k8s binary deployment (Part 1)

ming-1, posted 2021/01/26 21:50:51

Lab environment:

Three CentOS 7 servers

Set the hostnames as follows:

10.107.141.50     k8s-master01

10.107.141.51     k8s-node01

10.107.141.52     k8s-node02


Prepare the environment (same configuration on all three hosts):

##Install docker
yum install yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce-18.03.0.ce
service docker start
docker -v

##Configure a registry mirror
vi /etc/docker/daemon.json
{
 "registry-mirrors": ["https://m3dz4myl.mirror.aliyuncs.com"]
}
systemctl restart docker
docker info

##Disable the firewall
systemctl stop firewalld
systemctl disable firewalld

##Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0

##Disable the swap partition
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab

##Synchronize the clock
yum install ntpdate -y
ntpdate time.izatcloud.net
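The preparation steps above are run once per host and never verified, and some of them are fragile: the SELinux sed only rewrites "enforcing", so a host that was in permissive mode keeps SELinux on, and a swap line in /etc/fstab that escaped the second sed brings swap back after a reboot. As an added example, not part of the post, the plain sh script below checks that each step actually took effect before continuing with cfssl and etcd. The file paths are the CentOS 7 defaults; every check takes the file it inspects as an argument so it can be run against sample files, and the systemd checks are skipped where systemctl is not present.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight checks for the preparation
# steps. Each check takes the file it inspects as an argument.

# No active swap device: /proc/swaps then contains only its header line.
swap_is_off() {            # $1 = /proc/swaps
  ! sed 1d "$1" | grep -q .
}

# No uncommented swap entry in fstab, so swap stays off across reboots
# (this is what the post's "sed -ri 's/.*swap.*/#&/'" is meant to achieve).
fstab_swap_disabled() {    # $1 = /etc/fstab
  ! grep -v '^[[:space:]]*#' "$1" | grep -q 'swap'
}

# SELinux persistently disabled. The post's sed only rewrites "enforcing",
# so a host that was in permissive mode is left unchanged; this catches it.
selinux_config_disabled() {   # $1 = /etc/selinux/config
  grep -q '^SELINUX=disabled$' "$1"
}

# daemon.json names at least one registry mirror with an http(s) URL.
daemon_json_has_mirror() {    # $1 = /etc/docker/daemon.json
  grep -Eq '"registry-mirrors"[[:space:]]*:[[:space:]]*\[[[:space:]]*"https?://' "$1"
}

# A systemd unit is not running (used for firewalld).
service_inactive() {          # $1 = unit name
  ! systemctl is-active --quiet "$1"
}

# run_preflight: runs every check against the real paths; returns 1 if any failed.
run_preflight() {
  rc=0
  swap_is_off /proc/swaps                        || { echo "FAIL: swap is still active" >&2; rc=1; }
  fstab_swap_disabled /etc/fstab                 || { echo "FAIL: swap entry left in /etc/fstab" >&2; rc=1; }
  selinux_config_disabled /etc/selinux/config    || { echo "FAIL: SELINUX is not disabled in config" >&2; rc=1; }
  daemon_json_has_mirror /etc/docker/daemon.json || { echo "FAIL: no registry mirror in daemon.json" >&2; rc=1; }
  if command -v systemctl >/dev/null 2>&1; then
    service_inactive firewalld          || { echo "FAIL: firewalld is still running" >&2; rc=1; }
    systemctl is-active --quiet docker  || { echo "FAIL: docker is not running" >&2; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "preflight OK"
  return "$rc"
}

# Stand-alone use on a prepared host: sh preflight.sh run
[ "${1:-}" = "run" ] && run_preflight
```

Run it on each host after the steps above (`sh preflight.sh run`); a non-zero exit names the step that did not take effect.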



Prepare a self-signed CA certificate

##Script that downloads cfssl

cat > cfssl.sh << EOF
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
EOF

##Install cfssl
bash cfssl.sh

##Create the required directories
mkdir /opt/k8s/{etcd-cert,k8s-cert} -p
cd /opt/k8s/etcd-cert

##Prepare the CA configuration file and the CA certificate request file

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

##Initialize the CA with gencert -initca and save the output with cfssljson
##This generates three files: the private key ca-key.pem, the certificate request ca.csr, and the CA certificate ca.pem (which carries the public key)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -


Use the self-signed CA to issue the etcd HTTPS certificate

##Create the certificate request file

cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "10.107.141.50",
    "10.107.141.51",
    "10.107.141.52"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

##Then sign the server certificate with the CA generated above
##This generates three files: the certificate request server.csr, the public-key certificate server.pem, and the private key server-key.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

Install etcd

Download URL:

https://github.com/etcd-io/etcd/releases/tag/v3.3.0

##Extract the archive into the target directory
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar -zxvf etcd-v3.3.0-linux-amd64.tar.gz
mv etcd-v3.3.0-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

##Create the etcd configuration file
##Same on all three hosts, but change the IP addresses and ETCD_NAME on each

cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.107.141.50:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.107.141.50:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.107.141.50:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.107.141.50:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://10.107.141.50:2380,etcd-2=https://10.107.141.51:2380,etcd-3=https://10.107.141.52:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ENABLE_V2="true"
EOF

##Create a service file so that systemd manages etcd
##Identical on all three hosts

cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --peer-cert-file=/opt/etcd/ssl/server.pem --peer-key-file=/opt/etcd/ssl/server-key.pem --trusted-ca-file=/opt/etcd/ssl/ca.pem --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF

##Copy the certificates into the etcd directory
cp /opt/k8s/etcd-cert/{server.pem,server-key.pem,ca.pem} /opt/etcd/ssl/

##Copy the directory to the other two hosts (then edit the IP addresses and ETCD_NAME in etcd.conf on each, as noted above)
scp -r /opt/etcd/ root@10.107.141.51:/opt/
scp -r /opt/etcd/ root@10.107.141.52:/opt/
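The post copies one etcd.conf to all three hosts and relies on the reader to edit ETCD_NAME and the IP addresses by hand on each; an unedited copy makes the second member try to join as etcd-1 on the wrong address and the cluster never forms. The script below is an added example, not from the post, that renders each member's etcd.conf from a single membership list and checks a conf (optionally against the host's own IP) before etcd is started with it. It assumes the post's member names, IPs, ports and /opt/etcd layout; the file names under rendered/ are my choice.

```shell
#!/bin/sh
# Added example (not from the post): render one etcd.conf per member and
# check a conf before etcd is started with it.

# name=ip pairs, in the order used by ETCD_INITIAL_CLUSTER in the post.
ETCD_MEMBERS="etcd-1=10.107.141.50 etcd-2=10.107.141.51 etcd-3=10.107.141.52"

# initial_cluster -> "etcd-1=https://10.107.141.50:2380,etcd-2=...,etcd-3=..."
initial_cluster() {
  out=""
  for mem in $ETCD_MEMBERS; do
    out="${out:+$out,}${mem%%=*}=https://${mem#*=}:2380"
  done
  printf '%s\n' "$out"
}

# render_etcd_conf NAME IP -> that member's etcd.conf on stdout, with the
# same keys and values as the post's file.
render_etcd_conf() {
  name=$1; ip=$2
  cat <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_ENABLE_V2="true"
EOF
}

# conf_value FILE KEY -> the value between the quotes of KEY="..."
conf_value() {
  sed -n 's/^'"$2"'="\(.*\)"$/\1/p' "$1"
}

# check_etcd_conf FILE [HOST_IP]
# 0 when the member's own name and peer URL appear as a pair inside
# ETCD_INITIAL_CLUSTER, the listen and advertise peer URLs agree, and
# (if HOST_IP is given) the peer URL is this host's address; 1 otherwise.
check_etcd_conf() {
  f=$1; host=${2:-}
  name=$(conf_value "$f" ETCD_NAME)
  peer=$(conf_value "$f" ETCD_INITIAL_ADVERTISE_PEER_URLS)
  listen=$(conf_value "$f" ETCD_LISTEN_PEER_URLS)
  cluster=$(conf_value "$f" ETCD_INITIAL_CLUSTER)
  if [ "$peer" != "$listen" ]; then
    echo "FAIL $f: advertised peer URL $peer differs from listen URL $listen" >&2; return 1
  fi
  if [ -n "$host" ] && [ "$peer" != "https://$host:2380" ]; then
    echo "FAIL $f: peer URL $peer is not this host ($host); file copied without editing?" >&2; return 1
  fi
  case ",$cluster," in
    *",$name=$peer,"*) echo "OK $f: $name advertises $peer"; return 0 ;;
  esac
  echo "FAIL $f: $name=$peer is not listed in ETCD_INITIAL_CLUSTER=$cluster" >&2
  return 1
}

# Stand-alone: sh render-etcd-conf.sh render
# writes rendered/etcd-1.conf, etcd-2.conf, etcd-3.conf and checks each.
if [ "${1:-}" = "render" ]; then
  mkdir -p rendered
  for m in $ETCD_MEMBERS; do
    render_etcd_conf "${m%%=*}" "${m#*=}" > "rendered/${m%%=*}.conf"
    check_etcd_conf "rendered/${m%%=*}.conf"
  done
fi
```

Copy each rendered file to /opt/etcd/cfg/etcd.conf on its own host, then run `check_etcd_conf /opt/etcd/cfg/etcd.conf "$(hostname -I | awk '{print $1}')"` there before `systemctl start etcd`. The http://127.0.0.1:2379 listener is reproduced exactly as the post has it; it carries no TLS, so any process on the node can talk to etcd through it without a client certificate.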

##Start etcd
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd

##Check that etcd started and the cluster is healthy
/opt/etcd/bin/etcdctl --ca-file=/opt/etcd/ssl/ca.pem --cert-file=/opt/etcd/ssl/server.pem --key-file=/opt/etcd/ssl/server-key.pem --endpoints="https://10.107.141.50:2379,https://10.107.141.51:2379,https://10.107.141.52:2379" cluster-health

##If startup fails, check the system log
tail -f /var/log/messages

[Copyright notice] This article is original content by a Huawei Cloud community user. When reposting, the source (Huawei Cloud community), the article link and the author must be cited; otherwise the author and the community reserve the right to pursue liability. If you find suspected plagiarism in this community, please report it by e-mail with supporting evidence to cloudbbs@huaweicloud.com; once verified, the community will remove the infringing content.