Deploying components on the Node nodes
Once the Master apiserver has TLS authentication enabled, a Node's kubelet can only talk to the apiserver with a valid certificate issued by the cluster CA. Signing a certificate by hand for every Node becomes tedious once there are many of them, so Kubernetes provides the TLS Bootstrapping mechanism: the kubelet uses a low-privilege user to request a certificate from the apiserver automatically, and the kubelet's certificate is signed dynamically by the apiserver.
The authentication workflow is roughly as shown in the figure:
1. Bind the kubelet-bootstrap user to the system cluster role
Run on the master node (192.168.1.13):
[root@docker kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
Output:
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
2. Copy files (copy kubelet and kube-proxy from the binary package downloaded earlier to /opt/kubernetes/bin on each node):
[root@docker bin]# pwd
/data/tools/k8s/kubernetes/server/bin
[root@docker bin]# scp kubelet kube-proxy 192.168.1.23:/opt/kubernetes/bin/
[root@docker bin]# scp kubelet kube-proxy 192.168.1.24:/opt/kubernetes/bin/
Run the following script to generate the two files kube-proxy.kubeconfig and bootstrap.kubeconfig:
[root@docker kubeconfig]# cat /data/k8s/kubeconfig/kubeconfig.sh
#—————–start—————————————————————————————–
#!/bin/bash
# The token was already created in /opt/kubernetes/cfg/token.csv when the apiserver was
# deployed (cat /opt/kubernetes/cfg/token.csv to see it), so it must not be created again.
# For reference, this is how the TLS Bootstrapping Token was generated:
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
#BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
#cat > token.csv << EOF
#${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
#EOF
# Must be identical to the first field of token.csv on the master, otherwise the
# apiserver rejects the bootstrapping kubelet.
BOOTSTRAP_TOKEN=674c457d4dcf2eefe4920d7dbb6b0ddcc
APISERVER=$1
SSL_DIR=$2
if [ -z "$APISERVER" ] || [ ! -f "$SSL_DIR/ca.pem" ]; then
  echo "usage: $0 <apiserver-ip> <directory containing ca.pem>" >&2
  exit 1
fi
# Create the kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# Set the cluster parameters
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig
# Set the context parameters
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# Create the kube-proxy kubeconfig file
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
#—————–end—————————————————————————————–
Argument 1: the master's local IP; argument 2: the directory containing ca.pem
[root@docker kubeconfig]# bash kubeconfig.sh 192.168.1.13 /data/k8s/master-ca
3. Copy the files to the nodes
[root@docker kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.1.23:/opt/kubernetes/cfg/
[root@docker kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig 192.168.1.24:/opt/kubernetes/cfg/
Deploying the kubelet component
1. Create the kubelet configuration file
[root@docker cfg]# cd /opt/kubernetes/cfg
[root@docker cfg]# cat kubelet.sh
#——————–start————————————————————-
#!/bin/bash
NODE_ADDRESS=$1
DNS_SERVER_IP=${2:-"10.0.0.2"}
if [ -z "$NODE_ADDRESS" ]; then
  echo "usage: $0 <node-ip> [cluster-dns-ip]" >&2
  exit 1
fi
# kubelet command-line options, read by the systemd unit through EnvironmentFile
cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=${NODE_ADDRESS} \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF
# KubeletConfiguration referenced by --config; it is YAML, so the nesting below must be indented
cat <<EOF >/opt/kubernetes/cfg/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: ${NODE_ADDRESS}
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- ${DNS_SERVER_IP}
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
EOF
# systemd unit; \$KUBELET_OPTS is escaped so the literal variable name is written into the unit
cat << EOF > /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
#——————–end————————————————————-
Run the script (it generates the kubelet and kubelet.config files):
bash kubelet.sh 192.168.1.23
Parameter description:
--hostname-override  the hostname shown for this node in the cluster
--kubeconfig  location of the kubeconfig file; it is generated automatically
--bootstrap-kubeconfig  the bootstrap.kubeconfig file generated just now
--cert-dir  directory where the issued certificates are stored
--pod-infra-container-image  the image that manages the Pod network
Note that the generated kubelet.config enables anonymous access to the kubelet API (authentication.anonymous.enabled: true) and exposes the unauthenticated read-only port 10255; that is convenient in a lab but should not be left that way on a node reachable from an untrusted network.
The kubelet component is managed by systemd:
[root@docker cfg]# cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
Start it:
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
Error log: /var/log/messages
A very common cause of failure: the configuration files generated on the master host (bootstrap.kubeconfig, kube-proxy.kubeconfig) have a problem and need to be checked again.
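Since a bad bootstrap.kubeconfig is the usual culprit, here is an added consistency check (not part of the original post) that compares the file kubeconfig.sh wrote against the master's token.csv and ca.pem; the function names and the fixture files are constructed for this example, and the real call on the master would pass /opt/kubernetes/cfg/token.csv and /data/k8s/master-ca/ca.pem.

```shell
#!/bin/bash
# Added consistency check, not part of the original post: compare a bootstrap.kubeconfig
# written by kubeconfig.sh against the master's token.csv and ca.pem before copying it out.
check_bootstrap_kubeconfig() {
  local kubeconfig="$1" token_csv="$2" ca_pem="$3" expected_server="$4"
  local token server ca_b64 rc=0
  token=$(sed -n 's/^ *token: *//p' "$kubeconfig" | head -n1)
  server=$(sed -n 's/^ *server: *//p' "$kubeconfig" | head -n1)
  ca_b64=$(sed -n 's/^ *certificate-authority-data: *//p' "$kubeconfig" | head -n1)
  # 1. The bearer token must be the first field of a token.csv row; otherwise the apiserver
  #    answers 401 and no node-csr-* request is ever created.
  if [ -z "$token" ] || ! grep -q "^${token}," "$token_csv"; then
    echo "FAIL: token in $kubeconfig not found in $token_csv" >&2; rc=1
  fi
  # 2. --embed-certs=true stores ca.pem base64-encoded; it must decode to ca.pem byte for byte.
  if [ -z "$ca_b64" ] || ! printf '%s' "$ca_b64" | base64 -d 2>/dev/null | cmp -s - "$ca_pem"; then
    echo "FAIL: embedded CA in $kubeconfig does not match $ca_pem" >&2; rc=1
  fi
  # 3. The server entry must be the apiserver's TLS endpoint (https, port 6443).
  if [ "$server" != "$expected_server" ]; then
    echo "FAIL: server is '$server', expected '$expected_server'" >&2; rc=1
  fi
  return "$rc"
}
# Constructed fixtures so the check runs offline; the CA body is a placeholder, not a real cert.
make_fixtures() {
  local dir="$1" ca_b64
  mkdir -p "$dir"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CA' '-----END CERTIFICATE-----' >"$dir/ca.pem"
  echo '674c457d4dcf2eefe4920d7dbb6b0ddcc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"' >"$dir/token.csv"
  ca_b64=$(base64 "$dir/ca.pem" | tr -d '\n')
  cat >"$dir/bootstrap.kubeconfig" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $ca_b64
    server: https://192.168.1.13:6443
  name: kubernetes
users:
- name: kubelet-bootstrap
  user:
    token: 674c457d4dcf2eefe4920d7dbb6b0ddcc
EOF
}
# Stand-alone demo on the constructed fixtures; prints OK when all three checks pass.
demo_dir=$(mktemp -d); make_fixtures "$demo_dir"
check_bootstrap_kubeconfig "$demo_dir/bootstrap.kubeconfig" "$demo_dir/token.csv" "$demo_dir/ca.pem" https://192.168.1.13:6443 && echo "bootstrap.kubeconfig OK"
rm -rf "$demo_dir"
```

Run it on the master right after kubeconfig.sh, before the scp step, so a wrong token or a stale ca.pem is caught before the kubelet logs a cryptic authentication failure.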
Approving the Node on the Master so it can join the cluster:
After the kubelet starts, the node has not yet joined the cluster; it must be allowed manually. On the Master, look at the Nodes that have requested a signature.
On the master node:
View the pending CSR requests (kubectl get csr):
Approve the CSR request:
[root@docker kubeconfig]# kubectl certificate approve node-csr-SgU-ybOM3oSGMi_9WJ10D3LXtCp9JNolSrRRchdw7So
certificatesigningrequest.certificates.k8s.io/node-csr-SgU-ybOM3oSGMi_9WJ10D3LXtCp9JNolSrRRchdw7So approved
Verify that the CSR request has gone through:
[root@docker kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-SgU-ybOM3oSGMi_9WJ10D3LXtCp9JNolSrRRchdw7So   9m48s   kubelet-bootstrap   Approved,Issued
View the node:
[root@docker kubeconfig]# kubectl get node
NAME           STATUS     ROLES    AGE   VERSION
192.168.1.23   NotReady   <none>   8s    v1.12.3
[root@docker kubeconfig]# kubectl get node
NAME           STATUS   ROLES    AGE   VERSION
192.168.1.23   Ready    <none>   11s   v1.12.3
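Approving by hand is fine for two nodes, but the approval step is also where a request from an unexpected identity should be noticed. The helper below is an added example (not from the original post) that reads the four-column table kubectl get csr prints above and separates pending kubelet-bootstrap requests, which TLS bootstrapping creates, from pending requests by anyone else; the function names and the two PLACEHOLDER CSR names are constructed for this example.

```shell
#!/bin/bash
# Added helper, not part of the original post. It reads the table "kubectl get csr" prints
# (NAME AGE REQUESTOR CONDITION, the layout shown above) and separates requests that are
# safe to approve in bulk from those a person should look at first.
# Pending requests made by the kubelet-bootstrap user: exactly what TLS bootstrapping creates.
pending_bootstrap_csrs() {
  awk 'NR > 1 && $3 == "kubelet-bootstrap" && $4 == "Pending" { print $1 }'
}
# Pending requests from any other identity: not produced by a bootstrapping kubelet, so they
# deserve a look (kubectl describe csr <name>) rather than blanket approval.
unexpected_pending_csrs() {
  awk 'NR > 1 && $3 != "kubelet-bootstrap" && $4 == "Pending" { print $1 }'
}
# Constructed sample of the table; the two PLACEHOLDER names are made up for this demo.
SAMPLE_CSR_TABLE='NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-SgU-ybOM3oSGMi_9WJ10D3LXtCp9JNolSrRRchdw7So   9m48s   kubelet-bootstrap   Approved,Issued
node-csr-PLACEHOLDER-node2                             12s     kubelet-bootstrap   Pending
csr-PLACEHOLDER-manual                                 3m      system:admin        Pending'
sample_pending_bootstrap() { printf '%s\n' "$SAMPLE_CSR_TABLE" | pending_bootstrap_csrs; }
sample_unexpected_pending() { printf '%s\n' "$SAMPLE_CSR_TABLE" | unexpected_pending_csrs; }
# On the master the live pipeline is (not run here):
#   kubectl get csr | pending_bootstrap_csrs | xargs -r -n1 kubectl certificate approve
#   kubectl get csr | unexpected_pending_csrs      # review these by hand first
echo "approve:"; sample_pending_bootstrap
echo "review :"; sample_unexpected_pending
```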
Deploying the kube-proxy component
Run the script (it creates the kube-proxy config file and the kube-proxy.service unit):
[root@docker cfg]# cd /opt/kubernetes/cfg
[root@docker cfg]# cat proxy.sh
#—————————–start—————————————————————-
#!/bin/bash
NODE_ADDRESS=$1
if [ -z "$NODE_ADDRESS" ]; then
  echo "usage: $0 <node-ip>" >&2
  exit 1
fi
# kube-proxy command-line options, read by the systemd unit through EnvironmentFile
cat <<EOF >/opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=${NODE_ADDRESS} \
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF
# systemd unit; \$KUBE_PROXY_OPTS is escaped so the literal variable name is written into the unit
cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
#—————————–end—————————————————————-
Run the script: sh proxy.sh 192.168.1.23
Verify that kube-proxy has started:
Deploying node2 (192.168.1.24)
1. Copy the whole kubernetes directory from node1 (192.168.1.23):
scp -r kubernetes/ 192.168.1.24:/opt/
2. Copy the systemd unit files:
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service 192.168.1.24:/usr/lib/systemd/system/
3. On node2, change the IP:
cd /opt/kubernetes/cfg
Change the address in kubelet, kubelet.config and kube-proxy to 192.168.1.24 (and, as the summary below notes, remove the ssl/* certificates that were issued to node1 so that node2 requests its own)
4. Start:
systemctl start kubelet
systemctl start kube-proxy
systemctl enable kube-proxy
systemctl enable kubelet
5. Verify
6. Join the cluster

Single-cluster deployment summary
Before deploying, stop firewalld on all nodes (systemctl stop firewalld) and synchronise their clocks with Internet time.
1. Self-sign the ETCD certificates
2. Deploy ETCD
3. Install Docker on the Nodes
4. Deploy Flannel (write the subnet into etcd first)
5. Self-sign the APIServer certificate
6. Deploy the APIServer component (token.csv)
7. Deploy the controller-manager (pointing at the apiserver certificate) and scheduler components
8. Generate the kubeconfig files (bootstrap.kubeconfig and kube-proxy.kubeconfig)
9. Deploy the kubelet component (kubectl create clusterrolebinding kubelet-bootstrap …)
10. Deploy the kube-proxy component
11. kubectl get csr && kubectl certificate approve to allow the certificate to be issued and the node to join the cluster
12. Add another Node (delete the ssl/* certificates already issued on the first Node; change the Node IP in kubelet, kubelet.config and kube-proxy)