Kubernetes Study Notes 1: Building a Kubernetes Cluster: Installing and Deploying etcd

Posted JAIR_FOREVER

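Contents

1. Software versions and environment
2. Server information (hosts are referred to by hostname below)
3. Installing and deploying etcd
3.1 Install cfssl
3.2 Create the etcd certificates
3.3 etcd CA configuration
3.4 etcd CA certificate
3.5 etcd server certificate
3.6 Generate the etcd CA certificate and private key (initialize the CA)
3.7 Generate the server certificate
3.8 Distribute the certificates and keys
3.9 Install etcd (run this step on all three machines; only the main configuration file differs, everything else is the same)
3.10 Start etcd
3.11 Check the service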


1. Software versions and environment

Software or operating system    Version
OS                              CentOS 7.6
kubernetes-client               v1.13.1
kubernetes-server               v1.13.1
kubernetes-node                 v1.13.1
etcd                            v3.3.10
flannel                         v0.10.0

2. Server information (hosts are referred to by hostname below)

Server IP / hostname            Role
192.168.10.200 / k8s-master1    etcd, kube-apiserver, kube-controller-manager, kube-scheduler
192.168.10.201 / k8s-node1      etcd, kubelet, docker, kube-proxy
192.168.10.202 / k8s-node2      etcd, kubelet, docker, kube-proxy

3. Installing and deploying etcd

3.1 Install cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

3.2 Create the etcd certificates

mkdir /k8s/etcd/{bin,cfg,ssl} -p
mkdir /k8s/kubernetes/{bin,cfg,ssl} -p
cd /k8s/etcd/ssl/

3.3 etcd CA configuration

cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

3.4 etcd CA certificate

cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

3.5 etcd server certificate

cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
        "127.0.0.1",
        "192.168.10.200",
        "192.168.10.201",
        "192.168.10.202"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

3.6 Generate the etcd CA certificate and private key (initialize the CA)

cfssl gencert -initca ca-csr.json | cfssljson -bare ca 

3.7 Generate the server certificate

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server

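3.8 Distribute the certificates and keys

After the steps above have been run on k8s-master1, six files are generated in the directory /k8s/etcd/ssl/, namely the files ending in csr and pem. Copy these six files to the same directory on k8s-node1 and k8s-node2 (you need to create the directory there yourself). Of the six, the etcd configuration in 3.9 reads only ca.pem, server.pem and server-key.pem; ca-key.pem is the CA's signing key and is used only by cfssl when issuing certificates.

3.9 Install etcd (run this step on all three machines; only the main configuration file differs, everything else is the same)

Unpack the archive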

tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
cd etcd-v3.3.10-linux-amd64/
cp etcd etcdctl /k8s/etcd/bin/

Configure the main etcd file (settings for k8s-master1)

vim /k8s/etcd/cfg/etcd.conf   
#[Member]
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.200:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.200:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.200:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.200:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

Configure the main etcd file (settings for k8s-node1)

vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd02"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.201:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.201:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.201:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.201:2379"
ETCD_INITIAL_CLUSTER="etcd02=https://192.168.10.201:2380,etcd01=https://192.168.10.200:2380,etcd03=https://192.168.10.202:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"

Configure the main etcd file (settings for k8s-node2)

vim /k8s/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd03"
ETCD_DATA_DIR="/data1/etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.10.202:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.202:2379,http://127.0.0.1:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.202:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.202:2379"
ETCD_INITIAL_CLUSTER="etcd03=https://192.168.10.202:2380,etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

#[Security]
ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
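
The three etcd.conf files above differ only in ETCD_NAME and the node IP, so a copy-paste slip is easy to make. The following check is an added example, not part of the original post: it parses one member's file and reports plaintext URLs, disabled client-certificate checks, and an ETCD_NAME that does not match its own entry in ETCD_INITIAL_CLUSTER. The function names and the trimmed SAMPLE are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: the k8s-master1 settings from this page, trimmed to the keys checked.
SAMPLE = """\
ETCD_NAME="etcd01"
ETCD_LISTEN_PEER_URLS="https://192.168.10.200:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.10.200:2379,http://127.0.0.1:2379"
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.10.200:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.10.200:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.10.200:2380,etcd02=https://192.168.10.201:2380,etcd03=https://192.168.10.202:2380"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
"""

URL_KEYS = ("ETCD_LISTEN_PEER_URLS", "ETCD_LISTEN_CLIENT_URLS",
            "ETCD_INITIAL_ADVERTISE_PEER_URLS", "ETCD_ADVERTISE_CLIENT_URLS")
AUTH_KEYS = ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH")

def parse_env(text):
    """Parse KEY="value" lines of an EnvironmentFile, skipping comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
    return env

def audit(text):
    """Return a list of findings for one member's etcd.conf (hypothetical helper)."""
    env, findings = parse_env(text), []
    def items(key):
        return [v.strip() for v in env.get(key, "").split(",") if v.strip()]
    for key in URL_KEYS:
        for url in items(key):
            if urlparse(url).scheme != "https":
                findings.append(f"{key}: plaintext URL {url}")
    for key in AUTH_KEYS:
        if env.get(key, "").lower() != "true":
            findings.append(f"{key}: client certificates are not required")
    # Each ETCD_INITIAL_CLUSTER entry is name=peer-url; this member's own entry
    # must carry the peer URL it advertises.
    cluster = dict(m.split("=", 1) for m in items("ETCD_INITIAL_CLUSTER") if "=" in m)
    name = env.get("ETCD_NAME", "")
    if cluster.get(name) not in items("ETCD_INITIAL_ADVERTISE_PEER_URLS"):
        findings.append(f"ETCD_NAME {name!r} has no matching ETCD_INITIAL_CLUSTER entry")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the page's k8s-master1 settings, it reports only the http://127.0.0.1:2379 listener: that URL is served without TLS, so ETCD_CLIENT_CERT_AUTH does not apply to connections made on it.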

Configure the etcd startup file (systemd unit)

mkdir /data1/etcd
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/data1/etcd/
EnvironmentFile=-/k8s/etcd/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"$ETCD_NAME\" --data-dir=\"$ETCD_DATA_DIR\" --listen-client-urls=\"$ETCD_LISTEN_CLIENT_URLS\" --listen-peer-urls=\"$ETCD_LISTEN_PEER_URLS\" --advertise-client-urls=\"$ETCD_ADVERTISE_CLIENT_URLS\" --initial-cluster-token=\"$ETCD_INITIAL_CLUSTER_TOKEN\" --initial-cluster=\"$ETCD_INITIAL_CLUSTER\" --initial-cluster-state=\"$ETCD_INITIAL_CLUSTER_STATE\" --cert-file=\"$ETCD_CERT_FILE\" --key-file=\"$ETCD_KEY_FILE\" --trusted-ca-file=\"$ETCD_TRUSTED_CA_FILE\" --client-cert-auth=\"$ETCD_CLIENT_CERT_AUTH\" --peer-cert-file=\"$ETCD_PEER_CERT_FILE\" --peer-key-file=\"$ETCD_PEER_KEY_FILE\" --peer-trusted-ca-file=\"$ETCD_PEER_TRUSTED_CA_FILE\" --peer-client-cert-auth=\"$ETCD_PEER_CLIENT_CERT_AUTH\""
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

3.10 Start etcd

# The following three commands can be run on all three machines at once with the Xshell tool (look up how to do this yourself)
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd

3.11 Check the service

/k8s/etcd/bin/etcdctl --ca-file=/k8s/etcd/ssl/ca.pem --cert-file=/k8s/etcd/ssl/server.pem --key-file=/k8s/etcd/ssl/server-key.pem --endpoints="https://192.168.10.200:2379,https://192.168.10.201:2379,https://192.168.10.202:2379" cluster-health

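Output like that shown in the figure above indicates that etcd has been installed and deployed successfully.

Note: starting etcd may fail with the error: publish error: etcdserver: request timed out. This may be caused by the firewall; stopping the firewall on all three servers resolves it. Command: systemctl stop firewalld

For security reasons, however, the ports etcd uses can be added to the firewall policy instead. Run the following commands: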

firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload

Reference: https://www.kubernetes.org.cn/5025.html
