k8s 离线安装(一) 前期规划,docker ,etcd安装

1,下载k8s离线包

需要的可以私我。离线包里的二进制(docker、cfssl、etcd)安装后都会以 root 权限运行,上传到服务器之前建议先与官方发布的 sha256 校验值比对。

2,环境架构

ip 节点 部署程序
192.168.145.180 k8s-master docker etcd master
192.168.145.181 k8s-work1 docker etcd slave1
192.168.145.182 k8s-work2 docker etcd slave2

3,docker 安装

3.1 上传docker-20.10.0.taz包到各个服务器。

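# Unpack the static Docker bundle under /usr/local/docker.
# -p keeps the step repeatable when the directory already exists.
mkdir -p /usr/local/docker
mv docker-20.10.0.taz /usr/local/docker
# The archive was just moved, so tar has to run from its new location.
cd /usr/local/docker
tar zxvf docker-20.10.0.taz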

3.2,将解压后的文件移动到/usr/bin下

cd /usr/local/docker/   
cp docker/* /usr/bin/  

3.3 检查安装

docker version  
启动docker(仅用于临时验证;执行 3.5 之前要先停掉这个手动启动的 dockerd,否则 systemctl start docker 会因为已有 dockerd 在运行而启动失败)
dockerd & 

3.4 注册系统服务

cat /etc/systemd/system/docker.service  

# systemd unit that runs the dockerd binary copied to /usr/bin in step 3.2.
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
# Ordered after the network is online and after firewalld.
After=network-online.target firewalld.service
Wants=network-online.target
 
[Service]
# dockerd reports readiness to systemd itself.
Type=notify
# No -H/--host argument is passed, so dockerd keeps its default local listener.
# NOTE(review): if a tcp:// listener is ever added here, pair it with --tlsverify.
ExecStart=/usr/bin/dockerd
# Reload is a SIGHUP to the main dockerd process.
ExecReload=/bin/kill -s HUP $MAINPID
# No cap on open files or processes for the daemon.
LimitNOFILE=infinity
LimitNPROC=infinity
# 0 disables the start timeout.
TimeoutStartSec=0
# Hands the unit's cgroup subtree over to dockerd.
Delegate=yes
# Only the dockerd process itself is killed on stop, not the rest of the cgroup.
KillMode=process
Restart=on-failure
# At most 3 start attempts per 60 s before systemd gives up.
StartLimitBurst=3
StartLimitInterval=60s
 
[Install]
WantedBy=multi-user.target

3.5 启动docker服务进程

systemctl daemon-reload  
systemctl start docker  

3.6 设置开机自启

systemctl enable docker  

3.7 检查docker 是否正常启动

docker ps

4,ETCD集群数据库安装

4.1 在master节点生成pem证书

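# Working directories: cfssl tools, the certificate workspace, and the
# Kubernetes bin/cfg/ssl tree.
mkdir -p /data/soft/cfssl
mkdir -p /data/soft/ssl
mkdir -p /data/kubernetes/{bin,cfg,ssl}
cd /data/soft/cfssl
# Copy the three cfssl tool binaries (they are tools, not certificates) into
# /data/soft/cfssl before continuing. The file names below are the ones this
# page uses in step 5.2; the original placeholders ("chmod +x .. ... ...")
# would have changed the mode of the parent directory instead.
# NOTE(review): these binaries mint the cluster CA and come from an offline
# bundle; compare their sha256 with the upstream release before installing.
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
# Install them under their short names on the system PATH.
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
# Enter the ssl directory and write cfssl's default templates; each file is
# then edited by hand to the contents shown below.
cd /data/soft/ssl
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json
cfssl print-defaults csr > server-csr.json
cfssl print-defaults csr > admin-csr.json
cfssl print-defaults csr > kube-proxy-csr.json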
#编辑config.json内容如下(kubernetes 这个 profile 签出的证书有效期是 8760h,即一年,到期前要重新签发并替换,否则 etcd 的 TLS 连接会失败)
{
   "signing": {
      "default": {
         "expiry": "87600h"
      },
      "profiles": {
         "kubernetes": {
           "expiry": "8760h",
           "usages": [
             "signing",
             "key encipherment",
             "server auth",
             "client auth"
           ]
         }
      }
   } 
}
#编辑csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names":[
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
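#编辑server-csr.json(这张 server 证书同时被 etcd 使用,hosts 里还需要加入三台 etcd 节点的 IP:192.168.145.180、192.168.145.181、192.168.145.182,否则通过 https://IP:2379 或 2380 连接时,证书校验会因 SAN 不含该 IP 而失败)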
{
  "CN": "kubernetes",
  "hosts": [
     "127.0.0.1",
     "kubernetes.default",
     "kubernetes.default.svc",
     "kubernetes.default.svc.cluster",
     "kubernetes.default.svc.cluster.local"
  ],
  "key": {
     "algo": "rsa",
     "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "system"
    }
  ]
}
#编辑admin-csr.json,内容如下
{
  "CN": "admin",
  "hosts": [],
  "key": {
     "algo": "rsa",
     "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "system"
    }
   ]
}
#编辑kube-proxy-csr.json,内容如下
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
     "algo": "rsa",
     "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "system"
    }
   ]
}
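# Issue the certificates: a self-signed CA first, then the server, admin and
# kube-proxy certificates signed by that CA with the "kubernetes" profile.
cfssl gencert -initca csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=kubernetes server-csr.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
# -ca-key is spelled with one dash here to match the two commands above.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Keep the PEM files and delete everything else in this directory. find
# replaces the original `ls | grep -v pem | xargs -i rm {}`, which parsed ls
# output and used the deprecated xargs -i.
find . -maxdepth 1 -type f ! -name '*.pem' -delete
# ca-key.pem can sign new certificates for this cluster and the other *-key.pem
# files are private keys too: keep them readable by their owner only.
chmod 600 ./*-key.pem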

4.2 安装etcd

# Upload the etcd release archive to /opt/soft on the server.
# NOTE(review): the archive comes from the offline bundle; compare its sha256
# with the value published for that etcd release before unpacking it.
cd /opt/soft
tar -zxvf etcd-......tar.gz 
# Move the etcd and etcdctl binaries into the Kubernetes bin directory.
# (The dots are presumably the author's elision of the version/platform part
# of the directory name.)
mv /opt/soft/etcd...../etcd /data/kubernetes/bin/
mv /opt/soft/etcd....../etcdctl /data/kubernetes/bin/

#创建etcd配置文件如下:
vi /data/kubernetes/cfg/etcd
#修改内容如下

# Environment file loaded by etcd.service through EnvironmentFile=.
# The values below are the master's (192.168.145.180).
#[Member]
# Member name; it has to match one of the names listed in ETCD_INITIAL_CLUSTER.
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Peer traffic on 2380 and client traffic on 2379, both over https on this
# node's own address.
ETCD_LISTEN_PEER_URLS="https://192.168.145.180:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.145.180:2379"
#[clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.145.180:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.145.180:2379" 
# All three members with their peer URLs.
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.145.180:2380,etcd02=https://192.168.145.181:2380,etcd03=https://192.168.145.182:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

4.3 创建etcd系统服务

#创建命令如下:
vi /usr/lib/systemd/system/etcd.service
#内容如下: 
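# etcd member unit. Per-node values come from /data/kubernetes/cfg/etcd.
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/data/kubernetes/cfg/etcd
# --initial-cluster-token reads ETCD_INITIAL_CLUSTER_TOKEN; it previously
# expanded ETCD_INITIAL_CLUSTER (the member list) by mistake.
# --initial-cluster-state reads ETCD_INITIAL_CLUSTER_STATE from the same file
# instead of repeating the literal value.
# --client-cert-auth and --peer-client-cert-auth make the https listeners
# require a certificate signed by ca.pem. Without them TLS only encrypts the
# connection and the server does not check who the caller is.
# http://127.0.0.1:2379 is a plaintext loopback listener outside both TLS and
# client-certificate checks: any local process can read and write the keyspace.
# NOTE(review): drop it once local tools are pointed at the https endpoint.
ExecStart=/data/kubernetes/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--client-cert-auth \
--peer-client-cert-auth \
--cert-file=/data/kubernetes/ssl/server.pem \
--key-file=/data/kubernetes/ssl/server-key.pem \
--peer-cert-file=/data/kubernetes/ssl/server.pem \
--peer-key-file=/data/kubernetes/ssl/server-key.pem \
--trusted-ca-file=/data/kubernetes/ssl/ca.pem \
--peer-trusted-ca-file=/data/kubernetes/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target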

4.4 拷贝pem证书

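# Copy the PEM files etcd reads into /data/kubernetes/ssl.
# NOTE(review): the ca*pem glob also matches ca-key.pem, the CA private key.
# The etcd unit on this page only references ca.pem, server.pem and
# server-key.pem; keep ca-key.pem here only if a later step needs it.
cp /data/soft/ssl/server*pem /data/soft/ssl/ca*pem /data/kubernetes/ssl/
# Private keys should be readable by their owner only.
chmod 600 /data/kubernetes/ssl/*-key.pem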

5,etcd slave节点安装

5.1 安装前准备

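# Create the same directory layout as on the master. mkdir -p on absolute
# paths replaces the original `cd /data; mkdir soft`, which failed when /data
# was missing or when soft already existed.
mkdir -p /data/soft/cfssl /data/soft/ssl
mkdir -p /data/kubernetes/{bin,cfg,ssl}
cd /data/soft/cfssl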

5.2 将主机的cfssl文件拷贝过来

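cp /usr/local/k8s/ssl/cfssl* ./
# Make the tools executable.
chmod +x ./*
# Install them under their short names on the system PATH.
mv ./cfssl_linux-amd64 /usr/local/bin/cfssl
mv ./cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv ./cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
# Run this on the master (the page calls it "host 73"): send the slave only
# the three files its etcd unit reads. The original `scp -r ./*` shipped the
# whole working directory, which in the certificate directory also contains
# ca-key.pem and admin-key.pem.
# NOTE(review): 10.96.28.75 is the address this step gives; section 2 plans
# the slaves as 192.168.145.181 and 192.168.145.182, so use the real address.
scp /data/soft/ssl/ca.pem /data/soft/ssl/server.pem /data/soft/ssl/server-key.pem root@10.96.28.75:/data/kubernetes/ssl/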

5.3 slave节点安装etcd

跟master安装一致,注意vi /data/kubernetes/cfg/etcd时要修改 ETCD_NAME(etcd02、etcd03)和各个 URL 里的本机 ip;ETCD_INITIAL_CLUSTER 三台保持一致。

6,启动和测试

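# Start etcd on every node.
systemctl start etcd
# Health check; run it from the directory that holds etcdctl.
# --ca-file now uses the absolute path /data/kubernetes/ssl/ca.pem; the
# original was missing the leading slash and only resolved from /.
# NOTE(review): --ca-file/--cert-file/--key-file and cluster-health belong to
# the etcdctl v2 API; confirm which API version the bundled etcdctl defaults to.
./etcdctl --ca-file=/data/kubernetes/ssl/ca.pem --cert-file=/data/kubernetes/ssl/server.pem --key-file=/data/kubernetes/ssl/server-key.pem cluster-health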
#查看如下,则etcd集群ok了
member a27fc182cdf9212e is healthy: got healthy result from https://10.96.28.73:2379
member d6289d5fd6e9bfce is healthy: got healthy result from https://10.96.28.77:2379
member e2fd93456b65c44c is healthy: got healthy result from https://10.96.28.75:2379
cluster is healthy