学校的网站开发过程,手机网站要求,廊坊网站建设多少钱,北京做网站公司哪家强文章目录 1、创建工作目录并拷贝二进制文件2 部署kubelet #xff08;master节点操作#xff09;2.1 创建配置文件2.2 配置参数文件2.3 生成bootstrap.kubeconfig文件2.4 systemd管理kubelet2.5 启动并设置开机启动 3 批准kubelet证书申请并加入集群4 部署kube-proxy #x… 文章目录 1、创建工作目录并拷贝二进制文件2 部署kubelet master节点操作2.1 创建配置文件2.2 配置参数文件2.3 生成bootstrap.kubeconfig文件2.4 systemd管理kubelet2.5 启动并设置开机启动 3 批准kubelet证书申请并加入集群4 部署kube-proxy master节点操作4.1 创建配置文件4.2 配置参数文件4.3 生成kube-proxy.kubeconfig文件4.4 systemd管理kube-proxy4.5 启动并设置开机启动 5 部署CNI网络 master节点操作5.1 准备CNI二进制文件5.2 解压二进制包并移动到默认工作目录5.3 部署CNI网络 6 授权apiserver访问kubelet master节点操作7 新增加Worker Node7.1 拷贝已部署好的Node相关文件到新节点7.2 删除kubelet证书和kubeconfig文件7.3 修改主机名7.4 启动并设置开机启动7.5 在Master上批准新Node kubelet证书申请7.6 查看Node状态 下面还是在Master Node上操作即同时作为Worker Node 1、创建工作目录并拷贝二进制文件
在所有worker node创建工作目录 node节点操作
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} 从master节点拷贝master节点操作
cd /opt/tools/kubernetes/server/bin/
cp kubelet kube-proxy /opt/kubernetes/bin/scp kubelet kube-proxy k8s-node1:/opt/kubernetes/bin/
scp kubelet kube-proxy k8s-node2:/opt/kubernetes/bin/2 部署kubelet master节点操作
2.1 创建配置文件
cat /opt/kubernetes/cfg/kubelet.conf EOF
KUBELET_OPTS--logtostderrfalse \\
--v2 \\
--log-dir/opt/kubernetes/logs \\
--hostname-overridek8s-master \\
--network-plugincni \\
--kubeconfig/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir/opt/kubernetes/ssl \\
--pod-infra-container-imagemirrorgooglecontainers/pause-amd64:3.0
EOF–hostname-override显示名称集群中唯一–network-plugin启用CNI–kubeconfig空路径会自动生成后面用于连接apiserver–bootstrap-kubeconfig首次启动向apiserver申请证书–config配置参数文件–cert-dirkubelet证书生成目录–pod-infra-container-image管理Pod网络容器的镜像
2.2 配置参数文件
cat /opt/kubernetes/cfg/kubelet-config.yml EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:anonymous:enabled: falsewebhook:cacheTTL: 2m0senabled: truex509:clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:mode: Webhookwebhook:cacheAuthorizedTTL: 5m0scacheUnauthorizedTTL: 30s
evictionHard:imagefs.available: 15%memory.available: 100Minodefs.available: 10%nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF2.3 生成bootstrap.kubeconfig文件
KUBE_APISERVERhttps://10.20.17.20:6443 # apiserver IP:PORT
TOKEN063e91e42837f2a2b36860457f515053 # 与token.csv里保持一致cd /root/TLS/k8s# 生成 kubelet bootstrap kubeconfig 配置文件
kubectl config set-cluster kubernetes \--certificate-authority/opt/kubernetes/ssl/ca.pem \--embed-certstrue \--server${KUBE_APISERVER} \--kubeconfigbootstrap.kubeconfigkubectl config set-credentials kubelet-bootstrap \--token${TOKEN} \--kubeconfigbootstrap.kubeconfigkubectl config set-context default \--clusterkubernetes \--userkubelet-bootstrap \--kubeconfigbootstrap.kubeconfigkubectl config use-context default --kubeconfigbootstrap.kubeconfig拷贝到配置文件路径
cp /root/TLS/k8s/bootstrap.kubeconfig /opt/kubernetes/cfg2.4 systemd管理kubelet
cat /usr/lib/systemd/system/kubelet.service EOF
[Unit]
DescriptionKubernetes Kubelet
Afterdocker.service
[Service]
EnvironmentFile/opt/kubernetes/cfg/kubelet.conf
ExecStart/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restarton-failure
LimitNOFILE65536
[Install]
WantedBymulti-user.target
EOF2.5 启动并设置开机启动
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet注若无法启动可通过查看系统日志排查问题原因cat /var/log/messages 3 批准kubelet证书申请并加入集群
# 查看kubelet证书请求
[rootk8s-master ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-LHEDjWtPT39E8gkKemznF7a5GgEfX4Y5Q34E-MgzJbw 9m53s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending# 批准申请
kubectl certificate approve node-csr-LHEDjWtPT39E8gkKemznF7a5GgEfX4Y5Q34E-MgzJbw# 查看节点
[rootk8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady none 21s v1.18.3注由于网络插件还没有部署节点会没有准备就绪 NotReady 4 部署kube-proxy master节点操作
4.1 创建配置文件
cat /opt/kubernetes/cfg/kube-proxy.conf EOF
KUBE_PROXY_OPTS--logtostderrfalse \\
--v2 \\
--log-dir/opt/kubernetes/logs \\
--config/opt/kubernetes/cfg/kube-proxy-config.yml
EOF4.2 配置参数文件
cat /opt/kubernetes/cfg/kube-proxy-config.yml EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-master
clusterCIDR: 10.0.0.0/24
EOF4.3 生成kube-proxy.kubeconfig文件
生成kube-proxy证书
# 切换工作目录
cd /root/TLS/k8s# 创建证书请求文件
cat kube-proxy-csr.json EOF
{CN: system:kube-proxy,hosts: [],key: {algo: rsa,size: 2048},names: [{C: CN,L: BeiJing,ST: BeiJing,O: k8s,OU: System}]
}
EOF# 生成证书
cfssl gencert -caca.pem -ca-keyca-key.pem -configca-config.json -profilekubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy# ls kube-proxy*pem
kube-proxy-key.pem kube-proxy.pem生成kubeconfig文件 KUBE_APISERVERhttps://10.20.17.20:6443cd /root/TLS/k8skubectl config set-cluster kubernetes \--certificate-authority/opt/kubernetes/ssl/ca.pem \--embed-certstrue \--server${KUBE_APISERVER} \--kubeconfigkube-proxy.kubeconfigkubectl config set-credentials kube-proxy \--client-certificate./kube-proxy.pem \--client-key./kube-proxy-key.pem \--embed-certstrue \--kubeconfigkube-proxy.kubeconfigkubectl config set-context default \--clusterkubernetes \--userkube-proxy \--kubeconfigkube-proxy.kubeconfigkubectl config use-context default --kubeconfigkube-proxy.kubeconfig拷贝到配置文件指定路径
cp /root/TLS/k8s/kube-proxy.kubeconfig /opt/kubernetes/cfg/4.4 systemd管理kube-proxy
cat /usr/lib/systemd/system/kube-proxy.service EOF
[Unit]
DescriptionKubernetes Proxy
Afternetwork.target
[Service]
EnvironmentFile/opt/kubernetes/cfg/kube-proxy.conf
ExecStart/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restarton-failure
LimitNOFILE65536
[Install]
WantedBymulti-user.target
EOF4.5 启动并设置开机启动
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy5 部署CNI网络 master节点操作
5.1 准备CNI二进制文件
下载地址https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
5.2 解压二进制包并移动到默认工作目录
mkdir -p /opt/cni/bin
cd /opt/tools/
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin5.3 部署CNI网络
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml# 若默认镜像地址无法访问修改为docker hub镜像仓库。此处我们不进行修改
sed -i -r s#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g kube-flannel.yml生成flannel网络容器
# kubectl apply -f kube-flannel.yml# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kube-flannel-ds-amd64-c4t2v 1/1 Running 0 25s# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready none 36m v1.18.3部署好网络插件Node准备就绪。
6 授权apiserver访问kubelet master节点操作
cat apiserver-to-kubelet-rbac.yaml EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:annotations:rbac.authorization.kubernetes.io/autoupdate: truelabels:kubernetes.io/bootstrapping: rbac-defaultsname: system:kube-apiserver-to-kubelet
rules:- apiGroups:- resources:- nodes/proxy- nodes/stats- nodes/log- nodes/spec- nodes/metrics- pods/logverbs:- *
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: system:kube-apiservernamespace:
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:kube-apiserver-to-kubelet
subjects:- apiGroup: rbac.authorization.k8s.iokind: Username: kubernetes
EOFkubectl apply -f apiserver-to-kubelet-rbac.yaml7 新增加Worker Node
7.1 拷贝已部署好的Node相关文件到新节点
master节点操作 在master节点将Worker Node涉及文件拷贝到新节点node1 、node2
scp -r /opt/kubernetes k8s-node1:/opt/
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service k8s-node1:/usr/lib/systemd/system
scp -r /opt/cni/ k8s-node1:/opt/
scp /opt/kubernetes/ssl/ca.pem k8s-node1:/opt/kubernetes/ssl7.2 删除kubelet证书和kubeconfig文件
node节点操作
rm /opt/kubernetes/cfg/kubelet.kubeconfig
rm -f /opt/kubernetes/ssl/kubelet*注这几个文件是证书申请审批后自动生成的每个Node不同必须删除重新生成。 7.3 修改主机名
node节点操作
vim /opt/kubernetes/cfg/kubelet.conf
--hostname-overridek8s-node1vim /opt/kubernetes/cfg/kube-proxy-config.yml
hostnameOverride: k8s-node17.4 启动并设置开机启动
node 节点操作
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
systemctl start kube-proxy
systemctl enable kube-proxy7.5 在Master上批准新Node kubelet证书申请
master节点操作
# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-LHEDjWtPT39E8gkKemznF7a5GgEfX4Y5Q34E-MgzJbw 68m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
node-csr-eFXMlBTEP1jYeRrMur_ZdpMeWyKmtyQ-A_LGOQZ74a0 57s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pendingkubectl certificate approve node-csr-eFXMlBTEP1jYeRrMur_ZdpMeWyKmtyQ-A_LGOQZ74a07.6 查看Node状态
master节点操作
[rootk8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready none 60m v1.18.3
k8s-node1 Ready none 62s v1.18.3注若新加的节点状态为NotReady时可使用journalctl -f -u kubelet 检查问题若为以下报错 Container runtime network not ready: NetworkReadyfalse reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized此问题为网络插件没有准备好我们可以执行命令docker images|grep flannel来查看flannel镜像是否已经成功拉取下来.经过排查,flannel镜像拉取的有点慢,稍等一会以后就可以了或者手动执行命令下载镜像docker pull quay.io/coreos/flannel:v0.12.0-amd64
若需要继续添加node节点2同上操作即可记得修改主机名
