标签:模块 _for route load hosts fstab ddr mes 内核参数
1.kubernetes的五个组件
master节点的三个组件
kube-apiserver
整个集群的唯一入口,并提供认证、授权、访问控制、API注册和发现等机制。
kube-controller-manager
控制器管理器
负责维护集群的状态,比如故障检测、自动扩展、滚动更新等。保证资源到达期望值。
kube-scheduler
调度器
经过策略调度POD到合适的节点上面运行。分别有预选策略和优选策略。
node节点的两个组件
kubelet
在集群节点上运行的代理,kubelet会通过各种机制来确保容器处于运行状态且健康。kubelet不会管理不是由kubernetes创建的容器。kubelet接收POD的期望状态(副本数、镜像、网络等),并调用容器运行环境来实现预期状态。
kubelet会定时汇报节点的状态给apiserver,作为scheduler调度的基础。kubelet会对镜像和容器进行清理,避免不必要的文件资源占用。
kube-proxy
kube-proxy是集群中节点上运行的网络代理,是实现service资源功能组件之一。kube-proxy建立了POD网络和集群网络之间的关系。不同node上的service流量转发规则会通过kube-proxy来调用apiserver访问etcd进行规则更新。
service流量调度方式有三种方式:userspace(废弃,性能很差)、iptables(性能差,复杂,即将废弃)、ipvs(性能好,转发方式清晰)。
2.集群架构
3. 搭建集群
3.1 机器基本配置
以下配置在6台机器上面操作
3.1.1 修改主机名
修改主机名称:km1、km2\node1、node2
3.1.2 配置hosts文件
修改机器的/etc/hosts文件
cat >> /etc/hosts << EOF
10.252.4.11 km1
10.252.4.12 km2
10.252.4.14 kn1
10.252.4.15 kn2
EOF
3.1.3 关闭防火墙和selinux
systemctl stop firewalld
setenforce 0
sed -i ‘s/^SELINUX=.*/SELINUX=disabled/‘ /etc/selinux/config
3.1.4 关闭交换分区
swapoff -a
永久关闭,修改/etc/fstab,注释掉swap一行
3.1.5 时间同步
yum install -y chrony
systemctl start chronyd
systemctl enable chronyd
chronyc sources
3.1.6 修改内核参数
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
3.1.7 加载ipvs模块
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
lsmod | grep ip_vs
lsmod | grep nf_conntrack_ipv4
yum install -y ipvsadm
3.2 配置工作目录
每台机器都需要配置证书文件、组件的配置文件、组件的服务启动文件,现专门选择 km1 来统一生成这些文件,然后再分发到其他机器。以下操作在 km1 上进行
[root@km1 ~]# mkdir -p /data/work
注:该目录为配置文件和证书文件生成目录,后面的所有文件生成相关操作均在此目录下进行
[root@km1 ~]# ssh-keygen -t rsa -b 2048
[root@km1 ~]# ssh-copy-id -i .ssh/id_rsa.pub km2
将秘钥分发到另外五台机器,让 master1 可以免密码登录其他机器
3.3 搭建etcd集群
3.3.1 配置etcd工作目录
[root@km1 ~]# mkdir -p /etc/etcd # 配置文件存放目录
[root@km1 ~]# mkdir -p /etc/etcd/ssl # 证书文件存放目录
3.3.2 创建etcd证书
工具下载
[root@km1 ~]# cd /data/work/
[root@km1 work]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@km1 work]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@km1 work]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd
工具配置
[root@km1 work]# chmod +x cfssl*
[root@km1 work]# mv cfssl_linux-amd64 /usr/local/bin/cfssl
[root@km1 work]# mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
[root@km1 work]# mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
配置ca请求文件
[root@km1 work]# cat ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "beijing",
"O": "k8s",
"OU": "system"
}
],
"ca": {
"expiry": "175200h"
}
}
注:
CN:Common Name,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;
O:Organization,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group)
创建ca证书
[root@km1 work]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
配置ca证书策略
[root@km1 work]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "175200h"
}
}
}
}
配置etcd请求csr文件
[root@km1 work]# vim etcd-csr.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"10.252.4.11",
"10.252.4.12",
"10.252.4.13"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}]
}
生成证书
[root@km1 work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
[root@km1 work]# ls etcd*.pem
3.3.3 部署etcd集群
[root@km1 work]# wget https://github.com/etcd-io/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz
[root@km1 work]# tar -xf etcd-v3.4.13-linux-amd64.tar.gz
[root@km1 work]# cp -p etcd-v3.4.13-linux-amd64/etcd* /usr/local/bin/
[root@km1 work]# rsync -vaz etcd-v3.4.13-linux-amd64/etcd* kn2:/usr/local/bin/
创建配置文件
[root@km1 work]# vim etcd.conf
#[Member]
ETCD_NAME="etcd1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://10.252.4.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://10.252.4.11:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.252.4.11:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://10.252.4.11:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://10.252.4.11:2380,etcd2=https://10.252.4.12:2380,etcd3=https://10.252.4.13:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
注:
ETCD_NAME:节点名称,集群中唯一
ETCD_DATA_DIR:数据目录
ETCD_LISTEN_PEER_URLS:集群通信监听地址
ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
ETCD_INITIAL_CLUSTER:集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN:集群Token
ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
创建启动服务文件
方式一:
有配置文件的启动
[root@km1 work]# vim etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=-/etc/etcd/etcd.conf
WorkingDirectory=/var/lib/etcd/
ExecStart=/usr/local/bin/etcd --cert-file=/etc/etcd/ssl/etcd.pem --key-file=/etc/etcd/ssl/etcd-key.pem --trusted-ca-file=/etc/etcd/ssl/ca.pem --peer-cert-file=/etc/etcd/ssl/etcd.pem --peer-key-file=/etc/etcd/ssl/etcd-key.pem --peer-trusted-ca-file=/etc/etcd/ssl/ca.pem --peer-client-cert-auth --client-cert-auth
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
同步相关文件到各个节点
[root@km1 work]# cp ca*.pem etcd*.pem /etc/etcd/ssl/
[root@km1 work]# cp etcd.conf /etc/etcd/
[root@km1 work]# cp etcd.service /usr/lib/systemd/system/
[root@km1 work]# scp ca*.pem etcd*.pem km2:/etc/etcd/ssl/
[root@km1 work]# scp etcd.conf km2:/etc/etcd/
[root@km1 work]# scp etcd.service km2:/usr/lib/systemd/system/
[root@km1 work]# scp ca*.pem etcd*.pem kn:/etc/etcd/ssl/
[root@km1 work]# scp etcd.conf kn:/etc/etcd/
[root@km1 work]# scp etcd.service kn:/usr/lib/systemd/system/
注:km2和kn分别修改配置文件中etcd名字和ip,并创建目录 /var/lib/etcd/default.etcd
启动etcd集群<km1、km2和kn分别执行以下命令>
[root@km1 work]# mkdir -p /var/lib/etcd/default.etcd
[root@km1 work]# systemctl daemon-reload
[root@km1 work]# systemctl start etcd.service
[root@km1 work]# systemctl status etcd
注:同时启动三个节点
查看集群状态
etcdctl member list
3.4 kubernetes组件部署
3.4.1 下载安装包
[root@km1 work]# wget https://dl.k8s.io/v1.20.1/kubernetes-server-linux-amd64.tar.gz
[root@km1 work]# tar -xf kubernetes-server-linux-amd64.tar
[root@km1 work]# cd kubernetes/server/bin/
[root@km1 bin]# cp kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/
[root@km1 bin]# scp kube-apiserver kube-controller-manager kube-scheduler kubectl km2:/usr/local/bin/
[root@km1 bin]# scp kubelet kube-proxy kn:/usr/local/bin/
[root@km1 bin]# cd /data/work/
3.4.2 创建工作目录<km1\km2>
[root@km1 work]# mkdir -p /etc/kubernetes/ # kubernetes组件配置文件存放目录
[root@km1 work]# mkdir -p /etc/kubernetes/ssl # kubernetes组件证书文件存放目录
[root@km1 work]# mkdir /var/log/kubernetes # kubernetes组件日志文件存放目录
3.4.3 部署api-server
创建csr请求文件
[root@km1 work]# vim kube-apiserver-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"10.252.4.11",
"10.252.4.12",
"10.252.4.13",
"10.252.4.10",
"10.255.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "k8s",
"OU": "system"
}
]
}
注:
如果 hosts 字段不为空则需要指定授权使用该证书的 IP 或域名列表。
由于该证书后续被 kubernetes master 集群使用,需要将master节点的IP都填上,同时还需要填写 service 网络的首个IP。(一般是 kube-apiserver 指定的 service-cluster-ip-range 网段的第一个IP,如 10.255.0.1)
生成证书和token文件
[root@km1 work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
[root@km1 work]# cat > token.csv << EOF
> $(head -c 16 /dev/urandom | od -An -t x | tr -d ‘ ‘),kubelet-bootstrap,10001,"system:kubelet-bootstrap"
> EOF
创建配置文件
[root@km1 work]# vim kube-apiserver.conf
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota --anonymous-auth=false --bind-address=10.252.4.11 --secure-port=6443 --advertise-address=10.252.4.11 --insecure-port=0 --authorization-mode=Node,RBAC --runtime-config=api/all=true --enable-bootstrap-token-auth --service-cluster-ip-range=10.255.0.0/16 --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \ # 1.20以上版本必须有此参数
--service-account-issuer=https://kubernetes.default.svc.cluster.local \ # 1.20以上版本必须有此参数
--etcd-cafile=/etc/etcd/ssl/ca.pem --etcd-certfile=/etc/etcd/ssl/etcd.pem --etcd-keyfile=/etc/etcd/ssl/etcd-key.pem --etcd-servers=https://10.252.4.11:2379,https://10.252.4.12:2379,https://10.252.4.13:2379 --enable-swagger-ui=true --allow-privileged=true --apiserver-count=2 --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/log/kube-apiserver-audit.log --event-ttl=1h --alsologtostderr=true --logtostderr=false --log-dir=/var/log/kubernetes --v=4"
注:
--logtostderr:启用日志
--v:日志等级
--log-dir:日志目录
--etcd-servers:etcd集群地址
--bind-address:监听地址
--secure-port:https安全端口
--advertise-address:集群通告地址
--allow-privileged:启用授权
--service-cluster-ip-range:Service虚拟IP地址段
--enable-admission-plugins:准入控制模块
--authorization-mode:认证授权,启用RBAC授权和节点自管理
--enable-bootstrap-token-auth:启用TLS bootstrap机制
--token-auth-file:bootstrap token文件
--service-node-port-range:Service nodeport类型默认分配端口范围
--kubelet-client-xxx:apiserver访问kubelet客户端证书
--tls-xxx-file:apiserver https证书
--etcd-xxxfile:连接Etcd集群证书
--audit-log-xxx:审计日志
创建服务启动文件
[root@km1 work]# vim kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service
[Service]
EnvironmentFile=-/etc/kubernetes/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
同步相关文件到各个节点
[root@km1 work]# cp ca*.pem kube-apiserver*.pem /etc/kubernetes/ssl/
[root@km1 work]# cp token.csv kube-apiserver.conf /etc/kubernetes/
[root@km1 work]# cp kube-apiserver.service /usr/lib/systemd/system/
[root@km1 work]# scp ca*.pem kube-apiserver*.pem km2:/etc/kubernetes/ssl/
[root@km1 work]# scp token.csv kube-apiserver.conf km2:/etc/kubernetes/
[root@km1 work]# scp kube-apiserver.service km2:/usr/lib/systemd/system/
注:km1\km2配置文件的IP地址修改为实际的本机IP
启动服务
[root@km1 work]# systemctl daemon-reload
[root@km1 work]# systemctl start kube-apiserver
[root@km1 work]# systemctl status kube-apiserver
[root@km1 work]# systemctl enable kube-apiserver
[root@km1 work]# netstat -nltup|grep kube-api
3.4.4 部署四层反向代理
分别在km节点安装NGINX和keepalived
[root@km1 work]# yum install nginx keepalived -y
[root@km1 work]# vi /etc/nginx/nginx.conf
stream {
upstream kube-apiserver {
server 10.252.4.11:6443 max_fails=3 fail_timeout=30s;
server 10.252.4.12:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
[root@km1 work]# nginx -t
检查脚本
`vi /etc/keepalived/check_port.sh`
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
[root@km1 work]# chmod +x /etc/keepalived/check_port.sh
##########
配置文件
keepalived 主
[root@km1 work]# vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.252.4.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.252.4.11
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.252.4.10
}
}
keepalived 从:
! Configuration File for keepalived
global_defs {
router_id 10.252.4.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
virtual_router_id 251
mcast_src_ip 10.252.4.12
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.252.4.10
}
}
nopreempt:非抢占式
启动代理并检查
systemctl start nginx keepalived
systemctl enable nginx keepalived
netstat -lntup|grep nginx
ip add
kubernetes高可用集群安装(二进制安装、v1.20.2版)
标签:模块 _for route load hosts fstab ddr mes 内核参数
原文地址:https://www.cnblogs.com/zhugq02/p/14401161.html
