户端的双向 TLS。注意 expiry 175200h 即 20 年，证书一旦泄露没有自然失效窗口，生产环境应缩短有效期并配合轮换
[root@k8s-node3 certs]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@k8s-node3 certs]# cat ca-csr.json
{
"CN": "kubernetes-ca",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
# (3) 生成 CA 证书和私钥（ca-key.pem 是整个集群的信任根：只保留在签发主机上并 chmod 600，不要随其它 .pem 一起分发到 etcd 节点；拿到它的人可以签发集群信任的任意证书）
[root@k8s-node3 certs]# sudo cfssl gencert -initca ca-csr.json | /opt/softs/cfssl-json -bare ca -
[root@k8s-node3 certs]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
# 1. 创建 etcd-peer-csr.json 文件（hosts 即证书 SAN，必须包含每个 etcd 节点对外监听的 IP；下面这张证书同时被用作 etcd 面向客户端的服务端证书，若客户端以主机名访问 etcd，还需把主机名加入 hosts）
[root@k8s-node3 certs]# cat etcd-peer-csr.json
{
"CN": "etcd-peer",
"hosts": [
"10.0.0.11",
"10.0.0.12",
"10.0.0.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
# 2. 生成密钥对
[root@k8s-node3 certs]# sudo cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | /opt/softs/cfssl-json -bare etcd-peer
# 3. 安装 etcd，修改 /etc/etcd/etcd.conf（三个节点除 IP 和 ETCD_NAME 外配置应完全一致；这里固定的 3.3 系列已不再维护，生产环境请使用仍在维护的版本线）
[root@k8s-master etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-master etcd]# cat etcd.conf
# /etc/etcd/etcd.conf for member "node1" (10.0.0.11); the other two members differ only in IP and NAME.
ETCD_DATA_DIR="/var/lib/etcd/"
# Peer traffic (2380) is TLS-only.
ETCD_LISTEN_PEER_URLS="https://10.0.0.11:2380"
# NOTE(review): the second listener is plaintext on loopback with no client-cert check, so any
# local process or user on this host gets full read/write access to the keyspace (for a k8s
# cluster that is all cluster state). It is presumably what lets the bare `etcdctl member list`
# later in this page succeed; remove it once clients are configured with certificates.
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.11:2379,http://127.0.0.1:2379"
ETCD_NAME="node1"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.11:2380"
# Advertised client URLs are what `member list` reports for this member; clients must be able to reach them.
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.11:2379,http://127.0.0.1:2379"
# Must be identical on all three members (same names, peer URLs and token) for bootstrap to succeed.
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# Client-facing TLS. The cfssl "peer" profile cert (server auth + client auth) is reused here,
# and CLIENT_CERT_AUTH makes every https client present a certificate signed by ca.pem.
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# NOTE(review): AUTO_TLS is expected to be ignored while an explicit cert/key pair is configured
# (etcd normally logs a warning about this) — confirm in the journal. Its only effect would be a
# silent fallback to unverifiable self-signed certs if the lines above were ever removed, so
# setting it to "false" (or deleting it) is the safer choice.
ETCD_AUTO_TLS="true"
# Peer-to-peer TLS with mutual authentication, using the same cert/key and CA as above.
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# Same caveat as ETCD_AUTO_TLS.
ETCD_PEER_AUTO_TLS="true"
[root@k8s-node1 etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-node1 etcd]# cat etcd.conf
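# /etc/etcd/etcd.conf for member "node2" (10.0.0.12); the other two members differ only in IP and NAME.
ETCD_DATA_DIR="/var/lib/etcd/"
# Peer traffic (2380) is TLS-only.
ETCD_LISTEN_PEER_URLS="https://10.0.0.12:2380"
# NOTE(review): the second listener is plaintext on loopback with no client-cert check, so any
# local process or user on this host gets full read/write access to the keyspace (for a k8s
# cluster that is all cluster state). It is presumably what lets the bare `etcdctl member list`
# later in this page succeed; remove it once clients are configured with certificates.
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.12:2379,http://127.0.0.1:2379"
ETCD_NAME="node2"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.12:2380"
# Advertised client URLs are what `member list` reports for this member; clients must be able to
# reach them. Fixed: this previously advertised 9.0.0.12 (a typo for the node IP), which is what
# showed up as node2's clientURLs in the member list and would send clients to an unreachable host.
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.12:2379,http://127.0.0.1:2379"
# Must be identical on all three members (same names, peer URLs and token) for bootstrap to succeed.
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# Client-facing TLS. The cfssl "peer" profile cert (server auth + client auth) is reused here,
# and CLIENT_CERT_AUTH makes every https client present a certificate signed by ca.pem.
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# NOTE(review): AUTO_TLS is expected to be ignored while an explicit cert/key pair is configured
# (etcd normally logs a warning about this) — confirm in the journal. Its only effect would be a
# silent fallback to unverifiable self-signed certs if the lines above were ever removed, so
# setting it to "false" (or deleting it) is the safer choice.
ETCD_AUTO_TLS="true"
# Peer-to-peer TLS with mutual authentication, using the same cert/key and CA as above.
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# Same caveat as ETCD_AUTO_TLS.
ETCD_PEER_AUTO_TLS="true"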
[root@k8s-node2 etcd]# sudo yum install etcd-3.3.11-2.el7.centos -y
[root@k8s-node2 etcd]# cat etcd.conf
# /etc/etcd/etcd.conf for member "node3" (10.0.0.13); the other two members differ only in IP and NAME.
ETCD_DATA_DIR="/var/lib/etcd/"
# Peer traffic (2380) is TLS-only.
ETCD_LISTEN_PEER_URLS="https://10.0.0.13:2380"
# NOTE(review): the second listener is plaintext on loopback with no client-cert check, so any
# local process or user on this host gets full read/write access to the keyspace (for a k8s
# cluster that is all cluster state). It is presumably what lets the bare `etcdctl member list`
# later in this page succeed; remove it once clients are configured with certificates.
ETCD_LISTEN_CLIENT_URLS="https://10.0.0.13:2379,http://127.0.0.1:2379"
ETCD_NAME="node3"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.0.0.13:2380"
# Advertised client URLs are what `member list` reports for this member; clients must be able to reach them.
ETCD_ADVERTISE_CLIENT_URLS="https://10.0.0.13:2379,http://127.0.0.1:2379"
# Must be identical on all three members (same names, peer URLs and token) for bootstrap to succeed.
ETCD_INITIAL_CLUSTER="node1=https://10.0.0.11:2380,node2=https://10.0.0.12:2380,node3=https://10.0.0.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
# Client-facing TLS. The cfssl "peer" profile cert (server auth + client auth) is reused here,
# and CLIENT_CERT_AUTH makes every https client present a certificate signed by ca.pem.
ETCD_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# NOTE(review): AUTO_TLS is expected to be ignored while an explicit cert/key pair is configured
# (etcd normally logs a warning about this) — confirm in the journal. Its only effect would be a
# silent fallback to unverifiable self-signed certs if the lines above were ever removed, so
# setting it to "false" (or deleting it) is the safer choice.
ETCD_AUTO_TLS="true"
# Peer-to-peer TLS with mutual authentication, using the same cert/key and CA as above.
ETCD_PEER_CERT_FILE="/etc/etcd/etcd-peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/etcd-peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ca.pem"
# Same caveat as ETCD_AUTO_TLS.
ETCD_PEER_AUTO_TLS="true"
# 4. 分发证书和私钥——只需分发 ca.pem、etcd-peer.pem、etcd-peer-key.pem。注意下面的 `*.pem` 通配会把 CA 私钥 ca-key.pem 一起复制到每个 etcd 节点，任何拿到它的人都能签发被整个集群信任的证书；应改为 `scp -p ca.pem etcd-peer.pem etcd-peer-key.pem root@10.0.0.11:/etc/etcd/`（另两台同理），并把 ca-key.pem 留在签发主机上离线保管
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.11:/etc/etcd/
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.12:/etc/etcd/
[root@k8s-node3 certs]# scp -rp *.pem root@10.0.0.13:/etc/etcd/
# 5. 给证书/私钥授权（chown 只改属主，不会收紧权限；私钥还应执行 chmod 600 /etc/etcd/etcd-peer-key.pem，ca.pem 与 etcd-peer.pem 保持 644 即可）
[root@k8s-master etcd]# chown -R etcd:etcd *.pem
[root@k8s-node1 etcd]# chown -R etcd:etcd *.pem
[root@k8s-node2 etcd]# chown -R etcd:etcd *.pem
# 6. master、node1、node2 同时启动 etcd 服务并加入开机自启（ETCD_INITIAL_CLUSTER_STATE="new" 要求三个成员在引导期内都能互相连通；启动后用 journalctl -u etcd 确认没有证书/TLS 相关告警）
systemctl start etcd
systemctl enable etcd
# 7. 验证 etcd 集群（不带参数的 etcdctl 走的是 http://127.0.0.1:2379 这个明文回环端口，只能说明集群起来了，不能证明 TLS 和客户端证书认证配置正确；应改用 ETCDCTL_API=3 etcdctl --endpoints=https://10.0.0.11:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/etcd-peer.pem --key=/etc/etcd/etcd-peer-key.pem member list 验证。另外下面输出中 node2 的 clientURLs 是 9.0.0.12，说明其 ETCD_ADVERTISE_CLIENT_URLS 写错了，需改为 10.0.0.12 后重启 etcd）
[root@k8s-master ~]# etcdctl member list
55fcbe0adaa45350: name=node3 peerURLs=https://10.0.0.13:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.13:2379 isLeader=false
cebdf10928a06f3c: name=node1 peerURLs=https://10.0.0.11:2380 clientURLs=http://127.0.0.1:2379,https://10.0.0.11:2379 isLeader=true
f7a9c20602b8532e: name=node2 peerURLs=https://10.0.0.12:2380 clientURLs=http://127.0.0.1:2379,https://9.0.0.12:2379 isLeader=false