一、下载包【地址:https://github.com/kubernetes/kubernetes/releases】(master主机,尽量下载正式版)
①、本地上传压缩包至linux服务器
#windows系统本地上传到linux
scp -r D:\迅雷下载\kubernetes-server-linux-amd64.tar.gz root@172.17.217.232:/usr/local/bin
#wget下载二进制包【需要科学·上网】
wget https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz
#解压
tar -xvf kubernetes-server-linux-amd64.tar.gz
#创建kubernetes相关文件夹
mkdir /opt/kubernetes
#创建二进制、配置文件、ssl文件夹
mkdir /opt/kubernetes/ bin cfg ssl
#将二进制文件复制至/opt/kubernetes/bin
cp kubernetes/server/bin/{kube-controller-manager,kube-apiserver,kubectl,kube-scheduler} /opt/kubernetes/bin/
②、创建api证书配置文件
#创建ca颁发机构配置
vi /opt/kubernetes/ssl/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h" #过期时间20年
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"kubernetes": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
#创建ca颁发机构配置
vi /opt/kubernetes/ssl/ca-config.json
#配置信息
{
"signing": {
"default": {
"expiry": "175200h" #过期时间20年
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"kubernetes": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
#ca颁发机构证书配置
vi /opt/kubernetes/ssl/ca-csr.json
#写入配置
{
"CN": "kubernetes CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "guangdong",
"ST": "shenzhen"
}
]
}
#hosts中将所有可能作为apiserver的ip添加进去, 也要加入
vi /opt/kubernetes/ssl/server-csr.json
#写入配置
{
"CN": "kubernetes",
"hosts": [
"172.17.217.232",
"127.0.0.1",
"172.17.217.226",
"172.17.217.228",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "guangdong",
"ST": "shenzhen"
}
]
}
#创建kube-proxy-csr.josn文件
vi /opt/kubernetes/ssl/kube-proxy-csr.json
#写入配置
{
"CN": "kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "guangdong",
"ST": "shenzhen",
"O": "k8s",
"OU": "System"
}
]
}
颁发证书:
#颁发ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#签发kube-proxy证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
#签发apiserver证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
③、创建配置(kube-apiserver.conf)
vi /opt/kubernetes/cfg/kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=true \#是否开启标转错误日志
--v=4 \ #日志级别
--log-dir=/opt/kubernetes/logs \#日志存放地址
--etcd-servers=https://172.17.217.232:2379,https://172.17.217.226:2379,https://172.17.217.228:2379 \#etcd节点地址
--bind-address=172.17.217.232 \#当前master绑定地址
--secure-port=6443 \#当前监听端口
--advertise-address=172.17.217.228 \#通告其他节点地址
--allow-privileged=true \#是否使用管理员创建容器
--service-cluster-ip-range=10.0.0.0/24 \#service服务网段
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \#使用插件
--authorization-mode=RBAC,Node \#授权模式、角色、节点
--enable-bootstrap-token-auth=true \#基于bootstrap自签颁发证书
--token-auth-file=/opt/kubernetes/cfg/token.csv \#自签证书配置
--service-node-port-range=30000-50000 \#端口范围
--tls-cert-file=/opt/kubernetes/ssl/server.pem \#访问apiserver 证书
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \#访问etcd证书
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \#日志相关配置
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s.log"
④、创建配置(kube-controller-manager.conf)
#创建配置文件
vi /opt/kubernetes/cfg/kube-controller-manager.conf
#写入配置
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \#标准错误日志
--v=4 \#日志等级
--log-dir=/opt/kubernetes/logs \
--master=127.0.0.1:8080 \#api-server 地址
--leader-elect=true \#多个
--address=127.0.0.1 \#监听地址
--allocate-node-cidrs=true \#是否支持网络插件
--cluster-cidr=10.224.0.0/16 \#基于网络插件网段
--service-cluster-ip-range=10.0.0.0/24 \#客户端地址范围
--cluster-name=kubernetes \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"
⑤、创建配置(kube-scheduler.conf)
#创建配置
vi /opt/kubernetes/cfg/kube-scheduler.conf
#写入配置
KUBE_SCHEDULER_OPTS="--logtostderr=true \
--v=4 \
--log-dir=/opt/kubernetes/logs \
--master=127.0.0.1:8080 \#master 地址
--leader-elect \#自动选举
--address=127.0.0.1"#当前监听地址
⑥、创建启动服务(kube-apiserver.service)
#创建启动服务文件
vi /usr/lib/systemd/system/kube-apiserver.service
#写入配置
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver.conf #指定配置文件
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
⑦、创建启动服务(kube-controller-manager.service)
#创建启动服务文件
vi /usr/lib/systemd/system/kube-controller-manager.service
#写入配置
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
⑧、创建启动配置(kube-scheduler.service)
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
⑨、创建token.csv【自签证书】
#创建token.csv文件
touch /opt/kubernetes/cfg/token.csv
#token【随机生成】 #用户名 #用户Id #用户所在命名空间
b2h326jj2sns6bryahz4i1m6cklesj9o,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
⑩、启动服务查看服务
#启动、开机自启动apiserver
systemctl start kube-apiserver
systemctl enable kube-apiserver
#启动、开机自启动controller-manager
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
#启动开机自启scheduler
systemctl start kube-scheduler
systemctl enable kube-scheduler
#查看运行服务
ps aux |grep kube
#查看服务运行状态
/opt/kubernetes/bin/kubectl get cs
#将kubectl复制到/bin/下【直接执行 kubectl get cs】
cp /opt/kubernetes/bin/kubectl /bin/
查看运行状态
二、错误查看、排查
①、查看错误日志
cat /var/log/messages|grep kube-apiserver|grep -i error
②、服务启动失败排查错误,执行失败会打印出错误信息【例如api-server】
#执行kube-apiserver 加上配置
/opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.2.200:2379,https://192.168.2.110:2379 \
--bind-address=192.168.2.200 \
--secure-port=6443 \
--advertise-address=192.168.2.200 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-50000 \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 --audit-log-maxbackup=3 \
--audit-log-maxsize=100 --audit-log-path=/opt/kubernetes/logs/k8s.log