Environment:

| Hostname | IP address | Role |
|---|---|---|
| c720111.xiodi.cn | 192.168.20.111 | k8s master-1 |
| c720112.xiodi.cn | 192.168.20.112 | k8s master-2 |
| c720113.xiodi.cn | 192.168.20.113 | k8s master-3 |
| c720114.xiodi.cn | 192.168.20.114 | k8s slave-1 |
| c720115.xiodi.cn | 192.168.20.115 | k8s slave-2 |
| c720116.xiodi.cn | 192.168.20.116 | k8s master VIP |
Deployment steps:

1. System upgrade

k8s hits certain bugs on older kernels, so upgrade the kernel first. Kernel 4.10 or later is recommended.
1.1 Download location

Packages on Baidu Netdisk:
https://pan.baidu.com/s/1JtecfQoZISxN2EQRVrjKdg (extraction code: 6taj)
1.2 Run the following commands to upgrade the kernel

```bash
# Upgrade the kernel
$ wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm
$ wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
$ yum -y install kernel-ml-5.0.4-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.0.4-1.el7.elrepo.x86_64.rpm
# Make the new kernel the default boot entry
$ cat /boot/grub2/grub.cfg | grep menuentry
$ grub2-set-default "CentOS Linux (5.0.4-1.el7.elrepo.x86_64) 7 (Core)"
# Confirm the default entry was changed correctly
$ grub2-editenv list
$ reboot
```
1.3 Enable IPVS support

```bash
# After confirming the kernel version, enable IPVS
$ uname -a
# The heredoc delimiter is quoted ('EOF') so that $? and ${...} are written
# literally into the script; with an unquoted EOF the writing shell would
# expand $? to 0 and every module would be loaded unconditionally.
$ cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in ${ipvs_modules}; do
    # Only load modules that exist for the running kernel
    /sbin/modinfo -F filename ${kernel_module} > /dev/null 2>&1
    if [ $? -eq 0 ]; then
        /sbin/modprobe ${kernel_module}
    fi
done
EOF
$ chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep ip_vs
```
1.4 Disable swap, SELinux, firewalld, etc.

```bash
# Disable SELinux / firewalld
$ systemctl stop firewalld && systemctl disable firewalld
$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# Disable swap
$ swapoff -a
$ cp /etc/{fstab,fstab.bak}
$ cat /etc/fstab.bak | grep -v swap > /etc/fstab
# Kernel parameters for bridged traffic and IP forwarding
# (br_netfilter must be loaded first, otherwise sysctl -p rejects the bridge-nf-call-* keys)
$ modprobe br_netfilter
$ cat > /etc/sysctl.conf <<EOF
vm.swappiness = 0
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
$ sysctl -p
```
1.5 Configure hostname resolution and time synchronization (omitted)
1.6 Configure passwordless SSH between the hosts

```bash
# Here c720111.xiodi.cn is set up for passwordless SSH to the other hosts.
# The target addresses were garbled in extraction; run one ssh-copy-id per
# host in the table above, as root@<host>.
[root@c720111 ~]# ssh-keygen
[root@c720111 ~]# ssh-copy-id root@<host>
[root@c720111 ~]# ssh-copy-id root@<host>
[root@c720111 ~]# ssh-copy-id root@<host>
[root@c720111 ~]# ssh-copy-id root@<host>
[root@c720111 ~]# ssh-copy-id root@<host>
```
2. Issue certificates

2.1 Certificate signing setup

```bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# The downloads carry the _linux-amd64 suffix; rename them before chmod/mv
mv cfssl_linux-amd64 cfssl
mv cfssljson_linux-amd64 cfssljson
mv cfssl-certinfo_linux-amd64 cfssl-certinfo
chmod +x cfssl cfssljson cfssl-certinfo
mv cfssl cfssljson cfssl-certinfo /usr/local/bin/
```
Certificates will be issued for each of the following components:

- admin user
- kubelet
- kube-controller-manager
- kube-proxy
- kube-scheduler
- kube-api
2.2 Create the CA certificate configuration and signing request

(1) Generate the CA certificate

CA signing configuration:

```bash
$ cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
```

CA certificate signing request:

```bash
$ cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Shanghai",
      "O": "xiodi",
      "OU": "CA",
      "ST": "Winterfell"
    }
  ]
}
EOF
```

Generate the CA certificate:

```bash
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Inspect the generated files (the CA private key must stay mode 0600)
[root@c720111 tmp]# ls -al
-rw------- 1 root root 1675 Mar 23 11:04 ca-key.pem
-rw-r--r-- 1 root root 1314 Mar 23 11:04 ca.pem
```
(2) Generate the admin user certificate

Certificate signing request configuration:

```bash
# O=system:masters: default RBAC binds this group to cluster-admin, so this
# certificate is a full-cluster credential.
$ cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "Westeros",
      "L": "The North",
      "O": "system:masters",
      "OU": "Kubernetes The Hard Way",
      "ST": "Winterfell"
    }
  ]
}
EOF
```

Generate the admin user certificate and check the result:

```bash
# Generate the certificate
$ cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
# Inspect the generated files
[root@c720111 tmp]# ls
admin-key.pem  admin.pem
```
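The CSR and the signing profile above are what decide the identity and authority a signed certificate carries, so they are worth checking before `cfssl gencert` runs. The script below is an added example, not part of this tutorial or of cfssl itself: it lints a CSR against the ca-config.json profile, reports the CN, the groups in O, the effective expiry and the usages, and flags the `system:masters` group and the profile's combined server/client auth. The embedded JSON is copied from this page's ca-config.json and admin-csr.json; the `lint_csr` and `lint_admin_csr` names are this example's own.

```python
import json

# JSON copied from this page's ca-config.json and admin-csr.json (constructed
# inline here so the script runs without the files).
CA_CONFIG_JSON = """{"signing": {"default": {"expiry": "8760h"},
 "profiles": {"kubernetes": {"usages": ["signing", "key encipherment",
 "server auth", "client auth"], "expiry": "8760h"}}}}"""
ADMIN_CSR_JSON = """{"CN": "admin", "key": {"algo": "rsa", "size": 2048},
 "names": [{"C": "Westeros", "L": "The North", "O": "system:masters",
 "OU": "Kubernetes The Hard Way", "ST": "Winterfell"}]}"""

# Default RBAC binds the system:masters group to cluster-admin and the API
# server re-creates that binding if it is deleted, so a certificate carrying
# this group is a root credential for the cluster.
PRIVILEGED_GROUPS = {"system:masters"}
MIN_RSA_BITS = 2048


def lint_csr(ca_config, csr, profile="kubernetes"):
    """Report the identity and authority a cert signed from `csr` under
    `profile` will carry, plus warnings to review before signing."""
    signing = ca_config["signing"]
    prof = signing.get("profiles", {}).get(profile, signing["default"])
    key = csr.get("key", {})
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    usages = set(prof.get("usages", []))
    expiry = prof.get("expiry", "")
    # cfssl expiry strings are Go durations; this page only uses hours
    expiry_days = int(expiry.rstrip("h")) / 24 if expiry.endswith("h") else None
    warnings = []
    if key.get("algo") == "rsa" and key.get("size", 0) < MIN_RSA_BITS:
        warnings.append(f"rsa key size {key.get('size')} below {MIN_RSA_BITS}")
    priv = sorted(PRIVILEGED_GROUPS & set(groups))
    if priv:
        warnings.append(f"O={','.join(priv)} maps to cluster-admin; keep "
                        f"{csr.get('CN')}-key.pem mode 0600 and off shared hosts")
    if {"server auth", "client auth"} <= usages:
        warnings.append("profile grants both server auth and client auth, so "
                        "every cert it signs is also a valid TLS server cert")
    return {"cn": csr.get("CN"), "groups": groups, "expiry_days": expiry_days,
            "usages": sorted(usages), "warnings": warnings}


def lint_admin_csr():
    """Lint this page's admin CSR against its ca-config.json."""
    return lint_csr(json.loads(CA_CONFIG_JSON), json.loads(ADMIN_CSR_JSON))


if __name__ == "__main__":
    for w in lint_admin_csr()["warnings"]:
        print("WARN:", w)
```

Run it on each CSR before signing; for the page's admin CSR it reports the cluster-admin group and the dual-usage profile, both of which are intended here but should be a conscious decision.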