Reference address: https://github.com/unixhot/salt-kubernetes
1. System initialization
1.1 Install docker
Install docker on all nodes; first configure a domestic (Aliyun mirror) docker yum source:
[root@linux-node1 ~]# cd /etc/yum.repos.d/
[root@linux-node1 yum.repos.d]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
1.2 Installation
yum install -y docker-ce
1.3 Start docker
systemctl start docker
1.4 Prepare the deployment directories (create them on all nodes)
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
1.5 Download the packages
Baidu network disk download: https://pan.baidu.com/s/1zs8sCouDeCQJ9lghH1BPiw
Official download: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md
1.6 Unpack the archives
# tar zxf kubernetes.tar.gz
# tar zxf kubernetes-server-linux-amd64.tar.gz
# tar zxf kubernetes-client-linux-amd64.tar.gz
# tar zxf kubernetes-node-linux-amd64.tar.gz
1.7 Environment variable settings (all nodes)
vim ~/.bash_profile
PATH=$PATH:$HOME/bin:/opt/kubernetes/bin
source ~/.bash_profile
2. Manually create the CA certificate
2.1 Install cfssl
[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@linux-node1 src]# chmod +x cfssl*
[root@linux-node1 src]# mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@linux-node1 src]# mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
[root@linux-node1 src]# mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
Copy the cfssl binaries to the k8s-node1 and k8s-node2 nodes. If there are more nodes in practice, they must be copied to each of them.
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 192.168.56.12:/opt/kubernetes/bin
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 192.168.56.13:/opt/kubernetes/bin
2.2 Initialize the cfssl working directory
mkdir -p /usr/local/src/ssl && cd /usr/local/src/ssl
2.3 Create the JSON file used to generate the CA certificate
[root@linux-node1 ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
(8760h is one year; certificates issued with this profile must be renewed before then.)
2.4 Create the JSON certificate signing request for the CA certificate
[root@linux-node1 ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
2.5 Generate the CA certificate and key
[root@linux-node1 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@linux-node1 ssl]# ls -l ca*
-rw-r--r-- 1 root root  290 Mar 4 13:45 ca-config.json
-rw-r--r-- 1 root root 1001 Mar 4 14:09 ca.csr
-rw-r--r-- 1 root root  208 Mar 4 13:51 ca-csr.json
-rw------- 1 root root 1679 Mar 4 14:09 ca-key.pem
-rw-r--r-- 1 root root 1359 Mar 4 14:09 ca.pem
2.6 Distribute the certificates
# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
scp the certificates to the k8s-node1 and k8s-node2 nodes:
# scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.12:/opt/kubernetes/ssl
# scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.13:/opt/kubernetes/ssl
Note that ca-key.pem is the CA private key: in this guide every certificate is signed on linux-node1, so the other nodes do not need it to verify peers (ca.pem is enough for that); if it is copied anyway, keep the 0600 mode shown by ls -l in 2.5.
3. etcd cluster deployment
3.1 Prepare the etcd installation package
[root@linux-node1 src]# wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# cd etcd-v3.2.18-linux-amd64
[root@linux-node1 etcd-v3.2.18-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin/
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.56.12:/opt/kubernetes/bin/
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 192.168.56.13:/opt/kubernetes/bin/
3.2 Create the etcd certificate signing request
[root@linux-node1 ~]# vim etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.56.11",
    "192.168.56.12",
    "192.168.56.13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Note: the "hosts" list above could instead hold only each node's own IP address (one certificate per node); here, to simplify authentication between nodes, one certificate listing the IP addresses of all nodes is used. Any peer or client address that is not in this list will fail TLS verification.
3.3 Generate the etcd certificate and private key
[root@linux-node1 ~]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
The following certificate files are generated:
[root@k8s-master ~]# ls -l etcd*
-rw-r--r-- 1 root root 1045 Mar 5 11:27 etcd.csr
-rw-r--r-- 1 root root  257 Mar 5 11:25 etcd-csr.json
-rw------- 1 root root 1679 Mar 5 11:27 etcd-key.pem
-rw-r--r-- 1 root root 1419 Mar 5 11:27 etcd.pem
3.4 Move the certificates to the target directory
[root@k8s-master ~]# cp etcd*.pem /opt/kubernetes/ssl
[root@linux-node1 ~]# scp etcd*.pem 192.168.56.12:/opt/kubernetes/ssl
[root@linux-node1 ~]# scp etcd*.pem 192.168.56.13:/opt/kubernetes/ssl
[root@k8s-master ~]# rm -f etcd.csr etcd-csr.json
3.5 Set up the etcd configuration file
[root@linux-node1 ~]# vim /opt/kubernetes/cfg/etcd.conf
#[member]
ETCD_NAME="etcd-node1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://192.168.56.11:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.56.11:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.56.11:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd-node1=https://192.168.56.11:2380,etcd-node2=https://192.168.56.12:2380,etcd-node3=https://192.168.56.13:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.56.11:2379"
#[security]
CLIENT_CERT_AUTH="true"
ETCD_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
Note: the node-specific values (ETCD_NAME and every 192.168.56.11 address in the listen/advertise URLs) must be changed on each node to that node's own name and IP address. Also be aware that etcd only reads environment variables carrying the ETCD_ prefix, so the two lines written as CLIENT_CERT_AUTH and PEER_CLIENT_CERT_AUTH above are ignored as written; to actually require client certificates they must be named ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH. Without that, the TLS endpoints still encrypt traffic but accept any client, so verify the setting with the cluster-health check in 3.8 using a client certificate not signed by this CA.
3.6 Create the etcd system service
[root@linux-node1 ~]# vim /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target

[Service]
Type=simple
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/opt/kubernetes/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/kubernetes/bin/etcd"
Type=notify

[Install]
WantedBy=multi-user.target
3.7 Reload systemd and copy the files to the other nodes
[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable etcd
# scp /opt/kubernetes/cfg/etcd.conf 192.168.56.12:/opt/kubernetes/cfg/
# scp /etc/systemd/system/etcd.service 192.168.56.12:/etc/systemd/system/
# scp /opt/kubernetes/cfg/etcd.conf 192.168.56.13:/opt/kubernetes/cfg/
# scp /etc/systemd/system/etcd.service 192.168.56.13:/etc/systemd/system/
Create the etcd storage directory on all nodes and start etcd:
[root@linux-node1 ~]# mkdir /var/lib/etcd
[root@linux-node1 ~]# systemctl start etcd
[root@linux-node1 ~]# systemctl status etcd
3.8 Cluster verification
[root@linux-node1 ssl]# etcdctl --endpoints=https://192.168.56.11:2379 \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health
member 435fb0a8da627a4c is healthy: got healthy result from https://192.168.56.12:2379
member 6566e06d7343e1bb is healthy: got healthy result from https://192.168.56.11:2379
member ce7b884e428b6c8c is healthy: got healthy result from https://192.168.56.13:2379
cluster is healthy