kubernets集群二进制单节点部署

Posted 可乐卷儿

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了kubernets集群二进制单节点部署相关的知识,希望对你有一定的参考价值。

提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档


前言

官方提供的三种部署方式:kubeadmin、二进制、minikube,本文主要讲解二进制部署方式
K8S二进制部署,分为几个模块部署:
1、ETCD集群
2、FLANNEL网络
3、单master部署
4、node部署
5、多master部署

一、CA证书

在 Kubernetes 的组件之间进行通信时,数字证书的验证是在协议层面通过TLS完成的,除了需要在建立通信时提供相关的证书和密钥外,在应用层面并不需要进行特殊处理。采用TLS 进行验证有两种方式:

  1. 服务器单向认证:只需要服务器端提供证书,客户端通过服务器端证书验证服务的身份,但服务器并不验证客户端的身份。这种情况一般适用于对Internet开放的服务,例如搜索引擎网站,任何客户端都可以连接到服务器上进行访问,但客户端需要验证服务器的身份,以避免连接到伪造的恶意服务器。
  2. 双向TLS 认证:除了客户端需要验证服务器的证书,服务器也要通过客户端证书验证客户端的身份。这种情况下服务器提供的是敏感信息,只允许特定身份的客户端访问。在Kubernetes中,各个组件提供的接口中包含了集群的内部信息。如果这些接口被非法访问,将影响集群的安全,因此组件之间的通信需要采用双向rLs认证。即客户端和服务器端都需要验证对方的身份信息。在两个组件进行双向认证时,会涉及到下面这些证书相关的文件:
    ①:服务器端证书:服务器用于证明自身身份的数字证书,里面主要包含了服务器端的公钥以及服务器的身份信息。
    ②:服务器端私钥:服务器端证书中包含的公钥所对应的私钥。公钥和私钥是成对使用的,在进行rL s验证时,服务器使用该私钥来向客户州证明自己是服务器端证书的拥有者
    ③:客户端证书:客户端用于证明自身身份的数字证书,里面主要包含了客户端的公钥以及客户端的身份信息。
    ④:客户端私钥:客户端证书中包含的公钥所对应的私钥,同理,客户端使用该私钥来向服务器端证明自己是客户端证书的拥有者
    ⑤:服务器端CA根证书:签发服务器端证书的 CA根证书,客户端使用该CA 根证书来验证服务器端证书的合法性。
    ⑥:客户端端CA根证书:签发客户端证书的CA根证书,服务器端使用该CA根证书来验证客户端证书的合法性。

1、制作官方颁发的证书

  1. 创建ca密钥(文件定义)ca-key.pem
  2. 创建ca证书(文件定义)ca.pem

2、制作master端的证书

(用于内部加密通讯,同时为了给与client端颁发master签名的证书)

  1. 创建过程:需要以下几步
    设置私钥确保安全加密 .pem
    私钥签名确保身份真实 .csr
    制作证书(需要cA官方颁发) cert.pem
  2. 创建私钥
  3. 私钥签名
  4. 使用ca证书与密钥证书签名

3、制作node瑞证书

  1. 由master端制作node端密钥对
  2. node端的证书进行签名
  3. 创建一个配置文件(区别于服务端,进行客户端验证)
  4. 生成证书

4、证书有效期

二进制是etcd-cert.sh内的ca-config.json中可以自定义:87600,10年
kubeadmin是默认1年

二、k8s二进制部署

服务器ip角色
kube-apiserver、kube-controller-manager、kube-scheduler、etcd192.168.35.40/24Master1
kubelet、kube-proxy、docker、flannel、etcd02192.168.35.20/24node01
kubelet、kube-proxy、docker、flannel、etcd03192.168.35.30/24node2

1、ETCD集群部署

systemctl stop firewalld
systemctl disable friewalld
vim /etc/reslov.conf
	nameserver 114.114.114.114
ntpdate ntp1.aliyun.com
setenforce 0
swapoff -a 	##关闭交换空间

1.1、创建cfssl类型工具下载脚本

先从官网源中制作证书的工具下载下来

[ root@master etcd-cert] #cat cfssl.sh
##先从官网源中制作证书的工具下载下来,(-o:导出)放在/usr/local/bin中便于系统识别
curi -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

##从另一个站点源中下载cfssljson工具,用于识别json配置文件格式
curl -L https:/ /pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

##下载cfssl-certinfo工具
curl -I https://pkg .cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

[root@master01 k8s]# cd /usr/local/bin
[root@master01 bin]# chmod +x *
[root@master01 bin]# ll
总用量 18808
-rwxr-xr-x. 1 root root 10376657 1月  16 2020 cfssl
-rwxr-xr-x. 1 root root  6595195 1月  16 2020 cfssl-certinfo
-rwxr-xr-x. 1 root root  2277873 1月  16 2020 cfssljson

2.2、定义证书两个脚本

[root@master ~]# mkdir k8s		##创建证书的目录,复制k8s目录下的证书创建脚本
[root@master ~]# cd k8s		
[root@master k8s]# ls		##上传证书和启动脚本
etcd-cert.sh  etcd.sh
	etcd-cert.sh 是证书制作的脚本
	etcd.sh etcd启动脚本
[root@master k8s]# cat etcd-cert.sh 		##查看CA的证书
cat > ca-config.json <<EOF		##CA证书配置文件;

  "signing": 					##键名称
    "default": 
      "expiry": "87600h"			##证书有效期(10年)
    ,
    "profiles": 					##简介
      "www": 					##名称,可自定义
         "expiry": "87600h",
         "usages": [				##使用方法
            "signing",				#键名
            "key encipherment",		##认证方式:密钥验证(密钥验证要设置在CA证书中)
            "server auth",			##服务器端验证
            "client auth"				##客户端验证
        ]
      
    
  

EOF

cat > ca-csr.json <<EOF			##CA签名文件;CA的秘钥

    "CN": "etcd CA",				##CA签名为etcd指定(三个节点均需要)
    "key": 
        "algo": "rsa",				##使用rsa非对称密钥的形式
        "size": 2048				##密钥长度为2048
    ,
    "names": [					##在证书中定义信息(标准格式)
        
            "C": "CN",				##名称
            "L": "Beijing",		
            "ST": "Beijing"		
        
    ]

EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -		##基于签名文件制作秘钥证书	;生成证书,生成ca-key.pem 和ca.pem
##cfssl:制作证书的工具
-initca:初始化ca证书


#-----------------------

cat > server-csr.json <<EOF			#服务器端的签名;etcd节点服务端的签名文件 

    "CN": "etcd",
    "hosts": [					#定义三个节点的IP地址
    "192.168.35.40",				##修改为实际的ip地址,master01
    "192.168.35.20",				##node01
    "192.168.35.10"				##node02
    ],
    "key": 
        "algo": "rsa",
        "size": 2048
    ,
    "names": [
        
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        
    ]

EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server		##根据服务端签名文件生成证书
##cfssl 为证书制作工具
-----------以上签名文件制作完毕-------------------------------
[root@master01 k8s]# sh -x etcd-cert.sh
[root@master01 k8s]# cat etcd.sh 	##查看etcd 启动脚本 
#!/bin/bash
#以下为使用格式:etcd名称 当前etcd的IP地址+完整的集群名称和地址
# example: ./etcd.sh etcd01 192.168.1.10 		etcd02=https://192.168.1.11:2380,etcd03=https://192.168.1.12:2380
ETCD_NAME=$1						#位置变量1:etcd节点名称
ETCD_IP=$2							#位置变量2:节点地址
ETCD_CLUSTER=$3						#位置变量3:集群

WORK_DIR=/opt/etcd					#指定工作目录

cat <<EOF >$WORK_DIR/cfg/etcd				#在指定工作目录创建ETCD的配置文件
#[Member]
ETCD_NAME="$ETCD_NAME"				#etcd名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://$ETCD_IP:2380"		#etcd IP地址:2380端口。用于集	群之间通讯
ETCD_LISTEN_CLIENT_URLS="https://$ETCD_IP:2379"	#etcd IP地址:2379端口,用于开放给外部客户端通讯

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://$ETCD_IP:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://$ETCD_IP:2379"	#对外提供的url使用https的协议进行访问
ETCD_INITIAL_CLUSTER="etcd01=https://$ETCD_IP:2380,$ETCD_CLUSTER"		#多路访问
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"		#tokens 令牌环名称:etcd-cluster
ETCD_INITIAL_CLUSTER_STATE="new"			#状态,重新创建
EOF

cat <<EOF >/usr/lib/systemd/system/etcd.service		#定义ectd的启动脚本
[Unit]										#基本项			
Description=Etcd Server						#类似为 etcd 服务
After=network.target						
After=network-online.target
Wants=network-online.target

[Service]									#服务项
Type=notify
EnvironmentFile=$WORK_DIR/cfg/etcd		#etcd文件位置
ExecStart=$WORK_DIR/bin/etcd \\			#准启动状态及以下的参数
--name=\\$ETCD_NAME \\
--data-dir=\\$ETCD_DATA_DIR \\
--listen-peer-urls=\\$ETCD_LISTEN_PEER_URLS \\
--listen-client-urls=\\$ETCD_LISTEN_CLIENT_URLS,http://127.0.0.1:2379 \\
--advertise-client-urls=\\$ETCD_ADVERTISE_CLIENT_URLS \\ #以下为群集内部的设定
--initial-advertise-peer-urls=\\$ETCD_INITIAL_ADVERTISE_PEER_URLS \\
--initial-cluster=\\$ETCD_INITIAL_CLUSTER \\
--initial-cluster-token=\\$ETCD_INITIAL_CLUSTER_TOKEN \\	#群集内部通信,也是使用的令牌,为了保证安全(防范中间人窃取)
--initial-cluster-state=new \\
--cert-file=$WORK_DIR/ssl/server.pem \\		#证书相关参数
--key-file=$WORK_DIR/ssl/server-key.pem \\
--peer-cert-file=$WORK_DIR/ssl/server.pem \\
--peer-key-file=$WORK_DIR/ssl/server-key.pem \\
--trusted-ca-file=$WORK_DIR/ssl/ca.pem \\
--peer-trusted-ca-file=$WORK_DIR/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536								#开放最多的端口号

[Install]
WantedBy=multi-user.target						#进行启动
EOF

systemctl daemon-reload							#参数重载
systemctl enable etcd
systemctl restart etcd

3.3、ETCD集群部署

上传etcd的压缩包
[root@master k8s]# tar xzvf etcd-v3.3.10-linux-amd64.tar.gz
[root@master k8s]# ls
etcd-cert                 etcd-v3.3.10-linux-amd64.tar.gz
etcd.sh                   flannel-v0.10.0-linux-amd64.tar.gz
etcd-v3.3.10-linux-amd64  kubernetes-server-linux-amd64.tar.gz
[root@master01 k8s]# cd etcd-v3.3.10-linux-amd64/
[root@master01 etcd-v3.3.10-linux-amd64]# ls
Documentation  etcdctl            README.md
etcd           README-etcdctl.md  READMEv2-etcdctl.md

[root@localhost k8s]# mkdir /opt/etcd/cfg,bin,ssl -p    	##创建配置文件,命令文件,证书
[root@localhost k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/		##拷贝命令文件至相应目录

[root@localhost k8s]# cp *.pem /opt/etcd/ssl/		##拷贝证书文件至相应目录进行加密
------------->进入卡住状态等待其他节点加入<-------------------
[root@localhost k8s]# bash etcd.sh etcd01 192.168.35.40 etcd02=https://192.168.35.20:2380,etcd03=https://192.168.35.30:2380		##命令运行会加入
产生systemd文件
[root@master01 k8s]# ps -ef | grep etcd		##另开终端查询进程

[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.35.20:/opt/		##拷贝证书去其他节点
[root@localhost k8s]# scp -r /opt/etcd/ root@192.168.35.30:/opt/

[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service 			root@192.168.35.20:/usr/lib/systemd/system/			##启动脚本拷贝其他节点
[root@localhost k8s]# scp /usr/lib/systemd/system/etcd.service root@192.168.35.30:/usr/lib/systemd/system/
------------->修改node节点<-------------------
[root@localhost ~]# vim /opt/etcd/cfg/etcd
#[Member]
ETCD_NAME="etcd02"			##修改为etcd02
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.35.20:2380"			##修改为node1节点
ETCD_LISTEN_CLIENT_URLS="https://192.168.35.20:2379"		##修改为node1节点

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.35.20:2380"	##修改为node1节点
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.35.20:2379"		##修改为node1节点
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.35.40:2380,etcd02=https://192.168.35.20:2	380,etcd03=https://192.168.35.30:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

同样方式更改node2节点

[root@localhost ssl]# systemctl start etcd		##启动master01,node1,node2
[root@localhost ssl]# systemctl status etcd
master01检查群集状态
[root@localhost ~]# cd /root/k8s			##进入证书所在的位置
[root@master etcd-cert]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379" cluster-health
member 83aa12b16de79aa is healthy: got healthy result from https://192.168.35.30:2379
member 5884349a8c33351b is healthy: got healthy result from https://192.168.35.40:2379
member 9a3eb09d184e6553 is healthy: got healthy result from https://192.168.35.30:2379
cluster is healthy
	--ca-file=ca.pem:指定ca证书位置
	--endpoints:指定集群节点

2、node节点部署docker

yum install -y yum-utils device-mapper-persistent-data lvm2
cd /etc/yum.repos.d/
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce
systemctl start docker
systemctl enable docker
tee /etc/docker/daemon.json <<-'EOF'

  "registry-mirrors": ["https://jqqwsp8f.mirror.aliyuncs.com"]

EOF
systemctl daemon-reload
systemctl restart docker
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
systemctl restart network
systemctl restart docker 

3、flannel网络集群部署

上传flannel软件包至k8s目录下

[root@master01 k8s]# tar xzvf flannel-v0.10.0-linux-amd64.tar.gz

写入分配的子网段到etcd中,供flannel使用

[root@master01 k8s]# cd k8s
[root@master01 k8s]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379" set /coreos.com/network/config ' "Network": "172.17.0.0/16", "Backend": "Type": "vxlan"'	##写入分配的子网段到etcd中,供flannel使用
 "Network": "172.17.0.0/16", "Backend": "Type": "vxlan"
[root@master01 k8s]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379" get /coreos.com/network/config		##查看写入的信息
 "Network": "172.17.0.0/16", "Backend": "Type": "vxlan"


所有node节点操作

上传flanner安装包
[root@node1 ~]# mkdir /opt/kubernetes/cfg,bin,ssl -p
[root@node1 ~]# tar xzvf flannel-v0.10.0-linux-amd64.tar.gz 
flanneld
mk-docker-opts.sh
README.md
[root@node1 ~]# mv mk-docker-opts.sh flanneld /opt/kubernetes/bin/
[root@node1 ~]# ls /opt/kubernetes/bin/*
/opt/kubernetes/bin/flanneld  /opt/kubernetes/bin/mk-docker-opts.sh
[root@node1 ~]# vim flannel.sh 		##上传flannel的脚本并编辑
#!/bin/bash

ETCD_ENDPOINTS=$1:-"http://127.0.0.1:2379"

cat <<EOF >/opt/kubernetes/cfg/flanneld		##flannel的配置文件

FLANNEL_OPTIONS="--etcd-endpoints=$ETCD_ENDPOINTS \\		##定义etcd的对接
-etcd-cafile=/opt/etcd/ssl/ca.pem \\			##etcd的访问证书
-etcd-certfile=/opt/etcd/ssl/server.pem \\		
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"

EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service		##启动脚本
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify										##类型notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \\$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target

EOF

开启flannel服务

[root@node1 ~]# systemctl daemon-reload	
[root@node1 ~]# systemctl enable flanneld
[root@node1 ~]# systemctl restart flanneld

配置docker连接flannel

[root@node1 ~]# vim /usr/lib/systemd/system/docker.service 	##配置docker连接flannel
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket containerd.service
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
EnvironmentFile=/run/flannel/subnet.env		##添加此条信息
ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS -H fd:// --containerd=/run/containerd/containerd.sock		##添加大写字母部分
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
...
[root@node1 ~]# cat /run/flannel/subnet.env 
DOCKER_OPT_BIP="--bip=172.17.53.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.53.1/24 --ip-masq=false --mtu=1450

重启docker服务

[root@node1 ~]# systemctl daemon-reload
[root@node1 ~]# systemctl restart docker

查看flannel网络

[root@node1 ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.53.1  netmask 255.255.255.0  broadcast 172.17.53.255
        ether 02:42:27:0d:cf:b7  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.35.20  netmask 255.255.255.0  broadcast 192.168.35.255
        inet6 fe80::20c:29ff:feac:dda4  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:ac:dd:a4  txqueuelen 1000  (Ethernet)
        RX packets 462532  bytes 208752911 (199.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 386159  bytes 41563322 (39.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.53.0  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::a4e2:5aff:fe86:a4c4  prefixlen 64  scopeid 0x20<link>
        ether a6:e2:5a:86:a4:c4  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 39 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4507  bytes 800521 (781.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4507  bytes 800521 (781.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:e6:f0:5e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


测试ping通对方docker0网卡 证明flannel起到路由作用

[root@localhost ~]# docker run -it centos:7 /bin/bash
[root@5f9a65565b53 /]# yum install net-tools -y


 [root@node1 ~]# ping 172.17.80.1		##测试ping通node2的docker0网卡 证明flannel起到路由作用


4、部署master组件

在master上操作,api-server生成证书

root@localhost k8s]# unzip master.zip
[root@localhost k8s]# mkdir /opt/kubernetes/cfg,bin,ssl -p
[root@localhost k8s]# mkdir k8s-cert
[root@localhost k8s]# cd k8s-cert/
[root@localhost k8s-cert]# ls
k8s-cert.sh
 
cat > ca-config.json <<EOF

  "signing": 
    "default": 
      "expiry": "87600h"
    ,
    "profiles": 
      "kubernetes": 
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      
    
  

EOF
 
cat > ca-csr.json <<EOF

    "CN": "kubernetes",
    "key": 
        "algo": "rsa",
        "size": 2048
    ,
    "names": [
        
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
           "O": "k8s",
            "OU": "System"
        
    ]

EOF
 
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
 
#-----------------------
 
cat > server-csr.json <<EOF

    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",		##集群的网段
      "127.0.0.1",
    "192.168.35.40",		##master1	;##若是单节点仅需要定义master01、node01、node02
      "192.168.35.20",	##node1
      "192.168.35.30",	##node2
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": 
        "algo": "rsa",
        "size": 2048
    ,
    "names": [
        
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        
    ]

EOF
 
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
 
#-----------------------
 
cat > admin-csr.json <<EOF

  "CN": "admin",
  "hosts": [],
  "key": 
    "algo": "rsa",
    "size": 2048
  ,
  "names": [
    
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    
  ]

EOF
 
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
 
#-----------------------
 
cat > kube-proxy-csr.json <<EOF

  "CN": "system:kube-proxy",
  "hosts": [],
  "key": 
    "algo": "rsa",
    "size": 2048
  ,
  "names": [
    
      "C": "CN",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    
  ]

EOF
 
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

生成k8s证书

[root@localhost k8s-cert]# bash k8s-cert.sh 
2020/01/15 23:31:03 [INFO] generating a new CA key and certificate from CSR
2020/01/15 23:31:03 [INFO] generate received request
2020/01/15 23:31:03 [INFO] received CSR
2020/01/15 23:31:03 [INFO] generating key: rsa-2048
2020/01/15 23:31:03 [INFO] encoded CSR
2020/01/15 23:31:03 [INFO] signed certificate with serial number 149957285008634365032949076461783766565292979186
2020/01/15 23:31:03 [INFO] generate received request
2020/01/15 23:31:03 [INFO] received CSR
2020/01/15 23:31:03 [INFO] generating key: rsa-2048
2020/01/15 23:31:03 [INFO] encoded CSR
2020/01/15 23:31:03 [INFO] signed certificate with serial number 531833477097469967316212525772159687029821034128
2020/01/15 23:31:03 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
2020/01/15 23:31:04 [INFO] generate received request
2020/01/15 23:31:04 [INFO] received CSR
2020/01/15 23:31:04 [INFO] generating key: rsa-2048
2020/01/15 23:31:04 [INFO] encoded CSR
2020/01/15 23:31:04 [INFO] signed certificate with serial number 684040931566157342098288079791465097738732990534
2020/01/15 23:31:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
2020/01/15 23:31:04 [INFO] generate received request
2020/01/15 23:31:04 [INFO] received CSR
2020/01/15 23:31:04 [INFO] generating key: rsa-2048
2020/01/15 23:31:04 [INFO] encoded CSR
2020/01/15 23:31:04 [INFO] signed certificate with serial number 681469506930419424853732902538890426797365900103
2020/01/15 23:31:04 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
 
[root@localhost k8s-cert]# ls *pem
admin-key.pem  ca-key.pem  kube-proxy-key.pem  server-key.pem
admin.pem      ca.pem      kube-proxy.pem      server.pem
[root@localhost k8s-cert]# cp ca*pem server*pem /opt/kubernetes/ssl/
[root@localhost k8s-cert]# cd ..

解压kubernetes压缩包

[root@localhost k8s]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@localhost k8s]# cd /root/k8s/kubernetes/server/bin
[root@localhost k8s]# ls


复制关键命令文件

[root@localhost bin]# cp kube-apiserver kubectl kube-controller-manager kube-scheduler /opt/kubernetes/bin/
[root@localhost k8s]# vim /opt/kubernetes/cfg/token.csv
82f1f14173bd43dec416ad6bd4b16628,kubelet-bootstrap,10001,"system:kubelet-bootstrap"	##序列号,用户名,id,角色
##使用 head -c 16 /dev/urandom | od -An -t x | tr -d ' ' 可以随机生成序列号
82f1f14173bd43dec416ad6bd4b16628
##二进制文件,token,证书都准备好

开启apiserver

[root@master01 k8s]# bash apiserver.sh 192.168.35.40 https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.

检查进程是否启动成功

[root@master01 k8s]# ps aux | grep kub
root      34742  5.3  8.4 414728 326460 ?       Ssl  14:04   0:18 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379 --bind-address=192.168.35.40 --secure-port=6443 --advertise-address=192.168.35.40 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
root      34836  0.0  0.0 112724   988 pts/3    S+   14:10   0:00 grep --color=auto kub

查看配置文件

[root@localhost k8s]# cat /opt/kubernetes/cfg/kube-apiserver
[root@master01 k8s]# cat /opt/kubernetes/cfg/kube-apiserver 

KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379 \\
--bind-address=192.168.35.40 \\
--secure-port=6443 \\
--advertise-address=192.168.35.40 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
##LimitRanger:资源的定义范围;是针对namespace中的每个组件做的资源限制
##ServiceAccount:服务发现的数量
##ResourceQuota:资源配额,是对namespace进行资源配额,配置一个namespace可以使用的资源量
##NodeRestriction:限制了每个kubelet的权限, kubelet确保它只能修改绑定到其及其自己的Node对象的pod

监听的https端口

[root@master01 k8s]# netstat -antp | grep 6443
tcp        0      0 192.168.35.40:6443      0.0.0.0:*               LISTEN      34742/kube-apiserve 
tcp        0      0 192.168.35.40:33920     192.168.35.40:6443      ESTABLISHED 34742/kube-apiserve 
tcp        0      0 192.168.35.40:6443      192.168.35.40:33920     ESTABLISHED 34742/kube-apiserve 
[root@master01 k8s]# netstat -antp | grep 8080
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      34742/kube-apiserve 

启动scheduler服务

[root@master01 k8s]# ./scheduler.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.
[root@master01 k8s]# ps aux | grep ku
postfix   34337  0.0  0.1  91732  4088 ?        S    13:35   0:00 pickup -l -t unix -u
root      34742  3.8  6.1 414728 235888 ?       Ssl  14:04   0:38 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.35.40:2379,https://192.168.35.20:2379,https://192.168.35.30:2379 --bind-address=192.168.35.40 --secure-port=6443 --advertise-address=192.168.35.40 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
root      35000  2.0  0.5  46128 19752 ?        Ssl  14:20   0:00 /opt/kubernetes/bin/kube-scheduler --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect
root      35024  0.0  0.0 112724   988 pts/3    S+   14:21   0:00 grep --color=auto ku


启动controller-manager

[root@master01 k8s]# chmod +x controller-manager.sh 
[root@master01 k8s]# ./controller-manager.sh 127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@master01 k8s]# ps aux | grep ku
[root@master01 k8s]# systemctl status kube-controller-manager.service


查看master 节点状态

[root@master01 k8s]# /opt/kubernetes/bin/kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-1               Healthy   "health":"true"   
etcd-0               Healthy   "health":"true"   
etcd-2               Healthy   "health":"true"

4、node节点部署

master上操作
把 kubelet、kube-proxy拷贝到node节点上去

[root@localhost k8s]# cd /root/k8s/kubernetes/server/bin
[root@localhost bin]# scp kubelet kube-proxy root@192.168.195.150:/opt/kubernetes/bin/
root@192.168.195.150's password:
kubelet                                                           100%  168MB  27.9MB/s   00:06    
kube-proxy                                                        100%   48MB  31.5MB/s   00:01    
[root@localhost bin]# scp kubelet kube-proxy root@192.168.195.151:/opt/kubernetes/bin/
root@192.168.195.151's password:
kubelet                                                           100%  168MB  56.1MB/s   00:03    
kube-proxy                                                        100%   48MB  37.3MB/s   00:01    

-------------------->node01节点操作(复制node.zip到/root目录下再解压)<------------------------------

[root@localhost ~]# ls
anaconda-ks.cfg  flannel-v0.10.0-linux-amd64.tar.gz  node.zip   公共  视频  文档  音乐
flannel.sh       initial-setup-ks.cfg                README.md  模板  图片  下载  桌面
//解压node.zip,获得kubelet.sh  proxy.sh
[root@node1 ~]# unzip node.zip 
Archive:  node.zip
  inflating: proxy.sh                
  inflating: kubelet.sh 

-------------------->在master上操作<------------------------------

  [root@master01 k8s]# mkdir kubeconfig
[root@master01 k8s]# cd kubeconfig/
[root@master01 kubeconfig]# mv kubeconfig.sh kubeconfig	##上传kubeconfig.sh文件并进行重命名
[root@localhost kubeconfig]# vim kubeconfig
----------------删除以下部分----------------------------------------------------------------------
# 创建 TLS Bootstrapping Token
#BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
BOOTSTRAP_TOKEN=0fb61c46f8991b718eb38d27b605b008
 
cat > token.csv <<EOF
$BOOTSTRAP_TOKEN,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
 ---------------------------------------------------------------------------------------------------------- 
获取token信息
[root@master01 kubeconfig]# cat /opt/kubernetes/cfg/token.csv 
88bca997dc91f854290262f8eed24a9f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
配置文件修改为tokenID
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \\
--token=82f1f14173bd43dec416ad6bd4b16628 \\
  	--kubeconfig=bootstrap.kubeconfig

--------------------> 设置环境变量(可以写入到/etc/profile中)<------------------------------

[root@master01 kubeconfig]# export PATH=$PATH:/opt/kubernetes/bin/
[root@master01 kubeconfig]# kubectl get cs		##查看组件状态kube-scheduler和kube-controller-manager
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                  
controller-manager   Healthy   ok                  
etcd-0               Healthy   "health":"true"   
etcd-2               Healthy   "health":"true"   
etcd-1               Healthy   "health":"true" 

--------------------> 生成配置文件<------------------------------

[root@master01 kubeconfig]# bash kubeconfig 192.168.35.40 /root/k8s/k8s-cert/
Cluster "kubernetes" set.
User "kubelet-bootstrap" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "kube-proxy" set.
Context "default" created.
Switched to context "default".
[root@master01 kubeconfig]# ls
bootstrap.kubeconfig  kubeconfig  kube-proxy.kubeconfig

--------------------> 拷贝配置文件到node节点<------------------------------

[root@master01 kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.35.20:/opt/kubernetes/cfg/
root@192.168.35.20's password: 
bootstrap.kubeconfig                   100% 2167     1.2MB/s   00:00    
kube-proxy.kubeconfig                  100% 6273     5.9MB/s   00:00    
[root@master01 kubeconfig]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.35.30:/opt/kubernetes/cfg/
root@192.168.35.30's password: 
bootstrap.kubeconfig                   100% 2167     1.6MB/s   00:00    
kube-proxy.kubeconfig                  100% 6273     7.2MB/s   00:00

-------------------->创建bootstrap角色赋予权限用于连接apiserver请求签名(关键)<------------------------------

[root@master01 kubeconfig]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
	##cluster:集群
##role:角色
##binding:本地
在node01节点上操作
[root@node1 ~]# bash kubelet.sh 192.168.35.20
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.

-------------------->检查kubelet服务启动<------------------------------

[root@node1 ~]# ps aux | grep kube


master上操作
-------------------->检查到node01节点的请求<-----------------------------------------------------------

[root@master01 kubeconfig]# kubectl get csr		##查看证书状态
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s   3m24s   kubelet-bootstrap   Pending(等待集群给该节点颁发证书)
[root@master01 kubeconfig]# kubectl certificate approve node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s		##颁发证书
certificatesigningrequest.certificates.k8s.io/node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s approved
[root@master01 kubeconfig]# kubectl get csr		##继续查看证书状态
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s   6m53s   kubelet-bootstrap   Approved,Issued(加入集群)
[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A   8m56s   kubelet-bootstrap   Approved,Issued(已经被允许加入群集)
[root@master01 kubeconfig]# kubectl get csr		##查看证书状态
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s   3m24s   kubelet-bootstrap   Pending(等待集群给该节点颁发证书)
[root@master01 kubeconfig]# kubectl certificate approve node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s		##颁发证书
certificatesigningrequest.certificates.k8s.io/node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s approved
[root@master01 kubeconfig]# kubectl get csr		##继续查看证书状态
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s   6m53s   kubelet-bootstrap   Approved,Issued(加入集群)
[root@localhost kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-NOI-9vufTLIqJgMWq4fHPNPHKbjCXlDGHptj7FqTa8A   8m56s   kubelet-bootstrap   Approved,Issued(已经被允许加入群集)

-------------------->查看群集节点,成功加入node01节点<-----------------------------------------------------------

[root@master01 kubeconfig]# kubectl get nodes
NAME            STATUS   ROLES    AGE    VERSION
192.168.35.20   Ready    <none>   2m2s   v1.12.3

-------------------->在node01节点操作,启动proxy服务<-----------------------------------------------------------

[root@node1 ~]# bash proxy.sh 192.168.35.20
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@localhost ~]# systemctl status kube-proxy.service

5、node02节点部署

在node01节点操作
把现成的/opt/kubernetes目录复制到其他节点进行修改即可

[root@node1 kubernetes]# scp -r /opt/kubernetes/ root@192.168.35.30:/opt/
The authenticity of host '192.168.195.151 (192.168.195.151)' can't be established.
ECDSA key fingerprint is SHA256:HyV9L/xOcN5435t9zCPMCC63XiwMwgBLIa7L++Gea0k.
ECDSA key fingerprint is MD5:4b:01:0f:c3:cb:3e:3a:4c:f0:51:85:fc:c1:6b:c5:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.195.151' (ECDSA) to the list of known hosts.
root@192.168.195.151's password:
flanneld                                                          100%  241   471.1KB/s   00:00    
bootstrap.kubeconfig                                              100% 2169     2.9MB/s   00:00    
kube-proxy.kubeconfig                                             100% 6275    10.3MB/s   00:00    
kubelet                                                           100%  379   130.7KB/s   00:00    
kubelet.config                                                    100%  269   420.0KB/s   00:00    
kubelet.kubeconfig                                                100% 2298     3.5MB/s   00:00    
kube-proxy                                                        100%  191   353.2KB/s   00:00    
mk-docker-opts.sh                                                 100% 2139     4.5MB/s   00:00    
flanneld                                                          100%   35MB  50.5MB/s   00:00    
kubelet                                                           100%  168MB  84.9MB/s   00:01    
kube-proxy                                                        100%   48MB  94.7MB/s   00:00    
kubelet.crt                                                       100% 2197   902.9KB/s   00:00    
kubelet.key                                                       100% 1679     2.3MB/s   00:00    
kubelet-client-2020-02-02-00-42-27.pem                            100% 1277   493.9KB/s   00:00    
kubelet-client-current.pem                                        100% 1277   429.5KB/s   00:00    

把kubelet,kube-proxy的service文件拷贝到node2中

[root@node1 kubernetes]# scp /usr/lib/systemd/system/kubelet,kube-proxy.service root@192.168.35.30:/usr/lib/systemd/system/
root@192.168.35.30's password: 
kubelet.service                                     100%  264   151.2KB/s   00:00    
/usr/lib/systemd/system/kube-proxy.service: No such file or directory
在node02上操作,进行修改
首先删除复制过来的证书,等会node02会自行申请证书
[root@localhost ~]# cd /opt/kubernetes/ssl/
[root@localhost ssl]# rm -rf *
修改配置文件kubelet  kubelet.config kube-proxy(三个配置文件) 
[root@node02 ssl]# cd ../cfg/
[root@node02 cfg]# vim kubelet

KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=192.168.35.30 \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet.config \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"

 
[root@localhost cfg]# vim kubelet.config

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 192.168.35.30
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local.
failSwapOn: false
authentication:
  anonymous:
    enabled: true
[root@localhost cfg]# vim kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \\
--v=4 \\
--hostname-override=192.168.35.30 \\
--cluster-cidr=10.0.0.0/24 \\
--proxy-mode=ipvs \\
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
启动服务
[root@node02 cfg]# cd ~
[root@node02 ~]# 
[root@node02 ~]# bash proxy.sh 192.168.35.30
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@node02 ~]# systemctl start kube-proxy.service
[root@node02 ~]# systemctl status kube-proxy.service
[root@localhost cfg]# systemctl enable kubelet.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@localhost cfg]# systemctl start kube-proxy.service
[root@localhost cfg]# systemctl enable kube-proxy.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.

6、加入集群

在master上操作查看请求

[root@master01 kubeconfig]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-9cW1OAD-FtegjD8PmgyRP37uhgnyt5LrAerwgX-Es04   5m21s   kubelet-bootstrap   Pending
node-csr-eRw7xAB2VoPGaqn3U_5RhdhnulwkFjOHaRoRodOi21s   14m     kubelet-bootstrap   Approved,Issued
授权许可加入群集
[root@master01 kubeconfig]# kubectl certificate approve node-csr-9cW1OAD-FtegjD8PmgyRP37uhgnyt5LrAerwgX-Es04
certificatesigningrequest.certificates.k8s.io/node-csr-9cW1OAD-FtegjD8PmgyRP37uhgnyt5LrAerwgX-Es04 approved
查看群集中的节点
[root@master01 kubeconfig]# kubectl get nodes
NAME            STATUS   ROLES    AGE     VERSION
192.168.35.20   Ready    <none>   9m13s   v1.12.3
192.168.35.30   Ready    <none>   18s     v1.12.3

7、测试创建实例

[root@master01 kubeconfig]# kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
nginx-dbddb74b8-24fk6   1/1     Running   0          3m14s
nginx-dbddb74b8-bsb2l   1/1     Running   0          3m14s
nginx-dbddb74b8-f9q7r   1/1     Running   0          3m14s
[root@master01 kubeconfig]# kubectl get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP            NODE            NOMINATED NODE
nginx-dbddb74b8-24fk6   1/1     Running   0          70s   172.17.53.3   192.168.35.20   <none>
nginx-dbddb74b8-bsb2l   1/1     Running   0          70s   172.17.80.2   192.168.35.30   <none>
nginx-dbddb74b8-f9q7r   1/1     Running   0          70s   172.17.53.2   192.168.35.20   <none>
[root@master01 kubeconfig]# kubectl run nginx --image=nginx --replicas=3
kubectl run --generator=deployment/apps.v1beta1 is DEPRECATED and will be removed in a future version. Use kubectl create instead.
deployment.apps/nginx created

以上是关于kubernets集群二进制单节点部署的主要内容,如果未能解决你的问题,请参考以下文章

kubernets集群二进制单节点部署

kubernets集群二进制单节点部署

kubernets集群二进制单节点部署

Kubernetes二进制部署 单节点master

Kubernetes二进制部署 单节点master

Kubernetes二进制部署 单节点master