I. Pre-deployment planning
1. Operating system initialisation: prepare the cluster machines, stop the firewall and disable SELinux.
2. Create the CA certificate and private key: traffic between cluster components must be encrypted, so a CA has to exist first; the CA created in this step then acts as the certificate authority that issues the cluster's own certificates (it can also be skipped through configuration).
3. Install and uninstall Docker: k8s runs on Docker, so Docker is installed first.
4. Install Harbor: once Docker is in place an image registry is needed; Harbor provides a registry platform that is easy to manage.
5. Use Harbor: push and pull images, set projects public or private.
6. Deploy the etcd cluster: k8s uses etcd for service discovery, for example cluster nodes report their state and the services they can provide through etcd, so etcd must be installed before anything else.
7. Deploy the flannel network: the cluster has its own inter-node network, which flannel provides, so flannel must be installed.
8. Deploy the master node: the main cluster node, the management node.
9. Deploy the node (worker) nodes: the nodes that run the workloads.
10. Deploy the DNS add-on: Kubernetes provides DNS as an add-on, usually a service running in the kube-system namespace with a fixed IP address. Once the add-on is running, configure the kubelet on each node with the IP address of the cluster DNS service; when the kubelet starts a container it passes the DNS server address to the container, and the container then uses that DNS server for name resolution.
11. Deploy the dashboard add-on: the k8s graphical interface.
12. Deploy the heapster add-on: better support for native k8s.
II. CentOS 7 environment setup
1. Basic environment
1) Machines
master: 192.168.11.199
node: 192.168.11.196
2) Stop the firewall and disable SELinux
# systemctl stop firewalld
# systemctl disable firewalld
# setenforce 0
(setenforce 0 only switches SELinux to permissive for the running system; to keep it that way across reboots, edit /etc/selinux/config as well.)
III. Create the CA certificate and private key
1. Generate the CA private key (.key); 2048 bits gives a higher security margin:
# openssl genrsa -out ca.key 2048
2. Generate the CA certificate request (.csr):
# openssl req -new -key ca.key -out ca.csr
3. Self-sign the request to obtain the root certificate (.crt); <validity-days> is the number of days the root certificate stays valid:
# openssl x509 -req -days <validity-days> -in ca.csr -signkey ca.key -out ca.crt
4. This produces three files: ca.key, ca.csr and ca.crt.
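The three openssl steps above, as an added shell example that is not part of the original notes: it builds the same CA non-interactively but marks it as a CA (basicConstraints and keyUsage, which OpenSSL 3 requires before `openssl verify` will trust a self-signed root), and then issues a separate server certificate for the registry address used later in this guide (192.168.11.199) instead of reusing ca.crt as the server certificate. The CA name k8s-lab-ca and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Creates the CA the way the guide
# does, but with proper CA extensions, then issues and verifies a server
# certificate for the registry. "k8s-lab-ca" and the -days values are assumed.
set -e

# Create ca.key/ca.csr/ca.crt plus server.key/server.crt in directory $1 for IP $2.
make_ca_and_server_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # 1. CA private key (2048-bit RSA, as in the guide)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # 2. CA certificate request; -subj avoids the interactive prompts
    openssl req -new -key "$dir/ca.key" -subj "/CN=k8s-lab-ca" -out "$dir/ca.csr" 2>/dev/null
    # 3. self-signed root, explicitly flagged as a CA, ten-year validity
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # 4. server key and request for the registry, signed by the CA with an IP
    #    SAN so clients that connect by address can match it (CN alone is not enough)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Exit 0 only if server.crt in $1 chains to ca.crt and is valid for IP $2.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

# Exit 0 only if the certificate file $1 declares itself a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
```

The resulting server.crt and server.key are what the Harbor ssl_cert and ssl_cert_key settings later in this guide expect, with ca.crt handed to the Docker clients as the trust anchor.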
IV. Install docker-ce + docker-compose (script install)
# vim docker.sh
#!/bin/bash
# coding: utf-
# Copyright (c)
set -e  # exit the script as soon as any command returns a non-zero status
echo "1. Backing up the yum repos"
{
for i in /etc/yum.repos.d/*.repo; do cp "$i" "${i%.repo}.bak"; done
rm -rf /etc/yum.repos.d/*.repo
} || {
echo "Backup failed, please run it manually"
exit 1
}
echo "2. Fetching the network yum repos"
{
wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/Centos-7.repo >/dev/null 2>&1
wget -P /etc/yum.repos.d/ http://mirrors.163.com/.help/CentOS7-Base-163.repo >/dev/null 2>&1
yum clean all >/dev/null 2>&1
yum repolist >/dev/null 2>&1
} || {
echo "Fetching the repos failed, please run it manually"
exit 1
}
echo "3. Installing docker-ce......"
{
yum -y install yum-utils >/dev/null 2>&1
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo >/dev/null 2>&1
yum clean all >/dev/null 2>&1
yum repolist >/dev/null 2>&1
yum -y install epel-release docker-ce >/dev/null 2>&1
} || {
echo "Installation failed, please install manually"
exit 1
}
systemctl start docker >/dev/null 2>&1
systemctl enable docker >/dev/null 2>&1
echo "4. Adding kernel parameters"
{
modprobe br_netfilter  # the bridge-nf sysctls only exist once this module is loaded
cat <<EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p >/dev/null 2>&1
}
echo "5. Adding the registry mirror"
{
# write the file rather than append to it: daemon.json must hold exactly one JSON object
mkdir -p /etc/docker
cat <<EOF > /etc/docker/daemon.json
{
"registry-mirrors": [
"https://registry.docker-cn.com"
]
}
EOF
}
echo "6. Installing docker-compose"
{
curl -fL https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
} || {
echo "Installation failed, please install manually"
exit 1
}
systemctl daemon-reload >/dev/null 2>&1
systemctl restart docker >/dev/null 2>&1
rm -rf ./*.sh  # remove the installer script itself once it has finished
V. Install Harbor
1. Download the Harbor package
Online installer: # wget -P /usr/local/src/ https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-online-installer-v1.2.0.tgz
Offline installer: # wget https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-offline-installer-v1.2.0.tgz
2. Extract it into /usr/local: # tar xvf /usr/local/src/harbor-online-installer-v1.2.0.tgz -C /usr/local
3. Inspect the extracted directory (/usr/local/harbor)
4. Set the hostname: # vim harbor.cfg
hostname = manager
(this value is the address clients will use to reach the registry; the remaining steps address it as 192.168.11.199)
5. Run the installer: # ./install.sh
6. Check the processes: # docker ps or docker-compose ps
7. Log in at http://192.168.11.199 with username admin and password Harbor12345 (Harbor's built-in default)
8. Point Docker at the Harbor registry instead of the mirror
# rm -rf /etc/docker/daemon.json
# vim /usr/lib/systemd/system/docker.service   (append to the ExecStart line)
--insecure-registry 192.168.11.199
9. Reload systemd and restart Docker
# systemctl daemon-reload
# systemctl restart docker
10. Build a custom image for the push/pull test
# vim Dockerfile
FROM centos:centos7.1.1503   # base image is CentOS, version 7.1
ENV TZ "Asia/Shanghai"       # set the system time zone to Shanghai
# docker build -t 192.168.11.199/library/centos7.1:0.1 .
11. Test pushing and pulling
1) Log in to the registry: # docker login 192.168.11.199
2) Push the image
# docker image ls -a
# docker push 192.168.11.199/library/centos7.1
3) Pull any image: # docker pull nginx
4) Tag it: # docker tag nginx:latest 192.168.11.199/library/nginx.v1
5) Push it: # docker push 192.168.11.199/library/nginx.v1
6) Delete the local image: # docker image rm 192.168.11.199/library/nginx.v1:latest
7) Pull it again from the private registry: # docker pull 192.168.11.199/library/nginx.v1
12. Configure a TLS certificate for Harbor
1) Edit the Harbor configuration file: # vim /usr/local/harbor/harbor.cfg
ui_url_protocol = https
ssl_cert = /home/ssl/ca.crt
ssl_cert_key = /home/ssl/ca.key
(these two settings take the server certificate and key; the notes here point them at the CA's own certificate and key, and a certificate issued by that CA for the registry address would go in the same two settings)
2) Restart Harbor: # ./install.sh
Because the certificate is self-signed, Chrome will block the page with a warning.
VI. Deploy the etcd cluster
1. Install etcd and kubernetes-master on the master node: # yum -y install etcd kubernetes-master
2. Edit the etcd configuration file and set the listen address: # vim /etc/etcd/etcd.conf
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
(this accepts client connections on every interface, over plain HTTP and without authentication)
3. Edit the k8s API server configuration: # vim /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
4. Configure Kubernetes to use token requests (service-account tokens)
If you do not configure this, simply remove ServiceAccount from the admission-control list:
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"
To configure it: # vim /etc/kubernetes/apiserver
KUBE_API_ARGS="--service_account_key_file=/home/ssl/ca.key"
# vim /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/home/ssl/ca.key"
(the API server only verifies tokens, so a file holding just the public key is enough for it; the controller-manager is the component that signs tokens and is the one that needs the private key)
5. Start etcd, kube-apiserver, kube-controller-manager and kube-scheduler, and enable them at boot:
# for SERVICES in etcd kube-apiserver kube-controller-manager kube-scheduler; do systemctl restart $SERVICES; systemctl enable $SERVICES; systemctl status $SERVICES; done
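An added check, not part of the original notes, that reads copies of the two files edited in this section (paths are passed as arguments so it can run against copies offline) and reports the settings that leave etcd and the API server reachable without credentials; the match rules are written for exactly the values shown above.

```shell
#!/bin/sh
# Added example, not from the original guide: audit /etc/etcd/etcd.conf and
# /etc/kubernetes/apiserver (or copies of them) for the exposure the settings in
# this section create. Sysconfig files are simple KEY="value" lines.
set -e

# Print the value of KEY="value" from a sysconfig-style file $1 (empty if absent).
cfg_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Print one line per finding; exit 0 when there are none, 1 otherwise.
# $1 = etcd.conf path, $2 = apiserver path.
audit_control_plane() {
    etcd_conf="$1"; api_conf="$2"; findings=0

    # etcd client API on all interfaces, plain HTTP, no client auth
    listen=$(cfg_value "$etcd_conf" ETCD_LISTEN_CLIENT_URLS)
    case "$listen" in
    *http://0.0.0.0:*|*http://\[::\]:*)
        echo "etcd: plain-HTTP client API bound to all interfaces ($listen); any host that can reach port 2379 can read and write cluster state"
        findings=$((findings + 1)) ;;
    esac

    # kube-apiserver insecure (unauthenticated) port on all interfaces
    bind=$(cfg_value "$api_conf" KUBE_API_ADDRESS)
    case "$bind" in
    *--insecure-bind-address=0.0.0.0*)
        echo "kube-apiserver: insecure port bound to all interfaces ($bind); requests on it need no credentials"
        findings=$((findings + 1)) ;;
    esac

    # ServiceAccount admission plugin removed (a missing line counts as removed)
    admission=$(cfg_value "$api_conf" KUBE_ADMISSION_CONTROL)
    case "$admission" in
    *ServiceAccount*) ;;
    *)  echo "kube-apiserver: ServiceAccount admission plugin not enabled; pods get no service-account tokens"
        findings=$((findings + 1)) ;;
    esac

    [ "$findings" -eq 0 ]
}
```

Binding the insecure port to 127.0.0.1, serving etcd over https with client certificates, and keeping ServiceAccount in the admission list are the three changes that make the check pass.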
VII. Deploy the flannel network
1. Define the flannel network in etcd: # etcdctl mk /atomic.io/network/config '{"Network":"172.17.0.0/16"}'
2. Install flannel and kubernetes-node on the node:
# yum -y install epel-release
# yum -y install flannel kubernetes-node
3. Point flannel at the etcd service by editing /etc/sysconfig/flanneld; the value is the etcd client endpoint on the master
# vim /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://192.168.11.199:2379"
4. Edit /etc/kubernetes/config
# vim /etc/kubernetes/config
KUBE_MASTER="--master=http://192.168.11.199:8080"
5. Edit /etc/kubernetes/kubelet on each node (minion)
# vim /etc/kubernetes/kubelet
KUBELET_ADDRESS="--address=0.0.0.0"
KUBELET_HOSTNAME="--hostname-override=192.168.11.196"
KUBELET_API_SERVER="--api-servers=http://192.168.11.199:8080"
6. On every node start kube-proxy, kubelet, docker and flanneld, and enable them at boot.
# for SERVICES in kube-proxy kubelet docker flanneld; do systemctl restart $SERVICES; systemctl enable $SERVICES; systemctl status $SERVICES; done
7. Verify the cluster
# kubectl get node
# kubectl -s http://192.168.11.199:8080 get node
VIII. Deploy services
1.