{"id":439,"date":"2023-05-21T01:01:33","date_gmt":"2023-05-20T17:01:33","guid":{"rendered":"https:\/\/www.bunnyism.com\/?p=439"},"modified":"2024-12-18T21:53:16","modified_gmt":"2024-12-18T13:53:16","slug":"k8s%e4%ba%8c%e8%bf%9b%e5%88%b6%e6%90%ad%e5%bb%ba%e8%af%a6%e7%bb%86%e6%b5%81%e7%a8%8b-k8s%e7%af%87-%ef%bc%88%e6%b5%8b%e8%af%95%e7%8e%af%e5%a2%83%ef%bc%89","status":"publish","type":"post","link":"https:\/\/www.bunnyism.com\/?p=439","title":{"rendered":"k8s\u4e8c\u8fdb\u5236\u642d\u5efa\u8be6\u7ec6\u6d41\u7a0b (k8s\u7bc7 v1.22.2) \uff08\u6d4b\u8bd5\u73af\u5883\uff09"},"content":{"rendered":"

\u63a7\u5236\u8282\u70b9<\/h2>\n

kubernetes-server\u5b89\u88c5<\/h3>\n
cd \/data\/work\r\nwget https:\/\/dl.k8s.io\/v1.22.2\/kubernetes-server-linux-amd64.tar.gz\r\ntar -xf kubernetes-server-linux-amd64.tar.gz\r\ncd kubernetes\/server\/bin\/\r\ncp kube-apiserver kube-controller-manager kube-scheduler kubectl \/usr\/local\/bin\/\r\nrsync -vaz kube-apiserver kube-controller-manager kube-scheduler kubectl master2:\/usr\/local\/bin\/\r\nrsync -vaz kube-apiserver kube-controller-manager kube-scheduler kubectl master3:\/usr\/local\/bin\/<\/pre>\n
\u521b\u5efa\u76ee\u5f55<\/h4>\n
mkdir -p \/etc\/kubernetes\/ # kubernetes\u7ec4\u4ef6\u914d\u7f6e\u6587\u4ef6\u5b58\u653e\u76ee\u5f55\r\nmkdir -p \/etc\/kubernetes\/ssl # kubernetes\u7ec4\u4ef6\u8bc1\u4e66\u6587\u4ef6\u5b58\u653e\u76ee\u5f55\r\nmkdir \/var\/log\/kubernetes # kubernetes\u7ec4\u4ef6\u65e5\u5fd7\u6587\u4ef6\u5b58\u653e\u76ee\u5f55\r\nmkdir -p \/data\/work\/kubernetes # kubernetes\u5b58\u653e\u8bc1\u4e66\u751f\u6210\u7684\u76ee\u5f55<\/pre>\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6<\/h4>\n
 {\r\n\"CN\": \"kubernetes\",\r\n\"hosts\": [\r\n\"127.0.0.1\",\r\n\"192.168.32.11\",\r\n\"192.168.32.12\",\r\n\"192.168.32.13\",\r\n\"192.168.32.14\",\r\n\"192.168.32.15\",\r\n\"192.168.32.16\",\r\n\"192.168.32.17\",\r\n\"192.168.32.18\",\r\n\"192.168.32.155\",\r\n\"10.100.0.1\",\r\n\"kubernetes\",\r\n\"kubernetes.default\",\r\n\"kubernetes.default.svc\",\r\n\"kubernetes.default.svc.cluster\",\r\n\"kubernetes.default.svc.cluster.local\"\r\n],\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"k8s\",\r\n\"OU\": \"system\"\r\n}\r\n]\r\n}<\/pre>\n
\u6ce8:10.100.0.1\u662f\u96c6\u7fa4\u7684\u4e00\u4e2aip<\/p>\n
\u751f\u6210\u8bc1\u4e66\u548ctoken\u6587\u4ef6<\/h4>\n
cfssl gencert -ca=etcd\/ca.pem -ca-key=etcd\/ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kubernetes\/kube-apiserver<\/pre>\n
cat > token.csv << EOF\r\n$(head -c 16 \/dev\/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,\"system:kubelet-bootstrap\"\r\nEOF<\/pre>\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h4>\n
vim kube-apiserver.conf \r\nKUBE_APISERVER_OPTS=\"--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\\r\n--anonymous-auth=false \\\r\n--bind-address=192.168.32.11 \\\r\n--secure-port=6443 \\\r\n--advertise-address=192.168.32.11 \\\r\n--insecure-port=0 \\\r\n--authorization-mode=Node,RBAC \\\r\n--runtime-config=api\/all=true \\\r\n--enable-bootstrap-token-auth \\\r\n--service-cluster-ip-range=10.100.0.0\/16 \\\r\n--token-auth-file=\/etc\/kubernetes\/token.csv \\\r\n--service-node-port-range=3000-50000 \\ #\u8bbe\u7f6enode-port\u4f18\u5316\r\n--tls-cert-file=\/etc\/kubernetes\/ssl\/kube-apiserver.pem \\\r\n--tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\r\n--client-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\r\n--kubelet-client-certificate=\/etc\/kubernetes\/ssl\/kube-apiserver.pem \\\r\n--kubelet-client-key=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\r\n--service-account-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\r\n--service-account-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\ # 1.20\u4ee5\u4e0a\u7248\u672c\u5fc5\u987b\u6709\u6b64\u53c2\u6570\r\n--service-account-issuer=https:\/\/kubernetes.default.svc.cluster.local \\ # 1.20\u4ee5\u4e0a\u7248\u672c\u5fc5\u987b\u6709\u6b64\u53c2\u6570\r\n--etcd-cafile=\/etc\/etcd\/ssl\/ca.pem \\\r\n--etcd-certfile=\/etc\/etcd\/ssl\/etcd.pem \\\r\n--etcd-keyfile=\/etc\/etcd\/ssl\/etcd-key.pem \\\r\n--etcd-servers=https:\/\/192.168.32.11:2379,https:\/\/192.168.32.12:2379,https:\/\/192.168.32.13:2379 \\\r\n--enable-swagger-ui=true \\\r\n--allow-privileged=true \\\r\n--apiserver-count=3 \\\r\n--audit-log-maxage=30 \\\r\n--audit-log-maxbackup=3 \\\r\n--audit-log-maxsize=100 \\\r\n--audit-log-path=\/var\/log\/kube-apiserver-audit.log \\\r\n--event-ttl=1h \\\r\n--alsologtostderr=true \\\r\n--logtostderr=false \\\r\n--log-dir=\/var\/log\/kubernetes \\\r\n--v=4\"<\/pre>\n
logtostderr\uff1a\u542f\u7528\u65e5\u5fd7
\nv\uff1a\u65e5\u5fd7\u7b49\u7ea7
\nlog-dir\uff1a\u65e5\u5fd7\u76ee\u5f55
\netcd-servers\uff1aetcd\u96c6\u7fa4\u5730\u5740
\nbind-address\uff1a\u76d1\u542c\u5730\u5740
\nsecure-port\uff1ahttps\u5b89\u5168\u7aef\u53e3
\nadvertise-address\uff1a\u96c6\u7fa4\u901a\u544a\u5730\u5740
\nallow-privileged\uff1a\u542f\u7528\u6388\u6743
\nservice-cluster-ip-range\uff1aService\u865a\u62dfIP\u5730\u5740\u6bb5
\nenable-admission-plugins\uff1a\u51c6\u5165\u63a7\u5236\u6a21\u5757
\nauthorization-mode\uff1a\u8ba4\u8bc1\u6388\u6743\uff0c\u542f\u7528RBAC\u6388\u6743\u548c\u8282\u70b9\u81ea\u7ba1\u7406
\nenable-bootstrap-token-auth\uff1a\u542f\u7528TLS bootstrap\u673a\u5236
\ntoken-auth-file\uff1abootstrap token\u6587\u4ef6
\nservice-node-port-range\uff1aService nodeport\u7c7b\u578b\u9ed8\u8ba4\u5206\u914d\u7aef\u53e3\u8303\u56f4
\nkubelet-client-xxx\uff1aapiserver\u8bbf\u95eekubelet\u5ba2\u6237\u7aef\u8bc1\u4e66
\ntls-xxx-file\uff1aapiserver https\u8bc1\u4e66
\netcd-xxxfile\uff1a\u8fde\u63a5Etcd\u96c6\u7fa4\u8bc1\u4e66
\naudit-log-xxx\uff1a\u5ba1\u8ba1\u65e5\u5fd7<\/p><\/blockquote>\n
\u521b\u5efa\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/h4>\n
vim \/usr\/lib\/systemd\/system\/kube-apiserver.service\r\n[Unit]\r\nDescription=Kubernetes API Server\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\nAfter=etcd.service\r\nWants=etcd.service\r\n\r\n[Service]\r\nEnvironmentFile=-\/etc\/kubernetes\/kube-apiserver.conf\r\nExecStart=\/usr\/local\/bin\/kube-apiserver $KUBE_APISERVER_OPTS\r\nRestart=on-failure\r\nRestartSec=5\r\nType=notify\r\nLimitNOFILE=65536\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u540c\u6b65\u76f8\u5173\u6587\u4ef6\u5230\u5404\u4e2a\u8282\u70b9<\/h4>\n
cp kubernetes\/* \/etc\/kubernetes\/ssl\/\r\ncp ca.pem \/etc\/kubernetes\/ssl\r\ncp ca-key.pem \/etc\/kubernetes\/ssl\r\ncp token.csv \/etc\/kubernetes\/\r\ncp kube-apiserver.conf \/etc\/kubernetes\/\r\nrsync \/usr\/lib\/systemd\/system\/kube-apiserver.service master2:\/usr\/lib\/systemd\/system\/kube-apiserver.service\r\nrsync \/usr\/lib\/systemd\/system\/kube-apiserver.service master3:\/usr\/lib\/systemd\/system\/kube-apiserver.service\r\nrsync -vaz token.csv master2:\/etc\/kubernetes\/\r\nrsync -vaz token.csv master3:\/etc\/kubernetes\/\r\nrsync -vaz \/etc\/kubernetes\/ssl\/* master2:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz \/etc\/kubernetes\/ssl\/* master3:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz kube-apiserver.conf master2:\/etc\/kubernetes\/\r\nrsync -vaz kube-apiserver.conf master3:\/etc\/kubernetes\/<\/pre>\n
\u5176\u4ed6\u4e24\u4e2a\u8282\u70b9\u4fee\u6539\u914d\u7f6e\u6587\u4ef6ip<\/p>\n
\u542f\u52a8\u670d\u52a1<\/h3>\n
systemctl daemon-reload\r\nsystemctl enable kube-apiserver\r\nsystemctl start kube-apiserver\r\nsystemctl status kube-apiserver \r\ncurl --insecure https:\/\/192.168.32.11:6443\/<\/pre>\n
\u90e8\u7f72kubectl<\/h3>\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6<\/h4>\n
 {\r\n\"CN\": \"admin\",\r\n\"hosts\": [],\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"system:masters\", \r\n\"OU\": \"system\"\r\n}\r\n]\r\n}<\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h4>\n
mkdir kubectl\r\ncfssl gencert -ca=etcd\/ca.pem -ca-key=etcd\/ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare kubectl\/admin<\/pre>\n
\u521b\u5efakubeconfig\u914d\u7f6e\u6587\u4ef6<\/h4>\n
kubectl config set-cluster kubernetes --certificate-authority=etcd\/ca.pem --embed-certs=true --server=https:\/\/192.168.32.155:6443 --kubeconfig=kube.config\r\nkubectl config set-credentials admin --client-certificate=kubectl\/admin.pem --client-key=kubectl\/admin-key.pem --embed-certs=true --kubeconfig=kube.config\r\nkubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kube.config\r\nkubectl config use-context kubernetes --kubeconfig=kube.config\r\nmkdir ~\/.kube\r\ncp kube.config ~\/.kube\/config\r\nkubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes\r\n<\/pre>\n
\u67e5\u770b\u96c6\u7fa4\u7ec4\u4ef6\u72b6\u6001<\/h4>\n
kubectl cluster-info \r\nkubectl get componentstatuses \r\nkubectl get all --all-namespace<\/code><\/pre>\n
\u540c\u6b65kubectl\u914d\u7f6e\u6587\u4ef6\u5230\u5176\u4ed6\u8282\u70b9<\/h4>\n
rsync -vaz \/root\/.kube\/config master2:\/root\/.kube\/\r\nrsync -vaz \/root\/.kube\/config master3:\/root\/.kube\/<\/pre>\n
\u914d\u7f6ekubectl\u8865\u5168<\/h4>\n
yum install -y bash-completion \r\nsource \/usr\/share\/bash-completion\/bash_completion \r\nsource <<\/span>(kubectl completion<\/span> bash)<\/span> \r\nkubectl<\/span> completion<\/span> bash<\/span> ><\/span><\/span> ~\/.kube\/completion.bash.inc \r\nsource '\/root\/.kube\/completion.bash.inc' \r\nsource $HOME\/.bash_profile<\/code><\/pre>\n
\u90e8\u7f72kube-controller-manager<\/h3>\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6<\/h4>\n
vim kube-controller-manager-csr.json\r\n{\r\n\"CN\": \"system:kube-controller-manager\",\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"hosts\": [\r\n\"192.168.32.1\",\r\n\"192.168.32.11\",\r\n\"192.168.32.12\",\r\n\"192.168.32.13\"\r\n],\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"system:kube-controller-manager\",\r\n\"OU\": \"system\"\r\n}\r\n]\r\n}<\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h4>\n
cfssl gencert -ca=etcd\/ca.pem -ca-key=etcd\/ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager\r\nls kube-controller-manager*.pem<\/pre>\n
\u521b\u5efakube-controller-manager\u7684kubeconfig<\/h4>\n
kubectl config set-cluster kubernetes --certificate-authority=etcd\/ca.pem --embed-certs=true --server=https:\/\/192.168.32.155:6443 --kubeconfig=kube-controller-manager.kubeconfig \r\nkubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig \r\nkubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig \r\nkubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig<\/code><\/pre>\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h4>\n
vim kube-controller-manager.conf\r\nKUBE_CONTROLLER_MANAGER_OPTS=\"--port=0 \\\r\n--secure-port=10252 \\\r\n--bind-address=127.0.0.1 \\\r\n--kubeconfig=\/etc\/kubernetes\/kube-controller-manager.kubeconfig \\\r\n--service-cluster-ip-range=10.100.0.0\/16 \\\r\n--cluster-name=kubernetes \\\r\n--cluster-signing-cert-file=\/etc\/kubernetes\/ssl\/ca.pem \\\r\n--cluster-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\r\n--allocate-node-cidrs=true \\\r\n--cluster-cidr=10.0.0.0\/16 \\\r\n--experimental-cluster-signing-duration=87600h \\\r\n--root-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\r\n--service-account-private-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\r\n--leader-elect=true \\\r\n--feature-gates=RotateKubeletServerCertificate=true \\\r\n--controllers=*,bootstrapsigner,tokencleaner \\\r\n--horizontal-pod-autoscaler-use-rest-clients=true \\\r\n--horizontal-pod-autoscaler-sync-period=10s \\\r\n--tls-cert-file=\/etc\/kubernetes\/ssl\/kube-controller-manager.pem \\\r\n--tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-controller-manager-key.pem \\\r\n--use-service-account-credentials=true \\\r\n--alsologtostderr=true \\\r\n--logtostderr=false \\\r\n--log-dir=\/var\/log\/kubernetes \\\r\n--v=2\"<\/pre>\n
\u521b\u5efa\u542f\u52a8\u6587\u4ef6<\/h4>\n
vim kube-controller-manager.service\r\n[Unit]\r\nDescription=Kubernetes Controller Manager\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nEnvironmentFile=-\/etc\/kubernetes\/kube-controller-manager.conf\r\nExecStart=\/usr\/local\/bin\/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u540c\u6b65\u76f8\u5173\u6587\u4ef6\u5230\u5404\u4e2a\u8282\u70b9<\/h4>\n
cp kube-controller-manager*.pem \/etc\/kubernetes\/ssl\/\r\ncp kube-controller-manager.kubeconfig \/etc\/kubernetes\/\r\ncp kube-controller-manager.conf \/etc\/kubernetes\/\r\ncp kube-controller-manager.service \/usr\/lib\/systemd\/system\/\r\nrsync -vaz kube-controller-manager*.pem master2:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz kube-controller-manager*.pem master3:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz kube-controller-manager.kubeconfig kube-controller-manager.conf master2:\/etc\/kubernetes\/\r\nrsync -vaz kube-controller-manager.kubeconfig kube-controller-manager.conf master3:\/etc\/kubernetes\/\r\nrsync -vaz kube-controller-manager.service master2:\/usr\/lib\/systemd\/system\/\r\nrsync -vaz kube-controller-manager.service master3:\/usr\/lib\/systemd\/system\/<\/pre>\n
\u542f\u52a8\u670d\u52a1<\/h4>\n
systemctl daemon-reload \r\nsystemctl enable kube-controller-manager\r\nsystemctl start kube-controller-manager\r\nsystemctl status kube-controller-manager<\/pre>\n
\u90e8\u7f72kube-scheduler<\/h3>\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6<\/h4>\n
vim kube-scheduler-csr.json\r\n{\r\n\"CN\": \"system:kube-scheduler\",\r\n\"hosts\": [\r\n\"127.0.0.1\",\r\n\"192.168.32.11\",\r\n\"192.168.32.12\",\r\n\"192.168.32.13\"\r\n],\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"system:kube-scheduler\",\r\n\"OU\": \"system\"\r\n}\r\n]\r\n}<\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h4>\n
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler\r\nls kube-scheduler*.pem<\/pre>\n
\u521b\u5efakube-scheduler\u7684kubeconfig<\/h4>\n
kubectl config set-cluster kubernetes --certificate-authority=etcd\/ca.pem --embed-certs=true --server=https:\/\/192.168.32.155:6443 --kubeconfig=kube-scheduler.kubeconfig\r\nkubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig\r\nkubectl config set-context system:kube-scheduler --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig\r\nkubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig<\/pre>\n
\u521b\u5efa\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/h4>\n
vim kube-scheduler.service\r\n[Unit]\r\nDescription=Kubernetes Scheduler\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nEnvironmentFile=-\/etc\/kubernetes\/kube-scheduler.conf\r\nExecStart=\/usr\/local\/bin\/kube-scheduler \r\n --v=2 \\<\/span>  \r\n --leader-elect=true \\<\/span>  \r\n --kubeconfig=<\/span>\/etc\/kubernetes\/kube-scheduler.kubeconfig\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u540c\u6b65\u76f8\u5173\u6587\u4ef6\u5230\u5404\u4e2a\u8282\u70b9<\/h4>\n
cp kube-scheduler*.pem \/etc\/kubernetes\/ssl\/\r\ncp kube-scheduler.kubeconfig \/etc\/kubernetes\/\r\ncp kube-scheduler.conf \/etc\/kubernetes\/\r\ncp kube-scheduler.service \/usr\/lib\/systemd\/system\/\r\nrsync -vaz kube-scheduler*.pem master2:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz kube-scheduler*.pem master3:\/etc\/kubernetes\/ssl\/\r\nrsync -vaz kube-scheduler.kubeconfig kube-scheduler.conf master2:\/etc\/kubernetes\/\r\nrsync -vaz kube-scheduler.kubeconfig kube-scheduler.conf master3:\/etc\/kubernetes\/\r\nrsync -vaz kube-scheduler.service master2:\/usr\/lib\/systemd\/system\/\r\nrsync -vaz kube-scheduler.service master3:\/usr\/lib\/systemd\/system\/<\/pre>\n
\u542f\u52a8\u670d\u52a1<\/h4>\n
systemctl daemon-reload\r\nsystemctl enable kube-scheduler\r\nsystemctl start kube-scheduler\r\nsystemctl status kube-scheduler<\/pre>\n
\u5de5\u4f5c\u8282\u70b9<\/h2>\n
\u90e8\u7f72docker<\/h3>\n
\u5728\u4e09\u4e2awork\u8282\u70b9\u4e0a\u5b89\u88c5<\/p>\n
wget https:\/\/mirrors.aliyun.com\/docker-ce\/linux\/centos\/docker-ce.repo -O \/etc\/yum.repos.d\/docker-ce.repo\r\nyum install -y docker-ce\r\nsystemctl enable docker\r\nsystemctl start docker\r\ndocker --version<\/pre>\n
\u4fee\u6539docker\u6e90\u548c\u9a71\u52a8<\/h4>\n
cat > \/etc\/docker\/daemon.json << EOF\r\n{\r\n\"exec-opts\": [\"native.cgroupdriver=systemd\"],\r\n\"registry-mirrors\": [\r\n\"https:\/\/1nj0zren.mirror.aliyuncs.com\",\r\n\"https:\/\/kfwkfulq.mirror.aliyuncs.com\",\r\n\"https:\/\/2lqq34jg.mirror.aliyuncs.com\",\r\n\"https:\/\/pee6w651.mirror.aliyuncs.com\",\r\n\"http:\/\/hub-mirror.c.163.com\",\r\n\"https:\/\/docker.mirrors.ustc.edu.cn\",\r\n\"http:\/\/f1361db2.m.daocloud.io\",\r\n\"https:\/\/registry.docker-cn.com\"\r\n]\r\n}\r\nEOF\r\nsystemctl restart docker\r\ndocker info | grep \"Cgroup Driver\"<\/pre>\n
\u4e0b\u8f7d\u4f9d\u8d56\u955c\u50cf\u6d4b\u8bd5<\/h4>\n
docker pull registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.2\r\ndocker tag registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.2 k8s.gcr.io\/pause:3.2\r\ndocker rmi registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.2\r\ndocker pull registry.cn-hangzhou.aliyuncs.com\/google_containers\/coredns:1.7.0\r\ndocker tag registry.cn-hangzhou.aliyuncs.com\/google_containers\/coredns:1.7.0 k8s.gcr.io\/coredns:1.7.0\r\ndocker rmi registry.cn-hangzhou.aliyuncs.com\/google_containers\/coredns:1.7.0<\/pre>\n
\u90e8\u7f72kubelet<\/h3>\n
\u4ee5\u4e0b\u64cd\u4f5c\u5728master1\u4e0a\u64cd\u4f5c<\/p>\n
\u521b\u5efakubelet-bootstrap.kubeconfig<\/h4>\n
BOOTSTRAP_TOKEN=$(awk -F \",\" '{print $1}' \/etc\/kubernetes\/token.csv)\r\nkubectl config set-cluster kubernetes --certificate-authority=etcd\/ca.pem --embed-certs=true --server=https:\/\/192.168.32.150:6443 --kubeconfig=kubelet-bootstrap.kubeconfig\r\nkubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig\r\nkubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig\r\nkubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig\r\nkubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap<\/pre>\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h4>\n
vim kubelet.json\r\n{\r\n\"kind\": \"KubeletConfiguration\",\r\n\"apiVersion\": \"kubelet.config.k8s.io\/v1beta1\",\r\n\"authentication\": {\r\n\"x509\": {\r\n\"clientCAFile\": \"\/etc\/kubernetes\/ssl\/ca.pem\"\r\n},\r\n\"webhook\": {\r\n\"enabled\": true,\r\n\"cacheTTL\": \"2m0s\"\r\n},\r\n\"anonymous\": {\r\n\"enabled\": false\r\n}\r\n},\r\n\"authorization\": {\r\n\"mode\": \"Webhook\",\r\n\"webhook\": {\r\n\"cacheAuthorizedTTL\": \"5m0s\",\r\n\"cacheUnauthorizedTTL\": \"30s\"\r\n}\r\n},\r\n\"address\": \"192.168.32.14\",\r\n\"port\": 10250,\r\n\"readOnlyPort\": 10255,\r\n\"cgroupDriver\": \"cgroupfs\", # \u5982\u679cdocker\u7684\u9a71\u52a8\u4e3asystemd\uff0c\u5904\u4fee\u6539\u4e3asystemd\u3002\u6b64\u5904\u8bbe\u7f6e\u5f88\u91cd\u8981\uff0c\u5426\u5219\u540e\u9762node\u8282\u70b9\u65e0\u6cd5\u52a0\u5165\u5230\u96c6\u7fa4\r\n\"hairpinMode\": \"promiscuous-bridge\",\r\n\"serializeImagePulls\": false,\r\n\"featureGates\": {\r\n\"RotateKubeletClientCertificate\": true,\r\n\"RotateKubeletServerCertificate\": true\r\n},\r\n\"clusterDomain\": \"cluster.local.\",\r\n\"clusterDNS\": [\"10.100.0.2\"]\r\n}<\/pre>\n
\u521b\u5efa\u542f\u52a8\u6587\u4ef6<\/h4>\n
vim kubelet.service\r\n[Unit]\r\nDescription=Kubernetes Kubelet\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\nAfter=docker.service\r\nRequires=docker.service\r\n\r\n[Service]\r\nWorkingDirectory=\/var\/lib\/kubelet\r\nExecStart=\/usr\/local\/bin\/kubelet \\\r\n--bootstrap-kubeconfig=\/etc\/kubernetes\/kubelet-bootstrap.kubeconfig \\\r\n--cert-dir=\/etc\/kubernetes\/ssl \\\r\n--kubeconfig=\/etc\/kubernetes\/kubelet.kubeconfig \\\r\n--config=\/etc\/kubernetes\/kubelet.json \\\r\n--network-plugin=cni \\\r\n--pod-infra-container-image=k8s.gcr.io\/pause:3.2 \\\r\n--alsologtostderr=true \\\r\n--logtostderr=false \\\r\n--log-dir=\/var\/log\/kubernetes \\\r\n--v=2\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u2013hostname-override\uff1a\u663e\u793a\u540d\u79f0\uff0c\u96c6\u7fa4\u4e2d\u552f\u4e00
\n\u2013network-plugin\uff1a\u542f\u7528CNI
\n\u2013kubeconfig\uff1a\u7a7a\u8def\u5f84\uff0c\u4f1a\u81ea\u52a8\u751f\u6210\uff0c\u540e\u9762\u7528\u4e8e\u8fde\u63a5apiserver
\n\u2013bootstrap-kubeconfig\uff1a\u9996\u6b21\u542f\u52a8\u5411apiserver\u7533\u8bf7\u8bc1\u4e66
\n\u2013config\uff1a\u914d\u7f6e\u53c2\u6570\u6587\u4ef6
\n\u2013cert-dir\uff1akubelet\u8bc1\u4e66\u751f\u6210\u76ee\u5f55
\n\u2013pod-infra-container-image\uff1a\u7ba1\u7406Pod\u7f51\u7edc\u5bb9\u5668\u7684\u955c\u50cf<\/p><\/blockquote>\n
\u540c\u6b65\u76f8\u5173\u6587\u4ef6\u5230\u5404\u4e2a\u8282\u70b9<\/h4>\n
\u5230\u5b50\u8282\u70b9<\/p>\n
cp kubelet-bootstrap.kubeconfig \/etc\/kubernetes\/\r\ncp kubelet.json \/etc\/kubernetes\/\r\ncp kubelet.service \/usr\/lib\/systemd\/system\/\r\nfor i in node1 node2 node3;do rsync -vaz kubelet-bootstrap.kubeconfig kubelet.json $i:\/etc\/kubernetes\/;done\r\nfor i in node1 node2 node3;do rsync -vaz ca.pem $i:\/etc\/kubernetes\/ssl\/;done\r\nfor i in node1 node2 node3;do rsync -vaz kubelet.service $i:\/usr\/lib\/systemd\/system\/;done<\/pre>\n
kubelete.json\u914d\u7f6e\u6587\u4ef6address\u6539\u4e3a\u5404\u4e2a\u8282\u70b9\u7684ip\u5730\u5740<\/p>\n
\u542f\u52a8\u670d\u52a1<\/h4>\n
mkdir \/var\/lib\/kubelet\r\nmkdir \/var\/log\/kubernetes\r\nsystemctl daemon-reload\r\nsystemctl enable kubelet\r\nsystemctl start kubelet\r\nsystemctl status kubelet<\/pre>\n
\u67e5\u770b\u8282\u70b9 csr<\/h4>\n
kubectl certificate approve node-csr-HlX3cExsZohWsu8Dd6Rp_ztFejmMdpzvti_qgxo4SAQ\r\nkubectl certificate approve node-csr-oykYfnH_coRF2PLJH4fOHlGznOZUBPDg5BPZXDo2wgk\r\nkubectl certificate approve node-csr-ytRB2fikhL6dykcekGg4BdD87o-zw9WPU44SZ1nFT50\r\nkubectl get csr\r\nkubectl get nodes<\/pre>\n
\u90e8\u7f72kube-proxy<\/h3>\n
vim kube-proxy-csr.json\r\n{\r\n\"CN\": \"system:kube-proxy\",\r\n\"key\": {\r\n\"algo\": \"rsa\",\r\n\"size\": 2048\r\n},\r\n\"names\": [\r\n{\r\n\"C\": \"CN\",\r\n\"ST\": \"Hubei\",\r\n\"L\": \"Wuhan\",\r\n\"O\": \"k8s\",\r\n\"OU\": \"system\"\r\n}\r\n]\r\n}<\/pre>\n
\u751f\u6210\u8bc1\u4e66<\/h4>\n
cfssl gencert -ca=etcd\/ca.pem -ca-key=etcd\/ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy<\/pre>\n
\u521b\u5efakubeconfig\u6587\u4ef6<\/h4>\n
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/172.10.0.20:6443 --kubeconfig=kube-proxy.kubeconfig\r\nkubectl config set-credentials kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig\r\nkubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig\r\nkubectl config use-context default --kubeconfig=kube-proxy.kubeconfig<\/pre>\n
\u521b\u5efakube-proxy\u914d\u7f6e\u6587\u4ef6<\/h4>\n
vim kube-proxy.yaml\r\napiVersion: kubeproxy.config.k8s.io\/v1alpha1\r\nbindAddress: 192.168.32.14\r\nclientConnection:\r\nkubeconfig: \/etc\/kubernetes\/kube-proxy.kubeconfig\r\nclusterCIDR: 10.10.0.0\/16 # \u6b64\u5904\u7f51\u6bb5\u5fc5\u987b\u4e0e\u7f51\u7edc\u7ec4\u4ef6\u7f51\u6bb5\u4fdd\u6301\u4e00\u81f4\uff0c\u5426\u5219\u90e8\u7f72\u7f51\u7edc\u7ec4\u4ef6\u65f6\u4f1a\u62a5\u9519\r\nhealthzBindAddress: 192.168.32.14:10256\r\nkind: KubeProxyConfiguration\r\nmetricsBindAddress: 192.168.32.14:10249\r\nmode: \"ipvs\"<\/pre>\n
\u521b\u5efa\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/h4>\n
vim kube-proxy.service\r\n[Unit]\r\nDescription=Kubernetes Kube-Proxy Server\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\nAfter=network.target\r\n\r\n[Service]\r\nWorkingDirectory=\/var\/lib\/kube-proxy\r\nExecStart=\/usr\/local\/bin\/kube-proxy \\\r\n--config=\/etc\/kubernetes\/kube-proxy.yaml \\\r\n--alsologtostderr=true \\\r\n--logtostderr=false \\\r\n--log-dir=\/var\/log\/kubernetes \\\r\n--v=2\r\nRestart=on-failure\r\nRestartSec=5\r\nLimitNOFILE=65536\r\n\r\n[Install]\r\nWantedBy=multi-user.target<\/pre>\n
\u540c\u6b65\u6587\u4ef6\u5230\u5404\u4e2a\u8282\u70b9<\/h4>\n
cp kube-proxy*.pem \/etc\/kubernetes\/ssl\/\r\ncp kube-proxy.kubeconfig kube-proxy.yaml \/etc\/kubernetes\/\r\ncp kube-proxy.service \/usr\/lib\/systemd\/system\/\r\nfor i in node1 node2 node3;do rsync -vaz kube-proxy.kubeconfig kube-proxy.yaml $i:\/etc\/kubernetes\/;done\r\nfor i in node1 node2 node3;do rsync -vaz kube-proxy.service $i:\/usr\/lib\/systemd\/system\/;done<\/pre>\n
\u914d\u7f6e\u6587\u4ef6kube-proxy.yaml\u4e2daddress\u4fee\u6539\u4e3a\u5404\u8282\u70b9\u7684\u5b9e\u9645IP<\/p>\n
\u542f\u52a8\u670d\u52a1<\/h4>\n
mkdir -p \/var\/lib\/kube-proxy\r\nsystemctl daemon-reload\r\nsystemctl enable kube-proxy\r\nsystemctl restart kube-proxy\r\nsystemctl status kube-proxy<\/pre>\n
\u914d\u7f6e\u7f51\u7edc\u7ec4\u4ef6<\/h4>\n
wget https:\/\/docs.projectcalico.org\/v3.14\/manifests\/calico.yaml\r\nkubectl apply -f calico.yaml<\/pre>\n
\u67e5\u770b\u8282\u70b9<\/h3>\n
kubectl get pods -A<\/pre>\n
\u90e8\u7f72coredns<\/h2>\n
\u90e8\u7f72\u65f6 \u5982\u679c\u62a5\u9519 \u4fee\u6539\u5bbf\u4e3b\u673a\u7684\u914d\u7f6e\/etc\/hosts #127.0.0.1:53<\/strong><\/p>\n
\u4e0b\u8f7dcoredns yaml\u6587\u4ef6<\/h3>\n
https:\/\/raw.githubusercontent.com\/coredns\/deployment\/master\/kubernetes\/coredns.yaml.sed<\/pre>\n
\u4fee\u6539yaml\u6587\u4ef6<\/h3>\n
kubernetes cluster.local in-addr.arpa ip6.arpa\r\nforward . \/etc\/resolv.conf\r\nclusterIP\u4e3a\uff1a10.100.0.2<\/pre>\n
\u5b89\u88c5coredns<\/h3>\n
kubectl apply -f coredns.yaml<\/pre>\n
\u81f3\u6b64 \u4e8c\u8fdb\u5236\u5b89\u88c5k8s\u5c31\u5230\u6b64\u7ed3\u675f~<\/strong><\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
\u63a7\u5236\u8282\u70b9 kubernetes-server\u5b89\u88c5 cd \/data\/work wget https:\/\/dl. […]<\/p>\n","protected":false},"author":1,"featured_media":440,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-k8s"],"_links":{"self":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=439"}],"version-history":[{"count":114,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions"}],"predecessor-version":[{"id":569,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/posts\/439\/revisions\/569"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=\/wp\/v2\/media\/440"}],"wp:attachment":[{"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bunnyism.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}