Kubernetes单Master集群二进制部署
服务器信息
| ip | 主机名 | 版本 | cpu | 内存 |
|---|---|---|---|---|
| 192.168.1.151 | k8s-node-151 | centos7 | 4 | 8 |
| 192.168.1.152 | k8s-node-152 | centos7 | 4 | 8 |
| 192.168.1.153 | k8s-node-153 | centos7 | 4 | 8 |
k8s版本
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.10", GitCommit:"8152330a2b6ca3621196e62966ef761b8f5a61bb", GitTreeState:"clean", BuildDate:"2021-08-11T18:06:15Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.10", GitCommit:"8152330a2b6ca3621196e62966ef761b8f5a61bb", GitTreeState:"clean", BuildDate:"2021-08-11T18:00:37Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
系统配置
- 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
- 关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0
- 关闭swap分区
swapoff -a # 临时关闭
vim /etc/fstab # 注释到swap那一行 永久关闭
- 添加主机对应关系
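# Append the cluster hosts. 192.168.1.151 is named k8s-node-151 so that the
# hosts entry agrees with the server table, the etcd certificate SANs and the
# kubelet --hostname-override, which all use that name.
# Quoted delimiter: the entries are written verbatim, with no expansion.
cat >> /etc/hosts <<'EOF'
192.168.1.151 k8s-node-151
192.168.1.152 k8s-node-152
192.168.1.153 k8s-node-153
EOF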
- 将桥接的IPv4流量传递到iptables的链
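# Enable IP forwarding and bridged-traffic filtering for the pod network.
# The net.bridge.* keys only exist once br_netfilter is loaded, so load it
# first (and persist it across reboots); otherwise sysctl --system reports
# those keys as unknown and the bridge settings are silently skipped.
modprobe br_netfilter
printf '%s\n' br_netfilter > /etc/modules-load.d/br_netfilter.conf
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.ipv4.tcp_tw_recycle = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system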
- 时间同步
- 下载生成证书工具
# cfssl/cfssljson are fetched as bare binaries with no integrity check.
# Compare the downloaded files against the checksums published for the R1.2
# release (<expected sha256 from the release page>) before marking them
# executable; these tools sign every certificate the cluster will trust.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
Docker 安装
- 安装依赖
yum install -y yum-utils device-mapper-persistent-data lvm2
- 获取源
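# Fetch the Docker CE repo definition over TLS. The repo file decides the
# package sources and the gpgcheck policy, so it should not arrive over
# plain HTTP where it could be altered in transit.
yum-config-manager \
  --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo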
- 安装docker
yum install docker-ce
- 配置cgroup驱动
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://01xxgaft.mirror.aliyuncs.com"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}
systemctl daemon-reload
- 配置docker开机自启
systemctl start docker
systemctl enable docker
etcd安装
自签CA证书
- 创建生成etcd证书工作目录
mkdir /opt/etcd/tls -p
cd /opt/etcd/tls
- 生成自签CA配置ca-config.json
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
- 生成自签CA配置ca-csr.json
cat > ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "YuMingYu",
"ST": "YuMingYu"
}
]
}
EOF
- 生成自签CA证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
签发etcd证书
cd /opt/etcd/tls
- 创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1", "localhost",
"192.168.1.151", "k8s-node-151",
"192.168.1.152", "k8s-node-152",
"192.168.1.153", "k8s-node-153"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "YuMingYu",
"ST": "YuMingYu"
}
]
}
EOF
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
安装
- 创建工作目录
mkdir /opt/etcd/{bin,conf,data} -p
- 下载并解压二进制包
cd /opt/etcd/
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
tar -xf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
- 创建etcd配置文件
cat > /opt/etcd/conf/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/opt/etcd/data/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.1.151:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.151:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.151:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.151:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.151:2380,etcd-2=https://192.168.1.152:2380,etcd-3=https://192.168.1.153:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
- 创建systemd配置文件
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/tls/server.pem \
--key-file=/opt/etcd/tls/server-key.pem \
--peer-cert-file=/opt/etcd/tls/server.pem \
--peer-key-file=/opt/etcd/tls/server-key.pem \
--trusted-ca-file=/opt/etcd/tls/ca.pem \
--peer-trusted-ca-file=/opt/etcd/tls/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
- 将已配置好的文件转发到其他节点上
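# Push the etcd binaries, config, certificates and unit file to the other
# members. Only the files a member needs are copied: the CA private key
# (ca-key.pem) stays on the signing host, and the downloaded tarball and the
# extracted directory under /opt/etcd are not shipped.
for i in 192.168.1.15{2..3}; do
  ssh "$i" 'mkdir -p /opt/etcd/{bin,conf,data,tls}'
  scp /opt/etcd/bin/{etcd,etcdctl} "$i:/opt/etcd/bin/"
  scp /opt/etcd/conf/etcd.conf "$i:/opt/etcd/conf/"
  scp /opt/etcd/tls/{ca.pem,server.pem,server-key.pem} "$i:/opt/etcd/tls/"
  scp /usr/lib/systemd/system/etcd.service "$i:/usr/lib/systemd/system/"
done
# On k8s-node-152 and k8s-node-153, edit ETCD_NAME and the listen/advertise
# IPs in etcd.conf to the member's own name and address.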
- 启动etcd并设置开机自启
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
- 验证
/opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/tls/ca.pem \
--cert=/opt/etcd/tls/server.pem \
--key=/opt/etcd/tls/server-key.pem \
--endpoints="https://192.168.1.151:2379,https://192.168.1.152:2379,https://192.168.1.153:2379" \
endpoint health --write-out=table
master节点安装
环境准备
- 创建相关文件夹
mkdir /opt/k8s/{bin,conf,logs,tls} -p
cd /opt/k8s/
- 下载安装包
wget https://dl.k8s.io/v1.20.10/kubernetes-server-linux-amd64.tar.gz
tar xf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
- 拷贝命令
cp kube-apiserver kube-scheduler kube-controller-manager /opt/k8s/bin
cp kubectl /usr/local/bin/
自签CA证书
- 生成自签CA配置ca-config.json
cd /opt/k8s/tls
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
- 生成自签CA配置ca-csr.json
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成自签CA证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
kube-apiserver安装
- 创建证书申请文件
cd /opt/k8s/tls
cat > server-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1", "127.0.0.1",
"192.168.1.151", "192.168.1.152","192.168.1.153",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
- 创建kube-apiserver配置文件
cd /opt/k8s/conf
# kube-apiserver options. Review notes on the flags below:
# - Service-account tokens: --service-account-key-file (verification) is
#   ca-key.pem while --service-account-signing-key-file (TokenRequest
#   issuance) is server-key.pem. Tokens issued through TokenRequest would
#   presumably be rejected by a verifier that only knows ca-key.pem — confirm
#   on v1.20; the key-file flag can be repeated, so passing server-key.pem
#   there as well covers both. Reusing the CA private key as the
#   service-account key also gives it a second role; a dedicated
#   service-account key pair keeps the CA key out of token handling.
# - --kubelet-certificate-authority is not set, so TLS from the apiserver to
#   the kubelets on 10250 is not verified against a CA.
# - --audit-log-path is set but no --audit-policy-file is given; per the
#   upstream auditing docs no events are logged without a policy — confirm.
# - --token-auth-file is a static token list read once at startup.
# - This heredoc is unquoted, so each trailing "\" + newline is removed by
#   the shell and the options land on a single line, which the binary
#   accepts; escaping them as "\\" would keep the file multi-line.
cat > kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/k8s/logs \
--etcd-servers=https://192.168.1.151:2379,https://192.168.1.152:2379,https://192.168.1.153:2379 \
--bind-address=192.168.1.151 \
--secure-port=6443 \
--advertise-address=192.168.1.151 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/k8s/conf/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/k8s/tls/server.pem \
--kubelet-client-key=/opt/k8s/tls/server-key.pem \
--tls-cert-file=/opt/k8s/tls/server.pem \
--tls-private-key-file=/opt/k8s/tls/server-key.pem \
--client-ca-file=/opt/k8s/tls/ca.pem \
--service-account-key-file=/opt/k8s/tls/ca-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--service-account-signing-key-file=/opt/k8s/tls/server-key.pem \
--etcd-cafile=/opt/etcd/tls/ca.pem \
--etcd-certfile=/opt/etcd/tls/server.pem \
--etcd-keyfile=/opt/etcd/tls/server-key.pem \
--requestheader-client-ca-file=/opt/k8s/tls/ca.pem \
--proxy-client-cert-file=/opt/k8s/tls/server.pem \
--proxy-client-key-file=/opt/k8s/tls/server-key.pem \
--requestheader-allowed-names=kubernetes \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/k8s/logs/k8s-audit.log"
EOF
- 创建 TLS bootstrapping token文件
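# Static token file for kubelet TLS bootstrapping: token,user,uid,group.
# The token is a shared secret that lets a holder register as a node
# bootstrapper; generate a fresh one per cluster, e.g.
#   head -c 16 /dev/urandom | od -An -t x | tr -d ' '
# and use the same value when building bootstrap.kubeconfig. The file is
# restricted to root because the apiserver reads it as a credential store.
cat > /opt/k8s/conf/token.csv << EOF
d19c0c66121edc24d0fd2b831f092c40,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
chmod 600 /opt/k8s/conf/token.csv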
- 创建systemd配置文件
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/k8s/conf/kube-apiserver.conf
ExecStart=/opt/k8s/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
- 启动并设置开机启动
systemctl start kube-apiserver
systemctl enable kube-apiserver
kube-controller-manager安装
- 创建证书请求文件
cd /opt/k8s/tls
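# Client certificate request for the controller manager. The CN maps to the
# built-in system:kube-controller-manager ClusterRoleBinding, which already
# grants what the component needs. O is deliberately not system:masters:
# the bootstrap RBAC policy binds that group to cluster-admin, which would
# turn this component's key file into a cluster-wide admin credential.
cat > kube-controller-manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF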
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
- 生成kubeconfig文件
KUBE_CONFIG="/opt/k8s/conf/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.1.151:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/tls/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-controller-manager \
--client-certificate=/opt/k8s/tls/kube-controller-manager.pem \
--client-key=/opt/k8s/tls/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-controller-manager \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
- 创建kube-controller-manager配置文件
cd /opt/k8s/conf/
cat > kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/k8s/logs \
--leader-elect=true \
--kubeconfig=/opt/k8s/conf/kube-controller-manager.kubeconfig \
--bind-address=192.168.1.151 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/k8s/tls/ca.pem \
--cluster-signing-key-file=/opt/k8s/tls/ca-key.pem \
--root-ca-file=/opt/k8s/tls/ca.pem \
--service-account-private-key-file=/opt/k8s/tls/ca-key.pem \
--cluster-signing-duration=87600h0m0s"
EOF
- 创建systemd配置文件
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/k8s/conf/kube-controller-manager.conf
ExecStart=/opt/k8s/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
- 启动并设置开机启动
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
kube-scheduler安装
- 创建证书请求文件
cd /opt/k8s/tls
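# Client certificate request for the scheduler. The CN maps to the built-in
# system:kube-scheduler ClusterRoleBinding, which already grants what the
# component needs. O is deliberately not system:masters: the bootstrap RBAC
# policy binds that group to cluster-admin, which would turn this
# component's key file into a cluster-wide admin credential.
cat > kube-scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF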
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
- 生成kubeconfig文件
KUBE_CONFIG="/opt/k8s/conf/kube-scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.1.151:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/tls/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-scheduler \
--client-certificate=/opt/k8s/tls/kube-scheduler.pem \
--client-key=/opt/k8s/tls/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-scheduler \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
- 创建kube-scheduler配置文件
cd /opt/k8s/conf/
cat > kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/k8s/logs \
--leader-elect \
--kubeconfig=/opt/k8s/conf/kube-scheduler.kubeconfig \
--bind-address=192.168.1.151"
EOF
- 创建systemd配置文件
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/k8s/conf/kube-scheduler.conf
ExecStart=/opt/k8s/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
- 启动并设置开机启动
systemctl start kube-scheduler
systemctl enable kube-scheduler
验证主节点
验证命令:kubectl get cs
需要按以下内容创建配置
- 创建证书请求文件
cd /opt/k8s/tls
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
- 生成kubeconfig文件
mkdir /root/.kube
KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://192.168.1.151:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/tls/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials cluster-admin \
--client-certificate=/opt/k8s/tls/admin.pem \
--client-key=/opt/k8s/tls/admin-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=cluster-admin \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
node节点部署
- 创建相关文件夹
mkdir /opt/k8s/{bin,conf,logs,tls} -p
cd /opt/k8s/
- 下载安装包
wget https://dl.k8s.io/v1.20.10/kubernetes-server-linux-amd64.tar.gz
tar xf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
- 拷贝命令
cp kubelet kube-proxy /opt/k8s/bin
kubelet安装
- 创建配置文件
cd /opt/k8s/conf
cat > kubelet.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/k8s/logs \\
--hostname-override=k8s-node-151 \\
--network-plugin=cni \\
--kubeconfig=/opt/k8s/conf/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/k8s/conf/bootstrap.kubeconfig \\
--config=/opt/k8s/conf/kubelet-config.yml \\
--cert-dir=/opt/k8s/tls \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
- 创建配置yaml文件
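# Kubelet configuration (YAML, so indentation is significant).
# readOnlyPort is 0: the read-only port serves pod and node details with no
# authentication, and nothing in this deployment reads it. Anonymous access
# is disabled and authorization is delegated to the apiserver webhook.
cat > kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 0
cgroupDriver: cgroupfs
clusterDNS:
  - 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/k8s/tls/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF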
- 创建kubeconfig文件
KUBE_CONFIG="/opt/k8s/conf/bootstrap.kubeconfig"
# apiserver IP:PORT
KUBE_APISERVER="https://192.168.1.151:6443"
# 与token.csv里保持一致 /opt/k8s/conf/token.csv
TOKEN="d19c0c66121edc24d0fd2b831f092c40"
# 生成 kubelet bootstrap kubeconfig 配置文件
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/tls/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials "kubelet-bootstrap" \
--token=${TOKEN} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
- 创建systemd配置文件
cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/k8s/conf/kubelet.conf
ExecStart=/opt/k8s/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
- 升级systemd
yum -y upgrade systemd
- 启动并设置开机启动
systemctl start kubelet
systemctl enable kubelet
- 主节点允许kubelet证书申请并加入集群
#查看kubelet证书请求
kubectl get csr
#允许kubelet节点申请
kubectl certificate approve [csr name]
- 授权apiserver访问kubelet
cd /opt/k8s/conf
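# Grants the apiserver's kubelet-client identity (User "kubernetes", the CN
# of server.pem) access to the listed node and pod sub-resources, which the
# kubelet's webhook authorizer checks against the apiserver.
# YAML is indentation-sensitive; the nesting below is required for kubectl
# to parse the rules and subjects.
cat > apiserver-to-kubelet-rbac.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kube-apiserver-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
      - pods/log
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kube-apiserver
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kube-apiserver-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubernetes
EOF
kubectl apply -f apiserver-to-kubelet-rbac.yaml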
kube-proxy安装
- 创建证书请求文件
cd /opt/k8s/tls
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
- 生成kubeconfig文件
KUBE_CONFIG="/opt/k8s/conf/kube-proxy.kubeconfig"
KUBE_APISERVER="https://192.168.1.151:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/tls/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-proxy \
--client-certificate=/opt/k8s/tls/kube-proxy.pem \
--client-key=/opt/k8s/tls/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
- 创建配置文件
cd /opt/k8s/conf
cat > kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/k8s/logs \\
--config=/opt/k8s/conf/kube-proxy-config.yml"
EOF
- 创建参数配置yaml文件
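# kube-proxy configuration (YAML; clientConnection.kubeconfig must be nested).
# metricsBindAddress 0.0.0.0:10249 serves /metrics on every interface without
# authentication; bind it to 127.0.0.1 if nothing external scrapes it.
cat > kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/k8s/conf/kube-proxy.kubeconfig
hostnameOverride: k8s-node-151
clusterCIDR: 10.244.0.0/16
EOF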
- 创建systemd管理文件
cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/k8s/conf/kube-proxy.conf
ExecStart=/opt/k8s/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
- 启动并设置开机自启
systemctl start kube-proxy
systemctl enable kube-proxy
Calico插件安装
- 获取calico.yaml
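mkdir /opt/k8s/addons
cd /opt/k8s/addons
# The manifest is applied with cluster-admin rights and creates privileged
# DaemonSets, so fetch it over TLS rather than plain HTTP and review it
# before applying.
wget https://docs.projectcalico.org/v3.20/manifests/calico.yaml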
- 创建 calico
kubectl apply -f calico.yaml
Dashboard插件安装
- 获取dashboard.yaml
cd /opt/k8s/kubernetes/
mkdir src
tar xf kubernetes-src.tar.gz -C src
cp /opt/k8s/kubernetes/src/cluster/addons/dashboard/dashboard.yaml /opt/k8s/addons
cd /opt/k8s/addons
- 修改service kubernetes-dashboard 外网可访问
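---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      # --- added: fixed NodePort so the dashboard is reachable on every node ---
      nodePort: 32000
  # --- added ---
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard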
- 配置账号
# 新增以下内容
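---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: dashboard-admin
  namespace: kubernetes-dashboard
---
# Binds the dashboard's service account to cluster-admin: whoever logs in
# with this account's token has full control of the cluster, and the
# dashboard Service is exposed on every node at NodePort 32000. Scope the
# role down (or a narrower ClusterRole) for anything beyond a lab cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-admin-cluster-role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: dashboard-admin
    namespace: kubernetes-dashboard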
- 创建 dashboard
kubectl apply -f dashboard.yaml
CoreDNS插件安装
- 获取coredns.yaml
cp /opt/k8s/kubernetes/src/cluster/addons/dns/coredns/coredns.yaml.base /opt/k8s/addons/coredns.yaml
cd /opt/k8s/addons
- 修改配置
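# Fill in the template placeholders of coredns.yaml.base.
sed -i 's/__DNS__DOMAIN__/cluster.local/g' coredns.yaml
sed -i 's/__DNS__MEMORY__LIMIT__/256Mi/g' coredns.yaml # adjust to the node's resources
sed -i 's/__DNS__SERVER__/10.0.0.2/g' coredns.yaml
# Image mirror: the replacement host must be the full name
# registry.aliyuncs.com; a truncated host name leaves the CoreDNS
# Deployment unable to pull its image.
sed -i 's#k8s.gcr.io/coredns#registry.aliyuncs.com/google_containers/coredns#g' coredns.yaml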
- 创建 coredns
kubectl apply -f coredns.yaml
