Adding a Kubernetes master: online scale-out (using kubeadm)

Run on the new master

Disable the firewall

systemctl stop firewalld.service
systemctl disable firewalld.service

Disable SELinux

sed -i 's/enforcing/disabled/' /etc/selinux/config
setenforce 0

Check that it is off (getenforce reports Permissive until the next reboot)

getenforce  

Turn off swap

swapoff -a
vim /etc/fstab
# comment out the swap entry

Change the hostname

hostnamectl set-hostname master2

Start a new shell so the prompt shows the new hostname

bash

Configure hosts

cat >> /etc/hosts << EOF
192.168.85.160 master
192.168.85.158 master2
192.168.85.161 node1
192.168.85.162 node2
EOF

Configure bridged traffic to pass through iptables

cat >> /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

Time synchronization

yum install ntpdate -y
ntpdate time.windows.com

Install Docker

wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo

yum install -y yum-utils device-mapper-persistent-data lvm2
	
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
	
yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin

systemctl enable docker && systemctl start docker
cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker

docker info

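Add the Aliyun YUM repository (gpgcheck=0 and repo_gpgcheck=0 below turn off package and repository-metadata signature verification, so the gpgkey URLs are not used)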

cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

Install kubeadm, kubelet and kubectl

yum install -y kubelet-1.20.0 kubeadm-1.20.0 kubectl-1.20.0
systemctl enable kubelet
mkdir -p /etc/kubernetes/pki/etcd/

Run on the original master

kubectl edit cm kubeadm-config -n kube-system
...
kubernetesVersion: v1.20.0
controlPlaneEndpoint: 192.168.85.199:16443  # added: the VIP of the layer-4 load balancer
networking:
...

Move the existing API server certificate and key out of the way so that new ones can be created

mv /etc/kubernetes/pki/apiserver.{crt,key} ~

Generate a new certificate with kubeadm

kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml
kubeadm init phase certs apiserver --config kubeadm.yaml

Restart the API server so that it picks up the new certificate

docker ps | grep kube-apiserver | grep -v pause

Kill the kube-apiserver container (use the container ID from the previous command)

docker kill 750dcbadd30a 

Use openssl to check that the generated certificate includes the newly added VIP

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
.....
 DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master, IP Address:10.96.0.1, IP Address:192.168.85.160, IP Address:192.168.85.199
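
The check above can be scripted so that it matches a whole SAN entry instead of relying on reading the output by eye. This is an added example, not part of the original post; the helper names san_has_entry and check_apiserver_cert are hypothetical, and the sample line is the SAN output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): exact-match SAN check for the
# regenerated apiserver certificate.

# Constructed sample: the SAN line shown in the post's openssl output.
SAN_SAMPLE=' DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:master, IP Address:10.96.0.1, IP Address:192.168.85.160, IP Address:192.168.85.199'

# san_has_entry TYPE VALUE
# Reads `openssl x509 -text` output on stdin. Succeeds only when "TYPE:VALUE"
# is a complete comma-separated entry, so 192.168.85.19 does not match
# 192.168.85.199 the way a plain grep would.
san_has_entry() {
  awk -v want="$1:$2" '
    {
      n = split($0, parts, ",")
      for (i = 1; i <= n; i++) {
        entry = parts[i]
        gsub(/^[ \t]+|[ \t]+$/, "", entry)
        if (entry == want) found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# check_apiserver_cert CERT IP...
# Returns 0 if every IP is a SAN of CERT, 1 if any is missing, 2 if openssl
# cannot read the file.
check_apiserver_cert() {
  cert="$1"; shift
  text="$(openssl x509 -in "$cert" -noout -text)" || return 2
  rc=0
  for ip in "$@"; do
    if printf '%s\n' "$text" | san_has_entry "IP Address" "$ip"; then
      echo "ok: $ip is in the certificate SANs"
    else
      echo "MISSING: $ip is not in the certificate SANs" >&2
      rc=1
    fi
  done
  return "$rc"
}

# On the original master, after `kubeadm init phase certs apiserver`:
#   check_apiserver_cert /etc/kubernetes/pki/apiserver.crt 192.168.85.160 192.168.85.199
```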

Copy the master's certificates to the new master node

scp /etc/kubernetes/pki/ca.crt [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/ca.key [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/sa.key [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/sa.pub [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/front-proxy-ca.crt [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/front-proxy-ca.key [email protected]:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.crt [email protected]:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/pki/etcd/ca.key [email protected]:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/admin.conf [email protected]:/etc/kubernetes/

Upload the cluster certificates to the cluster

kubeadm init phase upload-certs --upload-certs

Generate a token

kubeadm token create --print-join-command

Run on the new master, using the token and key generated on the original master

kubeadm join 192.168.85.160:6443 --token hh6yer.3xc3bc4c08lqgve9     --discovery-token-ca-cert-hash sha256:6a1f2f98d25921215d0ab29edb3fe86b270eaadcd96eb3a3af3f5bde8ddc655b --control-plane  --certificate-key 6db637a0bba3510d4ff223c0cea7e127184fe739551992acd3201f734dbad0cf
### Added --control-plane and --certificate-key (the key generated by kubeadm init phase upload-certs --upload-certs)

Configuration after joining

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run on the original master to verify that the join succeeded

kubectl get node
NAME      STATUS   ROLES                                  AGE   VERSION
master    Ready    control-plane,jenkins,jmaster,master   48d   v1.20.0
master2   Ready    control-plane,master                   21h   v1.20.0
node1     Ready    jenkins                                48d   v1.20.0
node2     Ready    jenkins                                48d   v1.20.0

Reposted from blog.csdn.net/weixin_43793525/article/details/129135861