Kubernetes Introduction: Deploying the flannel Network
Preface: this article is meant to be followed after etcd has been deployed in HTTPS mode; the etcd installation is covered in my previous article: (https://blog.csdn.net/zcg19911222/article/details/97956951)
Kubernetes gives every pod its own IP address, so when the cluster is created a range of IPs has to be set aside for pods. flannel builds a pod network that is reachable across all nodes, here using the vxlan backend to encapsulate traffic between them. (Any other plugin that implements the CNI interface works too; calico, for example, is widely used and worth reading up on.)
1. Installing flannel
1.1 Installing with yum
On CentOS you can install it straight from yum; the version this currently pulls in is v0.7.1.
$ yum install flannel -y
1.2 Installing from the binary release
The latest flannel release at the time of writing is v0.11.0; to run the latest version, install it from the release tarball instead:
cd /opt/k8s/work
mkdir flannel
wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
tar -xzvf flannel-v0.11.0-linux-amd64.tar.gz -C flannel
2. Deploying flannel
The steps below assume the yum install from 1.1. If you installed from the binary release, follow this guide for the deployment instead: https://github.com/opsnull/follow-me-install-kubernetes-cluster/blob/master/05.部署flannel网络.md
flanneld reads and writes the subnet allocations in the etcd cluster, and the etcd cluster was deployed with mutual x509 authentication, so flanneld needs a certificate and private key of its own. Reusing etcd's certificate and key does work, but it is poor practice: a dedicated client certificate (CN `flanneld`, no hosts entry since flanneld never acts as a TLS server) gives flanneld its own identity in etcd's logs and can be rotated or revoked without touching the etcd members.
2.1 Generating a certificate and private key for flannel
$cd /opt/k8s/work
$vim flanneld-csr.json
{
"CN": "flanneld",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
With the CSR file in place, run the following command to generate the certificate and private key:
cfssl gencert -ca=/opt/k8s/work/ca.pem -ca-key=/opt/k8s/work/ca-key.pem -config=/opt/k8s/work/ca-config.json -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld
Then distribute the certificate and private key to every node (run on k8s-master):
cp flanneld*pem /etc/kubernetes/cert
scp flanneld*pem [email protected]:/etc/kubernetes/cert
scp flanneld*pem [email protected]:/etc/kubernetes/cert
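Before copying the files out, it is worth checking that the certificate cfssl produced is actually usable as an etcd client certificate. The shell function below is an added example, not part of the original post and not code from flannel or cfssl; it assumes only that openssl is installed, takes the ca.pem and flanneld.pem paths from this section as arguments, and defaults the expected CN to `flanneld`, the one in flanneld-csr.json. It verifies the chain against the CA, the subject CN, and that the certificate carries the clientAuth extended key usage that the `kubernetes` cfssl profile adds through its "client auth" usage; a server-only certificate passes the chain check and is still refused in etcd's TLS handshake.

```shell
#!/bin/sh
# Added example (not from the original post, not part of flannel or cfssl):
# sanity-check the flanneld client certificate before distributing it.
# Assumes openssl is installed; CA and CERT are the ca.pem / flanneld.pem
# paths from this section, EXPECTED_CN defaults to the CN in flanneld-csr.json.

# check_flanneld_cert CA CERT [EXPECTED_CN]
# Returns 0 when CERT chains to CA, carries EXPECTED_CN as its subject CN and
# is marked for TLS client authentication; returns 1 (with a reason on
# stderr) otherwise.
check_flanneld_cert() {
    ca=$1 cert=$2 want_cn=${3:-flanneld}

    # 1. chain: etcd only accepts clients signed by the CA in --trusted-ca-file
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca" >&2; return 1; }

    # 2. identity: the CN is what etcd sees (and logs) for this client
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$want_cn,"* | *"CN=$want_cn") ;;
        *) echo "FAIL: subject '$subject' does not carry CN=$want_cn" >&2; return 1 ;;
    esac

    # 3. usage: a cert without clientAuth verifies fine but is rejected in the
    #    TLS handshake; cfssl adds it via the profile's "client auth" usage
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$text" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "FAIL: $cert has no clientAuth extended key usage" >&2; return 1 ;;
    esac

    # 4. lifetime: warn (but do not fail) if it expires within 30 days
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        echo "WARN: $cert expires within 30 days" >&2
    return 0
}
```

Run it on k8s-master as `check_flanneld_cert /opt/k8s/work/ca.pem /opt/k8s/work/flanneld.pem` before the cp/scp step; a non-zero exit means the file should not be shipped to the nodes.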
2.2 flannel configuration and startup
First put the frequently used parameters into an environment file:
vim /opt/k8s/bin/environment.sh
# Pod network; a /16 is recommended. It must not overlap any existing route (node or service network): unreachable before deployment, routable across the whole cluster afterwards (flanneld installs the routes)
CLUSTER_CIDR="172.30.0.0/16"
# etcd key prefix under which flanneld stores its configuration
export FLANNEL_ETCD_PREFIX="/atomic.io/network"
# add the binary directory /opt/k8s/bin to PATH
export PATH=/opt/k8s/bin:$PATH
# load the variables into the current shell (use the full path; the file is in /opt/k8s/bin, not in the current directory)
source /opt/k8s/bin/environment.sh
The configuration flanneld needs (the pod network, the per-node subnet length and the encapsulation backend) must be written to etcd before flanneld starts; run this on any one node. I have already configured etcdctl's connection parameters, so the certificate flags are omitted below; otherwise pass `--endpoints`, `--ca-file`, `--cert-file` and `--key-file` explicitly. Note that flanneld of this version talks to etcd through the v2 API, so the key has to be written with the v2 etcdctl (`ETCDCTL_API=2`; the `mk`, `ls` and `get` subcommands used here do not exist in the v3 CLI), and an etcd 3.4 or newer server must be started with `--enable-v2=true` for flanneld to be able to read it:
etcdctl mk ${FLANNEL_ETCD_PREFIX}/config '{"Network":"'${CLUSTER_CIDR}'", "SubnetLen": 24, "Backend": {"Type": "vxlan"}}'
Then edit flannel's configuration file:
vim /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="https://172.24.211.217:2379,https://172.24.211.218:2379,https://172.24.211.219:2379"
FLANNEL_ETCD_PREFIX="/atomic.io/network"
FLANNEL_OPTIONS="-etcd-cafile=/etc/kubernetes/cert/ca.pem -etcd-certfile=/etc/kubernetes/cert/flanneld.pem -etcd-keyfile=/etc/kubernetes/cert/flanneld-key.pem"
Once the master is configured, sync the file straight to the other nodes:
scp /etc/sysconfig/flanneld [email protected]:/etc/sysconfig/flanneld
scp /etc/sysconfig/flanneld [email protected]:/etc/sysconfig/flanneld
Start the flannel service:
systemctl daemon-reload && systemctl enable flanneld && systemctl restart flanneld
Check that it started:
systemctl status flanneld|grep Active
Inspect the network allocations in etcd: first the list of per-node subnets, then one node's lease, whose value records the node's public IP and its vxlan VTEP MAC:
etcdctl ls /atomic.io/network/subnets
etcdctl get /atomic.io/network/subnets/172.30.21.0-24
2.3 docker configuration (skip this step if docker0 and flannel.1 are already in the same subnet)
Docker was installed before flannel here, so its unit file needs a small change for flannel to take effect: dockerd must take its bridge address and MTU from the options flanneld publishes in /run/flannel/docker (the yum-packaged flanneld.service generates that file after flanneld starts). The `-` in front of the path makes the file optional, so if flanneld is not running when docker starts, dockerd silently comes up with its default 172.17.0.0/16 bridge and the pods on that node are unreachable; that is what the check at the end of this step catches.
vim /usr/lib/systemd/system/docker.service
# Full [Service] and [Install] sections (only EnvironmentFile and ExecStart differ from the stock unit; the [Unit] section is unchanged and not repeated here)
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
Once the master is configured, sync the unit file to the other nodes and restart docker on every node (flanneld must already be running there, because the restart is what makes dockerd pick up the options in /run/flannel/docker; note that restarting docker also restarts its running containers):
scp /usr/lib/systemd/system/docker.service [email protected]:/usr/lib/systemd/system/docker.service
scp /usr/lib/systemd/system/docker.service [email protected]:/usr/lib/systemd/system/docker.service
systemctl daemon-reload && systemctl enable docker && systemctl restart docker
Confirm on every worker node that the docker0 bridge and the flannel.1 interface have addresses in the same subnet; if they do, this part of the deployment is complete:
/usr/sbin/ip addr show flannel.1 && /usr/sbin/ip addr show docker0
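The `ip addr` comparison above is done by eye. The script below does the same check mechanically and also shows how the dockerd flags that end up in $DOCKER_NETWORK_OPTIONS are derived from the subnet flanneld leases. It is an added example, not code from the post and not flannel's own mk-docker-opts.sh (whose --bip/--mtu/--ip-masq convention it follows); the subnet.env content and the docker0 addresses are constructed, and it assumes flanneld writes /run/flannel/subnet.env as KEY=VALUE lines in that form.

```shell
#!/bin/sh
# Added example, not from the original post and not flannel's own
# mk-docker-opts.sh (whose --bip/--mtu/--ip-masq convention it follows).
# Assumption: flanneld writes /run/flannel/subnet.env as KEY=VALUE lines like
# the constructed sample below; the addresses are made up for the example.

SAMPLE_SUBNET_ENV='FLANNEL_NETWORK=172.30.0.0/16
FLANNEL_SUBNET=172.30.21.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true'

# subnet_env_value TEXT KEY -> the value of the KEY=... line in TEXT
subnet_env_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# ip4_to_int 172.30.21.1 -> the address as a 32-bit integer (2887652609)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/PREFIX -> 0 when ADDR lies inside NET/PREFIX
in_cidr() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# docker_opts_from_subnet_env TEXT -> the dockerd flags for this node.
# --bip pins docker0 to the subnet flanneld leased; --mtu leaves room for the
# vxlan header; when flanneld already masquerades (FLANNEL_IPMASQ=true) dockerd
# must not do it again, otherwise pod-to-pod traffic leaving via flannel.1 is
# SNATed and the real pod source address is lost.
docker_opts_from_subnet_env() {
    subnet=$(subnet_env_value "$1" FLANNEL_SUBNET)
    mtu=$(subnet_env_value "$1" FLANNEL_MTU)
    if [ "$(subnet_env_value "$1" FLANNEL_IPMASQ)" = true ]; then
        masq=false
    else
        masq=true
    fi
    echo "--bip=$subnet --mtu=$mtu --ip-masq=$masq"
}

# check_docker_bridge DOCKER0_ADDR TEXT -> 0 when docker0 is inside the leased
# subnet (the "same subnet" check from the post), 1 when dockerd came up with
# its default bridge because /run/flannel/docker was missing at start time.
check_docker_bridge() {
    subnet=$(subnet_env_value "$2" FLANNEL_SUBNET)
    if in_cidr "$1" "$subnet"; then
        echo "ok: docker0 $1 is inside flannel subnet $subnet"
        return 0
    fi
    echo "MISMATCH: docker0 $1 is outside flannel subnet $subnet; restart docker after flanneld" >&2
    return 1
}

# On a real node the inputs come from the live system, e.g.:
# check_docker_bridge "$(ip -4 -o addr show docker0 | awk '{print $4}' | cut -d/ -f1)" "$(cat /run/flannel/subnet.env)"
```

With the sample lease, `docker_opts_from_subnet_env` yields `--bip=172.30.21.1/24 --mtu=1450 --ip-masq=false`, which is what dockerd should be running with on that node; a docker0 at 172.17.0.1 is reported as a mismatch, the symptom of docker having started before flanneld.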
References
[1]. https://github.com/opsnull/follow-me-install-kubernetes-cluster, "Deploy a Kubernetes cluster with me step by step".
[2]. https://www.cnblogs.com/netsa/p/8203173.html, "k8s installation and deployment (5): installing the flannel network plugin".