Installation and configuration of Kubernetes binary v1.13.2 production environment (HTTPS+RBAC)

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

I Background of the installation and configuration (HTTPS+RBAC) of a Kubernetes v1.13.2 production environment in binary mode

Due to well-known reasons, Google services cannot be accessed directly from China. Because the binary packages are easy to download and flexible to customize, they are favoured by many Kubernetes users and have become one of the more popular ways for enterprises to deploy production environments. Kubernetes v1.13.2 is the latest version at the time of writing. The installation and deployment process is complex and tedious, so the steps are scripted wherever possible. All scripts in this article have passed my tests.

II Environment and Architecture

2.1 Software Environment

OS (minimized installation):

cat /etc/centos-release
CentOS Linux release 7.6.1810 (Core)

Docker Engine:

docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:08:18 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:10:42 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Kubernetes:

kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:35:51Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:28:14Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}

ETCD:

etcd --version
etcd Version: 3.3.11
Git SHA: 2cf9e51d2
Go Version: go1.10.7
Go OS/Arch: linux/amd64

Flannel:

flanneld -version
v0.11.0

2.2 Server Planning

IP           Hostname     Role          Component
172.31.2.11  gysl-master  Master, Node  kube-apiserver, kube-scheduler, kube-controller-manager, (kubectl), kubelet, kube-proxy, docker, flannel
172.31.2.12  gysl-node1   Node          kubelet, kube-proxy, docker, flannel, etcd
172.31.2.13  gysl-node2   Node          kubelet, kube-proxy, docker, flannel, etcd

Note: the components in bold must be installed on the Master node. Etcd can be deployed either on other nodes or on the Master node. Kubectl is the command line tool for managing Kubernetes. The rest are required components of every Node.

2.3 Introduction to the functions of the nodes and components

Master node:

The Master node mainly consists of four modules: apiserver, scheduler, controller-manager and etcd.

Apiserver: the Kubernetes API service, responsible for exposing the RESTful API to the outside world. It is the unified entry point for system management instructions: every addition, deletion or modification of a resource is submitted to apiserver, which then persists it in etcd. Kubectl (the client tool shipped with Kubernetes, which internally calls the Kubernetes API) interacts directly with apiserver.

Scheduler: responsible for scheduling Pods onto suitable Nodes. Treated as a black box, its input is a Pod plus a list of Nodes, and its output is a binding of the Pod to one Node. Kubernetes ships its own scheduling algorithms but keeps the interface open, so users can define their own scheduling algorithm according to their needs.

Controller-manager: if apiserver works in the foreground, controller-manager is in charge of the background. Each resource corresponds to a controller, and controller-manager is responsible for managing these controllers. For example, when we create a Pod through apiserver, the task of apiserver is complete as soon as the Pod object has been created; everything that follows is handled by the controllers.

Etcd: etcd is a highly available key-value storage system. Kubernetes uses it to store the state of every resource, and it is the store behind the RESTful API.

Node node:

Each Node mainly consists of two modules: kubelet and kube-proxy.

Kube-proxy: this module implements service discovery and reverse proxying in Kubernetes. Kube-proxy supports TCP and UDP connection forwarding and, by default, uses a Round Robin algorithm to forward client traffic to the set of backend Pods belonging to a Service. For service discovery, kube-proxy uses etcd's watch mechanism to follow changes to Service and Endpoint objects in the cluster and maintains a mapping from Service to Endpoints, so that IP changes of backend Pods do not affect clients. Kube-proxy also supports session affinity.

Kubelet: kubelet is the agent of the Master on each Node and the most important module on the Node. It is responsible for maintaining and managing all containers on that Node, except containers that were not created through Kubernetes. In essence, it keeps the running state of the Pods consistent with their desired state.

2.4 Kubernetes Architecture Diagram

2.5 Kubernetes Workflow Chart

III Steps

3.1 Initialization settings

Execute the script KubernetesInstall-01.sh on all hosts; the Master node is used as the example below.

[root@gysl-master ~]# sh KubernetesInstall-01.sh

The script reads as follows:

#!/bin/bash
# Initialize the machine. This needs to be executed on every machine.
# Add host domain name.
cat >> /etc/hosts
# ... (the middle of this script, and the start of the Docker installation script that
#      follows it, are missing from the page; only the tail below survives) ...
    &>/dev/null
    yum list docker-ce --showduplicates | grep "^doc" | sort -r
    yum -y install docker-ce-18.06.0.ce-3.el7
    rm -f /etc/yum.repos.d/docker-ce.repo
    systemctl enable docker && systemctl start docker && systemctl status docker
else
    echo "Install failed! Please try again!"; exit 110
fi

Note: the above steps need to be performed on every node. If swap is enabled it must be disabled (KubernetesInstall-01.sh already takes care of this); you can check the result with the free command. Also make sure the clocks of all nodes are synchronized.

3.3 Download the related binary packages

Download them by executing the script KubernetesInstall-03.sh on the Master.

[root@gysl-master ~]# sh KubernetesInstall-03.sh

The script reads as follows:

#!/bin/bash
# Download relevant softwares. Please verify sha512 yourself.
# Retry the whole batch until every download has completed (curl -C - resumes partial files).
while true
  do
    echo "Downloading, please wait a moment." && \
    curl -L -C - -O https://dl.k8s.io/v1.13.2/kubernetes-server-linux-amd64.tar.gz && \
    curl -L -C - -O https://github.com/etcd-io/etcd/releases/download/v3.2.26/etcd-v3.2.26-linux-amd64.tar.gz && \
    curl -L -C - -O https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 && \
    curl -L -C - -O https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 && \
    curl -L -C - -O https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 && \
    curl -L -C - -O https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
    if [ $? -eq 0 ]
      then
        echo "Congratulations! All software packages have been downloaded."
        break
    fi
  done

kubernetes-server-linux-amd64.tar.gz contains all the main Kubernetes components, so no additional packages are needed. etcd-v3.2.26-linux-amd64.tar.gz is the package needed to deploy etcd. The rest are cfssl-related tools, which are not discussed further here. Because of network conditions, downloading through the script may take a while.
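The download script leaves the sha512 verification to the reader. The following is an added example (not part of the original article or its scripts) of how to do that check before installing anything: a digest mismatch removes the file so a retry loop like the one above re-downloads it. The package name and digests used in demo() are constructed stand-ins, not the real digests of the Kubernetes or etcd tarballs.

```shell
#!/bin/bash
# Added example: verify the sha512 of a downloaded package before installing it.

# sha512_of FILE -> prints the hex digest (coreutils sha512sum, or BSD shasum as fallback)
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_package FILE EXPECTED_SHA512 -> returns 0 on match, 1 otherwise.
# On mismatch the file is deleted so a retry loop fetches a fresh copy instead of
# repeatedly "verifying" the same corrupted or tampered download.
verify_package() {
    local file="$1" expected="$2" actual
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual="$(sha512_of "$file")"
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected $expected, got $actual)" >&2
    rm -f "$file"
    return 1
}

# demo: constructed input only. A stand-in "package" whose digest we compute ourselves,
# plus an altered copy that must be rejected and removed. Returns 0 if both behave.
demo() {
    local dir good bad digest
    dir="$(mktemp -d)"
    good="$dir/kubernetes-server-linux-amd64.tar.gz"   # name only; contents are constructed
    printf 'constructed package contents\n' > "$good"
    digest="$(sha512_of "$good")"
    verify_package "$good" "$digest" || return 1          # genuine file passes
    bad="$dir/tampered.tar.gz"
    printf 'constructed package contents (altered)\n' > "$bad"
    if verify_package "$bad" "$digest" 2>/dev/null; then return 1; fi   # altered file fails
    [ ! -f "$bad" ] || return 1                           # and has been removed
    rm -rf "$dir"
    return 0
}
```

In the real deployment, call verify_package once per downloaded file with the publisher's sha512 before unpacking it.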

3.4 Deploy the etcd cluster

3.4.1 Create the CA certificate

Execute the script KubernetesInstall-04.sh on the Master.

[root@gysl-master ~]# sh KubernetesInstall-04.sh
2019/01/28 16:29:47 [INFO] generating a new CA key and certificate from CSR
2019/01/28 16:29:47 [INFO] generate received request
2019/01/28 16:29:47 [INFO] received CSR
2019/01/28 16:29:47 [INFO] generating key: rsa-2048
2019/01/28 16:29:47 [INFO] encoded CSR
2019/01/28 16:29:47 [INFO] signed certificate with serial number 3680343865249916717953238390048460617296625670
2019/01/28 16:29:47 [INFO] generate received request
2019/01/28 16:29:47 [INFO] received CSR
2019/01/28 16:29:47 [INFO] generating key: rsa-2048
2019/01/28 16:29:48 [INFO] encoded CSR
2019/01/28 16:29:48 [INFO] signed certificate with serial number 714486490152688826461700674622674548864494534798
2019/01/28 16:29:48 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
/etc/etcd/ssl/ca-key.pem
/etc/etcd/ssl/ca.pem
/etc/etcd/ssl/server-key.pem
/etc/etcd/ssl/server.pem

The script reads as follows:

#!/bin/bash
mv cfssl* /usr/local/bin/
chmod +x /usr/local/bin/cfssl*
ETCD_SSL=/etc/etcd/ssl
mkdir -p $ETCD_SSL
# Create some CA certificates for etcd cluster.
cat
