Kubernetes (2): Setup (to be continued)
I. Planning before deployment
1. OS initialization: prepare the cluster machines and stop the firewall and SELinux (acceptable for this lab; on a real cluster, open only the required ports instead of disabling the firewall).
2. Create the CA certificate and private key: traffic inside the cluster should be encrypted, so a CA is needed; the CA created in this step later issues the certificates for our own components. (It can also be skipped by configuring the components without TLS, which is what the rest of this walkthrough does, at the cost of every control-plane connection being plaintext and unauthenticated.)
3. Install and uninstall docker: k8s runs on top of docker, so docker must be installed first.
4. Install harbor: with docker in place we need an image registry; set up a registry platform to manage images.
5. Use harbor: push and pull images, and set projects public or private.
6. Deploy the etcd cluster: k8s keeps all cluster state in etcd (node status, pods, services, secrets), and in this setup flannel reads its network configuration from it as well, so etcd comes first.
7. Deploy the flannel network: pods on different nodes need a shared network; flannel provides it, so install flannel.
8. Deploy the master node: the control-plane node that manages the cluster.
9. Deploy the node (minion) nodes: the worker nodes that run the workloads.
10. Deploy the DNS add-on: Kubernetes provides DNS as an add-on, a Service running in the kube-system namespace with a fixed cluster IP.
Once the add-on is running, each node's kubelet is told the cluster DNS address; when it starts a container it writes that address into the container's resolver configuration, and the container uses it for name resolution.
11. Deploy the dashboard add-on: the k8s web UI.
12. Deploy the heapster add-on: the cluster metrics collector (CPU and memory for nodes and pods) whose data the dashboard graphs use.
II. CentOS 7 environment
1. Base environment
1). Machines
master: 192.168.11.199 node: 192.168.11.196
2). Stop the firewall and SELinux
# systemctl stop firewalld
# systemctl disable firewalld
# setenforce 0
setenforce 0 only lasts until the next reboot; to keep SELinux off persistently, also set SELINUX=permissive (or disabled) in /etc/selinux/config. Both steps widen the attack surface: with no host firewall, every port opened below (2379, 8080, 10250) is reachable from the whole network.
III. Create the CA certificate and private key
1. Generate the CA private key (.key):
# openssl genrsa -out ca.key 2048
2048 bits is the minimum acceptable RSA size today; 4096 is reasonable for a root that will live for years.
2. Generate the CA certificate request (.csr):
# openssl req -new -key ca.key -out ca.csr
(this prompts for the subject fields interactively; the Common Name is what you will see in the certificate)
3. Self-sign it to obtain the root certificate (.crt):
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Two caveats: 365 days is short for a root, because every certificate it issued stops validating when it expires; and "openssl x509 -req" without an extension file produces a v1 certificate with no basicConstraints CA:TRUE, so strict clients will not accept it as a CA.
4. This produces three files: ca.key, ca.csr and ca.crt. Only ca.crt needs to be distributed; ca.key must stay on the signing host and never be copied to the services that merely present or verify certificates.
IV. Install docker-ce + docker-compose (script install)
# vim docker.sh
#!/bin/bash
# coding: utf-8
# Copyright (c) 2018
set -e   # abort the script as soon as any command exits non-zero
# Note: inside a "{ ... } || { ... }" group set -e is suspended, so only the
# last command of the group decides whether the error branch runs.

echo "1. Backing up yum repos"
{
    for i in /etc/yum.repos.d/*.repo; do cp "$i" "${i%.repo}.bak"; done
    rm -rf /etc/yum.repos.d/*.repo
} || {
    echo "Backup failed; please do it manually"
    exit 1
}

echo "2. Fetching online yum repos"
{
    # fetched over plain HTTP: yum's gpgcheck protects the packages, not this repo file
    wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/Centos-7.repo >/dev/null 2>&1
    wget -P /etc/yum.repos.d/ http://mirrors.163.com/.help/CentOS7-Base-163.repo >/dev/null 2>&1
    yum clean all >/dev/null 2>&1    # "yum clean" with no argument is an error
    yum repolist >/dev/null 2>&1
} || {
    echo "Fetch failed; please do it manually"
    exit 1
}

echo "3. Installing docker-ce......"
{
    yum -y install yum-utils >/dev/null 2>&1
    yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo >/dev/null 2>&1
    yum clean all >/dev/null 2>&1
    yum repolist >/dev/null 2>&1
    yum -y install epel-release docker-ce >/dev/null 2>&1
} || {
    echo "Install failed; please install manually"
    exit 1
}

systemctl start docker >/dev/null 2>&1
systemctl enable docker >/dev/null 2>&1

echo "4. Adding kernel parameters"
{
    modprobe br_netfilter    # the bridge-nf sysctls only exist once this module is loaded
    cat <<EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
    sysctl -p >/dev/null 2>&1
}

echo "5. Adding a registry mirror"
{
    mkdir -p /etc/docker
    # write, do not append: a second JSON object appended to an existing
    # daemon.json leaves it unparsable and docker will not start
    cat <<EOF > /etc/docker/daemon.json
{
    "registry-mirrors": [
        "https://registry.docker-cn.com"
    ]
}
EOF
}

echo "6. Installing docker-compose"
{
    # -f makes curl fail on an HTTP error instead of saving the error page as the binary;
    # the release page publishes sha256 sums, verify the download outside a lab
    curl -fL https://github.com/docker/compose/releases/download/1.23.1/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
} || {
    echo "Install failed; please install manually"
    exit 1
}

systemctl daemon-reload >/dev/null 2>&1
systemctl restart docker >/dev/null 2>&1

rm -f -- "$0"    # remove this script only (rm -rf ./*.sh would delete every .sh in the directory)
V. Install harbor
1. Download the harbor package
online installer: # wget -P /usr/local/src/ https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-online-installer-v1.2.0.tgz
offline installer: # wget https://github.com/vmware/harbor/releases/download/v1.2.0/harbor-offline-installer-v1.2.0.tgz
2. Extract to /usr/local: # tar xvf harbor-online-installer-v1.2.0.tgz -C /usr/local
3. Inspect the extracted directory
4. Set the hostname: # vim harbor.cfg
hostname = manager
The hostname must be the address clients will actually use to reach the registry (here the IP 192.168.11.199, or a DNS name that resolves to it), because Harbor embeds it in the token-service URL handed to docker; do not use localhost.
5. Run the install script: ./install.sh
6. Check the containers: # docker ps or docker-compose ps
7. Log in at http://192.168.11.199 with user admin, password Harbor12345. That is the well-known default from harbor_admin_password in harbor.cfg; change it before doing anything else.
8. Point docker at the Harbor registry instead of the public mirror
# rm -rf /etc/docker/daemon.json
# vim /usr/lib/systemd/system/docker.service
--insecure-registry 192.168.11.199
(appended to the ExecStart line). --insecure-registry tells docker to accept plain HTTP, or HTTPS with an untrusted certificate, from that host, so anyone on the network path can serve a tampered image. Treat it as a stopgap until step 12 enables TLS, then remove it. Editing the unit file directly is also overwritten on package upgrade; the supported place is "insecure-registries" in /etc/docker/daemon.json, or a systemd drop-in.
9. Reload systemd and restart docker
# systemctl daemon-reload
# systemctl restart docker
10. Build a custom image for the push/pull test
# vim Dockerfile
# base image: centos, version 7.1
FROM centos:centos7.1.1503
# set the container time zone to Shanghai
ENV TZ "Asia/Shanghai"
# docker build -t 192.168.11.199/library/centos7.1:0.1 .
11. Test push and pull
1). Log in to the registry: # docker login 192.168.11.199
2). Push the image
# docker image ls -a
# docker push 192.168.11.199/library/centos7.1:0.1
(push the tag you built: since Docker 20.10 a push without a tag means :latest, which does not exist here, and older versions push every local tag of the repository)
3). Pull any public image: # docker pull nginx
4). Tag it for the private registry: # docker tag nginx:latest 192.168.11.199/library/nginx.v1
(nginx.v1 is the repository name here and the tag stays :latest; the usual form would be 192.168.11.199/library/nginx:v1)
5). Push: # docker push 192.168.11.199/library/nginx.v1
6). Delete the local copy: # docker image rm 192.168.11.199/library/nginx.v1:latest
7). Pull it back from the private registry: # docker pull 192.168.11.199/library/nginx.v1
12. Configure TLS on harbor
1). Edit the harbor config: # vim /usr/local/harbor/harbor.cfg
ui_url_protocol = https
ssl_cert = /home/ssl/ca.crt
ssl_cert_key = /home/ssl/ca.key
This points Harbor's nginx at the CA's own certificate and key. It works, because the self-signed CA certificate is its own trust anchor, but it puts the CA private key on the registry host (a compromise of Harbor is then a compromise of the CA and of every certificate it ever issued), and the certificate carries no subjectAltName for 192.168.11.199, so hostname verification is hit-or-miss. Issue a separate server certificate from the CA and point ssl_cert and ssl_cert_key at that; ca.key stays where it was generated.
2). Re-run the installer so the config is regenerated and the containers restarted: # ./install.sh
Because the certificate is self-signed, Chrome (like any browser) shows a warning. For docker, do not fall back to --insecure-registry: copy ca.crt to /etc/docker/certs.d/192.168.11.199/ca.crt on every node and docker will trust the registry.
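The following is an added example, not code from the original post, covering both the CA creation in section III and the Harbor TLS step above: it builds a root certificate that actually carries the CA extensions, issues a separate server certificate for Harbor with the registry address in subjectAltName, and runs the verification docker will perform against /etc/docker/certs.d/<host>/ca.crt. It assumes OpenSSL 1.1 or newer on PATH, the registry address 192.168.11.199 from the post, and a hypothetical DNS name harbor.lab.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a CA with proper CA extensions
# plus a separate server certificate for Harbor issued by that CA, instead of
# pointing harbor.cfg at the CA's own key. Assumptions: OpenSSL 1.1+ on PATH;
# Harbor is reached as 192.168.11.199 (the address used in the post) and,
# optionally, a DNS name such as harbor.lab (hypothetical).
set -eu

# make_ca DIR: root key + self-signed root cert carrying CA:TRUE and keyCertSign,
# which the bare "openssl x509 -req -signkey" in the post does not add.
make_ca() {
  local dir=$1
  mkdir -p "$dir"
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/CN=k8s-lab-ca" -out "$dir/ca.csr"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# issue_server_cert DIR NAME IP [DNS]: leaf cert for Harbor, signed by DIR/ca.key,
# with the IP (and DNS name) clients will dial in subjectAltName. The leaf key
# is the only private key that has to live on the Harbor host.
issue_server_cert() {
  local dir=$1 name=$2 ip=$3 dns=${4:-}
  local san="IP:$ip"
  if [ -n "$dns" ]; then san="$san,DNS:$dns"; fi
  cat > "$dir/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$san
EOF
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=${dns:-$ip}" -out "$dir/$name.csr"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# verify_chain DIR NAME: the check docker performs against certs.d/<host>/ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null
}

# cert_has_san DIR NAME TEXT: confirm the name clients dial is really in the
# certificate, e.g. "IP Address:192.168.11.199" or "DNS:harbor.lab".
cert_has_san() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q -- "$3"
}

# is_ca_cert DIR: true if DIR/ca.crt is marked as a CA (basicConstraints CA:TRUE).
is_ca_cert() {
  openssl x509 -in "$1/ca.crt" -noout -text | grep -q 'CA:TRUE'
}
```

Usage on the signing host: make_ca /home/ssl, then issue_server_cert /home/ssl harbor 192.168.11.199 harbor.lab and verify_chain /home/ssl harbor. Set ssl_cert to /home/ssl/harbor.crt and ssl_cert_key to /home/ssl/harbor.key in harbor.cfg, copy only /home/ssl/ca.crt to /etc/docker/certs.d/192.168.11.199/ca.crt on each node, and leave ca.key where it was generated.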
VI. Deploy the etcd cluster
1. On the master install etcd and kubernetes-master (the CentOS 7 extras packages, an old 1.5-series Kubernetes): # yum -y install etcd kubernetes-master
2. Edit the etcd config and set the listen address: # vim /etc/etcd/etcd.conf
ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"
This listens on every interface with no TLS and no client authentication: anyone who can reach port 2379 can read and rewrite the whole cluster state, secrets included. Flannel on the node needs to reach etcd, so 127.0.0.1 is not enough here, but bind to the master's address rather than 0.0.0.0, and for anything beyond a lab enable TLS with client-certificate auth (ETCD_CERT_FILE, ETCD_KEY_FILE, ETCD_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH).
3. Edit the k8s apiserver config: # vim /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"
The insecure port (8080) has no authentication or authorization at all; whoever can connect is cluster admin. The package default is 127.0.0.1, and that is where it should stay, with nodes using the secure port 6443 and certificates instead. The walkthrough below nevertheless uses 8080 from the node, so at minimum keep 8080 reachable only from the node network.
4. Configure service-account tokens
The ServiceAccount admission plugin needs a signing key pair: the controller manager signs tokens with the private key and the API server verifies them with the matching key. If you do not configure one, remove ServiceAccount from the admission-control list, otherwise pod creation fails:
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota"
To configure it: # vim /etc/kubernetes/apiserver
KUBE_API_ARGS="--service_account_key_file=/home/ssl/ca.key"
# vim /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/home/ssl/ca.key"
Both flags must point at the same key pair. Reusing the CA private key for this is a bad habit: the token-signing key sits on two daemons and is read constantly, and if it leaks so does the CA. Generate a dedicated RSA key (openssl genrsa, as in section III) just for service accounts.
5. Start etcd, kube-apiserver, kube-controller-manager and kube-scheduler:
# for SERVICES in etcd kube-apiserver kube-controller-manager kube-scheduler; do systemctl restart $SERVICES; systemctl enable $SERVICES; systemctl status $SERVICES; done
VII. Deploy the flannel network
1. Define the flannel network in etcd (the key must match FLANNEL_ETCD_PREFIX in /etc/sysconfig/flanneld; /atomic.io/network is the CentOS package default): # etcdctl mk /atomic.io/network/config '{"Network":"172.17.0.0/16"}'
2. On the node install flannel and kubernetes-node:
# yum -y install epel-release
# yum -y install flannel kubernetes-node
3. Point flannel at the etcd service by editing /etc/sysconfig/flanneld
# vim /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://192.168.11.199:2379"    (the etcd client endpoint on the master)
4. Edit /etc/kubernetes/config
# vim /etc/kubernetes/config
KUBE_MASTER="--master=http://192.168.11.199:8080"
5. Edit /etc/kubernetes/kubelet on the minion
# vim /etc/kubernetes/kubelet
KUBELET_ADDRESS="--address=0.0.0.0"
KUBELET_HOSTNAME="--hostname-override=192.168.11.196"
KUBELET_API_SERVER="--api-servers=http://192.168.11.199:8080"
Steps 3 to 5 connect every node component over plaintext HTTP with no credentials, and --address=0.0.0.0 exposes the kubelet API (port 10250) on every interface; this kubelet release accepts anonymous requests by default, and that API can exec into any pod on the node. Bind the kubelet to the node's own address and, outside a lab, reach the API server at https://...:6443 with a kubeconfig.
6. On every minion start kube-proxy, kubelet, flanneld and docker and enable them at boot. Start flanneld before docker: the flannel package writes the assigned subnet to /run/flannel/docker, which the docker unit reads at start, so a docker started first keeps its own bridge address and pods on that node are unreachable.
# for SERVICES in kube-proxy kubelet flanneld docker; do systemctl restart $SERVICES; systemctl enable $SERVICES; systemctl status $SERVICES; done
7. Verify the cluster (on the master kubectl defaults to localhost:8080; from anywhere else pass the server explicitly)
# kubectl get node
# kubectl -s http://192.168.11.199:8080 get node
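Before calling the cluster done, it is worth checking the sysconfig files written in sections VI and VII for the exposures noted above. The audit below is an added example, not part of the original post: it greps the files the CentOS packages use (etcd.conf, apiserver, config, kubelet, flanneld) for the weak settings, and writes a constructed copy of the post's values next to a hardened variant so the two can be compared. The hardened values (certificate paths under /home/ssl, the secure port 6443, a kubelet kubeconfig) are assumptions for a TLS-enabled layout, not something the post configures.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: audit the sysconfig files that
# sections VI and VII edit for settings that expose the control plane, and show
# corrected values side by side. File names follow the CentOS 7 extras packages
# used on this page. Hardened cert paths and port 6443 are assumptions.
set -eu

FINDINGS=0

# flag DIR FILE ERE MESSAGE: print a finding if DIR/FILE matches ERE.
flag() {
  if [ -f "$1/$2" ] && grep -Eq -- "$3" "$1/$2"; then
    echo "[!] $2: $4"
    FINDINGS=$((FINDINGS + 1))
  fi
}

# audit_k8s_sysconfig DIR: one line per finding, then a "findings: N" summary.
audit_k8s_sysconfig() {
  local dir=$1
  FINDINGS=0
  flag "$dir" etcd.conf 'ETCD_LISTEN_CLIENT_URLS="http://0\.0\.0\.0' \
    'etcd client port on every interface, plaintext, no auth: full read/write of cluster state'
  flag "$dir" apiserver '--insecure-bind-address=0\.0\.0\.0' \
    'unauthenticated API port 8080 on every interface: cluster admin for anyone who can reach it'
  flag "$dir" apiserver 'service[_-]account[_-]key[_-]file=[^" ]*ca\.key' \
    'service-account tokens signed with the CA private key; use a dedicated key pair'
  if [ -f "$dir/apiserver" ] && grep -q 'admission-control=' "$dir/apiserver" \
      && ! grep -q 'ServiceAccount' "$dir/apiserver"; then
    echo "[!] apiserver: ServiceAccount admission plugin removed; pods get no service-account token"
    FINDINGS=$((FINDINGS + 1))
  fi
  flag "$dir" config '--master=http://' \
    'components reach the API server over plaintext 8080 with no credentials'
  flag "$dir" kubelet '--address=0\.0\.0\.0' \
    'kubelet API (10250) on every interface; this release allows anonymous requests by default'
  flag "$dir" kubelet '--api-servers=http://' 'kubelet registers over plaintext 8080'
  flag "$dir" flanneld 'FLANNEL_ETCD_ENDPOINTS="http://' 'flannel reads and writes etcd in plaintext'
  echo "findings: $FINDINGS"
}

# findings_count DIR: just the number, for scripting.
findings_count() {
  audit_k8s_sysconfig "$1" | sed -n 's/^findings: //p'
}

# write_sample_config DIR: constructed copy of the values the post sets.
write_sample_config() {
  mkdir -p "$1"
  echo 'ETCD_LISTEN_CLIENT_URLS="http://0.0.0.0:2379"' > "$1/etcd.conf"
  printf '%s\n' 'KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"' \
    'KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"' \
    'KUBE_API_ARGS="--service_account_key_file=/home/ssl/ca.key"' > "$1/apiserver"
  echo 'KUBE_MASTER="--master=http://192.168.11.199:8080"' > "$1/config"
  printf '%s\n' 'KUBELET_ADDRESS="--address=0.0.0.0"' \
    'KUBELET_HOSTNAME="--hostname-override=192.168.11.196"' \
    'KUBELET_API_SERVER="--api-servers=http://192.168.11.199:8080"' > "$1/kubelet"
  echo 'FLANNEL_ETCD_ENDPOINTS="http://192.168.11.199:2379"' > "$1/flanneld"
}

# write_hardened_config DIR: the same files with the exposures removed
# (assumed cert paths under /home/ssl, secure port 6443, kubelet kubeconfig).
write_hardened_config() {
  mkdir -p "$1"
  printf '%s\n' 'ETCD_LISTEN_CLIENT_URLS="https://192.168.11.199:2379"' \
    'ETCD_CERT_FILE="/home/ssl/etcd.crt"' 'ETCD_KEY_FILE="/home/ssl/etcd.key"' \
    'ETCD_TRUSTED_CA_FILE="/home/ssl/ca.crt"' 'ETCD_CLIENT_CERT_AUTH="true"' > "$1/etcd.conf"
  printf '%s\n' 'KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"' \
    'KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"' \
    'KUBE_API_ARGS="--service-account-key-file=/home/ssl/sa.key --tls-cert-file=/home/ssl/apiserver.crt --tls-private-key-file=/home/ssl/apiserver.key"' > "$1/apiserver"
  echo 'KUBE_MASTER="--master=https://192.168.11.199:6443"' > "$1/config"
  printf '%s\n' 'KUBELET_ADDRESS="--address=192.168.11.196"' \
    'KUBELET_HOSTNAME="--hostname-override=192.168.11.196"' \
    'KUBELET_API_SERVER="--api-servers=https://192.168.11.199:6443"' \
    'KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubelet.kubeconfig --anonymous-auth=false"' > "$1/kubelet"
  echo 'FLANNEL_ETCD_ENDPOINTS="https://192.168.11.199:2379"' > "$1/flanneld"
}
```

Run audit_k8s_sysconfig /etc/etcd on the master after copying /etc/kubernetes/apiserver and /etc/kubernetes/config next to etcd.conf, and audit_k8s_sysconfig /etc/kubernetes on the node with flanneld copied in from /etc/sysconfig; the post's settings produce seven findings, the hardened variant none. The checks are plain greps on the option strings, so a setting moved into a different variable or file will need the pattern adjusted.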
VIII. Deploy services
1.