This article collects the binary installation and configuration steps for the components a k8s cluster needs: etcd, kubelet, kube-apiserver, kube-proxy, kube-controller-manager and kube-scheduler.
- containerd installation and configuration
- etcd cluster installation
- kube-apiserver deployment
- Configuring kubeconfig and installing kube-controller-manager
- Deploying the kube-scheduler service
- HAProxy and keepalived deployment
- Node deployment
- Cluster tuning
{/collapse-item}
Environment setup
{tabs-pane label="Install packages"}
# iptables/ipvsadm/ipset back kube-proxy in ipvs mode; nfs-utils is only needed if NFS volumes are used
dnf -y install iptables ipvsadm ipset nfs-utils
{/tabs-pane}
{tabs-pane label="Load kernel modules"}
cat /etc/modules-load.d/calico.conf
ip_vs
ip_vs_rr
iptable_nat
iptable_filter
vxlan
ipip
cat /etc/modules-load.d/containerd.conf
overlay
br_netfilter
nf_conntrack
# The two files only declare the modules; check that each exists for this kernel with modinfo <name>. ipip and vxlan serve Calico's tunnel modes, ip_vs* serve kube-proxy in ipvs mode, and br_netfilter makes bridged pod traffic visible to iptables
# After creating the two files, reload them with systemctl so the modules are inserted now; systemd-modules-load also applies them on every boot
systemctl restart systemd-modules-load
{/tabs-pane}
{tabs-pane label="System settings"}
# Disable SELinux. The edit takes effect at the next boot; run setenforce 0 for the running system. This turns off a whole layer of host isolation, so keep it in mind when judging what a container escape on these nodes can reach
sed -i '/^SELINUX=/s//SELINUX=disabled/' /etc/selinux/config
# Disable swap; the kubelet refuses to start while swap is enabled
swapoff -a && sed -i '/swap/d' /etc/fstab
# Remove the firewall. Nothing on the host then filters 6443, 2379/2380 or 10250, so those ports must be restricted at the network layer instead
dnf -y remove firewalld
# Edit the hosts file
vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.88.51 master1
192.168.88.52 master2
192.168.88.53 master3
192.168.88.61 node001
192.168.88.62 node002
192.168.88.63 node003
{/tabs-pane}
Creating directories
# Directory for the root CA and the component certificates
mkdir -p /etc/kubernetes/pki
# Directories for the etcd configuration, its certificates and the etcd data
mkdir -p /etc/etcd/{pki,data}
# Default location kubectl reads its kubeconfig from
mkdir -p $HOME/.kube
# containerd CNI plugin directory
mkdir -p /opt/cni/bin/
# containerd CNI plugin configuration directory
mkdir -p /etc/cni/net.d/
# Directory for the containerd registry mirror (image accelerator) configuration
mkdir -p /etc/containerd/certs.d/docker.io
Creating the CA and certificates
Configuration files the certificates need
{tabs-pane label="etcd_ssl.cnf"}
vim /etc/etcd/pki/etcd_ssl.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 192.168.88.51
IP.2 = 192.168.88.52
IP.3 = 192.168.88.53
{/tabs-pane}
{tabs-pane label="master_ssl.cnf"}
vim /etc/kubernetes/pki/master_ssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
# DNS.5-7 must be the real master hostnames from /etc/hosts
DNS.5 = master1
DNS.6 = master2
DNS.7 = master3
# IP.1 is the first address of --service-cluster-ip-range; IP.5 is the HAProxy/keepalived VIP the kubeconfig points at
IP.1 = 10.245.0.1
IP.2 = 192.168.88.51
IP.3 = 192.168.88.52
IP.4 = 192.168.88.53
IP.5 = 192.168.88.100
{/tabs-pane}
Creating the certificates
{tabs-pane label="CA certificate"}
cd /etc/kubernetes/pki
openssl genrsa -out ca.key 2048
# Self-signed root. Give it a name of its own: a leaf certificate that shares the CA's subject can be mistaken for a self-signed certificate by validators. 100 years is generous for a root; ca.key signs the certificates below and must be used for nothing else
openssl req -x509 -new -nodes -key ca.key -subj "/CN=kubernetes-ca" -days 36500 -out ca.crt
{/tabs-pane}
{tabs-pane label="etcd server certificate"}
Certificate the etcd members use for peer authentication and for the client-facing listener (one certificate serves both roles here; its SANs are the three member IPs)
cd /etc/etcd/pki/
openssl genrsa -out etcd_server.key 2048
openssl req -new -key etcd_server.key -config etcd_ssl.cnf -subj "/CN=etcd-server" -out etcd_server.csr
openssl x509 -req -in etcd_server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_server.crt
{/tabs-pane}
{tabs-pane label="etcd client certificate"}
Certificate kube-apiserver presents when it connects to the etcd database; etcd should run with --client-cert-auth so that only holders of a CA-signed certificate can read the store, which contains every Secret
cd /etc/etcd/pki/
openssl genrsa -out etcd_client.key 2048
openssl req -new -key etcd_client.key -config etcd_ssl.cnf -subj "/CN=etcd-client" -out etcd_client.csr
openssl x509 -req -in etcd_client.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile etcd_ssl.cnf -out etcd_client.crt
{/tabs-pane}
{tabs-pane label="kube-apiserver server certificate"}
cd /etc/kubernetes/pki
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -config master_ssl.cnf -subj "/CN=kube-apiserver" -out apiserver.csr
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -extensions v3_req -extfile master_ssl.cnf -out apiserver.crt
# Dedicated key pair for signing and verifying service-account tokens; the CA key must not double as the token signing key
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub
# Client certificate the API server presents to kubelets (logs, exec, port-forward). O=system:masters is the group the kubelet's webhook authorizer will see
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" -out apiserver-kubelet-client.csr
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 -out apiserver-kubelet-client.crt
{/tabs-pane}
{tabs-pane label="kube-apiserver client certificate"}
When kube-controller-manager, kube-scheduler, kubelet and kube-proxy connect to kube-apiserver as clients they authenticate with a client certificate signed by the cluster CA. The API server takes the user name from the certificate's CN and the groups from its O fields, so the subject below is what RBAC authorizes; O=system:masters is the built-in cluster-admin group. This setup shares one admin certificate between every component. A hardened cluster gives each component its own certificate (CN=system:kube-scheduler, CN=system:node:<name> with O=system:nodes, and so on) so that the built-in roles and the Node authorizer apply to it.
cd /etc/kubernetes/pki
openssl genrsa -out client.key 2048
openssl req -new -key client.key -subj "/CN=admin/O=system:masters" -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 36500
{/tabs-pane}
Creating the kubeconfig file
The kubeconfig file is the client-side configuration of Kubernetes: it describes which cluster to talk to and as whom, and lets one client switch between clusters.
What it does
- Cluster connection: stores the API server address and the CA certificate used to verify it for one or more clusters, so that clients such as kubectl connect to the right endpoint over TLS.
- User identity: holds the credentials presented to the API server, such as a client certificate, a token, a username/password pair or an OAuth2 token; the API server turns these into a user and groups that RBAC then authorizes.
- Context switching: a context ties a cluster, a user and optionally a namespace together, so switching between environments (development, test, production) is one command.
- Merging: several files can be combined through the KUBECONFIG environment variable to keep different projects or environments apart.
The file below is read by every component on this master and holds the admin private key path, so keep it root-owned with mode 0600.
vim /etc/kubernetes/kubeconfig
apiVersion: v1
kind: Config
clusters:                                            # cluster list
- name: default
  cluster:
    server: https://192.168.88.100:9443               # cluster API address (the HAProxy/keepalived VIP)
    certificate-authority: /etc/kubernetes/pki/ca.crt # CA used to verify the API server
users:                                               # user list
- name: admin
  user:
    client-certificate: /etc/kubernetes/pki/client.crt # user identity certificate
    client-key: /etc/kubernetes/pki/client.key         # user private key
contexts:                                            # context list
- context:
    cluster: default                                 # cluster this context uses
    user: admin                                      # user this context uses
  name: default                                      # context name (a namespace may also be set here)
current-context: default                             # context currently in effect
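A kubeconfig can carry the certificates inline (certificate-authority-data and friends, the base64 of the PEM) instead of file paths, which is what you want when a component on a worker node must not receive the whole /etc/kubernetes/pki directory. The function below is an added example, not part of the post: it emits such a file for one identity. Writing one file per component, named after the certificate's CN, is the assumed usage, and the paths in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: emit a self-contained kubeconfig
# with the CA, client certificate and key embedded as base64, so the file can be
# copied to a node without its /etc/kubernetes/pki tree.  One file per component
# is the assumed usage; the post shares a single admin kubeconfig between them.
set -eu

b64() { base64 < "$1" | tr -d '\n'; }   # one-line base64, portable across GNU and BSD

# $1 = user name (should equal the certificate CN), $2 = API server URL,
# $3 = ca.crt, $4 = client certificate, $5 = client key.  Prints YAML on stdout.
make_kubeconfig() {
  local user=$1 server=$2 ca=$3 crt=$4 key=$5
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: default
  cluster:
    server: $server
    certificate-authority-data: $(b64 "$ca")
users:
- name: $user
  user:
    client-certificate-data: $(b64 "$crt")
    client-key-data: $(b64 "$key")
contexts:
- name: default
  context:
    cluster: default
    user: $user
current-context: default
EOF
}

# Usage (paths assumed): one file per component, root-owned, mode 0600.
# make_kubeconfig system:kube-scheduler https://192.168.88.100:9443 \
#   /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/scheduler.crt \
#   /etc/kubernetes/pki/scheduler.key > /etc/kubernetes/scheduler.kubeconfig
# chmod 0600 /etc/kubernetes/scheduler.kubeconfig
```

Because the private key is now inside the file, the file is the secret: ship it over an authenticated channel and never commit it.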
Configuring the service units
Create a systemd service file for each component so that systemctl can manage them.
{tabs-pane label="apiserver"}
vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=always
[Install]
WantedBy=multi-user.target
{/tabs-pane}
{tabs-pane label="kubelet"}
vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service
[Service]
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=always
[Install]
WantedBy=multi-user.target
{/tabs-pane}
{tabs-pane label="scheduler"}
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=always
[Install]
WantedBy=multi-user.target
{/tabs-pane}
{tabs-pane label="controller-manager"}
vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=always
[Install]
WantedBy=multi-user.target
{/tabs-pane}
{tabs-pane label="kube-proxy"}
vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/etc/kubernetes/proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=always
[Install]
WantedBy=multi-user.target
{/tabs-pane}
Creating the configuration file for each component
{tabs-pane label="apiserver"}
vim /etc/kubernetes/apiserver
# Only flags may appear inside the quoted value: a '#' there is passed to kube-apiserver as an argument.
# --authorization-mode: the default is AlwaysAllow, which makes every authenticated caller (and, with anonymous auth left on, every caller) cluster-admin. RBAC decides by the user and groups in the client certificate, so the admin certificate must carry O=system:masters.
# --enable-admission-plugins=NodeRestriction adds to the default plugin set and limits what a kubelet may change about nodes and pods other than its own.
# --apiserver-count and --endpoint-reconciler-type=master-count are deprecated; the default lease reconciler handles several masters without them.
# The kubelet client certificate and the service-account signing key are dedicated files; neither the CA certificate nor the CA key may be used in their place.
KUBE_API_ARGS="--secure-port=6443 \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--authorization-mode=Node,RBAC \
--enable-admission-plugins=NodeRestriction \
--etcd-servers=https://192.168.88.51:2379,https://192.168.88.52:2379,https://192.168.88.53:2379 \
--etcd-cafile=/etc/kubernetes/pki/ca.crt \
--etcd-certfile=/etc/etcd/pki/etcd_client.crt \
--etcd-keyfile=/etc/etcd/pki/etcd_client.key \
--service-cluster-ip-range=10.245.0.0/16 \
--service-node-port-range=30000-32767 \
--allow-privileged=true \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=api"
{/tabs-pane}
{tabs-pane label="kubelet"}
vim /etc/kubernetes/kubelet
# --hostname-override becomes the Node name; set it to each node's own address
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \
--config=/etc/kubernetes/kubelet.config \
--hostname-override=192.168.88.51"
{/tabs-pane}
{tabs-pane label="kubelet.config"}
vim /etc/kubernetes/kubelet.config
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 0            # keep the unauthenticated 10255 port off (0 is already the default with a config file)
cgroupDriver: systemd
clusterDNS: ["10.245.0.100"]
clusterDomain: cluster.local
authentication:
  anonymous:
    enabled: false         # unauthenticated requests to 10250 are rejected
  webhook:
    enabled: true          # bearer tokens are checked against the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook            # the default is AlwaysAllow, under which any authenticated client may run exec and read logs; Webhook asks the API server (SubjectAccessReview)
{/tabs-pane}
{tabs-pane label="scheduler"}
vim /etc/kubernetes/scheduler
KUBE_SCHEDULER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \
--leader-elect=true"
{/tabs-pane}
{tabs-pane label="controller-manager"}
vim /etc/kubernetes/controller-manager
# --service-account-private-key-file must be the private half of the key the API server verifies tokens with (--service-account-key-file=sa.pub); with apiserver.key here the tokens it signed would never validate.
# --use-service-account-credentials makes each controller act under its own service account instead of the shared admin identity in the kubeconfig.
KUBE_CONTROLLER_MANAGER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \
--leader-elect=true \
--service-cluster-ip-range=10.245.0.0/16 \
--cluster-cidr=10.244.0.0/16 \
--allocate-node-cidrs=true \
--use-service-account-credentials=true \
--service-account-private-key-file=/etc/kubernetes/pki/sa.key \
--root-ca-file=/etc/kubernetes/pki/ca.crt"
{/tabs-pane}
{tabs-pane label="proxy"}
vim /etc/kubernetes/proxy
# --hostname-override must equal the Node name the kubelet registers with (this node's IP here); set it per node
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig \
--hostname-override=192.168.88.51 \
--proxy-mode=ipvs \
--ipvs-strict-arp=true \
--cluster-cidr=10.244.0.0/16"
{/tabs-pane}
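kube-apiserver's dangerous settings are the ones that are dangerous when absent: with no --authorization-mode it runs AlwaysAllow. The script below is an added example, not tooling from the post. It reads KUBE_API_ARGS out of a file in the EnvironmentFile format used above and reports the flags a reviewer would refuse to sign off on. The two embedded sample strings are constructed: the first mirrors the flags as this post first set them (CA certificate and key reused for the kubelet client and token signing, no authorizer), the second the corrected set; the apiserver-kubelet-client and sa.* file names in it are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a static audit of the
# KUBE_API_ARGS string kept in a systemd EnvironmentFile such as
# /etc/kubernetes/apiserver.  It reports settings whose defaults are unsafe
# when the flag is simply left out.  The two sample strings are constructed.
set -eu

# Read a variable out of an EnvironmentFile.  The file is sourced in a
# subshell, so point this only at files you own.
load_args() {                       # $1 = env file, $2 = variable name
  ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\${$2:-}\"" ) | tr '\n' ' '
}

# Value of --flag inside an args string; empty when the flag is absent.
flag_value() {                      # $1 = args string, $2 = --flag
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n1
}

# Prints one finding per line; prints nothing when every check passes.
audit_apiserver() {
  local args=$1 v
  v=$(flag_value "$args" --authorization-mode)
  case "$v" in
    *RBAC*) ;;
    *) echo "authorization-mode=${v:-<unset>}: default is AlwaysAllow, any valid certificate (or none) is admin" ;;
  esac
  v=$(flag_value "$args" --enable-admission-plugins)
  case "$v" in
    *NodeRestriction*) ;;
    *) echo "enable-admission-plugins=${v:-<unset>}: without NodeRestriction a kubelet can edit any Node or Pod" ;;
  esac
  v=$(flag_value "$args" --kubelet-client-certificate)
  case "$v" in
    */ca.crt|*/ca.pem) echo "kubelet-client-certificate=$v: the CA certificate is reused as a client identity" ;;
  esac
  v=$(flag_value "$args" --service-account-signing-key-file)
  case "$v" in
    ''|*/ca.key|*/ca.pem) echo "service-account-signing-key-file=${v:-<unset>}: token signing needs a dedicated key, not the CA key" ;;
  esac
  v=$(flag_value "$args" --etcd-servers)
  case "$v" in
    *http://*) echo "etcd-servers=$v: plaintext etcd exposes every Secret on the wire" ;;
  esac
}

# Number of findings, for scripting and tests.
finding_count() { audit_apiserver "$1" | wc -l | tr -d ' '; }

# Constructed sample 1: the flags as this post first set them (abridged).
WEAK_ARGS="--secure-port=6443 --client-ca-file=/etc/kubernetes/pki/ca.crt \
--etcd-servers=https://192.168.88.51:2379,https://192.168.88.52:2379 \
--kubelet-client-certificate=/etc/kubernetes/pki/ca.crt \
--kubelet-client-key=/etc/kubernetes/pki/ca.key \
--service-account-key-file=/etc/kubernetes/pki/ca.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/ca.pem \
--service-account-issuer=api"

# Constructed sample 2: the same file with the gaps closed (file names assumed).
HARDENED_ARGS="--secure-port=6443 --client-ca-file=/etc/kubernetes/pki/ca.crt \
--authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction \
--etcd-servers=https://192.168.88.51:2379,https://192.168.88.52:2379 \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=api"

# Usage: ./audit.sh /etc/kubernetes/apiserver   (exit status 1 when anything is found)
if [ $# -gt 0 ]; then
  audit_apiserver "$(load_args "$1" KUBE_API_ARGS)"
  [ "$(finding_count "$(load_args "$1" KUBE_API_ARGS)")" -eq 0 ]
fi
```

The same pattern (read the EnvironmentFile, split on whitespace, match each flag against what its default would be) extends to the kubelet's config file, where the analogous checks are authorization.mode and authentication.anonymous.enabled.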
Starting the services
systemctl enable --now kube-apiserver
systemctl enable --now kube-controller-manager
systemctl enable --now kube-scheduler
systemctl enable --now kubelet
systemctl enable --now kube-proxy
The kubeconfig points at the VIP 192.168.88.100:9443, which only exists once the HAProxy and keepalived section is done; until then the controller-manager, scheduler, kubelet and kube-proxy restart in a loop (Restart=always) and `journalctl -u kube-controller-manager` shows connection errors. Once the VIP answers, `kubectl --kubeconfig /etc/kubernetes/kubeconfig get --raw '/readyz?verbose'` should report ok for every check, and `kubectl --kubeconfig /etc/kubernetes/kubeconfig auth can-i --list --as=system:anonymous` should list only a few non-resource URLs such as /healthz and /version; a `*.* [] [] [*]` line there means the API server is still running with AlwaysAllow.
Configuration file downloads
etcd files
kubernetes component files
Component configuration files
Component service unit files
CA certificate files