2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
I. Project introduction
This project aims to help enterprises or individuals who want to run native kubernetes build a high-availability kubernetes cluster manually, in a convenient and systematic way, and to give the people involved a better understanding of how a kubernetes cluster operates.
Software version
os: centos7.7 (ubuntu also applies, some commands need to be replaced)
kubernetes: 1.16.2
etcd: 3.4.3
docker: 18.06
calico: 3.10.1-2
coredns
Configuration policy
Kube-apiserver:
Use a node-local nginx layer-4 transparent proxy for high availability; disable the insecure port 8080 and anonymous access; accept https requests on the secure port 6443; apply strict authentication and authorization policies (x509, token, RBAC); enable bootstrap token authentication to support kubelet TLS bootstrapping; access kubelet and etcd over https so that communication is encrypted
Kube-controller-manager:
High availability across 3 nodes; disable the insecure port 10252 and accept https requests on the secure port 10257; use a kubeconfig to access the secure port of apiserver; automatically approve kubelet certificate signing requests (CSR), with certificates rotated automatically when they expire; each controller accesses apiserver using its own ServiceAccount
Kube-scheduler:
High availability across 3 nodes; disable the insecure port 10251 and accept https requests on the secure port 10259; use a kubeconfig to access the secure port of apiserver
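The port and authentication policies listed above for kube-apiserver, kube-controller-manager and kube-scheduler can be checked mechanically against a component's command line. The script below is an added example, not part of the original article; the flag names and defaults are those of Kubernetes 1.16 (an assumption, since the article gives only the ports and goals), and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example: audit a control-plane command line against the policy above.
# Flag names and defaults are the Kubernetes 1.16 ones (assumption; the page
# lists only the ports and goals, not the flags).

# flag_value CMDLINE FLAG DEFAULT: print the effective value of --FLAG.
flag_value() (
  set -f                          # no glob expansion while word-splitting
  value=$3
  for arg in $1; do
    case $arg in
      "--$2="*) value=${arg#*=} ;;
      "--$2")   value=true ;;     # bare boolean flag
    esac
  done
  printf '%s\n' "$value"
)

# expect NAME CMDLINE FLAG DEFAULT WANT: print a finding on mismatch.
expect() (
  got=$(flag_value "$2" "$3" "$4")
  [ "$got" = "$5" ] || echo "$1: --$3 is '$got', policy wants '$5'"
)

# audit CMDLINE: print one finding per deviation; no output means compliant.
audit() (
  case $1 in
    *kube-apiserver*)
      expect kube-apiserver "$1" insecure-port 8080 0
      expect kube-apiserver "$1" anonymous-auth true false
      expect kube-apiserver "$1" secure-port 6443 6443
      expect kube-apiserver "$1" enable-bootstrap-token-auth false true
      case ",$(flag_value "$1" authorization-mode AlwaysAllow)," in
        *,RBAC,*) ;;
        *) echo "kube-apiserver: --authorization-mode lacks RBAC" ;;
      esac ;;
    *kube-controller-manager*)
      expect kube-controller-manager "$1" port 10252 0
      expect kube-controller-manager "$1" secure-port 10257 10257 ;;
    *kube-scheduler*)
      expect kube-scheduler "$1" port 10251 0
      expect kube-scheduler "$1" secure-port 10259 10259 ;;
    *) echo "unrecognized component: $1" ;;
  esac
)

# Constructed sample command lines (not taken from the page).
HARDENED='kube-apiserver --insecure-port=0 --anonymous-auth=false --secure-port=6443 --enable-bootstrap-token-auth --authorization-mode=Node,RBAC'
WEAK='kube-apiserver --secure-port=6443 --authorization-mode=AlwaysAllow'
audit "$HARDENED"
audit "$WEAK"
```

On a running node the command line can be taken from the component's systemd unit or process listing and passed to `audit` as a single string.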
Kubelet:
Use kubeadm to create bootstrap tokens dynamically instead of configuring them statically in apiserver; use the TLS bootstrap mechanism to generate client and server certificates automatically and rotate them automatically after expiration; configure the main parameters in a JSON file of type KubeletConfiguration; disable the read-only port 10255, accept https requests on the secure port 10250, authenticate and authorize requests, and deny anonymous and unauthorized access; use a kubeconfig to access the secure port of apiserver
Kube-proxy:
Use a kubeconfig to access the secure port of apiserver; configure the main parameters in a JSON file of type KubeProxyConfiguration; use ipvs proxy mode
Cluster plug-in:
DNS: use coredns; Dashboard with better function and performance: support login authentication; Metric: metrics-server, use https to access the kubelet secure port; Log: Elasticsearch, Fluentd, Kibana; Registry (image repository): docker-registry, harbor
II. Practice environment preparation
1. Server description
We are using five centos 7.7 virtual machines here. The details are as follows:
System type   IP address     Node role   CPU    Memory   Hostname
centos-7.7    172.18.0.100   master      >= 2   >= 2G    k8s-m01
centos-7.7    172.18.0.101   master      >= 2   >= 2G    k8s-m02
centos-7.7    172.18.0.102   master      >= 2   >= 2G    k8s-m03
centos-7.7    172.18.0.103   worker      >= 2   >= 2G    k8s-n01
centos-7.7    172.18.0.104   worker      >= 2   >= 2G    k8s-n02
2. System settings (all nodes)
2.1 Hostname
Each node must have a different hostname, and all nodes must be able to reach each other by hostname.
# view the hostname
$ hostname
# modify the hostname (replace <hostname> with this node's name from the server table, e.g. k8s-m01)
$ hostnamectl set-hostname <hostname>
# configure hosts so that the nodes can reach each other by hostname
$ vi /etc/hosts
2.2 Install dependency packages
# update yum
$ yum update
# install dependency packages
$ yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp wget
# time synchronization
$ ntpdate time1.aliyun.com
2.3 Turn off the firewall and swap, reset iptables
# stop and disable the firewall
$ systemctl stop firewalld && systemctl disable firewalld
# reset iptables
$ iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat && iptables -P FORWARD ACCEPT
# turn off swap and comment out the swap entries in /etc/fstab
$ swapoff -a
$ sed -i '/swap/s/^\(.*\)$/#\1/g' /etc/fstab
# turn off selinux
$ setenforce 0
# stop dnsmasq (otherwise docker containers may fail to resolve domain names)
$ service dnsmasq stop && systemctl disable dnsmasq
2.4 System parameter settings
# create the configuration file
$ cat > /etc/sysctl.d/kubernetes.conf