
kubernetes 集群搭建

安装docker

cd /etc/yum.repos.d/
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce -y
systemctl start docker

准备工作

# 创建目录
mkdir -p /www/kubernetes/{cfg,bin,ssl,log}
# 下载地址
https://github.com/kubernetes/kubernetes

CA证书创建和分发

# 证书制作工具的下载地址: https://pkg.cfssl.org/ （通过 https 下载二进制，避免传输过程中被篡改）
wget https://pkg.cfssl.org/R1.1/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.1/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

# 制作证书的临时目录（需先创建）
mkdir -p /usr/local/src/ssl
cd /usr/local/src/ssl
# 生成证书需要准备的文件
[root@one ssl]# cat ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
[root@one ssl]# cat ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
# 生成证书
[root@one ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# 复制到所有的节点
# 注意：ca-key.pem 是 CA 私钥，本文中只有 master(one) 上的 kube-apiserver 和 kube-controller-manager 用到它，
# worker 节点(two/three)上的 etcd、kubelet、kube-proxy、flanneld 只需要 ca.pem，建议不要把 ca-key.pem 分发到 worker 节点
[root@one ssl]# cp ca.csr ca-config.json ca-key.pem ca.pem  /www/kubernetes/ssl/
[root@one ssl]# scp ca.csr ca-config.json ca-key.pem ca.pem  two:/www/kubernetes/ssl/
[root@one ssl]# scp ca.csr ca-config.json ca-key.pem ca.pem  three:/www/kubernetes/ssl/

部署ETCD

# 项目地址
https://github.com/coreos/etcd
wget https://github.com/coreos/etcd/releases/download/v3.3.5/etcd-v3.3.5-linux-amd64.tar.gz 

# 创建证书
[root@one ~]# cd /usr/local/src/ssl/
[root@one ssl]# cat etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.38.21",
    "192.168.38.22",
    "192.168.38.23",
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

# 生成证书
cfssl gencert -ca=/www/kubernetes/ssl/ca.pem -ca-key=/www/kubernetes/ssl/ca-key.pem -config=/www/kubernetes/ssl/ca-config.json -profile=kubernetes etcd-csr.json |cfssljson -bare etcd
cp etcd*pem /www/kubernetes/ssl/
scp etcd*pem two:/www/kubernetes/ssl/
scp etcd*pem three:/www/kubernetes/ssl/

# 配置文件
cd /www/kubernetes/cfg
[root@one cfg]# cat etcd.conf
#[member]
ETCD_NAME="one"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.38.21:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.38.21:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.38.21:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="one=https://192.168.38.21:2380,two=https://192.168.38.22:2380,three=https://192.168.38.23:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.38.21:2379"
#[security]
# 以下两个开关的变量名必须带 ETCD_ 前缀，否则 etcd 不会读取，客户端证书和对端证书校验都不会开启
ETCD_CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/www/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/www/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/www/kubernetes/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="/www/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/www/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/www/kubernetes/ssl/etcd-key.pem"

# 修改启动命令
[root@one cfg]# cat /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/www/kubernetes/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /www/kubernetes/bin/etcd"
Type=notify

[Install]
WantedBy=multi-user.target

# 重载及启动集群
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd

# 检查健康状态
etcdctl --endpoints=https://192.168.38.21:2379   --ca-file=/www/kubernetes/ssl/ca.pem   --cert-file=/www/kubernetes/ssl/etcd.pem   --key-file=/www/kubernetes/ssl/etcd-key.pem cluster-health

kubernetes master部署

[root@one kubernetes]# cd /www/kubernetes/server/bin/
[root@one bin]# cp kube-apiserver kube-controller-manager kube-scheduler /www/kubernetes/bin/

# 生成证书
[root@one ssl]# cat kubernetes-csr.json 
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.38.21",
    "10.1.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
[root@one ssl]# cfssl gencert -ca=/www/kubernetes/ssl/ca.pem -ca-key=/www/kubernetes/ssl/ca-key.pem -config=/www/kubernetes/ssl/ca-config.json -profile=kubernetes kubernetes-csr.json |cfssljson -bare kubernetes
[root@one ssl]#  cp kubernetes*.pem /www/kubernetes/ssl/
[root@one ssl]# scp kubernetes*.pem two:/www/kubernetes/ssl/
[root@one ssl]# scp kubernetes*.pem three:/www/kubernetes/ssl/

# 生成apiserver客户端使用的token
[root@one ssl]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
1a6fba02023d60449e3448ff868953bc
[root@one ssl]# cat /www/kubernetes/ssl/bootstrap-token.csv
1a6fba02023d60449e3448ff868953bc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

# 创建基础用户名/密码认证配置（该文件以明文保存口令，admin/admin、readonly/readonly 仅为示例值，正式环境需替换为随机口令）
[root@one ssl]# cat /www/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2

部署Kubernetes API Server

[root@one ssl]# cat /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/www/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=192.168.38.21 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/www/kubernetes/ssl/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/www/kubernetes/ssl/bootstrap-token.csv \
  --service-cluster-ip-range=10.1.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/www/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/www/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/www/kubernetes/ssl/ca.pem \
  --service-account-key-file=/www/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/www/kubernetes/ssl/ca.pem \
  --etcd-certfile=/www/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/www/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://192.168.38.21:2379,https://192.168.38.22:2379,https://192.168.38.23:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/www/kubernetes/log/api-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=false \
  --log-dir=/www/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

# 重载及启动
[root@one bin]# systemctl daemon-reload
[root@one bin]# systemctl start kube-apiserver 
[root@one bin]# systemctl status  kube-apiserver 

部署Controller Manager服务

# 配置启动文件
[root@one ~]# cat /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/www/kubernetes/bin/kube-controller-manager \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --allocate-node-cidrs=true \
  --service-cluster-ip-range=10.1.0.0/16 \
  --cluster-cidr=10.2.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/www/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/www/kubernetes/ssl/ca-key.pem \
  --service-account-private-key-file=/www/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/www/kubernetes/ssl/ca.pem \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/www/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

# 重载及启动
[root@one ~]# systemctl daemon-reload 
[root@one ~]#  systemctl start kube-controller-manager 
[root@one ~]#  systemctl status kube-controller-manager 

部署Kubernetes Scheduler

# 配置启动文件
[root@one ~]# cat /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/www/kubernetes/bin/kube-scheduler \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/www/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

# 重载及启动
[root@one ~]# systemctl daemon-reload
[root@one ~]# systemctl start kube-scheduler 
[root@one ~]# systemctl status kube-scheduler 

部署kubectl 命令行工具

# 准备二进制命令
[root@one bin]# cd /usr/local/src/kubernetes/client/bin
[root@one bin]# cp kubectl /www/kubernetes/bin/

# 创建admin证书签名请求
[root@one bin]# cd /usr/local/src/ssl/ 
[root@one ssl]# cat admin-csr.json 
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

# 生成证书和私钥
[root@one ssl]# cat admin-csr.json 
{
  "CN": "admin",
  "hosts": [
    "127.0.0.1",
    "192.168.38.21"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
[root@one ssl]# cfssl gencert -ca=/www/kubernetes/ssl/ca.pem -ca-key=/www/kubernetes/ssl/ca-key.pem -config=/www/kubernetes/ssl/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin 
[root@one ssl]# cp admin*pem /www/kubernetes/ssl/

# 设置集群参数
[root@one ssl]# kubectl config set-cluster kubernetes --certificate-authority=/www/kubernetes/ssl/ca.pem --embed-certs=true --server=https://192.168.38.21:6443

# 设置客户端参数
[root@one ssl]# kubectl config set-credentials admin --client-certificate=/www/kubernetes/ssl/admin.pem --embed-certs=true    --client-key=/www/kubernetes/ssl/admin-key.pem

# 设置上下文参数
[root@one ssl]# kubectl config set-context kubernetes --cluster=kubernetes --user=admin 

# 设置默认上下文
[root@one ssl]# kubectl config use-context kubernetes 

# 使用kubectl工具
[root@one ssl]# kubectl get cs

部署kubernetes Node

部署kubelet

# 准备二进制命令包
[root@one bin]# cd /usr/local/src/kubernetes/server/bin/
[root@one bin]# cp kubelet kube-proxy /www/kubernetes/bin/
[root@one bin]# scp kubelet kube-proxy two:/www/kubernetes/bin/
[root@one bin]# scp kubelet kube-proxy three:/www/kubernetes/bin/

# 创建角色绑定
[root@one bin]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

# 创建kubelet bootstrapping kubeconfig 文件 设置集群参数
[root@one bin]# kubectl config set-cluster kubernetes --certificate-authority=/www/kubernetes/ssl/ca.pem --embed-certs=true --server=https://192.168.38.21:6443 --kubeconfig=bootstrap.kubeconfig

# 设置客户端认证参数
[root@one bin]# cat /www/kubernetes/ssl/bootstrap-token.csv 
1a6fba02023d60449e3448ff868953bc,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
[root@one bin]# kubectl config set-credentials kubelet-bootstrap --token=1a6fba02023d60449e3448ff868953bc --kubeconfig=bootstrap.kubeconfig 

# 设置上下文参数
[root@one bin]# kubectl config set-context default    --cluster=kubernetes    --user=kubelet-bootstrap    --kubeconfig=bootstrap.kubeconfig

# 选择默认的上下文
[root@one bin]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig 
[root@one bin]# cp bootstrap.kubeconfig /www/kubernetes/cfg/
[root@one bin]# scp bootstrap.kubeconfig two:/www/kubernetes/cfg/
[root@one bin]# scp bootstrap.kubeconfig three:/www/kubernetes/cfg/

# 部署kubelet 1.设置CNI支持（k8s网络相关的配置）
[root@one ~]# mkdir -p /etc/cni/net.d # 不创建
[root@two ~]# mkdir -p /etc/cni/net.d
[root@three ~]# mkdir -p /etc/cni/net.d
[root@two ~]# cat /etc/cni/net.d/10-default.conf        # 三个节点上全有
{
        "name": "flannel",
        "type": "flannel",
        "delegate": {
            "bridge": "docker0",
            "isDefaultGateway": true,
            "mtu": 1400
        }
}

# 创建kubelet目录
[root@two ~]# mkdir /var/lib/kubelet  # 三个节点

# 启动
[root@two ~]# cat /usr/lib/systemd/system/kubelet.service 
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/www/kubernetes/bin/kubelet \
  --address=192.168.38.22 \
  --hostname-override=192.168.38.22 \
  --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
  --experimental-bootstrap-kubeconfig=/www/kubernetes/cfg/bootstrap.kubeconfig \
  --kubeconfig=/www/kubernetes/cfg/kubelet.kubeconfig \
  --cert-dir=/www/kubernetes/ssl \
  --network-plugin=cni \
  --cni-conf-dir=/etc/cni/net.d \
  --cni-bin-dir=/www/kubernetes/bin/cni \
  --cluster-dns=10.1.0.2 \
  --cluster-domain=cluster.local. \
  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
  --fail-swap-on=false \
  --logtostderr=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/www/kubernetes/log
Restart=on-failure
RestartSec=5
[root@three cfg]# systemctl daemon-reload
[root@three cfg]# systemctl start kubelet 
# 启动报错的解决办法
修改 bootstrap.kubeconfig 文件，将 current-context 设置为 default

部署Kubernetes Proxy

# 配置kube-proxy使用LVS
[root@two ssl]# yum install -y ipvsadm ipset conntrack

# 创建 kube-proxy 证书请求
[root@one ssl]# cd /usr/local/src/ssl/ 
[root@one ssl]# cat kube-proxy-csr.json 
{
  "CN": "system:kube-proxy",
  "hosts": [
    "127.0.0.1",
    "192.168.38.22",
    "192.168.38.23"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

# 分发证书
[root@one ssl]# cp kube-proxy*.pem /www/kubernetes/ssl/
[root@one ssl]# scp kube-proxy*.pem two:/www/kubernetes/ssl/  
[root@one ssl]# scp kube-proxy*.pem three:/www/kubernetes/ssl/

# 创建kube-proxy配置文件
[root@one ssl]# kubectl config set-cluster kubernetes --certificate-authority=/www/kubernetes/ssl/ca.pem --embed-certs=true --server=https://192.168.38.21:6443  --kubeconfig=kube-proxy.kubeconfig
[root@one ssl]# kubectl config set-credentials kube-proxy --client-certificate=/www/kubernetes/ssl/kube-proxy.pem --client-key=/www/kubernetes/ssl/kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig 
[root@one ssl]# kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig 
[root@one ssl]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig 

# 分发配置文件
[root@one ssl]# cp kube-proxy.kubeconfig /www/kubernetes/cfg/
[root@one ssl]# scp kube-proxy.kubeconfig two:/www/kubernetes/cfg/
[root@one ssl]# scp kube-proxy.kubeconfig three:/www/kubernetes/cfg/

# 创建kube-proxy服务配置（下面 WorkingDirectory=/var/lib/kube-proxy，需先在各节点执行 mkdir -p /var/lib/kube-proxy，否则服务无法启动）
[root@two ssl]# cat /usr/lib/systemd/system/kube-proxy.service 
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/www/kubernetes/bin/kube-proxy \
  --bind-address=192.168.38.22 \
  --hostname-override=192.168.38.22 \
  --kubeconfig=/www/kubernetes/cfg/kube-proxy.kubeconfig \
  --masquerade-all \
  --feature-gates=SupportIPVSProxyMode=true \
  --proxy-mode=ipvs \
  --ipvs-min-sync-period=5s \
  --ipvs-sync-period=5s \
  --ipvs-scheduler=rr \
  --logtostderr=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/www/kubernetes/log

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

# 启动
[root@two ssl]# systemctl daemon-reload 
[root@two ssl]# systemctl start kube-proxy 

# 检查
[root@two ssl]# ipvsadm -L -n 
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr persistent 10800
  -> 192.168.38.21:6443           Masq    1      0          0 

Flannel网络部署

# 为Flannel生成证书
[root@one ssl]# cat flanneld-csr.json 
{
  "CN": "flanneld",
  "hosts": [
    "127.0.0.1",
    "192.168.38.21",
    "192.168.38.22",
    "192.168.38.23" 
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
[root@one ssl]#  cfssl gencert -ca=/www/kubernetes/ssl/ca.pem -ca-key=/www/kubernetes/ssl/ca-key.pem -config=/www/kubernetes/ssl/ca-config.json -profile=kubernetes flanneld-csr.json |cfssljson -bare flanneld

# 分发证书
[root@one ssl]# cp flanneld*pem /www/kubernetes/ssl/
[root@one ssl]# scp flanneld*pem two:/www/kubernetes/ssl/
[root@one ssl]# scp flanneld*pem three:/www/kubernetes/ssl/

# 下载Flannel软件包
[root@one src]# wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz 
[root@one src]# tar xf flannel-v0.10.0-linux-amd64.tar.gz
[root@one src]# cp flanneld /www/kubernetes/bin/
[root@one src]# scp flanneld two:/www/kubernetes/bin/
[root@one src]# scp flanneld three:/www/kubernetes/bin/

# 复制脚本
[root@one src]# cd /usr/local/src/kubernetes/cluster/centos/node/bin/
[root@one bin]# cp remove-docker0.sh /www/kubernetes/bin/
[root@one bin]# scp remove-docker0.sh two:/www/kubernetes/bin/
[root@one bin]# scp remove-docker0.sh three:/www/kubernetes/bin/

# 配置文件
[root@one bin]# cat /www/kubernetes/cfg/flannel 
FLANNEL_ETCD="-etcd-endpoints=https://192.168.38.21:2379,https://192.168.38.22:2379,https://192.168.38.23:2379"
FLANNEL_ETCD_KEY="-etcd-prefix=/kubernetes/network"
FLANNEL_ETCD_CAFILE="--etcd-cafile=/www/kubernetes/ssl/ca.pem"
FLANNEL_ETCD_CERTFILE="--etcd-certfile=/www/kubernetes/ssl/flanneld.pem"
FLANNEL_ETCD_KEYFILE="--etcd-keyfile=/www/kubernetes/ssl/flanneld-key.pem"
[root@one bin]# scp /www/kubernetes/cfg/flannel two:/www/kubernetes/cfg/
[root@one bin]# scp /www/kubernetes/cfg/flannel three:/www/kubernetes/cfg/

# 启动文件
[root@one bin]# cat /usr/lib/systemd/system/flannel.service 
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
Before=docker.service

[Service]
EnvironmentFile=-/www/kubernetes/cfg/flannel
ExecStartPre=/www/kubernetes/bin/remove-docker0.sh
ExecStart=/www/kubernetes/bin/flanneld ${FLANNEL_ETCD} ${FLANNEL_ETCD_KEY} ${FLANNEL_ETCD_CAFILE} ${FLANNEL_ETCD_CERTFILE} ${FLANNEL_ETCD_KEYFILE}
ExecStartPost=/www/kubernetes/bin/mk-docker-opts.sh -d /run/flannel/docker

Type=notify

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service
[root@one bin]# scp /usr/lib/systemd/system/flannel.service two:/usr/lib/systemd/system/
[root@one bin]# scp /usr/lib/systemd/system/flannel.service three:/usr/lib/systemd/system/

# Flannel CNI集成 下载插件
[root@one src]# cd /usr/local/src/
[root@one src]# wget https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz 
[root@one src]# mkdir /www/kubernetes/bin/cni 
[root@one src]# tar xf cni-plugins-amd64-v0.7.1.tgz -C /www/kubernetes/bin/cni 
[root@one src]# scp /www/kubernetes/bin/cni/* two:/www/kubernetes/bin/cni/ 
[root@one src]# scp /www/kubernetes/bin/cni/* three:/www/kubernetes/bin/cni/ 
# 创建Etcd的key
[root@one src]# etcdctl --ca-file /www/kubernetes/ssl/ca.pem --cert-file /www/kubernetes/ssl/flanneld.pem --key-file /www/kubernetes/ssl/flanneld-key.pem  --no-sync -C https://192.168.38.21:2379,https://192.168.38.22:2379,https://192.168.38.23:2379 mk /kubernetes/network/config '{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "VNI": 1 }}'

# 启动flannel
systemctl daemon-reload
systemctl start flannel

# 为docker配置flannel
vim /usr/lib/systemd/system/docker.service
[Unit] #在Unit下面修改After和增加Requires
After=network-online.target firewalld.service flannel.service
Wants=network-online.target
Requires=flannel.service

[Service] #增加EnvironmentFile=-/run/flannel/docker
Type=notify
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/bin/dockerd $DOCKER_OPTS

[root@one src]# systemctl daemon-reload 
[root@one src]# systemctl restart docker 
[root@one src]# systemctl status docker 

# 复制到其他节点
[root@one src]# scp /usr/lib/systemd/system/docker.service two:/usr/lib/systemd/system/docker.service
[root@one src]# scp /usr/lib/systemd/system/docker.service three:/usr/lib/systemd/system/docker.service

创建pod

[root@one ~]#  cat nginx-deployment.yaml 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.10.3
        ports:
        - containerPort: 80

# 
kubectl create -f nginx-deployment.yaml 

常用命令

# 查看
kubectl get deployment
kubectl get pods

# 详细
kubectl describe pods
kubectl describe deployment

# 创建
kubectl run kubernetes-bootcamp --image=jocatalin/kubernetes-bootcamp:v1 --port=8080

# 扩容缩容
kubectl scale deploy kubernetes-bootcamp --replicas=2

# 更新镜像
kubectl set image deploy kubernetes-bootcamp kubernetes-bootcamp=jocatalin/kubernetes-bootcamp:v2

# 更新状态
kubectl rollout status deploy kubernetes-bootcamp

# 回滚
kubectl rollout undo deploy kubernetes-bootcamp

# services
kubectl expose deploy kubernetes-bootcamp --type="NodePort" --target-port=8080 --port=80