news 2026/4/23 11:14:44

K8s 1.29.2 Binary Installation - Chapter 2 (Downloading and Installing K8s and etcd)


张小明

Front-end development engineer


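K8s binary installation: this chapter installs k8s and etcd and generates the certificate files that K8s and etcd need (the container images and tools used will be shared together at the end of the article).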

1. Install the K8s and etcd binaries

```bash
# Download the installation packages
wget https://github.com/etcd-io/etcd/releases/download/v3.5.12/etcd-v3.5.12-linux-amd64.tar.gz
wget https://cdn.dl.k8s.io/release/v1.29.2/kubernetes-server-linux-amd64.tar.gz

# Extract the k8s binaries
tar -xf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}

# Extract the etcd binaries
tar -xf etcd*.tar.gz && mv etcd-*/etcd /usr/local/bin/ && mv etcd-*/etcdctl /usr/local/bin/

# List the contents of /usr/local/bin
[root@server170 ~]# ll /usr/local/bin/
总用量 543048
-rwxr-xr-x 1 528287 89939  23543808 1 31 2024 etcd
-rwxr-xr-x 1 528287 89939  17743872 1 31 2024 etcdctl
-rwxr-xr-x 1 root   root  123719680 2 14 2024 kube-apiserver
-rwxr-xr-x 1 root   root  118349824 2 14 2024 kube-controller-manager
-rwxr-xr-x 1 root   root   49704960 2 14 2024 kubectl
-rwxr-xr-x 1 root   root  111812608 2 14 2024 kubelet
-rwxr-xr-x 1 root   root   55263232 2 14 2024 kube-proxy
-rwxr-xr-x 1 root   root   55943168 2 14 2024 kube-scheduler

# Check the versions
kubelet --version
Kubernetes v1.29.2
etcdctl version
etcdctl version: 3.5.12
API version: 3.5

# Send the components to the other k8s nodes (define variables for the node lists)
Master='server171 server172'
Work='server173 server174'

# Copy the master components (a for loop iterates over the variable)
for NODE in $Master; do
  echo $NODE
  scp /usr/local/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy} $NODE:/usr/local/bin/
  scp /usr/local/bin/etcd* $NODE:/usr/local/bin/
done

# Copy the worker components
for NODE in $Work; do
  echo $NODE
  scp /usr/local/bin/kube{let,-proxy} $NODE:/usr/local/bin/
done

# Run on all nodes
mkdir -p /opt/cni/bin
```
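An added example (not part of the original article): the tarballs above are extracted straight into /usr/local/bin without an integrity check, so this helper compares a download against the publisher's checksum file before extraction. It assumes the checksum file was fetched alongside the tarball and is either a bare digest or `digest  filename` lines; `verify_release` is a hypothetical name.

```shell
# verify_release <artifact> <checksum-file>   (hypothetical helper, added example)
# Handles two checksum layouts (assumed formats):
#   - a file holding only the hex digest of one artifact
#   - a manifest with "digest  filename" lines covering several artifacts
# Returns 0 on match, 1 on mismatch, 2 on missing input, 3 if no digest is listed.
verify_release() {
    artifact=$1
    sums=$2
    [ -f "$artifact" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }
    name=$(basename "$artifact")

    # Prefer the digest listed for this exact file name; fall back to a bare digest.
    expected=$(awk -v n="$name" '
        NF >= 2 { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; found = 1; exit } }
        NF == 1 { bare = $1 }
        END     { if (!found && bare != "") print bare }' "$sums")
    [ -n "$expected" ] || { echo "no digest for $name in $sums" >&2; return 3; }

    actual=$(sha256sum "$artifact" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK        $name"
        return 0
    fi
    echo "MISMATCH  $name: expected $expected, got $actual" >&2
    return 1
}

# Intended use: extract only after the check passes, e.g.
#   verify_release etcd-v3.5.12-linux-amd64.tar.gz SHA256SUMS && tar -xf etcd-v3.5.12-linux-amd64.tar.gz
```

The checksum file has to come from the publisher over a channel you trust; a digest fetched from the same mirror as a tampered tarball proves nothing.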

2. Generate the certificates

2.1 Install the certificate tools

```bash
# On the master01 node, download the certificate generation tools
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl_1.6.4_linux_amd64" -O /usr/local/bin/cfssl
wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssljson_1.6.4_linux_amd64" -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
```

2.2 Generate the etcd certificates (perform the following steps on all master nodes)

```bash
mkdir /etc/etcd/ssl -p
cd /etc/etcd/ssl

# Write the configuration files needed to generate the certificates; the etcd certificates are generated on master01
cat > ca-config.json << EOF
{
  "signing": {
    "default": { "expiry": "876000h" },
    "profiles": {
      "kubernetes": {
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
        "expiry": "876000h"
      }
    }
  }
}
EOF

# For the kubernetes profile, the certificate expiry is also 876000h, i.e. 100 years.
cat > etcd-ca-csr.json << EOF
{
  "CN": "etcd",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "etcd", "OU": "Etcd Security" }
  ],
  "ca": { "expiry": "876000h" }
}
EOF

# Generate the CA certificate
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/etcd/ssl/etcd-ca

cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "etcd", "OU": "Etcd Security" }
  ]
}
EOF

# Generate the etcd certificate
cfssl gencert \
  -ca=/etc/etcd/ssl/etcd-ca.pem \
  -ca-key=/etc/etcd/ssl/etcd-ca-key.pem \
  -config=ca-config.json \
  -hostname=127.0.0.1,server170,server171,server172,192.168.1.170,192.168.1.171,192.168.1.172 \
  -profile=kubernetes \
  etcd-csr.json | cfssljson -bare /etc/etcd/ssl/etcd

# Copy the certificates to the other master nodes
Master='server171 server172'
for NODE in $Master; do
  ssh $NODE "mkdir -p /etc/etcd/ssl"
  for FILE in etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem; do
    scp /etc/etcd/ssl/${FILE} $NODE:/etc/etcd/ssl/${FILE}
  done
done
```

2.4 Generate the K8s certificates (unless noted otherwise, perform the following steps on all master nodes)

```bash
mkdir -p /etc/kubernetes/pki
cd /etc/kubernetes/pki

# On the master node, generate the k8s certificates; write the configuration files needed to generate them
cat > ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "Kubernetes", "OU": "Kubernetes-manual" }
  ],
  "ca": { "expiry": "876000h" }
}
EOF

# Generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca

cat > apiserver-csr.json << EOF
{
  "CN": "kube-apiserver",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "Kubernetes", "OU": "Kubernetes-manual" }
  ]
}
EOF

cat > ca-config.json << EOF
{
  "signing": {
    "default": { "expiry": "876000h" },
    "profiles": {
      "kubernetes": {
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
        "expiry": "876000h"
      }
    }
  }
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -hostname=10.96.0.1,192.168.10.16,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,xxx.top,xxx.com,xxx.cn,192.168.1.170,192.168.1.171,192.168.1.172,192.168.1.173,192.168.1.174,192.168.1.175,192.168.1.176,192.168.1.177,192.168.1.178,192.168.1.179,192.168.1.180 \
  -profile=kubernetes \
  apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver

# Generate the apiserver aggregation (front-proxy) certificates
cat > front-proxy-ca-csr.json << EOF
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "ca": { "expiry": "876000h" }
}
EOF

# Generate the front-proxy CA certificate
cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-ca

cat > front-proxy-client-csr.json << EOF
{
  "CN": "front-proxy-client",
  "key": { "algo": "rsa", "size": 2048 }
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/front-proxy-ca.pem \
  -ca-key=/etc/kubernetes/pki/front-proxy-ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  front-proxy-client-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-client

# Generate the controller-manager certificate
cat > manager-csr.json << EOF
{
  "CN": "system:kube-controller-manager",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "system:kube-controller-manager", "OU": "Kubernetes-manual" }
  ]
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:8443 \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

kubectl config set-context system:kube-controller-manager@kubernetes \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=/etc/kubernetes/pki/controller-manager.pem \
  --client-key=/etc/kubernetes/pki/controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

kubectl config use-context system:kube-controller-manager@kubernetes \
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig

# Generate the kube-scheduler certificate
cat > scheduler-csr.json << EOF
{
  "CN": "system:kube-scheduler",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "system:kube-scheduler", "OU": "Kubernetes-manual" }
  ]
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  scheduler-csr.json | cfssljson -bare /etc/kubernetes/pki/scheduler

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:8443 \
  --kubeconfig=/etc/kubernetes/scheduler.kubeconfig

kubectl config set-credentials system:kube-scheduler \
  --client-certificate=/etc/kubernetes/pki/scheduler.pem \
  --client-key=/etc/kubernetes/pki/scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/scheduler.kubeconfig

kubectl config set-context system:kube-scheduler@kubernetes \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=/etc/kubernetes/scheduler.kubeconfig

kubectl config use-context system:kube-scheduler@kubernetes \
  --kubeconfig=/etc/kubernetes/scheduler.kubeconfig

# Generate the admin certificate configuration
cat > admin-csr.json << EOF
{
  "CN": "admin",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "system:masters", "OU": "Kubernetes-manual" }
  ]
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:8443 \
  --kubeconfig=/etc/kubernetes/admin.kubeconfig

kubectl config set-credentials kubernetes-admin \
  --client-certificate=/etc/kubernetes/pki/admin.pem \
  --client-key=/etc/kubernetes/pki/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/admin.kubeconfig

kubectl config set-context kubernetes-admin@kubernetes \
  --cluster=kubernetes \
  --user=kubernetes-admin \
  --kubeconfig=/etc/kubernetes/admin.kubeconfig

kubectl config use-context kubernetes-admin@kubernetes --kubeconfig=/etc/kubernetes/admin.kubeconfig

# Create the kube-proxy certificate
cat > kube-proxy-csr.json << EOF
{
  "CN": "system:kube-proxy",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "system:kube-proxy", "OU": "Kubernetes-manual" }
  ]
}
EOF

cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare /etc/kubernetes/pki/kube-proxy

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:8443 \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=/etc/kubernetes/pki/kube-proxy.pem \
  --client-key=/etc/kubernetes/pki/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig

kubectl config set-context kube-proxy@kubernetes \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig

kubectl config use-context kube-proxy@kubernetes --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig

# Create the ServiceAccount key (secret)
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub

# Send the certificates to the other master nodes
# Create the directory on the other nodes
mkdir /etc/kubernetes/pki/ -p

# Note: the node names in this loop differ from the server171/server172 names used earlier on this page
for NODE in k8s-master02 k8s-master03; do
  for FILE in $(ls /etc/kubernetes/pki | grep -v etcd); do
    scp /etc/kubernetes/pki/${FILE} $NODE:/etc/kubernetes/pki/${FILE}
  done
  for FILE in admin.kubeconfig controller-manager.kubeconfig scheduler.kubeconfig; do
    scp /etc/kubernetes/${FILE} $NODE:/etc/kubernetes/${FILE}
  done
done

# List the certificates
ls /etc/kubernetes/pki/
```
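An added example (not part of the original article): the admin certificate above carries O=system:masters, and the signing profile issues 100-year certificates usable for both server and client auth, so this check reports which issued certificates have those properties. `audit_cert` and the 825-day default threshold are assumptions of this example; it needs the openssl CLI.

```shell
# audit_cert <cert.pem> [max_days]   (hypothetical helper, added example)
# Prints one line per finding; the return code is the number of findings
# (255 if the file is not a readable PEM certificate).
audit_cert() {
    cert=$1
    max_days=${2:-825}
    findings=0
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) \
        || { echo "$cert: not a PEM certificate" >&2; return 255; }
    subject=$(printf '%s\n' "$subject" | sed 's/^subject= *//')
    text=$(openssl x509 -in "$cert" -noout -text)

    # 1. Lifetime: -checkend exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null; then
        end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        echo "$cert: still valid in $max_days days (notAfter: $end)"
        findings=$((findings + 1))
    fi

    # 2. Identity: the Organization field becomes the Kubernetes group, and
    #    system:masters is the built-in group with unrestricted API access.
    if printf '%s\n' "$subject" | grep -Eq '(^|,)O=system:masters(,|$)'; then
        echo "$cert: subject is in group system:masters ($subject)"
        findings=$((findings + 1))
    fi

    # 3. Usage: one certificate accepted both as a TLS server and as a TLS client.
    if printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' &&
       printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "$cert: extended key usage allows both server and client auth"
        findings=$((findings + 1))
    fi
    return $findings
}

# Intended use on a node built with this guide (private keys are skipped):
#   for c in /etc/kubernetes/pki/*.pem; do
#       case $c in *-key.pem) continue ;; esac
#       audit_cert "$c"
#   done
```

Kubernetes does not check certificate revocation, so a client certificate flagged here stays usable until it expires or the CA is replaced.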

3. etcd configuration

```bash
# Server170
cat > /etc/etcd/etcd.config.yml << EOF
name: 'server170'
# (the remaining settings are truncated in the source page)
EOF

# Server171
cat > /etc/etcd/etcd.config.yml << EOF
name: 'server171'
# (the remaining settings are truncated in the source page)
EOF

# Server172
cat > /etc/etcd/etcd.config.yml << EOF
name: 'server172'
# (the remaining settings are truncated in the source page)
EOF

# Create the service (on all master nodes)
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Service
Documentation=https://coreos.com/etcd/docs/latest/
After=network.target

[Service]
Type=notify
ExecStart=/usr/local/bin/etcd --config-file=/etc/etcd/etcd.config.yml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Alias=etcd3.service
EOF

# Create the etcd certificate directory (on the 3 masters)
mkdir /etc/kubernetes/pki/etcd
ln -s /etc/etcd/ssl/* /etc/kubernetes/pki/etcd/
systemctl daemon-reload
systemctl enable --now etcd.service
systemctl status etcd.service

# Check the etcd status
# To use IPv6, replace the IPv4 addresses with IPv6 addresses
export ETCDCTL_API=3
etcdctl --endpoints="192.168.1.170:2379,192.168.1.171:2379,192.168.1.172:2379" \
  --cacert=/etc/kubernetes/pki/etcd/etcd-ca.pem \
  --cert=/etc/kubernetes/pki/etcd/etcd.pem \
  --key=/etc/kubernetes/pki/etcd/etcd-key.pem \
  endpoint status --write-out=table
```

Output:

```
+--------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
|      ENDPOINT      |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
+--------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
| 192.168.1.170:2379 | c1621f2f11fc33f9 |  3.5.12 |   20 kB |      true |      false |         2 |          9 |                  9 |        |
| 192.168.1.171:2379 | 14f18e5e057e3164 |  3.5.12 |   20 kB |     false |      false |         2 |          9 |                  9 |        |
| 192.168.1.172:2379 | 225a00eef92e8f19 |  3.5.12 |   20 kB |     false |      false |         2 |          9 |                  9 |        |
+--------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
```