当前位置 博文首页 > 七月流星雨:二进制方法-部署k8s集群部署1.18版本
目前生产部署Kubernetes集群主要有两种方式
kuberadm
Kubeadm是一个K8s部署工具,提供kubeadm init和kubeadm join,用于快速部署Kubernetes集群。
二进制包
从github下载发行版的二进制包,手动部署每个组件,组成Kubernetes集群。
Kubeadm降低部署门槛,但屏蔽了很多细节,遇到问题很难排查。如果想更容易可控,推荐使用二进制包部署Kubernetes集群,虽然手动部署麻烦点,期间可以学习很多工作原理,也利于后期维护。
软件 | 版本 |
---|---|
操作系统 | CentOS7.8_x64 (mini) |
Docker | 19-ce |
Kubernetes | 1.18 |
角色 | IP | 组件 |
---|---|---|
k8s-master | 192.168.0.201 | kube-apiserver,kube-controller-manager,kube-scheduler,etcd |
k8s-node1 | 192.168.0.202 | kubelet,kube-proxy,docker etcd |
k8s-node2 | 192.168.0.203 | kubelet,kube-proxy,docker,etcd |
# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
# 关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久
setenforce 0 # 临时
# 关闭swap
swapoff -a # 临时
sed -ri 's/.*swap.*/#&/' /etc/fstab # 永久
# 根据规划设置主机名
hostnamectl set-hostname <hostname>
# 在master添加hosts
cat >> /etc/hosts << EOF
192.168.0.201 k8s-master
192.168.0.202 k8s-node1
192.168.0.203 k8s-node2
EOF
# 将桥接的IPv4流量传递到iptables的链
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system # 生效
# 时间同步
yum install ntpdate -y
ntpdate time.windows.com
Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储,所以先准备一个Etcd数据库,为解决Etcd单点故障,应采用集群方式部署,这里使用3台组建集群,可容忍1台机器故障,当然,你也可以使用5台组建集群,可容忍2台机器故障。
节点名称 | IP |
---|---|
etcd-1 | 192.168.0.201 |
etcd-2 | 192.168.0.202 |
etcd-3 | 192.168.0.203 |
注:为了节省机器,这里与K8s节点机器复用。也可以独立于k8s集群之外部署,只要apiserver能连接到就行。
cfssl是一个开源的证书管理工具,使用json文件生成证书,相比openssl更方便使用。
找任意一台服务器操作,这里用Master节点
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
[root@k8s-master ~]# mkdir -p ~/cfssl/
[root@k8s-master ~]# cd cfssl/
[root@k8s-master cfssl]# pwd
/root/cfssl
[root@k8s-master cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@k8s-master cfssl]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@k8s-master cfssl]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@k8s-master cfssl]# chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
[root@k8s-master cfssl]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@k8s-master cfssl]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@k8s-master cfssl]# mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
[root@k8s-master ~]# mkdir -p ~/TLS/{etcd,k8s}
[root@k8s-master ~]# cd /root/TLS/etcd/
执行json格式配置
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
[root@k8s-master etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/11/17 20:53:48 [INFO] generating a new CA key and certificate from CSR
2020/11/17 20:53:48 [INFO] generate received request
2020/11/17 20:53:48 [INFO] received CSR
2020/11/17 20:53:48 [INFO] generating key: rsa-2048
2020/11/17 20:53:48 [INFO] encoded CSR
2020/11/17 20:53:48 [INFO] signed certificate with serial number 101950529088026535677297860863057856432140076739
[root@k8s-master etcd]# ls *pem
ca-key.pem ca.pem
创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"192.168.0.201",
"192.168.0.202",
"192.168.0.203"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
执行配置文件
[root@k8s-master etcd]# cat > server-csr.json << EOF
> {
> "CN": "etcd",
> "hosts": [
> "192.168.0.201",
> "192.168.0.202",
> "192.168.0.203"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing"
> }
> ]
> }
> EOF
注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
[root@k8s-master etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2020/11/17 21:03:05 [INFO] generate received request
2020/11/17 21:03:05 [INFO] received CSR
2020/11/17 21:03:05 [INFO] generating key: rsa-2048
2020/11/17 21:03:05 [INFO] encoded CSR
2020/11/17 21:03:05 [INFO] signed certificate with serial number 134705649830183343899987337527377566420156796503
2020/11/17 21:03:05 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master etcd]# ls server*pem
server-key.pem server.pem
[root@k8s-master etcd]# mkdir -p ~/tools
[root@k8s-master etcd]# cd /root/tools/
[root@k8s-master tools]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
[root@k8s-master tools]# ll
总用量 16960
-rw-r--r--. 1 root root 17364053 11月 17 21:09 etcd-v3.4.9-linux-amd64.tar.gz
以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3.
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
执行上面命令工作目录
[root@k8s-master etcd]# cd /root/tools/
[root@k8s-master tools]# ll
总用量 16960
-rw-r--r--. 1 root root 17364053 11月 17 21:09 etcd-v3.4.9-linux-amd64.tar.gz
[root@k8s-master tools]# tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
[root@k8s-master tools]# mv etcd-v3.4.9-linux-amd64/etcd /opt/etcd/bin/
[root@k8s-master tools]# mv etcd-v3.4.9-linux-amd64/etcdctl /opt/etcd/bin/
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.0.201:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.201:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.201:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.201:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.201:2380,etcd-2=https://192.168.0.202:2380,etcd-3=https://192.168.0.203:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
ETCD_NAME:节点名称,集群中唯一
ETCD_DATA_DIR:数据目录
ETCD_LISTEN_PEER_URLS:集群通信监听地址
ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
ETCD_INITIAL_CLUSTER:集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN:集群Token
ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
服务器执行配置
[root@k8s-master ~]# cat > /opt/etcd/cfg/etcd.conf << EOF
> #[Member]
> ETCD_NAME="etcd-1"
> ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
> ETCD_LISTEN_PEER_URLS="https://192.168.0.201:2380"
> ETCD_LISTEN_CLIENT_URLS="https://192.168.0.201:2379"
> #[Clustering]
> ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.201:2380"
> ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.201:2379"
> ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.201:2380,etcd-2=https://192.168.0.202:2380,etcd-3=https://192.168.0.203:2380"
> ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
> ETCD_INITIAL_CLUSTER_STATE="new"
> EOF
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
服务器执行配置
[root@k8s-master ~]# cat > /usr/lib/systemd/system/etcd.service << EOF
> [Unit]
> Description=Etcd Server
> After=network.target
> After=network-online.target
> Wants=network-online.target
> [Service]
> Type=notify
> EnvironmentFile=/opt/etcd/cfg/etcd.conf
> ExecStart=/opt/etcd/bin/etcd \
> --cert-file=/opt/etcd/ssl/server.pem \
> --key-file=/opt/etcd/ssl/server-key.pem \
> --peer-cert-file=/opt/etcd/ssl/server.pem \
> --peer-key-file=/opt/etcd/ssl/server-key.pem \
> --trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
> --logger=zap
> Restart=on-failure
> LimitNOFILE=65536
> [Install]
> WantedBy=multi-user.target
> EOF
拷贝ca证书和etcd证书
[root@k8s-master ~]# cp ~/TLS/etcd/ca*pem /opt/etcd/ssl/
[root@k8s-master ~]# cp -a ~/TLS/etcd/server*pem /opt/etcd/ssl/
[root@k8s-master ~]# ll /opt/etcd/ssl/
总用量 16
-rw-------. 1 root root 1675 11月 19 14:53 ca-key.pem
-rw-r--r--. 1 root root 1265 11月 19 14:53 ca.pem
-rw-------. 1 root root 1675 11月 17 21:03 server-key.pem
-rw-r--r--. 1 root root 1338 11月 17 21:03 server.pem
[root@k8s-master ~]# scp -r /opt/etcd/ root@192.168.0.202:/opt
[root@k8s-master ~]# scp -r /usr/lib/systemd/system/etcd.service root@192.168.0.202:/usr/lib/systemd/system/
[root@k8s-master ~]# scp -r /opt/etcd/ root@192.168.0.203:/opt
[root@k8s-master ~]# scp -r /usr/lib/systemd/system/etcd.service root@192.168.0.203:/usr/lib/systemd/system/
[root@k8s-node1 ~]# vim /opt/etcd/cfg/etcd.conf
[root@k8s-node1 ~]# cat /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-2" # 修改此处,节点2改为etcd-2,节点3改为etcd-3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.0.202:2380" # 修改此处为当前服务器IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.202:2379" # 修改此处为当前服务器IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.202:2380" # 修改此处为当前服务器IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.202:2379" # 修改此处为当前服务器IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.201:2380,etcd-2=https://192.168.0.202:2380,etcd-3=https://192.168.0.203:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
[root@k8s-node2 ~]# vim /opt/etcd/cfg/etcd.conf
[root@k8s-node2 ~]# cat /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-3" # 修改此处,节点2改为etcd-2,节点3改为etcd-3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.0.203:2380" # 修改此处为当前服务器IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.203:2379" # 修改此处为当前服务器IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.203:2380" # 修改此处为当前服务器IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.203:2379" # 修改此处为当前服务器IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.0.201:2380,etcd-2=https://192.168.0.202:2380,etcd-3=https://192.168.0.203:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
启动master节点
[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl start etcd
[root@k8s-master ~]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
启动node1节点
[root@k8s-node1 ~]# systemctl daemon-reload
[root@k8s-node1 ~]# systemctl start etcd
[root@k8s-node1 ~]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
启动node2节点
[root@k8s-node2 ~]# systemctl daemon-reload
[root@k8s-node2 ~]# systemctl start etcd
[root@k8s-node2 ~]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
[root@k8s-master ~]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.0.201:2379,https://192.168.0.202:2379,https://192.168.0.203:2379" endpoint health
https://192.168.0.201:2379 is healthy: successfully committed proposal: took = 40.294783ms
https://192.168.0.203:2379 is healthy: successfully committed proposal: took = 40.593516ms
https://192.168.0.202:2379 is healthy: successfully committed proposal: took = 21.798951ms
如果输出上面信息,就说明集群部署成功。如果有问题第一步先看日志:/var/log/message 或 journalctl -u etcd
以下在所有节点操作,这里采用yum安装方式,
yum install -y yum-utils device-mapper-persistent-data lvm2
[root@k8s-master ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@k8s-node1 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@k8s-node2 ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
[root@k8s-master ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
已加载插件:fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@k8s-node1 ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
已加载插件:fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@k8s-node2 ~]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
已加载插件:fastestmirror
adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
grabbing file https://download.docker.com/linux/centos/docker-ce.repo to /etc/yum.repos.d/docker-ce.repo
repo saved to /etc/yum.repos.d/docker-ce.repo
[root@k8s-master ~]# yum install -y docker-ce
[root@k8s-node1 ~]# yum install -y docker-ce
[root@k8s-node2 ~]# yum install -y docker-ce
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
/bin/systemctl daemon-reload
/bin/systemctl start docker
/bin/systemctl enable docker
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
执行apiserver证书配置
[root@k8s-master ~]# mkdir -p /root/TLS/apiserver
[root@k8s-master ~]# cd /root/TLS/apiserver/
[root@k8s-master apiserver]# ll
总用量 0
[root@k8s-master apiserver]# cat > ca-config.json << EOF
> {
> "signing": {
> "default": {
> "expiry": "87600h"
> },
> "profiles": {
> "kubernetes": {
> "expiry": "87600h",
> "usages": [
> "signing",
> "key encipherment",
> "server auth",
> "client auth"
> ]
> }
> }
> }
> }
> EOF
[root@k8s-master apiserver]# cat > ca-csr.json << EOF
> {
> "CN": "kubernetes",
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "Beijing",
> "ST": "Beijing",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
执行生成ca证书
[root@k8s-master apiserver]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/11/19 21:02:47 [INFO] generating a new CA key and certificate from CSR
2020/11/19 21:02:47 [INFO] generate received request
2020/11/19 21:02:47 [INFO] received CSR
2020/11/19 21:02:47 [INFO] generating key: rsa-2048
2020/11/19 21:02:47 [INFO] encoded CSR
2020/11/19 21:02:47 [INFO] signed certificate with serial number 618964693704774402914754546857528123070512384496
[root@k8s-master apiserver]# ll *pem
-rw-------. 1 root root 1675 11月 19 21:02 ca-key.pem
-rw-r--r--. 1 root root 1359 11月 19 21:02 ca.pem
创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.0.201",
"192.168.0.202",
"192.168.0.203",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
执行生成apiserver证书配置
[root@k8s-master /]# cd /root/TLS/apiserver/
[root@k8s-master apiserver]# cat > server-csr.json << EOF
> {
> "CN": "kubernetes",
> "hosts": [
> "10.0.0.1",
> "127.0.0.1",
> "192.168.0.201",
> "192.168.0.202",
> "192.168.0.203",
> "kubernetes",
> "kubernetes.default",
> "kubernetes.default.svc",
> "kubernetes.default.svc.cluster",
> "kubernetes.default.svc.cluster.local"
> ],
> "key": {
> "algo": "rsa",
> "size": 2048
> },
> "names": [
> {
> "C": "CN",
> "L": "BeiJing",
> "ST": "BeiJing",
> "O": "k8s",
> "OU": "System"
> }
> ]
> }
> EOF
注:上述文件hosts字段中IP为所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
执行生成证书
[root@k8s-master apiserver]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2020/11/19 21:16:00 [INFO] generate received request
2020/11/19 21:16:00 [INFO] received CSR
2020/11/19 21:16:00 [INFO] generating key: rsa-2048
2020/11/19 21:16:01 [INFO] encoded CSR
2020/11/19 21:16:01 [INFO] signed certificate with serial number 61289883131760633497559745925872614733825752323
2020/11/19 21:16:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master apiserver]# ls server*pem
server-key.pem server.pem
下载地址:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md
注释:打开链接你会发现里面有很多包,下载一个server包就够了,包含了master和worker node二进制文件
[root@k8s-master /]# mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
[root@k8s-master apiserver]# cd /root/tools/
[root@k8s-master tools]# wget https://storage.googleapis.com/kubernetes-release/release/v1.18.3/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master tools]# tar -zxvf kubernetes-server-linux-amd64.tar.gz
[root@k8s-master tools]# cd kubernetes/server/bin/
[root@k8s-master bin]# ll
总用量 1087376
-rwxr-xr-x. 1 root root 48128000 5月 20 2020 apiextensions-apiserver
-rwxr-xr-x. 1 root root 39813120 5月 20 2020 kubeadm
-rwxr-xr-x. 1 root root 120668160 5月 20 2020 kube-apiserver
-rw-r--r--. 1 root root 8 5月 20 2020 kube-apiserver.docker_tag
-rw-------. 1 root root 174558720 5月 20 2020 kube-apiserver.tar
-rwxr-xr-x. 1 root root 110059520 5月 20 2020 kube-controller-manager
-rw-r--r--. 1 root root 8 5月 20 2020 kube-controller-manager.docker_tag
-rw-------. 1 root root 163950080 5月 20 2020 kube-controller-manager.tar
-rwxr-xr-x. 1 root root 44032000 5月 20 2020 kubectl
-rwxr-xr-x. 1 root root 113283800 5月 20 2020 kubelet
-rwxr-xr-x. 1 root root 38379520 5月 20 2020 kube-proxy
-rw-r--r--. 1 root root 8 5月 20 2020 kube-proxy.docker_tag
-rw-------. 1 root root 119099392 5月 20 2020 kube-proxy.tar
-rwxr-xr-x. 1 root root 42950656 5月 20 2020 kube-scheduler
-rw-r--r--. 1 root root 8 5月 20 2020 kube-scheduler.docker_tag
-rw-------. 1 root root 96841216 5月 20 2020 kube-scheduler.tar
-rwxr-xr-x. 1 root root 1687552 5月 20 2020 mounter
[root@k8s-master bin]# cp kube-apiserver /opt/kubernetes/bin/
[root@k8s-master bin]# cp kube-scheduler /opt/kubernetes/bin/
[root@k8s-master bin]# cp kube-controller-manager /opt/kubernetes/bin/
[root@k8s-master bin]# cp kubectl /usr/bin/
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://192.168.0.201:2379,https://192.168.0.202:2379,https://192.168.0.203:2379 \\
--bind-address=192.168.0.201 \\
--secure-port=6443 \\
--advertise-address=192.168.0.201 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
注释:上面两个\ \ 第一个是转义符,第二个是换行符,使用转义符是为了使用EOF保留换行符。
[root@k8s-master /]# cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
> KUBE_APISERVER_OPTS="--logtostderr=false \\
> --v=2 \\
> --log-dir=/opt/kubernetes/logs \\
> --etcd-servers=https://192.168.0.201:2379,https://192.168.0.202:2379,https://192.168.0.203:2379 \\
> --bind-address=192.168.0.201 \\
> --secure-port=6443 \\
> --advertise-address=192.168.0.201 \\
> --allow-privileged=true \\
> --service-cluster-ip-range=10.0.0.0/24 \\
> --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
> --authorization-mode=RBAC,Node \\
> --enable-bootstrap-token-auth=true \\
> --token-auth-file=/opt/kubernetes/cfg/token.csv \\
> --service-node-port-range=30000-32767 \\
> --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
> --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
> --tls-cert-file=/opt/kubernetes/ssl/server.pem \\
> --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
> --client-ca-file=/opt/kubernetes/ssl/ca.pem \\
> --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
> --etcd-cafile=/opt/etcd/ssl/ca.pem \\
> --etcd-certfile=/opt/etcd/ssl/server.pem \\
> --etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
> --audit-log-maxage=30 \\
> --audit-log-maxbackup=3 \\
> --audit-log-maxsize=100 \\
> --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
> EOF
[root@k8s-master /]# cp -a /root/TLS/apiserver/ca*pem /opt/kubernetes/ssl/
[root@k8s-master /]# cp -a /root/TLS/apiserver/server*pem /opt/kubernetes/ssl/
[root@k8s-master /]# ll /opt/kubernetes/ssl/
总用量 16
-rw-------. 1 root root 1675 11月 19 21:02 ca-key.pem
-rw-r--r--. 1 root root 1359 11月 19 21:02 ca.pem
-rw-------. 1 root root 1679 11月 19 21:16 server-key.pem
-rw-r--r--. 1 root root 1627 11月 19 21:16 server.pem