环境准备
| 软件 | 版本 |
| --- | --- |
| Linux | Centos_7.5_x64 |
| Kubernetes | 1.9 |
| Docker | 17.12-ce |
| Etcd | 3 |
| 角色 | IP | 组件 |
| --- | --- | --- |
| master | 192.168.1.101 | kube-apiserver, kube-controller-manager, kube-scheduler, etcd |
| node01 | 192.168.1.102 | kubelet, kube-proxy, docker, flannel, etcd |
| node02 | 192.168.1.103 | kubelet, kube-proxy, docker, flannel, etcd |
安装docker(在node节点上安装)
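# Download the Docker CE 17.12 RPM for CentOS 7 (run on every node).
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-17.12.0.ce-1.el7.centos.x86_64.rpm
# Import Docker's package-signing key and verify the RPM's signature before
# installing, so a tampered or truncated download is reported instead of installed.
rpm --import https://download.docker.com/linux/centos/gpg
rpm -K docker-ce-17.12.0.ce-1.el7.centos.x86_64.rpm || printf '%s\n' 'signature check failed: do not install this RPM' >&2
# Install Docker from the local RPM.
yum -y install docker-ce-17.12.0.ce-1.el7.centos.x86_64.rpm
# Start Docker now and enable it at boot.
systemctl start docker
systemctl enable docker
# Show the installed version.
docker -v
# Point the daemon at the registry mirror.  /etc/docker may not exist yet, and
# printf replaces 'echo -e' because echo's -e handling is not portable across shells;
# the written bytes are identical.
mkdir -p /etc/docker
printf '{\n "registry-mirrors": ["https://registry.docker-cn.com"]\n}\n' > /etc/docker/daemon.json
# Restart so the daemon reads the new configuration.
systemctl restart docker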
#查看docker仓库地址是否发生改变
[root@k8s-node-1 ~]# docker info
Registry Mirrors:
https://registry.docker-cn.com/
以下操作均在master主机完成
| 组件 | 使用的证书 |
| --- | --- |
| etcd | ca.pem,server.pem,server-key.pem |
| flannel | ca.pem,server.pem,server-key.pem |
| kube-apiserver | ca.pem,server.pem,server-key.pem |
| kubelet | ca.pem,ca-key.pem |
| kube-proxy | ca.pem,kube-proxy.pem,kube-proxy-key.pem |
| kubectl | ca.pem,admin.pem,admin-key.pem |
cfssl配置
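# Fetch the cfssl R1.2 toolchain (cfssl, cfssljson, cfssl-certinfo) and install
# each binary into /usr/local/bin under its short name.
# No checksum for these downloads is given on this page; compare each file with
# the checksum published upstream before installing it.
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64"
  # install(1) copies and sets the mode in one step; this replaces the earlier
  # 'chmod +x *-amd64', whose glob could also touch unrelated files in the directory.
  install -m 0755 -- "${tool}_linux-amd64" "/usr/local/bin/${tool}"
  rm -f -- "${tool}_linux-amd64"
done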
#查看证书的配置模板
[root@k8s-master ssl]# cfssl print-defaults csr
[root@k8s-master ssl]# cfssl print-defaults config
创建配置根证书
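# CA signing policy.  The "kubernetes" profile is reused below for the server,
# admin and kube-proxy certificates, so it must carry both "server auth" and
# "client auth": with only "server auth" the admin and kube-proxy client
# certificates are rejected by the API server's client-certificate check
# (incompatible key usage), and etcd peer/client TLS fails the same way.
# Expiry 87600h is 10 years; shorten it if certificates are rotated.
# The delimiter is quoted so the shell writes the JSON verbatim.
cat > ca-config.json <<'EOF'
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF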
# CSR for the self-signed cluster CA: CN "kubernetes", 2048-bit RSA key, and the
# subject names used throughout this page.  tee with a quoted delimiter writes
# the JSON to ca-csr.json exactly as it appears here.
tee ca-csr.json >/dev/null <<'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
#生成ca证书文件
[root@k8s-master ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2018/07/07 16:33:14 [INFO] generating a new CA key and certificate from CSR
2018/07/07 16:33:14 [INFO] generate received request
2018/07/07 16:33:14 [INFO] received CSR
2018/07/07 16:33:14 [INFO] generating key: rsa-2048
2018/07/07 16:33:14 [INFO] encoded CSR
2018/07/07 16:33:14 [INFO] signed certificate with serial number 579476460172932681555137073881682361408892748627
[root@k8s-master ssl]# ll ca*.pem
-rw------- 1 root root 1679 Jul 7 16:33 ca-key.pem
-rw-r--r-- 1 root root 1359 Jul 7 16:33 ca.pem
生成server证书模板（api server https通信使用的证书）
# CSR for the API server's serving certificate.  "hosts" are the SANs the
# certificate is valid for: loopback, the three node IPs and the in-cluster DNS
# names of the kubernetes service.
# NOTE(review): the ClusterIP of the "kubernetes" service (first address of the
# service CIDR) is normally needed in "hosts" too, otherwise in-cluster clients
# reaching the API server through that IP get a hostname mismatch — confirm
# against the --service-cluster-ip-range used on this cluster before adding it.
cat <<'EOF' >server-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.1.101",
"192.168.1.102",
"192.168.1.103",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF
#生成server证书
[root@k8s-master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
2018/07/07 16:51:01 [INFO] generate received request
2018/07/07 16:51:01 [INFO] received CSR
2018/07/07 16:51:01 [INFO] generating key: rsa-2048
2018/07/07 16:51:01 [INFO] encoded CSR
2018/07/07 16:51:01 [INFO] signed certificate with serial number 504049377326895450242375653112353015482815867683
2018/07/07 16:51:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master ssl]# ll server*
-rw-r--r-- 1 root root 1236 Jul 7 16:51 server.csr
-rw-r--r-- 1 root root 519 Jul 7 16:50 server-csr.json
-rw------- 1 root root 1679 Jul 7 16:51 server-key.pem
-rw-r--r-- 1 root root 1590 Jul 7 16:51 server.pem
生成admin证书
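# CSR for the kubectl admin client certificate.  O=system:masters is the group
# name carried into the certificate subject.  The field is "hosts" (plural);
# the earlier "host" key was silently ignored by cfssl.  It stays empty because
# a client certificate needs no SANs.
cat > admin-csr.json <<'EOF'
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
EOF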
#生成admin证书
[root@k8s-master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2018/07/07 16:57:20 [INFO] generate received request
2018/07/07 16:57:20 [INFO] received CSR
2018/07/07 16:57:20 [INFO] generating key: rsa-2048
2018/07/07 16:57:21 [INFO] encoded CSR
2018/07/07 16:57:21 [INFO] signed certificate with serial number 469347655290741305884684712481054134394169940876
2018/07/07 16:57:21 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master ssl]# ll admin*
-rw-r--r-- 1 root root 1009 Jul 7 16:57 admin.csr
-rw-r--r-- 1 root root 286 Jul 7 16:57 admin-csr.json
-rw------- 1 root root 1679 Jul 7 16:57 admin-key.pem
-rw-r--r-- 1 root root 1387 Jul 7 16:57 admin.pem
生成kube-proxy证书模板
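# CSR for the kube-proxy client certificate (CN system:kube-proxy).  The output
# file name keeps the "kube-proxt" spelling because the gencert command below
# reads exactly that name.  The field is "hosts" (plural); the earlier "host"
# key was silently ignored by cfssl.  It stays empty: client certificates need no SANs.
cat > kube-proxt-csr.json <<'EOF'
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
EOF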
#生成kube-proxy证书文件
[root@k8s-master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxt-csr.json | cfssljson -bare kube-proxy
2018/07/07 17:02:10 [INFO] generate received request
2018/07/07 17:02:10 [INFO] received CSR
2018/07/07 17:02:10 [INFO] generating key: rsa-2048
2018/07/07 17:02:10 [INFO] encoded CSR
2018/07/07 17:02:10 [INFO] signed certificate with serial number 526840743555158056329087917258527911083730289049
2018/07/07 17:02:10 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master ssl]# ll kube-prox*
-rw-r--r-- 1 root root 287 Jul 7 17:02 kube-proxt-csr.json
-rw-r--r-- 1 root root 1009 Jul 7 17:02 kube-proxy.csr
-rw------- 1 root root 1675 Jul 7 17:02 kube-proxy-key.pem
-rw-r--r-- 1 root root 1387 Jul 7 17:02 kube-proxy.pem