軟件環境
| 軟件 | 版本 |
|---|---|
| 操作系統 | CentOS 7.4 |
| Docker | 18-ce |
| Kubernetes | 1.12 |
服務器角色
| 角色 | IP | 組件 |
|---|---|---|
| k8s-master | 192.168.0.205 | kube-apiserver, kuber-controller-manager, kube-scheduler, etcd |
| k8s-node1 | 192.168.0.206 | kube-let, kuber-proxy, docker, flannel, etcd |
| k8s-node2 | 192.168.0.207 | kube-let, kuber-proxy, docker, flannel, etcd |
架構圖
在 master 上安裝 ansible 管理集群
yum install ansible -y
# 配置ansible
cat > /etc/ansible/hosts <<EOF
[myhost]
192.168.0.205
[node]
192.168.0.206
192.168.0.207
EOF
# 生成無密碼公私鑰
cd ~
ssh-keygen -t rsa
# 復制到對應的主機
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.205
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.206
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.207
# 測試 ansible
ansible all -m ping
開放防火牆
ansible all -m shell -a 'firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.0.0/16" accept"'
ansible all -m shell -a 'firewall-cmd --reload'
生成證書
在 k8s-master 上執行
使用cfssl來生成自簽證書,先下載cfssl工具:
mkdir /iba/tools -p
cd /iba/tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
創建以下三個文件
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
ca-config.json:可以定義多個 profiles,分別指定不同的過期時間、使用場景等參數;后續在簽名證書時使用某個 profile;
signing:表示該證書可用於簽名其它證書;生成的 ca.pem 證書中 CA=TRUE;
server auth:表示client可以用該 CA 對server提供的證書進行驗證;
client auth:表示server可以用該CA對client提供的證書進行驗證;
cat > ca-csr.json <<EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
"CN":Common Name, 組件從證書中提取該字段作為請求的用戶名 (User Name);瀏覽器使用該字段驗證網站是否合法;
cat > server-csr.json <<EOF
{
"CN": "etcd",
"hosts": [
"192.168.0.205",
"192.168.0.206",
"192.168.0.207"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
生成證書
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
# 生成了 ca.pem ca-key.pem ca.csr
ca.pem,ca-key.pem,ca.csr 組成了一個自簽名的CA機構
| 證書名稱 | 作用 |
|---|---|
| ca.pem | CA 根證書文件 |
| ca-key.pem | 服務端私鑰,用於對客戶端請求的解密和簽名 |
| ca.csr | 證書簽名請求,用於交叉簽名或重新簽名 |
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
# 生成了 server.csr server-key.pem server.pem
部署Etcd
cd /iba/tools
wget https://github.com/etcd-io/etcd/releases/download/v3.2.12/etcd-v3.2.12-linux-amd64.tar.gz
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxf etcd-v3.2.12-linux-amd64.tar.gz
mv etcd-v3.2.12-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
創建etcd配置文件:
cat > /opt/etcd/cfg/etcd <<EOF
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.0.205:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.0.205:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.0.205:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.0.205:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.0.205:2380,etcd02=https://192.168.0.206:2380,etcd03=https://192.168.0.207:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
備注
ETCD_NAME # 節點名稱
ETCD_DATA_DIR # 數據目錄
ETCD_LISTEN_PEER_URLS # 集群通信監聽地址
ETCD_LISTEN_CLIENT_URLS # 客戶端訪問監聽地址
ETCD_INITIAL_ADVERTISE_PEER_URLS # 集群通告地址
ETCD_ADVERTISE_CLIENT_URLS # 客戶端通告地址
ETCD_INITIAL_CLUSTER # 集群節點地址
ETCD_INITIAL_CLUSTER_TOKEN # 集群 Token
ETCD_INITIAL_CLUSTER_STATE # 加入集群的當前狀態,new 是新集群,existing 表示加入已有
systemd管理etcd:
cat > /usr/lib/systemd/system/etcd.service <<-'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
把剛才生成的證書拷貝到配置文件中的位置:
cd /iba/tools
cp ca*pem server*pem /opt/etcd/ssl/
把二進制文件和配置文件復制到 nodes 節點上
ansible node -m shell -a 'mkdir /opt/etcd/{bin,cfg,ssl} -p'
cd /opt/etcd/bin/
ansible node -m copy -a 'src=etcd dest=/opt/etcd/bin/'
ansible node -m copy -a 'src=etcdctl dest=/opt/etcd/bin/'
ansible node -m shell -a 'chmod +x /opt/etcd/bin/etcd'
ansible node -m shell -a 'chmod +x /opt/etcd/bin/etcdctl'
cd /opt/etcd/ssl/
ansible node -m copy -a 'src=ca-key.pem dest=/opt/etcd/ssl/'
ansible node -m copy -a 'src=ca.pem dest=/opt/etcd/ssl/'
ansible node -m copy -a 'src=server-key.pem dest=/opt/etcd/ssl/'
ansible node -m copy -a 'src=server.pem dest=/opt/etcd/ssl/'
ansible node -m shell -a 'ls /opt/etcd/ssl/'
ansible node -m copy -a 'src=/opt/etcd/cfg/etcd dest=/opt/etcd/cfg/'
ansible node -m copy -a 'src=/usr/lib/systemd/system/etcd.service dest=/usr/lib/systemd/system/'
修改 node1,node2 上面的 /opt/etcd/cfg/etcd 為對應的值
ETCD_NAME # 修改名稱
ETCD_LISTEN_PEER_URLS # 修改IP
ETCD_LISTEN_CLIENT_URLS # 修改IP
ETCD_INITIAL_ADVERTISE_PEER_URLS # 修改IP
ETCD_ADVERTISE_CLIENT_URLS # 修改IP
啟動 etcd
ansible node -m shell -a 'systemctl enable etcd'
ansible node -m shell -a 'systemctl start etcd '
檢查etcd集群狀態
cd /opt/etcd/ssl
/opt/etcd/bin/etcdctl \
--ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
--endpoints="https://192.168.0.205:2379,https://192.168.0.206:2379,https://192.168.0.207:2379" \
cluster-health