ETCD
etcd is the default storage system shipped with Kubernetes; it holds all cluster data, so a backup plan for the etcd data is needed before it is put into use.
Create the CA and certificates for the cluster
Before Kubernetes can be used, certificates must be created for each component. Proceed as follows:
On the master, create the /etc/etcd/ssl directory, then change into it and perform the following steps.
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
export PKI_URL="https://kairen.github.io/files/manual-v1.8/pki"
Download ca-config.json and etcd-ca-csr.json, then generate the CA key and certificate:
wget "${PKI_URL}/ca-config.json" "${PKI_URL}/etcd-ca-csr.json"
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
ls etcd-ca*.pem
etcd-ca-key.pem  etcd-ca.pem
Download etcd-csr.json and generate the etcd certificate:
wget "${PKI_URL}/etcd-csr.json"
cfssl gencert \
  -ca=etcd-ca.pem \
  -ca-key=etcd-ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  etcd-csr.json | cfssljson -bare etcd
ls etcd*.pem
etcd-ca-key.pem  etcd-ca.pem  etcd-key.pem  etcd.pem
Since kairen.github.io may be unreachable from mainland China, the three JSON files can also be created by hand; the remaining steps are the same as above.
ca-config.json
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
Notes on the fields (the file itself must be plain JSON, since cfssl rejects comments): expiry is the validity period and can be customized; "signing" lets the certificate sign other certificates (the generated ca.pem has CA=TRUE); "server auth" means a client can use this certificate to verify the certificate presented by a server; "client auth" means a server can use it to verify the certificate presented by a client.
ca-csr.json (save it as etcd-ca-csr.json, the name the cfssl gencert -initca command above expects)
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShenZhen",
      "L": "ShenZhen",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
All of the names fields can be customized: C is the country, ST the state or province, L the city, O the organization, OU the organizational unit.
etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "192.168.81.128",
    "192.168.81.129"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "guangdong",
      "ST": "shenzhen"
    }
  ]
}
hosts lists the IP of every etcd node (192.168.81.128 is the master, 192.168.81.129 the node). These become the certificate's subject alternative names, so an address missing here will fail TLS verification.
When finished, delete the files that are no longer needed:
rm -rf *.json
Confirm that /etc/etcd/ssl contains the following files:
ls /etc/etcd/ssl
etcd-ca.csr  etcd-ca-key.pem  etcd-ca.pem  etcd.csr  etcd-key.pem  etcd.pem
etcd installation and configuration
etcd.conf
Keep each comment on its own line: systemd's EnvironmentFile treats only lines beginning with # as comments, so the [Member]/[Clustering]/[Security] section markers are commented out as well.
#[Member]
# Name of this node
ETCD_NAME="etcd-1"
# Data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# IP of this host
ETCD_LISTEN_PEER_URLS="https://192.168.81.128:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.81.128:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.81.128:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.81.128:2379"
# All cluster members, as comma-separated name=peer-URL pairs
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.81.128:2380"
# Token used for communication between cluster members
ETCD_INITIAL_CLUSTER_TOKEN="etcd-single"
# "new" when bootstrapping a cluster; "existing" when adding a member to one
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
# Location of the etcd certificate
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
# Location of the etcd key
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
# Require clients to present a certificate signed by the trusted CA
ETCD_CLIENT_CERT_AUTH="true"
# Location of the CA certificate
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
# Has no effect here: etcd only generates its own certificates when no cert/key files are configured
ETCD_AUTO_TLS="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
# Require peers to present a certificate signed by the trusted CA
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"
ETCD_PEER_AUTO_TLS="true"
The unit passes the client-certificate-authentication settings from etcd.conf explicitly, so etcd rejects any client or peer that does not present a certificate signed by etcd-ca.pem.
etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
User=etcd
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd \
  --name=\"${ETCD_NAME}\" \
  --cert-file=\"${ETCD_CERT_FILE}\" \
  --key-file=\"${ETCD_KEY_FILE}\" \
  --client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" \
  --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" \
  --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" \
  --peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\" \
  --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" \
  --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" \
  --initial-advertise-peer-urls=\"${ETCD_INITIAL_ADVERTISE_PEER_URLS}\" \
  --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" \
  --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" \
  --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" \
  --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" \
  --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" \
  --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" \
  --data-dir=\"${ETCD_DATA_DIR}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Create the data directory under /var/lib, then start the etcd service:
mkdir -p /var/lib/etcd && chown etcd:etcd -R /var/lib/etcd /etc/etcd
systemctl enable etcd.service && systemctl start etcd.service
Verify with a simple command (the client certificate is required because client certificate authentication is enabled):
$ export CA="/etc/etcd/ssl"
$ ETCDCTL_API=3 etcdctl \
    --cacert=${CA}/etcd-ca.pem \
    --cert=${CA}/etcd.pem \
    --key=${CA}/etcd-key.pem \
    --endpoints="https://192.168.81.128:2379" \
    endpoint health
# output
https://192.168.81.128:2379 is healthy: successfully committed proposal: took = 1.763032ms