四、部署Kubernetes-master组件
4.1 master节点生成kube-apiserver证书
1)master节点创建自签CA根证书
# 在master节点上,生成另一套独立的自签ca证书
cd ~/TLS/k8s
cat >ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# 生成CA证书和私钥
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 目录下会生成ca.pem和ca-key.pem文件。
2)master节点使用自签CA根证书签发kube-apiserver 证书
# 创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.10.131",
"192.168.10.132",
"192.168.10.133",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
注:上述文件hosts字段中IP为所有master/node,一个都不能少!为了方便后期扩容可以多写几个预留的IP地址。
# 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
# 目录下会生成server.pem和server-key.pem文件。
4.2 master节点下载kubernetes二进制文件
下载地址:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.20.md
注意:只需要下载一个server包就够了,包含了master和node二进制文件。
4.3 master节点解压二进制包
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
cp kubectl /usr/bin/
4.4 master节点部署kube-apiserver
1)master节点创建kube-apiserver配置文件
cat > /opt/kubernetes/cfg/kube-apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://192.168.10.131:2379,https://192.168.10.132:2379,https://192.168.10.133:2379 \\
--bind-address=192.168.10.131 \\
--secure-port=6443 \\
--advertise-address=192.168.10.131 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-issuer=api \\
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem \\
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem \\
--requestheader-allowed-names=kubernetes \\
--requestheader-extra-headers-prefix=X-Remote-Extra- \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--enable-aggregator-routing=true \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
2)master节点拷贝刚才生成的证书
# 把刚才生成的证书拷贝到配置文件中的路径(共4个文件)
cp ~/TLS/k8s/ca*pem /opt/kubernetes/ssl/
cp ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
3)master节点启用 TLS Bootstrapping 机制
当k8s集群工作节点数量较多时,为每个工作节点手动颁发kubelet证书非常不方便,k8s引入了bootstraping引导机制来简化证书颁发流程。
TLS Bootstraping:作用是简化管理员配置kubelet与apiserver双向加密通信的步骤。当master apiserver启用TLS认证后,node节点kubelet和kube-proxy要与kube-apiserver进行通信,必须使用CA签发的有效证书才可以,当Node节点很多时,为组件颁发证书需要大量工作,同样也会增加集群扩展复杂度。为了简化流程,Kubernetes引入了TLS bootstraping机制来自动颁发客户端证书,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。所以强烈建议在Node上使用这种方式,目前主要用于kubelet,kube-proxy还是由我们统一颁发一个证书。
TLS bootstraping 工作流程:
当node节点启动kubelet,会自动加载bootstrap.kubeconfig文件,文件中定义的kubelet-bootstrap用户使用token向apiserver发起CSR证书请求,apiserver会去验证这个token是不是可信任的,是否有权限,ca证书是不是正确的,通过之后才会为其颁发证书,最后kubelet就启动成功了。
创建上述配置文件中token文件
cat > /opt/kubernetes/cfg/token.csv <<EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
# 格式:token,用户名,UID,用户组(系统自带)
4)master节点创建管理kube-apiserver的服务文件
cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
5)master节点启动kube-apiserver并设置开机自启动
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
systemctl status kube-apiserver
4.5 master节点部署kube-controller-manager
1)master节点创建kube-controller-manager配置文件
cat > /opt/kubernetes/cfg/kube-controller-manager.conf <<EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--cluster-signing-duration=87600h0m0s"
EOF
解释:
--kubeconfig:连接apiserver配置文件
--leader-elect:当该组件启动多个时,自动选举(HA)
--cluster-signing-cert-file和--cluster-signing-key-file:自动为controller-manager颁发证书的CA,与apiserver保持一致
2)master节点生成kube-controller-manager证书
cd ~/TLS/k8s
# 创建证书请求文件
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
# 生成证书和私钥
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
3)master节点生成kube-controller-manager加入集群的引导文件
kube-controller-manager.kubeconfig文件用于配置kube-controller-manager与kube-apiserver之间的通信。这个文件保存了关于集群、用户、命名空间和认证的信息,使得kube-controller-manager能够连接到kube-apiserver并执行控制器任务。
# 指定apiserver和连接集群文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.10.131:6443"
# 设置集群
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
# 设置客户端认证
kubectl config set-credentials kube-controller-manager \
--client-certificate=/root/TLS/k8s/kube-controller-manager.pem \
--client-key=/root/TLS/k8s/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
# 设置上下文参数
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-controller-manager \
--kubeconfig=${KUBE_CONFIG}
# 设置默认上下文
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
4)master节点创建管理kube-controller-manager的服务文件
cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
5)master节点启动kube-controller-manager并设置开机自启动
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
systemctl status kube-controller-manager
4.6 master节点部署kube-scheduler
1)master节点创建kube-scheduler配置文件
cat > /opt/kubernetes/cfg/kube-scheduler.conf <<EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect \\
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
EOF
2)master节点生成kube-scheduler证书
# 切换工作目录
cd ~/TLS/k8s
# 创建证书请求文件
cat >kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
# 生成证书和私钥
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
3)master节点生成 kube-scheduler加入集群的引导文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.10.131:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-scheduler \
--client-certificate=/root/TLS/k8s/kube-scheduler.pem \
--client-key=/root/TLS/k8s/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-scheduler \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
4)master节点创建管理kube-scheduler的服务文件
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
5)master节点启动kube-scheduler并设置开机自启动
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
systemctl status kube-scheduler
4.7 master节点查看集群状态
1)master节点生成kubectl证书
cd ~/TLS/k8s
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
# 生成证书和私钥
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2)master节点生成kubectl加入集群的引导文件
config文件是kubectl工具用于访问Kubernetes集群的配置文件。该文件包含了连接到Kubernetes集群所需的认证信息、集群信息和上下文信息。
mkdir /root/.kube
KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://192.168.10.131:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials cluster-admin \
--client-certificate=/root/TLS/k8s/admin.pem \
--client-key=/root/TLS/k8s/admin-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=cluster-admin \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
# 会生成/root/.kube/config文件
3)master节点查看当前节点组件状态
kubectl get cs
# 组件状态全部为Healthy,说明master01节点组件运行正常。
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 ealthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
4.8 master节点授权kubelet-bootstrap用户允许请求证书
# 创建node必备,否则node节点的kubelet服务无法启动,其实就是创建一个可以申请证书的用户
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
4.9 master节点安装kubectl命令补全命令
yum install bash-completion -y
source /usr/share/bash-completion/bash_completion
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc
source ~/.bashrc
五、部署Kubernetes-node组件
5.1 创建工作目录并拷贝二进制文件
1)所有node节点分别创建工作目录
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
2)master节点将文件分别同步到所有node节点
cd /root/kubernetes/server/bin
scp kubelet kube-proxy root@192.168.10.132:/opt/kubernetes/bin/
scp /opt/kubernetes/ssl/ca.pem root@192.168.10.132:/opt/kubernetes/ssl/
scp /usr/bin/kubectl root@192.168.10.132:/usr/bin/kubectl
scp kubelet kube-proxy root@192.168.10.133:/opt/kubernetes/bin/
scp /opt/kubernetes/ssl/ca.pem root@192.168.10.133:/opt/kubernetes/ssl/
scp /usr/bin/kubectl root@192.168.10.133:/usr/bin/kubectl
5.2 node01节点部署kubelet
1)node01节点创建kubelet配置文件
cat > /opt/kubernetes/cfg/kubelet.conf <<EOF
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=k8s-node01 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.2"
EOF
2)node01节点配置kubelet参数文件
cat > /opt/kubernetes/cfg/kubelet-config.yml <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: systemd
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
3)node01节点生成kubelet加入集群的引导文件
当kubelet加入集群时,kubelet 会使用一个预先提供的“bootstrap”证书来向ApiServer 发送一个证书签名请求 (CSR) ,从而自动生成 kubelet 的证书。
KUBE_CONFIG="/opt/kubernetes/cfg/bootstrap.kubeconfig"
KUBE_APISERVER="https://192.168.10.131:6443"
TOKEN="c47ffb939f5ca36231d9e3121a252940" # 与/opt/kubernetes/cfg/token.csv里保持一致
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials "kubelet-bootstrap" \
--token=${TOKEN} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
# 会生成/opt/kubernetes/cfg/bootstrap.kubeconfig文件
4)node01节点创建管理kubelet的服务文件
cat > /usr/lib/systemd/system/kubelet.service <<EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5)node01节点启动kubelet并设置开机启动
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
systemctl status kubelet
5.3 master节点批准node01节点证书申请并加入集群
# 查看kubelet证书请求
kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A 6m3s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending(等待状态)
# 批准申请证书
kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A(对应修改)
# 删除证书请求(省略)
kubectl delete csr node-csr-JsvCE-ElsOTnPRROiBAwopSWiyBnZ1M6cCqr5ut6RkY
# 查看证书详情(省略)
kubectl describe csr node-csr-JsvCE-ElsOTnPRROiBAwopSWiyBnZ1M6cCqr5ut6RkY
# 查看节点信息和状态
kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-node01 NotReady <none> 7s v1.20.15
注意:由于网络插件还没有部署,节点并没有准备就绪,出现 NotReady状态!
5.4 node01节点部署kube-proxy
1)node01节点创建kube-proxy配置文件
cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
2)node01节点配置kube-proxy参数文件
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node01
clusterCIDR: 10.0.0.0/24
EOF
3)master节点生成kube-proxy证书
# 切换工作目录
cd ~/TLS/k8s
# 创建证书请求文件
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
# 生成kube-proxy证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# master节点把证书复制到所有node节点(共2个文件)
scp ~/TLS/k8s/kube-proxy*pem root@192.168.10.132:/opt/kubernetes/ssl
scp ~/TLS/k8s/kube-proxy*pem root@192.168.10.133:/opt/kubernetes/ssl
4)node01节点生成kube-proxy加入集群的引导文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-proxy.kubeconfig"
KUBE_APISERVER="https://192.168.10.131:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
--client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
5)node01节点创建管理kube-proxy的服务文件
cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
6)node01节点启动kube-proxy并设置开机启动
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy
systemctl status kube-proxy
5.5 部署网络组件
Calico是一个纯三层的虚拟网络方案,是目前Kubernetes主流的网络方案。支持 IP 路由和 ACL,可以在大规模的集群中提供高效的网络连接。它利用了Linux内核的IPv4/IPv6路由功能和BGP协议来实现容器间的通信和跨主机网络连接。
1)master节点部署Calico
kubectl apply -f calico.yaml
kubectl get pods -n kube-system
2)master节点查看Node节点状态
kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-node01 Ready <none> 37m v1.20.15
5.6 master节点授权kube-apiserver访问kubelet
在 Kubernetes 集群中,apiserver 需要能够安全地访问各个节点上的 kubelet 服务,以便执行诸如 Pod 管理、日志收集等操作。为了实现这一访问,通常需要使用认证和授权机制。
cd /root
cat > apiserver-to-kubelet-rbac.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
- pods/log
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
kubectl apply -f apiserver-to-kubelet-rbac.yaml
5.7 添加Node02节点
1)node01节点将文件拷贝到新节点node02上
scp -r /opt/kubernetes root@192.168.10.133:/opt/
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.10.133:/usr/lib/systemd/system
2)node02节点删除kubelet证书和kubeconfig文件
rm -f /opt/kubernetes/cfg/kubelet.kubeconfig
rm -f /opt/kubernetes/ssl/kubelet*
# 注意:这几个文件是证书申请审批后自动生成的,每个Node不同,必须删除!
3)node02节点修改配置文件
vim /opt/kubernetes/cfg/kubelet.conf
--hostname-override=k8s-node02
vim /opt/kubernetes/cfg/kube-proxy-config.yml
hostnameOverride: k8s-node02
4)node02节点启动kubelet和kube-proxy并设置开机启动
systemctl daemon-reload
systemctl start kubelet kube-proxy
systemctl enable kubelet kube-proxy
systemctl status kubelet kube-proxy
5)master节点批准node02节点证书申请并加入集群
# 查看证书请求
kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro 89s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
# 授权证书请求
kubectl certificate approve node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro(对应修改)
# 删除证书请求(省略)
kubectl delete csr node-csr-JsvCE-ElsOTnPRROiBAwopSWiyBnZ1M6cCqr5ut6RkY
# 查看证书详情(省略)
kubectl describe csr node-csr-JsvCE-ElsOTnPRROiBAwopSWiyBnZ1M6cCqr5ut6RkY
6)master节点查看Node节点状态
kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-node01 Ready <none> 47m v1.20.15
k8s-node02 Ready <none> 6m49s v1.20.15
# 注意:若node节点状态不是Ready,node节点重新启动kubelet 和kube-proxy 服务。
六、部署Dashboard和CoreDNS
6.1 master节点部署Dashboard
kubectl apply -f kubernetes-dashboard.yaml
kubectl get pods,svc -n kubernetes-dashboard
6.2 master节点创建用户
# 创建dashboard-admin用户
kubectl create serviceaccount dashboard-admin -n kube-system
# 绑定默认cluster-admin管理员集群角色
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin \
--serviceaccount=kube-system:dashboard-admin
# 查看token
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
6.3 登录Dashboard
浏览器输入地址:https://192.168.10.132:30001,则可以访问dashboard。
使用输出的token登录Dashboard。
6.4 master节点部署CoreDNS
CoreDNS是 Kubernetes 集群中用于域名解析DNS的服务。作用是将 Service 名称解析为 clusterIP 地址,从而实现在集群内部进行服务发现和网络通信。
kubectl apply -f coredns.yaml
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5ffbfd976d-j6shb 1/1 Running 0 32s
6.5 master节点DNS解析测试
# 部署busybox服务
kubectl run -it --rm dns-test --image=busybox:1.28.4 sh
# 测试DNS解析
/ # nslookup kubernetes
Server: 10.0.0.2
Address 1: 10.0.0.2 kube-dns.kube-system.svc.cluster.local
Name: kubernetes
Address 1: 10.0.0.1 kubernetes.default.svc.cluster.local
到此,一个简单的kubernetes集群就搭建完成了!这个环境就足以满足工作了,如果你的服务器配置较高,可继续扩容多master集群!
总结:整理不易,如果对你有帮助,请记得点赞,关注,收藏。更多kubernetes相关知识持续分享中。
扫一扫
1538
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
