Kubernetes (k8s) cluster deployment (part 2), complete edition
Step 2: Etcd
Before installing Kubernetes, a few supporting systems have to be set up first. Etcd is the most important of them: Kubernetes stores most of its state in Etcd and serves it from there to the other nodes, so the operation and communication of the whole cluster depend on it. In this part we generate the client and server certificates for the components, and a client certificate for the Kubernetes admin user. Create the /etc/etcd/ssl directory, enter it, and carry out the following steps.
1. On master01, install the CFSSL tool, which is used to create the TLS certificates
$ export CFSSL_URL="https://pkg.cfssl.org/R1.2"
$ wget "${CFSSL_URL}/cfssl_linux-amd64" -O /usr/local/bin/cfssl
$ wget "${CFSSL_URL}/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
$ wget "${CFSSL_URL}/cfssl-certinfo_linux-amd64" -O /usr/local/bin/cfssl-certinfo
$ chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
$ scp -r /usr/local/bin/ 192.168.184.29:/usr/local/
$ scp -r /usr/local/bin/ 192.168.184.30:/usr/local/
2. Create the CA certificate and key
- Create the ssl directory and a temporary working directory, then enter the temporary one
$ mkdir -p /etc/etcd/ssl /etc/etcd/ssl_tmp && cd /etc/etcd/ssl_tmp
- Write the JSON configuration used to generate the CA (the two print-defaults files are reference templates only; the ca-config.json written next is what is actually used)
$ cfssl print-defaults config > config.json && cfssl print-defaults csr > csr.json
$ cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
EOF
- Write the JSON configuration for the CA certificate signing request (CSR)
$ cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- Generate the CA certificate and key
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
- Inspect the certificate
$ openssl x509 -noout -text -in ca.pem
- Distribute the certificates (create /etc/etcd/ssl on the other two nodes first). Note that only ca.pem is needed on a node to verify peers and clients; ca-key.pem is needed only where new certificates are signed, so copying it to every node widens the damage a compromised node can do
$ cp ca.csr ca.pem ca-key.pem ca-config.json ../ssl
$ ssh 192.168.184.29 mkdir -p /etc/etcd/ssl
$ ssh 192.168.184.30 mkdir -p /etc/etcd/ssl
$ scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.184.29:/etc/etcd/ssl/
$ scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.184.30:/etc/etcd/ssl/
3. Install and configure Etcd
- First download Etcd on the master01 node:
$ export ETCD_URL="https://github.com/coreos/etcd/releases/download"
$ cd && wget "${ETCD_URL}/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz"
$ tar -zxf etcd-v3.2.9-linux-amd64.tar.gz
$ mv etcd-v3.2.9-linux-amd64/etcd* /usr/local/bin/ && rm -rf etcd-v3.2.9-linux-amd64
$ scp /usr/local/bin/etcd* 192.168.184.29:/usr/local/bin/
$ scp /usr/local/bin/etcd* 192.168.184.30:/usr/local/bin/
- Create the etcd certificate signing request (the hosts list must contain every IP the etcd members listen on, plus 127.0.0.1 for local etcdctl access)
$ cd /etc/etcd/ssl_tmp
$ cat > etcd-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.184.28",
"192.168.184.29",
"192.168.184.30"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
- Generate the etcd certificate. The kubernetes profile in ca-config.json carries both server auth and client auth, so the same etcd.pem is used below for the client-facing listener, for peer connections and for etcdctl:
$ cfssl gencert -ca=/etc/etcd/ssl/ca.pem -ca-key=/etc/etcd/ssl/ca-key.pem -config=/etc/etcd/ssl/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
- Distribute
$ cp etcd*.pem ../ssl
$ scp etcd*.pem 192.168.184.29:/etc/etcd/ssl/
$ scp etcd*.pem 192.168.184.30:/etc/etcd/ssl/
- Etcd configuration file. The ETCD_ prefix is mandatory: etcd ignores unprefixed variables such as CLIENT_CERT_AUTH, in which case clients and peers are never asked for a certificate, so the security section below uses ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH together with the current ETCD_TRUSTED_CA_FILE / ETCD_PEER_TRUSTED_CA_FILE names (ETCD_CA_FILE is deprecated):
$ mkdir -p /etc/etcd/cfg
$ cat > /etc/etcd/cfg/etcd.conf <<EOF
#[member]
ETCD_NAME="master01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.184.28:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.184.28:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.184.28:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="master01=https://192.168.184.28:2380,work01=https://192.168.184.29:2380,work02=https://192.168.184.30:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.184.28:2379"
#[security]
# every key needs the ETCD_ prefix; unprefixed keys are silently ignored
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
EOF
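As an added check that is not part of the original post, the following Python script parses a file in the etcd.conf format above and reports the settings that silently weaken TLS: auth keys missing the ETCD_ prefix (which etcd ignores), a missing trusted CA or certificate path, non-https listener or advertise URLs, and an ETCD_NAME that is not listed in ETCD_INITIAL_CLUSTER. The embedded sample is a constructed excerpt that deliberately carries the unprefixed keys.

```python
from urllib.parse import urlsplit

# Constructed excerpt in the key="value" format of /etc/etcd/cfg/etcd.conf; it carries the
# unprefixed CLIENT_CERT_AUTH / PEER_CLIENT_CERT_AUTH keys on purpose so the checker has findings.
SAMPLE_CONF = '''\
ETCD_NAME="master01"
ETCD_LISTEN_PEER_URLS="https://192.168.184.28:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.184.28:2379,https://127.0.0.1:2379"
ETCD_INITIAL_CLUSTER="master01=https://192.168.184.28:2380,work01=https://192.168.184.29:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.184.28:2379"
#[security]
CLIENT_CERT_AUTH="true"
ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"
PEER_CLIENT_CERT_AUTH="true"
'''

def parse_conf(text):
    # key="value" lines; comment and blank lines are skipped, as systemd's EnvironmentFile does
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf

URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_ADVERTISE_CLIENT_URLS", "ETCD_INITIAL_ADVERTISE_PEER_URLS")

def check_conf(text):
    conf = parse_conf(text)
    findings = []
    # etcd reads only ETCD_-prefixed variables; an unprefixed key is ignored and no cert is required
    for bad in ("CLIENT_CERT_AUTH", "PEER_CLIENT_CERT_AUTH"):
        if bad in conf:
            findings.append(f"{bad} is ignored by etcd; use ETCD_{bad}")
    for key in ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH"):
        if conf.get(key) != "true":
            findings.append(f"{key} is not true: clients/peers are not required to present a certificate")
    for key in ("ETCD_TRUSTED_CA_FILE", "ETCD_CERT_FILE", "ETCD_KEY_FILE"):
        if not conf.get(key):
            findings.append(f"{key} is missing")
    for key in URL_KEYS:
        for url in filter(None, conf.get(key, "").split(",")):
            if urlsplit(url).scheme != "https":
                findings.append(f"{key}: {url} is not https")
    # every node must list its own ETCD_NAME in ETCD_INITIAL_CLUSTER, or it cannot join the cluster
    members = dict(m.split("=", 1) for m in conf.get("ETCD_INITIAL_CLUSTER", "").split(",") if "=" in m)
    if conf.get("ETCD_NAME") not in members:
        findings.append(f"ETCD_NAME {conf.get('ETCD_NAME')!r} is not listed in ETCD_INITIAL_CLUSTER")
    return findings
```

Run check_conf on the contents of each node's etcd.conf before starting the service; an empty list means the TLS-related settings are consistent.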
- Systemd unit. The heredoc delimiter is quoted so that $(nproc) is written literally and evaluated on each node at start rather than expanded once on master01, and the unit keeps a single Type= line (notify, which etcd supports):
$ cat > /lib/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/etc/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /usr/local/bin/etcd"
[Install]
WantedBy=multi-user.target
EOF
- Create the data directory (and the config directory) on every node, distribute the configuration and the unit, then start the Etcd service:
$ mkdir -p /var/lib/etcd
$ ssh 192.168.184.29 mkdir -p /var/lib/etcd /etc/etcd/cfg
$ ssh 192.168.184.30 mkdir -p /var/lib/etcd /etc/etcd/cfg
$ scp /etc/etcd/cfg/* 192.168.184.29:/etc/etcd/cfg/
$ scp /etc/etcd/cfg/* 192.168.184.30:/etc/etcd/cfg/
$ scp /lib/systemd/system/etcd.service 192.168.184.29:/lib/systemd/system/etcd.service
$ scp /lib/systemd/system/etcd.service 192.168.184.30:/lib/systemd/system/etcd.service
- On 192.168.184.29 and 192.168.184.30, edit /etc/etcd/cfg/etcd.conf: set ETCD_NAME to work01 and work02 respectively, and replace 192.168.184.28 in ETCD_LISTEN_PEER_URLS, ETCD_LISTEN_CLIENT_URLS, ETCD_INITIAL_ADVERTISE_PEER_URLS and ETCD_ADVERTISE_CLIENT_URLS with the node's own IP; ETCD_INITIAL_CLUSTER stays identical on all three nodes
- Start (on all three nodes; a new cluster needs a quorum of members before it becomes ready, so start them together)
$ systemctl daemon-reload && systemctl enable etcd.service && systemctl start etcd.service
- Check cluster membership and health. The etcdctl v2 API flags are shown; the client certificate is required because client certificate authentication is enabled
$ etcdctl --endpoints=https://192.168.184.28:2379 --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem member list
$ etcdctl --endpoints=https://192.168.184.28:2379 --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem cluster-health
This work is released under the CC license; reproduction must credit the author and link to this article.