kubernets部署思路
0.配置主机名和关闭防火墙
1.自签名SSL证书
2.ETCD数据库集群部署
3.Node安装Docker
4.Flannel容器集群网络部署
5.部署Master组件
6.部署Node组件
7.部署集群内部DNS解析服务(coredns)
8.部署DashBoard
##############################
# 1.自签名SSL证书
##############################
#各个组件及使用的证书
#ETCD: ca.pem server.pem server-key.pem
#Flannel: ca.pem server.pem server-key.pem
#Kube-apiserver: ca.pem server.pem server-key.pem
#Kubelet: ca.pem kube-proxy.pem kube-proxy-key.pem
#kubelet-proxy: ca.pem kube-proxy.pem kube-proxy-key.pem
#kubectl: ca.pem admin.pem admin-key.pem
cat>/$HOME/SSL.sh<<'EOFALG' #!/bin/bash #1. 生成CA证书,各个组件之间通讯必须有ca证书 mkdir -p /k8s/{etcd,kubernetes}/{cfg,bin,ssl,apps,data} cd /k8s/etcd/ssl/ #ca-config.json是ca证书的配置文件 cat > ca-config.json<<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "etcd": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF #ca-csr.json是ca证书的签名文件 cat > ca-csr.json<<EOF { "CN": "etcd CA", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF cfssl gencert -initca ca-csr.json | cfssljson -bare ca #server-csr.json是三个节点之间的通信验证 #192.168.31.82 etc1 #192.168.31.83 etc2 #192.168.31.84 etc3 cat > server-csr.json<<EOF { "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.31.82", "192.168.31.83", "192.168.31.84" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ] } EOF cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server EOFALG
##############################
# 2.ETCD数据库集群部署
##############################
#创建启动脚本和配置文件
#创建启动脚本和配置文件 cat >/$HOME/StartETCD.sh<<'EOFALG' #!/bin/bash ############################################################# # # example: StartEtcd.sh etc01 192.168.31.82 etcd02=https://192.168.31.83:2380,etcd03=https://192.168.31.84:2380 # ############################################################# ETCD_NAME=$1 ETCD_IP=$2 ETCD_CLUSTER=$3 cat >/k8s/etcd/cfg/etcd.conf<<EOF #[Member] ETCD_NAME="${ETCD_NAME}" ETCD_DATA_DIR="/k8s/etcd/data" ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380" ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379,http://127.0.0.1:2379" #[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380" ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379" ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new" #[Security] ETCD_CERT_FILE="/k8s/etcd/ssl/server.pem" ETCD_KEY_FILE="/k8s/etcd/ssl/server-key.pem" ETCD_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem" ETCD_CLIENT_CERT_AUTH="true" ETCD_PEER_CERT_FILE="/k8s/etcd/ssl/server.pem" ETCD_PEER_KEY_FILE="/k8s/etcd/ssl/server-key.pem" ETCD_PEER_TRUSTED_CA_FILE="/k8s/etcd/ssl/ca.pem" ETCD_PEER_CLIENT_CERT_AUTH="true" EOF cat >/usr/lib/systemd/system/etcd.service<<'EOF' [Unit] Description=Etcd Server After=network.target After=network-online.target Wants=network-online.target [Service] Type=notify WorkingDirectory=${ETCD_DATA_DIR} EnvironmentFile=-/k8s/etcd/cfg/etcd.conf # set GOMAXPROCS to number of processors ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /k8s/etcd/bin/etcd --name=\"${ETCD_NAME}\" --data-dir=\"${ETCD_DATA_DIR}\" --listen-client-urls=\"${ETCD_LISTEN_CLIENT_URLS}\" --listen-peer-urls=\"${ETCD_LISTEN_PEER_URLS}\" --advertise-client-urls=\"${ETCD_ADVERTISE_CLIENT_URLS}\" --initial-cluster-token=\"${ETCD_INITIAL_CLUSTER_TOKEN}\" --initial-cluster=\"${ETCD_INITIAL_CLUSTER}\" --initial-cluster-state=\"${ETCD_INITIAL_CLUSTER_STATE}\" --cert-file=\"${ETCD_CERT_FILE}\" --key-file=\"${ETCD_KEY_FILE}\" --trusted-ca-file=\"${ETCD_TRUSTED_CA_FILE}\" --client-cert-auth=\"${ETCD_CLIENT_CERT_AUTH}\" --peer-cert-file=\"${ETCD_PEER_CERT_FILE}\" --peer-key-file=\"${ETCD_PEER_KEY_FILE}\" --peer-trusted-ca-file=\"${ETCD_PEER_TRUSTED_CA_FILE}\" --peer-client-cert-auth=\"${ETCD_PEER_CLIENT_CERT_AUTH}\"" Restart=on-failure LimitNOFILE=65536 [Install] WantedBy=multi-user.target EOFALG