Kubernetes cluster (binary install, v1.20)

This article walks through a highly available deployment of Kubernetes 1.20: the system environment, base configuration, installation and configuration of the core components, network plugin deployment, and integration of monitoring and management tools.

1. System software environment

Software      Version
OS            CentOS Linux release 7.8.2003 (Core)
Docker        docker-20.10.6-ce
Kubernetes    1.20.6
etcd          3.4.15

Node components

Role         IP           Components
k8s-master1  3.1.101.49   kube-apiserver, kube-controller-manager, kube-scheduler, docker, kubelet, kube-proxy, etcd, nginx, keepalived
k8s-master2  3.1.101.50   kube-apiserver, kube-controller-manager, kube-scheduler, docker, kubelet, kube-proxy, etcd, nginx, keepalived
k8s-node1    3.1.101.51   docker, kubelet, kube-proxy, etcd
k8s-node2    3.1.101.52   docker, kubelet, kube-proxy, etcd
k8s-node3    3.1.101.53   docker, kubelet, kube-proxy, etcd
VIP          3.1.101.45

master1 and master2 are made highly available with Nginx + Keepalived; the VIP 3.1.101.45 floats between them. etcd runs as a five-member cluster across all five hosts.

2. Base environment configuration

On all nodes (every master and worker)

2.1 Create directories

## Directory layout for the etcd, Kubernetes and CNI binaries, configs, certificates and logs
mkdir -pv /opt/etcd/{bin,cfg,ssl,logs}
mkdir -pv /opt/k8s/{bin,cfg,ssl,logs,yaml}
mkdir -pv /opt/cni/{bin,cfg,yaml}
mkdir -pv /etc/cni/

2.2 hosts configuration

cat >> /etc/hosts << EOF
3.1.101.49 k8s-master1
3.1.101.50 k8s-master2
3.1.101.51 k8s-node1
3.1.101.52 k8s-node2
3.1.101.53 k8s-node3
3.1.101.49 etcd-1
3.1.101.50 etcd-2
3.1.101.51 etcd-3
3.1.101.52 etcd-4
3.1.101.53 etcd-5
EOF

2.3 Set hostnames

Run the matching line on each node

hostnamectl set-hostname k8s-master1
hostnamectl set-hostname k8s-master2
hostnamectl set-hostname k8s-node1
hostnamectl set-hostname k8s-node2
hostnamectl set-hostname k8s-node3

2.4 Other system settings

## Kernel parameters that kube-proxy and the CNI bridge depend on: IP forwarding, and
## bridged traffic passing through iptables/ip6tables (these are not IPVS-specific)
## The net.bridge.bridge-nf-call-* keys only exist once br_netfilter is loaded
modprobe br_netfilter
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
## Apply
sysctl --system
## Disable swap (kubelet refuses to start while swap is enabled); comment the swap entry out of /etc/fstab so it stays off after a reboot
# Temporary:
swapoff -a

## Stop NetworkManager
systemctl stop NetworkManager
systemctl disable NetworkManager

## Time sync (ntpdate is a one-shot sync; run chronyd or ntpd for continuous sync, since skewed clocks make TLS certificate validity checks fail)
/usr/bin/cp -f /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
ntpdate time.windows.com

## Environment variables (depending on the node; normally only the master nodes need them)
echo 'export PATH=$PATH:/opt/k8s/bin/' >> /etc/profile
echo 'export PATH=$PATH:/opt/etcd/bin/' >> /etc/profile
source /etc/profile

## For convenience, set up passwordless SSH from k8s-master1 to every other node; the rsync/scp steps below rely on it
ssh-keygen -t rsa
ssh-copy-id -i /root/.ssh/id_rsa.pub root@k8s-master2
ssh-copy-id -i /root/.ssh/id_rsa.pub root@k8s-node1
ssh-copy-id -i /root/.ssh/id_rsa.pub root@k8s-node2
ssh-copy-id -i /root/.ssh/id_rsa.pub root@k8s-node3
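A node pre-flight check for the settings in this section, added here as an example (it is not part of the original post). Each function takes the file to inspect as an argument so the logic can be exercised against constructed copies of /etc/sysctl.d/k8s.conf, /proc/swaps, /etc/fstab and /proc/modules; called without arguments on a real node they read the live files. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for the node
# settings in 2.4. Each function takes the file to inspect (defaulting to the
# live system file) so the logic can be tested against constructed copies.
set -eu

# All three keys must be present and set to 1 in the k8s sysctl fragment.
check_sysctl_conf() {
    f=${1:-/etc/sysctl.d/k8s.conf}
    rc=0
    for key in net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
        # the last assignment wins, as it does for sysctl itself
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p" "$f" | tail -n 1)
        if [ "$val" != "1" ]; then
            echo "$key is '${val:-unset}' in $f, expected 1" >&2
            rc=1
        fi
    done
    return $rc
}

# /proc/swaps has only its header line when no swap device is active.
check_swap_off() {
    f=${1:-/proc/swaps}
    [ "$(wc -l < "$f")" -le 1 ]
}

# swapoff -a is undone at reboot if an uncommented swap line is still in
# fstab, and kubelet then refuses to start.
check_fstab_no_swap() {
    f=${1:-/etc/fstab}
    ! grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$f"
}

# The net.bridge.bridge-nf-call-* keys only exist while br_netfilter is
# loaded; sysctl --system reports "cannot stat" for them and moves on.
check_br_netfilter() {
    f=${1:-/proc/modules}
    grep -q '^br_netfilter ' "$f"
}

# Run everything against the live system; non-zero on the first failed check.
node_preflight() {
    check_sysctl_conf && check_swap_off && check_fstab_no_swap && check_br_netfilter
}
```

Run node_preflight on each node after the steps above and before starting kubelet; the individual checks print what is wrong to stderr.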

3. Install the cfssl certificate tools

On the master node (k8s-master1)

## Directory for the self-signed certificates
mkdir -pv /data/TLS/{etcd,k8s}

## Download (version 1.5.0 is used below)
https://github.com/cloudflare/cfssl/releases/download

## Move the binaries into /usr/bin
mv cfssl_1.5.0_linux_amd64 /usr/bin/cfssl
mv cfssl-certinfo_1.5.0_linux_amd64 /usr/bin/cfssl-certinfo
mv cfssljson_1.5.0_linux_amd64 /usr/bin/cfssljson

## Make them executable
chmod +x /usr/bin/cfssl*

## Print the default configuration templates (for reference; the files used below are written by hand)
cfssl print-defaults config > config.json
cfssl print-defaults csr > csr.json

4. Deploy the etcd cluster

Node name  IP
etcd-1     3.1.101.49
etcd-2     3.1.101.50
etcd-3     3.1.101.51
etcd-4     3.1.101.52
etcd-5     3.1.101.53

4.1 Self-signed TLS certificates

  • Run on etcd-1, then sync the results to the other nodes

Self-signed certificate authority (CA)

cd /data/TLS/etcd/
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

Generate the CA certificate and key

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

Issue the etcd server certificate with the self-signed CA

Create the certificate request. The hosts list must contain the IP of every etcd node (extra addresses can be reserved for future members): etcd verifies peer and client connections against these SANs, so a missing IP surfaces later as a TLS handshake failure.

cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "3.1.101.49",
    "3.1.101.50",
    "3.1.101.51",
    "3.1.101.52",
    "3.1.101.53",
    "3.1.101.54",
    "3.1.101.55"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
EOF

Generate the certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
ls
ca-config.json  ca-key.pem  server-csr.json
ca.csr          ca.pem      server-key.pem
ca-csr.json     server.csr  server.pem

Distribute the certificates

cp /data/TLS/etcd/*.pem /opt/etcd/ssl/
ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem
rsync -av /data/TLS/etcd/*.pem etcd-2:/opt/etcd/ssl/
rsync -av /data/TLS/etcd/*.pem etcd-3:/opt/etcd/ssl/
rsync -av /data/TLS/etcd/*.pem etcd-4:/opt/etcd/ssl/
rsync -av /data/TLS/etcd/*.pem etcd-5:/opt/etcd/ssl/

Note that the *.pem glob also copies ca-key.pem to every member. The etcd service only reads ca.pem, server.pem and server-key.pem, and anyone holding the CA key can issue a client certificate the whole cluster trusts, so on production hosts copy only those three files and keep ca-key.pem on the machine that issues certificates.

4.2 Install etcd

Download

https://github.com/etcd-io/etcd/releases/download/v3.4.15/etcd-v3.4.15-linux-amd64.tar.gz

Unpack and deploy

  • Run on etcd-1, then sync the binaries to the other nodes
tar -zxf etcd-v3.4.15-linux-amd64.tar.gz
mv etcd-v3.4.15-linux-amd64/etcd* /opt/etcd/bin/

rsync -av /opt/etcd/bin/* etcd-2:/opt/etcd/bin/
rsync -av /opt/etcd/bin/* etcd-3:/opt/etcd/bin/
rsync -av /opt/etcd/bin/* etcd-4:/opt/etcd/bin/
rsync -av /opt/etcd/bin/* etcd-5:/opt/etcd/bin/

4.3 Create the etcd configuration file

The configuration is the same on every member except for the values that identify the local node: on each host change ETCD_NAME and every listen/advertise URL to that node's etcd name and IP. ETCD_INITIAL_CLUSTER is identical everywhere.

cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://3.1.101.49:2380"
ETCD_LISTEN_CLIENT_URLS="https://3.1.101.49:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://3.1.101.49:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://3.1.101.49:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://3.1.101.49:2380,etcd-2=https://3.1.101.50:2380,etcd-3=https://3.1.101.51:2380,etcd-4=https://3.1.101.52:2380,etcd-5=https://3.1.101.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
  • ETCD_NAME: member name, unique within the cluster
  • ETCD_DATA_DIR: data directory
  • ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
  • ETCD_LISTEN_CLIENT_URLS: listen address for client traffic
  • ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the rest of the cluster
  • ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
  • ETCD_INITIAL_CLUSTER: all members of the initial cluster
  • ETCD_INITIAL_CLUSTER_TOKEN: cluster token
  • ETCD_INITIAL_CLUSTER_STATE: state when joining; new for a new cluster, existing when joining an existing cluster
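The hosts entries in 2.2 and the per-node etcd.conf in 4.3 both derive from the same five-line node table, and a copy-paste slip in either (two hosts sharing a name or an IP) produces a cluster that never reaches quorum. The following added example (not code from the original post) renders both files from one inventory and refuses to proceed if any hostname or IP appears twice. The inventory string is constructed from the node table above; the function names and the ssh loop in the usage comment are this example's own and assume the passwordless root SSH set up in 2.4.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: render /etc/hosts entries and
# per-node etcd.conf from one inventory, after checking it for duplicates.
# Inventory format (constructed from the node table): "etcd-name k8s-name ip".
set -eu

INVENTORY='etcd-1 k8s-master1 3.1.101.49
etcd-2 k8s-master2 3.1.101.50
etcd-3 k8s-node1 3.1.101.51
etcd-4 k8s-node2 3.1.101.52
etcd-5 k8s-node3 3.1.101.53'

# Fail if any etcd name, hostname or IP is listed more than once.
check_inventory() {
    inv=$1
    dups=$(printf '%s\n' "$inv" | awk '{print $1; print $2; print $3}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate inventory entries: %s\n' "$dups" >&2
        return 1
    fi
}

# /etc/hosts block: the k8s-* and the etcd-* name for every node.
render_hosts() {
    printf '%s\n' "$1" | awk '{print $3, $2; print $3, $1}'
}

# ETCD_INITIAL_CLUSTER in the form etcd expects: name=https://ip:2380,...
render_initial_cluster() {
    printf '%s\n' "$1" | awk '{printf "%s%s=https://%s:2380", (NR > 1 ? "," : ""), $1, $3} END {print ""}'
}

# etcd.conf for one member; only the name and IP differ between nodes.
render_etcd_conf() {
    inv=$1
    name=$2
    ip=$(printf '%s\n' "$inv" | awk -v n="$name" '$1 == n {print $3}')
    [ -n "$ip" ] || { echo "unknown etcd member: $name" >&2; return 1; }
    cluster=$(render_initial_cluster "$inv")
    cat <<EOF
#[Member]
ETCD_NAME="$name"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="https://$ip:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ip:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ip:2379"
ETCD_INITIAL_CLUSTER="$cluster"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
}

# Usage on the host doing the rollout (assumes root SSH to each etcd-N name):
#   check_inventory "$INVENTORY"
#   render_hosts "$INVENTORY" >> /etc/hosts
#   for n in etcd-1 etcd-2 etcd-3 etcd-4 etcd-5; do
#       render_etcd_conf "$INVENTORY" "$n" | ssh "root@$n" 'cat > /opt/etcd/cfg/etcd.conf'
#   done
```

Because ETCD_INITIAL_CLUSTER is rendered from the same table as the per-node URLs, every member advertises exactly the address the others expect, which is the condition the restart in 4.5 depends on.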

4.4 Create the etcd systemd unit

The unit presents server.pem for both client and peer connections and trusts ca.pem for both. --client-cert-auth and --peer-client-cert-auth are set explicitly: without them etcd only encrypts the connection and accepts any client, which would expose every Kubernetes Secret to anyone who can reach port 2379. With them, every client (kube-apiserver, etcdctl) must present a certificate signed by this CA.

cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--client-cert-auth=true \
--peer-client-cert-auth=true \
--logger=zap
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

4.5 Start etcd

## Reload the systemd unit files
systemctl daemon-reload
## Start etcd (the first member waits for the others to join, so start all five)
systemctl restart etcd
## Enable at boot
systemctl enable etcd

4.6 Verify the etcd cluster

Both commands authenticate with the server certificate, which the www profile also issued with the client auth usage. Every endpoint should report healthy and member list should show all five members started.

/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://3.1.101.49:2379,https://3.1.101.50:2379,https://3.1.101.51:2379,https://3.1.101.52:2379,https://3.1.101.53:2379" endpoint health

/opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://3.1.101.49:2379,https://3.1.101.50:2379,https://3.1.101.51:2379,https://3.1.101.52:2379,https://3.1.101.53:2379" member list

5. Deploy Docker from binaries

5.1 Download

https://download.docker.com/linux/static/stable/x86_64/

tar zxf docker-20.10.6.tgz
mv docker/* /usr/bin/

Write the Docker daemon configuration

mkdir /etc/docker
cat > /etc/docker/daemon.json << EOF
{
    "registry-mirrors": ["https://gsm39obv.mirror.aliyuncs.com"]
}
EOF

5.2 Create the systemd unit

The heredoc delimiter is quoted ('EOF') so the shell does not expand $MAINPID while writing the file; with an unquoted EOF the ExecReload line is written as "/bin/kill -s HUP " and systemctl reload docker fails.

cat > /usr/lib/systemd/system/docker.service << 'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF

5.3 Start Docker

systemctl daemon-reload
systemctl restart docker
systemctl enable docker

6. Deploy Kubernetes

Binary deployment

Download

https://dl.k8s.io/v1.20.6/kubernetes-server-linux-amd64.tar.gz

Verify the archive against the checksum published with the release before unpacking it; these binaries run as root on every node.

Unpack

tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin

Master nodes (run on k8s-master1, then copy the same set to k8s-master2)

rsync -av kubectl kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy /opt/k8s/bin/
rsync -av kubectl kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy root@k8s-master2:/opt/k8s/bin/

Worker nodes

rsync -av kubelet kube-proxy root@k8s-node1:/opt/k8s/bin/
rsync -av kubelet kube-proxy root@k8s-node2:/opt/k8s/bin/
rsync -av kubelet kube-proxy root@k8s-node3:/opt/k8s/bin/

7. Master node deployment

7.1 Deploy kube-apiserver

Generate the kube-apiserver certificates

  1. Self-signed certificate authority (CA)
cd /data/TLS/k8s/

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json << EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  2. Issue the kube-apiserver server certificate with the self-signed CA
## Create the certificate request:

cat > server-csr.json << EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "3.1.101.48",
      "3.1.101.49",
      "3.1.101.50",
      "3.1.101.51",
      "3.1.101.52",
      "3.1.101.53",
      "3.1.101.45",
      "3.1.101.46",
      "3.1.101.57",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

Note: the hosts field must list every Master, load-balancer and VIP address (none can be missing), 127.0.0.1, the cluster-internal kubernetes service IP (10.0.0.1, the first address of the service CIDR) and the kubernetes.default.svc.cluster.local names that in-cluster clients use. Adding an address later means re-issuing the certificate, so the extra IPs reserve room for expansion.

Generate the certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
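Both the etcd server certificate in 4.1 and the kube-apiserver certificate here depend on the hosts list being complete, and cfssl does not warn when an address is left out. The following added example (not from the original post) reads the SANs out of an issued certificate with openssl and reports any required entry that is absent. make_test_cert builds a throwaway self-signed certificate with openssl so the check can be run without cfssl; it is a constructed stand-in for server.pem, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: verify that an issued certificate
# carries every SAN the cluster needs before it is copied to /opt/k8s/ssl.
# Requires openssl; cfssl is not needed. Function names are this example's own.
set -eu

# Print the certificate's SAN entries one per line as IP:x or DNS:x.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/IP Address:/IP:/'
}

# Return non-zero and list what is missing if any required entry is absent.
# Usage: check_cert_sans cert.pem IP:3.1.101.45 DNS:kubernetes ...
check_cert_sans() {
    cert=$1
    shift
    have=$(cert_sans "$cert")
    missing=""
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$want"; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing SAN entries:%s\n' "$missing" >&2
        return 1
    fi
}

# Constructed stand-in for server.pem: a throwaway self-signed certificate
# whose SAN list deliberately omits the VIP, generated with openssl.
make_test_cert() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kubernetes
[v3]
subjectAltName = IP:10.0.0.1, IP:127.0.0.1, IP:3.1.101.49, DNS:kubernetes, DNS:kubernetes.default.svc.cluster.local
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/san.cnf" >/dev/null 2>&1
}

# On the real master the checks would be:
#   check_cert_sans /data/TLS/k8s/server.pem IP:3.1.101.45 IP:3.1.101.49 IP:3.1.101.50 \
#       IP:10.0.0.1 IP:127.0.0.1 DNS:kubernetes DNS:kubernetes.default.svc.cluster.local
#   check_cert_sans /data/TLS/etcd/server.pem IP:3.1.101.49 IP:3.1.101.50 IP:3.1.101.51 \
#       IP:3.1.101.52 IP:3.1.101.53
```

The check compares whole entries (IP:x or DNS:x), so an IP that was mistakenly written as a DNS name in the CSR is reported as missing rather than passing on a substring match.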

Distribute the certificates

# Master nodes (k8s-master2 needs the same server certificate and the CA key pair for the components it runs)
cp /data/TLS/k8s/ca*pem /opt/k8s/ssl/
cp /data/TLS/k8s/server*pem /opt/k8s/ssl/
scp /data/TLS/k8s/ca*pem /data/TLS/k8s/server*pem root@k8s-master2:/opt/k8s/ssl/

# Worker nodes only need the CA certificate to verify the apiserver; the CA key stays on the masters
scp /data/TLS/k8s/ca.pem root@k8s-node1:/opt/k8s/ssl
scp /data/TLS/k8s/ca.pem root@k8s-node2:/opt/k8s/ssl
scp /data/TLS/k8s/ca.pem root@k8s-node3:/opt/k8s/ssl

Create the configuration file
