-
创建者:
虚拟的现实,上次更新时间:9月 23, 2025
需要 8 分钟阅读时间
前言
x86 环境下的操作可以参考
ARM 环境主要基于信创要求,以下内容参照政务云提供的安装文档进行部署
软件环境
| 软件 | 版本 |
|---|---|
| 操作系统 | Kylin Linux Advanced Server V10 (Halberd) SP3 |
| Docker | 28.0.4 |
| Kubernetes | 1.28.15 |
服务器整体规划:
| 角色 | IP | 组件 |
|---|---|---|
| k8s-master1 | 192.168.120.51 | kube-apiserver,kube-controller-manager,kube-scheduler,etcd,kubelet,kube-proxy,docker |
| k8s-master2 | 192.168.120.52 | kube-apiserver,kube-controller-manager,kube-scheduler,etcd,kubelet,kube-proxy,docker |
| k8s-master3 | 192.168.120.53 | kube-apiserver,kube-controller-manager,kube-scheduler,etcd,kubelet,kube-proxy,docker |
| k8s-node1 | 192.168.120.54 | kubelet,kube-proxy,docker , keepalived+ nginx |
| k8s-node2 | 192.168.120.55 | kubelet,kube-proxy,docker, keepalived+ nginx |
| k8s-node3 | 192.168.120.56 | kubelet,kube-proxy,docker, keepalived+ nginx |
| VIP | 192.168.120.50 |
操作系统初始化配置
在所有的主机操作系统上执行
安装依赖包
yum install -y conntrack-tools conntrack ntpdate ntp ipvsadm ipset iptables curl sysstat libseccomp vim net-tools rpcbind nfs-utils
集群 ip 映射
# shell:
ip_addr=$(ip addr show | grep -E 'inet.*brd' | grep -v '127.0.0.1' | awk '{print $2}' | cut -d '/' -f1 | head -n 1)
if [ -z "$ip_addr" ]; then
echo "无法获取有效的IPv4地址"
else
echo "检测到IP地址: $ip_addr"
# 提取IP的最后一段
ip_last_octet=$(echo "$ip_addr" | awk -F '.' '{print $4}')
# 构造目标hostname
target_hostname="host${ip_last_octet}"
# 设置hostname
hostnamectl set-hostname "$target_hostname"
if [ $? -eq 0 ]; then
echo "$target_hostname" > /etc/hostname
fi
fi
cat >> /etc/hosts << EOF
192.168.120.51 host51
192.168.120.52 host52
192.168.120.53 host53
192.168.120.54 host54
192.168.120.55 host55
192.168.120.56 host56
EOF
关闭防火墙,关闭 selinux,禁用 swap 分区
systemctl stop firewalld systemctl disable firewalld sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && getenforce swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
禁用 linux 的透明大页、标准大页
echo never > /sys/kernel/mm/transparent_hugepage/defrag echo never > /sys/kernel/mm/transparent_hugepage/enabled echo 'echo never > /sys/kernel/mm/transparent_hugepage/defrag' >> /etc/rc.local echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' >> /etc/rc.local chmod +x /etc/rc.d/rc.local
文件数设置
ulimit -SHn 65535 cat >> /etc/security/limits.conf << EOF * soft nofile 655360 * hard nofile 131072 * soft nproc 655350 * hard nproc 655350 * soft memlock unlimited * hard memlock unlimitedd EOF
linux 内核参数调优
配置内核路由转发及网桥过滤
#将桥接的IPv4流量传递到iptables的链 cat > /etc/sysctl.d/k8s.conf << EOF #开启网桥模式【重要】 net.bridge.bridge-nf-call-iptables=1 #开启网桥模式【重要】 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1 net.ipv4.tcp_tw_recycle=0 # 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它 vm.swappiness=0 # 不检查物理内存是否够用 vm.overcommit_memory=1 # 开启 OOM vm.panic_on_oom=0 fs.inotify.max_user_instances=8192 fs.inotify.max_user_watches=1048576 fs.file-max=52706963 fs.nr_open=52706963 #关闭ipv6【重要】 # net.ipv6.conf.all.disable_ipv6=1 # net.netfilter.nf_conntrack_max=2310720 # 下面的内核参数可以解决ipvs模式下长连接空闲超时的问题 net.ipv4.tcp_keepalive_intvl = 30 net.ipv4.tcp_keepalive_probes = 10 net.ipv4.tcp_keepalive_time = 600 EOF sysctl --system
加载网桥过滤模块
modprobe br_netfilter cat > /etc/sysconfig/modules/ipvs.modules <<EOF #!/bin/bash modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack modprobe -- br_netfilter EOF chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4 # 查看网桥过滤模块是否成功加载 lsmod | grep br_netfilter # 重新刷新配置 sysctl -p /etc/sysctl.d/k8s.conf # 保证在节点重启后能自动加载所需模块 cat >> /etc/rc.d/rc.local << EOF bash /etc/sysconfig/modules/ipvs.modules EOF chmod +x /etc/rc.d/rc.local
时间同步
yum install ntpdate -y #ntpdate time.windows.com ntpdate ntp1.aliyun.com # 或者配置crontab执行: # `crontab -e` # 0 */1 * * * /usr/sbin/ntpdate ntp1.aliyun.com echo "0 */1 * * * /usr/sbin/ntpdate ntp1.aliyun.com" >> /var/spool/cron/root
reboot 重启虚拟机,配置生效。
部署 Etcd 集群
准备证书
cfssl 是一个开源的证书管理工具,使用 json 文件生成证书,相比 openssl 更方便使用,找任意一台服务器操作,这里用 Master01 节点。
Master01 节点上生成证书
1.获取 cfssl 工具
mkdir -p /data/k8s-work cd /data/k8s-work # 把下载好的cfssl工具上传到服务器 [root@host51 k8s-work]# ls -l 总用量 25164 -rw-r--r-- 1 root root 11534488 8月 13 10:22 cfssl_1.6.5_linux_arm64 -rw-r--r-- 1 root root 8126616 8月 13 10:37 cfssl-certinfo_1.6.5_linux_arm64 -rw-r--r-- 1 root root 6095000 8月 13 10:36 cfssljson_1.6.5_linux_arm64 [root@host51 k8s-work]# [root@host51 k8s-work]# chmod +x cfssl* [root@host51 k8s-work]# [root@host51 k8s-work]# ls -l 总用量 25164 -rwxr-xr-x 1 root root 11534488 8月 13 10:22 cfssl_1.6.5_linux_arm64 -rwxr-xr-x 1 root root 8126616 8月 13 10:37 cfssl-certinfo_1.6.5_linux_arm64 -rwxr-xr-x 1 root root 6095000 8月 13 10:36 cfssljson_1.6.5_linux_arm64 [root@host51 k8s-work]# mv cfssl_1.6.5_linux_arm64 /usr/local/bin/cfssl mv cfssl-certinfo_1.6.5_linux_arm64 /usr/local/bin/cfssl-certinfo mv cfssljson_1.6.5_linux_arm64 /usr/local/bin/cfssljson cfssl version
2.自签证书颁发机构(CA)
cd /data/k8s-work/
# 配置ca证书请求文件
cat > ca-csr.json <<"EOF"
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "kubemsb",
"OU": "CN"
}
],
"ca": {
"expiry": "87600h"
}
}
EOF
# 创建ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# 配置ca证书策略
cfssl print-defaults config > ca-config.json
cat > ca-config.json <<"EOF"
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
3.使用自签 CA 签发 Etcd HTTPS 证书
# 创建证书申请文件:
cat > etcd-csr.json << "EOF"
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.120.51",
"192.168.120.52",
"192.168.120.53",
"192.168.120.151",
"192.168.120.152"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
# 生成证书: etcd.csr、etcd-key.pem、etcd.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容预留了2个临时IP
部署 Etcd 集群
https://github.com/etcd-io/etcd/releases(版本:3.5.21)
以下在 master1上操作,为简化操作,待会将master1 生成的所有文件拷贝到 master2 和节点 master3。
tar zxvf etcd-v3.5.21-linux-arm64.tar.gz
mv etcd-v3.5.21-linux-arm64/{etcd,etcdctl} /usr/local/bin
[root@host51 tmp]# etcdctl version
etcdctl version: 3.5.21
API version: 3.5
# k8s-master1 etcd 配置
mkdir -p /etc/etcd/ssl /var/lib/etcd/default.etcd
cd /data/k8s-work/
cp ca*.pem /etc/etcd/ssl
cp etcd*.pem /etc/etcd/ssl
cat > /etc/etcd/etcd.conf << "EOF"
#[Member]
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.120.51:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.120.51:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.120.51:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.120.51:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.120.51:2380,etcd2=https://192.168.120.52:2380,etcd3=https://192.168.120.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
说明:
- ETCD_NAME:节点名称,集群中唯一
- ETCD_DATA_DIR:数据目录
- ETCD_LISTEN_PEER_URLS:集群通信监听地址
- ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
- ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
- ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
- ETCD_INITIAL_CLUSTER:集群节点地址
- ETCD_INITIAL_CLUSTER_TOKEN:集群Token
- ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
1.systemd 管理 etcd
cat > /usr/lib/systemd/system/etcd.service << 'EOF' [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify Environment="ETCD_UNSUPPORTED_ARCH=arm64" EnvironmentFile=/etc/etcd/etcd.conf ExecStart=/usr/local/bin/etcd \ --cert-file=/etc/etcd/ssl/etcd.pem \ --key-file=/etc/etcd/ssl/etcd-key.pem \ --trusted-ca-file=/etc/etcd/ssl/ca.pem \ --peer-cert-file=/etc/etcd/ssl/etcd.pem \ --peer-key-file=/etc/etcd/ssl/etcd-key.pem \ --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \ --peer-client-cert-auth \ --client-cert-auth --logger=zap Restart=on-failure LimitNOFILE=65536 RestartSec=5 [Install] WantedBy=multi-user.target EOF
因为是arm环境,需要加上Environment="ETCD_UNSUPPORTED_ARCH=arm64"
2.将上面 master1 所有生成的文件拷贝到 master2 和 master3,修改etcd.conf文件
ssh root@host52 "mkdir -p /etc/etcd/ssl/ && mkdir -p /var/lib/etcd/default.etcd"
scp -rp /etc/etcd/* root@host52:/etc/etcd/
scp -r /usr/lib/systemd/system/etcd.service root@host52:/usr/lib/systemd/system/
scp -r /usr/local/bin/{etcd,etcdctl} root@host52:/usr/local/bin/
ssh root@host53 "mkdir -p /etc/etcd/ssl/ && mkdir -p /var/lib/etcd/default.etcd"
scp -rp /etc/etcd/* root@host53:/etc/etcd/
scp -r /usr/lib/systemd/system/etcd.service root@host53:/usr/lib/systemd/system/
scp -r /usr/local/bin/{etcd,etcdctl} root@host53:/usr/local/bin/
# 修改etcd.conf文件
# k8s-master2 etcd配置
cat > /etc/etcd/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd2"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.120.52:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.120.52:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.120.52:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.120.52:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.120.51:2380,etcd2=https://192.168.120.52:2380,etcd3=https://192.168.120.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# k8s-master3 etcd配置
cat > /etc/etcd/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd3"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.120.53:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.120.53:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.120.53:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.120.53:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.120.51:2380,etcd2=https://192.168.120.52:2380,etcd3=https://192.168.120.53:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# 启动并设置开机启动
systemctl daemon-reload
systemctl restart etcd
systemctl enable etcd
systemctl status etcd
3.查看集群状态
[root@host51 k8s-work]# etcdctl member list 1bbc501e55ccdcbc, started, etcd3, https://192.168.120.53:2380, https://192.168.120.53:2379, false c2bbef323a613a8d, started, etcd1, https://192.168.120.51:2380, https://192.168.120.51:2379, false d38d45c2041ce6eb, started, etcd2, https://192.168.120.52:2380, https://192.168.120.52:2379, fals [root@host51 bin]# [root@host51 k8s-work]# etcdctl member list -w table +------------------+---------+-------+-----------------------------+-----------------------------+------------+ | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER | +------------------+---------+-------+-----------------------------+-----------------------------+------------+ | 1bbc501e55ccdcbc | started | etcd3 | https://192.168.120.53:2380 | https://192.168.120.53:2379 | false | | c2bbef323a613a8d | started | etcd1 | https://192.168.120.51:2380 | https://192.168.120.51:2379 | false | | d38d45c2041ce6eb | started | etcd2 | https://192.168.120.52:2380 | https://192.168.120.52:2379 | false | +------------------+---------+-------+-----------------------------+-----------------------------+------------+ [root@host51 k8s-work]# ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints="https://192.168.120.51:2379,https://192.168.120.52:2379,https://192.168.120.53:2379" endpoint health +-----------------------------+--------+-------------+-------+ | ENDPOINT | HEALTH | TOOK | ERROR | +-----------------------------+--------+-------------+-------+ | https://192.168.120.51:2379 | true | 9.879548ms | | | https://192.168.120.52:2379 | true | 9.925658ms | | | https://192.168.120.53:2379 | true | 10.123852ms | | +-----------------------------+--------+-------------+-------+ [root@host51 k8s-work]# # endpoint status # endpoint health
安装 Docker 和 cri-dockerd
部署 docker
所有机器,自行部署,省略
部署 cri-dockerd
所有机器,自行安装
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.19/cri-dockerd-0.3.19.arm64.tgz tar zxvf cri-dockerd-0.3.19.arm64.tgz mv cri-dockerd/cri-dockerd /usr/bin/ ls -l /usr/bin/cri-dockerd # 创建配置文件 cat >/usr/lib/systemd/system/cri-docker.service << "EOF" [Unit] Description=CRI Interface for Docker Application Container Engine Documentation=https://docs.mirantis.com After=network-online.target firewalld.service docker.service Wants=network-online.target [Service] Type=notify ExecStart=/usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9 ExecReload=/bin/kill -s HUP $MAINPID TimeoutSec=0 RestartSec=2 Restart=always [Install] WantedBy=multi-user.target EOF # 启动并设置开机启动 systemctl daemon-reload systemctl start cri-docker systemctl enable cri-docker
部署负载均衡
kube-apiserver 是无状态的,通过 nginx 进行代理访问,从而保证服务可用性
nginx 做反向代理,后端连接所有的 kube-apiserver 实例,并提供健康检查和负载均衡功能;keepalived 提供 kube-apiserver 对外服务的VIP;
nginx 监听的端口16443需要与 kube-apiserver 的端口6443不同,避免冲突。
nginx 安装和配置,主从服务都需要安装
直接使用 rpm 包部署,麒麟V10 直接下载 NGINX 的 Centos8 的 rpm 包就行
dnf -y install nginx-1.28.0-1.el8.ngx.aarch64.rpm
nginx 配置
vi /etc/nginx/nginx.conf 新增如下信息:
stream {
# 添加socket转发的代理
upstream socket_proxy {
hash $remote_addr consistent;
# 转发的目的地址和端口
server 192.168.120.51:6443 weight=5 max_fails=3 fail_timeout=30s;
server 192.168.120.52:6443 weight=5 max_fails=3 fail_timeout=30s;
server 192.168.120.53:6443 weight=5 max_fails=3 fail_timeout=30s;
}
# 提供转发的服务,即访问localhost:6443,会跳转至代理socket_proxy指定的转发地址
server {
listen 6443;
proxy_connect_timeout 1s;
proxy_timeout 3s;
proxy_pass socket_proxy;
}
}
配置开机自启服务
# rm -f /etc/nginx/conf.d/default.conf systemctl start nginx && systemctl enable nginx
keepalived 安装和配置
1.安装keepalived
yum install -y keepalived
2.修改配置文件
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vi /etc/keepalived/keepalived.conf
# kd01
cat > /etc/keepalived/keepalived.conf << "EOF"
global_defs {
router_id kd01
}
vrrp_script check_run {
script "/etc/keepalived/check_web.sh"
interval 5
weight 2
}
vrrp_instance VI_1 {
state MASTER
interface enp0s11
virtual_router_id 51
priority 100
advert_int 2
nopreempt
authentication {
auth_type PASS
auth_pass 2222
}
unicast_src_ip 192.168.120.54
unicast_peer {
192.168.120.55
192.168.120.56
}
virtual_ipaddress {
192.168.120.50
}
track_script {
check_run
}
}
EOF
# kd02
cat > /etc/keepalived/keepalived.conf << "EOF"
global_defs {
router_id kd02
}
vrrp_script check_run {
script "/etc/keepalived/check_web.sh"
interval 5
weight 2
}
vrrp_instance VI_1 {
state BACKUP
interface enp0s11
virtual_router_id 51
priority 90
advert_int 2
nopreempt
authentication {
auth_type PASS
auth_pass 2222
}
unicast_src_ip 192.168.120.55
unicast_peer {
192.168.120.54
192.168.120.56
}
virtual_ipaddress {
192.168.120.50
}
track_script {
check_run
}
}
EOF
# kd03
cat > /etc/keepalived/keepalived.conf << "EOF"
global_defs {
router_id kd03
}
vrrp_script check_run {
script "/etc/keepalived/check_web.sh"
interval 5
weight 2
}
vrrp_instance VI_1 {
state BACKUP
interface enp0s11
virtual_router_id 51
priority 80
advert_int 2
nopreempt
authentication {
auth_type PASS
auth_pass 2222
}
unicast_src_ip 192.168.120.56
unicast_peer {
192.168.120.54
192.168.120.55
}
virtual_ipaddress {
192.168.120.50
}
track_script {
check_run
}
}
EOF
3.编写 nginx 监控脚本
如果nginx服务停止,keepalived服务也停止,并切换到备主机。脚本如下:/etc/keepalived/check_web.sh
cat > /etc/keepalived/check_web.sh << "EOF"
#!/bin/bash
num=$(ps -C nginx --no-header | wc -l)
if [ $num -eq 0 ]; then
systemctl restart nginx
sleep 10
num=$(ps -C nginx --no-header | wc -l)
if [ $num -eq 0 ]; then
systemctl stop keepalived
fi
fi
EOF
chmod +x /etc/keepalived/check_web.sh
4.配置开机自启 keepalived 服务
systemctl start keepalived systemctl enable keepalived systemctl status keepalived
kubernetes 集群部署
- https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.28.md#downloads-for-v1281
注意选择 arm 版本
下载并解压安装包
wget https://dl.k8s.io/v1.28.15/kubernetes-server-linux-arm64.tar.gz tar zxvf kubernetes-server-linux-arm64.tar.gz cd kubernetes/server/bin/ cp kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/ mkdir -p /etc/kubernetes/ssl mkdir -p /var/log/kubernetes # Kubernetes软件分发 scp kube-apiserver kube-controller-manager kube-scheduler kubectl host52:/usr/local/bin/ scp kube-apiserver kube-controller-manager kube-scheduler kubectl host53:/usr/local/bin/
部署 kube-apiserver
1.创建 apiserver 证书请求文件
cd /data/k8s-work/
cat > kube-apiserver-csr.json << "EOF"
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.120.50",
"192.168.120.51",
"192.168.120.52",
"192.168.120.53",
"192.168.120.151",
"192.168.120.152",
"10.96.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "kubemsb",
"OU": "CN"
}
]
}
EOF
# 生成apiserver证书及token文件
# 生成kube-apiserver.csr、kube-apiserver-key.pem、kube-apiserver.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
#生成token.csv
cat > token.csv << EOF
$(head -c 16 /dev/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
注:上述文件 hosts 字段中 IP 为所有 Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的 IP。
2.创建配置文件
cat > /etc/kubernetes/kube-apiserver.conf << "EOF" KUBE_APISERVER_OPTS=" \ --bind-address=192.168.120.51 \ --advertise-address=192.168.120.51 \ --secure-port=6443 \ --allow-privileged=true \ --authorization-mode=Node,RBAC \ --anonymous-auth=false \ --runtime-config=api/all=true \ --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \ --enable-bootstrap-token-auth \ --token-auth-file=/etc/kubernetes/token.csv \ --service-cluster-ip-range=10.96.0.0/16 \ --service-node-port-range=30000-32767 \ --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \ --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \ --client-ca-file=/etc/kubernetes/ssl/ca.pem \ --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \ --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \ --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \ --service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \ --service-account-issuer=api \ --etcd-servers=https://192.168.120.51:2379,https://192.168.120.52:2379,https://192.168.120.53:2379 \ --etcd-cafile=/etc/etcd/ssl/ca.pem \ --etcd-certfile=/etc/etcd/ssl/etcd.pem \ --etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \ --enable-aggregator-routing=true \ --requestheader-allowed-names=kubernetes \ --requestheader-extra-headers-prefix=X-Remote-Extra- \ --requestheader-group-headers=X-Remote-Group \ --requestheader-username-headers=X-Remote-User \ --apiserver-count=3 \ --event-ttl=1h \ --audit-log-maxage=30 \ --audit-log-maxbackup=3 \ --audit-log-maxsize=100 \ --audit-log-path=/var/log/kube-apiserver-audit.log \ \ --v=4" EOF
3.证书拷贝
cd /data/k8s-work/ cp ca*.pem /etc/kubernetes/ssl/ cp kube-apiserver*.pem /etc/kubernetes/ssl/ cp token.csv /etc/kubernetes/
4.创建 apiserver 服务管理配置文件
cat > /usr/lib/systemd/system/kube-apiserver.service << "EOF" [Unit] Description=Kubernetes API Server Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=-/etc/kubernetes/kube-apiserver.conf ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS Restart=on-failure RestartSec=5 Type=notify LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOF
5.同步文件到集群 master 节点
scp /etc/kubernetes/ssl/ca*.pem host52:/etc/kubernetes/ssl scp /etc/kubernetes/ssl/ca*.pem host53:/etc/kubernetes/ssl scp /etc/kubernetes/ssl/kube-apiserver*.pem host52:/etc/kubernetes/ssl scp /etc/kubernetes/ssl/kube-apiserver*.pem host53:/etc/kubernetes/ssl scp /etc/kubernetes/token.csv host52:/etc/kubernetes scp /etc/kubernetes/token.csv host53:/etc/kubernetes #需要修改为对应主机的ip地址 scp /etc/kubernetes/kube-apiserver.conf host52:/etc/kubernetes/kube-apiserver.conf scp /etc/kubernetes/kube-apiserver.conf host53:/etc/kubernetes/kube-apiserver.conf scp /usr/lib/systemd/system/kube-apiserver.service host52:/usr/lib/systemd/system/kube-apiserver.service scp /usr/lib/systemd/system/kube-apiserver.service host53:/usr/lib/systemd/system/kube-apiserver.service
6.启动服务
# 启动:
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
# 验证:
curl --insecure https://192.168.120.51:6443/
curl --insecure https://192.168.120.52:6443/
curl --insecure https://192.168.120.53:6443/
curl --insecure https://192.168.120.50:6443/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
部署 kube-controller-manager
1.创建 kube-controller-manager 证书请求文件
cd /data/k8s-work
cat > kube-controller-manager-csr.json << "EOF"
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.120.51",
"192.168.120.52",
"192.168.120.53"
],
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-controller-manager",
"OU": "system"
}
]
}
EOF
2.创建 kube-controller-manager 证书文件
- kube-controller-manager.csr
- kube-controller-manager-csr.json
- kube-controller-manager-key.pem
- kube-controller-manager.pem
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
3.创建 kube-controller-manager 的 kube-controller-manager.kubeconfig
kubectl config set-cluster kubernetes \ --certificate-authority=./ca.pem --embed-certs=true \ --server=https://192.168.120.50:6443 \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config set-credentials system:kube-controller-manager \ --client-certificate=./kube-controller-manager.pem \ --client-key=./kube-controller-manager-key.pem \ --embed-certs=true \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config set-context system:kube-controller-manager \ --cluster=kubernetes --user=system:kube-controller-manager \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config use-context system:kube-controller-manager \ --kubeconfig=kube-controller-manager.kubeconfig
4.创建 kube-controller-manager 配置文件
cat > kube-controller-manager.conf << "EOF" KUBE_CONTROLLER_MANAGER_OPTS=" \ --secure-port=10257 \ --bind-address=127.0.0.1 \ --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \ --service-cluster-ip-range=10.96.0.0/16 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \ --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \ --allocate-node-cidrs=true \ --cluster-cidr=10.244.0.0/16 \ --root-ca-file=/etc/kubernetes/ssl/ca.pem \ --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \ --leader-elect=true \ --feature-gates=RotateKubeletServerCertificate=true \ --controllers=*,bootstrapsigner,tokencleaner \ --tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem \ --tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem \ --use-service-account-credentials=true \ --cluster-signing-duration=87600h0m0s \ --v=2" EOF
5.创建服务启动文件
cat > /usr/lib/systemd/system/kube-controller-manager.service << "EOF" [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/kubernetes/kubernetes [Service] EnvironmentFile=/etc/kubernetes/kube-controller-manager.conf ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target EOF
6.同步文件到集群 master 节点
cp kube-controller-manager*.pem /etc/kubernetes/ssl/ cp kube-controller-manager.kubeconfig /etc/kubernetes/ cp kube-controller-manager.conf /etc/kubernetes/ scp kube-controller-manager*.pem host52:/etc/kubernetes/ssl/ scp kube-controller-manager*.pem host53:/etc/kubernetes/ssl/ scp kube-controller-manager.kubeconfig kube-controller-manager.conf host52:/etc/kubernetes/ scp kube-controller-manager.kubeconfig kube-controller-manager.conf host53:/etc/kubernetes/ scp /usr/lib/systemd/system/kube-controller-manager.service host52:/usr/lib/systemd/system/ scp /usr/lib/systemd/system/kube-controller-manager.service host53:/usr/lib/systemd/system/
7.启动服务
systemctl daemon-reload systemctl start kube-controller-manager systemctl enable --now kube-controller-manager systemctl status kube-controller-manager
部署 kube-scheduler
1.创建 kube-scheduler 证书请求文件
cd /data/k8s-work
cat > kube-scheduler-csr.json << "EOF"
{
"CN": "system:kube-scheduler",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-scheduler",
"OU": "system"
}
]
}
EOF
2.