01-1 Binary installation
1. Lab environment
IP              | Hostname            | CPU | Memory | Disk | Notes
192.168.109.137 | hywang-137.host.com | 4C  | 3G     | 20G  | master, node; VIP: 192.168.109.130
192.168.109.138 | hywang-138.host.com | 4C  | 3G     | 20G  | master, node; VIP: 192.168.109.130
192.168.109.139 | hywang-139.host.com | 1C  | 1G     | 20G  | spare (an etcd cluster needs at least three members)
2. Pre-installation preparation
2.1. Environment preparation
Run the following on every machine:
1. Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
2. Disable SELinux
setenforce 0
sed -ri '/^SELINUX=/s/=.+/=disabled/' /etc/selinux/config
3. Set the hostname
4. Configure name resolution (bind is used as the DNS server here)
5. Configure time synchronization (chronyd)
6. Install the base packages
yum install -y epel-release
yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils vim less
2.2. Install bind
2.2.1. Install bind on hywang-137
[root@hywang-137 ~]# yum install -y bind
2.2.2. Configure bind on hywang-137
Main configuration file
[root@hywang-137 ~]# vim /etc/named.conf   # make sure the following settings are present
listen-on port 53 { 192.168.109.137; };
directory "/var/named";
allow-query { any; };
forwarders { 192.168.109.2; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
Check these options (192.168.109.2 is the gateway).
Configure the zone declarations on hywang-137.host.com
[root@hywang-137 named]# vim /var/named/host.com.zone   # zone declarations belong in named's zone config (/etc/named.rfc1912.zones on CentOS), not in the zone data file edited below
zone "host.com" IN {
    type master;
    file "host.com.zone";
    allow-update { 192.168.109.137; };
};
zone "od.com" IN {
    type master;
    file "od.com.zone";
    allow-update { 192.168.109.137; };
};
# Add two zones: od.com is the business domain, host.com is the host domain
Configure the host-domain zone file on hywang-137.host.com
mkdir -pv /var/named/
[root@hywang-137 named]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.host.com. dnsadmin.host.com. (
                2020061901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.host.com.
$TTL 60     ; 1 minute
dns         A   192.168.109.137
hywang-137  A   192.168.109.137
hywang-138  A   192.168.109.138
hywang-139  A   192.168.109.139
# The serial must be updated every time this zone file is edited
Configure the business-domain zone file on hywang-137.host.com
[root@hywang-137 named]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.od.com. dnsadmin.od.com. (
                2020061901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.od.com.
$TTL 60     ; 1 minute
dns         A   192.168.109.137
Start bind on hywang-137.host.com and test it
[root@hywang-137 named]# named-checkconf   # check the configuration file
[root@hywang-137 named]#
[root@hywang-137 named]# systemctl start named
[root@hywang-137 named]# systemctl enable named
[root@hywang-137 named]# host hywang-137 192.168.109.137
Using domain server:
Name: 192.168.109.137
Address: 192.168.109.137#53
Aliases:

hywang-137.host.com has address 192.168.109.137
[root@hywang-137 named]#
2.2.3. Change the DNS server on the hosts
Change the DNS server address on every host (here: 192.168.109.137-139 and the local Windows machine)
vim /etc/sysconfig/network-scripts/ifcfg-ens33
Change DNS1=192.168.109.2 to DNS1=192.168.109.137
Restart the network: systemctl restart network
Check the configuration:
[root@hywang-137 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 192.168.109.137
nameserver 8.8.8.8
[root@hywang-137 ~]#
Ping the hostnames between machines to confirm they resolve correctly.
2.3. Root certificate preparation
Download the tools on hywang-137.host.com
[root@hywang-137 bin]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@hywang-137 bin]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssl-json
[root@hywang-137 bin]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
[root@hywang-137 bin]# chmod u+x /usr/local/bin/cfssl*
Issue the root certificate on hywang-137.host.com
[root@hywang-137 bin]# mkdir /opt/certs/
[root@hywang-137 bin]# cd /opt/certs/
[root@hywang-137 certs]# vim /opt/certs/ca-csr.json
# CN is usually the domain name; browsers verify it
# names holds the region and organisation information
# expiry is the validity period
{
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}
Root certificate generation:
[root@hywang-137 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/06/19 16:43:10 [INFO] generating a new CA key and certificate from CSR
2020/06/19 16:43:10 [INFO] generate received request
2020/06/19 16:43:10 [INFO] received CSR
2020/06/19 16:43:10 [INFO] generating key: rsa-2048
2020/06/19 16:43:10 [INFO] encoded CSR
2020/06/19 16:43:10 [INFO] signed certificate with serial number 242587203587639555281329885323278473608769912563
[root@hywang-137 certs]#
[root@hywang-137 certs]# ll
总用量 16
-rw-r--r-- 1 root root  993 6月  19 16:43 ca.csr
-rw-r--r-- 1 root root  328 6月  19 16:42 ca-csr.json
-rw------- 1 root root 1679 6月  19 16:43 ca-key.pem
-rw-r--r-- 1 root root 1346 6月  19 16:43 ca.pem
[root@hywang-137 certs]#
2.4. Docker environment preparation
Docker must be installed on hywang-137, hywang-138 and hywang-139; hywang-137 is used as the example.
# The bip subnet differs on each machine: its middle two octets equal the host's last two octets, which makes it easy to tell which host a pod is on when troubleshooting
# Note: identical bip values would give pods on different hosts the same IPs; changing bip later requires restarting the network (check docker0 with ip a)
[root@hywang-137 ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@hywang-137 ~]# yum install -y docker-ce
[root@hywang-137 ~]# mkdir /etc/docker/
# The Harbor address is added to insecure-registries
[root@hywang-137 ~]# vim /etc/docker/daemon.json
{
    "graph": "/data/docker",
    "storage-driver": "overlay2",
    "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
    "registry-mirrors": ["https://registry.docker-cn.com"],
    "bip": "172.109.137.1/24",
    "exec-opts": ["native.cgroupdriver=systemd"],
    "live-restore": true
}
[root@hywang-137 ~]# mkdir -p /data/docker
[root@hywang-137 ~]# systemctl start docker
[root@hywang-137 ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@hywang-137 ~]#
2.5. Install Harbor
Official site: https://goharbor.io/
Download: https://github.com/goharbor/harbor/releases
2.5.1. Install Harbor on hywang-137.host.com
# Directory layout:
#   /opt/src     : source code and download directory
#   /opt/release : each installed software version
#   /opt/apps    : symlinks to the current version of each piece of software
[root@hywang-137 opt]# mkdir /opt/src
[root@hywang-137 opt]# cd /opt/src/
[root@hywang-137 src]# wget https://github.com/goharbor/harbor/releases/download/v1.9.4/harbor-offline-installer-v1.9.4.tgz
[root@hywang-137 src]# tar -zxf harbor-offline-installer-v1.9.4.tgz
[root@hywang-137 opt]# mkdir /opt/release
[root@hywang-137 src]# mv harbor /opt/release/harbor-v1.9.4
[root@hywang-137 src]# mkdir -p /opt/apps
[root@hywang-137 src]# ln -s /opt/release/harbor-v1.9.4 /opt/apps/harbor
# Only the settings below are changed in the lab; in production the password must be changed as well
[root@hywang-137 ~]# mkdir -p /data/harbor/logs
[root@hywang-137 src]# vim /opt/apps/harbor/harbor.yml
hostname: harbor.od.com
http:
  port: 180
data_volume: /data/harbor
location: /data/harbor/logs
[root@hywang-137 src]# yum install -y docker-compose
[root@hywang-137 src]# cd /opt/apps/harbor/
[root@hywang-137 harbor]# ./install.sh
[root@hywang-137 harbor]# docker-compose ps
      Name                     Command               State             Ports
--------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up
harbor-db           /docker-entrypoint.sh            Up      5432/tcp
harbor-jobservice   /harbor/harbor_jobservice ...    Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up      8080/tcp
nginx               nginx -g daemon off;             Up      0.0.0.0:180->8080/tcp
redis               redis-server /etc/redis.conf     Up      6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp
registryctl         /harbor/start.sh                 Up
[root@hywang-137 harbor]#
Make Harbor start at boot:
[root@hywang-137 harbor]# vim /etc/rc.d/rc.local
# append the following
# start harbor
cd /opt/apps/harbor
/usr/bin/docker-compose stop
/usr/bin/docker-compose start
2.5.2. Install nginx on hdss7-200
Install nginx as a reverse proxy in front of Harbor
[root@hywang-137 ~]# yum -y install nginx
[root@hywang-137 conf.d]# vim /etc/nginx/conf.d/harbor.conf
server {
    listen       80;
    server_name  harbor.od.com;
    # avoid upload failures for large layers
    client_max_body_size 1000m;
    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
[root@hywang-137 conf.d]# nginx -t
[root@hywang-137 conf.d]# systemctl start nginx
[root@hywang-137 conf.d]# systemctl enable nginx
Configure DNS resolution on hywang-137.host.com
[root@hywang-137 conf.d]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.od.com. dnsadmin.od.com. (
                2020061902 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS   dns.od.com.
$TTL 60     ; 1 minute
dns         A   192.168.109.137
harbor      A   192.168.109.137
# The serial must be incremented
[root@hywang-137 conf.d]# systemctl restart named.service   # reload does not pick up the change
[root@hywang-137 conf.d]# host harbor.od.com
harbor.od.com has address 192.168.109.137
[root@hywang-137 conf.d]#
Test in a browser: harbor.od.com (user: admin, password: Harbor12345)
Create a project: public
Test Harbor
[root@hywang-137 harbor]# docker pull nginx   # pull an nginx image
[root@hywang-137 ~]# docker image tag nginx:latest harbor.od.com/public/nginx:latest   # tag it for the private registry
Log in to Harbor:
[root@hywang-137 ~]# docker login -u admin harbor.od.com
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@hywang-137 ~]#
Push the image to the private Harbor registry:
[root@hywang-137 ~]# docker image push harbor.od.com/public/nginx:latest
[root@hywang-137 ~]# docker logout
3. Master node installation
3.1. Install etcd
etcd's leader election requires an odd number of members, at least three. This installation involves hywang-137, hywang-138 and hywang-139.
3.1.1. Issue the etcd certificate
Certificate-issuing server: hywang-137.host.com
Create the CA signing config: /opt/certs/ca-config.json
server: the certificate a server presents when a client connects, used by the client to verify the server's identity
client: the certificate a client presents when connecting to a server, used by the server to verify the client's identity
peer: the certificate used for mutual connections, e.g. between etcd members verifying each other
[root@hywang-137 certs]# vim /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
Create the etcd certificate request: /opt/certs/etcd-peer-csr.json
The key part is hosts: add every address that may ever run etcd to the hosts list. CIDR ranges cannot be used, and adding an etcd server later means reissuing the certificate.
[root@hywang-137 certs]# vim /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.109.137",
        "192.168.109.138",
        "192.168.109.139",
        "192.168.109.140",
        "192.168.109.141"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
Issue the certificate
[root@hywang-137 certs]# cd /opt/certs/
[root@hywang-137 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
2020/06/20 15:34:49 [INFO] generate received request
2020/06/20 15:34:49 [INFO] received CSR
2020/06/20 15:34:49 [INFO] generating key: rsa-2048
2020/06/20 15:34:49 [INFO] encoded CSR
2020/06/20 15:34:49 [INFO] signed certificate with serial number 175824685461041592573788580843312206282798897328
2020/06/20 15:34:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@hywang-137 certs]#
3.1.2. Install etcd
etcd: https://github.com/etcd-io/etcd/
Version used in this lab: etcd-v3.1.20-linux-amd64.tar.gz
This installation involves hywang-137, hywang-138 and hywang-139
Download etcd
[root@hywang-137 ~]# useradd -s /sbin/nologin -M etcd
[root@hywang-137 ~]# cd /opt/src/
[root@hywang-137 src]# wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz
[root@hywang-137 src]# tar -zxf etcd-v3.1.20-linux-amd64.tar.gz
[root@hywang-137 src]# mv etcd-v3.1.20-linux-amd64 /opt/release/etcd-v3.1.20
[root@hywang-137 src]# ln -s /opt/release/etcd-v3.1.20 /opt/apps/etcd
[root@hywang-137 src]# mkdir -p /opt/apps/etcd/certs /data/etcd /data/logs/etcd-server
Distribute the certificates to each etcd node
[root@hywang-137 src]# cd /opt/certs/
scp ca.pem etcd-peer.pem etcd-peer-key.pem <node IP>:/opt/apps/etcd/certs/
e.g. [root@hywang-137 certs]# scp ca.pem etcd-peer.pem etcd-peer-key.pem 192.168.109.137:/opt/apps/etcd/certs/
[root@hywang-137 certs]# md5sum /opt/apps/etcd/certs/*
b98dcbd19ed7044d4efba13f8d66d512 /opt/apps/etcd/certs/ca.pem
ea246d131b7c0f6e51fb4326ebf588c6 /opt/apps/etcd/certs/etcd-peer-key.pem
c8b82b1f3f9af36a952a229cbf8ae0ab /opt/apps/etcd/certs/etcd-peer.pem
[root@hywang-137 certs]#
Create the startup script (some parameters differ per machine)
[root@hywang-137 certs]# vim /opt/apps/etcd/etcd-server-startup.sh
#!/bin/sh
# listen-peer-urls: port for communication between etcd members
# listen-client-urls: port for client-to-etcd communication
# quota-backend-bytes: backend storage quota
# Parameters that must be changed on each node: name, listen-peer-urls, listen-client-urls, initial-advertise-peer-urls, advertise-client-urls
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/etcd/etcd --name etcd-server-109-137 \
    --data-dir /data/etcd/etcd-server \
    --listen-peer-urls https://192.168.109.137:2380 \
    --listen-client-urls https://192.168.109.137:2379,http://127.0.0.1:2379 \
    --quota-backend-bytes 8000000000 \
    --initial-advertise-peer-urls https://192.168.109.137:2380 \
    --advertise-client-urls https://192.168.109.137:2379,http://127.0.0.1:2379 \
    --initial-cluster etcd-server-109-137=https://192.168.109.137:2380,etcd-server-109-138=https://192.168.109.138:2380,etcd-server-109-139=https://192.168.109.139:2380 \
    --ca-file ./certs/ca.pem \
    --cert-file ./certs/etcd-peer.pem \
    --key-file ./certs/etcd-peer-key.pem \
    --client-cert-auth \
    --trusted-ca-file ./certs/ca.pem \
    --peer-ca-file ./certs/ca.pem \
    --peer-cert-file ./certs/etcd-peer.pem \
    --peer-key-file ./certs/etcd-peer-key.pem \
    --peer-client-cert-auth \
    --peer-trusted-ca-file ./certs/ca.pem \
    --log-output stdout
[root@hywang-137 etcd]# chmod u+x /opt/apps/etcd/etcd-server-startup.sh
[root@hywang-137 etcd]# chown -R etcd.etcd /opt/apps/etcd/ /data/etcd /data/logs/etcd-server
3.1.3. Start etcd
These processes all have to run in the background, either started by hand or under a process manager; this lab uses a process manager (supervisor).
Install supervisor:
[root@hywang-137 etcd]# yum install -y supervisor
[root@hywang-137 etcd]# systemctl start supervisord
[root@hywang-137 etcd]# systemctl enable supervisord
[root@hywang-137 etcd]# vim /etc/supervisord.d/etcd-server.ini
[program:etcd-server-109-137]
command=/opt/apps/etcd/etcd-server-startup.sh                  ; the program (relative uses PATH, can take args)
numprocs=1                                                     ; number of processes copies to start (def 1)
directory=/opt/apps/etcd                                       ; directory to cwd to before exec (def no cwd)
autostart=true                                                 ; start at supervisord start (default: true)
autorestart=true                                               ; restart at unexpected quit (default: true)
startsecs=30                                                   ; number of secs prog must stay running (def. 1)
startretries=3                                                 ; max # of serial start failures (default 3)
exitcodes=0,2                                                  ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                ; signal used to kill process (default TERM)
stopwaitsecs=10                                                ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                                      ; setuid to this UNIX account to run the program
redirect_stderr=true                                           ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log          ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                   ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5                                       ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                    ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                    ; emit events on stdout writes (default false)
[root@hywang-137 etcd]# supervisorctl update
Check the etcd process status
[root@hywang-137 etcd]# supervisorctl status
[root@hywang-137 etcd]# netstat -lntp|grep etcd
Once the cluster is up, check it with the following commands (the leader changes as etcd members restart):
[root@hywang-137 etcd]# /opt/apps/etcd/etcdctl member list
or
[root@hywang-137 etcd]# /opt/apps/etcd/etcdctl cluster-health
Starting and stopping etcd
[root@hywang-137 etcd]# supervisorctl start etcd-server-109-137
[root@hywang-137 etcd]# supervisorctl stop etcd-server-109-137
[root@hywang-137 etcd]# supervisorctl restart etcd-server-109-137
[root@hywang-137 etcd]# supervisorctl status etcd-server-109-137
3.2. Install the apiserver
3.2.1. Download the Kubernetes server binaries
Servers involved for the apiserver: hywang-137, hywang-138
Downloading the Kubernetes binary release requires a suitable download tool.
Open the Kubernetes GitHub page: https://github.com/kubernetes/kubernetes
Open the tags tab: https://github.com/kubernetes/kubernetes/tags
Choose the version to download: https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2
Click CHANGELOG-${version}.md to open the release notes:
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#downloads-for-v1152
Download the Server Binaries: https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz
On hywang-137.host.com
[root@hywang-137 ~]# cd /opt/src
[root@hywang-137 src]# wget https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz
[root@hywang-137 src]# tar -zxf kubernetes-server-linux-amd64.tar.gz
[root@hywang-137 src]# mv kubernetes /opt/release/kubernetes-v1.15.2
[root@hywang-137 src]# ln -s /opt/release/kubernetes-v1.15.2 /opt/apps/kubernetes
[root@hywang-137 src]# cd /opt/apps/kubernetes
[root@hywang-137 kubernetes]# rm -f kubernetes-src.tar.gz
[root@hywang-137 kubernetes]# cd server/bin/
# *.tar and *_tag are container image files
[root@hywang-137 bin]# rm -f *.tar *_tag
3.2.2. Issue certificates
Certificates are issued on hywang-137.host.com
Issue the client certificate (used by the apiserver to talk to etcd)
[root@hywang-137 bin]# cd /opt/certs/
[root@hywang-137 certs]# vim /opt/certs/client-csr.json
{
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hywang-137 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
Issue the server certificate (used by the apiserver to talk to the other k8s components)
# Add every IP that may act as an apiserver to hosts; the VIP 192.168.109.130 must be included as well
[root@hywang-137 certs]# vim /opt/certs/apiserver-csr.json
{
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "192.168.109.137",
        "192.168.109.138",
        "192.168.109.139",
        "192.168.109.140",
        "192.168.109.141",
        "192.168.109.130"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hywang-137 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
Distribute the certificates to hywang-137 and hywang-138
[root@hywang-137 certs]# mkdir /opt/apps/kubernetes/server/bin/certs
[root@hywang-137 certs]# scp apiserver-key.pem apiserver.pem ca-key.pem ca.pem client-key.pem client.pem 192.168.109.137:/opt/apps/kubernetes/server/bin/certs/
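A pre-flight check of the cfssl inputs used for the etcd-peer and apiserver certificates above, added here as an example and not part of the page's own procedure. It embeds the page's ca-config.json and the two CSR files verbatim and confirms what the text requires: the peer profile carries both server auth and client auth (one cert serves as etcd's server and peer identity), every --initial-cluster member and the VIP appear in hosts, the kubernetes.default names and the first address of --service-cluster-ip-range are present, and no hosts entry is a CIDR. ETCD_MEMBERS, APISERVER_VIP and SERVICE_CIDR are taken from the page's startup scripts.

```python
import ipaddress
import json

# The three JSON documents below are the page's own ca-config.json,
# etcd-peer-csr.json and apiserver-csr.json, embedded so the check runs offline.
CA_CONFIG = json.loads("""
{"signing": {"default": {"expiry": "175200h"},
  "profiles": {
    "server": {"expiry": "175200h", "usages": ["signing", "key encipherment", "server auth"]},
    "client": {"expiry": "175200h", "usages": ["signing", "key encipherment", "client auth"]},
    "peer":   {"expiry": "175200h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}}
""")
ETCD_PEER_CSR = json.loads("""
{"CN": "k8s-etcd",
 "hosts": ["192.168.109.137", "192.168.109.138", "192.168.109.139", "192.168.109.140", "192.168.109.141"],
 "key": {"algo": "rsa", "size": 2048},
 "names": [{"C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops"}]}
""")
APISERVER_CSR = json.loads("""
{"CN": "k8s-apiserver",
 "hosts": ["127.0.0.1", "192.168.0.1", "kubernetes.default", "kubernetes.default.svc",
           "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local",
           "192.168.109.137", "192.168.109.138", "192.168.109.139", "192.168.109.140",
           "192.168.109.141", "192.168.109.130"],
 "key": {"algo": "rsa", "size": 2048},
 "names": [{"C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops"}]}
""")

# Values the certificates must cover, taken from the page's startup scripts.
ETCD_MEMBERS = ["192.168.109.137", "192.168.109.138", "192.168.109.139"]  # --initial-cluster
APISERVER_VIP = "192.168.109.130"                                          # keepalived VIP
SERVICE_CIDR = "192.168.0.0/24"                                            # --service-cluster-ip-range
KUBERNETES_SVC_NAMES = ["kubernetes.default", "kubernetes.default.svc",
                        "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"]


def profile_usages(ca_config, profile):
    """Key usages cfssl will place into certificates signed with `profile`."""
    return set(ca_config["signing"]["profiles"][profile]["usages"])


def cidr_hosts(csr):
    """cfssl 'hosts' entries become literal SANs; a CIDR here is silently useless."""
    return [h for h in csr["hosts"] if "/" in h]


def missing_hosts(csr, required):
    return [h for h in required if h not in csr["hosts"]]


def check_etcd_peer(csr, ca_config):
    """Problems that would make the etcd-peer certificate fail at etcd start-up."""
    problems = []
    usages = profile_usages(ca_config, "peer")
    # The same cert is used as server identity (--cert-file) and as peer/client
    # identity (--peer-cert-file), so the peer profile needs both EKUs.
    for needed in ("server auth", "client auth"):
        if needed not in usages:
            problems.append("peer profile lacks %r" % needed)
    problems += ["CIDR in hosts: " + h for h in cidr_hosts(csr)]
    problems += ["etcd member missing from hosts: " + h for h in missing_hosts(csr, ETCD_MEMBERS)]
    return problems


def check_apiserver(csr, ca_config):
    """Problems that would make clients reject the apiserver certificate."""
    problems = []
    if "server auth" not in profile_usages(ca_config, "server"):
        problems.append("server profile lacks 'server auth'")
    # The first usable address of the service CIDR is the in-cluster 'kubernetes' Service IP.
    svc_ip = str(next(ipaddress.ip_network(SERVICE_CIDR).hosts()))
    required = ["127.0.0.1", APISERVER_VIP, svc_ip] + KUBERNETES_SVC_NAMES
    problems += ["CIDR in hosts: " + h for h in cidr_hosts(csr)]
    problems += ["required SAN missing: " + h for h in missing_hosts(csr, required)]
    return problems


if __name__ == "__main__":
    for name, problems in (("etcd-peer", check_etcd_peer(ETCD_PEER_CSR, CA_CONFIG)),
                           ("apiserver", check_apiserver(APISERVER_CSR, CA_CONFIG))):
        print(name, "OK" if not problems else problems)
```

Run it before `cfssl gencert`; each reported problem is one that would otherwise only surface as a TLS handshake failure after the services are started.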
3.2.3. Configure apiserver audit logging
Servers involved for the apiserver: hywang-137, hywang-138
[root@hywang-137 certs]# mkdir /opt/apps/kubernetes/conf
[root@hywang-137 certs]# mkdir -p /data/logs/kubernetes/kube-apiserver/
# After opening the file in vim, run :set paste to avoid auto-indentation
[root@hywang-137 certs]# vim /opt/apps/kubernetes/conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"
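To see which events the policy above actually produces, here is a small evaluator added as an example (it is not kube-apiserver code and not part of the page). It restates the page's audit.yaml as Python dicts so it runs offline without a YAML parser, and applies the apiserver's rule semantics for the selectors this policy uses: rules are tried in order, the first match decides the level, and a request matching no rule yields no event. SAMPLE_REQUESTS are constructed inputs.

```python
# The page's audit.yaml rules, in order, as Python dicts.
POLICY_RULES = [
    {"level": "RequestResponse", "resources": [{"group": "", "resources": ["pods"]}]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["pods/log", "pods/status"]}]},
    {"level": "None", "resources": [{"group": "", "resources": ["configmaps"],
                                     "resourceNames": ["controller-leader"]}]},
    {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
     "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
    {"level": "None", "userGroups": ["system:authenticated"], "nonResourceURLs": ["/api*", "/version"]},
    {"level": "Request", "namespaces": ["kube-system"], "resources": [{"group": "", "resources": ["configmaps"]}]},
    {"level": "Metadata", "resources": [{"group": "", "resources": ["secrets", "configmaps"]}]},
    {"level": "Request", "resources": [{"group": ""}, {"group": "extensions"}]},
    {"level": "Metadata"},  # catch-all
]


def _group_resource_matches(gr, req):
    """One entry of a rule's `resources` list against a resource request."""
    if gr["group"] != req["group"]:
        return False
    names = gr.get("resources")
    # An empty list matches every resource in the group. A subresource request is
    # carried as "pods/log", so the plain "pods" rule does not match it.
    if names and req["resource"] not in names:
        return False
    rnames = gr.get("resourceNames")
    if rnames and req.get("name") not in rnames:
        return False
    return True


def _url_matches(pattern, url):
    """nonResourceURLs support a trailing '*' wildcard, e.g. "/api*"."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def rule_matches(rule, req):
    """True if every selector present in `rule` accepts the request."""
    is_resource = "resource" in req
    if rule.get("users") and req["user"] not in rule["users"]:
        return False
    if rule.get("userGroups") and not set(rule["userGroups"]) & set(req.get("groups", ())):
        return False
    if rule.get("verbs") and req["verb"] not in rule["verbs"]:
        return False
    if rule.get("namespaces") and req.get("namespace") not in rule["namespaces"]:
        return False
    if rule.get("resources"):
        if not is_resource or not any(_group_resource_matches(gr, req) for gr in rule["resources"]):
            return False
    if rule.get("nonResourceURLs"):
        if is_resource or not any(_url_matches(p, req["url"]) for p in rule["nonResourceURLs"]):
            return False
    return True


def audit_level(req, rules=POLICY_RULES):
    """Level of the audit event this request produces ("None" means no event at all)."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule["level"]
    return "None"


# Constructed sample requests: resource requests carry group/resource/namespace,
# non-resource requests carry url.
AUTH = ["system:authenticated"]
SAMPLE_REQUESTS = {
    "kubectl create pod":          {"user": "alice", "groups": AUTH, "verb": "create",
                                    "group": "", "resource": "pods", "namespace": "default"},
    "read pod logs":               {"user": "alice", "groups": AUTH, "verb": "get",
                                    "group": "", "resource": "pods/log", "namespace": "default"},
    "leader-election configmap":   {"user": "system:kube-controller-manager", "groups": AUTH, "verb": "update",
                                    "group": "", "resource": "configmaps", "namespace": "kube-system",
                                    "name": "controller-leader"},
    "kube-proxy watches services": {"user": "system:kube-proxy", "groups": AUTH, "verb": "watch",
                                    "group": "", "resource": "services", "namespace": ""},
    "read a secret":               {"user": "alice", "groups": AUTH, "verb": "get",
                                    "group": "", "resource": "secrets", "namespace": "default", "name": "db-pass"},
    "create service":              {"user": "alice", "groups": AUTH, "verb": "create",
                                    "group": "", "resource": "services", "namespace": "default"},
    "GET /version (authenticated)": {"user": "alice", "groups": AUTH, "verb": "get", "url": "/version"},
    "GET /healthz (anonymous)":    {"user": "system:anonymous", "groups": ["system:unauthenticated"],
                                    "verb": "get", "url": "/healthz"},
    "apps/v1 deployment":          {"user": "alice", "groups": AUTH, "verb": "create",
                                    "group": "apps", "resource": "deployments", "namespace": "default"},
}


def levels_for_samples():
    return {name: audit_level(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, level in levels_for_samples().items():
        print("%-30s -> %s" % (name, level))
```

Note that reading a Secret is logged only at Metadata level, and that apps/v1 resources fall through to the catch-all, not to the `extensions` rule.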
3.2.4. Configure the startup script
Servers involved for the apiserver: hywang-137, hywang-138
Create the startup script
[root@hywang-137 certs]# vim /opt/apps/kubernetes/server/bin/kube-apiserver-startup.sh
#!/bin/bash
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/kubernetes/server/bin/kube-apiserver \
    --apiserver-count 2 \
    --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
    --audit-policy-file ../../conf/audit.yaml \
    --authorization-mode RBAC \
    --client-ca-file ./certs/ca.pem \
    --requestheader-client-ca-file ./certs/ca.pem \
    --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
    --etcd-cafile ./certs/ca.pem \
    --etcd-certfile ./certs/client.pem \
    --etcd-keyfile ./certs/client-key.pem \
    --etcd-servers https://192.168.109.137:2379,https://192.168.109.138:2379,https://192.168.109.139:2379 \
    --service-account-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/24 \
    --service-node-port-range 3000-29999 \
    --target-ram-mb=1024 \
    --kubelet-client-certificate ./certs/client.pem \
    --kubelet-client-key ./certs/client-key.pem \
    --log-dir /data/logs/kubernetes/kube-apiserver \
    --tls-cert-file ./certs/apiserver.pem \
    --tls-private-key-file ./certs/apiserver-key.pem \
    --v 2
Configure supervisor
[root@hywang-137 certs]# vim /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-109-137]
command=/opt/apps/kubernetes/server/bin/kube-apiserver-startup.sh
numprocs=1
directory=/opt/apps/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@hywang-137 certs]# chmod +x /opt/apps/kubernetes/server/bin/kube-apiserver-startup.sh
[root@hywang-137 certs]# supervisorctl update
[root@hywang-137 bin]# supervisorctl status
Start/stop commands for the apiserver:
[root@hywang-137 kube-apiserver]# supervisorctl stop kube-apiserver-109-137
[root@hywang-137 kube-apiserver]# supervisorctl start kube-apiserver-109-137
[root@hywang-137 kube-apiserver]# supervisorctl restart kube-apiserver-109-137
[root@hywang-137 kube-apiserver]# supervisorctl status kube-apiserver-109-137
Check the process:
[root@hywang-137 bin]# netstat -lntp|grep api
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      73863/kube-apiserve
tcp6       0      0 :::6443                 :::*                    LISTEN      73863/kube-apiserve
[root@hywang-137 bin]#
[root@hywang-137 bin]# ps uax|grep kube-apiserver|grep -v grep
3.3. Configure the apiserver L4 proxy
3.3.1. nginx configuration
Servers involved for the L4 proxy: hywang-137, hywang-138
# Append the following at the end of the file; the stream block can only be placed in the main context
# This is only a minimal nginx configuration; in production, configure it more carefully
[root@hywang-137 bin]# vim /etc/nginx/nginx.conf
stream {
    log_format proxy '$time_local|$remote_addr|$upstream_addr|$protocol|$status|'
                     '$session_time|$upstream_connect_time|$bytes_sent|$bytes_received|'
                     '$upstream_bytes_sent|$upstream_bytes_received' ;

    upstream kube-apiserver {
        server 192.168.109.137:6443 max_fails=3 fail_timeout=30s;
        server 192.168.109.138:6443 max_fails=3 fail_timeout=30s;
    }
    server {
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
        access_log /var/log/nginx/proxy.log proxy;
    }
}
[root@hywang-137 bin]# nginx -t
[root@hywang-137 bin]# systemctl restart nginx
[root@hywang-137 bin]# systemctl enable nginx
3.3.2. keepalived configuration
Servers involved for the apiserver L4 proxy: hywang-137, hywang-138
Install keepalived
[root@hywang-137 bin]# yum install -y keepalived
# Health-check script
[root@hywang-137 keepalived]# vim /etc/keepalived/check_port.sh
#!/bin/bash
# Exit 0 if something is listening on the given TCP port, 1 otherwise
if [ $# -eq 1 ] && [[ $1 =~ ^[0-9]+$ ]]; then
    [ $(netstat -lntp | grep ":$1 " | wc -l) -eq 0 ] && echo "[ERROR] nginx may be not running!" && exit 1 || exit 0
else
    echo "[ERROR] need one port!"
    exit 1
fi
[root@hywang-137 keepalived]# chmod +x /etc/keepalived/check_port.sh
Configure the master node: /etc/keepalived/keepalived.conf
nopreempt must be set on the master node.
If network jitter causes the VIP to fail over, it must not be allowed to float back automatically; the cause has to be analysed first, and only then is the VIP moved back to the master manually. Once the master is confirmed healthy, restart keepalived on the backup node so that the VIP returns to the master.
keepalived log output configuration is omitted here; it must be handled in production.
! Configuration File for keepalived
global_defs {
    router_id 192.168.109.137
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 192.168.109.137
    nopreempt
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        192.168.109.130
    }
}
Configure the backup node: /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id 192.168.109.138
}
vrrp_script chk_nginx {
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    virtual_router_id 251
    mcast_src_ip 192.168.109.138
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
        chk_nginx
    }
    virtual_ipaddress {
        192.168.109.130
    }
}
Start keepalived
[root@hywang-137 keepalived]# systemctl start keepalived
[root@hywang-137 keepalived]# systemctl enable keepalived
[root@hywang-137 keepalived]# ip a show ens33
3.4. Install controller-manager
Servers involved for controller-manager: hywang-137, hywang-138
controller-manager is configured to talk only to the local apiserver over 127.0.0.1, so no TLS certificates are configured for it.
[root@hywang-137 keepalived]# vim /opt/apps/kubernetes/server/bin/kube-controller-manager-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/kubernetes/server/bin/kube-controller-manager \
    --cluster-cidr 172.7.0.0/16 \
    --leader-elect true \
    --log-dir /data/logs/kubernetes/kube-controller-manager \
    --master http://127.0.0.1:8080 \
    --service-account-private-key-file ./certs/ca-key.pem \
    --service-cluster-ip-range 192.168.0.0/24 \
    --root-ca-file ./certs/ca.pem \
    --v 2
[root@hywang-137 keepalived]# chmod u+x /opt/apps/kubernetes/server/bin/kube-controller-manager-startup.sh
[root@hywang-138 keepalived]# vim /etc/supervisord.d/kube-controller-manager.ini
[program:kube-controller-manager-109-137]
command=/opt/apps/kubernetes/server/bin/kube-controller-manager-startup.sh                    ; the program (relative uses PATH, can take args)
numprocs=1                                                                                    ; number of processes copies to start (def 1)
directory=/opt/apps/kubernetes/server/bin                                                     ; directory to cwd to before exec (def no cwd)
autostart=true                                                                                ; start at supervisord start (default: true)
autorestart=true                                                                              ; restart at unexpected quit (default: true)
startsecs=30                                                                                  ; number of secs prog must stay running (def. 1)
startretries=3                                                                                ; max # of serial start failures (default 3)
exitcodes=0,2                                                                                 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                                               ; signal used to kill process (default TERM)
stopwaitsecs=10                                                                               ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                                                     ; setuid to this UNIX account to run the program
redirect_stderr=true                                                                          ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log            ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                                                  ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                                      ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                                                   ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                                                   ; emit events on stdout writes (default false)
[root@hywang-137 keepalived]# mkdir -pv /data/logs/kubernetes/kube-controller-manager/
[root@hywang-137 keepalived]# supervisorctl update
[root@hywang-137 keepalived]# supervisorctl status
3.5. Install kube-scheduler
Servers involved for kube-scheduler: hywang-137, hywang-138
kube-scheduler is configured to talk only to the local apiserver over 127.0.0.1, so no TLS certificates are configured for it.
[root@hywang-137 keepalived]# vim /opt/apps/kubernetes/server/bin/kube-scheduler-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/kubernetes/server/bin/kube-scheduler \
    --leader-elect \
    --log-dir /data/logs/kubernetes/kube-scheduler \
    --master http://127.0.0.1:8080 \
    --v 2
[root@hywang-137 ~]# chmod u+x /opt/apps/kubernetes/server/bin/kube-scheduler-startup.sh
[root@hywang-137 ~]# mkdir -p /data/logs/kubernetes/kube-scheduler
[root@hywang-137 ~]# vim /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-109-137]
command=/opt/apps/kubernetes/server/bin/kube-scheduler-startup.sh
numprocs=1
directory=/opt/apps/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=4
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@hywang-137 ~]# supervisorctl update
[root@hywang-137 ~]# supervisorctl status
3.6. Check the master node status
[root@hywang-137 ~]# ln -s /opt/apps/kubernetes/server/bin/kubectl /usr/local/bin/
[root@hywang-137 ~]# kubectl get cs
4. Worker node deployment
4.1. Deploy kubelet
4.1.1. Issue the certificate
Certificates are issued on hywang-137.host.com
[root@hywang-137 ~]# cd /opt/certs/
# Add the IP of every machine that may run a kubelet to hosts
[root@hywang-137 certs]# vim kubelet-csr.json
{
    "CN": "k8s-kubelet",
    "hosts": [
        "127.0.0.1",
        "192.168.109.137",
        "192.168.109.138",
        "192.168.109.139",
        "192.168.109.140",
        "192.168.109.141",
        "192.168.109.142",
        "192.168.109.143",
        "192.168.109.144",
        "192.168.109.130"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
[root@hywang-137 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet
[root@hywang-137 certs]# scp kubelet.pem kubelet-key.pem 192.168.109.137:/opt/apps/kubernetes/server/bin/certs/
[root@hywang-137 certs]# scp kubelet.pem kubelet-key.pem 192.168.109.138:/opt/apps/kubernetes/server/bin/certs/
4.1.2. Create the kubelet configuration
The kubelet configuration is done on hywang-137 and hywang-138
set-cluster  # define the cluster to connect to; several clusters can be defined
kubectl config set-cluster myk8s \
    --certificate-authority=/opt/apps/kubernetes/server/bin/certs/ca.pem \
    --embed-certs=true \
    --server=https://192.168.109.130:7443 \
    --kubeconfig=/opt/apps/kubernetes/conf/kubelet.kubeconfig
set-credentials  # define the user account, i.e. the client key and certificate used to log in; several can be defined
kubectl config set-credentials k8s-node \
    --client-certificate=/opt/apps/kubernetes/server/bin/certs/client.pem \
    --client-key=/opt/apps/kubernetes/server/bin/certs/client-key.pem \
    --embed-certs=true \
    --kubeconfig=/opt/apps/kubernetes/conf/kubelet.kubeconfig
set-context  # define the context, i.e. the mapping between account and cluster
kubectl config set-context myk8s-context \
    --cluster=myk8s \
    --user=k8s-node \
    --kubeconfig=/opt/apps/kubernetes/conf/kubelet.kubeconfig
use-context  # select the context currently in use
[root@hywang-137 certs]# kubectl config use-context myk8s-context --kubeconfig=/opt/apps/kubernetes/conf/kubelet.kubeconfig
4.1.3. Authorize the k8s-node user
This step only needs to be run on one master node
Bind the k8s-node user to the cluster role system:node so that k8s-node gets the permissions of a worker node
[root@hywang-137 ~]# vim k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node
[root@hywang-137 ~]# kubectl create -f k8s-node.yaml
[root@hywang-137 ~]# kubectl get clusterrolebinding k8s-node
4.1.4. Prepare the pause image
docker image pull kubernetes/pause
docker image tag kubernetes/pause:latest harbor.od.com/public/pause:latest
docker login -u admin harbor.od.com
docker image push harbor.od.com/public/pause:latest
4.1.5. Create the startup script
Create the script on the node machines and start kubelet; servers involved: (hywang-137, hywang-138)
[root@hywang-137 ~]# vim /opt/apps/kubernetes/server/bin/kubelet-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/kubernetes/server/bin/kubelet \
  --anonymous-auth=false \
  --cgroup-driver systemd \
  --cluster-dns 192.168.0.2 \
  --cluster-domain cluster.local \
  --runtime-cgroups=/systemd/system.slice \
  --kubelet-cgroups=/systemd/system.slice \
  --fail-swap-on="false" \
  --client-ca-file ./certs/ca.pem \
  --tls-cert-file ./certs/kubelet.pem \
  --tls-private-key-file ./certs/kubelet-key.pem \
  --hostname-override hywang-137.host.com \
  --image-gc-high-threshold 20 \
  --image-gc-low-threshold 10 \
  --kubeconfig ../../conf/kubelet.kubeconfig \
  --log-dir /data/logs/kubernetes/kube-kubelet \
  --pod-infra-container-image harbor.od.com/public/pause:latest \
  --root-dir /data/kubelet
# on hywang-138 change --hostname-override to hywang-138.host.com
[root@hywang-137 ~]# chmod u+x /opt/apps/kubernetes/server/bin/kubelet-startup.sh
[root@hywang-137 ~]# mkdir -p /data/logs/kubernetes/kube-kubelet /data/kubelet
[root@hywang-137 ~]# vim /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-109-137]
command=/opt/apps/kubernetes/server/bin/kubelet-startup.sh
numprocs=1
directory=/opt/apps/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@hywang-137 ~]# supervisorctl update
[root@hywang-137 ~]# supervisorctl status
[root@hywang-137 certs]# kubectl get node
4.1.6. Set the node roles
The node role shown by kubectl get nodes is empty; it can be set as follows:
[root@hywang-137 certs]# kubectl label node hywang-137.host.com node-role.kubernetes.io/node=
[root@hywang-137 certs]# kubectl label node hywang-138.host.com node-role.kubernetes.io/node=
[root@hywang-137 certs]# kubectl label node hywang-137.host.com node-role.kubernetes.io/master=
[root@hywang-137 certs]# kubectl label node hywang-138.host.com node-role.kubernetes.io/master=
Each machine serves both as a control-plane node and as a worker node.
4.2. kube-proxy deployment
4.2.1. Issue the certificate
Certificate issuance is done on hywang-137.host.com.
[root@hywang-137 certs]# cd /opt/certs/
[root@hywang-137 certs]# vim kube-proxy-csr.json # the CN is effectively the role (user name) inside k8s
{
  "CN": "system:kube-proxy",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "od",
      "OU": "ops"
    }
  ]
}
[root@hywang-137 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
# kube-proxy runs as the user kube-proxy, so it cannot reuse the generic client certificate; its own certificate must be issued
[root@hywang-137 certs]# ls kube-proxy-c* -l
[root@hywang-137 certs]# scp kube-proxy-client-key.pem kube-proxy-client.pem 192.168.109.137:/opt/apps/kubernetes/server/bin/certs/
[root@hywang-137 certs]# scp kube-proxy-client-key.pem kube-proxy-client.pem 192.168.109.138:/opt/apps/kubernetes/server/bin/certs/
4.2.2. Create the kube-proxy configuration
Create it on all node machines; servers involved: (hywang-137, hywang-138)
kubectl config set-cluster myk8s \
  --certificate-authority=/opt/apps/kubernetes/server/bin/certs/ca.pem \
  --embed-certs=true \
  --server=https://192.168.109.130:7443 \
  --kubeconfig=/opt/apps/kubernetes/conf/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=/opt/apps/kubernetes/server/bin/certs/kube-proxy-client.pem \
  --client-key=/opt/apps/kubernetes/server/bin/certs/kube-proxy-client-key.pem \
  --embed-certs=true \
  --kubeconfig=/opt/apps/kubernetes/conf/kube-proxy.kubeconfig
kubectl config set-context myk8s-context \
  --cluster=myk8s \
  --user=kube-proxy \
  --kubeconfig=/opt/apps/kubernetes/conf/kube-proxy.kubeconfig
[root@hywang-137 certs]# kubectl config use-context myk8s-context --kubeconfig=/opt/apps/kubernetes/conf/kube-proxy.kubeconfig
4.2.3. Load the ipvs modules
kube-proxy has three traffic scheduling modes: userspace, iptables and ipvs; ipvs performs best.
[root@hywang-137 certs]# for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1&& /sbin/modprobe $i;done
[root@hywang-137 certs]# lsmod | grep ip_vs # check that the ipvs modules are loaded
4.2.4. Create the startup script
[root@hywang-137 certs]# vim /opt/apps/kubernetes/server/bin/kube-proxy-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/kubernetes/server/bin/kube-proxy \
  --cluster-cidr 172.7.0.0/16 \
  --hostname-override hywang-137.host.com \
  --proxy-mode=ipvs \
  --ipvs-scheduler=nq \
  --kubeconfig ../../conf/kube-proxy.kubeconfig
[root@hywang-137 certs]# chmod u+x /opt/apps/kubernetes/server/bin/kube-proxy-startup.sh
[root@hywang-137 certs]# mkdir -p /data/logs/kubernetes/kube-proxy
[root@hywang-137 certs]# vim /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-109-137]
command=/opt/apps/kubernetes/server/bin/kube-proxy-startup.sh
numprocs=1
directory=/opt/apps/kubernetes/server/bin
autostart=true
autorestart=true
startsecs=30
startretries=3
exitcodes=0,2
stopsignal=QUIT
stopwaitsecs=10
user=root
redirect_stderr=true
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log
stdout_logfile_maxbytes=64MB
stdout_logfile_backups=5
stdout_capture_maxbytes=1MB
stdout_events_enabled=false
[root@hywang-137 certs]# supervisorctl update
4.2.5. Verify the cluster
[root@hywang-137 conf]# supervisorctl status
[root@hywang-137 conf]# yum install -y ipvsadm
[root@hywang-137 conf]# ipvsadm -Ln
Create a resource manifest on any worker node.
Here on host hywang-137.host.com:
[root@hywang-137 conf]# vim /root/nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ds
spec:
  template:
    metadata:
      labels:
        app: nginx-ds
    spec:
      containers:
      - name: my-nginx
        image: nginx:latest
        ports:
        - containerPort: 80
[root@hywang-137 ~]# kubectl create -f nginx-ds.yaml
[root@hywang-137 ~]# kubectl get pods
[root@hywang-137 ~]# kubectl get pods -o wide
From hywang-137.host.com, curl the IPs of the two pods: the local one, 172.109.137.2, is reachable; 172.109.138.3 is not.
Cross-host communication will be solved later by the CNI network plugin.
5. Core add-on deployment
5.1. CNI network plugin
Kubernetes defines the network model, but the concrete implementation of pod-to-pod communication is delegated to CNI network plugins. Common CNI plugins include Flannel, Calico, Canal and Contiv; Flannel and Calico together account for close to 80% of deployments, with Flannel slightly ahead of Calico. This deployment uses Flannel as the network plugin. Machines involved: (hywang-137, hywang-138)
5.1.1. Install Flannel
GitHub address: https://github.com/coreos/flannel/releases
Machines involved: (hywang-137, hywang-138)
[root@hywang-137 ~]# cd /opt/src/
[root@hywang-137 src]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
# the flannel tarball has no top-level directory, so create one first
[root@hywang-137 src]# mkdir /opt/release/flannel-v0.11.0
[root@hywang-137 src]# tar -zxf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/release/flannel-v0.11.0
[root@hywang-137 src]# ln -s /opt/release/flannel-v0.11.0 /opt/apps/flannel
5.1.2. Copy the certificates
# flannel accesses etcd as a client and needs the corresponding certificates
[root@hywang-137 src]# mkdir /opt/apps/flannel/certs
[root@hywang-137 src]# cd /opt/certs/
[root@hywang-137 certs]# scp ca.pem client-key.pem client.pem 192.168.109.137:/opt/apps/flannel/certs/
[root@hywang-137 certs]# scp ca.pem client-key.pem client.pem 192.168.109.138:/opt/apps/flannel/certs/
5.1.3. Create the startup script
Machines involved: (hywang-137, hywang-138)
# Create the subnet information. The subnet shown is for hywang-137.host.com and must be changed on each host; all of them sit inside one large network (FLANNEL_NETWORK=172.109.0.0/16)
[root@hywang-137 ~]# vim /opt/apps/flannel/subnet.env
FLANNEL_NETWORK=172.109.0.0/16
FLANNEL_SUBNET=172.109.137.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false
# Set the flannel backend model. There are three: host-gw; vxlan (the mode flannel recommends; the network devices in between must support the vxlan protocol); udp.
In practice the k8s machines are usually behind the same gateway, so the host-gw model can be used; host-gw is what is configured below:
Write the network configuration into etcd; this only needs to be done on one etcd node.
[root@hywang-137 ~]# /opt/apps/etcd/etcdctl set /coreos.com/network/config '{"Network": "172.109.0.0/16", "Backend": {"Type": "host-gw"}}'
[root@hywang-137 ~]# /opt/apps/etcd/etcdctl get /coreos.com/network/config
# public-ip is the IP of the local host; iface is the host's outward-facing network interface
[root@hywang-137 ~]# vim /opt/apps/flannel/flannel-startup.sh
#!/bin/sh
WORK_DIR=$(dirname $(readlink -f $0))
[ $? -eq 0 ] && cd $WORK_DIR || exit
/opt/apps/flannel/flanneld \
  --public-ip=192.168.109.137 \
  --etcd-endpoints=https://192.168.109.137:2379,https://192.168.109.138:2379,https://192.168.109.139:2379 \
  --etcd-keyfile=./certs/client-key.pem \
  --etcd-certfile=./certs/client.pem \
  --etcd-cafile=./certs/ca.pem \
  --iface=ens33 \
  --subnet-file=./subnet.env \
  --healthz-port=2401
[root@hywang-137 ~]# chmod u+x /opt/apps/flannel/flannel-startup.sh
[root@hywang-137 ~]# vim /etc/supervisord.d/flannel.ini
[program:flanneld-109-137]
command=/opt/apps/flannel/flannel-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/apps/flannel ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; restart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@hywang-137 ~]# mkdir -p /data/logs/flanneld/
[root@hywang-137 ~]# supervisorctl update
[root@hywang-137 ~]# supervisorctl status
Note: flannel's host-gw model is essentially just adding a route (similar to: route add -net 172.109.137.0/24 gw 192.168.109.137 dev ens33)
Note: to switch flannel to another model, proceed as follows (analysis only, not carried out in this lab):
supervisorctl stop <the corresponding flanneld program>
ps aux | grep flanneld
route -n
# delete the route
route del -net 172.109.137.0/24 gw 192.168.109.137
# test by pinging a pod IP
# change the backend working mode of flanneld (stored in etcd)
/opt/apps/etcd/etcdctl get /coreos.com/network/config
# delete the old value
/opt/apps/etcd/etcdctl rm /coreos.com/network/config
# write the new one
/opt/apps/etcd/etcdctl set /coreos.com/network/config '{"Network": "172.109.0.0/16", "Backend": {"Type": "VxLAN"}}'
/opt/apps/etcd/etcdctl get /coreos.com/network/config
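The note above says host-gw is "just a route". The following added example (not part of the original page) makes that concrete: it computes the route table each node needs from the subnet leases flannel keeps in etcd, and checks the one prerequisite host-gw has, namely that every node's public IP is on the same L2 segment as the others. The etcd key layout (/coreos.com/network/subnets/<ip>-<prefix> holding a JSON document with PublicIP and BackendType) is reproduced from memory and should be treated as an assumption; the two lease entries are constructed to match the nodes in this lab.

```python
"""Derive host-gw routes from flannel subnet leases and check the L2 prerequisite.

Added example, not from the original page. The etcd key/value layout below is an
assumption about flannel v0.11; the entries themselves are constructed for the
two nodes of this lab.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed sample leases (what etcdctl ls/get under /coreos.com/network/subnets
# would return for the two nodes).
SUBNET_ENTRIES: Dict[str, str] = {
    "/coreos.com/network/subnets/172.109.137.0-24":
        json.dumps({"PublicIP": "192.168.109.137", "BackendType": "host-gw"}),
    "/coreos.com/network/subnets/172.109.138.0-24":
        json.dumps({"PublicIP": "192.168.109.138", "BackendType": "host-gw"}),
}


def parse_leases(entries: Dict[str, str]):
    """Return {pod_subnet: gateway_ip} from the etcd key/value pairs."""
    leases = {}
    for key, value in entries.items():
        ip, prefix = key.rsplit("/", 1)[1].rsplit("-", 1)   # "172.109.137.0-24"
        subnet = ipaddress.ip_network(f"{ip}/{prefix}")
        leases[subnet] = ipaddress.ip_address(json.loads(value)["PublicIP"])
    return leases


def hostgw_routes(leases, local_public_ip: str, iface: str = "ens33") -> List[str]:
    """Routes one node must hold: every remote pod subnet via that node's public IP.

    The local subnet is skipped because it is reached through docker0/cni bridge,
    not through a gateway.
    """
    me = ipaddress.ip_address(local_public_ip)
    return [f"ip route add {subnet} via {gw} dev {iface}"
            for subnet, gw in sorted(leases.items()) if gw != me]


def hostgw_prerequisite_ok(leases, host_network: str) -> bool:
    """host-gw only works when every gateway is directly reachable on one L2 segment.

    host_network is the host subnet the nodes share (here 192.168.109.0/24).
    A gateway outside it would need a router hop, which host-gw cannot express.
    """
    net = ipaddress.ip_network(host_network)
    return all(gw in net for gw in leases.values())


if __name__ == "__main__":
    leases = parse_leases(SUBNET_ENTRIES)
    print("same L2 segment:", hostgw_prerequisite_ok(leases, "192.168.109.0/24"))
    for cmd in hostgw_routes(leases, "192.168.109.137"):
        print(cmd)
```

Run it on a node and compare the printed commands with `route -n`: in host-gw mode the routes flanneld installs should be exactly these, one per remote node.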
5.1.4. Verify cross-network access
5.1.5. Fix the pod-to-pod source IP passthrough problem
Run on all nodes; this optimizes the NAT network.
# When pod a accesses pod b across hosts, the address pod b sees is the address of pod a's host.
Accessing a pod on 138 from inside a pod on 137, e.g. (root@nginx-ds-m2fgx:/# curl -I 172.109.138.2)
The pod log on 138 prints the host IP (192.168.109.137) instead of the real backend pod IP (172.109.137.2), which makes troubleshooting harder later on.
# The rule that causes the problem
[root@hywang-137 ~]# iptables-save |grep POSTROUTING|grep docker
Solution:
[root@hywang-137 ~]# yum install -y iptables-services
[root@hywang-137 ~]# systemctl start iptables.service
[root@hywang-137 ~]# systemctl enable iptables.service
# Rules that need handling:
[root@hywang-137 ~]# iptables-save |grep POSTROUTING|grep docker
-A POSTROUTING -s 172.109.137.0/24 ! -o docker0 -j MASQUERADE
[root@hywang-137 ~]# iptables-save | grep -i reject
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# How to handle them:
[root@hywang-137 ~]# iptables -t nat -D POSTROUTING -s 172.109.137.0/24 ! -o docker0 -j MASQUERADE
[root@hywang-137 ~]# iptables -t nat -I POSTROUTING -s 172.109.137.0/24 ! -d 172.109.0.0/16 ! -o docker0 -j MASQUERADE
# In this lab the blocking rules are simply deleted; in production, allow only the required IP ranges instead
[root@hywang-137 ~]# iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
[root@hywang-137 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@hywang-137 ~]# iptables-save > /etc/sysconfig/iptables
# Test: cross-host access to a pod now shows the pod's own IP
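The two findings in this step (a MASQUERADE rule that also rewrites pod-to-pod traffic, and blanket REJECT rules in INPUT/FORWARD) are easy to re-introduce when docker or the iptables service is restarted. The following added example (not from the original page) is a small audit that runs over `iptables-save` output and reports both conditions, so the check can be repeated on every node. The ruleset it embeds is constructed to mirror the pre-fix state shown above.

```python
"""Audit iptables-save output for the NAT problems described in 5.1.5.

Added example, not from the original page. parse_rules() turns '-A CHAIN ...'
lines into dicts; find_masquerade_gaps() flags MASQUERADE rules for a pod
subnet that do not exclude the pod network as destination (the cause of the
source-IP rewrite), and find_blanket_rejects() lists chains with an
unconditional REJECT. The sample text below is constructed.
"""
import ipaddress
import shlex
from typing import Dict, List

# Constructed sample: the pre-fix state from the text.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.109.137.0/24 ! -o docker0 -j MASQUERADE
COMMIT
*filter
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

POD_NETWORK = "172.109.0.0/16"   # FLANNEL_NETWORK from subnet.env


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Parse '-A' lines; negated matches ('! -d x') are keyed as '!-d'.

    Each rule dict also carries its table and chain. Table headers (*nat),
    chain policies (:INPUT ...) and COMMIT lines are skipped.
    """
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A"):
            continue
        tokens = shlex.split(line)
        rule = {"table": table, "chain": tokens[1]}
        i = 2
        while i < len(tokens):
            neg = tokens[i] == "!"
            if neg:
                i += 1
            key = ("!" if neg else "") + tokens[i]
            has_arg = i + 1 < len(tokens) and tokens[i + 1] != "!" \
                and not tokens[i + 1].startswith("-")
            rule[key] = tokens[i + 1] if has_arg else ""
            i += 2 if has_arg else 1
        rules.append(rule)
    return rules


def find_masquerade_gaps(rules, pod_network: str) -> List[str]:
    """MASQUERADE rules whose source lies in pod_network but which do not
    carry '! -d <pod_network>', so inter-pod traffic is SNATed to the host IP."""
    net = ipaddress.ip_network(pod_network)
    findings = []
    for r in rules:
        if (r.get("table"), r.get("chain"), r.get("-j")) != ("nat", "POSTROUTING", "MASQUERADE"):
            continue
        src = r.get("-s")
        if not src or not ipaddress.ip_network(src).subnet_of(net):
            continue
        excluded = r.get("!-d")
        if excluded and ipaddress.ip_network(excluded) == net:
            continue
        findings.append(f"MASQUERADE for {src} does not exclude destination {pod_network}")
    return findings


def find_blanket_rejects(rules) -> List[str]:
    """Chains in the filter table holding a REJECT with no match criteria."""
    match_opts = ("-s", "-d", "-i", "-o", "-p", "-m")
    return [r["chain"] for r in rules
            if r.get("table") == "filter" and r.get("-j") == "REJECT"
            and not any(k in r for k in match_opts)]


if __name__ == "__main__":
    # On a node: python3 audit.py < <(iptables-save)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    parsed = parse_rules(text)
    for f in find_masquerade_gaps(parsed, POD_NETWORK):
        print("NAT:", f)
    for chain in find_blanket_rejects(parsed):
        print("FILTER: unconditional REJECT in", chain)
```

After applying the fix from this step, the corrected rule `-A POSTROUTING -s 172.109.137.0/24 ! -d 172.109.0.0/16 ! -o docker0 -j MASQUERADE` produces no NAT finding, which is what the audit should report once `/etc/sysconfig/iptables` has been saved.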
5.2. CoreDNS
CoreDNS provides DNS resolution from service name to cluster IP. It is delivered to the k8s cluster as a container and managed by k8s itself, which reduces the amount of manual operation.
5.2.1. Set up the yaml file repository
Configure a yaml file repository on hywang-137.host.com so that manifests can later be fetched over HTTP.
Configure the nginx virtual host
[root@hywang-137 harbor]# vim /etc/nginx/conf.d/k8s-yaml.od.com.conf
server {
    listen 80;
    server_name k8s-yaml.od.com;
    location / {
        autoindex on;
        default_type text/plain;
        root /data/k8s-yaml;
    }
}
[root@hywang-137 harbor]# mkdir /data/k8s-yaml
[root@hywang-137 harbor]# nginx -t
[root@hywang-137 harbor]# nginx -s reload
Configure DNS resolution (on hywang-137.host.com)
[root@hywang-137 harbor]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
    2020061903 ; serial
    10800 ; refresh (3 hours)
    900 ; retry (15 minutes)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
    NS dns.od.com.
$TTL 60 ; 1 minute
dns A 192.168.109.137
harbor A 192.168.109.137
k8s-yaml A 192.168.109.137
(bump the serial by 1; add a record for the k8s-yaml.od.com name)
[root@hywang-137 harbor]# systemctl restart named
5.2.2. CoreDNS resource manifests
The manifests are stored on hywang-137.host.com under /data/k8s-yaml/coredns/coredns_1.6.1/
[root@hywang-137 ~]# mkdir -p /data/k8s-yaml/coredns/coredns_1.6.1/
[root@hywang-137 ~]# vim /data/k8s-yaml/coredns/coredns_1.6.1/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
[root@hywang-137 ~]# vim /data/k8s-yaml/coredns/coredns_1.6.1/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        log
        health
        ready
        kubernetes cluster.local 192.168.0.0/24
        forward . 192.168.109.137
        cache 30
        loop
        reload
        loadbalance
    }
[root@hywang-137 coredns_1.6.1]# vim /data/k8s-yaml/coredns/coredns_1.6.1/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: coredns
    kubernetes.io/name: "CoreDNS"
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: coredns
  template:
    metadata:
      labels:
        k8s-app: coredns
    spec:
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      containers:
      - name: coredns
        image: coredns/coredns:1.6.1
        args:
        - -conf
        - /etc/coredns/Corefile
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
      dnsPolicy: Default
      volumes:
      - name: config-volume
        configMap:
          name: coredns
          items:
          - key: Corefile
            path: Corefile
[root@hywang-137 coredns_1.6.1]# vim /data/k8s-yaml/coredns/coredns_1.6.1/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: coredns
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: "CoreDNS"
spec:
  selector:
    k8s-app: coredns
  clusterIP: 192.168.0.2
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
  - name: metrics
    port: 9153
    protocol: TCP
5.2.3. Deliver CoreDNS to k8s
[root@hywang-137 ~]# docker pull coredns/coredns:1.6.1
[root@hywang-137 ~]# docker image tag coredns/coredns:1.6.1 harbor.od.com/public/coredns:v1.6.1
[root@hywang-137 ~]# docker image push harbor.od.com/public/coredns:v1.6.1
# Deliver CoreDNS
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/coredns/coredns_1.6.1/rbac.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/coredns/coredns_1.6.1/configmap.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/coredns/coredns_1.6.1/deployment.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/coredns/coredns_1.6.1/service.yaml
(or cd into the directory and run kubectl apply -f ./*)
[root@hywang-137 coredns_1.6.1]# kubectl get all -n kube-system -o wide
5.2.4. Test DNS
# Create a service
[root@hywang-137 ~]# kubectl create deployment nginx-web --image=nginx:latest
[root@hywang-137 ~]# kubectl expose deployment nginx-web --port=80 --target-port=80
[root@hywang-137 ~]# kubectl get svc
Outside the cluster the FQDN (Fully Qualified Domain Name) must be used.
# Internal resolution OK (here hywang-137.host.com and hywang-138.host.com are the k8s cluster machines)
[root@hywang-138 ~]# dig -t A nginx-web.default.svc.cluster.local @192.168.0.2 +short
# External resolution OK
[root@hywang-138 ~]# dig -t A www.baidu.com @192.168.0.2 +short
5.3. Ingress-Controller
A Service groups a set of pods and provides a single entry point, a cluster IP and a service name, hiding pod IP changes. An Ingress is a layer-7 forwarding policy: traffic matching a domain or location is forwarded to a particular Service. An Ingress is only a rule; k8s itself ships no proxy program that carries out that forwarding.
An ingress-controller is the proxy server that actually implements Ingress rules; common ones are nginx, traefik and haproxy. In a k8s cluster traefik is recommended: it outperforms haproxy and configuration updates require no service reload, which makes it the preferred ingress-controller. GitHub address: https://github.com/containous/traefik
5.3.1. Configure the traefik resource manifests
The manifests are stored on hywang-137.host.com under /data/k8s-yaml/traefik/traefik_1.7.2
[root@hywang-137 ~]# mkdir -p /data/k8s-yaml/traefik/traefik_1.7.2
[root@hywang-137 ~]# cd /data/k8s-yaml/traefik/traefik_1.7.2
[root@hywang-137 traefik_1.7.2]# docker pull traefik:v1.7.2-alpine
[root@hywang-137 traefik_1.7.2]# docker image tag traefik:v1.7.2-alpine harbor.od.com/public/traefik:v1.7.2
[root@hywang-137 traefik_1.7.2]# docker push harbor.od.com/public/traefik:v1.7.2
[root@hywang-137 traefik_1.7.2]# vim /data/k8s-yaml/traefik/traefik_1.7.2/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
[root@hywang-137 traefik_1.7.2]# vim /data/k8s-yaml/traefik/traefik_1.7.2/daemonset.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress
        name: traefik-ingress
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v1.7.2-alpine
        name: traefik-ingress
        ports:
        - name: controller
          containerPort: 80
          hostPort: 81
        - name: admin-web
          containerPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --insecureskipverify=true
        - --kubernetes.endpoint=https://192.168.109.130:7443
        - --accesslog
        - --accesslog.filepath=/var/log/traefik_access.log
        - --traefiklog
        - --traefiklog.filepath=/var/log/traefik.log
        - --metrics.prometheus
[root@hywang-137 traefik_1.7.2]# vim /data/k8s-yaml/traefik/traefik_1.7.2/service.yaml
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress
  ports:
  - protocol: TCP
    port: 80
    name: controller
  - protocol: TCP
    port: 8080
    name: admin-web
[root@hywang-137 traefik_1.7.2]# vim /data/k8s-yaml/traefik/traefik_1.7.2/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: traefik.od.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-ingress-service
          servicePort: 8080
5.3.2. Deliver traefik to k8s
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/traefik_1.7.2/rbac.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/traefik_1.7.2/daemonset.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/traefik_1.7.2/service.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/traefik_1.7.2/ingress.yaml
Resolve the conflict above (remove the earlier nginx-ds DaemonSet):
[root@hywang-137 ~]# kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-ds-5bjnl               1/1     Running   2          3d
nginx-ds-m2fgx               1/1     Running   1          3d
nginx-web-7564864859-52x87   1/1     Running   0          4h46m
[root@hywang-137 ~]# kubectl delete -f nginx-ds.yaml
daemonset.extensions "nginx-ds" deleted
[root@hywang-137 ~]# kubectl get pod
NAME                         READY   STATUS    RESTARTS   AGE
nginx-web-7564864859-52x87   1/1     Running   0          5h1m
Check the status:
[root@hywang-137 ~]# kubectl get pods -n kube-system -o wide
Problem 1: the pod stays in the creating state (traefik-ingress-ckvtp 0/1 ContainerCreating 0 <invalid>)
Troubleshooting:
1. [root@hywang-137 ~]# kubectl logs traefik-ingress-ckvtp -n kube-system
2. [root@hywang-137 ~]# kubectl describe pod traefik-ingress-ckvtp -n kube-system
Diagnosis: the error "iptables: No chain/target/match by that name" alone shows that the problem is iptables related.
Cause (a guess):
If the firewall was down when the docker service started, docker did not set up its firewall configuration (the DOCKER chain); when the firewall was restarted afterwards, docker networking could no longer configure the network for new containers because the chain it needs is missing. Restarting docker fixes this.
Fix: systemctl restart docker. Another option is to stop the firewall (not recommended; not done here): systemctl stop firewalld; systemctl stop iptables
Restart docker on all three machines, delete the pod so it is recreated, and keep watching:
[root@hywang-137 ~]# kubectl describe -f pod traefik-ingress-ckvtp -n kube-system
Problem 2: (hywang-137.host.com Error: ErrImagePull). Because my virtual machine resources are limited I shut down the harbor private registry to save resources and changed the image reference in the yaml, so the image was being pulled from the internet and could not be fetched.
Solution: the traefik:v1.7.2-alpine image already exists locally, so only the yaml needs to change (imagePullPolicy: IfNotPresent).
Edit [root@hywang-137 traefik_1.7.2]# vim /data/k8s-yaml/traefik/traefik_1.7.2/daemonset.yaml and add imagePullPolicy: IfNotPresent
Re-apply: [root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/traefik/traefik_1.7.2/daemonset.yaml
Check again; the result is now normal: [root@hywang-137 ~]# kubectl get pods -n kube-system -o wide
[root@hywang-137 ~]# kubectl get ds -n kube-system
5.3.3. Configure the external nginx load balancer
Configure nginx L7 forwarding on hywang-137.host.com and hywang-138.host.com
[root@hywang-137 ~]# vim /etc/nginx/conf.d/od.com.conf
server {
    server_name *.od.com;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
upstream default_backend_traefik {
    # all nodes go into the upstream
    server 192.168.109.137:81 max_fails=3 fail_timeout=10s;
    server 192.168.109.138:81 max_fails=3 fail_timeout=10s;
}
[root@hywang-137 conf.d]# scp /etc/nginx/conf.d/od.com.conf 192.168.109.138:/etc/nginx/conf.d/
[root@hywang-137 conf.d]# nginx -t
[root@hywang-137 conf.d]# nginx -s reload
Configure DNS resolution
[root@hywang-137 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
    2020061903 ; serial
    10800 ; refresh (3 hours)
    900 ; retry (15 minutes)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
    NS dns.od.com.
$TTL 60 ; 1 minute
dns A 192.168.109.137
harbor A 192.168.109.137
k8s-yaml A 192.168.109.137
traefik A 192.168.109.137
(bump the serial by 1; add the record traefik A 192.168.109.137)
[root@hywang-137 ~]# systemctl restart named
Open the traefik web page (http://traefik.od.com/)
5.4. dashboard
5.4.1. Configure the resource manifests
The manifests are stored on hywang-137.host.com under /data/k8s-yaml/dashboard/dashboard_1.10.1
Prepare the image
# Image preparation
# For reasons that cannot be described here k8s.gcr.io is unreachable, so registry.aliyuncs.com/google_containers is used instead
[root@hywang-137 ~]# docker image pull registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
[root@hywang-137 ~]# docker image tag f9aed6605b81 harbor.od.com/public/kubernetes-dashboard-amd64:v1.10.1
[root@hywang-137 ~]# docker image push harbor.od.com/public/kubernetes-dashboard-amd64:v1.10.1
[root@hywang-137 ~]# mkdir -p /data/k8s-yaml/dashboard/dashboard_1.10.1 && cd /data/k8s-yaml/dashboard/dashboard_1.10.1
[root@hywang-137 dashboard_1.10.1]# vim /data/k8s-yaml/dashboard/dashboard_1.10.1/rbac.yaml
# This is the dashboard's default permission set
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system
(after opening the file in vim, run :set paste to avoid auto-indentation)
[root@hywang-137 dashboard_1.10.1]# vim /data/k8s-yaml/dashboard/dashboard_1.10.1/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      priorityClassName: system-cluster-critical
      containers:
      - name: kubernetes-dashboard
        image: registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 100m
            memory: 300Mi
          requests:
            cpu: 50m
            memory: 100Mi
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          # PLATFORM-SPECIFIC ARGS HERE
          - --auto-generate-certificates
        volumeMounts:
        - name: tmp-volume
          mountPath: /tmp
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard-admin
      tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
(after opening the file in vim, run :set paste to avoid auto-indentation; imagePullPolicy: IfNotPresent is added so the local image is used)
[root@hywang-137 dashboard_1.10.1]# vim /data/k8s-yaml/dashboard/dashboard_1.10.1/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    k8s-app: kubernetes-dashboard
  ports:
  - port: 443
    targetPort: 8443
[root@hywang-137 dashboard_1.10.1]# vim /data/k8s-yaml/dashboard/dashboard_1.10.1/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: dashboard.od.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
5.4.2. Deliver the dashboard to k8s
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/dashboard_1.10.1/rbac.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/dashboard_1.10.1/deployment.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/dashboard_1.10.1/service.yaml
[root@hywang-137 ~]# kubectl apply -f http://k8s-yaml.od.com/dashboard/dashboard_1.10.1/ingress.yaml
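Three RBAC decisions on this page are worth checking together: the certificate CN/O become the Kubernetes user and groups (4.2.1, "the CN is the role"), the k8s-node user is bound to system:node (4.1.3), and the dashboard ServiceAccount above is bound to cluster-admin, which is also the token used for the dashboard login in 5.4.6. The following added example (not part of the original page) derives the identity from a cfssl CSR and audits a list of ClusterRoleBinding objects shaped like `kubectl get clusterrolebinding -o json` items. The binding list is constructed from the manifests on this page; the built-in bootstrap bindings a real cluster carries (for example system:node-proxier for the user system:kube-proxy) are deliberately not included.

```python
"""Map cfssl CSRs to Kubernetes identities and audit ClusterRoleBindings.

Added example, not from the original page. KUBE_PROXY_CSR is the CSR from
4.2.1; BINDINGS is constructed from the k8s-node, coredns and dashboard
bindings defined on this page, in the shape kubectl returns with -o json.
"""
import json
from typing import Dict, List, Tuple

KUBE_PROXY_CSR = json.dumps({
    "CN": "system:kube-proxy",
    "key": {"algo": "rsa", "size": 2048},
    "names": [{"C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops"}],
})

# Constructed sample bindings mirroring this page's manifests.
BINDINGS: List[Dict] = [
    {"metadata": {"name": "k8s-node"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node"},
     "subjects": [{"kind": "User", "name": "k8s-node"}]},
    {"metadata": {"name": "system:coredns"},
     "roleRef": {"kind": "ClusterRole", "name": "system:coredns"},
     "subjects": [{"kind": "ServiceAccount", "name": "coredns", "namespace": "kube-system"}]},
    {"metadata": {"name": "kubernetes-dashboard-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard-admin",
                   "namespace": "kube-system"}]},
]

# Roles and groups that deserve a second look whenever they appear in a binding.
BROAD_ROLES = {"cluster-admin"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def identity_from_csr(csr_json: str) -> Tuple[str, List[str]]:
    """The apiserver takes user = CN and groups = every O in the cert subject;
    cfssl copies CN and the O values from the CSR into the certificate."""
    csr = json.loads(csr_json)
    return csr["CN"], [n["O"] for n in csr.get("names", []) if "O" in n]


def effective_cluster_roles(bindings: List[Dict], user: str, groups: List[str]) -> List[str]:
    """ClusterRoles a certificate identity receives via ClusterRoleBindings."""
    roles = set()
    for b in bindings:
        for s in b.get("subjects", []):
            if (s["kind"] == "User" and s["name"] == user) or \
               (s["kind"] == "Group" and s["name"] in groups):
                roles.add(b["roleRef"]["name"])
    return sorted(roles)


def audit_bindings(bindings: List[Dict]) -> List[str]:
    """Flag bindings that hand a broad role to any subject, or any role to an
    all-users group. Each finding names the binding, the subject and the role."""
    findings = []
    for b in bindings:
        role = b["roleRef"]["name"]
        for s in b.get("subjects", []):
            ns = s.get("namespace")
            subj = f'{s["kind"]}:{ns + "/" if ns else ""}{s["name"]}'
            if role in BROAD_ROLES or (s["kind"] == "Group" and s["name"] in BROAD_GROUPS):
                findings.append(f'{b["metadata"]["name"]}: {subj} gets {role}')
    return findings


if __name__ == "__main__":
    user, groups = identity_from_csr(KUBE_PROXY_CSR)
    print("kube-proxy cert identity:", user, groups)
    print("k8s-node roles:", effective_cluster_roles(BINDINGS, "k8s-node", ["od"]))
    for f in audit_bindings(BINDINGS):
        print("FINDING:", f)
```

On a live cluster, feed the `items` array of `kubectl get clusterrolebinding -o json` into audit_bindings; the dashboard binding above is reported because the token printed in 5.4.6 therefore carries cluster-admin rights, which is the reason that secret needs to be handled like an administrator credential.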
5.4.3. Configure DNS resolution
[root@hywang-137 ~]# vim /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
    2020061905 ; serial
    10800 ; refresh (3 hours)
    900 ; retry (15 minutes)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
    NS dns.od.com.
$TTL 60 ; 1 minute
dns A 192.168.109.137
harbor A 192.168.109.137
k8s-yaml A 192.168.109.137
traefik A 192.168.109.137
dashboard A 192.168.109.137
(bump the serial by 1; add the record dashboard A 192.168.109.137)
[root@hywang-137 ~]# systemctl restart named.service
5.4.4. Issue the SSL certificate (a different method is tried here: openssl)
[root@hywang-137 ~]# cd /opt/certs/
[root@hywang-137 certs]# (umask 077; openssl genrsa -out dashboard.od.com.key 2048)
[root@hywang-137 certs]# openssl req -new -key dashboard.od.com.key -out dashboard.od.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=OldboyEdu/OU=ops"
[root@hywang-137 certs]# openssl x509 -req -in dashboard.od.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.od.com.crt -days 3650
[root@hywang-137 certs]# ll dashboard.od.com.*
5.4.5. Configure nginx
Both hywang-137.host.com and hywang-138.host.com need this.
[root@hywang-137 ~]# vim /etc/nginx/conf.d/dashborad.conf
server {
    listen 80;
    server_name dashboard.od.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
server {
    listen 443 ssl;
    server_name dashboard.od.com;
    ssl_certificate "certs/dashboard.od.com.crt";
    ssl_certificate_key "certs/dashboard.od.com.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://default_backend_traefik;
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
}
[root@hywang-137 ~]# scp /etc/nginx/conf.d/dashborad.conf 192.168.109.138:/etc/nginx/conf.d/
Upload the certificate:
[root@hywang-137 ~]# mkdir -p /etc/nginx/certs/
[root@hywang-137 certs]# scp /opt/certs/dashboard.od.com.crt 192.168.109.137:/etc/nginx/certs/
[root@hywang-137 certs]# scp /opt/certs/dashboard.od.com.crt 192.168.109.138:/etc/nginx/certs/
[root@hywang-137 certs]# scp /opt/certs/dashboard.od.com.key 192.168.109.137:/etc/nginx/certs/
[root@hywang-137 certs]# scp /opt/certs/dashboard.od.com.key 192.168.109.138:/etc/nginx/certs/
[root@hywang-137 certs]# nginx -t
[root@hywang-137 certs]# nginx -s reload
Test the page: (https://dashboard.od.com)
5.4.6. Test token login
[root@hywang-137 ~]# kubectl get secret -n kube-system
[root@hywang-137 ~]# kubectl describe secret kubernetes-dashboard-admin-token-bkrq8 -n kube-system