Building an Enterprise Container Cloud on Kubernetes

Preface

Our team has DBAs, operations engineers and Python developers. Because requesting virtual machines means going through another department (the company's private cloud team), I started wondering whether the VMs we had already been granted could be carved into finer-grained, isolated slices for our own team members, that is, whether we could build a Docker container cloud on top of the private cloud. So I looked into Kubernetes to see whether it offered a way forward. Kubernetes is abbreviated K8s: the eight letters between the K and the s are dropped.

Kubernetes architecture

Kubernetes is a container management platform (it supports more than just Docker).

A Kubernetes cluster is made up of Kubernetes Master nodes together with Node (worker) nodes.

 

1. Kubernetes Master components

kubectl: the command-line tool that controls Kubernetes

API Server: the external management interface, based on a REST API

Scheduler: schedules tasks (creating a group of containers) onto a chosen Node

Controller Manager: the controller manager contains, among others, a replication controller (if a client asks for 3 containers, it checks whether 3 were actually created on the nodes)

etcd: the etcd cluster stores all of the data of the Kubernetes cluster

 

2. Node components

kubelet: the agent the master places on each Node; it manages Pods along with their containers, images, volumes and so on, and thereby manages the node

kube-proxy: provides network proxying and load balancing for the web services running in containers; supports iptables and LVS

Docker Engine: performs the actual creation and management of containers on the node

 

3. Kubernetes workflow

Suppose I use the kubectl command line to create a group of containers. Roughly which steps are involved?

A. kubectl submits the command to the API Server

B. The Scheduler picks up the task and works out the best node

C. The API Server notifies the agent (kubelet) on that node

D. The kubelet calls the Docker engine to actually create the containers

 

Lab environment preparation

This article covers installing Kubernetes 1.10.1 on CentOS 7.

 

 

1. Set the VMware Workstation network to NAT mode

2. Rename the network interface and set a static IP address

Rename the interface's ifcfg file:

[root@remote network-scripts]# cd /etc/sysconfig/network-scripts/
[root@remote network-scripts]# mv ifcfg-ens33 ifcfg-eth0

Add net.ifnames=0 biosdevname=0 to the kernel command line in /etc/default/grub so that the kernel names the interface eth0:

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"

Regenerate the GRUB configuration:

[root@localhost network-scripts]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-514.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-eb3d805e301049b0a680718a9cc3bec0
Found initrd image: /boot/initramfs-0-rescue-eb3d805e301049b0a680718a9cc3bec0.img

Edit /etc/sysconfig/network-scripts/ifcfg-eth0 with a static address:

TYPE="Ethernet"
BOOTPROTO="static"
DEFROUTE="yes"
PEERDNS="no"
PEERROUTES="yes"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
IPADDR="192.168.56.11"
NETMASK="255.255.255.0"
GATEWAY="192.168.56.2"
DNS1="8.8.8.8"

Reboot.

 

3. Disable the firewalld and SELinux services

Permanently disable SELinux by setting SELINUX=disabled in /etc/sysconfig/selinux:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Switch the running system to permissive mode and stop firewalld:

[root@localhost zhanggen]# setenforce 0
[root@localhost zhanggen]# getenforce
Permissive
[root@localhost zhanggen]# systemctl stop firewalld

 

4. System environment preparation

Install Docker from the Aliyun docker-ce mirror:

[root@linux-node1 ~]# cd /etc/yum.repos.d/
[root@linux-node1 yum.repos.d]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@linux-node1 ~]# yum install -y docker-ce
[root@linux-node1 ~]# systemctl start docker

 

5. Installation packages

The Kubernetes installation packages are split into:

kubernetes.tar.gz                       source package

kubernetes-server-linux-amd64.tar.gz    server package

kubernetes-node-linux-amd64.tar.gz      node package

kubernetes-client-linux-amd64.tar.gz    client tools package

Move the Kubernetes packages to /usr/local/src/:

[root@linux-node1 桌面]# mv k8s-v1.10.1-manual /usr/local/src/
[root@linux-node1 src]# cd /usr/local/src/k8s-v1.10.1-manual/
[root@linux-node1 k8s-v1.10.1-manual]# ls
k8s-v1.10.1
[root@linux-node1 k8s-v1.10.1-manual]# cd k8s-v1.10.1/
[root@linux-node1 k8s-v1.10.1]# ls
cfssl-certinfo_linux-amd64       flannel-v0.10.0-linux-amd64.tar.gz
cfssljson_linux-amd64            kubernetes-client-linux-amd64.tar.gz
cfssl_linux-amd64                kubernetes-node-linux-amd64.tar.gz
cni-plugins-amd64-v0.7.1.tgz     kubernetes-server-linux-amd64.tar.gz
etcd-v3.2.18-linux-amd64.tar.gz  kubernetes.tar.gz
[root@linux-node1 k8s-v1.10.1]#

 

6. Kubernetes deployment directories

One directory each for configuration files, binaries, SSL certificates and logs:

mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

 

7. Add the Kubernetes binaries to the PATH

Append /opt/kubernetes/bin to PATH in ~/.bash_profile and reload it:

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin:/opt/kubernetes/bin

export PATH

source ~/.bash_profile

 

 

Installing Kubernetes 1.10.1 on CentOS 7

The Kubernetes project is written in Go, so it ships as a set of pre-compiled binaries; installing them requires no compilation.

The awkward part is that Kubernetes components communicate with each other over TLS, so a certificate has to be generated and distributed for every component that is installed.

Download the packages -> copy them to the installation directory -> write the configuration files -> generate the certificates -> distribute the certificates -> start the services

 

Creating and distributing the cluster CA certificate

Since Kubernetes 1.8.x, deployments require TLS certificates to encrypt communication.

This part installs cfssl, generates the certificates into /usr/local/src/ssl, and then distributes them to the other nodes.

 

1. Install cfssl

[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@linux-node1 src]# chmod +x cfssl*
[root@linux-node1 src]# mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@linux-node1 src]# mv cfssljson_linux-amd64  /opt/kubernetes/bin/cfssljson
[root@linux-node1 src]# mv cfssl_linux-amd64  /opt/kubernetes/bin/cfssl
--------------- sync to the other nodes ---------------------------------------------------------------
[root@linux-node1 bin]# scp /opt/kubernetes/bin/cfssl* 192.168.56.12:/opt/kubernetes/bin
root@192.168.56.12's password: 
cfssl-certinfo                                       100% 6441KB   6.3MB/s   00:00    
cfssljson      

 

2. Create the certificate directory

[root@linux-node1 src]# mkdir -p /usr/local/src/ssl
[root@linux-node1 src]# cd /usr/local/src/ssl
[root@linux-node1 ssl]# pwd
/usr/local/src/ssl

 

3. Write the CA signing configuration

The kubernetes profile lets certificates issued under it serve for both server and client authentication and gives them a one-year (8760h) validity.

vim /usr/local/src/ssl/ca-config.json

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

 

4. Write the CA certificate signing request

vim /usr/local/src/ssl/ca-csr.json

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

5. Generate the CA certificate

[root@linux-node1 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/04/28 11:09:23 [INFO] generating a new CA key and certificate from CSR
2019/04/28 11:09:23 [INFO] generate received request
2019/04/28 11:09:23 [INFO] received CSR
2019/04/28 11:09:23 [INFO] generating key: rsa-2048
2019/04/28 11:09:23 [INFO] encoded CSR
2019/04/28 11:09:23 [INFO] signed certificate with serial number 201551104749556046170924668398043154803671249365

 

6. Copy the certificates generated in /usr/local/src/ssl to /opt/kubernetes/ssl on this machine and on the other nodes

[root@linux-node1 ssl]#  cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
[root@linux-node1 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.12:/opt/kubernetes/ssl 
root@192.168.56.12's password: 
ca.csr                                               100% 1001     1.0KB/s   00:00    
ca.pem                                               100% 1359     1.3KB/s   00:00    
ca-key.pem                                           100% 1679     1.6KB/s   00:00    
ca-config.json                                       100%  283     0.3KB/s   00:00    

 

etcd cluster deployment

The etcd cluster plays a role similar to ZooKeeper's distributed coordination service in the Hadoop ecosystem;
it can also be described as a distributed key-value store designed specifically for distributed systems.

 

0. Prepare the etcd package

wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# cd etcd-v3.2.18-linux-amd64
[root@linux-node1 etcd-v3.2.18-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin/ 
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.56.12:/opt/kubernetes/bin/
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.56.13:/opt/kubernetes/bin/

 

 

1. Create the etcd certificate signing request

Communication within the etcd cluster is also authenticated with the CA certificate, so use the self-signed CA set up above to issue the etcd certificate and distribute it to the other nodes.

[root@linux-node1 ~]# vim etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.56.11",
    "192.168.56.12",
    "192.168.56.13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

2. Generate the etcd certificate and private key

[root@linux-node1 ~]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
The following certificate files are generated:
[root@k8s-master ~]# ls -l etcd*
-rw-r--r-- 1 root root 1045 Mar  5 11:27 etcd.csr
-rw-r--r-- 1 root root  257 Mar  5 11:25 etcd-csr.json
-rw------- 1 root root 1679 Mar  5 11:27 etcd-key.pem
-rw-r--r-- 1 root root 1419 Mar  5 11:27 etcd.pem

 

3. Move the certificates into /opt/kubernetes/ssl

[root@k8s-master ~]# cp etcd*.pem /opt/kubernetes/ssl
[root@linux-node1 ~]# scp etcd*.pem 192.168.56.12:/opt/kubernetes/ssl
[root@linux-node1 ~]# scp etcd*.pem 192.168.56.13:/opt/kubernetes/ssl
[root@k8s-master ~]# rm -f etcd.csr etcd-csr.json

 

4. Write the etcd configuration file and distribute it to the other nodes

The file below is etcd-node1's; each member needs its own ETCD_NAME and its own IP address in the listen and advertise URLs.

[root@linux-node1 ~]# vim /opt/kubernetes/cfg/etcd.conf
#[member]
ETCD_NAME="etcd-node1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.56.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.56.11:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.56.11:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd-node1=https://192.168.56.11:2380,etcd-node2=https://192.168.56.12:2380,etcd-node3=https://192.168.56.13:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.56.11:2379"
#[security]
# etcd only reads variables with the ETCD_ prefix; require client certificates on both ports
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
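The post shows only etcd-node1's file, yet the copies shipped to the other members have to carry that member's own name and address. The following Python is an added example (not code from the post or from etcd): it renders one etcd.conf per member from a single member table and lints a file for the consistency rules that matter before distribution. The member names and addresses are those of the post; everything else (the function names, the list of unprefixed keys it warns about) is this example's own.

```python
"""Render per-member etcd.conf files and lint them before distribution.

Added example (Python); not part of the original post or of etcd.
render_etcd_conf() writes one member's file from a shared member table,
so ETCD_NAME and the URLs always match; check_etcd_conf() verifies the
rules etcd enforces (name must appear in ETCD_INITIAL_CLUSTER with the
advertised peer URL) and the ones it silently ignores (variables without
the ETCD_ prefix are simply not read).
"""

# Member table taken from the ETCD_INITIAL_CLUSTER line of the post.
MEMBERS = {
    "etcd-node1": "192.168.56.11",
    "etcd-node2": "192.168.56.12",
    "etcd-node3": "192.168.56.13",
}
SSL_DIR = "/opt/kubernetes/ssl"

# etcd reads only ETCD_-prefixed variables; these spellings are ignored without any message.
UNPREFIXED = {"CLIENT_CERT_AUTH", "PEER_CLIENT_CERT_AUTH"}


def render_etcd_conf(name, members, ssl_dir=SSL_DIR):
    """Produce /opt/kubernetes/cfg/etcd.conf for the member called `name`."""
    ip = members[name]
    initial_cluster = ",".join(f"{n}=https://{a}:2380" for n, a in members.items())
    return "\n".join([
        "#[member]",
        f'ETCD_NAME="{name}"',
        'ETCD_DATA_DIR="/var/lib/etcd/default.etcd"',
        f'ETCD_LISTEN_PEER_URLS="https://{ip}:2380"',
        f'ETCD_LISTEN_CLIENT_URLS="https://{ip}:2379,https://127.0.0.1:2379"',
        "#[cluster]",
        f'ETCD_INITIAL_ADVERTISE_PEER_URLS="https://{ip}:2380"',
        f'ETCD_INITIAL_CLUSTER="{initial_cluster}"',
        'ETCD_INITIAL_CLUSTER_STATE="new"',
        'ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"',
        f'ETCD_ADVERTISE_CLIENT_URLS="https://{ip}:2379"',
        "#[security]",
        'ETCD_CLIENT_CERT_AUTH="true"',
        f'ETCD_TRUSTED_CA_FILE="{ssl_dir}/ca.pem"',
        f'ETCD_CERT_FILE="{ssl_dir}/etcd.pem"',
        f'ETCD_KEY_FILE="{ssl_dir}/etcd-key.pem"',
        'ETCD_PEER_CLIENT_CERT_AUTH="true"',
        f'ETCD_PEER_TRUSTED_CA_FILE="{ssl_dir}/ca.pem"',
        f'ETCD_PEER_CERT_FILE="{ssl_dir}/etcd.pem"',
        f'ETCD_PEER_KEY_FILE="{ssl_dir}/etcd-key.pem"',
        "",
    ])


def parse_env_file(text):
    """KEY="value" lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_etcd_conf(text):
    """Return a list of problems; an empty list means the file is consistent."""
    conf = parse_env_file(text)
    problems = []
    for key in sorted(UNPREFIXED.intersection(conf)):
        problems.append(f"{key} is ignored by etcd; use ETCD_{key}")
    name = conf.get("ETCD_NAME", "")
    peers = dict(m.split("=", 1) for m in conf.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in m)
    if name not in peers:
        problems.append(f"ETCD_NAME {name!r} is not listed in ETCD_INITIAL_CLUSTER")
    elif peers[name] != conf.get("ETCD_INITIAL_ADVERTISE_PEER_URLS"):
        problems.append("ETCD_INITIAL_ADVERTISE_PEER_URLS does not match this member's ETCD_INITIAL_CLUSTER entry")
    for key in ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS", "ETCD_ADVERTISE_CLIENT_URLS"):
        for url in conf.get(key, "").split(","):
            if url and not url.startswith("https://"):
                problems.append(f"{key} uses plaintext URL {url}")
    for key in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
        if conf.get(key) != "true":
            problems.append(f"{key} is not enabled")
    return problems


# Constructed slip: node1's file adapted for node2 by changing only ETCD_NAME.
HALF_EDITED = render_etcd_conf("etcd-node1", MEMBERS).replace('"etcd-node1"', '"etcd-node2"')

if __name__ == "__main__":
    for member in MEMBERS:
        print(member, "->", check_etcd_conf(render_etcd_conf(member, MEMBERS)) or "ok")
    print("half-edited copy ->", check_etcd_conf(HALF_EDITED))
```

Running it prints "ok" for the three rendered files and reports the advertise-URL mismatch for the half-edited copy, the mistake that otherwise only shows up as a member that never joins.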

 

5. Create the etcd systemd service

[root@linux-node1 ~]# vim /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/opt/kubernetes/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/kubernetes/bin/etcd"

[Install]
WantedBy=multi-user.target

 

6. Reload systemd, distribute the files and start etcd

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable etcd

Copy the configuration and the unit file to the other members:
# scp /opt/kubernetes/cfg/etcd.conf 192.168.56.12:/opt/kubernetes/cfg/
# scp /etc/systemd/system/etcd.service 192.168.56.12:/etc/systemd/system/
# scp /opt/kubernetes/cfg/etcd.conf 192.168.56.13:/opt/kubernetes/cfg/
# scp /etc/systemd/system/etcd.service 192.168.56.13:/etc/systemd/system/

Create the etcd data directory on every node and start etcd:
[root@linux-node1 ~]# mkdir /var/lib/etcd
[root@linux-node1 ~]# systemctl start etcd
[root@linux-node1 ~]# systemctl status etcd

 

7. Verify the cluster

[root@linux-node1 ~]# etcdctl --endpoints=https://192.168.56.11:2379 \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health
member 435fb0a8da627a4c is healthy: got healthy result from https://192.168.56.12:2379
member 6566e06d7343e1bb is healthy: got healthy result from https://192.168.56.11:2379
member ce7b884e428b6c8c is healthy: got healthy result from https://192.168.56.13:2379
cluster is healthy

 

Kubernetes Master node deployment

The Kubernetes Master consists mainly of three services:

API Server: the hub for data exchange and communication between Kubernetes components.
Only the API server may operate on the etcd cluster; every other module queries or modifies data indirectly through the API server.

Scheduler: assigns Pods (the logical unit in Kubernetes, wrapping one or more containers) to the cluster's nodes.

Controller Manager: made up of a series of controllers; it watches the state of the whole cluster through the API server and keeps the cluster in the desired state.

 

Deploying the Kubernetes API server

0. Prepare the binaries

[root@linux-node1 ~]# cd /usr/local/src/kubernetes
[root@linux-node1 kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/
[root@linux-node1 kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/
[root@linux-node1 kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/

 

1. Create the JSON file for the CSR

The hosts list must contain every address and name clients will use to reach the API server: the master's IP, the first address of the service network (10.1.0.1, the cluster IP of the kubernetes Service) and the in-cluster DNS names.

vim /usr/local/src/ssl/kubernetes-csr.json

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.56.11",
    "10.1.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

2. Generate the kubernetes certificate and private key

The certificate and key are placed in /opt/kubernetes/ssl/ and copied to the other nodes:

[root@linux-node1 src]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
[root@linux-node1 src]# cp kubernetes*.pem /opt/kubernetes/ssl/
[root@linux-node1 ~]# scp kubernetes*.pem 192.168.56.12:/opt/kubernetes/ssl/
[root@linux-node1 ~]# scp kubernetes*.pem 192.168.56.13:/opt/kubernetes/ssl/
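Both CSRs in this post (etcd-csr.json and kubernetes-csr.json) stand or fall on their hosts lists: a TLS client rejects the server certificate unless the IP or DNS name it dialled is among the certificate's SANs, and cfssl copies the hosts list into the SANs verbatim. The following Python is an added example (not code from the post or from cfssl) that derives the required hosts from the cluster parameters the post uses and reports anything missing from a CSR. The service CIDR 10.1.0.0/16 and the addresses come from the post; the extra master address 192.168.56.14 is a constructed value used only to show a failing check.

```python
"""Check that a cfssl CSR's "hosts" list covers every name clients will use.

Added example (Python); not part of the original post or of cfssl.
The five DNS names in kubernetes-csr.json are the successive prefixes of
kubernetes.default.svc.cluster.local, and 10.1.0.1 is the first usable
address of --service-cluster-ip-range, which the kubernetes Service
always receives; both are derived here instead of being typed by hand.
"""
import ipaddress
import json

# CSRs copied from the post (names block omitted; it does not affect SANs).
KUBERNETES_CSR = """
{
  "CN": "kubernetes",
  "hosts": ["127.0.0.1", "192.168.56.11", "10.1.0.1",
            "kubernetes", "kubernetes.default", "kubernetes.default.svc",
            "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"],
  "key": {"algo": "rsa", "size": 2048}
}
"""
ETCD_CSR = """
{
  "CN": "etcd",
  "hosts": ["127.0.0.1", "192.168.56.11", "192.168.56.12", "192.168.56.13"],
  "key": {"algo": "rsa", "size": 2048}
}
"""


def service_dns_names(service="kubernetes", namespace="default", cluster_domain="cluster.local"):
    """Every prefix of <service>.<namespace>.svc.<cluster_domain> that a Pod may resolve."""
    labels = [service, namespace, "svc"] + cluster_domain.split(".")
    return [".".join(labels[:i]) for i in range(1, len(labels) + 1)]


def apiserver_cluster_ip(service_cidr):
    """First usable address of the service range: 10.1.0.0/16 -> 10.1.0.1."""
    return str(ipaddress.ip_network(service_cidr)[1])


def required_apiserver_hosts(bind_addresses, service_cidr, cluster_domain="cluster.local"):
    """Loopback, every listening address, the Service cluster IP and the DNS names."""
    hosts = {"127.0.0.1", apiserver_cluster_ip(service_cidr)}
    hosts.update(bind_addresses)
    hosts.update(service_dns_names(cluster_domain=cluster_domain))
    return hosts


def required_etcd_hosts(member_ips):
    """Loopback plus every member address; peers and clients dial all of them."""
    return {"127.0.0.1", *member_ips}


def missing_sans(csr_text, required_hosts):
    """Required hosts absent from the CSR's hosts list, sorted."""
    present = set(json.loads(csr_text).get("hosts", []))
    return sorted(set(required_hosts) - present)


if __name__ == "__main__":
    needed = required_apiserver_hosts(["192.168.56.11"], "10.1.0.0/16")
    print("kubernetes-csr.json missing:", missing_sans(KUBERNETES_CSR, needed))
    # Constructed: a second master at 192.168.56.14 would need a reissued certificate.
    needed_ha = required_apiserver_hosts(["192.168.56.11", "192.168.56.14"], "10.1.0.0/16")
    print("after adding a master:", missing_sans(KUBERNETES_CSR, needed_ha))
    print("etcd-csr.json missing:", missing_sans(ETCD_CSR, required_etcd_hosts(["192.168.56.11", "192.168.56.12", "192.168.56.13"])))
```

The same check applies whenever a master or an etcd member is added later: a host that is not in the SANs means the certificate has to be reissued, not just copied.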

 

3. Create the client token file used by kube-apiserver

Generate a random token and write it to /opt/kubernetes/ssl/bootstrap-token.csv:

[root@linux-node1 ~]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
ad6d5bb607a186796d8861557df0d17f
[root@linux-node1 ~]# vim /opt/kubernetes/ssl/bootstrap-token.csv
ad6d5bb607a186796d8861557df0d17f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

 

4. Create the basic username/password authentication file

Write the password file /opt/kubernetes/ssl/basic-auth.csv (one password,user,uid record per line):

vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2
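Both files the API server is about to be pointed at (--token-auth-file and --basic-auth-file) are plain CSV with the secret in the first column, the user name and uid next, and an optional quoted group list. The following Python is an added example (not code from the post or from Kubernetes) that generates a bootstrap token the way the od pipeline does, parses both files, lints them, and performs the lookup the API server makes when a client presents a bearer token. The sample records are the two files shown in the post; the password rule (not equal to the user name, at least 12 characters) is this example's own threshold.

```python
"""Generate, parse and check kube-apiserver's static credential files.

Added example (Python); not part of the original post or of Kubernetes.
bootstrap-token.csv lines:  token,user,uid[,"group1,group2"]
basic-auth.csv lines:       password,user,uid[,"group1,group2"]
The csv module keeps a quoted group list as a single field.
"""
import csv
import hmac
import io
import re
import secrets

TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # 16 random bytes as hex, as od -t x prints them

# The two files from the post, embedded as sample input.
TOKEN_FILE = 'ad6d5bb607a186796d8861557df0d17f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n'
BASIC_AUTH_FILE = "admin,admin,1\nreadonly,readonly,2\n"


def new_bootstrap_token():
    """Equivalent of head -c 16 /dev/urandom | od -An -t x | tr -d ' '."""
    return secrets.token_hex(16)


def token_csv_line(token, user="kubelet-bootstrap", uid="10001", groups=("system:kubelet-bootstrap",)):
    """One bootstrap-token.csv record with the group list quoted."""
    return f'{token},{user},{uid},"{",".join(groups)}"\n'


def parse_auth_file(text):
    """Records as dicts with keys secret, user, uid, groups (a list)."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        if len(row) < 3:
            raise ValueError(f"malformed line: {row}")
        groups = [g for g in row[3].split(",") if g] if len(row) > 3 else []
        records.append({"secret": row[0], "user": row[1], "uid": row[2], "groups": groups})
    return records


def lint_token_file(text):
    """Tokens that are not 32 lowercase hex characters (too short to be safe, or mistyped)."""
    return [f"token for {r['user']} is not 32 hex characters"
            for r in parse_auth_file(text) if not TOKEN_RE.match(r["secret"])]


def lint_basic_auth_file(text):
    """Passwords equal to the user name or shorter than 12 characters."""
    return [f"weak password for user {r['user']}"
            for r in parse_auth_file(text) if r["secret"] == r["user"] or len(r["secret"]) < 12]


def authenticate_token(text, presented):
    """Bearer-token lookup: the matching record yields the identity (user, uid,
    groups) the authorizer then sees; None means the request is unauthenticated.
    The comparison is constant-time so timing does not leak partial matches."""
    for rec in parse_auth_file(text):
        if hmac.compare_digest(rec["secret"], presented):
            return {"user": rec["user"], "uid": rec["uid"], "groups": rec["groups"]}
    return None


if __name__ == "__main__":
    print("token file:", lint_token_file(TOKEN_FILE) or "ok")
    print("basic auth:", lint_basic_auth_file(BASIC_AUTH_FILE))
    print("identity:", authenticate_token(TOKEN_FILE, "ad6d5bb607a186796d8861557df0d17f"))
    print("fresh record:", token_csv_line(new_bootstrap_token()), end="")
```

The identity returned for the post's token is user kubelet-bootstrap in group system:kubelet-bootstrap, which is exactly what the clusterrolebinding created later in the Node section grants the node-bootstrapper role to; the basic-auth lint flags both sample entries.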

 

5. Create the Kubernetes API Server systemd unit

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=192.168.56.11 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
  --service-cluster-ip-range=10.1.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://192.168.56.11:2379,https://192.168.56.12:2379,https://192.168.56.13:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/log/api-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Note:

Port 6443 on 192.168.56.11 is the API server's externally reachable socket; it requires authentication.
Port 8080 on 127.0.0.1 is used for communication with the Controller Manager and Scheduler on the same node; it requires no authentication.
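The note above is the whole point of several flags in the unit: anonymous requests off, Node and RBAC authorization, the unauthenticated insecure port bound only to loopback, NodeRestriction admission, a client CA, TLS to etcd and an audit log. The following Python is an added example (not code from the post or from Kubernetes) that parses the ExecStart= line of such a unit and checks those settings, then runs the same audit over a constructed weakened copy. The unit text is a trimmed copy of the one above; the default values assumed for absent flags (anonymous-auth true, authorization-mode AlwaysAllow, insecure-port 8080) are those of kube-apiserver 1.10.

```python
"""Audit the security-relevant flags of a kube-apiserver systemd unit.

Added example (Python); not part of the original post or of Kubernetes.
parse_exec_start() joins the backslash continuations and turns the
ExecStart= arguments into a flag dictionary; audit_apiserver_flags()
applies the checks, treating a missing flag as its 1.10 default.
"""
import shlex

# Constructed, trimmed copy of the unit shown in the post.
UNIT = r"""
[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=192.168.56.11 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --anonymous-auth=false \
  --enable-bootstrap-token-auth \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
  --audit-log-path=/opt/kubernetes/log/api-audit.log \
  --v=2
Restart=on-failure
"""

# Constructed weakened variant: anonymous access allowed and the insecure port on every interface.
WEAK_UNIT = UNIT.replace("--anonymous-auth=false", "--anonymous-auth=true").replace(
    "--insecure-bind-address=127.0.0.1", "--insecure-bind-address=0.0.0.0")


def parse_exec_start(unit_text):
    """Return (binary, {flag: value}) from the unit's ExecStart= directive.

    A flag given without '=' (e.g. --enable-bootstrap-token-auth) is recorded as "true".
    """
    joined = unit_text.replace("\\\n", " ")  # fold continuation lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            argv = shlex.split(line[len("ExecStart="):])
            flags = {}
            for arg in argv[1:]:
                name, eq, value = arg.lstrip("-").partition("=")
                flags[name] = value if eq else "true"
            return argv[0], flags
    raise ValueError("no ExecStart= directive found")


def audit_apiserver_flags(flags):
    """List of findings; an empty list means every check passed."""
    findings = []
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled")
    modes = set(flags.get("authorization-mode", "AlwaysAllow").split(","))
    if not {"Node", "RBAC"} <= modes:
        findings.append("authorization-mode lacks Node,RBAC")
    insecure = flags.get("insecure-bind-address", "127.0.0.1")
    if insecure not in ("127.0.0.1", "::1") and flags.get("insecure-port", "8080") != "0":
        findings.append(f"unauthenticated insecure port is reachable on {insecure}")
    if "NodeRestriction" not in flags.get("admission-control", "").split(","):
        findings.append("NodeRestriction admission plugin missing")
    for needed in ("client-ca-file", "etcd-cafile", "etcd-certfile", "etcd-keyfile"):
        if not flags.get(needed):
            findings.append(f"{needed} not set")
    if not flags.get("audit-log-path"):
        findings.append("audit logging disabled")
    return findings


def audit_unit(unit_text):
    return audit_apiserver_flags(parse_exec_start(unit_text)[1])


if __name__ == "__main__":
    print("post's unit:", audit_unit(UNIT) or "ok")
    print("weakened unit:", audit_unit(WEAK_UNIT))
```

The weakened copy produces two findings; the first (anonymous access) is the one that turns an exposed port into an unauthenticated API, which is why the post both disables it and keeps port 8080 on loopback.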

 

6. Start the API Server service

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable kube-apiserver
[root@linux-node1 ~]# systemctl start kube-apiserver
Check the API Server service status:
[root@linux-node1 ~]# systemctl status kube-apiserver

 

Deploying the Controller Manager service

1. Create the kube-controller-manager systemd unit

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --allocate-node-cidrs=true \
  --service-cluster-ip-range=10.1.0.0/16 \
  --cluster-cidr=10.2.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/opt/kubernetes/ssl/ca.pem \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Note: kube-controller-manager listens on the local interface only, at 127.0.0.1:10252.

 

2. Start the Controller Manager service

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 scripts]# systemctl enable kube-controller-manager
[root@linux-node1 scripts]# systemctl start kube-controller-manager

 

Deploying the Kubernetes Scheduler

1. Create the kube-scheduler systemd unit

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

2. Start the Kubernetes Scheduler

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 scripts]# systemctl enable kube-scheduler
[root@linux-node1 scripts]# systemctl start kube-scheduler
[root@linux-node1 scripts]# systemctl status kube-scheduler

 

Deploying the kubectl command-line tool

Besides programs that call the API server directly, a K8s cluster can be managed through the kubectl command line.

1. Prepare the binary

[root@linux-node1 ~]# cd /usr/local/src/kubernetes/client/bin
[root@linux-node1 bin]# cp kubectl /opt/kubernetes/bin/

 

2. Create the admin certificate signing request

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

 

3. Generate the admin certificate and private key

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes admin-csr.json | cfssljson -bare admin
[root@linux-node1 ssl]# ls -l admin*
-rw-r--r-- 1 root root 1009 Mar  5 12:29 admin.csr
-rw-r--r-- 1 root root  229 Mar  5 12:28 admin-csr.json
-rw------- 1 root root 1675 Mar  5 12:29 admin-key.pem
-rw-r--r-- 1 root root 1399 Mar  5 12:29 admin.pem

[root@linux-node1 src]# mv admin*.pem /opt/kubernetes/ssl/

 

如下操做都是爲了幫你在當前用戶加目錄下生成1個config文件,該文件在kuberctl 和api通訊就使用這個文件進行加密 

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.56.11:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQzVENDQXNXZ0F3SUJBZ0lVRlNwVzZHcCt6YmtmaloyeDZFMFpGS01mTkpnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEU1TURReU9URTBNall3TUZvWERUSXdNRFF5T0RFME1qWXdNRm93YXpFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RnpBVgpCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVE4d0RRWURWUVFMRXdaVGVYTjBaVzB4RGpBTUJnTlZCQU1UCkJXRmtiV2x1TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6bzFtSEtrdW54OWMKTVFEUlBuTVpMUEd4S250UHFPcjhKKzRGNlRtWmlnTHg5aElXR2lCSHNxQUZPUEhJU3VtTnc1RWE4S29aNDMzRQp6UnM1dnpZUnVRRGE0MDVRcHJrNHhOMzMzeFFSZ204Snk4c2tocUU3WjlqTWxYTGpHVEhtM0txWWIrNXE0SWdZCkUwemNLNVNkdHdvSTVUcVZpYjVZYkNNbVdkLzhEVGlLMW11cGhmZ1dWVytiUWdnLzhrdmVxM0JqbXZhTmJTZTIKRTVrVjBaN01DV2lqQUFML1hkL2YvQjE1MklJOUdwTnNxKy9sQWFFZm9tM0N4bHlPR285YzJMamhqcG9MdUpXTgp5U2hYN3duQjIzUlp0L3ZBb2pqQlUweWYwN0pkNE5DcFVlRGg5TXVUS01FOGhQT21TbzdSaHRPR0hPM2NDK2JkCng3NUFQcE9tRFFJREFRQUJvMzh3ZlRBT0JnTlZIUThCQWY4RUJBTUNCYUF3SFFZRFZSMGxCQll3RkFZSUt3WUIKQlFVSEF3RUdDQ3NHQVFVRkJ3TUNNQXdHQTFVZEV3RUIvd1FDTUFBd0hRWURWUjBPQkJZRUZPdDFlNXo3OS9rdwo5QVU4dEhhcm9TOWs4bnpCTUI4R0ExVWRJd1FZTUJhQUZOMVkwb2RsSThvd0c2dlBvNmNydCt2Zko1R0NNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFDdGpJYWZaeWlYWHhyU2lzM3Z4TWk2MGJDeXRTekkvWEhzcFhyWUR3bnUKRlBxNkJDSzQrbXpvUDREcVhWVTR1NG5PZzhncDFXa0QyVk12YWphUjlUOFRDbUt0NEhFSWR4ai9uSTU0ekJZUAp2eTRrRXVrbUhyWXFPTlRBT1pKMzAzQWxFQUNZRFFQNTFTU3poaThDak15N3NWdmdlUkdCOVo1WVV1TitCaFFpCmxsWm5nVXBHVlBNT0dhMUVYdlY5T01GajVWQ2taa2l1dk5NVzFOWFUvTzNXQVNoWUhhK21NNzJJTHVWdDhJOWMKRlFqTk9rUjNFamU1eHpvOTNEVFMwZGZtbFRXc3dPK0grM3pEcVFKZU9KSzNyYnROeEM2Z0ZLcUl3dHZsOUF0awpkQ2N0YzcveXdTT0NObVc4WDc1azRvaXhNY3RvamVFc3FjMWw5SnBMR1dwMwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBem8xbUhLa3VueDljTVFEUlBuTVpMUEd4S250UHFPcjhKKzRGNlRtWmlnTHg5aElXCkdpQkhzcUFGT1BISVN1bU53NUVhOEtvWjQzM0V6UnM1dnpZUnVRRGE0MDVRcHJrNHhOMzMzeFFSZ204Snk4c2sKaHFFN1o5ak1sWExqR1RIbTNLcVliKzVxNElnWUUwemNLNVNkdHdvSTVUcVZpYjVZYkNNbVdkLzhEVGlLMW11cApoZmdXVlcrYlFnZy84a3ZlcTNCam12YU5iU2UyRTVrVjBaN01DV2lqQUFML1hkL2YvQjE1MklJOUdwTnNxKy9sCkFhRWZvbTNDeGx5T0dvOWMyTGpoanBvTHVKV055U2hYN3duQjIzUlp0L3ZBb2pqQlUweWYwN0pkNE5DcFVlRGgKOU11VEtNRThoUE9tU283Umh0T0dITzNjQytiZHg3NUFQcE9tRFFJREFRQUJBb0lCQUJxbllucm1WZzdRbEN2NgpxQVhBQW9xck1hcUN1UmZhSXVuZ0xFRVpYcmZSZzNtMmdjV2pUcjA5S3c5YkcvYVd4dVZxcnloSk93Z0JMY2t0Cjd6aStlSEVBTEQ3UzExTjhhVmYyTU10SG9xN0xOMTlsK25PcEVLcG83cFdHZXNuQWg4TUgvSjNORFZ1bUZEMUIKV05RQzNJdEhMeml0WTZpZnVIZFQzZG9STGt4aU9TTUZaQ3l0cG9hRkJtc0I4dVBtSXcvajduTHRpWklGRko0eApaZ1pEaXRWTnM5c25xMFNlWVpKZVJvQm5sS0w1QmhpL2VJZDNnd3dONlplZ0ptbnFlVytydXZqUVEzV2pyNXVPCnNncFVWbDZVOW1aN1ZNYXVVWEdZVHA2Qk1UaFFKWlVUQVl5bzZGMzE3blZaRndWVWJ3WnZEU0VXM0I0VzVNS0cKZHRsY3ZpRUNnWUVBNElNOFhxNHozdTlTeVBYZFZEdER4MUNkbkZVak5TMHZ1R0E4ZGpFUGFNbng1STVpTnpFeQpwTjhrUnpaWEVHSW55b3pFVzlzOStHSjJwb3VxZnRJV3pOYUxmZUFRbzBzU3lSTmtuclNsLzlLaERFdWN6alNECkM0dURsb3poTGRmb3VWZi9BdE02SldkWDVZN3ByQXdLcFhkSjJCNU5vQXRxeGxqbnpjeU9zSWtDZ1lFQTY0VlQKMHNHc2tabkVwUUx1ZVIxSkZYSm5qSTA4R01rVFhlU1U0KzJrZzRWdkJTRmxBNzBiOUtaL2l4L3BOcUhveFVYbQpSSTdwUE1GWUJJcU93MFZxdjViN3daQzJnTXgzUWczUUpaRURZb2hZblpFZ3M5UUZyb1NmT2M1dm1seForSG02CmNLN2pkalI5OFFBcHdDd1JVR08vc2lyeFV0UGRnZW16TTFZSUFHVUNnWUFBaFUxbWl0RGorM29kclRST05iVDYKaVYxVU4zNVZhVDFyR0E0TDJDRkpCTzdpc05IWmZ1dTNKaTFYWFBEbXdOT0d6THpIMmNKVENTZHRTM1doeGFyMwozcWVFS3pqZXFCWHJFWGh5UmNqOHh1aEl0d1F1RmtFWGpjTklYaHRIbC9DYVBYSUI5NnR5MnNLQmJjdHM4cm96Cm1Bczd6Ull4QU5YR2ovNDVvL2ZRd1FLQmdRQ0p0Q1MwZjBTVXhPRXkwYW40Nm1TR3c2TkRqSGhzelhRalc3aXEKSTVJaXkrdURobWozYktSaHdNK2wybnlTMHN1MFBCQk1XWHFKYVVvN0xZQVhNQWtnQi9rZXphdkhWc1VMdStQTgpjeUlWaEQ2N3NkVDdENlpheVhRSGFtbmFTTkRaOU9KTGJCWFdVUTZwMER5WS9hc0o0Nmg3Vlp4UG4weE4zd1JGCnFiRjMrUUtCZ1FEYXhTRzgvU1RsNmk
yeitIY0F2c25lem1iVXJ6QmFKc3BJM3NOMG9tQ1IvZVJXcTM5dVk5VTEKODk2VXVBQ3RDTnk4VS9EWkY3RnNsakpOK3FkYjYrVXNlN0FZRTVEejlxTDl1SFI2am80dHZoNzFTUkFreE9nRgptSCtDMnJkbDNzdStPU2ZHTlQ4dzFId2dBaDFIdExJRHVsNTFvekduTGFOWWNzNjZ0M0lQbHc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
[root@linux-node1 ~]# ^C
[root@linux-node1 ~]# pwd
/root
[root@linux-node1 ~]# cat /root/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUR2akNDQXFhZ0F3SUJBZ0lVSTAzZE5wWjExNmVWc0hEdUY2RDZjb29sTWRVd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pURUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbAphVXBwYm1jeEREQUtCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByCmRXSmxjbTVsZEdWek1CNFhEVEU1TURReU9EQXpNRFF3TUZvWERUSTBNRFF5TmpBek1EUXdNRm93WlRFTE1Ba0cKQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdUQjBKbGFVcHBibWN4RURBT0JnTlZCQWNUQjBKbGFVcHBibWN4RERBSwpCZ05WQkFvVEEyczRjekVQTUEwR0ExVUVDeE1HVTNsemRHVnRNUk13RVFZRFZRUURFd3ByZFdKbGNtNWxkR1Z6Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBeG10WHBRZVpxUUxaRnpyQ0dwRFUKUE9JNDlFclZSd3ZaV2toMmVYSzZsMVpCTXZSWGY0QTczbHU5UkdpanErZ3EwRGNsSmMwWHRoSXNJMlVUNFJ4Qwp5QlpGNzIyVmkrZHlDTHNnUHFYSFFTYUVVVDdQeGhIOUt6c0dMbWV6M0YwUUJCbWNXNU00clJ5U2E1VDYxbkpnCm5QWmQvdjVFZ1VEMDI2TldFcWM2aWp0blVvQ1hFdDFteDRhbWE1YTk1OFBQTm5OSXVJUlFSUnp6Z1U0L3NFVGQKSUpPR2l2N043RysrdWU0Z3pLemZPRFJUU0FDK1FUVnB6c0RNN05sY29ITWpnOGNSL0ZxYWVjQXJoZ05xckxPbQpMamoxUjZDR0d3a2FnUG40SWhGQVkxamJQVXBHSnRQSkN4RlUzY0RQeXQrVEZwblFOVmxCYmMrWE5HTGo0QkFUCkx3SURBUUFCbzJZd1pEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCL3dJQkFqQWQKQmdOVkhRNEVGZ1FVM1ZqU2gyVWp5akFicTgranB5dTM2OThua1lJd0h3WURWUjBqQkJnd0ZvQVUzVmpTaDJVagp5akFicTgranB5dTM2OThua1lJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFMaHdXWExjMmMyREprRW41Y2VrClhxQlJqbXNIVVhKYzhiQWN5aXBrL0Y5OXBKaDRoYjJCMXcvd011aGdTZStRWFptSFVhZUdWbFZJUGhuTkMxM00KallnajZGenM4RGJXbVQ4TWViVHJtVXVjMSttMnQ1clpSdENDeGZocHdhSmJHcURPU29vYUpBVWdvdWdVS00vQQppU2t2N3J6OC9BYjdramFNY2ZFRzJsbmEzdkNXRXhUTW9PL2V3RkR3THZnWUgxMXcybU9ZSjRSV1gxaUFlNVlxCnAzclRscVdQNmM3U1RsNkpyem1EOVUwWkpkMzQ0SmNxcDFORkNpUzJYcGZIdFMySkhxRVVVN1Y4Zi81RzRkeWIKcmRQYVRNNGJsZzlaWUMvcGtlbUZoRjIvRm50Y3hrQVhzWXR4eUVzOVdHeHZyK0JvRnJqeXBpdzlhMDNLeVlDTwo3NGM9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://192.168.56.11:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: admin
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: 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
    client-key-data: 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
[root@linux-node1 ~]# cat /root/.kube/config

 

[root@linux-node1 src]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://192.168.56.11:6443
Cluster "kubernetes" set.
4.設置集羣參數

 

[root@linux-node1 src]# kubectl config set-credentials admin \
   --client-certificate=/opt/kubernetes/ssl/admin.pem \
   --embed-certs=true \
   --client-key=/opt/kubernetes/ssl/admin-key.pem
User "admin" set.
5.設置客戶端認證參數

 

[root@linux-node1 src]# kubectl config set-context kubernetes \
   --cluster=kubernetes \
   --user=admin
Context "kubernetes" created.
6.設置上下文參數

 

[root@linux-node1 src]# kubectl config use-context kubernetes
Switched to context "kubernetes".
7.設置默認上下文

 

[root@linux-node1 ~]#  kubectl get cs
NAME                 STATUS      MESSAGE                                                                     ERROR
scheduler            Healthy     ok                                                                          
controller-manager   Healthy     ok                                                                          
etcd-1               Unhealthy   Get https://192.168.56.12:2379/health: remote error: tls: bad certificate   
etcd-2               Unhealthy   Get https://192.168.56.13:2379/health: remote error: tls: bad certificate   
etcd-0               Healthy     {"health": "true"}                                                          
[root@linux-node1 ~]# 
8.使用kubectl工具

 

Node deployment

The Master components are now deployed, but a commander without troops cannot get anything done, so the Node components come next.

Node deployment mainly covers kubelet (the master's agent) and kube-proxy (which provides load balancing).

 

1. Prepare the binaries: copy kubelet and kube-proxy from linux-node1 to every node

[root@linux-node1 ~]# cd /usr/local/src/kubernetes/server/bin/
[root@linux-node1 bin]# cp kubelet kube-proxy /opt/kubernetes/bin/
[root@linux-node1 bin]# scp kubelet kube-proxy 192.168.56.12:/opt/kubernetes/bin/
[root@linux-node1 bin]# scp kubelet kube-proxy 192.168.56.13:/opt/kubernetes/bin/

 

2. Create the role binding

[root@linux-node1 ~]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding "kubelet-bootstrap" created

 

Switch to /usr/local/src/ssl. The following steps generate a bootstrap.kubeconfig file and copy it to /opt/kubernetes/cfg.

When a node starts its kubelet service, the kubelet presents bootstrap.kubeconfig and sends a POST request asking for its CSR to be verified, so whenever a Node is added later this file has to be copied to it as well.

3. Create the kubelet bootstrapping kubeconfig file

Set the cluster parameters:
[root@linux-node1 ~]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://192.168.56.11:6443 \
   --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
Set the context parameters:
[root@linux-node1 ~]# kubectl config set-context default \
   --cluster=kubernetes \
   --user=kubelet-bootstrap \
   --kubeconfig=bootstrap.kubeconfig
Context "default" created.
Select the default context:
[root@linux-node1 ~]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".
Copy the file to every node:
[root@linux-node1 kubernetes]# cp bootstrap.kubeconfig /opt/kubernetes/cfg
[root@linux-node1 kubernetes]# scp bootstrap.kubeconfig 192.168.56.12:/opt/kubernetes/cfg
[root@linux-node1 kubernetes]# scp bootstrap.kubeconfig 192.168.56.13:/opt/kubernetes/cfg
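The admin kubeconfig built in the kubectl section and the bootstrap.kubeconfig built here have the same shape and differ only in the user entry: the admin authenticates with an embedded client certificate, the kubelet with the bearer token from bootstrap-token.csv. The following Python is an added example (not code from the post or from kubectl) that constructs both structures the way the kubectl config commands do, which also makes clear what --embed-certs=true puts into the *-data fields. One caveat it makes visible: the bootstrap steps above never run kubectl config set-credentials kubelet-bootstrap --token=<token> --kubeconfig=bootstrap.kubeconfig, so the file they produce has no credential for the user its context names; credential_kind() returns "none" for such a file. The PEM strings and the server address are constructed stand-ins; the token is the one shown in the post.

```python
"""Build the admin and the kubelet-bootstrap kubeconfig structures.

Added example (Python); not part of the original post or of kubectl.
--embed-certs=true base64-encodes the whole PEM file into the *-data
fields, which is what the long blobs in ~/.kube/config are. The result
is emitted as JSON; JSON is valid YAML, so kubectl loads it unchanged.
"""
import base64
import json

# Constructed stand-ins for the PEM files cfssl produced in the post.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructedCA\n-----END CERTIFICATE-----\n"
ADMIN_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIDconstructedAdmin\n-----END CERTIFICATE-----\n"
ADMIN_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKey\n-----END RSA PRIVATE KEY-----\n"
SERVER = "https://192.168.56.11:6443"
BOOTSTRAP_TOKEN = "ad6d5bb607a186796d8861557df0d17f"  # from bootstrap-token.csv in the post


def embed(pem_bytes):
    """What --embed-certs=true stores: base64 of the PEM file on one line."""
    return base64.b64encode(pem_bytes).decode("ascii")


def base_kubeconfig(cluster, server, ca_pem, context, user):
    """set-cluster (with embedded CA) + set-context + use-context, no credentials yet."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster,
                      "cluster": {"server": server, "certificate-authority-data": embed(ca_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
        "users": [],
    }


def admin_kubeconfig(server, ca_pem, cert_pem, key_pem):
    """~/.kube/config from the kubectl section: user admin with an embedded client certificate."""
    cfg = base_kubeconfig("kubernetes", server, ca_pem, "kubernetes", "admin")
    cfg["users"].append({"name": "admin", "user": {
        "client-certificate-data": embed(cert_pem), "client-key-data": embed(key_pem)}})
    return cfg


def bootstrap_kubeconfig(server, ca_pem, token):
    """bootstrap.kubeconfig: context default, user kubelet-bootstrap carrying the bearer token."""
    cfg = base_kubeconfig("kubernetes", server, ca_pem, "default", "kubelet-bootstrap")
    cfg["users"].append({"name": "kubelet-bootstrap", "user": {"token": token}})
    return cfg


def credential_kind(cfg):
    """How the current context authenticates: 'client-cert', 'token' or 'none'."""
    ctx = next(c for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    user = next((u for u in cfg["users"] if u["name"] == ctx["context"]["user"]), None)
    if user is None:
        return "none"
    if "client-certificate-data" in user["user"]:
        return "client-cert"
    if "token" in user["user"]:
        return "token"
    return "none"


def decode_embedded_ca(cfg):
    """Recover the CA PEM from certificate-authority-data (the reverse of embed)."""
    return base64.b64decode(cfg["clusters"][0]["cluster"]["certificate-authority-data"])


if __name__ == "__main__":
    admin = admin_kubeconfig(SERVER, CA_PEM, ADMIN_CERT_PEM, ADMIN_KEY_PEM)
    boot = bootstrap_kubeconfig(SERVER, CA_PEM, BOOTSTRAP_TOKEN)
    without_creds = base_kubeconfig("kubernetes", SERVER, CA_PEM, "default", "kubelet-bootstrap")
    print(json.dumps(boot, indent=2))
    print(credential_kind(admin), credential_kind(boot), credential_kind(without_creds))
```

Running it prints the bootstrap kubeconfig as JSON and then "client-cert token none": the last value is what the file produced by the three commands above amounts to until the set-credentials step adds the token.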

 

4. Deploy kubelet: enable CNI on all Nodes

[root@linux-node2 ~]# mkdir -p /etc/cni/net.d
[root@linux-node2 ~]# vim /etc/cni/net.d/10-default.conf
{
        "name": "flannel",
        "type": "flannel",
        "delegate": {
            "bridge": "docker0",
            "isDefaultGateway": true,
            "mtu": 1400
        }
}

 

5. Create the kubelet directory

[root@linux-node2 ~]# mkdir /var/lib/kubelet

 

6. Create the kubelet service configuration on each node

[root@k8s-node2 ~]# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \
  --address=192.168.56.12 \
  --hostname-override=192.168.56.12 \
  --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
  --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
  --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
  --cert-dir=/opt/kubernetes/ssl \
  --network-plugin=cni \
  --cni-conf-dir=/etc/cni/net.d \
  --cni-bin-dir=/opt/kubernetes/bin/cni \
  --cluster-dns=10.1.0.2 \
  --cluster-domain=cluster.local. \
  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
  --fail-swap-on=false \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

[root@k8s-node3 ~]# vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \
  --address=192.168.56.13 \
  --hostname-override=192.168.56.13 \
  --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
  --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
  --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
  --cert-dir=/opt/kubernetes/ssl \
  --network-plugin=cni \
  --cni-conf-dir=/etc/cni/net.d \
  --cni-bin-dir=/opt/kubernetes/bin/cni \
  --cluster-dns=10.1.0.2 \
  --cluster-domain=cluster.local. \
  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
  --fail-swap-on=false \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
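The kubelet units are enabled with systemctl in the next step, so it pays to check them mechanically before that. The script below is an added example and not part of the original post: it reads a unit file on stdin, reports any flag that appears more than once on the ExecStart line (the Go flag parser keeps the last value, so the earlier occurrence is silently ignored and usually hides a typo), and warns when the unit has no [Install] section, which makes `systemctl enable` fail. The unit text embedded in it is constructed for this example to mirror the shape of a kubelet.service with a repeated --logtostderr and no [Install] section.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a kubelet/kube-proxy
# systemd unit before enabling it.  Two things are checked:
#   1. a flag repeated on the ExecStart line (Go's flag parser keeps the LAST
#      value, so the earlier one is silently ignored and usually hides a typo);
#   2. a missing [Install] section, without which `systemctl enable` fails.

# Unit text constructed for this example.  It mirrors the shape of a kubelet.service
# in which --logtostderr is given twice and there is no [Install] section.
SAMPLE_UNIT='[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \
  --address=192.168.56.12 \
  --hostname-override=192.168.56.12 \
  --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
  --logtostderr=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5'

# repeated_flags  (unit on stdin): prints each --flag that occurs more than once.
repeated_flags() {
    awk '/^[ \t]*--/ { name = $1; sub(/=.*/, "", name); count[name]++ }
         END { for (n in count) if (count[n] > 1) print n }' | sort
}

# effective_flag_value FLAG  (unit on stdin): the value the binary actually sees,
# i.e. the last one given.  Handles --flag=value, --flag value and a bare --flag.
effective_flag_value() {
    awk -v flag="$1" '
        /^[ \t]*--/ {
            name = $1; val = ""
            if (index(name, "=") > 0) { val = name; sub(/^[^=]*=/, "", val); sub(/=.*/, "", name) }
            else if (NF >= 2 && $2 != "\\") { val = $2 }
            else { val = "true" }
            if (name == flag) last = val
        }
        END { print last }'
}

# has_install_section  (unit on stdin): exit 0 if an [Install] section exists.
has_install_section() {
    grep -q '^\[Install\]'
}

# check_unit  (unit on stdin): print findings, exit 0 only if there are none.
check_unit() {
    unit=$(cat)
    rc=0
    for f in $(printf '%s\n' "$unit" | repeated_flags); do
        v=$(printf '%s\n' "$unit" | effective_flag_value "$f")
        echo "WARN: $f is given more than once; the effective value is '$v'"
        rc=1
    done
    if ! printf '%s\n' "$unit" | has_install_section; then
        echo "WARN: no [Install] section; 'systemctl enable' has nothing to link"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no findings"
    return "$rc"
}

# Offline demonstration on the constructed unit (both findings fire).
printf '%s\n' "$SAMPLE_UNIT" | check_unit || true
```

Run it against a real unit with `check_unit < /usr/lib/systemd/system/kubelet.service`; a non-zero exit means something to fix before `systemctl enable`.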

 

7. Start the kubelet on the nodes

[root@linux-node2 ~]# systemctl daemon-reload
[root@linux-node2 ~]# systemctl enable kubelet
[root@linux-node2 ~]# systemctl start kubelet
[root@linux-node2 kubernetes]# systemctl status kubelet

 

8. Check the CSR requests on the master node

Note: this is run on linux-node1 (the master node).

[root@linux-node1 ~]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-0_w5F1FM_la_SeGiu3Y5xELRpYUjjT2icIFk9gO9KOU   1m        kubelet-bootstrap   Pending

You can see that the CSR sent by the node is in the Pending state; next we approve the kubelet TLS certificate requests.

[root@linux-node1 ssl]# kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs kubectl certificate approve
[root@linux-node1 ssl]# kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-YgMzRMD3GrQsJdEUwAKMDp6Zazi-NU_h28DmOlohevc   5m        kubelet-bootstrap   Approved,Issued
node-csr-mu9Ptdy93UCSoGLrk--AVrG1DxKImzgTv5O3kYL1TQE   6m        kubelet-bootstrap   Approved,Issued

The CSRs move from the Pending state to the Approved state.

At the same time, a certificate named kubelet-client.crt is generated in the /opt/kubernetes/ssl directory on the node.
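Approving every Pending CSR with xargs, as above, also approves any request that did not come from the bootstrap identity. The added example below (not part of the original post) narrows the approval to rows of `kubectl get csr` that are both Pending and requested by the kubelet-bootstrap user. The listing embedded in it is constructed for the example: the first two rows reuse CSR names from the listing above, the last row is a hypothetical request from some other identity. The kubectl calls live only inside approve_pending_bootstrap_csrs, which the script itself does not run.

```shell
#!/bin/sh
# Added example, not part of the original post: approve only the kubelet bootstrap
# CSRs we expect instead of approving every Pending CSR blindly.
# `kubectl get csr` prints the columns NAME AGE REQUESTOR CONDITION; a row is
# eligible only if it is Pending AND was submitted by the bootstrap identity.

# Listing constructed for this example; the node-csr names are taken from the post,
# the last row is a hypothetical request from some other identity.
SAMPLE_CSR_LIST='NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-0_w5F1FM_la_SeGiu3Y5xELRpYUjjT2icIFk9gO9KOU   1m        kubelet-bootstrap   Pending
node-csr-mu9Ptdy93UCSoGLrk--AVrG1DxKImzgTv5O3kYL1TQE   6m        kubelet-bootstrap   Approved,Issued
csr-constructed-other-1                                2m        some-other-user     Pending'

# pending_bootstrap_csrs USER  (listing on stdin)
# Prints the NAME of every CSR that is Pending and whose REQUESTOR is USER.
pending_bootstrap_csrs() {
    awk -v user="$1" 'NR > 1 && $3 == user && $4 == "Pending" { print $1 }'
}

# approve_pending_bootstrap_csrs USER
# Reads the live listing from kubectl and approves only the filtered names.
# With DRY_RUN=1 it prints what it would approve instead of approving.
approve_pending_bootstrap_csrs() {
    names=$(kubectl get csr | pending_bootstrap_csrs "$1")
    if [ -z "$names" ]; then
        echo "no pending CSRs from $1"
        return 0
    fi
    for n in $names; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would approve: $n"
        else
            kubectl certificate approve "$n"
        fi
    done
}

# Offline demonstration on the constructed listing: exactly one row qualifies;
# the already Approved one and the foreign Pending one are both left alone.
printf '%s\n' "$SAMPLE_CSR_LIST" | pending_bootstrap_csrs kubelet-bootstrap
```

On the master, `DRY_RUN=1 approve_pending_bootstrap_csrs kubelet-bootstrap` shows what would be approved; drop DRY_RUN to approve for real. Anything left Pending afterwards came from an identity you did not expect and deserves a look before it is approved.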

 

9. Check the node status

[root@linux-node1 ssl]# kubectl get node
NAME            STATUS     ROLES     AGE       VERSION
192.168.56.11   NotReady   <none>    8h        v1.10.1
192.168.56.12   Ready      <none>    4m        v1.10.1
192.168.56.13   Ready      <none>    4m        v1.10.1

 

Deploy the Kubernetes Proxy

1. Configure kube-proxy to use LVS (install the IPVS tooling)

[root@linux-node2 ~]# yum install -y ipvsadm ipset conntrack

 

2. Create the kube-proxy certificate request

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ~]# vim kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

3. Generate the certificate

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

 

4. Distribute the certificate to all nodes

[root@linux-node1 ssl]# cp kube-proxy*.pem /opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kube-proxy*.pem 192.168.56.12:/opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kube-proxy*.pem 192.168.56.13:/opt/kubernetes/ssl/

 

5. Create the kube-proxy kubeconfig file

These commands only serve to generate a kube-proxy.kubeconfig file.
[root@linux-node2 ~]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://192.168.56.11:6443 \
   --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.

[root@linux-node2 ~]# kubectl config set-credentials kube-proxy \
   --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
   --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
   --embed-certs=true \
   --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.

[root@linux-node2 ~]# kubectl config set-context default \
   --cluster=kubernetes \
   --user=kube-proxy \
   --kubeconfig=kube-proxy.kubeconfig
Context "default" created.

[root@linux-node2 ~]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

 

6. Distribute the kubeconfig file to the nodes

[root@linux-node1 ssl]# cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
[root@linux-node1 ~]# scp kube-proxy.kubeconfig 192.168.56.12:/opt/kubernetes/cfg/
[root@linux-node1 ~]# scp kube-proxy.kubeconfig 192.168.56.13:/opt/kubernetes/cfg/

 

7. Create the kube-proxy service configuration

[root@linux-node2 bin]# mkdir /var/lib/kube-proxy

[root@k8s-node2 ~]# vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \
  --bind-address=192.168.56.12 \
  --hostname-override=192.168.56.12 \
  --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig \
  --masquerade-all \
  --feature-gates=SupportIPVSProxyMode=true \
  --proxy-mode=ipvs \
  --ipvs-min-sync-period=5s \
  --ipvs-sync-period=5s \
  --ipvs-scheduler=rr \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

8. Start the Kubernetes Proxy

[root@linux-node2 ~]# systemctl daemon-reload
[root@linux-node2 ~]# systemctl enable kube-proxy
[root@linux-node2 ~]# systemctl start kube-proxy

 

9. Check the kube-proxy service status

[root@linux-node2 cfg]# systemctl status kube-proxy
● kube-proxy.service - Kubernetes Kube-Proxy Server
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-04-30 08:50:57 CST; 13min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 28022 (kube-proxy)
   Memory: 38.1M
   CGroup: /system.slice/kube-proxy.service
           ‣ 28022 /opt/kubernetes/bin/kube-proxy --bind-address=192.168.56.12 --hos...

Apr 30 08:50:57 linux-node2.example.com systemd[1]: kube-proxy.service holdoff time....
Apr 30 08:50:57 linux-node2.example.com systemd[1]: Started Kubernetes Kube-Proxy S....
Apr 30 08:50:57 linux-node2.example.com systemd[1]: Starting Kubernetes Kube-Proxy ....
Hint: Some lines were ellipsized, use -l to show in full.
[root@linux-node2 cfg]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr persistent 10800
  -> 192.168.56.11:6443           Masq    1      0          0         
[root@linux-node2 cfg]# 

 

 

Flannel network deployment

Even with every component of the Kubernetes cluster deployed, they cannot communicate without a network!

Pod: a Pod is a logical concept in Kubernetes; what Kubernetes manages directly is not the container but the Pod.
Each Pod contains one or more containers.

If your containers need network connectivity between them, you can run several containers in one Pod; they communicate with each other through the host network shared by the Pod.

Every Pod has an IP address: this replaces the docker0 bridge and implements communication between different containers in Kubernetes.

Replication Controller, abbreviated RC

RC: keeps Pods highly available in Kubernetes; it monitors the running Pods to maintain the specified number of Pod replicas in the cluster.

RS (ReplicaSet): Kubernetes found RC's functionality somewhat limited and upgraded it with new features; RS is the upgraded version of RC.

Deployment is an API object with broader applicability than RS: besides guaranteeing the Pod replica count, it can create, update, and roll out services.

RC, RS and Deployment only guarantee the number of Pods backing a service; they do not solve the problem of how to access those services efficiently.
In a K8S cluster, what a client accesses is a Service object, and each Service object corresponds to a virtual IP valid inside the cluster.

Flannel: implements communication between Pods in Kubernetes by wrapping Docker's network; it can assign a different IP segment to each Node.

 

1. Generate a certificate for Flannel

In /usr/local/src/ssl, create flanneld-csr.json with the following content:

{
  "CN": "flanneld",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

 

2. Generate the certificate

[root@linux-node1 ~]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld

 

3. Distribute the certificate

[root@linux-node1 ~]# cp flanneld*.pem /opt/kubernetes/ssl/
[root@linux-node1 ~]# scp flanneld*.pem 192.168.56.12:/opt/kubernetes/ssl/
[root@linux-node1 ~]# scp flanneld*.pem 192.168.56.13:/opt/kubernetes/ssl/

 

4. Download the Flannel package

[root@linux-node1 ~]# cd /usr/local/src
# wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf flannel-v0.10.0-linux-amd64.tar.gz
[root@linux-node1 src]# cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/
Copy to the linux-node2 and linux-node3 nodes
[root@linux-node1 src]# scp flanneld mk-docker-opts.sh 192.168.56.12:/opt/kubernetes/bin/
[root@linux-node1 src]# scp flanneld mk-docker-opts.sh 192.168.56.13:/opt/kubernetes/bin/
Copy the corresponding script to the /opt/kubernetes/bin directory.
[root@linux-node1 ~]# cd /usr/local/src/kubernetes/cluster/centos/node/bin/
[root@linux-node1 bin]# cp remove-docker0.sh /opt/kubernetes/bin/
[root@linux-node1 bin]# scp remove-docker0.sh 192.168.56.12:/opt/kubernetes/bin/
[root@linux-node1 bin]# scp remove-docker0.sh 192.168.56.13:/opt/kubernetes/bin/

 

5. Configure Flannel

[root@linux-node1 ~]# vim /opt/kubernetes/cfg/flannel
FLANNEL_ETCD="-etcd-endpoints=https://192.168.56.11:2379,https://192.168.56.12:2379,https://192.168.56.13:2379"
FLANNEL_ETCD_KEY="-etcd-prefix=/kubernetes/network"
FLANNEL_ETCD_CAFILE="--etcd-cafile=/opt/kubernetes/ssl/ca.pem"
FLANNEL_ETCD_CERTFILE="--etcd-certfile=/opt/kubernetes/ssl/flanneld.pem"
FLANNEL_ETCD_KEYFILE="--etcd-keyfile=/opt/kubernetes/ssl/flanneld-key.pem"
Copy the configuration to the other nodes
[root@linux-node1 ~]# scp /opt/kubernetes/cfg/flannel 192.168.56.12:/opt/kubernetes/cfg/
[root@linux-node1 ~]# scp /opt/kubernetes/cfg/flannel 192.168.56.13:/opt/kubernetes/cfg/

 

6. Set up the Flannel systemd service

[root@linux-node1 ~]# vim /usr/lib/systemd/system/flannel.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
Before=docker.service

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/flannel
ExecStartPre=/opt/kubernetes/bin/remove-docker0.sh
ExecStart=/opt/kubernetes/bin/flanneld ${FLANNEL_ETCD} ${FLANNEL_ETCD_KEY} ${FLANNEL_ETCD_CAFILE} ${FLANNEL_ETCD_CERTFILE} ${FLANNEL_ETCD_KEYFILE}
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -d /run/flannel/docker

Type=notify

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

 

7. Copy the service unit to the other nodes

scp /usr/lib/systemd/system/flannel.service 192.168.56.12:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/flannel.service 192.168.56.13:/usr/lib/systemd/system/

 

8. Integrate Flannel with CNI

https://github.com/containernetworking/plugins/releases
wget https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz
[root@linux-node1 ~]# mkdir /opt/kubernetes/bin/cni
[root@linux-node1 src]# tar zxf cni-plugins-amd64-v0.7.1.tgz -C /opt/kubernetes/bin/cni
# scp -r /opt/kubernetes/bin/cni/* 192.168.56.12:/opt/kubernetes/bin/cni/
# scp -r /opt/kubernetes/bin/cni/* 192.168.56.13:/opt/kubernetes/bin/cni/

Create the etcd key holding Flannel's network configuration

/opt/kubernetes/bin/etcdctl --ca-file /opt/kubernetes/ssl/ca.pem \
      --cert-file /opt/kubernetes/ssl/flanneld.pem --key-file /opt/kubernetes/ssl/flanneld-key.pem \
      --no-sync -C https://192.168.56.11:2379,https://192.168.56.12:2379,https://192.168.56.13:2379 \
      mk /kubernetes/network/config '{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "VNI": 1 }}' >/dev/null 2>&1

 

9. Start flannel

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable flannel
[root@linux-node1 ~]# chmod +x /opt/kubernetes/bin/*
[root@linux-node1 ~]# systemctl start flannel
[root@linux-node1 ~]# systemctl status flannel

 

10. Modify the Docker configuration so that Docker uses Flannel

[root@linux-node1 ~]# vim /usr/lib/systemd/system/docker.service
[Unit] # under [Unit], change After and add Requires
After=network-online.target firewalld.service flannel.service
Wants=network-online.target
Requires=flannel.service

[Service] # add EnvironmentFile=-/run/flannel/docker
Type=notify
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/bin/dockerd $DOCKER_OPTS

 

11. Sync the Docker configuration to the other nodes

scp /usr/lib/systemd/system/docker.service 192.168.56.12:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/docker.service 192.168.56.13:/usr/lib/systemd/system/

 

12. Restart Docker

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl restart docker

 

13. Test by creating a K8S application

[root@linux-node1 ssl]# kubectl run net-test --image=alpine --replicas=2 sleep 360000
deployment.apps "net-test" created
[root@linux-node1 ssl]# kubectl get pod -o wide
NAME                        READY     STATUS              RESTARTS   AGE       IP        NODE
net-test-5767cb94df-mkj4p   0/1       ContainerCreating   0          10s       <none>    192.168.56.12
net-test-5767cb94df-q8vbt   0/1       ContainerCreating   0          10s       <none>    192.168.56.13
[root@linux-node1 ssl]# kubectl get pod -o wide
NAME                        READY     STATUS              RESTARTS   AGE       IP        NODE
net-test-5767cb94df-mkj4p   0/1       ContainerCreating   0          27s       <none>    192.168.56.12
net-test-5767cb94df-q8vbt   0/1       ContainerCreating   0          27s       <none>    192.168.56.13
[root@linux-node1 ssl]#  kubectl get pod -o wide
NAME                        READY     STATUS    RESTARTS   AGE       IP           NODE
net-test-5767cb94df-mkj4p   1/1       Running   0          50s       10.2.101.2   192.168.56.12
net-test-5767cb94df-q8vbt   1/1       Running   0          50s       10.2.34.2    192.168.56.13
[root@linux-node1 ssl]# ping 10.2.101.2
PING 10.2.101.2 (10.2.101.2) 56(84) bytes of data.
64 bytes from 10.2.101.2: icmp_seq=1 ttl=63 time=1.88 ms
64 bytes from 10.2.101.2: icmp_seq=2 ttl=63 time=0.400 ms
64 bytes from 10.2.101.2: icmp_seq=3 ttl=63 time=0.348 ms
64 bytes from 10.2.101.2: icmp_seq=4 ttl=63 time=0.406 ms
^C
--- 10.2.101.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.348/0.760/1.889

If the containers end up in the Running state, your K8S cluster is fully set up.
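The pod IPs 10.2.101.2 and 10.2.34.2 above come from the 10.2.0.0/16 range written to etcd for Flannel in step 8, which is the concrete sign that Flannel, CNI and the kubelet agree. The added example below (not part of the original post) turns that eyeball check into a script: pure-sh IPv4 CIDR arithmetic plus a filter over `kubectl get pod -o wide` output that prints any Running pod whose IP is missing or outside the expected range. The two listings embedded in it are constructed for the example; the first mirrors the Running output above, the second adds a hypothetical pod on the default Docker bridge range (172.17.0.2), which is what you would see if Docker were restarted without the Flannel options.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that the pod IPs handed out
# by Flannel/CNI fall inside the Network written to etcd (10.2.0.0/16 in the post).
# Pure POSIX sh: no ipcalc, no python.

# ip_to_int A.B.C.D  -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# ip_in_cidr IP NET/BITS  -> exit 0 if IP lies inside NET/BITS
ip_in_cidr() {
    ip_n=$(ip_to_int "$1")
    net_n=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# pods_outside_cidr NET/BITS  (output of `kubectl get pod -o wide` on stdin)
# Prints "NAME IP" for every Running pod whose IP is missing or outside the range;
# no output means every running pod got an address from the Flannel network.
pods_outside_cidr() {
    cidr=$1
    awk 'NR > 1 && $3 == "Running" { print $1, $6 }' | while read -r name ip; do
        case $ip in
            *.*.*.*) ip_in_cidr "$ip" "$cidr" || echo "$name $ip" ;;
            *)       echo "$name $ip" ;;
        esac
    done
}

# Listing constructed for this example, mirroring the Running state shown above.
SAMPLE_PODS='NAME                        READY     STATUS    RESTARTS   AGE       IP           NODE
net-test-5767cb94df-mkj4p   1/1       Running   0          50s       10.2.101.2   192.168.56.12
net-test-5767cb94df-q8vbt   1/1       Running   0          50s       10.2.34.2    192.168.56.13'

# Second constructed listing with a hypothetical pod that still sits on the
# default Docker bridge range, i.e. Docker was restarted without the Flannel options.
SAMPLE_PODS_BAD="$SAMPLE_PODS
net-test-constructed-bad    1/1       Running   0          50s       172.17.0.2   192.168.56.12"

echo "pods outside 10.2.0.0/16 in the good listing (expected: none):"
printf '%s\n' "$SAMPLE_PODS" | pods_outside_cidr 10.2.0.0/16
echo "pods outside 10.2.0.0/16 in the bad listing:"
printf '%s\n' "$SAMPLE_PODS_BAD" | pods_outside_cidr 10.2.0.0/16
```

Against a live cluster, `kubectl get pod -o wide | pods_outside_cidr 10.2.0.0/16` should print nothing; any line it does print names a node whose Docker or CNI setup did not pick up the Flannel network.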