Installing Kubernetes

  • Getting the source code and binaries

Latest release packages: GitHub download address

The 1.10.0 binary package used in this walkthrough: Baidu Netdisk

  • Machine environment

Kubernetes role   IP address        Hostname
Master            192.168.142.161   kubernetes-node1.example.com
Node              192.168.142.162   kubernetes-node2.example.com
Node              192.168.142.163   kubernetes-node3.example.com

Master configuration
  • Configuring the kube-apiserver service

Copy the kube-apiserver binary to /usr/bin,
then edit the systemd unit file:

vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service


[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
LimitNOFILE=65536


[Install]
WantedBy=multi-user.target

Authentication uses mutual (two-way) TLS with CA-signed certificates.
The generation procedure is as follows:

(1) Generate a certificate for kube-apiserver and sign it with the CA certificate.
(2) Configure the certificate-related startup parameters of the kube-apiserver process: the CA certificate (used to verify the signatures on client certificates), plus its own CA-signed certificate and private key.
(3) Generate a certificate for every client process that accesses the Kubernetes API server, also signed by the CA, and add the CA certificate, the client's own certificate and the related parameters to that program's startup arguments.

Setting up the CA certificate files and startup parameters for kube-apiserver

Use the OpenSSL tool on the Master server to create the CA certificate and private key:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

The generated files are:

ca.crt  ca.key  server.key

Create the file /etc/kubernetes/master_ssl.cnf, which is used to generate an X.509 v3 certificate. The main things to set in this file are the Master server's hostname and IP address, and the names of the Kubernetes master Service together with its clusterIP address.

DNS.5 is the Master server's hostname, IP.1 is the cluster IP of the Kubernetes master Service (the first address of the --service-cluster-ip-range used below), and IP.2 is the Master server's IP address.

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = kubernetes-node1.example.com
IP.1 = 169.169.0.1
IP.2 = 192.168.142.161

Generate server.csr and server.crt based on master_ssl.cnf.
When generating server.csr, the name given with /CN in the -subj parameter must be the hostname of the Master:

openssl req -new -key server.key -subj "/CN=kubernetes-node1.example.com" -config /etc/kubernetes/master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile /etc/kubernetes/master_ssl.cnf -out server.crt

There are now 6 files:

ca.crt ca.key ca.srl server.crt server.csr server.key

cp ca.crt ca.key ca.srl server.crt server.csr server.key /var/run/kubernetes/

Two caveats on that copy. kube-apiserver only needs ca.crt, server.crt and server.key at runtime: ca.key is the key that signs every client identity in the cluster and should stay on the signing host (or offline), and ca.srl and server.csr are not needed by any service. Also, /var/run is a symlink to /run, a tmpfs, on CentOS 7, so everything copied there is gone after a reboot; a persistent directory such as /etc/kubernetes/pki (mode 0700, key files 0600) is the usual choice, with the paths in the flags below adjusted to match.
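The following script is an added example and is not part of the original post. It rebuilds the PKI described above in a scratch directory (the cluster CA, the kube-apiserver server certificate with the SAN list from master_ssl.cnf, and CA-signed client certificates of the kind issued later on this page to kube-controller-manager and to the kubelet), then checks each certificate the way the API server will: it must chain to ca.crt, and the server certificate must carry the Service names and IPs as SANs. A certificate from a second, untrusted CA is included as a negative control. Hostnames and IPs are the ones from the machine table; the ca/ subdirectory, the function names and the PKI variable are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Rebuilds the page's PKI in a
# scratch directory and verifies it with openssl. The CA private key is kept in
# its own ca/ directory and is never copied out of it.
set -eu

PKI=${PKI:-$(mktemp -d)}                      # override to keep the output
MASTER_HOST=kubernetes-node1.example.com      # from the page's machine table
MASTER_IP=192.168.142.161
SERVICE_IP=169.169.0.1                        # first IP of --service-cluster-ip-range
DAYS=5000

# Cluster CA. Only ca.crt ever leaves $PKI/ca.
make_ca() {
  mkdir -p "$PKI/ca" "$PKI/master"
  openssl genrsa -out "$PKI/ca/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$PKI/ca/ca.key" -subj "/CN=example.com" \
    -days "$DAYS" -out "$PKI/ca/ca.crt" 2>/dev/null
}

# Server certificate for kube-apiserver with the SAN list from master_ssl.cnf.
make_server_cert() {
  cat > "$PKI/master/master_ssl.cnf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = $MASTER_HOST
IP.1 = $SERVICE_IP
IP.2 = $MASTER_IP
EOF
  openssl genrsa -out "$PKI/master/server.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/master/server.key" -subj "/CN=$MASTER_HOST" \
    -config "$PKI/master/master_ssl.cnf" -out "$PKI/master/server.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/master/server.csr" -CA "$PKI/ca/ca.crt" \
    -CAkey "$PKI/ca/ca.key" -CAcreateserial -days "$DAYS" -extensions v3_req \
    -extfile "$PKI/master/master_ssl.cnf" -out "$PKI/master/server.crt" 2>/dev/null
}

# Client certificate. $1 is the file base name, $2 the CN; with --client-ca-file
# the API server takes the CN as the username of the caller.
make_client_cert() {
  local name=$1 cn=$2
  openssl genrsa -out "$PKI/$name.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$name.key" -subj "/CN=$cn" -out "$PKI/$name.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/ca/ca.crt" -CAkey "$PKI/ca/ca.key" \
    -CAcreateserial -days "$DAYS" -out "$PKI/$name.crt" 2>/dev/null
}

# Negative control: same CN as the Master, but signed by a CA the cluster does not trust.
make_untrusted_client() {
  mkdir -p "$PKI/rogue"
  openssl genrsa -out "$PKI/rogue/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$PKI/rogue/ca.key" -subj "/CN=rogue" -days 1 \
    -out "$PKI/rogue/ca.crt" 2>/dev/null
  openssl genrsa -out "$PKI/rogue/client.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/rogue/client.key" -subj "/CN=$MASTER_HOST" \
    -out "$PKI/rogue/client.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/rogue/client.csr" -CA "$PKI/rogue/ca.crt" \
    -CAkey "$PKI/rogue/ca.key" -CAcreateserial -days 1 -out "$PKI/rogue/client.crt" 2>/dev/null
}

# Checks: chain to the cluster CA, subject CN, presence of a SAN entry.
chains_to_ca() { openssl verify -CAfile "$PKI/ca/ca.crt" "$1" >/dev/null 2>&1; }
cert_cn()      { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF "$2"; }

build_all() {
  make_ca
  make_server_cert
  make_client_cert cs_client "$MASTER_HOST"        # kube-controller-manager / kube-scheduler
  make_client_cert kubelet_client 192.168.142.162  # kubelet / kube-proxy on node2
  make_untrusted_client
}

if [ "${1:-}" = "run" ]; then
  build_all
  for c in "$PKI/master/server.crt" "$PKI/cs_client.crt" "$PKI/kubelet_client.crt" "$PKI/rogue/client.crt"; do
    if chains_to_ca "$c"; then status=trusted; else status=REJECTED; fi
    echo "$status CN=$(cert_cn "$c") $c"
  done
  echo "PKI written to $PKI"
fi
```

Run it as `bash pki.sh run` to see the three cluster certificates accepted and the rogue one rejected. The point of the negative control is that the API server trusts ca.crt, not CNs: whoever holds ca.key can mint a certificate with any CN, which is why the CA key should not be copied to the API server host or the nodes.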

Specify the contents of the configuration file /etc/kubernetes/apiserver as follows:

vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--etcd-servers=http://192.168.142.161:2379,http://192.168.142.162:2379,http://192.168.142.163:2379 --bind-address=0.0.0.0 --secure-port=443 --insecure-port=0 --client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

A few notes on these flags. --insecure-port=0 closes the unauthenticated plaintext port (its default is 8080), and --client-ca-file turns on x509 client-certificate authentication, with the certificate's CN used as the username. No --authorization-mode is given, and the kube-apiserver default is AlwaysAllow, so every holder of a certificate signed with ca.key is effectively cluster admin. The API server talks to etcd over plain http on port 2379; unless etcd itself enforces TLS and client authentication (its configuration is not shown here), anyone who can reach that port can read and modify the whole cluster state, Secrets included. Finally, --service-node-port-range=1-65535 lets any NodePort Service claim ports below 1024 on every node, including ports the host itself uses.

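As an added example (not code from the original post), the following script audits a KUBE_API_ARGS string for the weak settings discussed above and shows a hardened variant beside the page's own. Flag names and defaults are those of kube-apiserver 1.10 (--insecure-port defaulting to 8080, --authorization-mode to AlwaysAllow). The hardened values are assumptions for the example: RBAC as the authorizer (which then needs RoleBindings for the CNs used on this page before the controller manager, scheduler and kubelets can work), an etcd TLS client certificate under /etc/kubernetes/pki, and the 30000-32767 NodePort range.

```bash
#!/usr/bin/env sh
# Added example, not code from the original post. Audits the KUBE_API_ARGS
# string from /etc/kubernetes/apiserver and reports the settings a reviewer
# would flag. Hardened values below are assumptions, not settings from the page.

# The page's own argument string.
PAGE_ARGS='--etcd-servers=http://192.168.142.161:2379,http://192.168.142.162:2379,http://192.168.142.163:2379 --bind-address=0.0.0.0 --secure-port=443 --insecure-port=0 --client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=2'

# Hardened variant: etcd over TLS with a client certificate (assumed paths),
# RBAC authorization, and the conventional NodePort range.
HARDENED_ARGS='--etcd-servers=https://192.168.142.161:2379,https://192.168.142.162:2379,https://192.168.142.163:2379 --etcd-cafile=/etc/kubernetes/pki/etcd-ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --bind-address=0.0.0.0 --secure-port=443 --insecure-port=0 --client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --authorization-mode=RBAC --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=30000-32767 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=2'

# flag_value ARGS NAME: value of --NAME in ARGS, empty when the flag is absent.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# audit_apiserver_args ARGS: one "flag: finding" line per problem, nothing when clean.
audit_apiserver_args() {
  args=$1
  case "$(flag_value "$args" etcd-servers)" in
    *http://*) echo "etcd-servers: plaintext http to etcd; cluster state, Secrets included, is sent unencrypted and unauthenticated" ;;
  esac
  [ "$(flag_value "$args" insecure-port)" = 0 ] ||
    echo "insecure-port: unauthenticated plaintext API port open (default 8080); set --insecure-port=0"
  [ -n "$(flag_value "$args" client-ca-file)" ] ||
    echo "client-ca-file: missing; client certificates are not verified"
  { [ -n "$(flag_value "$args" tls-cert-file)" ] && [ -n "$(flag_value "$args" tls-private-key-file)" ]; } ||
    echo "tls-cert-file: serving certificate not set; apiserver falls back to a self-signed one"
  mode=$(flag_value "$args" authorization-mode)
  { [ -n "$mode" ] && [ "$mode" != AlwaysAllow ]; } ||
    echo "authorization-mode: absent or AlwaysAllow; every CA-signed client certificate is cluster admin"
  range=$(flag_value "$args" service-node-port-range)
  if [ -n "$range" ] && [ "${range%-*}" -lt 1024 ]; then
    echo "service-node-port-range: $range lets NodePort Services claim privileged host ports below 1024"
  fi
  return 0
}

# Standalone run: audit the page's string, then confirm the hardened one is clean.
if [ "${1:-}" = "run" ]; then
  echo "== page";     audit_apiserver_args "$PAGE_ARGS"
  echo "== hardened"; audit_apiserver_args "$HARDENED_ARGS"
fi
```

Against the page's string the audit reports three findings (plaintext etcd, no authorization mode, the 1-65535 NodePort range); the hardened string reports none. The check is deliberately conservative: it only looks at flags that are present or absent in the string, and it does not know what etcd itself enforces.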
  • Configuring the kube-controller-manager service

kube-controller-manager depends on the kube-apiserver service.

Configure the unit file:

cat /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service


[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536


[Install]
WantedBy=multi-user.target

Set up the client certificate and private key for kube-controller-manager:

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=kubernetes-node1.example.com" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

When generating cs_client.crt, the -CA and -CAkey parameters use the apiserver's ca.crt and ca.key. Then copy cs_client.crt and cs_client.key into the same directory (/var/run/kubernetes).

Next, create the file /etc/kubernetes/kubeconfig (shared by kube-controller-manager and kube-scheduler).
Its contents are as follows (the cluster entry needs the server address; the --master flag set below overrides it, but the file should be complete on its own):

cat /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    server: https://192.168.142.161
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Then set the startup parameters for kube-controller-manager:

cat /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--master=https://192.168.142.161 --service-account-private-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

  • Configuring the kube-scheduler service

The kube-scheduler service also depends on the kube-apiserver service.

cat /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service


[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536


[Install]
WantedBy=multi-user.target

Reuse the client certificate created for kube-controller-manager.

Configure the startup parameters:

cat /etc/kubernetes/scheduler
KUBE_SCHEDULER_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

This completes the Master installation. Start all the services:

systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler

Because the scheduler and the controller manager share one client certificate, the API server sees both as the same user (the certificate's CN, kubernetes-node1.example.com). Once an authorizer such as RBAC is enabled they should get separate certificates, conventionally with CN system:kube-controller-manager and system:kube-scheduler, so that each is bound only to its own role.

Configuring kubelet and kube-proxy on the Nodes

The kubelet service depends on Docker, so Docker has to be installed first. The installation steps are:

If Docker was installed before, remove it first:
yum remove docker docker-common docker-selinux docker-engine
Install the dependencies:
yum install -y yum-utils device-mapper-persistent-data lvm2
Download the repo file:
wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
Replace the download host with a domestic mirror:
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
Install Docker:
yum install docker-ce
Start it:
systemctl enable docker
systemctl start docker

1: First copy the kube-apiserver's ca.crt and ca.key to the node; the -CA and -CAkey parameters used to generate kubelet_client.crt are the apiserver's ca.crt and ca.key. When generating kubelet_client.csr, set /CN in the -subj parameter to the Node's IP address. (Copying ca.key onto every node means that a compromise of any one node yields the key that can mint arbitrary client identities for the whole cluster; the safer pattern is to sign on the host that holds the CA and copy only kubelet_client.crt, kubelet_client.key and ca.crt to the node.)

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.142.162" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

2: Then create the file /etc/kubernetes/kubeconfig (shared by the kubelet and kube-proxy processes) and configure the client certificate and related parameters in it:

cat /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    server: https://192.168.142.161
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
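The two kubeconfig files on this page (the controller-manager/scheduler one on the Master and the kubelet/kube-proxy one above) reference certificate files by path under /var/run/kubernetes, which is emptied on reboot. The following added example (not code from the original post) writes a kubeconfig of the same shape with the CA certificate and the client key pair embedded as base64 in certificate-authority-data, client-certificate-data and client-key-data, which is the form `kubectl config set-credentials --embed-certs=true` produces; the resulting file is self-contained and must be protected like a private key. The function names, arguments and the placeholder PEM inputs used for the standalone run are this example's own constructions.

```bash
#!/usr/bin/env sh
# Added example, not code from the original post. Emits a kubeconfig with
# embedded credentials instead of file paths under /var/run/kubernetes.

# b64 FILE: single-line base64, the form kubectl writes into *-data fields.
b64() { base64 < "$1" | tr -d '\n'; }

# write_kubeconfig USER SERVER CA_FILE CERT_FILE KEY_FILE: kubeconfig on stdout.
write_kubeconfig() {
  user=$1 server=$2 ca=$3 cert=$4 key=$5
  cat <<EOF
apiVersion: v1
kind: Config
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$cert")
    client-key-data: $(b64 "$key")
clusters:
- name: local
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
contexts:
- context:
    cluster: local
    user: $user
  name: my-context
current-context: my-context
EOF
}

# kubeconfig_field FILE KEY: decode one of the *-data fields back to PEM.
kubeconfig_field() {
  sed -n "s/^ *$2: //p" "$1" | head -n 1 | base64 -d
}

# demo_inputs DIR: constructed placeholder PEM files (not real certificates)
# standing in for ca.crt, kubelet_client.crt and kubelet_client.key.
demo_inputs() {
  printf -- '-----BEGIN CERTIFICATE-----\nConstructedClusterCA\n-----END CERTIFICATE-----\n' > "$1/ca.crt"
  printf -- '-----BEGIN CERTIFICATE-----\nConstructedKubeletClientCert\n-----END CERTIFICATE-----\n' > "$1/kubelet_client.crt"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nConstructedKubeletClientKey\n-----END RSA PRIVATE KEY-----\n' > "$1/kubelet_client.key"
}

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  demo_inputs "$d"
  # umask 077 so the file holding the private key is created mode 0600.
  (umask 077; write_kubeconfig kubelet https://192.168.142.161 \
     "$d/ca.crt" "$d/kubelet_client.crt" "$d/kubelet_client.key" > "$d/kubeconfig")
  cat "$d/kubeconfig"
  echo "written to $d/kubeconfig"
fi
```

With real files, call write_kubeconfig with the node's ca.crt, kubelet_client.crt and kubelet_client.key and point --kubeconfig at the output; the same function serves the Master's controller-manager kubeconfig with cs_client.crt and cs_client.key. Keep the umask (or chmod 600 afterwards), since the file now contains the private key.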

3: Set the startup parameters of the kubelet service:

cat /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=192.168.142.162 --pod-infra-container-image=registry-vpc.cn-beijing.aliyuncs.com/k8s_len/pause-amd64:3.0 --fail-swap-on=false --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

Two notes. registry-vpc.cn-beijing.aliyuncs.com is the VPC-internal endpoint of Alibaba Cloud's container registry and resolves only from inside that VPC; elsewhere point --pod-infra-container-image at a pause image the node can reach. Also, the kubelet's own API on port 10250 is left at its defaults here (--anonymous-auth=true, --authorization-mode=AlwaysAllow), so anyone who can reach the node can list pods and exec into containers through the kubelet; in production set --anonymous-auth=false, --authorization-mode=Webhook and --client-ca-file=/var/run/kubernetes/ca.crt so that the kubelet verifies callers against the cluster CA and asks the API server whether they are authorized.

4: Set the startup parameters of kube-proxy:

cat /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

5: Define the service units to be started at boot (create the kubelet working directory first with mkdir -p /var/lib/kubelet, otherwise the unit fails to start):

cat /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Wants=docker.service


[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
#Type=notify
#LimitNOFILE=65536


[Install]
WantedBy=multi-user.target

cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.service
Wants=network.service


[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536


[Install]
WantedBy=multi-user.target