这篇文章为大家带来有关单master节点和多master节点的部署教程。文中分别详细介绍了单master节点部署和多master节点部署,感兴趣的小伙伴可以参考下。
一、单master群集部署
单master群集架构图:
以下是自签SSL证书列表:
1、首先,我们要了解在 Master 上,要部署以下三大核心组件:
kube-apiserver:是集群的统一入口,各组件协调者,所有对象资源的增删改查和监听操作都交给 APIServer 处理后再提交给 Etcd 存储;
kube-controller-manager:处理群集中常规后台任务,一个资源对应一个控制器,而 controller-manager 就是负责管理这些控制器的;
kube-scheduler:根据调度算法为新创建的 Pod 选择一个 Node 节点,可以任意部署,可以部署在同一个节点上,也可以部署在不同节点上。
操作流程:配置文件 -----> systemd 管理组件 -----> 启动
—— 部署开始:
接下来是在 master 上的操作,生成 api-server 证书:
将宿主机上下载好的 master.zip 包上传到 /root/k8s/ 目录下,并解压:
[root@localhost k8s]# unzip master.zip
[root@localhost k8s]# mkdir /opt/kubernetes/{cfg,bin,ssl} -p
[root@localhost k8s]# mkdir k8s-cert //创建 apiserver自签证书的目录
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# vim k8s-cert.sh
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#-----------------------
cat > server-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.109.138", //第一台master
"192.168.109.230", //第二台master
"192.168.109.100", //vip虚拟地址
"192.168.109.133", //第一台调度服务器地址(master)
"192.168.109.137", //第二台调度服务器地址(backup)
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#-----------------------
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
接下来生成 k8s 证书:
[root@localhost k8s-cert]# bash k8s-cert.sh
[root@localhost k8s-cert]# ls *pem //查看证书,此处应有8个
admin-key.pem ca-key.pem kube-proxy-key.pem server-key.pem
admin.pem ca.pem kube-proxy.pem server.pem
[root@localhost k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@localhost k8s-cert]# cd ..
[root@localhost k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz //解压缩包
[root@localhost ~]# cd /root/k8s/kubernetes/server/bin/
//复制关键命令文件:
[root@localhost bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@localhost bin]# cd /root/k8s/
//使用下面命令随机生成序列号:
[root@localhost k8s]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
1232eb0133309f6ccde54802cc0b3ebe
[root@localhost k8s]# vim /opt/kubernetes/cfg/token.csv
1232eb0133309f6ccde54802cc0b3ebe,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
序列号,用户名,id号,角色
//此时,二进制文件,token,证书都准备好,开启 apiserver
[root@localhost k8s]# bash apiserver.sh 192.168.109.138 https://192.168.109.138:2379,https://192.168.109.131:2379,https://192.168.109.132:2379
//检查进程是否启动成功:
[root@localhost k8s]# ps aux | grep kube
//查看配置文件:
[root@localhost k8s]# cat /opt/kubernetes/cfg/kube-apiserver
//检查监听端口,是否都正常:
[root@localhost k8s]# netstat -natp | grep 6443
[root@localhost k8s]# netstat -natp | grep 8080
//启动 schedule 服务:
[root@localhost k8s]# ./scheduler.sh 127.0.0.1
[root@localhost k8s]# ps aux | grep ku
[root@localhost k8s]# chmod +x controller-manager.sh
[root@localhost k8s]# ./controller-manager.sh 127.0.0.1
//查看 master 节点的状态:
[root@localhost k8s]# /opt/kubernetes/bin/kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}2、在 node 节点上的部署:
首先以下是 node 节点上的 三大核心组件:
kubelet:是master在node节点上的agent,可以管理本机运行容器的生命周期,例如创建容器、Pod挂载数据卷、下载secret、获取容器和节点状态等工作,kubelet 将每个 Pod转换成一组容器。
kube-proxy:在 node节点上实现 Pod网络代理,维护网络规划和四层负载均衡工作。
docker:容器(我们已经安装好了)
—— 部署开始:
//先在master上,把 kubelet、kube-proxy 拷贝到 node节点上去:
[root@localhost ~]# cd k8s/kubernetes/server/bin/
[root@localhost bin]# ls
apiextensions-apiserver kube-apiserver.docker_tag kube-proxy
cloud-controller-manager kube-apiserver.tar kube-proxy.docker_tag
cloud-controller-manager.docker_tag kube-controller-manager kube-proxy.tar
cloud-controller-manager.tar kube-controller-manager.docker_tag kube-scheduler
hyperkube kube-controller-manager.tar kube-scheduler.docker_tag
kubeadm kubectl kube-scheduler.tar
kube-apiserver kubelet mounter
[root@localhost bin]# scp kubelet kube-proxy root@192.168.109.131:/opt/kubernetes/bin/
[root@localhost bin]# scp kubelet kube-proxy root@192.168.109.132:/opt/kubernetes/bin/
//在 node01节点上操作(将宿主机上的 node.zip包 到/root 目录下再解压):
[root@localhost ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz node.zip 公共 视频 文档 音乐
flannel.sh initial-setup-ks.cfg README.md 模板 图片 下载 桌面
[root@localhost ~]# unzip node.zip //解压,获得 kubelet.sh proxy.sh
Archive: node.zip
inflating: proxy.sh
inflating: kubelet.sh
————接下来在 master 上操作:
[root@localhost k8s]# mkdir kubeconfig
[root@localhost k8s]# cd kubeconfig/
[root@localhost kubeconfig]# cat /opt/kubernetes/cfg/token.csv //获取 token信息
1232eb0133309f6ccde54802cc0b3ebe,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@localhost kubeconfig]# vim kubeconfig
APISERVER=$1
SSL_DIR=$2
# 创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://$APISERVER:6443"
# 设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
--token=1232eb0133309f6ccde54802cc0b3ebe \
--kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
--kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
#----------------------
# 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=$SSL_DIR/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=$SSL_DIR/kube-proxy.pem \
--client-key=$SSL_DIR/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
//设置环境变量(可以写入到 /etc/profile 中):
[root@localhost kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
//检查健康状态:
[root@localhost kubeconfig]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
//生成配置文件:
[root@localhost kubeconfig]# bash kubeconfig 192.168.109.138 /root/k8s/k8s-cert/
[root@localhost kubeconfig]# ls
bootstrap.kubeconfig kubeconfig kube-proxy.kubeconfig
//拷贝配置文件到 node节点上:
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.109.131:/opt/kubernetes/cfg/
[root@localhost kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.109.132:/opt/kubernetes/cfg/
//创建 bootstrap角色赋予权限用于连接 apiserver请求签名(至关重要):
[root@localhost kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
————接下来在 node01 节点上的操作:
[root@localhost ~]# bash kubelet.sh 192.168.109.131
//检查 kubelet 服务启动:
[root@localhost ~]# ps aux|grep kube
————在master上:
//检查到 node01 节点的请求:
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-M9Iv_3cKuOZaiKSvoQGIarJHOaK1S9FnRs6SGIXP9nk 5s kubelet-bootstrap Pending(意思:等待群集给该节点颁发证书)
//接下来同意请求,颁发证书即可:
[root@localhost kubeconfig]# kubectl certificate approve node-csr-M9Iv_3cKuOZaiKSvoQGIarJHOaK1S9FnRs6SGIXP9nk
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-M9Iv_3cKuOZaiKSvoQGIarJHOaK1S9FnRs6SGIXP9nk 7m7s kubelet-bootstrap Approved,Issued
(Approved,Issued:就表示已经被允许加入群集)
//查看群集节点,成功加入 node01 节点:
[root@localhost kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.109.131 Ready <none> 3m8s v1.12.3
————在 node01上操作,启动 proxy服务:
[root@localhost ~]# bash proxy.sh 192.168.109.131
[root@localhost ~]# systemctl status kube-proxy.service //查看状态是否正常
————部署 node02 :
为了提高效率,我们将 node01上现成的 /opt/kubernetes目录复制到其他节点进行修改即可:
[root@localhost ~]# scp -r /opt/kubernetes/ root@192.168.109.132:/opt/
//再把kubelet,kube-proxy的service文件拷贝到node2中
[root@localhost ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.109.132:/usr/lib/systemd/system/
--接下来就是在 node02 节点上的操作:
//首先,先删除复制过来的证书,因为待会 node02 会自行申请属于自己的证书:
[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *
//修改配置文件 kubelet 、kubelet.config 、kube-proxy(三个配置文件)
[root@localhost ssl]# cd /opt/kubernetes/cfg/
[root@localhost cfg]# vim kubelet
KUBELET_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.109.132 \ ##改成自己的IP地址
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet.config \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
[root@localhost cfg]# vim kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.109.132 ##改成自己的IP地址
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
anonymous:
enabled: true
[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=192.168.109.132 \ ##改成自己的IP地址
--cluster-cidr=10.0.0.0/24 \
--proxy-mode=ipvs \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
//启动服务:
[root@localhost cfg]# systemctl start kubelet.service
[root@localhost cfg]# systemctl start kube-proxy.service
//和之前一样,在 master 上操作查看请求:
[root@localhost kubeconfig]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-M9Iv_3cKuOZaiKSvoQGIarJHOaK1S9FnRs6SGIXP9nk 29m kubelet-bootstrap Approved,Issued
node-csr-vOfkpLYSYqFtD__GgZZZiV7NU_WaqECDvBbFuGyckRc 2m21s kubelet-bootstrap Pending
//接下来和刚刚一样,同意授权,颁发证书即可:
[root@localhost kubeconfig]# kubectl certificate approve node-csr-vOfkpLYSYqFtD__GgZZZiV7NU_WaqECDvBbFuGyckRc
//查看群集中的节点:
[root@localhost kubeconfig]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.109.131 Ready <none> 34s v1.12.3
192.168.109.132 Ready <none> 25m v1.12.3!!至此,我们一个单节点的 Master 部署就完成了,接下来是带来 多节点 Master部署
二、多 Master 节点部署:
多 Master节点集群图:
在有单 Master 节点部署环境的基础上,在部署一个 Master02 即可。
| 角色 | IP地址 |
| master02 | 192.168.109.230 |
–部署开始:
//首先关闭防火墙:
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# setenforce 0
//在 master01上,直接将 kubernetes目录拷贝到 master02上即可:
[root@localhost kubeconfig]# scp -r /opt/kubernetes/ root@192.168.109.230:/opt
//在复制 master01 上的三个组件启动脚本:kube-apiserver.service、kube-controller-manager.service、kube-scheduler.service
[root@localhost kubeconfig]# scp /usr/lib/systemd/system/{kube-apiserver,kube-controller-manager,kube-scheduler}.service root@192.168.220.129:/usr/lib/systemd/system/
//接下来,在 master02上,修改配置文件 kube-apiserver中的IP地址:
[root@localhost cfg]# pwd
/opt/kubernetes/cfg
[root@localhost cfg]# vim kube-apiserver
.
(省略部分)
.
--etcd-servers=https://192.168.109.138:2379,https://192.168.109.131:2379,https://192.168.109.132:2379 \
--bind-address=192.168.109.230 \ ##改成自己的ip地址
--secure-port=6443 \
--advertise-address=192.168.109.230 \ ##改成自己的ip地址
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
.
(省略部分)
.
//拷贝 master01 上已有的 etcd 证书给 master02 使用:
[root@localhost kubeconfig]# scp -r /opt/etcd/ root@192.168.109.230:/opt/
//接下来,启动 master02中的三个组件:
[root@localhost cfg]# systemctl start kube-apiserver.service
[root@localhost cfg]# systemctl start kube-controller-manager.service
[root@localhost cfg]# systemctl start kube-scheduler.service
//增加环境变量:
[root@localhost cfg]# vim /etc/profile
在末尾添加:
export PATH=$PATH:/opt/kubernetes/bin/
[root@localhost cfg]# source /etc/profile //环境变量生效
//master02 上查看节点情况(和 master01一模一样):
[root@localhost cfg]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.109.131 Ready <none> 44m v1.12.3
192.168.109.132 Ready <none> 70m v1.12.3关于单master节点部署和多master节点部署就分享到这里了,希望以上内容可以对大家有一定的帮助,可以学到更多知识。如果喜欢这篇文章,不如把它分享出去让更多的人看到。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
