
ETCD部署

kubernetes部署思路

0.配置主機名和關閉防火牆

1.自簽名SSL證書

2.ETCD資料庫叢集部署

3.Node安裝Docker

4.Flannel容器叢集網絡部署

5.部署Master元件

6.部署Node元件

7.部署叢集内部DNS解析服務(coredns)

8.部署DashBoard

##############################

# 1.自簽名SSL證書

#各個元件及使用的證書

#ETCD: ca.pem server.pem server-key.pem

#Flannel: ca.pem server.pem server-key.pem

#Kube-apiserver: ca.pem server.pem server-key.pem

#Kubelet: ca.pem kube-proxy.pem kube-proxy-key.pem

#kube-proxy: ca.pem kube-proxy.pem kube-proxy-key.pem

#kubectl: ca.pem admin.pem admin-key.pem


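cat >"$HOME/SSL.sh" <<'EOFALG'
#!/bin/bash
# 1. Generate the self-signed CA and the etcd server certificate with cfssl.
#    Every component verifies its peers against this CA, so it is created first.
#    Output (in /k8s/etcd/ssl/): ca.pem ca-key.pem server.pem server-key.pem
set -euo pipefail

# Fail early with a readable message instead of a "command not found" half-way
# through, which would leave a partial set of certificates behind.
for tool in cfssl cfssljson; do
  command -v "$tool" >/dev/null 2>&1 || { printf 'missing required tool: %s\n' "$tool" >&2; exit 1; }
done

mkdir -p /k8s/{etcd,kubernetes}/{cfg,bin,ssl,apps,data}
cd /k8s/etcd/ssl/

# ca-config.json: the CA signing policy. The "etcd" profile carries both
# "server auth" and "client auth" because the one server.pem is presented on
# the client port and on the peer port. 87600h = 10 years.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

# ca-csr.json: the CA's own subject and key parameters.
cat > ca-csr.json <<'EOF'
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# server-csr.json: the certificate shared by the three etcd members. "hosts"
# must list every IP the certificate is presented on (it is the SAN list);
# a new member's IP has to be added here and the certificate re-issued.
#192.168.31.82 etc1
#192.168.31.83 etc2
#192.168.31.84 etc3
cat > server-csr.json <<'EOF'
{
    "CN": "etcd",
    "hosts": [
    "127.0.0.1",
    "192.168.31.82",
    "192.168.31.83",
    "192.168.31.84"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server

# Private keys must not be readable by other users: whoever holds ca-key.pem
# can issue certificates the whole cluster trusts, and server-key.pem lets a
# holder impersonate etcd to every component.
chmod 0600 ca-key.pem server-key.pem
EOFALG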

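# Run the generator just written above; it is not on PATH and not executable,
# so a bare "SSL.sh" would fail with "command not found".
bash "$HOME/SSL.sh"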

# 2.ETCD資料庫叢集部署

#建立啟動腳本和配置檔案

#建立啟動腳本和配置檔案
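cat >"$HOME/StartETCD.sh" <<'EOFALG'
#!/bin/bash
#############################################################
# Write this node's etcd member config (/k8s/etcd/cfg/etcd.conf) and the
# systemd unit (/usr/lib/systemd/system/etcd.service). Expects the
# certificates produced by SSL.sh in /k8s/etcd/ssl/.
#
# Arguments:
#   $1 - this member's name, e.g. etcd01
#   $2 - this member's IP address
#   $3 - the OTHER members, comma separated, as name=https://ip:2380
#
# example:   StartETCD.sh etcd01 192.168.31.82 etcd02=https://192.168.31.83:2380,etcd03=https://192.168.31.84:2380
#
#############################################################
set -euo pipefail

usage="usage: ${0##*/} <member-name> <member-ip> <other-members>"
ETCD_NAME=${1:?$usage}
ETCD_IP=${2:?$usage}
ETCD_CLUSTER=${3:?$usage}

# SSL.sh normally creates these, but do not depend on it having run on this node.
mkdir -p /k8s/etcd/{cfg,data}

cat >/k8s/etcd/cfg/etcd.conf<<EOF
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/k8s/etcd/data"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
# The plain-http 127.0.0.1:2379 listener is not covered by ETCD_CLIENT_CERT_AUTH:
# any local process can read and write the whole cluster state through it.
# Remove it if certificate-less local etcdctl access is not needed.
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
# This member is listed under its own name rather than a fixed "etcd01";
# otherwise every node but the first cannot find itself in the initial cluster.
ETCD_INITIAL_CLUSTER="${ETCD_NAME}=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# "new" bootstraps a cluster; use "existing" when adding a member to a running one.
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF

# Quoted delimiter: the ${...} and $(nproc) below must reach systemd/bash
# literally, not be expanded by this script.
cat >/usr/lib/systemd/system/etcd.service<<'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Literal path: systemd substitutes ${VAR} only in Exec*= lines, not here.
WorkingDirectory=/k8s/etcd/data
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" --client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" --peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
# The unit is only written here; enabling and starting it is a separate step.
EOFALG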