更新时间:2022-09-26 16:03:36
1.配置并启用 etcd 集群
A. 配置启动项并将启动项分发至其他节点
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
# vim /usr/lib/systemd/system/etcd.service [Unit] Description=etcd After=network.target After=network-online.target Wants=network-online.target Documentation= [Service] Type=notify WorkingDirectory= /var/lib/etcd
EnvironmentFile=- /etc/etcd/etcd .conf
ExecStart= /usr/bin/etcd --config- file /etc/etcd/etcd .conf
Restart=on-failure RestartSec=5 LimitNOFILE=65536 [Install] WantedBy=multi-user.target # ansible node -m copy -a 'src=/usr/lib/systemd/system/etcd.service dest=/usr/lib/systemd/system/' |
B.指定 etcd 的工作目录和数据目录
1
2
3
|
# mkdir -p /var/lib/etcd/ && mkdir -p /etc/etcd # ansible node -m file -a 'path=/var/lib/etcd state=directory' # ansible node -m file -a 'path=/etc/etcd state=directory' |
C. 配置 etcd.conf 配置文件并分发至其他节点
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
# export ETCD_NAME=etcd1 # export INTERNAL_IP=192.168.100.102 # cat << EOF > etcd.conf name: '${ETCD_NAME}'
data- dir : "/var/lib/etcd/"
listen-peer-urls: https: // ${INTERNAL_IP}:2380
listen-client-urls: https: // ${INTERNAL_IP}:2379,https: //127 .0.0.1:2379
initial-advertise-peer-urls: https: // ${INTERNAL_IP}:2380
advertise-client-urls: https: // ${INTERNAL_IP}:2379
initial-cluster: "etcd1=https://192.168.100.102:2380,etcd2=https://192.168.100.103:2380,etcd3=https://192.168.100.104:2380"
initial-cluster-token: 'etcd-cluster'
# 初始化集群状态('new' or 'existing'). initial-cluster-state: 'new'
client-transport-security: cert- file : /etc/kubernetes/ssl/etcd .pem
key- file : /etc/kubernetes/ssl/etcd-key .pem
trusted-ca- file : /etc/kubernetes/ssl/ca .pem
peer-transport-security: cert- file : /etc/kubernetes/ssl/etcd .pem
key- file : /etc/kubernetes/ssl/etcd-key .pem
trusted-ca- file : /etc/kubernetes/ssl/ca .pem
EOF # mv etcd.conf /etc/etcd/ ##更换节点 etcd 名及其 IP ,完成后分发至相应节点 # ansible 192.168.100.103 -m copy -a 'src=etcd.conf dest=/etc/etcd/etcd.conf' # ansible 192.168.100.104 -m copy -a 'src=etcd.conf dest=/etc/etcd/etcd.conf' |
D. 启动 etcd 集群
1
2
3
4
5
6
|
# systemctl start etcd # systemctl status etcd # systemctl enable etcd # ansible node -a 'systemctl start etcd' # ansible node -a 'systemctl status etcd' # ansible node -a 'systemctl enable etcd' |
注:首个 etcd 节点会显示启动失败,那是由于没有检测到其他节点存活状态。
E.查看集群成员
1
2
3
4
|
# etcdctl --endpoints=https://192.168.100.102:2379 member list 32293bbc65784dda: name=etcd1 peerURLs=https: //192 .168.100.102:2380 clientURLs=https: //192 .168.100.102:2379 isLeader= true
703725a0e421bc44: name=etcd2 peerURLs=https: //192 .168.100.103:2380 clientURLs=https: //192 .168.100.103:2379 isLeader= false
78ac8de330c5272a: name=etcd3 peerURLs=https: //192 .168.200.104:2380 clientURLs=https: //192 .168.100.104:2379 isLeader= false
|
F.查看集群健康状况
1
2
3
4
5
|
# etcdctl --endpoints=https://192.168.100.102:2379 cluster-health member 32293bbc65784dda is healthy: got healthy result from https: //192 .168.100.102:2379
member 703725a0e421bc44 is healthy: got healthy result from https: //192 .168.100.103:2379
member 78ac8de330c5272a is healthy: got healthy result from https: //192 .168.100.104:2379
cluster is healthy |
2.配置并启用 flanneld
A. 配置启动项并分发至其他节点
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
# vim /usr/lib/systemd/system/flanneld.service [Unit] Description=Flanneld overlay address etcd agent After=network.target After=network-online.target Wants=network-online.target After=etcd.service Before=docker.service [Service] Type=notify EnvironmentFile= /etc/sysconfig/flanneld
EnvironmentFile=- /etc/sysconfig/docker-network
ExecStart= /usr/bin/flanneld-start $FLANNEL_OPTIONS
ExecStartPost= /usr/libexec/flannel/mk-docker-opts .sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=on-failure [Install] WantedBy=multi-user.target RequiredBy=docker.service # ansible node -m copy -a 'src=/usr/lib/systemd/system/flanneld.service dest=/usr/lib/systemd/system/' # cat << EOF > /usr/bin/flanneld-start #!/bin/sh exec /usr/bin/flanneld \
-etcd-endpoints=${FLANNEL_ETCD_ENDPOINTS:-${FLANNEL_ETCD}} \
-etcd-prefix=${FLANNEL_ETCD_PREFIX:-${FLANNEL_ETCD_KEY}} \
"$@"
EOF # chmod 755 /usr/bin/flanneld-start # ansible node -m copy -a 'src=/usr/bin/flanneld-start dest=/usr/bin/ mode=755' |
B. 配置 flannel 配置文件并分发至其他节点
1
2
3
4
5
6
|
# cat << EOF > /etc/sysconfig/flanneld FLANNEL_ETCD_ENDPOINTS= "https://192.168.100.102:2379,https://192.168.100.103:2379,https://192.168.100.104:2379"
FLANNEL_ETCD_PREFIX= "/kube/network"
FLANNEL_OPTIONS= "-etcd-cafile=/etc/kubernetes/ssl/ca.pem -etcd-certfile=/etc/kubernetes/ssl/etcd.pem -etcd-keyfile=/etc/kubernetes/ssl/etcd-key.pem"
EOF # ansible node -m copy -a 'src=/etc/sysconfig/flanneld dest=/etc/sysconfig/' |
C.使用 etcd 存储为 flannel 创建目录并添加网络配置
1
2
3
|
# etcdctl --endpoints=https://192.168.100.102:2379 mkdir /kube/network # etcdctl --endpoints=https://192.168.100.102:2379 set /kube/network/config '{ "Network": "10.254.0.0/16" }' { "Network" : "10.254.0.0/16" }
|
D. 启动 flanneld
1
2
3
4
5
6
|
# systemctl start flanneld # systemctl status flanneld # systemctl enable flanneld # ansible node -a 'systemctl start flanneld' # ansible node -a 'systemctl status flanneld' # ansible node -a 'systemctl enable flanneld' |
E. 查看各节点网段
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
# cat /var/run/flannel/subnet.env FLANNEL_NETWORK=10.254.0.0 /16
FLANNEL_SUBNET=10.254.80.1 /24
FLANNEL_MTU=1472 FLANNEL_IPMASQ= false
# ansible node -a "cat /var/run/flannel/subnet.env" 192.168.100.104 | SUCCESS | rc=0 >> FLANNEL_NETWORK=10.254.0.0 /16
FLANNEL_SUBNET=10.254.95.1 /24
FLANNEL_MTU=1472 FLANNEL_IPMASQ= false
192.168.100.103 | SUCCESS | rc=0 >> FLANNEL_NETWORK=10.254.0.0 /16
FLANNEL_SUBNET=10.254.59.1 /24
FLANNEL_MTU=1472 FLANNEL_IPMASQ= false
|
F. 更改 docker 网段为 flannel 分配的网段
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
# export FLANNEL_SUBNET=10.254.80.1/24 # cat << EOF > daemon.json { "bip" : "$FLANNEL_SUBNET"
} EOF # mkdir -p /etc/docker/ && mv daemon.json /etc/docker/ ##更换为相应节点网段,完成后分发至相应节点 # ansible node -m file -a 'path=/etc/docker/ state=directory' # ansible 192.168.100.103 -m copy -a 'src=daemon.json dest=/etc/docker/daemon.json' # ansible 192.168.100.104 -m copy -a 'src=daemon.json dest=/etc/docker/daemon.json' # systemctl daemon-reload # systemctl restart docker # ansible node -a "systemctl daemon-reload" # ansible node -a "systemctl restart docker" |
G. 查看是否已分配相应网段
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.2 0.0.0.0 UG 100 0 0 ens33 10.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 flannel0 10.254.80.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 # ansible node -a 'route -n' 192.168.100.103 | SUCCESS | rc=0 >> Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.2 0.0.0.0 UG 100 0 0 ens33 10.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 flannel0 10.254.59.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 192.168.100.104 | SUCCESS | rc=0 >> Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.100.2 0.0.0.0 UG 100 0 0 ens33 10.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 flannel0 10.254.95.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0 192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33 |
H. 使用 etcdctl 命令查看 flannel 的相关信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
# etcdctl --endpoints=https://192.168.100.102:2379 ls /kube/network/subnets /kube/network/subnets/10 .254.80.0-24
/kube/network/subnets/10 .254.59.0-24
/kube/network/subnets/10 .254.95.0-24
# etcdctl --endpoints=https://192.168.100.102:2379 -o extended get /kube/network/subnets/10.254.80.0-24 Key: /kube/network/subnets/10 .254.80.0-24
Created-Index: 10 Modified-Index: 10 TTL: 85486 Index: 12 { "PublicIP" : "192.168.100.102" }
# etcdctl --endpoints=https://192.168.100.102:2379 -o extended get /kube/network/subnets/10.254.59.0-24 Key: /kube/network/subnets/10 .254.59.0-24
Created-Index: 11 Modified-Index: 11 TTL: 85449 Index: 12 { "PublicIP" : "192.168.100.103" }
# etcdctl --endpoints=https://192.168.100.102:2379 -o extended get /kube/network/subnets/10.254.95.0-24 Key: /kube/network/subnets/10 .254.95.0-24
Created-Index: 12 Modified-Index: 12 TTL: 85399 Index: 12 { "PublicIP" : "192.168.100.104" }
|
I. 测试网络是否正常
1
2
|
# ping -c 4 10.254.59.1 # ping -c 4 10.254.95.1 |
3. 配置并启用 Kubernetes Master 节点
Kubernetes Master 节点包含的组件:
kube-apiserver
kube-controller-manager
kube-scheduler
A. 配置 config 文件并分发至所有节点
1
2
3
4
5
6
|
# grep ^[A-Z] /etc/kubernetes/config KUBE_LOGTOSTDERR= "--logtostderr=true"
KUBE_LOG_LEVEL= "--v=0"
KUBE_ALLOW_PRIV= "--allow-privileged=true"
KUBE_MASTER= "--master=http://192.168.100.102:8080"
# ansible node -m copy -a 'src=/etc/kubernetes/config dest=/etc/kubernetes/' |
B. 配置 kube-apiserver 启动项
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
# vim /usr/lib/systemd/system/kube-apiserver.service [Unit] Description=Kubernetes API Server Documentation=https: //github .com /kubernetes/kubernetes
After=network.target After=etcd.service [Service] EnvironmentFile=- /etc/kubernetes/config
EnvironmentFile=- /etc/kubernetes/apiserver
ExecStart= /usr/bin/kube-apiserver \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_ETCD_SERVERS \
$KUBE_API_ADDRESS \
$KUBE_API_PORT \
$KUBELET_PORT \
$KUBE_ALLOW_PRIV \
$KUBE_SERVICE_ADDRESSES \
$KUBE_ADMISSION_CONTROL \
$KUBE_API_ARGS
Restart=on-failure Type=notify LimitNOFILE=65536 [Install] WantedBy=multi-user.target |
C. 配置 apiserver 配置文件
1
2
3
4
5
6
|
# grep ^[A-Z] /etc/kubernetes/apiserver KUBE_API_ADDRESS= "--advertise-address=192.168.100.102 --bind-address=192.168.100.102 --insecure-bind-address=192.168.100.102"
KUBE_ETCD_SERVERS= "--etcd-servers=https://192.168.100.102:2379,192.168.100.103:2379,192.168.100.104:2379"
KUBE_SERVICE_ADDRESSES= "--service-cluster-ip-range=10.254.0.0/16"
KUBE_ADMISSION_CONTROL= "--admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota"
KUBE_API_ARGS= "--authorization-mode=RBAC,Node --kubelet-https=true --service-node-port-range=30000-42767 --enable-bootstrap-token-auth --token-auth-file=/etc/kubernetes/token.csv --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --etcd-cafile=/etc/kubernetes/ssl/ca.pem --etcd-certfile=/etc/kubernetes/ssl/etcd.pem --etcd-keyfile=/etc/kubernetes/ssl/etcd-key.pem --enable-swagger-ui=true --event-ttl=1h --basic-auth-file=/etc/kubernetes/basic_auth_file"
|
D. 配置访问用户
1
|
# echo admin,admin,1 > /etc/kubernetes/basic_auth_file |
格式:用户名、密码和UID
E. 启动 kube-apiserver
1
2
3
|
# systemctl start kube-apiserver # systemctl status kube-apiserver # systemctl enable kube-apiserver |
F. 将 admin 用户与clusterrole: cluster-admin 绑定到一起并验证
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
# kubectl get clusterrole/cluster-admin -o yaml # kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin clusterrolebinding "login-on-dashboard-with-cluster-admin" created
# kubectl get clusterrolebinding/login-on-dashboard-with-cluster-admin -o yaml apiVersion: rbac.authorization.k8s.io /v1
kind: ClusterRoleBinding metadata: creationTimestamp: 2017-10-31T10:35:06Z
name: login-on-dashboard-with-cluster-admin
resourceVersion: "116"
selfLink: /apis/rbac .authorization.k8s.io /v1/clusterrolebindings/login-on-dashboard-with-cluster-admin
uid: 292ae19a-be27-11e7-853b-000c297aff5d
roleRef: apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects: - apiGroup: rbac.authorization.k8s.io kind: User
name: admin
|
G. 配置 kube-controller-manager 启动项
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
# vim /usr/lib/systemd/system/kube-controller-manager.service [Unit] Description=Kubernetes Controller Manager Documentation= [Service] EnvironmentFile=- /etc/kubernetes/config
EnvironmentFile=- /etc/kubernetes/controller-manager
ExecStart= /usr/bin/kube-controller-manager \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target |
H. 配置 kube-controller-manager 配置文件
1
2
|
# grep ^[A-Z] /etc/kubernetes/controller-manager KUBE_CONTROLLER_MANAGER_ARGS= "--address=127.0.0.1 --service-cluster-ip-range=10.254.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem --root-ca-file=/etc/kubernetes/ssl/ca.pem"
|
I. 启动 kube-controller-manager
1
2
|
# systemctl start kube-controller-manager # systemctl status kube-controller-manager |
J. 配置 kube-scheduler 启动项
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
# vim /usr/lib/systemd/system/kube-scheduler.service [Unit] Description=Kubernetes Scheduler Plugin Documentation= [Service] EnvironmentFile=- /etc/kubernetes/config
EnvironmentFile=- /etc/kubernetes/scheduler
ExecStart= /usr/bin/kube-scheduler \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_SCHEDULER_ARGS
Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target |
K. 配置 kube-scheduler 配置文件
1
2
|
# grep ^[A-Z] /etc/kubernetes/scheduler KUBE_SCHEDULER_ARGS= "--address=127.0.0.1"
|
L. 启动 kube-scheduler
1
2
|
# systemctl start kube-scheduler # systemctl status kube-scheduler |
M. 验证 Master 节点
1
2
3
4
5
6
|
# kubectl get cs # kubectl get componentstatuses NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy { "health" : "true" }
|
4. 配置并启用 Kubernetes Node 节点
Kubernetes Node 节点包含如下组件:
kubelet
kube-proxy
A. 为 kubelet 赋予权限并新建 kubelet 数据目录
kubelet 启动时向 kube-apiserver 发送 TLS bootstrapping 请求,需要先将 bootstrap token 文件中的 kubelet-bootstrap 用户赋予 system:node-bootstrapper cluster 角色(role), 然后 kubelet 才能有权限创建认证请求(certificate signing requests)。
Master:
1
2
3
4
5
6
|
# kubectl create clusterrolebinding kubelet-bootstrap \ --clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
clusterrolebinding "kubelet-bootstrap" created
# mkdir -p /var/lib/kubelet # ansible node -m file -a 'path=/var/lib/kubelet state=directory' |
B. 配置 kubelet 启动项并分发至 node 节点
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
# vim /usr/lib/systemd/system/kubelet.service [Unit] Description=Kubernetes Kubelet Server Documentation=https: //github .com /kubernetes/kubernetes
After=docker.service Requires=docker.service [Service] WorkingDirectory= /var/lib/kubelet
EnvironmentFile=- /etc/kubernetes/config
EnvironmentFile=- /etc/kubernetes/kubelet
ExecStart= /usr/bin/kubelet \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBELET_ADDRESS \
$KUBELET_PORT \
$KUBELET_HOSTNAME \
$KUBE_ALLOW_PRIV \
$KUBELET_POD_INFRA_CONTAINER \
$KUBELET_ARGS
Restart=on-failure [Install] WantedBy=multi-user.target ##分发至其他 Node 节点 # ansible node -m copy -a 'src=/usr/lib/systemd/system/kubelet.service dest=/usr/lib/systemd/system/' |
C. 配置 kubelet 配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
|
# export KUBELET_ADDRESS=192.168.100.102 # export KUBELET_HOSTNAME=Master # cat << EOF > kubelet KUBELET_ADDRESS= "--address=$KUBELET_ADDRESS"
KUBELET_PORT= "--port=10250"
KUBELET_HOSTNAME= "--hostname-override=$KUBELET_HOSTNAME"
KUBELET_POD_INFRA_CONTAINER= "--pod-infra-container-image=hub.c.163.com/k8s163/pause-amd64:3.0"
KUBELET_ARGS= "--cluster-dns=10.254.0.2 --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --fail-swap-on=false --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --serialize-image-pulls=false"
EOF # mv kubelet /etc/kubernetes/ ##更换 kubelet 节点 IP 和 hostname,完成后分发至相应节点 # ansible 192.168.100.103 -m copy -a 'src=kubelet dest=/etc/kubernetes/' # ansible 192.168.100.104 -m copy -a 'src=kubelet dest=/etc/kubernetes/' |
D.启动 kubelet
1
2
3
4
|
# systemctl start kubelet # systemctl status kubelet # ansible node -a 'systemctl start kubelet' # ansible node -a 'systemctl status kubelet' |
E.将 Node 加入 Kubernetes 集群
kubelet 首次启动时向 kube-apiserver 发送证书签名请求,必须通过 Master 认证才会将该 Node 加入到集群。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
# kubectl get nodes No resources found. # kubectl get csr ###查看未授权的 CSR 请求 NAME AGE REQUESTOR CONDITION node-csr-ZU39iUu-E9FuadeTq58 9s kubelet-bootstrap Pending node-csr-sJXwbG8c9UUGS8iTrV8 15s kubelet-bootstrap Pending node-csr-zpol8cIJZfrcU8fd7l4 15s kubelet-bootstrap Pending # kubectl certificate approve node-csr-ZU39iphJAYDQfsLssAwMViUu-E9Fua2pKhELMdeTq58 ###通过 CSR 请求[其他两个节点也使用同样的命令授权] certificatesigningrequest "node-csr-ZU39iphJAYDQfsLssAwMViUu-E9Fua2pKhELMdeTq58" approved
# kubectl get csr NAME AGE REQUESTOR CONDITION node-csr-ZU39iUu-E9FuadeTq58 50s kubelet-bootstrap Approved,Issued node-csr-sJXwbG8c9UUGS8iTrV8 1m kubelet-bootstrap Approved,Issued node-csr-zpol8cIJZfrcU8fd7l4 1m kubelet-bootstrap Approved,Issued # kubectl get nodes ##查看 nodes NAME STATUS AGE VERSION master Ready 1m v1.8.2 node1 Ready 2m v1.8.2 node2 Ready 2m v1.8.2 |
注:CSR 授权后会自动在 Node 端生成 kubelet kubeconfig 配置文件和公私钥:
1
2
3
4
|
# ls /etc/kubernetes/kubelet.kubeconfig /etc/kubernetes/kubelet .kubeconfig
# ls /etc/kubernetes/ssl/kubelet* /etc/kubernetes/ssl/kubelet-client .crt /etc/kubernetes/ssl/kubelet-client .key /etc/kubernetes/ssl/kubelet .crt /etc/kubernetes/ssl/kubelet .key
|
F. 配置 kube-proxy 启动项并分发至其他 node 节点
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
# vim /usr/lib/systemd/system/kube-proxy.service [Unit] Description=Kubernetes Kube-Proxy Server Documentation=https: //github .com /kubernetes/kubernetes
After=network.target [Service] EnvironmentFile=- /etc/kubernetes/config
EnvironmentFile=- /etc/kubernetes/proxy
ExecStart= /usr/bin/kube-proxy \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_MASTER \
$KUBE_PROXY_ARGS
Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target ##分发至其他 Node 节点 # ansible node -m copy -a 'src=/usr/lib/systemd/system/kube-proxy.service dest=/usr/lib/systemd/system/' |
G. 调整内核参数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
# grep -v ^# /etc/sysctl.conf ###配置 kube-proxy 代理模式 net.ipv4.ip_forward=1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 # sysctl -p ###加载系统参数 net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 # ansible node -m copy -a 'src=/etc/sysctl.conf dest=/etc/' # ansible node -a 'sysctl -p' 192.168.100.104 | SUCCESS | rc=0 >> net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 192.168.100.103 | SUCCESS | rc=0 >> net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 |
说明:在这加这个参数是因为 kube-proxy 使用 iptables 来进行数据转发,而Linux系统默认是禁止数据包转发,这里我是因为无法使用nodeport发现的。
H. 配置 kube-proxy 配置文件并分发至其他 node 节点
1
2
3
4
5
6
7
8
|
# export KUBE_PROXY=192.168.100.102 # cat << EOF > proxy KUBE_PROXY_ARGS= "--bind-address=$KUBE_PROXY --hostname-override=$KUBE_PROXY --cluster-cidr=10.254.0.0/16 --proxy-mode=iptables --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig"
EOF # mv proxy /etc/kubernetes/proxy ##更换 kube-proxy 节点 IP,完成后分发至相应节点 # ansible 192.168.100.103 -m copy -a 'src=proxy dest=/etc/kubernetes/' # ansible 192.168.100.104 -m copy -a 'src=proxy dest=/etc/kubernetes/' |
I. 启动 kube-proxy
1
2
3
4
|
# systemctl start kube-proxy # systemctl status kube-proxy # ansible node -a 'systemctl start kube-proxy' # ansible node -a 'systemctl status kube-proxy' |
J. 查看节点相关信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
# kubectl get nodes -o wide ###查看节点相关信息(注:这里容器显示Unknown是因为版本相对较高) NAME STATUS ROLES AGE VERSION EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME master Ready <none> 3m v1.8.2 <none> CentOS Linux 7 (Core) 3.10.0-693.2.2.el7.x86_64 docker: //Unknown
node1 Ready <none> 3m v1.8.2 <none> CentOS Linux 7 (Core) 3.10.0-693.2.2.el7.x86_64 docker: //Unknown
node2 Ready <none> 3m v1.8.2 <none> CentOS Linux 7 (Core) 3.10.0-693.2.2.el7.x86_64 docker: //Unknown
# kubectl get node --show-labels=true # kubectl get nodes --show-labels ###查看节点标签 NAME STATUS ROLES AGE VERSION LABELS master Ready <none> 4m v1.8.2 beta.kubernetes.io /arch =amd64,beta.kubernetes.io /os =linux,kubernetes.io /hostname =master
node1 Ready <none> 5m v1.8.2 beta.kubernetes.io /arch =amd64,beta.kubernetes.io /os =linux,kubernetes.io /hostname =node1
node2 Ready <none> 5m v1.8.2 beta.kubernetes.io /arch =amd64,beta.kubernetes.io /os =linux,kubernetes.io /hostname =node2
# kubectl version --short ###查看kubectl版本信息 Client Version: v1.8.2 Server Version: v1.8.2 # curl ###查看健康状况 ok # kubectl cluster-info ###查看集群信息 Kubernetes master is running at https: //192 .168.100.102:6443
# kubectl get ns ###获取所有命名空间 # kubectl get namespace NAME STATUS AGE default Active 29m kube-public Active 29m kube-system Active 29m # kubectl get services ###查看默认service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.254.0.1 <none> 443 /TCP 36m
# kubectl get services --all-namespaces ###查看所有service NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE default kubernetes ClusterIP 10.254.0.1 <none> 443 /TCP 37m
# kubectl get ep ###查看endpoints # kubectl get endpoints NAME ENDPOINTS AGE kubernetes 192.168.100.102:6443 38m # kubectl get sa ###查看service account # kubectl get serviceaccount NAME SECRETS AGE default 1 38m |
说明:其他命令可使用kubectl --help查看,某些长命令可以缩写(如kubectl get namespace可缩写为kubectl get ns),kubectl命令表参考如下:
http://docs.kubernetes.org.cn/683.html
本文转自 结束的伤感 51CTO博客,原文链接:http://blog.51cto.com/wangzhijian/2046124