2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
There are many ways to install a Kubernetes cluster: compiling and installing from the source package, installing precompiled binary packages, using the kubeadm tool, and so on. This article installs the Kubernetes cluster from binary files.
System environment
Hostname     IP address      Operating system     Installed components
k8s-master   192.168.2.212   CentOS 7.5 64-bit    etcd, kube-apiserver, kube-controller-manager, kube-scheduler
k8s-node1    192.168.2.213   CentOS 7.5 64-bit    kubelet, kube-proxy
k8s-node2    192.168.2.214   CentOS 7.5 64-bit    kubelet, kube-proxy
k8s-node3    192.168.2.215   CentOS 7.5 64-bit    kubelet, kube-proxy

I. Global operations (executed on all machines)
1. Install the tools you need.
yum -y install vim bash-completion wget
Note: after installing bash-completion, the Tab key completes long-format parameters, which is very convenient. The parameters of the kubectl command are all in long format, and I can't even remember some of the commands, let alone their long-format parameters.
2. Turn off the firewalld firewall
There is a lot of network communication between the Kubernetes master (management host) and the nodes (worker nodes). The safe practice is to open, on the firewall, the ports that each component needs in order to communicate with the others. I will explain the firewall configuration separately in a later blog post. In a secure internal network environment it is recommended to turn off the firewall service; here we turn it off to deploy the test environment.
systemctl disable firewalld
systemctl stop firewalld
3. Disable SELinux
The purpose of disabling SELinux is to allow containers to read the host file system.
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# (the original runs a second sed against /etc/selinux/config here; its expression is not recoverable)
setenforce 0

II. Deploy the master management node
1. Install CFSSL
[root@k8s-master ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
[root@k8s-master ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
[root@k8s-master ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
[root@k8s-master ~]# chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
2. Download and extract the compiled binary package
[root@k8s-master tmp]# wget https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
[root@k8s-master tmp]# wget https://dl.k8s.io/v1.12.2/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master tmp]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@k8s-master tmp]# tar zxvf kubernetes-server-linux-amd64.tar.gz
3. Copy the executables to the /usr/bin directory
[root@k8s-master tmp]# cd etcd-v3.3.10-linux-amd64/
[root@k8s-master etcd-v3.3.10-linux-amd64]# cp -p etcd etcdctl /usr/bin/
[root@k8s-master etcd-v3.3.10-linux-amd64]# cd /tmp/kubernetes/server/bin/
[root@k8s-master bin]# cp -p kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/bin/
4. Configure the etcd service
Note: etcd is the database of the Kubernetes cluster and stores the data of all resource objects. For security, access to it is authenticated with digital certificates. In a production environment, it is recommended to separate etcd out and deploy it as its own cluster.
(1) Generate the CA certificate configuration files
[root@k8s-master bin]# mkdir -p /etc/{etcd/ssl,kubernetes/ssl}
[root@k8s-master bin]# cd /etc/etcd/ssl/
[root@k8s-master ssl]# cfssl print-defaults config > ca-config.json
[root@k8s-master ssl]# cfssl print-defaults csr > ca-csr.json
(2) Modify the configuration files
Modify the ca-config.json file to set a validity period of 43800h (5 years)
{
  "signing": {
    "default": {"expiry": "43800h"},
    "profiles": {
      "kubernetes": {
        "expiry": "43800h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
The "server auth" and "client auth" usages mean that the server and the client use the same certificate for authentication.
Modify the ca-csr.json file as follows
{
  "CN": "k8s-master",
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "ShangHai", "ST": "ShangHai", "O": "K8s", "OU": "System"}]
}
(3) Generate the CA certificate and private key files
[root@k8s-master ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
(4) Issue the etcd certificate
[root@k8s-master ssl]# cfssl print-defaults csr > etcd-csr.json
Modify the etcd-csr.json file as follows
{
  "CN": "etcd",
  "hosts": ["127.0.0.1", "192.168.2.212"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "L": "ShangHai", "ST": "ShangHai", "O": "K8s", "OU": "System"}]
}
Generate the etcd certificate and private key
[root@k8s-master ssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes -hostname=127.0.0.1,192.168.2.212 etcd-csr.json | cfssljson -bare etcd
Note: enter the IPs of all etcd hosts in "hosts". For -hostname, enter the IP of the current host, or enter the IPs of all etcd hosts so that the other etcd nodes do not need to create their own certificates and private keys. The value of -profile=kubernetes must match a name under the profiles field in the corresponding ca-config.json file.
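Before etcd is started with the new certificate, it is worth confirming that it chains to the CA, carries both usages from the "kubernetes" profile, and lists every etcd address as a SAN. The script below is an added example, not part of the original article; the function names are hypothetical, and make_sample_pki uses openssl to build a constructed stand-in for the ca.pem and etcd.pem that cfssl writes, so the check can be tried without cfssl.

```shell
#!/bin/sh
# check_etcd_cert CA CERT IP...  returns 0 only if every check passes.
check_etcd_cert() {
    ca=$1; cert=$2; shift 2
    # 1. The certificate must chain to the cluster CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not signed by $ca"; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # 2. The profile's "server auth" and "client auth" usages must both be set.
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        printf '%s\n' "$text" | grep -q "$eku" ||
            { echo "FAIL: missing usage: $eku"; return 1; }
    done
    # 3. Every address etcd is reached on must be an exact IP SAN.
    for ip in "$@"; do
        printf '%s\n' "$text" | tr -d ' ' | tr ',' '\n' |
            grep -Fqx "IPAddress:$ip" ||
            { echo "FAIL: $ip is not in the certificate's SANs"; return 1; }
    done
    # 4. The certificate must still be valid 30 days from now.
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within 30 days"; return 1; }
    return 0
}

# Constructed sample PKI (openssl standing in for cfssl), written into dir $1.
# 1825 days matches the article's 43800h expiry.
make_sample_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -subj "/CN=k8s-master" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd" \
        -keyout "$d/etcd-key.pem" -out "$d/etcd.csr" 2>/dev/null &&
    printf '%s\n' "extendedKeyUsage=serverAuth,clientAuth" \
        "subjectAltName=IP:127.0.0.1,IP:192.168.2.212" > "$d/ext.cnf" &&
    openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1825 -extfile "$d/ext.cnf" \
        -out "$d/etcd.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample_pki "$demo"
check_etcd_cert "$demo/ca.pem" "$demo/etcd.pem" 127.0.0.1 192.168.2.212 &&
    echo "etcd certificate OK"
```

On the master, run the same check against the real files: check_etcd_cert /etc/etcd/ssl/ca.pem /etc/etcd/ssl/etcd.pem 127.0.0.1 192.168.2.212.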
(5) Create a script to generate the etcd configuration file
[root@k8s-master ssl]# cd /root/
[root@k8s-master ~]# vim etcd.sh
ETCD_INITIAL_CLUSTER=$ ETCD_INITIAL_CLUSTER=$ {3 root@k8s-master -} ETCD_INITIAL_CLUSTER=$ {3VR -} cat