[关闭]
@zhangyy 2021-12-01T10:13:40.000000Z 字数 9045 阅读 180

k8s 1.22.4 二进制部署

kubernetes系列


一: 系统环境初始化

1.1 系统环境

  1. cat /etc/hosts
  2. ----
  3. 172.16.10.11 flyfishsrvs01
  4. 172.16.10.12 flyfishsrvs02
  5. 172.16.10.13 flyfishsrvs03
  6. 172.16.10.14 flyfishsrvs04
  7. 172.16.10.15 flyfishsrvs05
  8. 172.16.10.16 flyfishsrvs06
  9. 172.16.10.17 flyfishsrvs07
  10. -----
  11. 先安装单master版本后续扩容成多master
  12. 系统关闭firewalld/selinux /清空iptables防火墙规则

1.2 升级系统内核

  1. 所有机器都要升级内核
  2. #查看当前内核版本
  3. uname -r
  4. uname -a
  5. cat /etc/redhat-release
  6. #添加yum源仓库
  7. mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
  8. curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
  9. curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
  10. rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
  11. yum install -y https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
  12. #更新yum源仓库
  13. yum -y update
  14. #查看可用的系统内核包
  15. yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
  16. #安装内核,注意先要查看可用内核,我安装的是5.4版本的内核
  17. yum --enablerepo=elrepo-kernel install kernel-lt
  18. #查看目前可用内核
  19. awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
  20. #使用序号为0的内核,序号0是前面查出来的可用内核编号
  21. grub2-set-default 0
  22. #生成 grub 配置文件并重启
  23. grub2-mkconfig -o /boot/grub2/grub.cfg
  24. reboot

image_1fldfh8jn86b1851ml18quhe13e.png-64.5kB


1.2 环境配置

  1. #修改时区,同步时间
  2. yum install chrond -y
  3. vim /etc/chrony.conf
  4. -----
  5. ntpdate ntp1.aliyun.com iburst
  6. -----
  7. ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  8. echo 'Asia/Shanghai' > /etc/timezone
  9. #关闭防火墙,selinux
  10. systemctl stop firewalld
  11. systemctl disable firewalld
  12. sed -i 's/enforcing/disabled/' /etc/selinux/config
  13. setenforce 0
  14. ## 关闭swap
  15. swapoff -a
  16. sed -ri 's/.*swap.*/#&/' /etc/fstab
  17. #系统优化
  18. cat > /etc/sysctl.d/k8s_better.conf << EOF
  19. net.bridge.bridge-nf-call-iptables=1
  20. net.bridge.bridge-nf-call-ip6tables=1
  21. net.ipv4.ip_forward=1
  22. net.ipv4.tcp_tw_recycle=0
  23. vm.swappiness=0
  24. vm.overcommit_memory=1
  25. vm.panic_on_oom=0
  26. fs.inotify.max_user_instances=8192
  27. fs.inotify.max_user_watches=1048576
  28. fs.file-max=52706963
  29. fs.nr_open=52706963
  30. net.ipv6.conf.all.disable_ipv6=1
  31. net.netfilter.nf_conntrack_max=2310720
  32. EOF
  33. sysctl -p /etc/sysctl.d/k8s_better.conf
  34. #确保每台机器的uuid不一致,如果是克隆机器,修改网卡配置文件删除uuid那一行
  35. cat /sys/class/dmi/id/product_uuid

image_1fldfod3v1np1fp8k4j1ok9abm6q.png-124.4kB


1.3 安装docker

  1. 全部节点安装:
  2. 安装docker
  3. 这里介绍yum源安装
  4. 1. 卸载旧版本
  5. yum remove docker \
  6. docker-client \
  7. docker-client-latest \
  8. docker-common \
  9. docker-latest \
  10. docker-latest-logrotate \
  11. docker-logrotate \
  12. docker-engine \
  13. docker-ce
  14. rm -rf /var/lib/docker
  15. 2.安装必备软件包
  16. yum install -y yum-utils device-mapper-persistent-data lvm2
  17. 3.设置yum
  18. #建议使用阿里源
  19. yum-config-manager \
  20. --add-repo \
  21. http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  22. 4.安装docker
  23. 这里介绍两种安装方式,我是用的是第一种
  24. 1)使用yum命令安装
  25. #查看可用版本
  26. yum list docker-ce --showduplicates | sort -r
  27. #安装18.09.1的版本,安装其他版本照套格式就行
  28. yum install docker-ce-18.09.1 docker-ce-cli-18.09.1 containerd.io
  29. #安装最新版本
  30. yum install -y docker-ce docker-ce-cli containerd.io
  31. mkdir -p /etc/docker
  32. vim /etc/docker/daemon.json
  33. -----
  34. {
  35. "exec-opts": [
  36. "native.cgroupdriver=systemd"
  37. ],
  38. "log-driver": "json-file",
  39. "log-level": "warn",
  40. "log-opts": {
  41. "max-size": "1000m",
  42. "max-file": "3"
  43. },
  44. "registry-mirrors": [
  45. "https://b9pmyelo.mirror.aliyuncs.com"
  46. ],
  47. "insecure-registries": [],
  48. "selinux-enabled": false
  49. }

image_1flpqmffkm0m1sn198ta7q96p1p.png-93.7kB

image_1flpqrbl45141g471rvp1bj2gkf26.png-150.5kB

二:部署etcd集群

2.1 关于签名证书

  1. wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
  2. wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
  3. wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
  4. chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
  5. mv cfssl_linux-amd64 /usr/bin/cfssl
  6. mv cfssljson_linux-amd64 /usr/bin/cfssljson
  7. mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

image_1fldg056r178g1nua1lje1eq3u87k.png-112.3kB

  1. mkdir -p ~/TLS/{etcd,k8s}
  2. cd ~/TLS/etcd
  3. 自签CA
  4. cat > ca-config.json << EOF
  5. {
  6. "signing": {
  7. "default": {
  8. "expiry": "87600h"
  9. },
  10. "profiles": {
  11. "www": {
  12. "expiry": "87600h",
  13. "usages": [
  14. "signing",
  15. "key encipherment",
  16. "server auth",
  17. "client auth"
  18. ]
  19. }
  20. }
  21. }
  22. }
  23. EOF
  24. cat > ca-csr.json << EOF
  25. {
  26. "CN": "etcd CA",
  27. "key": {
  28. "algo": "rsa",
  29. "size": 2048
  30. },
  31. "names": [
  32. {
  33. "C": "CN",
  34. "L": "Beijing",
  35. "ST": "Beijing"
  36. }
  37. ]
  38. }
  39. EOF
  40. 生成证书:
  41. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  42. 会生成ca.pemca-key.pem文件

image_1flpr2h9p1jtfuus1o0ogmg6bk2j.png-182kB

  1. 2. 使用自签CA签发Etcd HTTPS证书
  2. 创建证书申请文件:
  3. cat > server-csr.json << EOF
  4. {
  5. "CN": "etcd",
  6. "hosts": [
  7. "172.16.10.11",
  8. "172.16.10.12",
  9. "172.16.10.13",
  10. "172.16.10.14",
  11. "172.16.10.15",
  12. "172.16.10.16",
  13. "172.16.10.17",
  14. "172.16.10.18",
  15. "172.16.10.19",
  16. "172.16.10.200"
  17. ],
  18. "key": {
  19. "algo": "rsa",
  20. "size": 2048
  21. },
  22. "names": [
  23. {
  24. "C": "CN",
  25. "L": "BeiJing",
  26. "ST": "BeiJing"
  27. }
  28. ]
  29. }
  30. EOF
  31. 注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP
  32. 生成证书:
  33. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
  34. 会生成server.pemserver-key.pem文件。

image_1flpr7vq2te6hs5vvq1cs6c9n3g.png-172.5kB

2.2 部署etcd

  1. 1. Etcd 的概念:
  2. Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储,所以先准备一个Etcd数据库,为解决Etcd单点故障,应采用集群方式部署,这里使用3台组建集群,可容忍1台机器故障,当然,你也可以使用5台组建集群,可容忍2台机器故障。
  3. 下载地址: https://github.com/etcd-io/etcd/releases
  4. 以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3.

  1. 2. 安装配置etcd
  2. mkdir /opt/etcd/{bin,cfg,ssl} -p
  3. tar zxvf etcd-v3.5.1-linux-amd64.tar.gz
  4. mv etcd-v3.5.1-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

image_1fldipv98102t1lp176f1v6aj2ten.png-220.6kB

  1. flyfishsrvs01 etcd 配置文件
  2. cat > /opt/etcd/cfg/etcd.conf << EOF
  3. #[Member]
  4. ETCD_NAME="etcd-1"
  5. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  6. ETCD_LISTEN_PEER_URLS="https://172.16.10.11:2380"
  7. ETCD_LISTEN_CLIENT_URLS="https://172.16.10.11:2379"
  8. #[Clustering]
  9. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.10.11:2380"
  10. ETCD_ADVERTISE_CLIENT_URLS="https://172.16.10.11:2379"
  11. ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.10.11:2380,etcd-2=https://172.16.10.12:2380,etcd-3=https://172.16.10.13:2380"
  12. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  13. ETCD_INITIAL_CLUSTER_STATE="new"
  14. EOF
  15. ---
  16. ETCD_NAME:节点名称,集群中唯一
  17. ETCD_DATA_DIR:数据目录
  18. ETCD_LISTEN_PEER_URLS:集群通信监听地址
  19. ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
  20. ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
  21. ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
  22. ETCD_INITIAL_CLUSTER:集群节点地址
  23. ETCD_INITIAL_CLUSTER_TOKEN:集群Token
  24. ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群

  1. 3. systemd管理etcd
  2. cat > /usr/lib/systemd/system/etcd.service << EOF
  3. [Unit]
  4. Description=Etcd Server
  5. After=network.target
  6. After=network-online.target
  7. Wants=network-online.target
  8. [Service]
  9. Type=notify
  10. EnvironmentFile=/opt/etcd/cfg/etcd.conf
  11. ExecStart=/opt/etcd/bin/etcd \
  12. --cert-file=/opt/etcd/ssl/server.pem \
  13. --key-file=/opt/etcd/ssl/server-key.pem \
  14. --peer-cert-file=/opt/etcd/ssl/server.pem \
  15. --peer-key-file=/opt/etcd/ssl/server-key.pem \
  16. --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  17. --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  18. --logger=zap
  19. Restart=on-failure
  20. LimitNOFILE=65536
  21. [Install]
  22. WantedBy=multi-user.target
  23. EOF

image_1fldjihdi1ijec1de87u233jq9.png-167.6kB

  1. 4. 拷贝刚才生成的证书
  2. 把刚才生成的证书拷贝到配置文件中的路径:
  3. cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/

image_1flprcn8o180b61ienejidq3t.png-33kB

  1. 5. 同步所有主机
  2. scp -r /opt/etcd/ root@172.16.10.12:/opt/
  3. scp -r /opt/etcd/ root@172.16.10.13:/opt/
  4. scp /usr/lib/systemd/system/etcd.service root@172.16.10.12:/usr/lib/systemd/system/
  5. scp /usr/lib/systemd/system/etcd.service root@172.16.10.13:/usr/lib/systemd/system/

image_1flprfab11gs8e1m87v1to8197g4a.png-89.2kB

image_1flprfnld1qll1h071b011am91jgt4n.png-95.2kB


  1. flyfishsrvs02 etcd
  2. vim /opt/etcd/cfg/etcd.conf
  3. -----
  4. #[Member]
  5. ETCD_NAME="etcd-2"
  6. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  7. ETCD_LISTEN_PEER_URLS="https://172.16.10.12:2380"
  8. ETCD_LISTEN_CLIENT_URLS="https://172.16.10.12:2379"
  9. #[Clustering]
  10. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.10.12:2380"
  11. ETCD_ADVERTISE_CLIENT_URLS="https://172.16.10.12:2379"
  12. ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.10.11:2380,etcd-2=https://172.16.10.12:2380,etcd-3=https://172.16.10.13:2380"
  13. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  14. ETCD_INITIAL_CLUSTER_STATE="new"
  15. ----

  1. flyfishsrvs03 etcd
  2. vim /opt/etcd/cfg/etcd.conf
  3. ----
  4. #[Member]
  5. ETCD_NAME="etcd-3"
  6. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  7. ETCD_LISTEN_PEER_URLS="https://172.16.10.13:2380"
  8. ETCD_LISTEN_CLIENT_URLS="https://172.16.10.13:2379"
  9. #[Clustering]
  10. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.16.10.13:2380"
  11. ETCD_ADVERTISE_CLIENT_URLS="https://172.16.10.13:2379"
  12. ETCD_INITIAL_CLUSTER="etcd-1=https://172.16.10.11:2380,etcd-2=https://172.16.10.12:2380,etcd-3=https://172.16.10.13:2380"
  13. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  14. ETCD_INITIAL_CLUSTER_STATE="new"
  15. -----

  1. 6. 启动etcd:
  2. systemctl daemon-reload
  3. systemctl start etcd
  4. systemctl enable etcd

image_1flprk868fu619c76sd14h014ak5k.png-87.3kB

  1. 验证:
  2. ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://172.16.10.11:2379,https://172.16.10.12:2379,https://172.16.10.13:2379" endpoint health --write-out=table

image_1flprmmgadrl5db85svlusl561.png-120.7kB

2.3 部署k8s1.22.4

  1. 1. Github下载二进制文件
  2. 下载地址: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md
  3. 注:打开链接你会发现里面有很多包,下载一个server包就够了,包含了MasterWorker Node二进制文件。

image_1flprsia81p5k1mpc1ei02hqt1a6e.png-325kB

image_1flpruda4a6218p4gos1an9vo18h.png-356.3kB

  1. 2. 创建k8s kube-apiserver证书
  2. cd ~/TLS/k8s
  3. cat > ca-config.json << EOF
  4. {
  5. "signing": {
  6. "default": {
  7. "expiry": "87600h"
  8. },
  9. "profiles": {
  10. "kubernetes": {
  11. "expiry": "87600h",
  12. "usages": [
  13. "signing",
  14. "key encipherment",
  15. "server auth",
  16. "client auth"
  17. ]
  18. }
  19. }
  20. }
  21. }
  22. EOF
  23. cat > ca-csr.json << EOF
  24. {
  25. "CN": "kubernetes",
  26. "key": {
  27. "algo": "rsa",
  28. "size": 2048
  29. },
  30. "names": [
  31. {
  32. "C": "CN",
  33. "L": "Beijing",
  34. "ST": "Beijing",
  35. "O": "k8s",
  36. "OU": "System"
  37. }
  38. ]
  39. }
  40. EOF
  41. 生成证书:
  42. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  43. 会生成ca.pemca-key.pem文件。

image_1flps2ea0dq9cp41o5db6l1fql9e.png-181.1kB

  1. 2. 使用自签CA签发kube-apiserver HTTPS证书
  2. 创建证书申请文件:
  3. cat > server-csr.json << EOF
  4. {
  5. "CN": "kubernetes",
  6. "hosts": [
  7. "10.0.0.1",
  8. "127.0.0.1",
  9. "172.16.10.11",
  10. "172.16.10.12",
  11. "172.16.10.13",
  12. "172.16.10.14",
  13. "172.16.10.15",
  14. "172.16.10.16",
  15. "172.16.10.17",
  16. "172.16.10.18",
  17. "172.16.10.19",
  18. "172.16.10.200",
  19. "kubernetes",
  20. "kubernetes.default",
  21. "kubernetes.default.svc",
  22. "kubernetes.default.svc.cluster",
  23. "kubernetes.default.svc.cluster.local"
  24. ],
  25. "key": {
  26. "algo": "rsa",
  27. "size": 2048
  28. },
  29. "names": [
  30. {
  31. "C": "CN",
  32. "L": "BeiJing",
  33. "ST": "BeiJing",
  34. "O": "k8s",
  35. "OU": "System"
  36. }
  37. ]
  38. }
  39. EOF
  40. 注:上述文件hosts字段中IP为所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP
  41. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注