Kubernetes Study Notes, Part 1: Building a Kubernetes Cluster - etcd Installation and Deployment
Posted JAIR_FOREVER
1. Software versions and environment
Software or operating system | Version |
---|---|
OS | CentOS 7.6 |
kubernetes-client | v1.13.1 |
kubernetes-server | v1.13.1 |
kubernetes-node | v1.13.1 |
etcd | v3.3.10 |
flannel | v0.10.0 |
2. Server information (servers are referred to below by hostname)
Server IP/hostname | Role |
---|---|
192.168.10.200/k8s-master1 | etcd, kube-apiserver, kube-controller-manager, kube-scheduler |
192.168.10.201/k8s-node1 | etcd, kubelet, docker, kube-proxy |
192.168.10.202/k8s-node2 | etcd, kubelet, docker, kube-proxy |
3. etcd installation and deployment
3.1 Installing cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
3.2 Creating the etcd certificates
mkdir /k8s/etcd/{bin,cfg,ssl} -p
mkdir /k8s/kubernetes/{bin,cfg,ssl} -p
cd /k8s/etcd/ssl/
3.3 etcd CA configuration
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
3.4 etcd CA certificate
cat << EOF | tee ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
3.5 etcd server certificate
cat << EOF | tee server-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.10.200",
    "192.168.10.201",
    "192.168.10.202"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
3.6 Generate the etcd CA certificate and private key (initialize the CA)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
3.7 Generate the server certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
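3.8 Distribute the certificates and keys
After the steps above have been run on k8s-master1, the directory /k8s/etcd/ssl/ contains the six files shown in the figure below, that is, the files ending in csr and pem. Copy these six files to the same directory on k8s-node1 and k8s-node2 (you need to create the directory yourself).
3.9 Installing etcd (run this step on all three machines; only the main configuration file differs, everything else is the same)
Extract the archive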
tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64/
cp etcd etcdctl /k8s/etcd/bin/
Configure the main etcd file (configuration for k8s-master1)
vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.200:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.200:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.200:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.200:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
Configure the main etcd file (configuration for k8s-node1)
vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.201:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.201:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.201:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.201:2379"
ETCD_INITIAL_CLUSTER="etcd02=https://192.168.10.201:2380,etcd01=https://192.168.10.200:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
Configure the main etcd file (configuration for k8s-node2)
vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.202:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.202:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.202:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.202:2379"
ETCD_INITIAL_CLUSTER="etcd03=https://192.168.10.202:2380,etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
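The three etcd.conf files above differ only in ETCD_NAME and the member's own IP, so a copy-paste slip is easy to make and shows up only as a timeout at startup. The lint below is an added example, not part of the original post; the function names (conf_get, check_etcd_conf, demo_conf) and the sample file are constructed for illustration.

```shell
# conf_get KEY FILE (hypothetical helper): print the value of KEY="value"; last assignment wins.
conf_get() {
    sed -n "s/^$1=\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | tail -n 1
}
# check_etcd_conf FILE: one line per finding; returns 1 if any FAIL was printed.
check_etcd_conf() {
    f=$1; rc=0; name=$(conf_get ETCD_NAME "$f")
    adv=$(conf_get ETCD_INITIAL_ADVERTISE_PEER_URLS "$f")
    # This member's name must be in the cluster list with its own advertised peer URL.
    case ",$(conf_get ETCD_INITIAL_CLUSTER "$f")," in
        *",$name=$adv,"*) ;;
        *) echo "FAIL: $name=$adv not in ETCD_INITIAL_CLUSTER"; rc=1 ;;
    esac
    # Peer and advertised client URLs must all be https.
    for key in ETCD_LISTEN_PEER_URLS ETCD_INITIAL_ADVERTISE_PEER_URLS ETCD_ADVERTISE_CLIENT_URLS; do
        for url in $(conf_get "$key" "$f" | tr ',' ' '); do
            case $url in
                https://*) ;;
                *) echo "FAIL: $key has non-TLS URL $url"; rc=1 ;;
            esac
        done
    done
    # An http client listener is served without TLS, so no client certificate is checked.
    for url in $(conf_get ETCD_LISTEN_CLIENT_URLS "$f" | tr ',' ' '); do
        case $url in
            https://*) ;;
            http://127.0.0.1:*|http://localhost:*) echo "WARN: loopback listener without TLS: $url" ;;
            *) echo "FAIL: plaintext client listener $url"; rc=1 ;;
        esac
    done
    # Mutual TLS must be on for both clients and peers.
    for key in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
        [ "$(conf_get "$key" "$f")" = "true" ] || { echo "FAIL: $key is not true"; rc=1; }
    done
    return $rc
}
# Constructed sample (not from the page): k8s-node1's file with ETCD_NAME left as etcd01.
demo_conf() {
    cat <<'EOF'
ETCD_NAME="etcd01"
ETCD_LISTEN_PEER_URLS="https://192.168.10.201:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.201:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.201:2380"
ETCD_INITIAL_CLUSTER="etcd02=https://192.168.10.201:2380,etcd01=https://192.168.10.200:2380,etcd03=https://192.168.10.202:2380"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
}
tmp=$(mktemp); demo_conf > "$tmp"; check_etcd_conf "$tmp" || true; rm -f "$tmp"
```

Run check_etcd_conf against /k8s/etcd/cfg/etcd.conf on each machine before starting etcd. The WARN for http://127.0.0.1:2379 applies to the configuration as given on this page: that listener accepts local connections without a client certificate.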
Configure the etcd startup (systemd unit) file
mkdir /data1/etcd
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
WorkingDirectory=/data1/etcd/
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"$ETCD_NAME\" --data-dir=\"$ETCD_DATA_DIR\" --listen-client-urls=\"$ETCD_LISTEN_CLIENT_URLS\" --listen-peer-urls=\"$ETCD_LISTEN_PEER_URLS\" --advertise-client-urls=\"$ETCD_ADVERTISE_CLIENT_URLS\" --initial-cluster-token=\"$ETCD_INITIAL_CLUSTER_TOKEN\" --initial-cluster=\"$ETCD_INITIAL_CLUSTER\" --initial-cluster-state=\"$ETCD_INITIAL_CLUSTER_STATE\" --cert-file=\"$ETCD_CERT_FILE\" --key-file=\"$ETCD_KEY_FILE\" --trusted-ca-file=\"$ETCD_TRUSTED_CA_FILE\" --client-cert-auth=\"$ETCD_CLIENT_CERT_AUTH\" --peer-cert-file=\"$ETCD_PEER_CERT_FILE\" --peer-key-file=\"$ETCD_PEER_KEY_FILE\" --peer-trusted-ca-file=\"$ETCD_PEER_TRUSTED_CA_FILE\" --peer-client-cert-auth=\"$ETCD_PEER_CLIENT_CERT_AUTH\""
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
3.10 Starting etcd
# The following three commands can be run on all three machines at once with the xshell tool (search online for how to do this)
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
3.11 Service check
/k8s/etcd/bin/etcdctl --ca-file=/k8s/etcd/ssl/ca.pem --cert-file=/k8s/etcd/ssl/server.pem --key-file=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.10.200:2379,https://192.168.10.201:2379,https://192.168.10.202:2379" cluster-health
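Output like that shown in the figure above means etcd has been installed and deployed successfully.
Note: starting etcd may fail with the error: publish error: etcdserver: request timed out. This may be caused by the firewall; stopping the firewall on all three servers resolves it. Command: systemctl stop firewalld
For security reasons, however, you can instead add the ports etcd uses to the firewall policy. Run the following commands: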
firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload
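The --add-port rules above admit any source address in the public zone. A tighter variant follows as an added example that is not part of the original post: it lets only the three cluster members from the server table reach 2379 and 2380. The helper names (fw, etcd_rich_rule, etcd_firewall_apply) and the DRY_RUN switch are assumptions, and it presumes every etcd client (kube-apiserver, flannel) runs on those three hosts.

```shell
# Member IPs and ports are the page's; helper names and DRY_RUN are hypothetical.
ETCD_MEMBERS="192.168.10.200 192.168.10.201 192.168.10.202"

# fw ARGS...: with DRY_RUN=1 (the default) print the firewall-cmd call, otherwise run it as root.
fw() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'firewall-cmd'; printf " '%s'" "$@"; printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# etcd_rich_rule IP PORT: build one firewalld rich rule allowing IP to reach PORT/tcp.
etcd_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# etcd_firewall_apply: replace the any-source port rules with per-member rich rules.
etcd_firewall_apply() {
    for port in 2379 2380; do
        # Drop the open-to-everyone rule if it was added earlier.
        fw --permanent --zone=public --remove-port="$port/tcp"
        for ip in $ETCD_MEMBERS; do
            fw --permanent --zone=public --add-rich-rule="$(etcd_rich_rule "$ip" "$port")"
        done
    done
    fw --reload
}

etcd_firewall_apply   # dry run: prints nine commands for review
```

Review the printed commands, then rerun with DRY_RUN=0 as root on each machine to apply them.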
Reference: https://www.kubernetes.org.cn/5025.html