How to quickly deploy clusters in Kubernetes

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how to quickly deploy a Kubernetes cluster by hand, with the analysis and the concrete steps, so that readers facing the same task can find a simple route through it.

Deploying a K8S cluster manually, step by step, is a good way to understand the overall architecture of K8S and how its internal components relate to each other.

The deployment process below is meant to show how K8S works. To keep it simple, there is no high-availability or high-performance setup.

Installation instructions:

All components are deployed on just two nodes, MASTER and NODE, as shown in the figure.

Each component is installed under /opt/{component}, binaries and configuration files included.

Each component process is managed by systemd; its unit file is /etc/systemd/system/{component}.service.

All the installation code has been put on https://github.com/bilc/kubernetes-deploy for your reference.

1 Preparation in advance

Configure the environment variable file, environment, as follows; only MASTER_IP and NODE_IP need to be changed.

# service virtual IP used by the apiserver
export CLUSTER_KUBERNETES_SVC_IP="10.254.0.1"
export MASTER_IP=10.1.0.86
export NODE_IP=10.1.0.87
# service
export SERVICE_CIDR="10.254.0.0/16"        # service network
# for coredns & kubelet
export CLUSTER_DNS_DOMAIN="cluster.local"  # domain name suffix
export CLUSTER_DNS_SVC_IP="10.254.0.2"     # dns server address
# pod
export CLUSTER_CIDR="172.30.0.0/16"        # pod network
export NODE_PORT_RANGE="30000-32767"       # port range assigned to services of type NodePort

The main tasks here are to set up passwordless SSH login and to download the binaries; the downloads made by download.sh may need a proxy to get past network blocking.

ssh-keygen          # generate the key pair for passwordless login
. environment
./ssh-nopwd.sh      # set up passwordless login
cd cert
./download.sh       # the downloads here may need a proxy to get past network blocking
./install.sh        # create directories and upload files on the target machine
cd -

2 Certificate generation

First, the certificate file types:

ca.pem, ca-key.pem: the certificate authority's own certificate and private key

*.pem, *-key.pem: a component's certificate and private key

*.kubeconfig: the configuration file used to access K8S; it bundles the cluster's apiserver address, the CA, and the client certificate and private key, which is equivalent to passing the certificate and key as separate parameters.

When issuing a certificate for a component that is accessed by others, every IP address and domain name it will be reached at must be listed in the certificate's hosts field.
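To see concretely what the hosts field has to contain, here is an added bash example (not code from the page's repository): it issues a CA and an apiserver certificate with openssl, using MASTER_IP, the service VIP and the cluster.local service names from the environment file above, then checks that each address the apiserver is reached at appears in the certificate's subjectAltName (which is what the hosts field becomes) and that the certificate verifies against the CA. The function names are the example's own.

```bash
#!/bin/bash
# Added example (not from the page's repository): issue a CA plus an apiserver
# certificate and verify that the SAN covers every host the apiserver answers for.
# Host values are constructed from the page's environment file.

WORK=$(mktemp -d)

make_ca() {
  # Self-signed CA, written as ca.pem / ca-key.pem like the page's layout.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

make_server_cert() {
  # Arguments: certificate name, then every host (IP or DNS name) for the SAN.
  local name=$1 san="" h
  shift
  for h in "$@"; do
    case $h in
      *[!0-9.]*) san="$san,DNS:$h" ;;   # not a dotted quad: treat as a DNS name
      *)         san="$san,IP:$h" ;;
    esac
  done
  san=${san#,}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
  # The SAN list is the equivalent of the "hosts" field of a cert config.
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

cert_covers_host() {
  # Return 0 if certificate $1 chains to the CA and lists host $2 in its SAN.
  local cert=$1 host=$2 san
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 || return 1
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  case ", $san," in
    *"IP Address:$host,"*|*"DNS:$host,"*) return 0 ;;
  esac
  return 1
}

check_apiserver_cert() {
  # Report every expected host missing from certificate $1; return the number missing.
  local cert=$1 missing=0 h
  shift
  for h in "$@"; do
    cert_covers_host "$cert" "$h" || { echo "not covered by $cert: $h"; missing=$((missing+1)); }
  done
  return $missing
}

# Hosts the apiserver must answer for: MASTER_IP, the service VIP, loopback, and
# the in-cluster service names under CLUSTER_DNS_DOMAIN (values from the page).
APISERVER_HOSTS="10.1.0.86 10.254.0.1 127.0.0.1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local"

make_ca
make_server_cert kubernetes $APISERVER_HOSTS
check_apiserver_cert "$WORK/kubernetes.pem" $APISERVER_HOSTS && echo "apiserver certificate covers all hosts"
```

The same check applies to any certificate on the "accessed by" side of the table below (etcd, kubelet): run check_apiserver_cert against that certificate with the addresses its clients actually dial, and anything it prints is a host that will fail TLS verification.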

The table below lists, per component, what each set of certificate parameters is for:

kube-apiserver
  accesses etcd:
    --etcd-cafile=${DIR}/ca.pem
    --etcd-certfile=${DIR}/kubernetes.pem
    --etcd-keyfile=${DIR}/kubernetes-key.pem
  accesses kubelet:
    --kubelet-certificate-authority=${DIR}/ca.pem
    --kubelet-client-certificate=${DIR}/kubernetes.pem
    --kubelet-client-key=${DIR}/kubernetes-key.pem
    (the apiserver depends on kubelet mainly for proxied commands, for example kubectl exec)
  accessed by other components:
    --client-ca-file=${DIR}/ca.pem
    --tls-cert-file=${DIR}/kubernetes.pem
    --tls-private-key-file=${DIR}/kubernetes-key.pem
  encryption of secret resources:
    --service-account-key-file=${DIR}/service-account.pem
    (must be used together with kube-controller-manager)

kube-controller-manager
  encryption of secret resources:
    --service-account-private-key-file=/opt/kube-controller-manager/service-account-key.pem
  accesses kube-apiserver:
    --kubeconfig=/opt/kube-controller-manager/kube-controller-manager.kubeconfig
  issues certificates for in-cluster access from pods:
    --cluster-signing-cert-file=/opt/kube-controller-manager/ca.pem
    --cluster-signing-key-file=/opt/kube-controller-manager/ca-key.pem

kube-scheduler
  accesses kube-apiserver:
    kubeconfig: "/opt/kube-scheduler/kube-scheduler.kubeconfig"

kubelet
  accesses kube-apiserver:
    --kubeconfig=/opt/kubelet/${NODE_IP}.kubeconfig
  accessed by kube-apiserver:
    tlsCertFile: "/opt/kubelet/${NODE_IP}.pem"
    tlsPrivateKeyFile: "/opt/kubelet/${NODE_IP}-key.pem"
    clientCAFile: "/opt/kubelet/ca.pem"

etcd
  accessed by clients:
    --trusted-ca-file=/opt/etcd/ca.pem
    --cert-file=/opt/etcd/etcd.pem
    --key-file=/opt/etcd/etcd-key.pem
  accesses peers and is accessed by peers:
    --peer-trusted-ca-file=/opt/etcd/ca.pem
    --peer-cert-file=/opt/etcd/etcd.pem
    --peer-key-file=/opt/etcd/etcd-key.pem
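Every private key in that table lives under /opt/{component}, so after installation it is worth auditing their file modes: a *-key.pem that is group- or world-readable lets any local user impersonate that component. The following bash script is an added example, not part of the page's repository; it builds a constructed /opt-like tree in a temporary directory, with two keys deliberately left readable by other users, and reports them. The function name is the example's own.

```bash
#!/bin/bash
# Added example (not from the page's repository): find private keys under the
# component tree whose mode lets non-root users read them. The tree below is
# constructed in a temporary directory with placeholder contents, not real keys.

audit_private_keys() {
  # Argument: root of the component tree (e.g. /opt). Prints one line per
  # private key that is group- or world-readable; returns the number found.
  local root=$1 bad=0 f
  while IFS= read -r f; do
    echo "readable by others: $f"
    bad=$((bad+1))
  done < <(find "$root" -type f -name '*-key.pem' \( -perm -g+r -o -perm -o+r \) | sort)
  return $bad
}

# Constructed tree mirroring the page's /opt/{component} layout.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etcd" "$ROOT/kube-apiserver" "$ROOT/kube-controller-manager" "$ROOT/kubelet"
for f in etcd/etcd.pem etcd/etcd-key.pem \
         kube-apiserver/kubernetes.pem kube-apiserver/kubernetes-key.pem kube-apiserver/ca-key.pem \
         kube-controller-manager/service-account-key.pem kubelet/10.1.0.87-key.pem; do
  printf 'constructed placeholder, not real key material\n' > "$ROOT/$f"
done
chmod 644 "$ROOT"/*/*.pem     # certificates may be world-readable; this is the wrong mode for keys
chmod 600 "$ROOT/etcd/etcd-key.pem" "$ROOT/kube-apiserver/ca-key.pem" "$ROOT/kubelet/10.1.0.87-key.pem"
chmod 640 "$ROOT/kube-controller-manager/service-account-key.pem"   # deliberately group-readable
# kube-apiserver/kubernetes-key.pem is deliberately left at 644 (world-readable)

audit_private_keys "$ROOT" || echo "$? private key(s) should be chmod 600"
```

On a real node run audit_private_keys /opt as root; the two expected findings in the constructed tree are kubernetes-key.pem and service-account-key.pem, and chmod 600 on each makes the audit return 0.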

An example of generating a certificate is as follows:

The commands to run are:

. environment
cd cert
./install.sh
cd -

3 Deploy etcd

In production, etcd needs three or five nodes. To save resources and simplify deployment, only a single node is deployed here.

4 Deploy MASTER

Not every parameter's meaning is listed here; refer to the official documentation if needed. The key parameters are as follows.

Besides the certificate settings, the main parameters for kube-apiserver are:

--service-cluster-ip-range=${SERVICE_CIDR}     # IP range assigned to services
--service-node-port-range=${NODE_PORT_RANGE}   # port range assigned to NodePort services

Key parameters of kube-controller-manager:

--allocate-node-cidrs=true                   # assign a pod IP segment to each node
--cluster-cidr=${CLUSTER_CIDR}               # total pod IP segment
--service-cluster-ip-range=${SERVICE_CIDR}   # service IP range

kube-scheduler actively connects to the apiserver and watches the related events.

. environment
cd master
./kube-apiserver.sh
./kube-controller-manager.sh
./kube-scheduler.sh
cd -

5 Deploy NODE

A node mainly runs kubelet, kube-proxy and the container runtime service.

The standards relevant to the container runtime are CRI and OCI:

CRI (Container Runtime Interface) is a set of gRPC services defined by Kubernetes. kubelet acts as the client and talks to the container runtime over a socket using the gRPC framework. It covers two kinds of services: the image service (ImageService) and the runtime service (RuntimeService). Implementations include containerd and cri-o.

OCI (Open Container Initiative) defines open industry standards for creating containers and runtimes, namely the Image Specification and the Runtime Specification. Implementations include runc and kata.

As shown in the figure below, this article uses the second approach:

. environment
cd node
./containerd.sh
./kubelet.sh
./kube-proxy.sh
cd -

6 Deploy Flannel and CoreDNS

Next, deploy the Kubernetes network-related plug-ins: Flannel and CoreDNS.

CoreDNS is an implementation of the Kubernetes DNS server; it resolves names by synchronizing service and pod data from the API Server. Its operation diagram is as follows:

Flannel is an overlay network solution for Kubernetes. It runs a flanneld agent on each host, which is responsible for pre-assigning a subnet to that host and allocating an IP address to each Pod. Flannel stores the network configuration, the assigned subnets and the hosts' public IPs in Kubernetes or etcd. Packets are forwarded through a back-end mechanism such as VXLAN, UDP or host-gw, as shown in the figure below:

. environment
cd flannel
./flannel.sh
cd -
cd coredns
./coredns.sh
cd -

7 Verify the cluster

kubectl apply -f ./pod.yaml
kubectl get pods

That concludes how to quickly deploy a cluster in Kubernetes. I hope the above content is of some help to you.
