手工部署Kubernete 1.14.2 小记

简介

最近在倒腾k8s, 这里记录下k8s的部署记录，以方便后续操作使用

证书准备

etcd	/etc/etd/ssl/ca.pem    /etc/etd/ssl/server.pem   /etc/etd/ssl/server-key.pem
kube-apiserver	/etc/kubernetes/ssl/ca.pem   /etc/kubernetes/ssl/server.pem   /etc/kubernetes/ssl/server-key.pem
kube-proxy	/etc/kubernetes/ssl/ca.pem  /etc/kubernetes/ssl/kube-proxy.pem  /etc/kubernetes/ssl/kube-proxy-key.pem
kubelet	/etc/kubernetes/ssl/ca.pem  /etc/kubernetes/ssl/ca-key.pem
kubectl	/etc/kubernetes/ssl/ca.pem  /etc/kubernetes/ssl/admin.pem  /etc/kubernetes/ssl/admin-key.pem

证书准备过程如下：

1. etcd证书准备

2. kubelet证书准备

   /etc/kubernete/ca-config.json 

{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "876000h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }

/etc/kubernete/ca-config.json 

{
    "CN": "kubernetes",
    "key": {
           "algo": "rsa",
           "size": 2048
     },
     "names": [
         {
             "C": "CN",
             "L": "HeFei",
             "ST": "HeFei",
             "O": "k8s",
             "OU": "System"
         }
       ]
}

执行  cfssl gencert -initca ca-csr.json | cfssljson -bare ca -  生成根证书   ca.csr、ca.pem、ca-key.pem

3. kube-proxy证书准备

编辑 /etc/kubernetes/ssl/kube-proxy-csr.json

{
    "CN": "system:kube-proxy",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HeFei",
            "ST": "HeFei",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  kube-proxy-csr.json  | cfssljson -bare kube-proxy

生成证书kube-proxy.csr、kube-proxy.pem、kube-proxy-key.pem

4. kube-apiserver证书准备

 生成server证书, 编辑/etc/kubernete/server-config.json 

{
     "CN": "kubernetes",
     "hosts": [
     "127.0.0.1",
     "192.168.0.1",
     "192.168.0.2",
     "192.168.0.3",
     "kubernetes",
     "k8s-node01",
     "k8s-master01",
     "k8s-node02",
     "kubernetes.default",
     "kubernetes.default.svc",
     "kubernetes.default.svc.cluster",
     "kubernetes.default.svc.cluster.local"
     ],
     "key": {
         "algo": "rsa",
         "size": 2048
     },
     "names": [
         {
             "C": "CN",
             "L": "HeFei",
             "ST": "HeFei",
             "O": "k8s",
             "OU": "System"
         }
      ]
     }

执行命令 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  server-csr.json | cfssljson -bare server 生成证书 server.csr server-key.pem server.pem

5. kubectl admin证书准备

 /etc/kubernetes/ssl/admin-csr.json

{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HeFei",
            "ST": "HeFei",
            "O": "System:masters",
            "OU": "System"
        }
    ]
}

执行命令cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes  admin-csr.json  | cfssljson -bare admin

生成证书 admin.csr、admin-key.pem、admin.pem

6. 同步证书到各服务器

cd /etc/kubernetes/ssl/

scp * root@192.168.0.2:/etc/kubernetes/ssl/

scp * root@192.168.0.3:/etc/kubernetes/ssl/

部署k8s master

生成token.csv文件

head -c 16 /dev/urandom |od  -An -t x |tr -d ' ' > /etc/kubenerets/token.csv

编辑token.csv

7624eec3dd645fd059d53ddcbd794eba,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

执行kubectl config配置

[root@master01 kubernetes]BOOTSTRAP_TOKEN=7624eec3dd645fd059d53ddcbd794eba 

[root@master01 kubernetes]KUBE_APISERVER="https://192.168.0.1:6443"

设置集群参数

[root@master01 kubernetes]#  kubectl config set-cluster kubernetes \
>    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
>    --embed-certs=true \
>    --server=${KUBE_APISERVER} \
>    --kubeconfig=kube-proxy.kubeconfig

设置客户端认证参数

[root@master01 kubernetes]#  kubectl config set-credentials kubelet-bootstrap \
>    --token=${BOOTSTRAP_TOKEN} \
>    --kubeconfig=bootstrap.kubeconfig

设置上下文参数

[root@master01 kubernetes]#  kubectl config set-context default \
>    --cluster=kubernetes \
>    --user=kubelet-bootstrap \
>    --kubeconfig=bootstrap.kubeconfig

设置默认上下文

[root@master01 kubernetes]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

创建kube-proxy.kubeconfig文件

[root@swift01 kubernetes]#  kubectl config set-cluster kubernetes \
>    --certificate-authority=/etc/kubernetes/ssl/ca.pem \
>    --embed-certs=true \
>    --server=${KUBE_APISERVER} \
>    --kubeconfig=kube-proxy.kubeconfig   
Cluster "kubernetes" set.
[root@swift01 kubernetes]# 
[root@swift01 kubernetes]# 
[root@swift01 kubernetes]#  kubectl config set-cluster kubernetes \
>    --certificate-authority=/etc/kubernetes/ssl/ca.pem\
>    --embed-certs=true \
>    --server=${KUBE_APISERVER} \
>    --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.
[root@swift01 kubernetes]#    
[root@swift01 kubernetes]# 
[root@swift01 kubernetes]#  kubectl config set-context default \
>    --cluster=kubernetes \
>    --user=kube-proxy \
>    --kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@swift01 kubernetes]# 
[root@swift01 kubernetes]# 
[root@swift01 kubernetes]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

至此配置结束

部署apiserver