一些设置


设置本地主机名解析(hosts):

192.168.1.127 k8s-master etcd
192.168.1.128 k8s-node01
192.168.1.129 k8s-node02

永久关闭node节点的swap。

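# Turn swap off now (the kubelet refuses to start while swap is active unless
# told otherwise) and keep it off across reboots by commenting out every swap
# entry in /etc/fstab. The manual "vim /etc/fstab" step left it unspecified
# what to change; the sed below does exactly that and leaves the original at
# /etc/fstab.bak for review.
swapoff -a
sed -i.bak '/[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab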



安装flannel


可以先把 etcd+docker+flannel 安装好,把网调通后再安装 k8s。

详见:https://www.scriptjc.com/article/1002



创建CA证书


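# CA private key. genrsa writes it unencrypted (-nodes below), so keep it
# readable by root only and keep it off the nodes: whoever holds ca.key can
# mint client certificates that the API server and etcd trust. OpenSSL 1.1.0+
# already creates the file with mode 0600; the chmod covers older releases.
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# Self-signed CA certificate. -days 5000 (about 13.7 years) matches the leaf
# certificates issued below; shorten it if you want a forced rotation point.
openssl req -x509 -new -nodes -key ca.key -subj "/CN=k8s-master" -days 5000 -out ca.crt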



etcd证书


创建etcd证书和私钥:

etcd_server 服务端使用的证书:

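# Serving certificate for etcd. kube-apiserver dials https://etcd:2379 and
# checks the name it connected to against the certificate, so the certificate
# needs subjectAltName entries for that name/address: Go 1.15+ clients (which
# recent kube-apiserver builds are) reject certificates that carry only a
# CommonName. The SAN list follows the hosts entry above
# (etcd / k8s-master -> 192.168.1.127); the layout mirrors master_ssl.cnf.
cat > etcd_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = etcd
DNS.2 = k8s-master
IP.1 = 192.168.1.127
EOF
openssl genrsa -out etcd_server.key 2048
openssl req -new -key etcd_server.key -subj "/CN=etcd" -config etcd_ssl.cnf -out etcd_server.csr
# -extensions/-extfile copy the SANs into the signed certificate; without them
# the x509 step drops every extension requested in the CSR.
openssl x509 -req -in etcd_server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extensions v3_req -extfile etcd_ssl.cnf -out etcd_server.crt -days 5000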

etcd_client 连接etcd使用的证书:

# Client certificate kube-apiserver presents to etcd (--etcd-certfile /
# --etcd-keyfile in kube-apiserver.service). It is signed by the same CA as
# the etcd serving certificate; if etcd runs with client-certificate auth, the
# CN ("etcd") is the identity etcd sees.
openssl genrsa -out etcd_client.key 2048
openssl req -new -subj "/CN=etcd" -key etcd_client.key -out etcd_client.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -in etcd_client.csr -out etcd_client.crt



apiserver


创建server证书(需先生成下面的 master_ssl.cnf):

# API server serving certificate. master_ssl.cnf (written further down) must
# exist before these commands run: it carries the subjectAltName list clients
# verify against, so the same file is passed to both the CSR and the signing
# step.
# private key for the serving certificate
openssl genrsa -out server.key 2048
# certificate signing request
openssl req -new -subj "/CN=k8s-master" -config master_ssl.cnf -key server.key -out server.csr
# CA signs the request, copying the v3_req extensions (SANs) from master_ssl.cnf
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -in server.csr -out server.crt

master_ssl.cnf:

# OpenSSL request/extension config for the API server certificate. Every name
# or address a client may use to reach the API server has to be listed under
# [alt_names]; the delimiter is quoted so nothing in the body is expanded.
cat > master_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# in-cluster service names of the API server
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
# master host name (hosts entry above)
DNS.5 = k8s-master
# first address of --service-cluster-ip-range, which the "kubernetes" service takes
IP.1 = 169.169.0.1
# master node address
IP.2 = 192.168.1.127
EOF

kube-apiserver.service:

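# kube-apiserver unit. The heredoc delimiter is quoted so backslashes are
# written literally: every option line ends in a single "\" (systemd line
# continuation). The unquoted form needed "\\" and one line
# (--enable-admission-plugins) had only "\", which bash silently joined with
# the following line.
cat > /usr/lib/systemd/system/kube-apiserver.service <<'EOF'
[Unit]
Description=Kubernetes API Server
After=etcd.service
Wants=etcd.service

[Service]
#EnvironmentFile=/etc/kubernetes/apiserver
# etcd is reached by the hosts name "etcd"; its serving certificate is verified
# against ca.crt and the apiserver authenticates with the etcd_client pair.
# Only the secure port (6443) is open: --insecure-port=0 disables the plaintext
# listener, so --insecure-bind-address has no effect and is kept for readability.
# Clients are authenticated by certificates chained to --client-ca-file.
# No --authorization-mode is given, so the server runs with the default
# AlwaysAllow: every certificate this CA signed (the kubelet ones included)
# holds full cluster rights. --anonymous-auth=false keeps unauthenticated
# callers out of that; moving to --authorization-mode=Node,RBAC additionally
# requires certificates issued with the system:node:<name> / system:nodes
# identities and bindings for the k8s-master client.
# --service-node-port-range=1-65535 lets NodePort services claim any port,
# including ones the nodes already use (22, 2379, 6443, 10250); the default
# 30000-32767 avoids that.
# --log-dir must exist before the first start.
ExecStart=/usr/bin/kube-apiserver \
--etcd-servers=https://etcd:2379 \
--etcd-cafile=/etc/kubernetes/cert/ca.crt \
--etcd-certfile=/etc/kubernetes/cert/etcd_client.crt \
--etcd-keyfile=/etc/kubernetes/cert/etcd_client.key \
--insecure-bind-address=0.0.0.0 \
--insecure-port=0 \
--secure-port=6443 \
--anonymous-auth=false \
--service-cluster-ip-range=169.169.0.0/16 \
--service-node-port-range=1-65535 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--client-ca-file=/etc/kubernetes/cert/ca.crt \
--tls-private-key-file=/etc/kubernetes/cert/server.key \
--tls-cert-file=/etc/kubernetes/cert/server.crt \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=0

Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF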



controller-manager


cs_client证书:

# Client certificate for the master-side control plane (controller manager,
# scheduler) and for kubectl; CN "k8s-master" is the identity the API server
# sees for all of them.
openssl genrsa -out cs_client.key 2048
openssl req -new -subj "/CN=k8s-master" -key cs_client.key -out cs_client.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -in cs_client.csr -out cs_client.crt

kubeconfig-ca.yml:

# kubeconfig for kube-controller-manager and kube-scheduler on the master:
# authenticates with the cs_client pair, verifies the server against ca.crt.
# Quoted delimiter: the body is written verbatim.
cat > /etc/kubernetes/kubeconfig-ca.yml <<'EOF'
apiVersion: v1
kind: Config
users:
- name: client
  user:
    # cs_client pair signed by ca.crt
    client-certificate: /etc/kubernetes/cert/cs_client.crt
    client-key: /etc/kubernetes/cert/cs_client.key
clusters:
- name: default
  cluster:
    # CA that issued server.crt (its SANs include 192.168.1.127)
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://192.168.1.127:6443
contexts:
- context:
    cluster: default
    user: client
  name: default
current-context: default
EOF

kube-controller-manager.service:

# kube-controller-manager unit. Quoted heredoc delimiter, so one "\" per
# continued line is written as-is.
cat > /usr/lib/systemd/system/kube-controller-manager.service <<'EOF'
[Unit]
Description=Kubernetes Controller Manager
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
#EnvironmentFile=/etc/kubernetes/apiserver
# Talks to the API server as cs_client via kubeconfig-ca.yml.
# --service-account-private-key-file reuses the API server's TLS key
# (server.key) to sign service-account tokens; the apiserver accepts those
# because --service-account-key-file, when unset, falls back to its TLS key.
# A dedicated signing key pair (configured on both sides) keeps a TLS key
# compromise from also forging tokens.
# --root-ca-file is the CA placed into service-account secrets so pods can
# verify the API server.
ExecStart=/usr/bin/kube-controller-manager \
--kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \
--service-account-private-key-file=/etc/kubernetes/cert/server.key \
--root-ca-file=/etc/kubernetes/cert/ca.crt \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=0

Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



scheduler


kube-scheduler.service:

# kube-scheduler unit. Quoted heredoc delimiter, so one "\" per continued line
# is written as-is.
cat > /usr/lib/systemd/system/kube-scheduler.service <<'EOF'
[Unit]
Description=Kubernetes scheduler
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
# Same cs_client identity as the controller manager (kubeconfig-ca.yml).
ExecStart=/usr/bin/kube-scheduler \
--kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=0

Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



在各个node节点上:


kubelet


kubelet_client证书:

# Per-node kubelet client certificate, CN = the node's host name (k8s-node01
# here; the kubelet's --hostname-override uses the same name). Issue a distinct
# pair for every node. Signing needs ca.key, so run this on the master and copy
# only kubelet_client.crt, kubelet_client.key and ca.crt to the node.
openssl genrsa -out kubelet_client.key 2048
openssl req -new -subj "/CN=k8s-node01" -key kubelet_client.key -out kubelet_client.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -in kubelet_client.csr -out kubelet_client.crt

kubeconfig-ca.yml:

# kubeconfig for the kubelet (and kube-proxy) on a node: authenticates with the
# node's kubelet_client pair, verifies the master against ca.crt. Quoted
# delimiter: the body is written verbatim.
cat > /etc/kubernetes/kubeconfig-ca.yml <<'EOF'
apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    # this node's kubelet_client pair, signed by ca.crt
    client-certificate: /etc/kubernetes/cert/kubelet_client.crt
    client-key: /etc/kubernetes/cert/kubelet_client.key
clusters:
- name: local
  cluster:
    # CA that issued the API server's server.crt
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://192.168.1.127:6443
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
EOF

kubelet.service:

# kubelet unit. Quoted heredoc delimiter, so one "\" per continued line is
# written as-is.
cat > /usr/lib/systemd/system/kubelet.service <<'EOF'
[Unit]
Description=Kubernetes kubelet Server
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
# Authenticates to the API server with the node's kubelet_client certificate
# (kubeconfig-ca.yml); --hostname-override carries the same node name as that
# certificate's CN.
# The kubelet's own API (port 10250) is left at its defaults, which accept
# unauthenticated requests, and the API server connects to it without a client
# certificate. Tightening it (--anonymous-auth=false,
# --client-ca-file=/etc/kubernetes/cert/ca.crt, --authorization-mode=Webhook)
# has to go together with --kubelet-client-certificate/--kubelet-client-key on
# the API server, otherwise logs/exec stop working.
# When the pause image comes from a private registry, add
# --pod-infra-container-image=<registry>/pause:3.1 here (see the note at the
# end of this page).
ExecStart=/usr/bin/kubelet \
--kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \
--hostname-override=k8s-node01 \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=0
# Docker (1.13+) sets the FORWARD chain policy to DROP, which breaks pod-to-pod
# traffic; this resets it to ACCEPT for the whole host, not only the pod network.
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF


kube-proxy


kube-proxy.service:

# kube-proxy unit. Quoted heredoc delimiter, so one "\" per continued line is
# written as-is.
cat > /usr/lib/systemd/system/kube-proxy.service <<'EOF'
[Unit]
Description=Kubernetes Kube-Proxy Server
# After= names network.target while Requires= names network.service (the legacy
# network-scripts unit); on a host without network.service this unit will not
# start. Use the same unit in both directives.
After=network.target
Requires=network.service

[Service]
# Shares the kubelet's kubeconfig and therefore the kubelet_client identity.
WorkingDirectory=/var/lib/kubelet
ExecStart=/usr/bin/kube-proxy \
--kubeconfig=/etc/kubernetes/kubeconfig-ca.yml \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=2

Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF



访问k8s集群:

kubectl


kubectl:

# One-off kubectl call against the secure port: authenticates with the
# cs_client pair (the same identity the controller manager uses) and verifies
# the server against ca.crt. kubectl accepts its global flags after the
# subcommand as well.
kubectl get nodes \
  --server=https://192.168.1.127:6443 \
  --certificate-authority=/etc/kubernetes/cert/ca.crt \
  --client-certificate=/etc/kubernetes/cert/cs_client.crt \
  --client-key=/etc/kubernetes/cert/cs_client.key

或者:

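# Persist the connection flags for interactive shells. Append (>>) instead of
# overwrite: the original `cat > ~/.bashrc` replaced the whole file. The grep
# guard keeps a re-run from adding the alias twice (a missing ~/.bashrc is
# fine, hence 2>/dev/null). The same settings already live in
# /etc/kubernetes/kubeconfig-ca.yml, so `kubectl --kubeconfig=...` or exporting
# KUBECONFIG is the alias-free alternative.
if ! grep -q '^alias kubectl=' ~/.bashrc 2>/dev/null; then
  cat >> ~/.bashrc <<'EOF'
alias kubectl='kubectl --server=https://192.168.1.127:6443 --certificate-authority=/etc/kubernetes/cert/ca.crt --client-certificate=/etc/kubernetes/cert/cs_client.crt --client-key=/etc/kubernetes/cert/cs_client.key'
EOF
fi
source ~/.bashrc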


Pod基础镜像:

在每个node的kubelet启动参数后加上如下参数。k8s集群以Pod为基本单元,需要 k8s.gcr.io/pause:3.1 镜像来实现Pod;其中 docker-registry 为私有镜像仓库地址。

--pod-infra-container-image=docker-registry:5000/pause:3.1