Installing a Kubernetes 1.10.5 cluster from binaries on CentOS 7

Cluster plan

The cluster has one master and two nodes, as shown in the tables below:

master:

master: master (192.168.8.201)

Component    Version   Path               Binaries
etcd         3.3.8     /usr/bin
flannel      0.10.0    /opt/flannel/bin
cni          0.7.1     /opt/cni/bin
kubernetes   1.10.5    /usr/bin           kube-apiserver, kube-controller-manager, kube-scheduler

node:

node: slave-i (192.168.8.211), slave-ii (192.168.8.221)

Component    Version      Path               Binaries
etcd         3.3.8        /usr/bin
flannel      0.10.0       /opt/flannel/bin
cni          0.7.1        /opt/cni/bin
kubernetes   1.10.5       /usr/bin           kubelet, kube-proxy
docker       18.03.1-ce   /usr/bin

Package downloads

etcd: https://github.com/coreos/etcd/releases/, version 3.3.8;
flannel: https://github.com/coreos/flannel/releases/, version v0.10.0;
cni: https://github.com/containernetworking/plugins/releases, version v0.7.1;
kubernetes: https://github.com/kubernetes/kubernetes/releases, version 1.10.5;
docker is installed from the Aliyun mirror, so no separate package needs to be downloaded.

These binaries end up in /usr/bin running as root on every host, so verify each tarball against the checksums published with its release (the Kubernetes CHANGELOG lists the sha256 sum of every tarball) before unpacking it.

Server setup

Changing the hostnames

Set the master's hostname to master and the two nodes' hostnames to slave-i and slave-ii. Run the matching command on master (192.168.8.201), slave-i (192.168.8.211) and slave-ii (192.168.8.221) to change the hostname permanently:

hostnamectl --static set-hostname master
hostnamectl --static set-hostname slave-i
hostnamectl --static set-hostname slave-ii

Also edit /etc/hosts on all three nodes and add these three lines:

192.168.8.201 master
192.168.8.211 slave-i
192.168.8.221 slave-ii

Then add the local hostname to the 127.0.0.1 entry on each node: 127.0.0.1 master on master, 127.0.0.1 slave-i on slave-i and 127.0.0.1 slave-ii on slave-ii.

Firewall settings

If iptables is not installed on the hosts, install it on all three:

yum install iptables-services

iptables -L -n -v shows the current rules. The following disables iptables permanently on the three hosts:

chkconfig iptables off

Stop iptables and firewalld on all three hosts and keep them from starting at boot:

systemctl stop iptables
systemctl disable iptables
systemctl stop firewalld
systemctl disable firewalld

systemctl status iptables and systemctl status firewalld confirm that both are down.

Turning the host firewall off is a shortcut for a lab. On anything reachable by other users, keep firewalld and open only what the cluster needs: 2379 and 2380 (etcd, from the other members and the API server), 6443 (API server), 10250 (kubelet, from the master), 8472/udp (flannel VXLAN between hosts) and the NodePort range configured on the API server. Note that the docker.service unit below also sets the iptables FORWARD policy to ACCEPT, so the FORWARD chain is not a defence in this setup either.

SELinux configuration

getenforce or /usr/sbin/sestatus shows the current SELinux state. Disable SELinux by changing the SELINUX option in /etc/selinux/config:

SELINUX=disabled

The file only takes effect after a reboot; run setenforce 0 as well to switch to permissive mode immediately.

Disabling the swap partition

free -m shows the swap usage. Edit /etc/fstab and comment out the swap line so swap is not re-enabled at boot, and run swapoff -a to turn it off now; the kubelet refuses to start while swap is active unless told otherwise.

Clock synchronisation

Install ntpdate:

yum install ntpdate

Synchronise the clock with the command below, and keep it synchronised afterwards with chronyd or ntpd: certificate validity checks and etcd leases both depend on the hosts agreeing on the time.

ntpdate us.pool.ntp.org
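The host-preparation steps above (hosts file, SELinux, swap) and the bridge sysctl that the nodes need later are easy to leave half-done, for instance swap commented out in fstab but still active until the next reboot. The script below, added here as an example and not part of the original post, checks each of them. Every function takes an optional file path so it can be run against the live system files or against constructed copies; the hostnames are the ones used in this post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the host
# settings prepared above. Each function reads the file given as $1, or the
# live system file when called without an argument, and returns 0 on pass.

# /etc/hosts must resolve all three cluster names (this post's hostnames).
check_hosts() {
    f="${1:-/etc/hosts}"
    for h in master slave-i slave-ii; do
        grep -Eq "^[0-9.]+[[:space:]]+([^#]*[[:space:]])?$h([[:space:]]|$)" "$f" || return 1
    done
    return 0
}

# SELinux must be disabled (as in this post) or permissive in the config file.
check_selinux_config() {
    f="${1:-/etc/selinux/config}"
    grep -Eq '^SELINUX=(disabled|permissive)[[:space:]]*$' "$f"
}

# No swap may be active: /proc/swaps then contains only its header line.
check_swap_off() {
    f="${1:-/proc/swaps}"
    [ "$(grep -cv '^Filename' "$f")" -eq 0 ]
}

# No uncommented swap entry may remain in fstab, or swap returns at reboot.
check_fstab_no_swap() {
    f="${1:-/etc/fstab}"
    ! grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$f"
}

# Bridged traffic must be visible to iptables for kube-proxy's rules to work;
# the sysctl key only exists once the br_netfilter module is loaded.
check_bridge_nf() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run every check against the live system, print one PASS/FAIL line each,
# and return 1 if any check failed.
preflight_report() {
    rc=0
    for c in check_hosts check_selinux_config check_swap_off \
             check_fstab_no_swap check_bridge_nf; do
        if "$c"; then echo "PASS $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}
```

Run preflight_report as root on each host before installing etcd; a FAIL on check_bridge_nf on the nodes is expected until the k8s.conf sysctl file from the node section has been applied.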

Installing the etcd cluster

Download etcd 3.3.8 from https://github.com/coreos/etcd/releases/, unpack it and copy the binaries to /usr/bin:

cp etcd etcdctl /usr/bin

Create the directories:

mkdir -p /var/lib/etcd /etc/etcd

Both commands must be run on all three hosts. Next configure etcd on each host; every etcd server has just two configuration files: /usr/lib/systemd/system/etcd.service and /etc/etcd/etcd.conf.

Node 1 (etcd-i)

/usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd

[Install]
WantedBy=multi-user.target

/etc/etcd/etcd.conf

# [member]
# member name
ETCD_NAME=etcd-i
# data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# address on which to listen for the other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.8.201:2380"
# addresses on which to listen for clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.201:2379,http://127.0.0.1:2379"

#[cluster]
# peer address advertised to the other members
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.201:2380"
# all members of the initial cluster
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# initial cluster state; new means bootstrap a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
# initial cluster token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# client addresses advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.201:2379,http://127.0.0.1:2379"

Node 2 (etcd-ii)

/usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd

[Install]
WantedBy=multi-user.target

/etc/etcd/etcd.conf

# [member]
# member name
ETCD_NAME=etcd-ii
# data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# address on which to listen for the other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.8.211:2380"
# addresses on which to listen for clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.211:2379,http://127.0.0.1:2379"

#[cluster]
# peer address advertised to the other members
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.211:2380"
# all members of the initial cluster
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# initial cluster state; new means bootstrap a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
# initial cluster token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# client addresses advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.211:2379,http://127.0.0.1:2379"

Node 3 (etcd-iii)

/usr/lib/systemd/system/etcd.service

[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd

[Install]
WantedBy=multi-user.target

/etc/etcd/etcd.conf

# [member]
# member name
ETCD_NAME=etcd-iii
# data directory
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# address on which to listen for the other etcd members
ETCD_LISTEN_PEER_URLS="http://192.168.8.221:2380"
# addresses on which to listen for clients
ETCD_LISTEN_CLIENT_URLS="http://192.168.8.221:2379,http://127.0.0.1:2379"

#[cluster]
# peer address advertised to the other members
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://192.168.8.221:2380"
# all members of the initial cluster
ETCD_INITIAL_CLUSTER="etcd-i=http://192.168.8.201:2380,etcd-ii=http://192.168.8.211:2380,etcd-iii=http://192.168.8.221:2380"
# initial cluster state; new means bootstrap a new cluster
ETCD_INITIAL_CLUSTER_STATE="new"
# initial cluster token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-token"
# client addresses advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.8.221:2379,http://127.0.0.1:2379"

The leader/follower roles inside the etcd cluster are unrelated to the master/node roles of the Kubernetes cluster: the configuration files only describe three etcd members, and the cluster elects its own leader at startup and while running. That is why the files name only etcd-i, etcd-ii and etcd-iii. Once all three files are in place, start the cluster:

systemctl daemon-reload
systemctl start etcd.service

Do not wait for one host to finish before starting the next: after starting, each member waits for its peers in order to elect a leader, and if the members are started too far apart the bootstrap times out and fails. After startup, check the cluster with:

etcdctl member list
etcdctl cluster-health

Running etcdctl member list on the master (etcd-i) lists all three members, and cluster-health reports each of them as healthy; at this point the etcd cluster is up.

All etcd traffic in this setup is plain HTTP with no authentication: anyone who can reach port 2379 on any member can read and rewrite the whole cluster state, which later includes every Kubernetes object and every Secret. Keep 2379/2380 reachable only from the three hosts, or enable etcd's client and peer TLS (--cert-file, --key-file, --trusted-ca-file, --client-cert-auth and their --peer-* equivalents) once the cluster works.

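Writing the three etcd.conf files by hand, as above, is where mismatches creep in, and etcd refuses to start when a member's advertised peer URL is not in the initial cluster list. The script below, added here as an example and not part of the original post, renders each member's /etc/etcd/etcd.conf from one member list using the settings above and lints a file for that mismatch; the CLUSTER variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): render /etc/etcd/etcd.conf for
# each member from one cluster list, so the three hand-written copies cannot
# drift apart, and lint a conf file for the commonest bootstrap failure.
# Member list format: name=ip, space separated (assumed by this example).

CLUSTER="etcd-i=192.168.8.201 etcd-ii=192.168.8.211 etcd-iii=192.168.8.221"
CLUSTER_TOKEN="etcd-cluster-token"

# Build the ETCD_INITIAL_CLUSTER value: name=http://ip:2380,...
initial_cluster() {
    out=""
    for m in $CLUSTER; do
        out="${out:+$out,}${m%%=*}=http://${m#*=}:2380"
    done
    printf '%s' "$out"
}

# Print the etcd.conf for one member name; fails if the name is unknown.
render_etcd_conf() {
    want="$1"; ip=""
    for m in $CLUSTER; do
        if [ "${m%%=*}" = "$want" ]; then ip=${m#*=}; fi
    done
    [ -n "$ip" ] || { echo "unknown member: $want" >&2; return 1; }
    cat <<EOF
# [member]
ETCD_NAME=$want
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="http://$ip:2380"
ETCD_LISTEN_CLIENT_URLS="http://$ip:2379,http://127.0.0.1:2379"

#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="http://$ip:2380"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="$CLUSTER_TOKEN"
ETCD_ADVERTISE_CLIENT_URLS="http://$ip:2379,http://127.0.0.1:2379"
EOF
}

# lint_etcd_conf FILE : the member's own name=advertised-peer-URL pair must
# appear in ETCD_INITIAL_CLUSTER, otherwise etcd exits at startup with
# "--initial-cluster must include ...".
lint_etcd_conf() {
    f="$1"
    name=$(sed -n 's/^ETCD_NAME=//p' "$f" | tr -d '"')
    adv=$(sed -n 's/^ETCD_INITIAL_ADVERTISE_PEER_URLS=//p' "$f" | tr -d '"')
    init=$(sed -n 's/^ETCD_INITIAL_CLUSTER=//p' "$f" | tr -d '"')
    case ",$init," in
        *",$name=$adv,"*) return 0 ;;
        *) echo "$f: $name=$adv is not in ETCD_INITIAL_CLUSTER" >&2; return 1 ;;
    esac
}

# Usage on each host, as root:
#   render_etcd_conf etcd-ii > /etc/etcd/etcd.conf && lint_etcd_conf /etc/etcd/etcd.conf
```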

Installing Docker

Install Docker on all three hosts following the Aliyun guide, which is not repeated here: https://yq.aliyun.com/articles/110806?spm=5176.8351553.0.0.44f01991b2jQwh

Installing flannel

Installing flannel

Download flannel v0.10.0 from https://github.com/coreos/flannel/releases/ and unpack it into /opt/flannel/bin/:

mkdir -p /opt/flannel/bin/
tar -xzvf flannel-v0.10.0-linux-amd64.tar.gz -C /opt/flannel/bin/

The tarball contains two executables, flanneld and mk-docker-opts.sh. Next create the flannel service file:

/usr/lib/systemd/system/flannel.service

[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
Type=notify
ExecStart=/opt/flannel/bin/flanneld -etcd-endpoints=http://192.168.8.201:2379,http://192.168.8.211:2379,http://192.168.8.221:2379 -etcd-prefix=coreos.com/network
ExecStartPost=/opt/flannel/bin/mk-docker-opts.sh -d /etc/docker/flannel_net.env -c
Restart=on-failure

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

flannel depends on etcd, so etcd must be installed first and its addresses passed with -etcd-endpoints; -etcd-prefix is the key prefix under which flannel stores its network configuration in etcd. Write the network configuration with:

etcdctl mk /coreos.com/network/config '{"Network":"172.18.0.0/16", "SubnetMin": "172.18.1.0", "SubnetMax": "172.18.254.0",  "Backend": {"Type": "vxlan"}}'

This is an etcd v2 API key (etcdctl from etcd 3.3 speaks the v2 API unless ETCDCTL_API=3 is set), which is what flannel 0.10 reads. Network is the overall pod network; every host leases a /24 between SubnetMin and SubnetMax.

The image pull below, which re-tags the Aliyun mirror as quay.io/coreos/flannel:v0.10.0, is only needed when flannel runs as a pod (DaemonSet); the flanneld binary started by the unit above does not use it, so for a binary install this step can be skipped:

docker pull registry.cn-beijing.aliyuncs.com/k8s_images/flannel:v0.10.0-amd64
docker tag registry.cn-beijing.aliyuncs.com/k8s_images/flannel:v0.10.0-amd64 quay.io/coreos/flannel:v0.10.0

Start flannel:

systemctl daemon-reload
systemctl start flannel.service

Modifying the Docker configuration

The flannel unit contains this line:

ExecStartPost=/opt/flannel/bin/mk-docker-opts.sh -d /etc/docker/flannel_net.env -c

With it, mk-docker-opts.sh runs after flanneld has started and writes /etc/docker/flannel_net.env. flannel takes over the Docker network: flannel_net.env holds the Docker startup options derived from the subnet flanneld leased (--bip for the host's /24 and --mtu, plus --ip-masq=false when flanneld does the masquerading itself), so docker.service must be changed to use them. The relevant lines in /usr/lib/systemd/system/docker.service:

After: start Docker after flannel;

EnvironmentFile: read the Docker startup options generated by flannel;

ExecStart: pass those options to dockerd;

ExecStartPost: run after Docker starts; it resets the host's iptables FORWARD policy, which Docker sets to DROP and which would otherwise block traffic between pods on different hosts.

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
# After=network-online.target firewalld.service
After=network-online.target flannel.service
Wants=network-online.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/etc/docker/flannel_net.env
ExecStart=/usr/bin/dockerd $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
ExecStartPost=/usr/sbin/iptables -P FORWARD ACCEPT
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target

With the unit file changed, start flannel and restart Docker:

systemctl daemon-reload
systemctl start flannel.service
systemctl restart docker.service

Afterwards ifconfig shows the additional flannel.1 interface, and docker0 carries an address from the host's flannel subnet instead of the default 172.17.0.1.

Install flannel and configure Docker this way on the master and on both nodes, then check that flannel and Docker are running:

systemctl status flannel
systemctl status docker
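The step most often done out of order here is restarting Docker before flannel has written its environment files, which leaves docker0 on 172.17.0.1/16 and pod traffic between hosts black-holed while both services report active. The functions below, added as an example and not part of the original post, compare the subnet flanneld leased with what Docker was actually started with. The file formats are those written by flanneld (/run/flannel/subnet.env) and mk-docker-opts.sh -c (DOCKER_OPTS); the sample files used to exercise them are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that Docker really
# picked up the flannel subnet before any pod is scheduled on this host.

# env_value FILE KEY : value of KEY=... in a shell-style env file, unquoted.
env_value() {
    sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# docker_bip_matches_flannel SUBNET_ENV DOCKER_ENV : 0 when the --bip inside
# DOCKER_OPTS equals FLANNEL_SUBNET (e.g. 172.18.52.1/24).
docker_bip_matches_flannel() {
    want=$(env_value "$1" FLANNEL_SUBNET)
    got=$(env_value "$2" DOCKER_OPTS | sed -n 's/.*--bip=\([^ ]*\).*/\1/p')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# docker0_matches_flannel SUBNET_ENV [IP_OUTPUT] : compare the address on the
# live docker0 bridge (ip -4 addr show docker0, or a captured copy of its
# output) with FLANNEL_SUBNET. A mismatch means Docker started too early.
docker0_matches_flannel() {
    want=$(env_value "$1" FLANNEL_SUBNET)
    if [ -n "$2" ]; then out=$(cat "$2"); else out=$(ip -4 addr show docker0 2>/dev/null); fi
    [ -n "$want" ] && echo "$out" | grep -q "inet $want "
}

# Usage on a host:
#   docker_bip_matches_flannel /run/flannel/subnet.env /etc/docker/fl annel_net.env \
#     && docker0_matches_flannel /run/flannel/subnet.env && echo "docker on flannel subnet"
```

If the first check fails, flannel_net.env is stale or missing: restart flannel, confirm the file, then restart Docker. If only the second fails, Docker is running with an old configuration and needs systemctl restart docker.service.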

With etcd, flannel and Docker installed, the Kubernetes components can be set up. Two things come first: the CNI configuration on each host, and the CA and component certificates.

CNI configuration

Download the CNI plugins v0.7.1 from https://github.com/containernetworking/plugins/releases and unpack them into /opt/cni/bin:

mkdir -p /opt/cni/bin /etc/cni/net.d
tar -xzvf cni-plugins-amd64-v0.7.1.tgz -C /opt/cni/bin

Add the CNI configuration file /etc/cni/net.d/10-flannel.conflist:

{
  "name": "cni0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "forceAddress": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}

The flannel CNI plugin reads /run/flannel/subnet.env written by flanneld and delegates to the bridge plugin with that subnet; portmap implements hostPort mappings. The file is needed on every host that runs the kubelet with --network-plugin=cni.

Installing the CA and certificates

(1) Generate a certificate for kube-apiserver and sign it with the CA.
(2) Configure kube-apiserver's certificate parameters: the CA certificate (used to verify the signatures on client certificates) and its own CA-signed certificate and private key.
(3) Generate a certificate for every client of the API server (kube-controller-manager, kube-scheduler, kubelet, kube-proxy, and client programs such as kubectl), sign each with the CA, and add the CA certificate and the client's own certificate and key to that component's startup parameters.

The certificates to generate:

Root certificate and key                                 ca.crt, ca.key
kube-apiserver certificate and key                       server.crt, server.key
kube-controller-manager/kube-scheduler certificate/key   cs_client.crt, cs_client.key
kubelet/kube-proxy certificate and key                   kubelet_client.crt, kubelet_client.key

Because the API server trusts any certificate signed with ca.key, the CA key is the cluster's root secret: keep it only on the master, with mode 600, and never copy it to the nodes. Node certificates are signed on the master and only the signed certificate and ca.crt travel to the node.

master node

Create the certificate directory; all commands below are run inside it:

mkdir -p /etc/kubernetes/ca

Generate the certificates and keys as follows:

(1) Root certificate and key:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=master" -days 5000 -out ca.crt

/CN is the master hostname. Restrict the key with chmod 600 ca.key.

(2) kube-apiserver certificate and key:

Create master_ssl.conf with the content below. The subjectAltName list must contain every name and address clients use to reach the API server; IP.1 is the cluster IP of the kubernetes Service, which is the first address of --service-cluster-ip-range (172.18.0.0/16 here, hence 172.18.0.1; it can also be read from kubectl get service once the cluster runs), and IP.2 is the master's IP:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
# master hostname
DNS.5 = master
# cluster IP of the kubernetes Service
IP.1 = 172.18.0.1
# master IP
IP.2 = 192.168.8.201

Generate the certificate and key:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=master" -config master_ssl.conf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.conf -out server.crt

/CN is the master hostname. openssl x509 -in server.crt -noout -text should list all five DNS names and both IPs under X509v3 Subject Alternative Name; an entry missing here shows up later as a TLS hostname error from whichever client uses that name.

(3) kube-controller-manager/kube-scheduler certificate and key:

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=master" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

/CN is the master hostname.

node 1 (slave-i)

Create the certificate directory:

mkdir -p /etc/kubernetes/ca

Copy only the root certificate ca.crt from the master into this directory, not ca.key. Generate the node's private key and certificate request on the node:

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.8.211" -out kubelet_client.csr

/CN is slave-i's IP address. Copy kubelet_client.csr to the master, sign it there in /etc/kubernetes/ca, and copy the resulting kubelet_client.crt back into /etc/kubernetes/ca on slave-i:

openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

node 2 (slave-ii)

Create the certificate directory:

mkdir -p /etc/kubernetes/ca

Copy ca.crt from the master into this directory, then generate the key and request on the node:

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.8.221" -out kubelet_client.csr

/CN is slave-ii's IP address. Sign the request on the master and copy kubelet_client.crt back to slave-ii:

openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

Installing the Kubernetes cluster

With the certificates in place, build the Kubernetes cluster.

The master runs kube-apiserver, kube-controller-manager and kube-scheduler; the nodes run kubelet and kube-proxy.

master node

Download Kubernetes v1.10.5 from https://github.com/kubernetes/kubernetes/releases: the CHANGELOG-1.10.md link on the release page leads to the download table, which also lists the sha256 sum of each tarball.

Download the server package kubernetes-server-linux-amd64.tar.gz, check its sha256 against the CHANGELOG, unpack it, and copy the binaries under kubernetes/server/bin to /usr/bin, skipping the image tarballs and their _tag files:

cd kubernetes/server/bin
cp $(ls | egrep -v '\.tar$|_tag$') /usr/bin/

Create the log directory:

mkdir -p /var/log/kubernetes

Configuring kube-apiserver

/usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver.conf
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

/etc/kubernetes/apiserver.conf: --etcd-servers points at the etcd cluster; --secure-port enables the TLS port 6443, and --client-ca-file, --tls-private-key-file and --tls-cert-file set the CA and the server certificate; --enable-admission-plugins turns on the admission controllers; --anonymous-auth=false rejects unauthenticated requests on the secure port (with the default true they would be accepted as user system:anonymous). It is set to false here, which also suits the dashboard setup later.

Three things to know about this configuration as written:

- It does not close the insecure port. --insecure-port keeps its 1.10 default of 8080 on 127.0.0.1, with no authentication, authorization or TLS, and kubectl on the master relies on it later. Any process or user on the master can therefore administer the cluster. Pass --insecure-port=0 once kubectl has a kubeconfig with the client certificate.
- No --authorization-mode is set, and the 1.10 default is AlwaysAllow: every certificate signed by the CA, including the kubelet and kube-proxy certificates on the nodes, carries full cluster-admin rights. For anything beyond a lab use --authorization-mode=Node,RBAC, which also requires node certificates issued as CN=system:node:<node-name> with O=system:nodes rather than the plain IP CN used here.
- --service-cluster-ip-range=172.18.0.0/16 is the same range as the flannel pod network configured earlier, so a Service ClusterIP can collide with a pod address. Pick a separate range (and put its first address in the API server certificate's IP.1) for a cluster you intend to keep.

--service-node-port-range=1-65535 lets a Service claim any host port, 22 and 10250 included; the default 30000-32767 avoids that. --allow-privileged=false keeps privileged containers out. With --logtostderr=true the logs go to the journal and --log-dir is not used.

KUBE_API_ARGS="\
--storage-backend=etcd3 \
--etcd-servers=http://192.168.8.201:2379,http://192.168.8.211:2379,http://192.168.8.221:2379 \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--service-cluster-ip-range=172.18.0.0/16 \
--service-node-port-range=1-65535 \
--kubelet-port=10250 \
--advertise-address=192.168.8.201 \
--allow-privileged=false \
--anonymous-auth=false \
--client-ca-file=/etc/kubernetes/ca/ca.crt \
--tls-private-key-file=/etc/kubernetes/ca/server.key \
--tls-cert-file=/etc/kubernetes/ca/server.crt \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,NamespaceExists,SecurityContextDeny,ServiceAccount,DefaultStorageClass,ResourceQuota \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"
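The points listed above are the kind of thing that is easier to check mechanically than to remember. The script below, added here as an example and not part of the original post, reads KUBE_API_ARGS from an apiserver.conf, reports the settings that leave the API server more open than it looks, and checks the Service range against the pod network; it also computes the ClusterIP of the kubernetes Service (network address plus one) that must be in the server certificate's SANs. Flag names and defaults are kube-apiserver 1.10's; the helper names and the constructed conf files in the usage are this example's own. It needs a shell with 64-bit arithmetic (dash or bash on x86_64).

```shell
#!/bin/sh
# Added example (not from the original post): checks to run over
# /etc/kubernetes/apiserver.conf before starting kube-apiserver.

ip4_to_int() {                 # 192.168.8.201 -> 3232237769
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_overlap A/n B/m : 0 when the two ranges share addresses, i.e. their
# network bits agree under the shorter of the two prefixes.
cidr_overlap() {
    a=$(ip4_to_int "${1%/*}"); b=$(ip4_to_int "${2%/*}")
    n=${1#*/}
    if [ "${2#*/}" -lt "$n" ]; then n=${2#*/}; fi
    [ $(( a >> (32 - n) )) -eq $(( b >> (32 - n) )) ]
}

# first_service_ip CIDR : the ClusterIP the "kubernetes" Service gets
# (network address + 1); it has to be in the API server certificate's SANs.
first_service_ip() {
    len=${1#*/}
    net=$(( ( $(ip4_to_int "${1%/*}") >> (32 - len) ) << (32 - len) ))
    int_to_ip4 $(( net + 1 ))
}

# lint_api_args FILE POD_CIDR : read KUBE_API_ARGS from FILE and print one
# line per risky setting, plus a Service/pod range collision against
# POD_CIDR. Returns 1 if anything was reported.
lint_api_args() {
    args=$(tr -d '\\\n' < "$1")        # join the backslash-continued lines
    rc=0
    case "$args" in *"--authorization-mode="*) ;;
        *) echo "no --authorization-mode: 1.10 defaults to AlwaysAllow"; rc=1 ;;
    esac
    case "$args" in *"--insecure-port=0"*) ;;
        *) echo "insecure port left at default 8080 on localhost (no auth)"; rc=1 ;;
    esac
    case "$args" in *"--anonymous-auth=false"*) ;;
        *) echo "--anonymous-auth not set to false"; rc=1 ;;
    esac
    case "$args" in *"--allow-privileged=true"*)
        echo "--allow-privileged=true: privileged pods own the node"; rc=1 ;;
    esac
    svc=$(echo "$args" | sed -n 's/.*--service-cluster-ip-range=\([^ "]*\).*/\1/p')
    if [ -n "$svc" ] && cidr_overlap "$2" "$svc"; then
        echo "service range $svc overlaps pod network $2"; rc=1
    fi
    return $rc
}

# Usage: lint_api_args /etc/kubernetes/apiserver.conf 172.18.0.0/16
#        first_service_ip 172.18.0.0/16     # -> 172.18.0.1
```

Run against the apiserver.conf above with the flannel network 172.18.0.0/16, the lint reports the missing authorization mode, the open insecure port and the range overlap; with --authorization-mode=Node,RBAC, --insecure-port=0 and a Service range such as 10.254.0.0/16 it reports nothing.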

Configuring kube-controller-manager

Create kube-controller-config.yaml and kube-scheduler-config.yaml, referenced by kube-controller-manager and kube-scheduler respectively; they carry the CA and the client certificate:

kube-controller-config.yaml:

apiVersion: v1
kind: Config
users:
- name: controller
  user:
    client-certificate: /etc/kubernetes/ca/cs_client.crt
    client-key: /etc/kubernetes/ca/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ca/ca.crt
contexts:
- context:
    cluster: local
    user: controller
  name: default-context
current-context: default-context

kube-scheduler-config.yaml:

apiVersion: v1
kind: Config
users:
- name: scheduler
  user:
    client-certificate: /etc/kubernetes/ca/cs_client.crt
    client-key: /etc/kubernetes/ca/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /etc/kubernetes/ca/ca.crt
contexts:
- context:
    cluster: local
    user: scheduler
  name: default-context
current-context: default-context

Neither kubeconfig names a server; the API server address comes from --master on the command line below.

/usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager.conf
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

/etc/kubernetes/controller-manager.conf: --master is the API server; --service-account-private-key-file, --root-ca-file, --cluster-signing-cert-file and --cluster-signing-key-file point at the certificates, and --kubeconfig at the file above. The --cluster-signing-* pair hands the CA key to the controller manager so it can sign CertificateSigningRequests, which is another process holding the root secret. --service-account-private-key-file reuses the API server's TLS key to sign service account tokens; this works because the API server verifies tokens with the key from --tls-private-key-file unless --service-account-key-file is given, but a dedicated key pair keeps a TLS key compromise from also forging tokens.

KUBE_CONTROLLER_MANAGER_ARGS="\
--master=https://192.168.8.201:6443 \
--service-account-private-key-file=/etc/kubernetes/ca/server.key \
--root-ca-file=/etc/kubernetes/ca/ca.crt \
--cluster-signing-cert-file=/etc/kubernetes/ca/ca.crt \
--cluster-signing-key-file=/etc/kubernetes/ca/ca.key \
--kubeconfig=/etc/kubernetes/kube-controller-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"

Configuring kube-scheduler

/usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=kube-apiserver.service
Requires=kube-apiserver.service

[Service]
User=root
EnvironmentFile=/etc/kubernetes/scheduler.conf
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

/etc/kubernetes/scheduler.conf: --master is the API server; --kubeconfig is the file above. Note the closing quote after --v=2: with an unterminated value systemd does not load the variable and kube-scheduler starts without its arguments.

KUBE_SCHEDULER_ARGS="\
--master=https://192.168.8.201:6443 \
--kubeconfig=/etc/kubernetes/kube-scheduler-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"

With the files in place, start the master components (and enable them with systemctl enable kube-apiserver kube-controller-manager kube-scheduler so they come back after a reboot):

systemctl daemon-reload
systemctl start kube-apiserver.service
systemctl start kube-controller-manager.service
systemctl start kube-scheduler.service

Check the startup logs with:

journalctl -xeu kube-apiserver --no-pager
journalctl -xeu kube-controller-manager --no-pager
journalctl -xeu kube-scheduler --no-pager

node nodes

The bin directory of the server package already contains the node binaries; copy them to /usr/bin:

cp kubectl kubelet kube-proxy /usr/bin/

Create the log directory:

mkdir -p /var/log/kubernetes

Create /etc/sysctl.d/k8s.conf:

touch /etc/sysctl.d/k8s.conf

and give it the following content, so that traffic crossing the cni0/docker0 bridge passes through iptables (kube-proxy's Service rules depend on it):

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

The two keys only exist once the br_netfilter module is loaded, so load it (modprobe br_netfilter) and then apply the file with sysctl -p /etc/sysctl.d/k8s.conf.

Create kubelet-config.yaml and proxy-config.yaml, referenced by the kubelet and kube-proxy respectively; they carry the CA and the node's client certificate. server must be the master's API server address, https://192.168.8.201:6443:

kubelet-config.yaml:

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /etc/kubernetes/ca/kubelet_client.crt
    client-key: /etc/kubernetes/ca/kubelet_client.key
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/ca/ca.crt
    server: https://192.168.8.201:6443
  name: local
contexts:
- context:
    cluster: local
    user: kubelet
  name: default-context
current-context: default-context
preferences: {}

proxy-config.yaml:

apiVersion: v1
kind: Config
users:
- name: proxy
  user:
    client-certificate: /etc/kubernetes/ca/kubelet_client.crt
    client-key: /etc/kubernetes/ca/kubelet_client.key
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/ca/ca.crt
    server: https://192.168.8.201:6443
  name: local
contexts:
- context:
    cluster: local
    user: proxy
  name: default-context
current-context: default-context
preferences: {}

Configuring the kubelet

/usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubelet Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=/etc/kubernetes/kubelet.conf
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure

[Install]
WantedBy=multi-user.target

/etc/kubernetes/kubelet.conf: --hostname-override sets the node name, here the node's IP (192.168.8.211 for slave-i, 192.168.8.221 for slave-ii); --pod-infra-container-image names the pause image; --kubeconfig is the file above; --network-plugin=cni with --cni-conf-dir and --cni-bin-dir points the kubelet at the CNI configuration and plugins installed earlier.

KUBELET_ARGS="\
--kubeconfig=/etc/kubernetes/kubelet-config.yaml \
--pod-infra-container-image=gcr.io/google_containers/pause-amd64:3.0 \
--hostname-override=192.168.8.211 \
--network-plugin=cni \
--cni-conf-dir=/etc/cni/net.d \
--cni-bin-dir=/opt/cni/bin \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"

As configured, the kubelet's own API on port 10250 keeps its 1.10 defaults of --anonymous-auth=true and --authorization-mode=AlwaysAllow, and the unauthenticated read-only port 10255 is open: anyone who can reach the node can list pods and exec into any container through it. For a cluster that outlives the test, add --anonymous-auth=false, --client-ca-file=/etc/kubernetes/ca/ca.crt, --authorization-mode=Webhook and --read-only-port=0 (Webhook mode needs an API server with authorization enabled, see the kube-apiserver notes above).

Configuring kube-proxy

/usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
Requires=network.service

[Service]
EnvironmentFile=/etc/kubernetes/proxy.conf
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

/etc/kubernetes/proxy.conf: --hostname-override sets the node name and must match the kubelet's value; if the kubelet has it, kube-proxy needs it too. Here it is the node's IP (192.168.8.211 for slave-i, 192.168.8.221 for slave-ii). --master is the API server; --kubeconfig is the file above.

KUBE_PROXY_ARGS="\
--master=https://192.168.8.201:6443 \
--hostname-override=192.168.8.211 \
--kubeconfig=/etc/kubernetes/proxy-config.yaml \
--logtostderr=true \
--log-dir=/var/log/kubernetes \
--v=2"

The kubelet depends on the pause image, which must be present before the kubelet starts; pull it from Aliyun and tag it with the name the kubelet expects:

docker pull registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
docker tag registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 gcr.io/google_containers/pause-amd64:3.0

Re-tagging makes Docker treat the mirror's image as the upstream one without any check of its contents, and the pause container is the parent of every pod's network namespace. Record its digest (docker images --digests) and compare it with the upstream gcr.io digest if you can reach it.

With the files in place, start the node services (and enable them with systemctl enable kubelet kube-proxy):

systemctl daemon-reload
systemctl start kubelet.service
systemctl start kube-proxy.service

Check the startup logs with:

journalctl -xeu kubelet --no-pager
journalctl -xeu kube-proxy --no-pager

Once the node services are up, the nodes show as registered on the master: kubectl get nodes lists 192.168.8.211 and 192.168.8.221 with status Ready.

Testing the cluster

An nginx service is started to test the cluster.

Creating the RC

Create nginx-rc.yaml as follows. imagePullPolicy: IfNotPresent pulls the nginx image only if it is not already present on the node:

apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx-rc
  labels:
    name: nginx-rc
spec:
  replicas: 2
  selector:
    name: nginx-pod
  template:
    metadata:
      labels:
        name: nginx-pod
    spec:
      containers:
      - name: nginx
        image: nginx
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80

Creating the Service

Create nginx-svc.yaml as follows. A NodePort Service maps the service port to a port on every node, so the service can be reached on the nodes' own addresses:

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels:
    name: nginx-service
spec:
  type: NodePort
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
    nodePort: 30081
  selector:
    name: nginx-pod

Create the RC and the Service:

kubectl create -f nginx-rc.yaml
kubectl create -f nginx-svc.yaml

kubectl on the master works here without any kubeconfig only because it talks to the insecure port on localhost:8080; once that port is closed it needs a kubeconfig with the CA and a client certificate, like the one written for the controller manager.

On the master, check the pods:

kubectl get pod -o wide

The two pods are created and scheduled onto the nodes.

nginx is reachable from outside the cluster on port 30081 of slave-i and slave-ii:

http://192.168.8.211:30081/
http://192.168.8.221:30081/

Both return the nginx welcome page.