{"id":994,"date":"2021-07-29T19:47:28","date_gmt":"2021-07-29T11:47:28","guid":{"rendered":"https:\/\/egonlin.com\/?p=994"},"modified":"2021-07-30T12:11:08","modified_gmt":"2021-07-30T04:11:08","slug":"%e7%ac%ac%e4%ba%8c%e8%8a%82%ef%bc%9a%e4%ba%8c%e8%bf%9b%e5%88%b6%e5%ae%89%e8%a3%85kubernets","status":"publish","type":"post","link":"https:\/\/egonlin.com\/?p=994","title":{"rendered":"\u7b2c\u4e8c\u8282\uff1a\u4e8c\u8fdb\u5236\u5b89\u88c5kubernets"},"content":{"rendered":"

\u4e8c\u8fdb\u5236\u5b89\u88c5kubernets<\/h1>\n

\u4e00\u3001\u7b80\u4ecb<\/h2>\n
    Kubernetes\u6709\u4e24\u79cd\u65b9\u5f0f\uff0c\u7b2c\u4e00\u79cd\u662f\u4e8c\u8fdb\u5236\u7684\u65b9\u5f0f\uff0c\u53ef\u5b9a\u5236\u4f46\u662f\u90e8\u7f72\u590d\u6742\u5bb9\u6613\u51fa\u9519\uff1b\u7b2c\u4e8c\u79cd\u662fkubeadm\u5de5\u5177\u5b89\u88c5\uff0c\u90e8\u7f72\u7b80\u5355\uff0c\u4e0d\u53ef\u5b9a\u5236\u5316\u3002\u672c\u6b21\u6211\u4eec\u90e8\u7f72\u4e8c\u8fdb\u5236\u5b89\u88c5.\n    \u670d\u52a1\u5668\u914d\u7f6e\u81f3\u5c11\u662f2G2\u6838\u7684\u3002\u5982\u679c\u4e0d\u662f\u5219\u53ef\u4ee5\u5728\u96c6\u7fa4\u521d\u59cb\u5316\u540e\u9762\u589e\u52a0 --ignore-preflight-errors=NumCPU\n    k8s\u548cdocker\u4e4b\u95f4\u7684\u5173\u7cfb\uff1f\n    k8s\u662f\u4e00\u4e2a\u5bb9\u5668\u5316\u7ba1\u7406\u5e73\u53f0\uff0cdocker\u662f\u4e00\u4e2a\u5bb9\u5668\uff0c<\/code><\/pre>\n
\u4e8c\u3001\u90e8\u7f72\u89c4\u5212<\/h2>\n
1\u3001\u7248\u672c\u89c4\u5212<\/h3>\n\n\n\n\n\n\n\n\n\n\n
\u8f6f\u4ef6<\/th>\n\u7248\u672c<\/th>\n<\/tr>\n<\/thead>\n
Centos<\/td>\n7.5\u7248\u672c\u53ca\u4ee5\u4e0a<\/td>\n<\/tr>\n
Docker<\/td>\n19.03\u53ca\u4ee5\u4e0a<\/td>\n<\/tr>\n
Kubernetse<\/td>\nV1.19.1\u53ca\u4ee5\u4e0a<\/td>\n<\/tr>\n
Flanner<\/td>\nV0.13.0\u53ca\u4ee5\u4e0a<\/td>\n<\/tr>\n
Kernel-lm<\/td>\nkernel-lt-4.4.245-1.el7.elrepo.x86_64.rpm\u53ca\u4ee5\u4e0a<\/td>\n<\/tr>\n
Kernel-lm-devel<\/td>\nkernel-lt-devel-4.4.245-1.el7.elrepo.x86_64.rpm<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
2\u3001\u8282\u70b9\u89c4\u5212<\/h3>\n\n\n\n\n\n\n\n\n\n
Hostname<\/th>\nIp<\/th>\n<\/tr>\n<\/thead>\n
k8s-m-01<\/td>\n192.168.15.51<\/td>\n<\/tr>\n
k8s-m-02<\/td>\n192.168.15.52<\/td>\n<\/tr>\n
k8s-m-03<\/td>\n192.168.15.53<\/td>\n<\/tr>\n
k8s-n-01<\/td>\n192.168.15.54<\/td>\n<\/tr>\n
k8s-n-02<\/td>\n192.168.15.55<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u4e09\u3001\u4fee\u6539\u7f51\u7edc\u53ca\uff08\u4e94\u53f0\u4e3b\u673a\uff09<\/h2>\n
1\u3001\u4fee\u6539\u865a\u62df\u7f51\u7edc\u7f16\u8f91\u5668<\/h3>\n
\"\"<\/div>
\n
\"\"<\/div><\/p>\n
2\u3001\u514b\u9686\u4e3b\u673a<\/h3>\n
\u7565<\/code><\/pre>\n
\u5185\u7f51eth1\u4e5f\u8981\u4e0d\u540cIP\u5426\u5219\u4e09\u53f0\u673a\u5668IP\u51b2\u7a81\u3002\u4fee\u6539\u5b8c\u6210\u540e\u91cd\u542f\u7f51\u5361\uff0cping baidu.com \u67e5\u770b\u7f51\u7edc\u662f\u5426\u7545\u901a<\/strong><\/p>\n
\u56db\u3001\u4fee\u6539\u4e3b\u673a\u540d\u53ca\u89e3\u6790(\u4e94\u53f0\u8282\u70b9)<\/h2>\n
1\u3001\u4fee\u6539\u4e3b\u673a\u540d<\/h3>\n
hostnamectl set-hostname k8s-m-01\nhostnamectl set-hostname k8s-m-02\nhostnamectl set-hostname k8s-m-03\nhostnamectl set-hostname k8s-n-01\nhostnamectl set-hostname k8s-n-02<\/code><\/pre>\n
2\u3001\u6dfb\u52a0host\u89e3\u6790<\/h3>\n
vim \/etc\/hosts\n192.168.15.51  k8s-m-01 m1\n192.168.15.52  k8s-m-02 m2\n192.168.15.53  k8s-m-03 m3\n192.168.15.54  k8s-n-01 n1\n192.168.15.55  k8s-n-02 n2<\/code><\/pre>\n
3\u3001\u6dfb\u52a0DNS\u89e3\u6790<\/h3>\n
 vim \/etc\/resolv.conf\n# Generated by NetworkManager\nnameserver 223.5.5.5\nnameserver 114.114.114.114\n<\/code><\/pre>\n
\u4e94\u3001\u7cfb\u7edf\u4f18\u5316(\u4e94\u4e2a\u8282\u70b9\u5168\u505a)<\/h2>\n
1\u3001\u5173\u95edselinux<\/h3>\n
# \u6c38\u4e45\u5173\u95ed\nsed -i 's#enforcing#disabled#g' \/etc\/selinux\/config\n\n#\u4e34\u65f6\u5173\u95ed\nsetenforce 0<\/code><\/pre>\n
2\u3001\u5173\u95ed\u9632\u706b\u5899<\/h3>\n
systemctl disable --now firewalld<\/code><\/pre>\n
3\u3001\u5173\u95edswap\u5206\u533a<\/h3>\n
# \u5173\u95edswap\u5206\u533a\nswapoff -a \n\n# kubelet\u5ffd\u7565swap\necho 'KUBELET_EXTRA_ARGS="--fail-swap-on=false"' > \/etc\/sysconfig\/kubelet\n\n# \u6ce8\u91caswap\u5206\u533a\nvim \/etc\/fstab<\/code><\/pre>\n
4\u3001\u505a\u514d\u5bc6\u767b\u5f55(m01\u8282\u70b9\u505a)<\/h3>\n
[root@k8s-m-01 ~]# rm -rf \/root\/.ssh\n[root@k8s-m-01 ~]# ssh-keygen       \u4ea4\u4e92\u5f0f\u76f4\u63a5\u5168\u90e8\u56de\u8f66\n[root@k8s-m-01 ~]# cd \/root\/.ssh\/\n[root@k8s-m-01 ~\/.ssh]# mv id_rsa.pub authorized_keys\n[root@k8s-m-01 ~\/.ssh]# scp  -r  \/root\/.ssh  192.168.15.51:\/root\n[root@k8s-m-01 ~\/.ssh]# scp  -r  \/root\/.ssh  192.168.15.52:\/root\n[root@k8s-m-01 ~\/.ssh]# scp  -r  \/root\/.ssh  192.168.15.53:\/root\n[root@k8s-m-01 ~\/.ssh]# scp  -r  \/root\/.ssh  192.168.15.54:\/root\n[root@k8s-m-01 ~\/.ssh]# scp  -r  \/root\/.ssh  192.168.15.55:\/root<\/code><\/pre>\n
5\u3001\u540c\u6b65\u96c6\u7fa4\u65f6\u95f4<\/h3>\n
echo '#Timing synchronization time' >>\/var\/spool\/cron\/root  #\u7ed9\u5b9a\u65f6\u4efb\u52a1\u52a0\u4e0a\u6ce8\u91ca\necho '0 *\/1 * * * \/usr\/sbin\/ntpdate ntp1.aliyun.com &>\/dev\/null' >>\/var\/spool\/cron\/root      #\u8bbe\u7f6e\u5b9a\u65f6\u4efb\u52a1\ncrontab -l  #\u68c0\u67e5\u7ed3\u679c<\/code><\/pre>\n
6\u3001\u66f4\u65b0yum\u6e90<\/h3>\n
rm -rf \/etc\/yum.repos.d\/*\n\ncurl -o \/etc\/yum.repos.d\/CentOS-Base.repo https:\/\/repo.huaweicloud.com\/repository\/conf\/CentOS-7-reg.repo\n\nyum install -y https:\/\/repo.huaweicloud.com\/epel\/epel-release-latest-7.noarch.rpm\n\nsed -i \"s\/#baseurl\/baseurl\/g\" \/etc\/yum.repos.d\/epel.repo\nsed -i \"s\/metalink\/#metalink\/g\" \/etc\/yum.repos.d\/epel.repo\nsed -i \"s@https\\?:\/\/download.fedoraproject.org\/pub@https:\/\/repo.huaweicloud.com@g\" \/etc\/yum.repos.d\/epel.repo\n\nyum clean all\nyum makecache<\/code><\/pre>\n
7\u3001\u66f4\u65b0\u7cfb\u7edf\u8f6f\u4ef6(\u6392\u9664\u5185\u6838)<\/h3>\n
yum update -y --exclud=kernel*<\/code><\/pre>\n
8\u3001\u5b89\u88c5\u57fa\u7840\u5e38\u7528\u8f6f\u4ef6<\/h3>\n
yum install wget expect vim net-tools ntp bash-completion ipvsadm ipset jq iptables conntrack sysstat libseccomp -y<\/code><\/pre>\n
9\u3001\u66f4\u65b0\u7cfb\u7edf\u5185\u6838\uff08docker \u5bf9\u7cfb\u7edf\u5185\u6838\u8981\u6c42\u6bd4\u8f83\u9ad8\uff0c\u6700\u597d\u4f7f\u75284.4+\uff09<\/h3>\n
\u4e3b\u8282\u70b9\u64cd\u4f5c<\/strong><\/p>\n
[root@k8s-m-01 ~]# wget https:\/\/elrepo.org\/linux\/kernel\/el7\/x86_64\/RPMS\/kernel-lt-5.4.107-1.el7.elrepo.x86_64.rpm\n\n[root@k8s-m-01 ~]# wget https:\/\/elrepo.org\/linux\/kernel\/el7\/x86_64\/RPMS\/kernel-lt-devel-5.4.107-1.el7.elrepo.x86_64.rpm\n\n[root@k8s-m-01 ~]# for i in m1 m2 m3 n1 n2 ; do scp kernel-lt-* $i:\/opt; done<\/code><\/pre>\n
\u4e94\u4e2a\u8282\u70b9\u64cd\u4f5c<\/strong><\/p>\n
#\u5b89\u88c5\nyum localinstall -y \/opt\/kernel-lt*\n\n#\u8c03\u5230\u9ed8\u8ba4\u542f\u52a8\ngrub2-set-default 0 && grub2-mkconfig -o \/etc\/grub2.cfg \n\n#\u67e5\u770b\u5f53\u524d\u9ed8\u8ba4\u542f\u52a8\u7684\u5185\u6838\ngrubby --default-kernel\n\n#\u91cd\u542f\u7cfb\u7edf\nreboot<\/code><\/pre>\n
10\u3001\u5b89\u88c5IPVS<\/h3>\n
1\uff09yum\u5b89\u88c5<\/h4>\n
yum install -y conntrack-tools ipvsadm ipset conntrack libseccomp <\/code><\/pre>\n
2\uff09\u52a0\u8f7dIPVS\u6a21\u5757<\/h4>\n
cat > \/etc\/sysconfig\/modules\/ipvs.modules <<EOF \n#!\/bin\/bash \nipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack" \n\nfor kernel_module in \\${ipvs_modules}; do \n    \/sbin\/modinfo -F filename \\${kernel_module} > \/dev\/null 2>&1 \n    if [ $? -eq 0 ]; then \n        \/sbin\/modprobe \\${kernel_module} \n    fi \ndone \nEOF\n\nchmod 755 \/etc\/sysconfig\/modules\/ipvs.modules && bash \/etc\/sysconfig\/modules\/ipvs.modules && lsmod | grep ip_vs<\/code><\/pre>\n
11\u3001\u4fee\u6539\u5185\u6838\u542f\u52a8\u53c2\u6570\u4f18\u5316<\/h3>\n
cat > \/etc\/sysctl.d\/k8s.conf << EOF\nnet.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nfs.may_detach_mounts = 1\nvm.overcommit_memory=1\nvm.panic_on_oom=0\nfs.inotify.max_user_watches=89100\nfs.file-max=52706963\nfs.nr_open=52706963\nnet.ipv4.tcp_keepalive_time = 600\nnet.ipv4.tcp.keepaliv.probes = 3\nnet.ipv4.tcp_keepalive_intvl = 15\nnet.ipv4.tcp.max_tw_buckets = 36000\nnet.ipv4.tcp_tw_reuse = 1\nnet.ipv4.tcp.max_orphans = 327680\nnet.ipv4.tcp_orphan_retries = 3\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_max_syn_backlog = 16384\nnet.ipv4.ip_conntrack_max = 65536\nnet.ipv4.tcp_max_syn_backlog = 16384\nnet.ipv4.top_timestamps = 0\nnet.core.somaxconn = 16384\nEOF\n\n# \u7acb\u5373\u751f\u6548\nsysctl --system<\/code><\/pre>\n
12\u3001\u5b89\u88c5docker(\u4e94\u53f0\u8282\u70b9\u90fd\u8981\u505a)<\/h3>\n
1\uff09\u5378\u8f7d\u4e4b\u524d\u7684docker<\/h4>\n
yum remove docker docker-common docker-selinux docker-engine -y<\/code><\/pre>\n
2\uff09\u5b89\u88c5docker\u6240\u9700\u5b89\u88c5\u5305<\/h4>\n
yum install -y yum-utils device-mapper-persistent-data lvm2<\/code><\/pre>\n
3\uff09\u5b89\u88c5docker yum\u6e90<\/h4>\n
wget -O \/etc\/yum.repos.d\/docker-ce.repo https:\/\/repo.huaweicloud.com\/docker-ce\/linux\/centos\/docker-ce.repo<\/code><\/pre>\n
4\uff09\u5b89\u88c5docker<\/h4>\n
yum install docker-ce -y<\/code><\/pre>\n
\u4e0d\u6210\u529f\u591a\u6267\u884c\u51e0\u6b21<\/strong><\/p>\n
5\uff09\u542f\u52a8\u5e76\u8bbe\u7f6e\u5f00\u673a\u81ea\u542f<\/h4>\n
systemctl enable --now docker.service<\/code><\/pre>\n
\u516d\u3001\u96c6\u7fa4\u8bc1\u4e66\uff08\u53ea\u5728m01\u8282\u70b9\u64cd\u4f5c\uff09<\/h2>\n
    kubernetes\u7ec4\u4ef6\u4f17\u591a\uff0c\u8fd9\u4e9b\u7ec4\u4ef6\u4e4b\u95f4\u901a\u8fc7HTTP\/GRPC\u76f8\u4e92\u901a\u4fe1\uff0c\u4ee5\u534f\u540c\u5b8c\u6210\u96c6\u7fa4\u4e2d\u5e94\u7528\u7684\u90e8\u7f72\u548c\u7ba1\u7406\u5de5\u4f5c\u3002\u5c24\u5176\u662fmaster\u8282\u70b9\uff0c\u66f4\u662f\u638c\u63e1\u7740\u6574\u4e2a\u96c6\u7fa4\u7684\u64cd\u4f5c\u3002\u5176\u5b89\u5168\u5c31\u53d8\u5f97\u5c24\u4e3a\u91cd\u8981\u4e86\uff0c\u5728\u76ee\u524d\u4e16\u9762\u4e0a\u6700\u5b89\u5168\u7684\uff0c\u4f7f\u7528\u6700\u5e7f\u6cdb\u7684\u5c31\u662f\u6570\u5b57\u8bc1\u4e66\u3002kubernetes\u6b63\u662f\u4f7f\u7528\u8fd9\u79cd\u8ba4\u8bc1\u65b9\u5f0f\u3002<\/code><\/pre>\n
1\u3001\u5b89\u88c5cfssl\u8bc1\u4e66\u751f\u6210\u5de5\u5177<\/h3>\n
    \u672c\u6b21\u6211\u4eec\u4f7f\u7528cfssl\u8bc1\u4e66\u751f\u6210\u5de5\u5177\uff0c\u8fd9\u662f\u4e00\u6b3e\u628a\u9884\u5148\u7684\u8bc1\u4e66\u673a\u6784\u3001\u4f7f\u7528\u671f\u7b49\u65f6\u95f4\u5199\u5728json\u6587\u4ef6\u91cc\u9762\u4f1a\u66f4\u52a0\u9ad8\u6548\u548c\u81ea\u52a8\u5316\u3002cfssl\u91c7\u7528go\u8bed\u8a00\u7f16\u5199\uff0c\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u8bc1\u4e66\u7ba1\u7406\u5de5\u5177\uff0ccfssljson\u7528\u6765\u4ececfssl\u7a0b\u5e8f\u83b7\u53d6json\u8f93\u51fa\uff0c\u5e76\u5c06\u8bc1\u4e66\uff0c\u5bc6\u94a5\uff0ccsr\u548cbundle\u5199\u5165\u6587\u4ef6\u4e2d\u3002<\/code><\/pre>\n
# \u5b89\u88c5\u8bc1\u4e66\u751f\u6210\u5de5\u5177\nwget https:\/\/pkg.cfssl.org\/R1.2\/cfssl_linux-amd64\nwget https:\/\/pkg.cfssl.org\/R1.2\/cfssljson_linux-amd64\n\n# \u8bbe\u7f6e\u6267\u884c\u6743\u9650\nchmod +x cfssljson_linux-amd64\nchmod +x cfssl_linux-amd64\n\n# \u79fb\u52a8\u5230\/usr\/local\/bin\nmv cfssljson_linux-amd64 cfssljson\nmv cfssl_linux-amd64 cfssl\nmv cfssljson cfssl \/usr\/local\/bin<\/code><\/pre>\n
2\u3001\u521b\u5efa\u96c6\u7fa4\u6839\u8bc1\u4e66<\/h3>\n
    \u4ece\u6574\u4e2a\u67b6\u6784\u6765\u770b\uff0c\u96c6\u7fa4\u73af\u5883\u4e2d\u6700\u91cd\u8981\u7684\u90e8\u5206\u5c31\u662fetcd\u548cAPIserver\u3002\u6240\u4ee5\u96c6\u7fa4\u5f53\u4e2d\u7684\u8bc1\u4e66\u90fd\u662f\u9488\u5bf9etcd\u548capiserver\u6765\u8bbe\u7f6e\u7684\u3002\n    \u6240\u8c13\u6839\u8bc1\u4e66\uff0c\u662fCA\u8ba4\u8bc1\u4e2d\u5fc3\u4e0e\u7528\u6237\u5efa\u7acb\u4fe1\u4efb\u5173\u7cfb\u7684\u57fa\u7840\uff0c\u7528\u6237\u7684\u6570\u5b57\u8bc1\u4e66\u5fc5\u987b\u6709\u4e00\u4e2a\u53d7\u4fe1\u4efb\u7684\u6839\u8bc1\u4e66\uff0c\u7528\u6237\u7684\u6570\u5b57\u8bc1\u4e66\u624d\u662f\u6709\u6548\u7684\u3002\u4ece\u6280\u672f\u4e0a\u8bb2\uff0c\u8bc1\u4e66\u5176\u5b9e\u5305\u542b\u4e09\u90e8\u5206\uff0c\u7528\u6237\u7684\u4fe1\u606f\uff0c\u7528\u6237\u7684\u516c\u94a5\uff0c\u4ee5\u53ca\u8bc1\u4e66\u7b7e\u540d\u3002CA\u8d1f\u8d23\u6570\u5b57\u8bc1\u4e66\u7684\u6279\u5ba1\u3001\u53d1\u653e\u3001\u5f52\u6863\u3001\u64a4\u9500\u7b49\u529f\u80fd\uff0cCA\u9881\u53d1\u7684\u6570\u5b57\u8bc1\u4e66\u62e5\u6709CA\u7684\u6570\u5b57\u7b7e\u540d\uff0c\u6240\u4ee5\u9664\u4e86CA\u81ea\u8eab\uff0c\u5176\u4ed6\u673a\u6784\u65e0\u6cd5\u4e0d\u88ab\u5bdf\u89c9\u7684\u6539\u52a8\u3002<\/code><\/pre>\n
mkdir -p \/opt\/cert\/ca\n\ncat > \/opt\/cert\/ca\/ca-config.json <<EOF\n{\n  "signing": {\n    "default": {\n      "expiry": "8760h"\n    },\n    "profiles": {\n      "kubernetes": {\n        "usages": [\n          "signing",\n          "key encipherment",\n          "server auth",\n          "client auth"\n        ],\n           "expiry": "8760h"\n      }\n    }\n  }\n}\nEOF\n\n#\u8bc1\u4e66\u8be6\u89e3\n1.default\u662f\u9ed8\u8ba4\u7b56\u7565\uff0c\u6307\u5b9a\u8bc1\u4e66\u9ed8\u8ba4\u6709\u6548\u671f\u662f1\u5e74\n2.profiles\u662f\u5b9a\u4e49\u4f7f\u7528\u573a\u666f\uff0c\u8fd9\u91cc\u53ea\u662fkubernetes\uff0c\u5176\u5b9e\u53ef\u4ee5\u5b9a\u4e49\u591a\u4e2a\u573a\u666f\uff0c\u5206\u522b\u6307\u5b9a\u4e0d\u540c\u7684\u8fc7\u671f\u65f6\u95f4,\u4f7f\u7528\u573a\u666f\u7b49\u53c2\u6570,\u540e\u7eed\u7b7e\u540d\u8bc1\u4e66\u65f6\u4f7f\u7528\u67d0\u4e2aprofile;\n3.signing:\u8868\u793a\u8be5\u8bc1\u4e66\u53ef\u7528\u4e8e\u7b7e\u540d\u5176\u5b83\u8bc1\u4e66,\u751f\u6210\u7684ca.pem\u8bc1\u4e66\n4.serverauth:\u8868\u793aclient\u53ef\u4ee5\u7528\u8be5CA\u5bf9server\u63d0\u4f9b\u7684\u8bc1\u4e66\u8fdb\u884c\u6821\u9a8c;\n5.clientauth:\u8868\u793aserver\u53ef\u4ee5\u7528\u8be5CA\u5bf9client\u63d0\u4f9b\u7684\u8bc1\u4e66\u8fdb\u884c\u9a8c\u8bc1\u3002<\/code><\/pre>\n
3\u3001\u521b\u5efa\u6839CA\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\u6587\u4ef6<\/h3>\n
cat > \/opt\/cert\/ca\/ca-csr.json << EOF\n{\n  "CN": "kubernetes",\n  "key": {\n    "algo": "rsa",\n    "size": 2048\n  },\n  "names":[{\n    "C": "CN",\n    "ST": "ShangHai",\n    "L": "ShangHai"\n  }]\n}\nEOF<\/code><\/pre>\n
\u8bc1\u4e66\u8be6\u89e3<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n
\u8bc1\u4e66\u9879<\/th>\n\u89e3\u91ca<\/th>\n<\/tr>\n<\/thead>\n
C<\/td>\n\u56fd\u5bb6<\/td>\n<\/tr>\n
ST<\/td>\n\u7701<\/td>\n<\/tr>\n
L<\/td>\n\u57ce\u5e02<\/td>\n<\/tr>\n
O<\/td>\n\u7ec4\u7ec7<\/td>\n<\/tr>\n
OU<\/td>\n\u7ec4\u7ec7\u522b\u540d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
4\u3001\u751f\u6210\u6839\u8bc1\u4e66<\/h3>\n
[root@k8s-m-01 ~]# cd \/opt\/cert\/ca\n[root@k8s-m-01 \/opt\/cert\/ca]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -\n2021\/03\/26 17:34:55 [INFO] generating a new CA key and certificate from CSR\n2021\/03\/26 17:34:55 [INFO] generate received request\n2021\/03\/26 17:34:55 [INFO] received CSR\n2021\/03\/26 17:34:55 [INFO] generating key: rsa-2048\n2021\/03\/26 17:34:56 [INFO] encoded CSR\n2021\/03\/26 17:34:56 [INFO] signed certificate with serial number 661764636777400005196465272245416169967628201792\n[root@k8s-m-01 \/opt\/cert\/ca]# ll\ntotal 20\n-rw-r--r-- 1 root root  285 Mar 26 17:34 ca-config.json\n-rw-r--r-- 1 root root  960 Mar 26 17:34 ca.csr\n-rw-r--r-- 1 root root  153 Mar 26 17:34 ca-csr.json\n-rw------- 1 root root 1675 Mar 26 17:34 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 26 17:34 ca.pem<\/code><\/pre>\n
\u53c2\u6570\u8be6\u89e3<\/strong><\/p>\n\n\n\n\n\n\n
\u53c2\u6570\u9879<\/th>\n\u89e3\u91ca<\/th>\n<\/tr>\n<\/thead>\n
gencert<\/td>\n\u751f\u6210\u65b0\u7684key\uff08\u5bc6\u94a5\uff09\u548c\u7b7e\u540d\u8bc1\u4e66<\/td>\n<\/tr>\n
–initca<\/td>\n\u521d\u59cb\u5316\u4e00\u4e2a\u65b0CA\u8bc1\u4e66<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u4e03\u3001\u90e8\u7f72ETCD\u96c6\u7fa4<\/h2>\n
    Etcd\u662f\u57fa\u4e8eRaft\u7684\u5206\u5e03\u5f0fkey-value\u5b58\u50a8\u7cfb\u7edf\uff0c\u7531CoreOS\u56e2\u961f\u5f00\u53d1\uff0c\u5e38\u7528\u4e8e\u670d\u52a1\u53d1\u73b0\uff0c\u5171\u4eab\u914d\u7f6e\uff0c\u4ee5\u53ca\u5e76\u53d1\u63a7\u5236\uff08\u5982leader\u9009\u4e3e\uff0c\u5206\u5e03\u5f0f\u9501\u7b49\u7b49\uff09\u3002Kubernetes\u4f7f\u7528Etcd\u8fdb\u884c\u72b6\u6001\u548c\u6570\u636e\u5b58\u50a8!<\/code><\/pre>\n
2\u3001\u8282\u70b9\u89c4\u5212<\/h3>\n
192.168.15.51 etcd-01\n192.168.15.52 etcd-01\n192.168.15.53 etcd-01<\/code><\/pre>\n
3\u3001\u521b\u5efaETCD\u96c6\u7fa4\u8bc1\u4e66<\/h3>\n
mkdir -p \/opt\/cert\/etcd\ncd \/opt\/cert\/etcd\n\ncat > etcd-csr.json << EOF\n{\n    "CN": "etcd",\n    "hosts": [\n        "127.0.0.1",\n        "192.168.15.51",\n        "192.168.15.52",\n        "192.168.15.53",\n        "192.168.15.54",\n        "192.168.15.55",\n        "192.168.15.56"\n    ],\n    "key": {\n        "algo": "rsa",\n        "size": 2048\n    },\n    "names": [\n        {\n          "C": "CN",\n          "ST": "ShangHai",\n          "L": "ShangHai"\n        }\n    ]\n}\nEOF<\/code><\/pre>\n
4\u3001\u751f\u6210ETCD\u8bc1\u4e66<\/h3>\n
[root@k8s-m-01 \/opt\/cert\/etcd]# cfssl gencert -ca=..\/ca\/ca.pem -ca-key=..\/ca\/ca-key.pem -config=..\/ca\/ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd\n\n2021\/03\/26 17:38:57 [INFO] generate received request\n2021\/03\/26 17:38:57 [INFO] received CSR\n2021\/03\/26 17:38:57 [INFO] generating key: rsa-2048\n2021\/03\/26 17:38:58 [INFO] encoded CSR\n2021\/03\/26 17:38:58 [INFO] signed certificate with serial number 179909685000914921289186132666286329014949215773\n2021\/03\/26 17:38:58 [WARNING] This certificate lacks a \"hosts\" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 (\"Information Requirements\").\n\n[root@k8s-m-01 \/opt\/cert\/etcd]# ll\ntotal 16\n-rw-r--r-- 1 root root 1050 Mar 27 19:51 etcd.csr\n-rw-r--r-- 1 root root  394 Mar 27 19:51 etcd-csr.json\n-rw------- 1 root root 1679 Mar 27 19:51 etcd-key.pem\n-rw-r--r-- 1 root root 1379 Mar 27 19:51 etcd.pem\n<\/code><\/pre>\n
\u53c2\u6570\u8be6\u89e3<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n
\u53c2\u6570\u9879<\/th>\n\u89e3\u91ca<\/th>\n<\/tr>\n<\/thead>\n
gencert<\/td>\n\u751f\u6210\u65b0\u7684key\uff08\u5bc6\u94a5\uff09\u548c\u7b7e\u540d\u8bc1\u4e66<\/td>\n<\/tr>\n
-initca<\/td>\n\u521d\u59cb\u5316\u4e00\u4e2a\u65b0\u7684ca<\/td>\n<\/tr>\n
-ca-key<\/td>\n\u6307\u660eca\u7684\u8bc1\u4e66<\/td>\n<\/tr>\n
-config<\/td>\n\u6307\u660eca\u7684\u79c1\u94a5\u6587\u4ef6<\/td>\n<\/tr>\n
-profile<\/td>\n\u6307\u660e\u8bf7\u6c42\u8bc1\u4e66\u7684json\u6587\u4ef6<\/td>\n<\/tr>\n
-ca<\/td>\n\u4e0econfig\u4e2d\u7684profile\u5bf9\u5e94\uff0c\u662f\u6307\u6839\u636econfig\u4e2d\u7684profile\u6bb5\u6765\u751f\u6210\u8bc1\u4e66\u7684\u76f8\u5173\u4fe1\u606f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
5\u3001\u5206\u53d1\u8bc1\u4e66<\/h3>\n
[root@k8s-m-01 \/opt\/cert\/etcd]# for ip in m1 m2 m3;do\n    ssh root@${ip} "mkdir -pv \/etc\/etcd\/ssl"\n    scp ..\/ca\/ca*.pem  root@${ip}:\/etc\/etcd\/ssl\n    scp .\/etcd*.pem  root@${ip}:\/etc\/etcd\/ssl\n  done\n\nmkdir: created directory \u2018\/etc\/etcd\u2019\nmkdir: created directory \u2018\/etc\/etcd\/ssl\u2019\nca-key.pem                                                  100% 1675     7.2KB\/s   00:00\nca.pem                                                      100% 1281    11.1KB\/s   00:00\netcd-key.pem                                                100% 1679    13.1KB\/s   00:00\netcd.pem                                                    100% 1379   414.6KB\/s   00:00\nmkdir: created directory \u2018\/etc\/etcd\u2019\nmkdir: created directory \u2018\/etc\/etcd\/ssl\u2019\nca-key.pem                                                  100% 1675   942.9KB\/s   00:00\nca.pem                                                      100% 1281     1.6MB\/s   00:00\netcd-key.pem                                                100% 1679     1.7MB\/s   00:00\netcd.pem                                                    100% 1379     1.2MB\/s   00:00\nmkdir: created directory \u2018\/etc\/etcd\u2019\nmkdir: created directory \u2018\/etc\/etcd\/ssl\u2019\nca-key.pem                                                  100% 1675     1.9MB\/s   00:00\nca.pem                                                      100% 1281     1.4MB\/s   00:00\netcd-key.pem                                                100% 1679     1.4MB\/s   00:00\netcd.pem                                                    100% 1379     1.7MB\/s   00:00\n\n##\u786e\u8ba4\n[root@k8s-m-01 \/opt\/cert\/etcd]# for ip in m1 m2 m3;do\n ssh root@${ip} "ls -l \/etc\/etcd\/ssl";\n done\ntotal 16\n-rw------- 1 root root 1675 Mar 27 20:01 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 27 20:01 ca.pem\n-rw------- 1 root root 1679 Mar 27 20:01 etcd-key.pem\n-rw-r--r-- 1 root root 1379 Mar 27 20:01 etcd.pem\ntotal 16\n-rw------- 1 root root 1675 Mar 27 20:01 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 27 20:01 ca.pem\n-rw------- 1 root root 1679 Mar 27 20:01 etcd-key.pem\n-rw-r--r-- 1 root root 1379 Mar 27 20:01 etcd.pem\ntotal 16\n-rw------- 1 root root 1675 Mar 27 20:01 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 27 20:01 ca.pem\n-rw------- 1 root root 1679 Mar 27 20:01 etcd-key.pem\n-rw-r--r-- 1 root root 1379 Mar 27 20:01 etcd.pem<\/code><\/pre>\n
6\u3001\u90e8\u7f72ETCD<\/h3>\n
[root@k8s-m-01 \/opt\/cert\/etcd]# cd\n\n# \u4e0b\u8f7dETCD\u5b89\u88c5\u5305\nwget https:\/\/mirrors.huaweicloud.com\/etcd\/v3.3.24\/etcd-v3.3.24-linux-amd64.tar.gz\n\n# \u89e3\u538b\n[root@k8s-m-01 ~]# tar xf etcd-v3.3.24-linux-amd64.tar.gz\n\n# \u5206\u53d1\u81f3\u5176\u4ed6\u8282\u70b9\nfor i in m1 m2 m3\ndo\n    scp .\/etcd-v3.3.24-linux-amd64\/etcd* root@$i:\/usr\/local\/bin\/\ndone\n\n#\u786e\u8ba4\n[root@k8s-m-01 \/opt\/cert\/etcd]# for ip in m1 m2 m3;do\nssh root@${ip} "etcd --version";\ndone\n\n[root@k8s-m-01 \/opt\/etcd-v3.3.24-linux-amd64]# etcd --version\netcd Version: 3.3.24\nGit SHA: bdd57848d\nGo Version: go1.12.17\nGo OS\/Arch: linux\/amd64<\/code><\/pre>\n
7\u3001\u6ce8\u518cETCD\u670d\u52a1\uff08\u4e09\u53f0master\u8282\u70b9\u8fd0\u884c\uff09<\/h3>\n
# \u5728\u4e09\u53f0master\u8282\u70b9\u4e0a\u6267\u884c\nmkdir -pv \/etc\/kubernetes\/conf\/etcd\n\n#\u8bbe\u7f6e\u73af\u5883\u53d8\u91cf\nETCD_NAME=`hostname`\nINTERNAL_IP=`hostname -i`\nINITIAL_CLUSTER=k8s-m-01=https:\/\/192.168.15.51:2380,k8s-m-02=https:\/\/192.168.15.52:2380,k8s-m-03=https:\/\/192.168.15.53:2380\n\n#\u52a0\u5165systemd\u7ba1\u7406\ncat << EOF | sudo tee \/usr\/lib\/systemd\/system\/etcd.service\n[Unit]\nDescription=etcd\nDocumentation=https:\/\/github.com\/coreos\n\n[Service]\nExecStart=\/usr\/local\/bin\/etcd \\\\\n  --name ${ETCD_NAME} \\\\\n  --cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\\\n  --key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\\\n  --peer-cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\\\n  --peer-key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\\\n  --trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\\\n  --peer-trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\\\n  --peer-client-cert-auth \\\\\n  --client-cert-auth \\\\\n  --initial-advertise-peer-urls https:\/\/${INTERNAL_IP}:2380 \\\\\n  --listen-peer-urls https:\/\/${INTERNAL_IP}:2380 \\\\\n  --listen-client-urls https:\/\/${INTERNAL_IP}:2379,https:\/\/127.0.0.1:2379 \\\\\n  --advertise-client-urls https:\/\/${INTERNAL_IP}:2379 \\\\\n  --initial-cluster-token etcd-cluster \\\\\n  --initial-cluster ${INITIAL_CLUSTER} \\\\\n  --initial-cluster-state new \\\\\n  --data-dir=\/var\/lib\/etcd\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n# \u542f\u52a8ETCD\u670d\u52a1\nsystemctl enable --now etcd<\/code><\/pre>\n
\u914d\u7f6e\u9879\u8be6\u89e3<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u914d\u7f6e\u9009\u9879<\/th>\n\u9009\u9879\u64cd\u4f5c<\/th>\n<\/tr>\n<\/thead>\n
name<\/td>\n\u8282\u70b9\u540d\u79f0<\/td>\n<\/tr>\n
data-dir<\/td>\n\u6307\u5b9a\u8282\u70b9\u7684\u6570\u636e\u5b58\u50a8\u76ee\u5f55<\/td>\n<\/tr>\n
listen-peer-urls<\/td>\n\u4e0e\u96c6\u7fa4\u5176\u5b83\u6210\u5458\u4e4b\u95f4\u7684\u901a\u4fe1\u5730\u5740<\/td>\n<\/tr>\n
listen-client-urls<\/td>\n\u76d1\u542c\u672c\u5730\u7aef\u53e3\uff0c\u5bf9\u5916\u63d0\u4f9b\u670d\u52a1\u7684\u5730\u5740<\/td>\n<\/tr>\n
initial-advertise-peer-urls<\/td>\n\u901a\u544a\u7ed9\u96c6\u7fa4\u5176\u5b83\u8282\u70b9\uff0c\u672c\u5730\u7684\u5bf9\u7b49URL\u5730\u5740<\/td>\n<\/tr>\n
advertise-client-urls<\/td>\n\u5ba2\u6237\u7aefURL\uff0c\u7528\u4e8e\u901a\u544a\u96c6\u7fa4\u7684\u5176\u4f59\u90e8\u5206\u4fe1\u606f<\/td>\n<\/tr>\n
initial-cluster<\/td>\n\u96c6\u7fa4\u4e2d\u7684\u6240\u6709\u4fe1\u606f\u8282\u70b9<\/td>\n<\/tr>\n
initial-cluster-token<\/td>\n\u96c6\u7fa4\u7684token\uff0c\u6574\u4e2a\u96c6\u7fa4\u4e2d\u4fdd\u6301\u4e00\u81f4<\/td>\n<\/tr>\n
initial-cluster-state<\/td>\n\u521d\u59cb\u5316\u96c6\u7fa4\u72b6\u6001\uff0c\u9ed8\u8ba4\u4e3anew<\/td>\n<\/tr>\n
–cert-file<\/td>\n\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u4e4b\u95f4TLS\u8bc1\u4e66\u6587\u4ef6\u7684\u8def\u5f84<\/td>\n<\/tr>\n
–key-file<\/td>\n\u5ba2\u6237\u7aef\u4e0e\u670d\u52a1\u5668\u4e4b\u95f4TLS\u5bc6\u94a5\u6587\u4ef6\u7684\u8def\u5f84<\/td>\n<\/tr>\n
–peer-cert-file<\/td>\n\u5bf9\u7b49\u670d\u52a1\u5668TLS\u8bc1\u4e66\u6587\u4ef6\u7684\u8def\u5f84<\/td>\n<\/tr>\n
–peer-key-file<\/td>\n\u5bf9\u7b49\u670d\u52a1\u5668TLS\u5bc6\u94a5\u6587\u4ef6\u7684\u8def\u5f84<\/td>\n<\/tr>\n
–trusted-ca-file<\/td>\n\u7b7e\u540dclient\u8bc1\u4e66\u7684CA\u8bc1\u4e66\uff0c\u7528\u4e8e\u9a8c\u8bc1client\u8bc1\u4e66<\/td>\n<\/tr>\n
–peer-trusted-ca-file<\/td>\n\u7b7e\u540d\u5bf9\u7b49\u670d\u52a1\u5668\u8bc1\u4e66\u7684CA\u8bc1\u4e66<\/td>\n<\/tr>\n
–trusted-ca-file<\/td>\n\u7b7e\u540dclient\u8bc1\u4e66\u7684CA\u8bc1\u4e66\uff0c\u7528\u4e8e\u9a8c\u8bc1client\u8bc1\u4e66<\/td>\n<\/tr>\n
–peer-trusted-ca-file<\/td>\n\u7b7e\u540d\u5bf9\u7b49\u670d\u52a1\u5668\u8bc1\u4e66\u7684CA\u8bc1\u4e66\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u6d4b\u8bd5etcd\u670d\u52a1<\/strong><\/p>\n
# \u7b2c\u4e00\u79cd\u65b9\u5f0f\nETCDCTL_API=3 etcdctl \\\n--cacert=\/etc\/etcd\/ssl\/etcd.pem \\\n--cert=\/etc\/etcd\/ssl\/etcd.pem \\\n--key=\/etc\/etcd\/ssl\/etcd-key.pem \\\n--endpoints="https:\/\/192.168.15.51:2379,https:\/\/192.168.15.52:2379,https:\/\/192.168.15.53:2379" \\\nendpoint status --write-out='table'\n\n# \u7b2c\u4e8c\u79cd\u65b9\u5f0f\nETCDCTL_API=3 etcdctl \\\n--cacert=\/etc\/etcd\/ssl\/etcd.pem \\\n--cert=\/etc\/etcd\/ssl\/etcd.pem \\\n--key=\/etc\/etcd\/ssl\/etcd-key.pem \\\n--endpoints="https:\/\/192.168.15.51:2379,https:\/\/192.168.15.52:2379,https:\/\/192.168.15.53:2379" \\\nmember list --write-out='table'<\/code><\/pre>\n
\u516b\u3001\u90e8\u7f72\u96c6\u7fa4master\u8282\u70b9<\/h2>\n
1\u3001master\u8282\u70b9\u89c4\u5212<\/h3>\n\n\n\n\n\n\n\n
\u4e3b\u673a<\/th>\nIP<\/th>\n<\/tr>\n<\/thead>\n
k8s-m-01<\/td>\n192.168.15.51<\/td>\n<\/tr>\n
k8s-m-02<\/td>\n192.168.15.52<\/td>\n<\/tr>\n
k8s-m-03<\/td>\n192.168.15.53<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
kube-apiserver\u3001\u63a7\u5236\u5668\u3001\u8c03\u5ea6\u5668\u3001flannel\u3001etcd\u3001kubelet\u3001kube-proxy\u3001DNS<\/strong><\/p>\n
2\u3001\u521b\u5efa\u96c6\u7fa4\u8bc1\u4e66\uff08m01\u64cd\u4f5c\uff09<\/h3>\n
Master\u8282\u70b9\u662f\u96c6\u7fa4\u5f53\u4e2d\u6700\u4e3a\u91cd\u8981\u7684\u4e00\u90e8\u5206\uff0c\u7ec4\u4ef6\u4f17\u591a\uff0c\u90e8\u7f72\u4e5f\u6700\u4e3a\u590d\u6742<\/strong><\/p>\n
1\uff09\u521b\u5efa\u96c6\u7fa4CA\u8bc1\u4e66<\/h4>\n
[root@k8s-m-01 ~]# mkdir \/opt\/cert\/k8s\n[root@k8s-m-01 ~]# cd \/opt\/cert\/k8s\n[root@k8s-m-01 \/opt\/cert\/k8s]# pwd\n\/opt\/cert\/k8s\n[root@k8s-m-01 \/opt\/cert\/k8s]# cat > ca-config.json << EOF\n {\n   "signing": {\n     "default": {\n       "expiry": "87600h"\n     },\n     "profiles": {\n       "kubernetes": {\n          "expiry": "87600h",\n          "usages": [\n             "signing",\n             "key encipherment",\n             "server auth",\n             "client auth"\n         ]\n       }\n     }\n   }\n }\n EOF<\/code><\/pre>\n
2\uff09\u521b\u5efa\u96c6\u7fa4\u6839CA\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42\u6587\u4ef6<\/h4>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cat > ca-csr.json << EOF\n{\n    "CN": "kubernetes",\n    "key": {\n        "algo": "rsa",\n        "size": 2048\n    },\n    "names": [\n        {\n            "C": "CN",\n            "L": "ShangHai",\n            "ST": "ShangHai"\n        }\n    ]\n}\nEOF\n\n[root@k8s-m-01 \/opt\/cert\/k8s]# ll\ntotal 8\n-rw-r--r-- 1 root root 294 Mar 29 16:11 ca-config.json\n-rw-r--r-- 1 root root 214 Mar 29 16:11 ca-csr.json<\/code><\/pre>\n
3\uff09\u751f\u6210\u6839\u8bc1\u4e66<\/h4>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -\n\n2021\/03\/29 16:11:42 [INFO] generating a new CA key and certificate from CSR\n2021\/03\/29 16:11:42 [INFO] generate received request\n2021\/03\/29 16:11:42 [INFO] received CSR\n2021\/03\/29 16:11:42 [INFO] generating key: rsa-2048\n2021\/03\/29 16:11:42 [INFO] encoded CSR\n2021\/03\/29 16:11:42 [INFO] signed certificate with serial number 10002506757284876520896739820564095986050233319\n[root@k8s-m-01 \/opt\/cert\/k8s]# ll\ntotal 20\n-rw-r--r-- 1 root root  294 Mar 29 16:11 ca-config.json\n-rw-r--r-- 1 root root  960 Mar 29 16:11 ca.csr\n-rw-r--r-- 1 root root  214 Mar 29 16:11 ca-csr.json\n-rw------- 1 root root 1679 Mar 29 16:11 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 29 16:11 ca.pem\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
3\u3001\u521b\u5efa\u96c6\u7fa4\u666e\u901a\u8bc1\u4e66\uff08m01\u64cd\u4f5c\uff09<\/h3>\n
\u521b\u5efa\u96c6\u7fa4\u5404\u4e2a\u7ec4\u4ef6\u4e4b\u95f4\u7684\u8bc1\u4e66<\/strong><\/p>\n
1\uff09\u7b7e\u53d1kube-apiserver\u7684\u8bc1\u4e66<\/h4>\n
\u2460\u914d\u7f6ekube-apiserver\u8bc1\u4e66\u7b7e\u540d\u914d\u7f6e<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cd \/opt\/cert\/k8s\n[root@k8s-m-01 \/opt\/cert\/k8s]# ll\ntotal 20\n-rw-r--r-- 1 root root  294 Mar 29 16:11 ca-config.json\n-rw-r--r-- 1 root root  960 Mar 29 16:11 ca.csr\n-rw-r--r-- 1 root root  214 Mar 29 16:11 ca-csr.json\n-rw------- 1 root root 1679 Mar 29 16:11 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 29 16:11 ca.pem\n[root@k8s-m-01 \/opt\/cert\/k8s]# cat > server-csr.json << EOF\n{\n    "CN": "kubernetes",\n    "hosts": [\n        "127.0.0.1",\n        "192.168.15.51",\n        "192.168.15.52",\n        "192.168.15.53",\n        "192.168.15.54",\n        "192.168.15.55",\n        "192.168.15.56",\n        "10.96.0.1",\n        "kubernetes",\n        "kubernetes.default",\n        "kubernetes.default.svc",\n        "kubernetes.default.svc.cluster",\n        "kubernetes.default.svc.cluster.local"\n    ],\n    "key": {\n        "algo": "rsa",\n        "size": 2048\n    },\n    "names": [\n        {\n            "C": "CN",\n            "L": "ShangHai",\n            "ST": "ShangHai"\n        }\n    ]\n}\nEOF\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
host\uff1alocalhost\u5730\u5740+master\u90e8\u7f72\u8282\u70b9\u7684ip\u5730\u5740+etcd\u8282\u70b9\u7684\u90e8\u7f72\u5730\u5740+\u8d1f\u8f7d\u5747\u8861\u6307\u5b9a\u7684VIP\uff08172.16.0.55\uff09+service\u6bb5\u7684\u7b2c\u4e00\u4e2a\u5408\u6cd5\u5730\u5740\uff0810.96.0.1\uff09+k8s\u9ed8\u8ba4\u6307\u5b9a\u7684\u4e00\u4e9b\u5730\u5740<\/strong><\/p>\n
\u2461\u751f\u6210\u8bc1\u4e66<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server\n\n2021\/03\/29 16:27:40 [INFO] generate received request\n2021\/03\/29 16:27:40 [INFO] received CSR\n2021\/03\/29 16:27:40 [INFO] generating key: rsa-2048\n2021\/03\/29 16:27:40 [INFO] encoded CSR\n2021\/03\/29 16:27:40 [INFO] signed certificate with serial number 594635262484388270488732386274206296879751686987\n2021\/03\/29 16:27:40 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 ("Information Requirements").\n\n[root@k8s-m-01 \/opt\/cert\/k8s]# ll\ntotal 36\n-rw-r--r-- 1 root root  294 Mar 29 16:11 ca-config.json\n-rw-r--r-- 1 root root  960 Mar 29 16:11 ca.csr\n-rw-r--r-- 1 root root  214 Mar 29 16:11 ca-csr.json\n-rw------- 1 root root 1679 Mar 29 16:11 ca-key.pem\n-rw-r--r-- 1 root root 1281 Mar 29 16:11 ca.pem\n-rw-r--r-- 1 root root 1245 Mar 29 16:27 server.csr\n-rw-r--r-- 1 root root  603 Mar 29 16:22 server-csr.json\n-rw------- 1 root root 1679 Mar 29 16:27 server-key.pem\n-rw-r--r-- 1 root root 1574 Mar 29 16:27 server.pem\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
2\uff09\u7b7e\u53d1kube-controller-manager\u8bc1\u4e66<\/h4>\n
\u2460\u914d\u7f6ekube-controller-manager\u8bc1\u4e66\u7b7e\u540d\u914d\u7f6e<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]#cat > kube-controller-manager-csr.json << EOF\n{\n    "CN": "system:kube-controller-manager",\n    "hosts": [\n        "127.0.0.1",\n        "192.168.15.51",\n        "192.168.15.52",\n        "192.168.15.53",\n        "192.168.15.54",\n        "192.168.15.55",\n        "192.168.15.56"\n    ],\n    "key": {\n        "algo": "rsa",\n        "size": 2048\n    },\n    "names": [\n        {\n            "C": "CN",\n            "L": "ShangHai",\n            "ST": "ShangHai",\n            "O": "system:kube-controller-manager",\n            "OU": "System"\n        }\n    ]\n}\nEOF\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
\u2461\u751f\u6210\u8bc1\u4e66<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager\n2021\/03\/29 16:39:58 [INFO] generate received request\n2021\/03\/29 16:39:58 [INFO] received CSR\n2021\/03\/29 16:39:58 [INFO] generating key: rsa-2048\n2021\/03\/29 16:39:59 [INFO] encoded CSR\n2021\/03\/29 16:39:59 [INFO] signed certificate with serial number 254237608083320571518569437270245246647088038454\n2021\/03\/29 16:39:59 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 ("Information Requirements").\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
3\uff09\u7b7e\u53d1kube-scheduler\u7684\u8bc1\u4e66<\/h4>\n
\u2460\u914d\u7f6ekube-scheduler\u7b7e\u540d\u914d\u7f6e<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cat > kube-scheduler-csr.json << EOF\n{\n    "CN": "system:kube-scheduler",\n    "hosts": [\n        "127.0.0.1",\n        "192.168.15.51",\n        "192.168.15.52",\n        "192.168.15.53",\n        "192.168.15.54",\n        "192.168.15.55",\n        "192.168.15.56"\n    ],\n    "key": {\n        "algo": "rsa",\n        "size": 2048\n    },\n    "names": [\n        {\n            "C": "CN",\n            "L": "ShangHai",\n            "ST": "ShangHai",\n            "O": "system:kube-scheduler",\n            "OU": "System"\n        }\n    ]\n}\nEOF\n[root@k8s-m-01 \/opt\/cert\/k8s]# <\/code><\/pre>\n
\u2461\u521b\u5efa\u8bc1\u4e66<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler\n\n2021\/03\/29 16:44:40 [INFO] generate received request\n2021\/03\/29 16:44:40 [INFO] received CSR\n2021\/03\/29 16:44:40 [INFO] generating key: rsa-2048\n2021\/03\/29 16:44:40 [INFO] encoded CSR\n2021\/03\/29 16:44:40 [INFO] signed certificate with serial number 561161531056155006136925085600132698005329368546\n2021\/03\/29 16:44:40 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 ("Information Requirements").\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
4\uff09\u7b7e\u53d1kube-proxy\u8bc1\u4e66<\/h4>\n
\u2460\u914d\u7f6ekube-proxy\u8bc1\u4e66\u7b7e\u540d\u914d\u7f6e<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cat > kube-proxy-csr.json << EOF\n{\n    "CN":"system:kube-proxy",\n    "hosts":[],\n    "key":{\n        "algo":"rsa",\n        "size":2048\n    },\n    "names":[\n        {\n            "C":"CN",\n            "L":"ShangHai",\n            "ST":"ShangHai",\n            "O":"system:kube-proxy",\n            "OU":"System"\n        }\n    ]\n}\nEOF\n[root@k8s-m-01 \/opt\/cert\/k8s]# <\/code><\/pre>\n
\u2464\u751f\u6210\u8bc1\u4e66<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy\n\n2021\/03\/29 16:48:07 [INFO] generate received request\n2021\/03\/29 16:48:07 [INFO] received CSR\n2021\/03\/29 16:48:07 [INFO] generating key: rsa-2048\n2021\/03\/29 16:48:07 [INFO] encoded CSR\n2021\/03\/29 16:48:07 [INFO] signed certificate with serial number 628839766074761184666611184242052371676337534573\n2021\/03\/29 16:48:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 ("Information Requirements").\n[root@k8s-m-01 \/opt\/cert\/k8s]#\n<\/code><\/pre>\n
5\uff09\u7b7e\u53d1\u7ba1\u7406\u5458\u7528\u6237\u8bc1\u4e66<\/h4>\n
\u4e3a\u4e86\u80fd\u8ba9\u96c6\u7fa4\u5ba2\u6237\u7aef\u5de5\u5177\u5b89\u5168\u7684\u8bbf\u95ee\u96c6\u7fa4\uff0c\u6240\u4ee5\u8981\u4e3a\u96c6\u7fa4\u5ba2\u6237\u7aef\u521b\u5efa\u8bc1\u4e66\uff0c\u4f7f\u5176\u5177\u6709\u6240\u6709\u7684\u96c6\u7fa4\u6743\u9650<\/strong><\/p>\n
\u2460\u914d\u7f6e\u7ba1\u7406\u5458\u8bc1\u4e66\u7b7e\u540d\u914d\u7f6e<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cat > admin-csr.json << EOF\n{\n    "CN":"admin",\n    "key":{\n        "algo":"rsa",\n        "size":2048\n    },\n    "names":[\n        {\n            "C":"CN",\n            "L":"ShangHai",\n            "ST":"ShangHai",\n            "O":"system:masters",\n            "OU":"System"\n        }\n    ]\n}\nEOF\n[root@k8s-m-01 \/opt\/cert\/k8s]# <\/code><\/pre>\n
\u2461\u751f\u6210\u8bc1\u4e66<\/h5>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin\n\n2021\/03\/29 16:54:30 [INFO] generate received request\n2021\/03\/29 16:54:30 [INFO] received CSR\n2021\/03\/29 16:54:30 [INFO] generating key: rsa-2048\n2021\/03\/29 16:54:30 [INFO] encoded CSR\n2021\/03\/29 16:54:30 [INFO] signed certificate with serial number 555634311668718390095800345504595209009739201051\n2021\/03\/29 16:54:30 [WARNING] This certificate lacks a \"hosts\" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 (\"Information Requirements\").\n[root@k8s-m-01 \/opt\/cert\/k8s]#<\/code><\/pre>\n
6\uff09\u9881\u53d1\u8bc1\u4e66\uff08m01\u64cd\u4f5c\uff09<\/h4>\n
Master\u8282\u70b9\u6240\u9700\u8bc1\u4e66\uff1aca\u3001kube-apiserver\u3001kube-controller-manager\u3001kube-scheduler\u3001\u7528\u6237\u8bc1\u4e66\u3001Etcd\u8bc1\u4e66<\/strong><\/p>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# mkdir -pv \/etc\/kubernetes\/ssl\n[root@k8s-m-01 \/opt\/cert\/k8s]# cp -p .\/{ca*pem,server*pem,kube-controller-manager*pem,kube-scheduler*.pem,kube-proxy*pem,admin*.pem} \/etc\/kubernetes\/ssl\n\n[root@k8s-m-01 \/opt\/cert\/k8s]# for i in m1 m2 m3;do\nssh root@$i "mkdir -pv \/etc\/kubernetes\/ssl"\nscp \/etc\/kubernetes\/ssl\/* root@$i:\/etc\/kubernetes\/ssl\ndone<\/code><\/pre>\n
4\u3001Master\u8282\u70b9\u51c6\u5907\u4e8c\u8fdb\u5236\u7ec4\u4ef6<\/h3>\n
1\uff09\u4e0b\u8f7d\u4e8c\u8fdb\u5236\u7ec4\u4ef6<\/h4>\n
## \u65b9\u6cd5\u4e00\n[root@k8s-m-01 \/opt\/data]# wget https:\/\/dl.k8s.io\/v1.18.8\/kubernetes-server-linux-amd64.tar.gz\n\n## \u65b9\u6cd5\u4e8c\n[root@k8s-m-01 \/opt\/data]# docker run -it  registry.cn-hangzhou.aliyuncs.com\/k8sos\/k8s:v1.18.8.1 bash\n\n\u5f00\u4e2a\u65b0\u7a97\u53e3\n [root@k8s-m-01 \/opt\/data]# docker cp c023a1597b2a:\/kubernetes-server-linux-amd64.tar.gz .\/<\/code><\/pre>\n
2\uff09\u5206\u53d1\u7ec4\u4ef6<\/h4>\n
[root@k8s-m-01 \/opt\/data]# tar -xf kubernetes-server-linux-amd64.tar.gz\n[root@k8s-m-01 \/opt\/data]# cd kubernetes\/server\/bin\n[root@k8s-m-01 \/opt\/data]# for i in m1 m2 m3 ;do  scp kube-apiserver kube-controller-manager kube-proxy kubectl kubelet kube-scheduler root@$i:\/usr\/local\/bin; done<\/code><\/pre>\n
5\u3001\u521b\u5efa\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6\uff08m01\u64cd\u4f5c\uff09<\/h3>\n
\u5728kubernetes\u4e2d\uff0c\u6211\u4eec\u9700\u8981\u521b\u5efa\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\uff0c\u7528\u6765\u914d\u7f6e\u96c6\u7fa4\u3001\u7528\u6237\u3001\u547d\u540d\u7a7a\u95f4\u53ca\u8eab\u4efd\u8ba4\u8bc1\u7b49\u4fe1\u606f<\/strong><\/p>\n
\u53c2\u6570\u8be6\u89e3<\/strong><\/p>\n
1.--certificate-authority\uff1a\u9a8c\u8bc1\u76f8\u5173\u7ec4\u4ef6\u8bc1\u4e66\u7684\u6839\u8bc1\u4e66\u3002\n2.--client-certificate\u3001--client-key\uff1a\u521a\u751f\u6210\u7684kube-controller-manager\u8bc1\u4e66\u548c\u79c1\u94a5\uff0c\u8fde\u63a5kube-apiserver\u65f6\u4f7f\u7528\u3002\n3.--embed-certs=true\uff1a\u5c06ca.pem\u548ckube-controller-manager\u8bc1\u4e66\u5185\u5bb9\u5d4c\u5165\u5230\u751f\u6210\u7684kubectl.kubeconfig\u6587\u4ef6\u4e2d(\u4e0d\u52a0\u65f6\uff0c\u5199\u5165\u7684\u662f\u8bc1\u4e66\u6587\u4ef6\u8def\u5f84)\u3002<\/code><\/pre>\n
1\uff09\u521b\u5efakube-controller-manager.kubeconfig\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h4>\n
export KUBE_APISERVER="https:\/\/192.168.15.56:8443"\n\n# \u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570\nkubectl config set-cluster kubernetes \\\n  --certificate-authority=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --embed-certs=true \\\n  --server=${KUBE_APISERVER} \\\n  --kubeconfig=kube-controller-manager.kubeconfig\n\n# \u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570\nkubectl config set-credentials "kube-controller-manager" \\\n  --client-certificate=\/etc\/kubernetes\/ssl\/kube-controller-manager.pem \\\n  --client-key=\/etc\/kubernetes\/ssl\/kube-controller-manager-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=kube-controller-manager.kubeconfig\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570\uff08\u5728\u4e0a\u4e0b\u6587\u53c2\u6570\u4e2d\u5c06\u96c6\u7fa4\u53c2\u6570\u548c\u7528\u6237\u53c2\u6570\u5173\u8054\u8d77\u6765\uff09\nkubectl config set-context default \\\n  --cluster=kubernetes \\\n  --user="kube-controller-manager" \\\n  --kubeconfig=kube-controller-manager.kubeconfig\n\n# \u914d\u7f6e\u9ed8\u8ba4\u4e0a\u4e0b\u6587\nkubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig<\/code><\/pre>\n
2\uff09\u521b\u5efakube-scheduler.kubeconfig\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h4>\n
export KUBE_APISERVER=\"https:\/\/192.168.15.56:8443\"\n\n# \u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570\nkubectl config set-cluster kubernetes \\\n  --certificate-authority=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --embed-certs=true \\\n  --server=${KUBE_APISERVER} \\\n  --kubeconfig=kube-scheduler.kubeconfig\n\n# \u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570\nkubectl config set-credentials \"kube-scheduler\" \\\n  --client-certificate=\/etc\/kubernetes\/ssl\/kube-scheduler.pem \\\n  --client-key=\/etc\/kubernetes\/ssl\/kube-scheduler-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=kube-scheduler.kubeconfig\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570\uff08\u5728\u4e0a\u4e0b\u6587\u53c2\u6570\u4e2d\u5c06\u96c6\u7fa4\u53c2\u6570\u548c\u7528\u6237\u53c2\u6570\u5173\u8054\u8d77\u6765\uff09\nkubectl config set-context default \\\n  --cluster=kubernetes \\\n  --user=\"kube-scheduler\" \\\n  --kubeconfig=kube-scheduler.kubeconfig\n\n# \u914d\u7f6e\u9ed8\u8ba4\u4e0a\u4e0b\u6587\nkubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig<\/code><\/pre>\n
3\uff09\u521b\u5efakube-proxy.kubeconfig\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h4>\n
export KUBE_APISERVER="https:\/\/192.168.15.56:8443"\n\n# \u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570\nkubectl config set-cluster kubernetes \\\n  --certificate-authority=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --embed-certs=true \\\n  --server=${KUBE_APISERVER} \\\n  --kubeconfig=kube-proxy.kubeconfig\n\n# \u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570\nkubectl config set-credentials "kube-proxy" \\\n  --client-certificate=\/etc\/kubernetes\/ssl\/kube-proxy.pem \\\n  --client-key=\/etc\/kubernetes\/ssl\/kube-proxy-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=kube-proxy.kubeconfig\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570\uff08\u5728\u4e0a\u4e0b\u6587\u53c2\u6570\u4e2d\u5c06\u96c6\u7fa4\u53c2\u6570\u548c\u7528\u6237\u53c2\u6570\u5173\u8054\u8d77\u6765\uff09\nkubectl config set-context default \\\n  --cluster=kubernetes \\\n  --user="kube-proxy" \\\n  --kubeconfig=kube-proxy.kubeconfig\n\n# \u914d\u7f6e\u9ed8\u8ba4\u4e0a\u4e0b\u6587\nkubectl config use-context default --kubeconfig=kube-proxy.kubeconfig<\/code><\/pre>\n
4\uff09\u521b\u5efa\u8d85\u7ea7\u7ba1\u7406\u5458\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h4>\n
export KUBE_APISERVER="https:\/\/192.168.15.56:8443"\n\n# \u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570\nkubectl config set-cluster kubernetes \\\n  --certificate-authority=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --embed-certs=true \\\n  --server=${KUBE_APISERVER} \\\n  --kubeconfig=admin.kubeconfig\n\n# \u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570\nkubectl config set-credentials "admin" \\\n  --client-certificate=\/etc\/kubernetes\/ssl\/admin.pem \\\n  --client-key=\/etc\/kubernetes\/ssl\/admin-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=admin.kubeconfig\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570\uff08\u5728\u4e0a\u4e0b\u6587\u53c2\u6570\u4e2d\u5c06\u96c6\u7fa4\u53c2\u6570\u548c\u7528\u6237\u53c2\u6570\u5173\u8054\u8d77\u6765\uff09\nkubectl config set-context default \\\n  --cluster=kubernetes \\\n  --user="admin" \\\n  --kubeconfig=admin.kubeconfig\n\n# \u914d\u7f6e\u9ed8\u8ba4\u4e0a\u4e0b\u6587\nkubectl config use-context default --kubeconfig=admin.kubeconfig<\/code><\/pre>\n
5\uff09\u9881\u53d1\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h4>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# for i in m1 m2 m3; do\nssh root@$i  "mkdir -pv \/etc\/kubernetes\/cfg"\nscp .\/*.kubeconfig root@$i:\/etc\/kubernetes\/cfg\ndone\n\n#\u67e5\u770b\n[root@k8s-m-01 \/opt\/cert\/k8s]# ll \/etc\/kubernetes\/cfg\/\ntotal 32\n-rw------- 1 root root 6107 Mar 29 18:02 admin.kubeconfig\n-rw------- 1 root root 6319 Mar 29 18:02 kube-controller-manager.kubeconfig\n-rw------- 1 root root 6137 Mar 29 18:02 kube-proxy.kubeconfig\n-rw------- 1 root root 6269 Mar 29 18:02 kube-scheduler.kubeconfig<\/code><\/pre>\n
6\u3001\u521b\u5efa\u96c6\u7fa4token\uff08m01\u64cd\u4f5c\uff09<\/h3>\n
token\uff1a\u8eab\u4efd\u4ee4\u724c\uff0c\u7528\u6765\u4f5c\u4e3a\u8eab\u4efd\u9a8c\u8bc1<\/strong><\/p>\n
# \u53ea\u9700\u8981\u521b\u5efa\u4e00\u6b21\n# \u5fc5\u987b\u8981\u7528\u81ea\u5df1\u673a\u5668\u521b\u5efa\u7684Token\nTLS_BOOTSTRAPPING_TOKEN=`head -c 16 \/dev\/urandom | od -An -t x | tr -d ' '`\n\ncat > token.csv << EOF\n${TLS_BOOTSTRAPPING_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"\nEOF\n\n# \u5206\u53d1\u96c6\u7fa4token\uff0c\u7528\u4e8e\u96c6\u7fa4TLS\u8ba4\u8bc1\n[root@k8s-m-01 \/opt\/cert\/k8s]# for i in m1 m2 m3;do\nscp token.csv root@$i:\/etc\/kubernetes\/cfg\/\ndone<\/code><\/pre>\n
7\u3001\u5404\u4e2a\u7ec4\u4ef6\u90e8\u7f72<\/h3>\n
1\uff09\u5b89\u88c5kube-apiserver\uff08\u6240\u6709master\u8282\u70b9\u6267\u884c\uff09<\/h4>\n
\u2460\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h5>\n
[root@k8s-m-01 ~]# KUBE_APISERVER_IP=`hostname -i`\n\n[root@k8s-m-01 ~]# cat > \/etc\/kubernetes\/cfg\/kube-apiserver.conf << EOF\nKUBE_APISERVER_OPTS="--logtostderr=false \\\\\n--v=2 \\\\\n--log-dir=\/var\/log\/kubernetes \\\\\n--advertise-address=${KUBE_APISERVER_IP} \\\\\n--default-not-ready-toleration-seconds=360 \\\\\n--default-unreachable-toleration-seconds=360 \\\\\n--max-mutating-requests-inflight=2000 \\\\\n--max-requests-inflight=4000 \\\\\n--default-watch-cache-size=200 \\\\\n--delete-collection-workers=2 \\\\\n--bind-address=0.0.0.0 \\\\\n--secure-port=6443 \\\\\n--allow-privileged=true \\\\\n--service-cluster-ip-range=10.96.0.0\/16 \\\\\n--service-node-port-range=30000-52767 \\\\\n--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\\\\n--authorization-mode=RBAC,Node \\\\\n--enable-bootstrap-token-auth=true \\\\\n--token-auth-file=\/etc\/kubernetes\/cfg\/token.csv \\\\\n--kubelet-client-certificate=\/etc\/kubernetes\/ssl\/server.pem \\\\\n--kubelet-client-key=\/etc\/kubernetes\/ssl\/server-key.pem \\\\\n--tls-cert-file=\/etc\/kubernetes\/ssl\/server.pem  \\\\\n--tls-private-key-file=\/etc\/kubernetes\/ssl\/server-key.pem \\\\\n--client-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\\\n--service-account-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\\\n--audit-log-maxage=30 \\\\\n--audit-log-maxbackup=3 \\\\\n--audit-log-maxsize=100 \\\\\n--audit-log-path=\/var\/log\/kubernetes\/k8s-audit.log \\\\\n--etcd-servers=https:\/\/192.168.15.51:2379,https:\/\/192.168.15.52:2379,https:\/\/192.168.15.53:2379 \\\\\n--etcd-cafile=\/etc\/etcd\/ssl\/ca.pem \\\\\n--etcd-certfile=\/etc\/etcd\/ssl\/etcd.pem \\\\\n--etcd-keyfile=\/etc\/etcd\/ssl\/etcd-key.pem"\nEOF<\/code><\/pre>\n
\u53c2\u6570\u8be6\u89e3<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
\u914d\u7f6e\u9879<\/th>\n\u8bf4\u660e<\/th>\n<\/tr>\n<\/thead>\n
–logtostderr=false<\/td>\n\u8f93\u51fa\u65e5\u5fd7\u5230\u6587\u4ef6\u4e2d\uff0c\u4e0d\u8f93\u51fa\u5230\u6807\u51c6\u9519\u8bef\u63a7\u5236\u53f0<\/td>\n<\/tr>\n
–v=2<\/td>\n\u6307\u5b9a\u8f93\u51fa\u65e5\u5fd7\u7684\u7ea7\u522b<\/td>\n<\/tr>\n
–advertise-address<\/td>\n\u5411\u96c6\u7fa4\u6210\u5458\u901a\u77e5apiserver\u6d88\u606f\u7684IP\u5730\u5740<\/td>\n<\/tr>\n
–etcd-servers<\/td>\n\u8fde\u63a5\u7684etcd\u670d\u52a1\u5668\u5217\u8868<\/td>\n<\/tr>\n
–etcd-cafile<\/td>\n\u7528\u4e8eetcd\u901a\u4fe1\u7684SSLCA\u6587\u4ef6<\/td>\n<\/tr>\n
–etcd-certfile<\/td>\n\u7528\u4e8eetcd\u901a\u4fe1\u7684\u7684SSL\u8bc1\u4e66\u6587\u4ef6<\/td>\n<\/tr>\n
–etcd-keyfile<\/td>\n\u7528\u4e8eetcd\u901a\u4fe1\u7684SSL\u5bc6\u94a5\u6587\u4ef6<\/td>\n<\/tr>\n
–service-cluster-ip-range<\/td>\nService\u7f51\u7edc\u5730\u5740\u5206\u914d<\/td>\n<\/tr>\n
–bind-address<\/td>\n\u76d1\u542c–seure-port\u7684IP\u5730\u5740\uff0c\u5982\u679c\u4e3a\u7a7a\uff0c\u5219\u5c06\u4f7f\u7528\u6240\u6709\u63a5\u53e3\uff080.0.0.0\uff09<\/td>\n<\/tr>\n
–secure-port=6443<\/td>\n\u7528\u4e8e\u76d1\u542c\u5177\u6709\u8ba4\u8bc1\u6388\u6743\u529f\u80fd\u7684HTTPS\u534f\u8bae\u7684\u7aef\u53e3\uff0c\u9ed8\u8ba4\u503c\u662f6443<\/td>\n<\/tr>\n
–allow-privileged<\/td>\n\u662f\u5426\u542f\u7528\u6388\u6743\u529f\u80fd<\/td>\n<\/tr>\n
–service-node-port-range<\/td>\nService\u4f7f\u7528\u7684\u7aef\u53e3\u8303\u56f4<\/td>\n<\/tr>\n
–default-not-ready-toleration-seconds<\/td>\n\u8868\u793anotReady\u72b6\u6001\u7684\u5bb9\u5fcd\u5ea6\u79d2\u6570<\/td>\n<\/tr>\n
–default-unreachable-toleration-seconds<\/td>\n\u8868\u793aunreachable\u72b6\u6001\u7684\u5bb9\u5fcd\u5ea6\u79d2\u6570<\/td>\n<\/tr>\n
–max-mutating-requests-inflight=2000<\/td>\n\u5728\u7ed9\u5b9a\u65f6\u95f4\u5185\u8fdb\u884c\u4e2d\u53ef\u53d8\u8bf7\u6c42\u7684\u6700\u5927\u6570\u91cf\uff0c0\u503c\u8868\u793a\u6ca1\u6709\u9650\u5236\uff08\u9ed8\u8ba4\u503c200\uff09<\/td>\n<\/tr>\n
–default-watch-cache-size=200<\/td>\n\u9ed8\u8ba4\u76d1\u89c6\u7f13\u5b58\u5927\u5c0f\uff0c0\u8868\u793a\u5bf9\u4e8e\u6ca1\u6709\u8bbe\u7f6e\u9ed8\u8ba4\u76d1\u89c6\u5927\u5c0f\u7684\u8d44\u6e90\uff0c\u5c06\u7981\u7528\u76d1\u89c6\u7f13\u5b58<\/td>\n<\/tr>\n
–delete-collection-workers=2<\/td>\n\u7528\u4e8eDeleteCollection\u8c03\u7528\u7684\u5de5\u4f5c\u8005\u6570\u91cf\uff0c\u8fd9\u88ab\u7528\u4e8e\u52a0\u901fnamespace\u7684\u6e05\u7406(\u9ed8\u8ba4\u503c1)<\/td>\n<\/tr>\n
–enable-admission-plugins<\/td>\n\u8d44\u6e90\u9650\u5236\u7684\u76f8\u5173\u914d\u7f6e<\/td>\n<\/tr>\n
–authorization-mode<\/td>\n\u5728\u5b89\u5168\u7aef\u53e3\u4e0a\u8fdb\u884c\u6743\u9650\u9a8c\u8bc1\u7684\u63d2\u4ef6\u7684\u987a\u5e8f\u5217\u8868\uff0c\u4ee5\u9017\u53f7\u5206\u9694\u7684\u5217\u8868\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u2461\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
[root@k8s-m-01 ~]# cat > \/usr\/lib\/systemd\/system\/kube-apiserver.service << EOF\n[Unit]\nDescription=Kubernetes API Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nEnvironmentFile=\/etc\/kubernetes\/cfg\/kube-apiserver.conf\nExecStart=\/usr\/local\/bin\/kube-apiserver \\$KUBE_APISERVER_OPTS\nRestart=on-failure\nRestartSec=10\nType=notify\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n#\u5237\u65b0\n[root@k8s-m-01 ~]# systemctl daemon-reload\n[root@k8s-m-01 ~]# systemctl enable --now kube-apiserver.service<\/code><\/pre>\n
2\uff09\u5bf9kube-apiserver\u505a\u9ad8\u53ef\u7528\uff08\u6240\u6709master\u8282\u70b9\u64cd\u4f5c\uff09<\/h4>\n
\u2460\u5b89\u88c5\u9ad8\u53ef\u7528\u8f6f\u4ef6<\/h5>\n
# keeplived + haproxy\n[root@k8s-m-01 ~]# yum install -y keepalived haproxy<\/code><\/pre>\n
\u2461\u4fee\u6539keepalived\u914d\u7f6e\u6587\u4ef6<\/h5>\n
\n
\u7edf\u4e00\u64cd\u4f5c<\/p>\n<\/blockquote>\n
mv \/etc\/keepalived\/keepalived.conf \/etc\/keepalived\/keepalived.conf_bak\n\ncd \/etc\/keepalived\n\nKUBE_APISERVER_IP=`hostname -i`\n\ncat > \/etc\/keepalived\/keepalived.conf <<EOF\n! Configuration File for keepalived\nglobal_defs {\n    router_id LVS_DEVEL\n}\nvrrp_script chk_kubernetes {\n    script "\/etc\/keepalived\/check_kubernetes.sh"\n    interval 2\n    weight -5\n    fall 3\n    rise 2\n}\nvrrp_instance VI_1 {\n    state MASTER\n    interface eth0\n    mcast_src_ip ${KUBE_APISERVER_IP}\n    virtual_router_id 51\n    priority 100\n    advert_int 2\n    authentication {\n        auth_type PASS\n        auth_pass K8SHA_KA_AUTH\n    }\n    virtual_ipaddress {\n        192.168.15.56\n    }\n}\nEOF<\/code><\/pre>\n
\u4e0d\u540c\u8282\u70b9\u914d\u7f6e\u4e0d\u540c\uff0c\u9700\u8981\u5355\u72ec\u66f4\u6539<\/strong><\/p>\n
\n
m01 \u65e0\u9700\u6539\u52a8<\/p>\n
m02<\/p>\n<\/blockquote>\n
sed -i 's#state MASTER#state BACKUP#g' \/etc\/keepalived\/keepalived.conf\nsed -i 's#192.168.15.51#192.168.15.52#g' \/etc\/keepalived\/keepalived.conf\nsed -i 's#priority 100#priority 90#g' \/etc\/keepalived\/keepalived.conf<\/code><\/pre>\n
\n
m03<\/p>\n<\/blockquote>\n
sed -i 's#state MASTER#state BACKUP#g' \/etc\/keepalived\/keepalived.conf\nsed -i 's#192.168.15.51#192.168.15.53#g' \/etc\/keepalived\/keepalived.conf\nsed -i 's#priority 100#priority 80#g' \/etc\/keepalived\/keepalived.conf<\/code><\/pre>\n
\u2462\u8bbe\u7f6e\u76d1\u63a7\u68c0\u67e5\u811a\u672c\uff08\u4e09\u4e2a\u8282\u70b9\u64cd\u4f5c\uff09<\/h5>\n
cat > \/etc\/keepalived\/check_kubernetes.sh <<EOF\n#!\/bin\/bash\n\nfunction chech_kubernetes() {\n    for ((i=0;i<5;i++));do\n        apiserver_pid_id=$(pgrep kube-apiserver)\n        if [[ ! -z $apiserver_pid_id ]];then\n            return\n        else\n            sleep 2\n        fi\n        apiserver_pid_id=0\n    done\n}\n\n# 1:running 0:stopped\ncheck_kubernetes\nif [[ $apiserver_pid_id -eq 0 ]];then\n    \/usr\/bin\/systemctl stop keepalived\n    exit 1\nelse\n    exit 0\nfi\nEOF\n\nchmod +x \/etc\/keepalived\/check_kubernetes.sh<\/code><\/pre>\n
\u2463\u4fee\u6539haproxy\u914d\u7f6e\u6587\u4ef6<\/h5>\n
\u8d1f\u8f7d\u5747\u8861\u8f6f\u4ef6<\/strong><\/p>\n
cat > \/etc\/haproxy\/haproxy.cfg <<EOF\nglobal\n  maxconn  2000\n  ulimit-n  16384\n  log  127.0.0.1 local0 err\n  stats timeout 30s\n\ndefaults\n  log global\n  mode  http\n  option  httplog\n  timeout connect 5000\n  timeout client  50000\n  timeout server  50000\n  timeout http-request 15s\n  timeout http-keep-alive 15s\n\nfrontend monitor-in\n  bind *:33305\n  mode http\n  option httplog\n  monitor-uri \/monitor\n\nlisten stats\n  bind    *:8006\n  mode    http\n  stats   enable\n  stats   hide-version\n  stats   uri       \/stats\n  stats   refresh   30s\n  stats   realm     Haproxy\\ Statistics\n  stats   auth      admin:admin\n\nfrontend k8s-master\n  bind 0.0.0.0:8443\n  bind 127.0.0.1:8443\n  mode tcp\n  option tcplog\n  tcp-request inspect-delay 5s\n  default_backend k8s-master\n\nbackend k8s-master\n  mode tcp\n  option tcplog\n  option tcp-check\n  balance roundrobin\n  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100\n  server k8s-m-01    192.168.15.51:6443  check inter 2000 fall 2 rise 2 weight 100\n  server k8s-m-02    192.168.15.52:6443  check inter 2000 fall 2 rise 2 weight 100\n  server k8s-m-03    192.168.15.53:6443  check inter 2000 fall 2 rise 2 weight 100\nEOF<\/code><\/pre>\n
\u2464\u542f\u52a8keepalive\u3001haproxy<\/h5>\n
systemctl enable --now keepalived\nsystemctl enable --now haproxy.service<\/code><\/pre>\n
3\uff09\u90e8\u7f72TLS bootstrapping\uff08m01\u64cd\u4f5c\uff09<\/h4>\n
\u8bf4\u660e<\/strong><\/p>\n
    TLS bootstrapping\u662f\u7528\u6765\u7b80\u5316\u7ba1\u7406\u5458\u914d\u7f6ekubelet\u4e0eapiserver\u53cc\u5411\u52a0\u5bc6\u901a\u4fe1\u7684\u914d\u7f6e\u6b65\u9aa4\u7684\u4e00\u79cd\u673a\u5236\u3002\u5f53\u96c6\u7fa4\u5f00\u542f\u4e86TLS\u8ba4\u8bc1\u540e\uff0c\u6bcf\u4e2a\u8282\u70b9\u7684kubelet\u7ec4\u4ef6\u90fd\u8981\u4f7f\u7528\u7531apiserver\u4f7f\u7528\u7684CA\u7b7e\u53d1\u7684\u6709\u6548\u8bc1\u4e66\u624d\u80fd\u4e0eapiserver\u901a\u8baf\uff0c\u6b64\u65f6\u5982\u679c\u6709\u5f88\u591a\u4e2a\u8282\u70b9\u90fd\u9700\u8981\u5355\u72ec\u7b7e\u7f72\u8bc1\u4e66\u90a3\u5c06\u53d8\u5f97\u975e\u5e38\u7e41\u7410\u4e14\u6781\u6613\u51fa\u9519\uff0c\u5bfc\u81f4\u96c6\u7fa4\u4e0d\u7a33\u3002\n    TLSbootstrapping\u529f\u80fd\u5c31\u662f\u8ba9node\u8282\u70b9\u4e0a\u7684kubelet\u7ec4\u4ef6\u5148\u4f7f\u7528\u4e00\u4e2a\u9884\u5b9a\u7684\u4f4e\u6743\u9650\u7528\u6237\u8fde\u63a5\u5230apiserver\uff0c\u7136\u540e\u5411apiserver\u7533\u8bf7\u8bc1\u4e66\uff0c\u7531apiserver\u52a8\u6001\u7b7e\u7f72\u9881\u53d1\u5230Node\u8282\u70b9\uff0c\u5b9e\u73b0\u8bc1\u4e66\u7b7e\u7f72\u81ea\u52a8\u5316\u3002\n    apiserver \u52a8\u6001\u7b7e\u7f72\u9881\u53d1\u5230Node\u8282\u70b9\uff0c\u5b9e\u73b0\u8bc1\u4e66\u7b7e\u7f72\u81ea\u52a8\u5316<\/code><\/pre>\n
\u2460\u521b\u5efa\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6<\/h5>\n
–token\u8981\u662f\u7528\u5148\u524d\u914d\u7f6e\u597d\u7684<\/strong><\/p>\n
[root@k8s-m-01 \/etc\/keepalived]# cd \/opt\/cert\/k8s\/\n\nexport KUBE_APISERVER="https:\/\/192.168.15.56:8443"\n\n# \u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570\nkubectl config set-cluster kubernetes \\\n  --certificate-authority=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --embed-certs=true \\\n  --server=${KUBE_APISERVER} \\\n  --kubeconfig=kubelet-bootstrap.kubeconfig\n\n# \u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570,\u6b64\u5904token\u5fc5\u987b\u7528\u4e0a\u53d9token.csv\u4e2d\u7684token\nkubectl config set-credentials "kubelet-bootstrap" \\\n  --token=a2774241a913f90c77a53b502420d7f7 \\\n  --kubeconfig=kubelet-bootstrap.kubeconfig\n\n# \u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570\uff08\u5728\u4e0a\u4e0b\u6587\u53c2\u6570\u4e2d\u5c06\u96c6\u7fa4\u53c2\u6570\u548c\u7528\u6237\u53c2\u6570\u5173\u8054\u8d77\u6765\uff09\nkubectl config set-context default \\\n  --cluster=kubernetes \\\n  --user="kubelet-bootstrap" \\\n  --kubeconfig=kubelet-bootstrap.kubeconfig\n\n# \u914d\u7f6e\u9ed8\u8ba4\u4e0a\u4e0b\u6587\nkubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig<\/code><\/pre>\n
\u2461\u9881\u53d1\u8bc1\u4e66<\/h5>\n
# \u9881\u53d1\u96c6\u7fa4\u914d\u7f6e\u6587\u4ef6\n[root@k8s-m-01 \/opt\/cert\/k8s]# for i in m1 m2 m3; do\nscp kubelet-bootstrap.kubeconfig root@$i:\/etc\/kubernetes\/cfg\/\ndone<\/code><\/pre>\n
\u2462\u521b\u5efaTLS\u4f4e\u6743\u9650\u7528\u6237<\/h5>\n
# \u521b\u5efa\u4e00\u4e2a\u4f4e\u6743\u9650\u7528\u6237\n[root@k8s-m-01 \/opt\/cert\/k8s]# kubectl create clusterrolebinding kubelet-bootstrap \\\n--clusterrole=system:node-bootstrapper \\\n--user=kubelet-bootstrap<\/code><\/pre>\n
4\uff09\u90e8\u7f72contorller-manager\uff08\u6240\u6709master\u8282\u70b9\uff09<\/h4>\n
\u2460\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h5>\n
cat > \/etc\/kubernetes\/cfg\/kube-controller-manager.conf << EOF\nKUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\\\\n--v=2 \\\\\n--log-dir=\/var\/log\/kubernetes \\\\\n--leader-elect=true \\\\\n--cluster-name=kubernetes \\\\\n--bind-address=127.0.0.1 \\\\\n--allocate-node-cidrs=true \\\\\n--cluster-cidr=10.244.0.0\/12 \\\\\n--service-cluster-ip-range=10.96.0.0\/16 \\\\\n--cluster-signing-cert-file=\/etc\/kubernetes\/ssl\/ca.pem \\\\\n--cluster-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem  \\\\\n--root-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\\\n--service-account-private-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\\\n--kubeconfig=\/etc\/kubernetes\/cfg\/kube-controller-manager.kubeconfig \\\\\n--tls-cert-file=\/etc\/kubernetes\/ssl\/kube-controller-manager.pem \\\\\n--tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-controller-manager-key.pem \\\\\n--experimental-cluster-signing-duration=87600h0m0s \\\\\n--controllers=*,bootstrapsigner,tokencleaner \\\\\n--use-service-account-credentials=true \\\\\n--node-monitor-grace-period=10s \\\\\n--horizontal-pod-autoscaler-use-rest-clients=true"\nEOF<\/code><\/pre>\n
\u2461\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
cat > \/usr\/lib\/systemd\/system\/kube-controller-manager.service << EOF\n[Unit]\nDescription=Kubernetes Controller Manager\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nEnvironmentFile=\/etc\/kubernetes\/cfg\/kube-controller-manager.conf\nExecStart=\/usr\/local\/bin\/kube-controller-manager \\$KUBE_CONTROLLER_MANAGER_OPTS\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n# \u91cd\u65b0\u52a0\u8f7d\nsystemctl daemon-reload<\/code><\/pre>\n
\u2462\u542f\u52a8<\/h5>\n
systemctl daemon-reload \nsystemctl enable --now kube-controller-manager.service <\/code><\/pre>\n
5\uff09\u90e8\u7f72kube-scheduler\uff08\u6240\u6709master\u8282\u70b9\uff09<\/h4>\n
\u2460\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h5>\n
cat > \/etc\/kubernetes\/cfg\/kube-scheduler.conf << EOF\nKUBE_SCHEDULER_OPTS="--logtostderr=false \\\\\n--v=2 \\\\\n--log-dir=\/var\/log\/kubernetes \\\\\n--kubeconfig=\/etc\/kubernetes\/cfg\/kube-scheduler.kubeconfig \\\\\n--leader-elect=true \\\\\n--master=http:\/\/127.0.0.1:8080 \\\\\n--bind-address=127.0.0.1 "\nEOF<\/code><\/pre>\n
\u2461\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
cat > \/usr\/lib\/systemd\/system\/kube-scheduler.service << EOF\n[Unit]\nDescription=Kubernetes Scheduler\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nEnvironmentFile=\/etc\/kubernetes\/cfg\/kube-scheduler.conf\nExecStart=\/usr\/local\/bin\/kube-scheduler \\$KUBE_SCHEDULER_OPTS\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\nEOF<\/code><\/pre>\n
\u2462\u542f\u52a8<\/h5>\n
systemctl daemon-reload \nsystemctl enable --now kube-scheduler.service <\/code><\/pre>\n
6\uff09\u67e5\u770b\u96c6\u7fa4\u72b6\u6001<\/h4>\n
[root@k8s-m-01 \/opt\/cert\/k8s]# kubectl get cs\nNAME                 STATUS    MESSAGE             ERROR\nscheduler            Healthy   ok                  \ncontroller-manager   Healthy   ok                  \netcd-2               Healthy   {"health":"true"}   \netcd-1               Healthy   {"health":"true"}   \netcd-0               Healthy   {"health":"true"}  <\/code><\/pre>\n
7\uff09\u90e8\u7f72kubelet\u670d\u52a1\uff08\u6240\u6709master\u8282\u70b9\uff09<\/h4>\n
\u2460\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h5>\n
KUBE_HOSTNAME=`hostname`\n\ncat > \/etc\/kubernetes\/cfg\/kubelet.conf << EOF\nKUBELET_OPTS="--logtostderr=false \\\\\n--v=2 \\\\\n--log-dir=\/var\/log\/kubernetes \\\\\n--hostname-override=${KUBE_HOSTNAME} \\\\\n--container-runtime=docker \\\\\n--kubeconfig=\/etc\/kubernetes\/cfg\/kubelet.kubeconfig \\\\\n--bootstrap-kubeconfig=\/etc\/kubernetes\/cfg\/kubelet-bootstrap.kubeconfig \\\\\n--config=\/etc\/kubernetes\/cfg\/kubelet-config.yml \\\\\n--cert-dir=\/etc\/kubernetes\/ssl \\\\\n--image-pull-progress-deadline=15m \\\\\n--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com\/k8sos\/pause:3.2"\nEOF<\/code><\/pre>\n
\u2461\u521b\u5efakubelet-config.yaml<\/h5>\n
KUBE_HOSTNAME_IP=`hostname -i`\n\ncat > \/etc\/kubernetes\/cfg\/kubelet-config.yml << EOF\nkind: KubeletConfiguration\napiVersion: kubelet.config.k8s.io\/v1beta1\naddress: ${KUBE_HOSTNAME_IP}\nport: 10250\nreadOnlyPort: 10255\ncgroupDriver: cgroupfs\nclusterDNS:\n- 10.96.0.2\nclusterDomain: cluster.local\nfailSwapOn: false\nauthentication:\n  anonymous:\n    enabled: false\n  webhook:\n    cacheTTL: 2m0s\n    enabled: true\n  x509:\n    clientCAFile: \/etc\/kubernetes\/ssl\/ca.pem\nauthorization:\n  mode: Webhook\n  webhook:\n    cacheAuthorizedTTL: 5m0s\n    cacheUnauthorizedTTL: 30s\nevictionHard:\n  imagefs.available: 15%\n  memory.available: 100Mi\n  nodefs.available: 10%\n  nodefs.inodesFree: 5%\nmaxOpenFiles: 1000000\nmaxPods: 110\nEOF<\/code><\/pre>\n
\u2462\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
cat > \/usr\/lib\/systemd\/system\/kubelet.service << EOF\n[Unit]\nDescription=Kubernetes Kubelet\nAfter=docker.service\n\n[Service]\nEnvironmentFile=\/etc\/kubernetes\/cfg\/kubelet.conf\nExecStart=\/usr\/local\/bin\/kubelet \\$KUBELET_OPTS\nRestart=on-failure\nRestartSec=10\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target\nEOF<\/code><\/pre>\n
\u2463\u542f\u52a8<\/h5>\n
systemctl daemon-reload \nsystemctl enable --now kubelet.service <\/code><\/pre>\n
8\uff09\u90e8\u7f72kube-proxy\uff08\u6240\u6709master\u8282\u70b9\uff09<\/h4>\n
\u2460\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/h5>\n
cat > \/etc\/kubernetes\/cfg\/kube-proxy.conf << EOF\nKUBE_PROXY_OPTS="--logtostderr=false \\\\\n--v=2 \\\\\n--log-dir=\/var\/log\/kubernetes \\\\\n--config=\/etc\/kubernetes\/cfg\/kube-proxy-config.yml"\nEOF<\/code><\/pre>\n
\u2461\u521b\u5efakube-proxy-config.yml<\/h5>\n
KUBE_HOSTNAME_IP=`hostname -i`\nHOSTNAME=`hostname`\n\ncat > \/etc\/kubernetes\/cfg\/kube-proxy-config.yml << EOF\nkind: KubeProxyConfiguration\napiVersion: kubeproxy.config.k8s.io\/v1alpha1\nbindAddress: ${KUBE_HOSTNAME_IP}\nhealthzBindAddress: ${KUBE_HOSTNAME_IP}:10256\nmetricsBindAddress: ${KUBE_HOSTNAME_IP}:10249\nclientConnection:\n  burst: 200\n  kubeconfig: \/etc\/kubernetes\/cfg\/kube-proxy.kubeconfig\n  qps: 100\nhostnameOverride: ${HOSTNAME}\nclusterCIDR: 10.96.0.0\/16\nenableProfiling: true\nmode: "ipvs"\nkubeProxyIPTablesConfiguration:\n  masqueradeAll: false\nkubeProxyIPVSConfiguration:\n  scheduler: rr\n  excludeCIDRs: []\nEOF<\/code><\/pre>\n
\u2462\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
cat > \/usr\/lib\/systemd\/system\/kube-proxy.service << EOF\n[Unit]\nDescription=Kubernetes Proxy\nAfter=network.target\n\n[Service]\nEnvironmentFile=\/etc\/kubernetes\/cfg\/kube-proxy.conf\nExecStart=\/usr\/local\/bin\/kube-proxy \\$KUBE_PROXY_OPTS\nRestart=on-failure\nRestartSec=10\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target\nEOF<\/code><\/pre>\n
\u2463\u542f\u52a8<\/h5>\n
systemctl daemon-reload \nsystemctl enable --now kube-proxy.service<\/code><\/pre>\n
9\uff09\u52a0\u5165\u96c6\u7fa4\u8282\u70b9<\/h4>\n
\u2460\u67e5\u770b\u96c6\u7fa4\u8282\u70b9\u52a0\u5165\u8bf7\u6c42<\/h5>\n
# \u53ea\u9700\u8981\u5728\u4e00\u53f0\u8282\u70b9\u4e0a\u6267\u884c\u5373\u53ef\n[root@k8s-m-01 \/opt\/cert\/k8s]# kubectl get csr\nNAME                                                   AGE    SIGNERNAME                                    REQUESTOR           CONDITION\nnode-csr-5AWYEWZ0DkF4DzHTOP00M2_Ne6on7XMwvryxbwsh90M   6m3s   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending\nnode-csr-8_Rjm9D7z-04h400v_8RDHHCW3UGILeSRhxx-KkIWNI   6m3s   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending\nnode-csr-wlHMJiNAkMuPsQPoD6dan8QF4AIlm-x_hVYJt9DukIg   6m2s   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending<\/code><\/pre>\n
\u2461\u6279\u51c6\u52a0\u5165<\/h5>\n
# \u53ea\u9700\u8981\u5728\u4e00\u53f0\u8282\u70b9\u4e0a\u6267\u884c\u5373\u53ef\n[root@k8s-m-01 \/opt\/cert\/k8s]# kubectl certificate approve `kubectl get csr | grep "Pending" | awk '{print $1}'`\ncertificatesigningrequest.certificates.k8s.io\/node-csr-5AWYEWZ0DkF4DzHTOP00M2_Ne6on7XMwvryxbwsh90M approved\ncertificatesigningrequest.certificates.k8s.io\/node-csr-8_Rjm9D7z-04h400v_8RDHHCW3UGILeSRhxx-KkIWNI approved\ncertificatesigningrequest.certificates.k8s.io\/node-csr-wlHMJiNAkMuPsQPoD6dan8QF4AIlm-x_hVYJt9DukIg approved\n[root@k8s-m-01 \/opt\/cert\/k8s]# kubectl get nodes\nNAME       STATUS   ROLES    AGE   VERSION\nk8s-m-01   Ready    <none>   13s   v1.18.8\nk8s-m-02   Ready    <none>   12s   v1.18.8\nk8s-m-03   Ready    <none>   12s   v1.18.8<\/code><\/pre>\n
10\uff09\u5b89\u88c5\u7f51\u7edc\u63d2\u4ef6<\/h4>\n
\u672c\u6b21\u9009\u62e9\u4f7f\u7528flannel\u7f51\u7edc\u63d2\u4ef6<\/strong><\/p>\n
\u2460\u4e0b\u8f7dflannel\u5b89\u88c5\u5305\u5e76\u5b89\u88c5<\/h5>\n
# \u53ea\u9700\u8981\u5728\u4e00\u53f0\u8282\u70b9\u4e0a\u6267\u884c\u5373\u53ef\ncd \/opt\/data\nwget https:\/\/github.com\/coreos\/flannel\/releases\/download\/v0.13.1-rc1\/flannel-v0.13.1-rc1-linux-amd64.tar.gz\ntar -xf flannel-v0.13.1-rc1-linux-amd64.tar.gz\n\nfor i in m1 m2 m3;do\nscp flanneld mk-docker-opts.sh root@$i:\/usr\/local\/bin\/\ndone<\/code><\/pre>\n
\u2461\u5c06flannel\u914d\u7f6e\u5199\u5165\u96c6\u7fa4\u6570\u636e\u5e93<\/h5>\n
# \u53ea\u9700\u8981\u5728\u4e00\u53f0\u8282\u70b9\u4e0a\u6267\u884c\u5373\u53ef\netcdctl \\\n--ca-file=\/etc\/etcd\/ssl\/ca.pem \\\n--cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\n--key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\n--endpoints="https:\/\/192.168.15.51:2379,https:\/\/192.168.15.52:2379,https:\/\/192.168.15.53:2379" \\\nmk \/coreos.com\/network\/config '{"Network":"10.244.0.0\/12", "SubnetLen": 21, "Backend": {"Type": "vxlan", "DirectRouting": true}}'<\/code><\/pre>\n
\u2462\u52a0\u5165systemd\u7ba1\u7406<\/h5>\n
# \u9700\u8981\u5728\u4e09\u53f0\u673a\u5668\u8fd0\u884c\ncat > \/usr\/lib\/systemd\/system\/flanneld.service << EOF\n[Unit]\nDescription=Flanneld address\nAfter=network.target\nAfter=network-online.target\nWants=network-online.target\nAfter=etcd.service\nBefore=docker.service\n\n[Service]\nType=notify\nExecStart=\/usr\/local\/bin\/flanneld \\\\\n  -etcd-cafile=\/etc\/etcd\/ssl\/ca.pem \\\\\n  -etcd-certfile=\/etc\/etcd\/ssl\/etcd.pem \\\\\n  -etcd-keyfile=\/etc\/etcd\/ssl\/etcd-key.pem \\\\\n  -etcd-endpoints=https:\/\/192.168.15.51:2379,https:\/\/192.168.15.52:2379,https:\/\/192.168.15.53:2379 \\\\\n  -etcd-prefix=\/coreos.com\/network \\\\\n  -ip-masq\nExecStartPost=\/usr\/local\/bin\/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d \/run\/flannel\/subnet.env\nRestart=always\nRestartSec=5\nStartLimitInterval=0\n[Install]\nWantedBy=multi-user.target\nRequiredBy=docker.service\nEOF<\/code><\/pre>\n
\u2463\u4fee\u6539docker\u542f\u52a8\u6587\u4ef6<\/h5>\n
# \u8ba9flannel\u63a5\u7ba1docker\u7f51\u7edc\n# \u9700\u8981\u5728\u4e09\u53f0\u673a\u5668\u8fd0\u884c\nsed -i '\/ExecStart\/s\/\\(.*\\)\/#\\1\/' \/usr\/lib\/systemd\/system\/docker.service\nsed -i '\/ExecReload\/a ExecStart=\/usr\/bin\/dockerd $DOCKER_NETWORK_OPTIONS -H fd:\/\/ --containerd=\/run\/containerd\/containerd.sock' \/usr\/lib\/systemd\/system\/docker.service\nsed -i '\/ExecReload\/a EnvironmentFile=-\/run\/flannel\/subnet.env' \/usr\/lib\/systemd\/system\/docker.service<\/code><\/pre>\n
\u2464\u542f\u52a8<\/h5>\n
# \u9700\u8981\u5728\u4e09\u53f0\u673a\u5668\u8fd0\u884c\nsystemctl daemon-reload\nsystemctl enable --now flanneld.service\nsystemctl restart docker<\/code><\/pre>\n
\u2465\u9a8c\u8bc1\u96c6\u7fa4\u7f51\u7edc<\/h5>\n
# \u96c6\u7fa4\u8282\u70b9\u4e92ping\u5bf9\u65b9\u7684flannel\u7f51\u7edc<\/code><\/pre>\n
11\uff09\u5b89\u88c5\u96c6\u7fa4DNS<\/h4>\n
# \u53ea\u9700\u8981\u5728\u4e00\u53f0\u8282\u70b9\u4e0a\u6267\u884c\u5373\u53ef\n# \u4e0b\u8f7dDNS\u5b89\u88c5\u914d\u7f6e\u6587\u4ef6\u5305\n[root@k8s-m-01 ~]# wget https:\/\/github.com\/coredns\/deployment\/archive\/refs\/heads\/master.zip\n[root@k8s-m-01 ~]# unzip deployment-master.zip\n[root@k8s-m-01 ~]# cd deployment-master\/kubernetes\n\n# \u6267\u884c\u90e8\u7f72\u547d\u4ee4\n[root@k8s-m-01 ~\/deployment-master\/kubernetes]# .\/deploy.sh -i 10.96.0.2 -s | kubectl apply -f -\n\n# \u9a8c\u8bc1\u96c6\u7fa4DNS\n[root@k8s-m-01 ~\/deployment-master\/kubernetes]# kubectl get pods -n kube-system\nNAME                      READY   STATUS    RESTARTS   AGE\ncoredns-6ff445f54-m28gw   1\/1     Running   0          48s<\/code><\/pre>\n
12\uff09\u9a8c\u8bc1\u96c6\u7fa4<\/h4>\n
# \u7ed1\u5b9a\u4e00\u4e0b\u8d85\u7ba1\u7528\u6237\uff08\u53ea\u9700\u8981\u5728\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\u6267\u884c\u5373\u53ef\uff09\n[root@k8s-m-01 ~\/deployment-master\/kubernetes]# kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=kubernetes\nclusterrolebinding.rbac.authorization.k8s.io\/cluster-system-anonymous created\n\n# \u9a8c\u8bc1\u96c6\u7fa4DNS\u548c\u96c6\u7fa4\u7f51\u7edc\u6210\u529f\n[root@k8s-m-01 ~\/deployment-master\/kubernetes]# kubectl run test -it --rm --image=busybox:1.28.3\nIf you don't see a command prompt, try pressing enter.\n\/ # nslookup kubernetes\nServer:    10.96.0.2\nAddress 1: 10.96.0.2 kube-dns.kube-system.svc.cluster.local\n\nName:      kubernetes\nAddress 1: 10.96.0.1 kubernetes.default.svc.cluster.local<\/code><\/pre>\n
\u4e5d\u3001Node\u8282\u70b9\u5b89\u88c5<\/h2>\n
\u200b   Node\u8282\u70b9\u4e3b\u8981\u8d1f\u8d23\u63d0\u4f9b\u5e94\u7528\u8fd0\u884c\u73af\u5883\uff0c\u5176\u6700\u4e3b\u8981\u7684\u7ec4\u4ef6\u5c31\u662fkube-proxy\u548ckubelet\u3002\u63a5\u4e0b\u6765\u6211\u4eec\u5c31\u5728\u96c6\u7fa4\u5f53\u4e2d\u90e8\u7f72Node\u8282\u70b9\u3002<\/strong><\/p>\n
\n
node\u9700\u8981\u90e8\u7f72\u54ea\u4e9b\u7ec4\u4ef6\uff1f<\/p>\n
\u200b  kubelet\u3001kube-proxy\u3001flannel<\/p>\n<\/blockquote>\n
1\u3001\u96c6\u7fa4\u89c4\u5212<\/h3>\n
192.168.15.54  k8s-n-01 n1\n192.168.15.55  k8s-n-02 n2<\/code><\/pre>\n
2\u3001\u514d\u5bc6\u767b\u5f55<\/h3>\n
\u7565<\/code><\/pre>\n
3\u3001m01\u5206\u53d1\u8f6f\u4ef6\u5305<\/h3>\n
[root@k8s-m-01 ~]# cd \/opt\/data\/\n\n[root@k8s-m-01 \/opt\/data]# for i in n1 n2;do\nscp flanneld mk-docker-opts.sh kubernetes\/server\/bin\/kubelet kubernetes\/server\/bin\/kube-proxy root@$i:\/usr\/local\/bin;done<\/code><\/pre>\n
4\u3001\u5206\u53d1\u8bc1\u4e66<\/h3>\n
[root@k8s-m-01 \/opt\/data]# for i in n1 n2; do ssh root@$i "mkdir -pv \/etc\/kubernetes\/ssl"; scp -pr \/etc\/kubernetes\/ssl\/{ca*.pem,admin*pem,kube-proxy*pem} root@$i:\/etc\/kubernetes\/ssl; done<\/code><\/pre>\n
5\u3001\u5206\u53d1\u914d\u7f6e\u6587\u4ef6<\/h3>\n
# flanneld\u3001etcd\u7684\u8bc1\u4e66\u3001docker.service\n\n# \u5206\u53d1ETCD\u8bc1\u4e66\n[root@k8s-m-01 \/opt\/data]# cd \/etc\/etcd\/ssl\/\n[root@k8s-m-01 \/etc\/etcd\/ssl]# for i in n1 n2 ;do ssh root@$i "mkdir -pv \/etc\/etcd\/ssl"; scp.\/*  root@$i:\/etc\/etcd\/ssl; done\n\n#\u5206\u53d1flannel\u548cdocker\u7684\u542f\u52a8\u811a\u672c\n[root@k8s-m-01 \/etc\/etcd\/ssl]# for i in n1 n2;do scp \/usr\/lib\/systemd\/system\/docker.service root@$i:\/usr\/lib\/systemd\/system\/docker.service; scp \/usr\/lib\/systemd\/system\/flanneld.service root@$i:\/usr\/lib\/systemd\/system\/flanneld.service; done<\/code><\/pre>\n
6\u3001\u90e8\u7f72kubelet<\/h3>\n
1\uff09m01\u5206\u53d1\u914d\u7f6e\u6587\u4ef6<\/h4>\n
[root@k8s-m-01 ~]# for i in n1 n2 ;do\n    ssh root@$i "mkdir -pv  \/etc\/kubernetes\/cfg";\n    scp \/etc\/kubernetes\/cfg\/kubelet.conf root@$i:\/etc\/kubernetes\/cfg\/kubelet.conf;\n    scp \/etc\/kubernetes\/cfg\/kubelet-config.yml root@$i:\/etc\/kubernetes\/cfg\/kubelet-config.yml;\n    scp \/usr\/lib\/systemd\/system\/kubelet.service root@$i:\/usr\/lib\/systemd\/system\/kubelet.service;\n    scp \/etc\/kubernetes\/cfg\/kubelet.kubeconfig root@$i:\/etc\/kubernetes\/cfg\/kubelet.kubeconfig;\n    scp \/etc\/kubernetes\/cfg\/kubelet-bootstrap.kubeconfig root@$i:\/etc\/kubernetes\/cfg\/kubelet-bootstrap.kubeconfig;\n    scp \/etc\/kubernetes\/cfg\/token.csv root@$i:\/etc\/kubernetes\/cfg\/token.csv;\ndone\n<\/code><\/pre>\n
2\uff09\u4fee\u6539<\/h4>\n
\u56e0\u4e3a\u662f\u76f4\u63a5\u4ecem01\u62f7\u8d1d\u8fc7\u6765\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u6240\u6709\u8981\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u5185\u5bb9<\/strong><\/p>\n
# \u4fee\u6539\u914d\u7f6e\u6587\u4ef6kubelet-config.yml\u548ckubelet.conf<\/code><\/pre>\n
3\uff09\u542f\u52a8kubelet<\/h4>\n
[root@k8s-n-02 \/etc\/kubernetes\/cfg]# systemctl enable --now kubelet.service\nCreated symlink from \/etc\/systemd\/system\/multi-user.target.wants\/kubelet.service to \/usr\/lib\/systemd\/system\/kubelet.service.<\/code><\/pre>\n
7\u3001\u90e8\u7f72kube-proxy<\/h3>\n
1\uff09m01\u5206\u53d1\u914d\u7f6e\u6587\u4ef6<\/h4>\n
[root@k8s-m-01 ~]# for i in n1 n2 ; do \n    scp \/etc\/kubernetes\/cfg\/kube-proxy.conf root@$i:\/etc\/kubernetes\/cfg\/kube-proxy.conf;  \n    scp \/etc\/kubernetes\/cfg\/kube-proxy-config.yml root@$i:\/etc\/kubernetes\/cfg\/kube-proxy-config.yml ;  \n    scp \/usr\/lib\/systemd\/system\/kube-proxy.service root@$i:\/usr\/lib\/systemd\/system\/kube-proxy.service;  \n    scp \/etc\/kubernetes\/cfg\/kube-proxy.kubeconfig root@$i:\/etc\/kubernetes\/cfg\/kube-proxy.kubeconfig;\n    done<\/code><\/pre>\n
2\uff09\u4fee\u6539<\/h4>\n
# \u4fee\u6539kube-proxy-config.yml\u4e2dIP\u548c\u4e3b\u673a\u540d<\/code><\/pre>\n
3\uff09\u542f\u52a8<\/h4>\n
# \u542f\u52a8\n[root@k8s-n-02 ~]# systemctl enable --now kube-proxy.service <\/code><\/pre>\n
8\u3001\u52a0\u5165\u96c6\u7fa4<\/h3>\n
1\uff09\u67e5\u770b\u96c6\u7fa4\u72b6\u6001<\/h4>\n
[root@k8s-m-01 ~]# kubectl get cs\nNAME                 STATUS    MESSAGE             ERROR\nscheduler            Healthy   ok\ncontroller-manager   Healthy   ok\netcd-2               Healthy   {"health":"true"}\netcd-0               Healthy   {"health":"true"}\netcd-1               Healthy   {"health":"true"<\/code><\/pre>\n
2\uff09\u67e5\u770b\u52a0\u5165\u96c6\u7fa4\u8bf7\u6c42<\/h4>\n
[root@k8s-m-01 ~]# kubectl get csr\nNAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION\nnode-csr-4_UFaJOBTN1e_UHxH4uUG23TRxV0iC9Y3R4HChCfn9w   11m   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending\nnode-csr-O6lrJ_C6xASbA9SzlCy9S2fpHACc_4WElKWyHBZ95Mg   11m   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Pending\n<\/code><\/pre>\n
3\uff09\u6279\u51c6\u52a0\u5165<\/h4>\n
[root@k8s-m-01 ~]#  kubectl certificate approve `kubectl get csr | grep "Pending" | awk '{print $1}'`\ncertificatesigningrequest.certificates.k8s.io\/node-csr-4_UFaJOBTN1e_UHxH4uUG23TRxV0iC9Y3R4HChCfn9w approved\ncertificatesigningrequest.certificates.k8s.io\/node-csr-O6lrJ_C6xASbA9SzlCy9S2fpHACc_4WElKWyHBZ95Mg approved<\/code><\/pre>\n
4\uff09\u67e5\u770b\u52a0\u5165\u72b6\u6001<\/h4>\n
[root@k8s-m-01 ~]# kubectl get csr\nNAME                                                   AGE   SIGNERNAME                                    REQUESTOR           CONDITION\nnode-csr-4_UFaJOBTN1e_UHxH4uUG23TRxV0iC9Y3R4HChCfn9w   13m   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued\nnode-csr-O6lrJ_C6xASbA9SzlCy9S2fpHACc_4WElKWyHBZ95Mg   13m   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   Approved,Issued<\/code><\/pre>\n
5\uff09\u67e5\u770b\u52a0\u5165\u8282\u70b9<\/h4>\n
[root@k8s-m-01 ~]# kubectl get nodes\nNAME       STATUS   ROLES    AGE     VERSION\nk8s-m-01   Ready    <none>   21h     v1.18.8\nk8s-m-02   Ready    <none>   21h     v1.18.8\nk8s-m-03   Ready    <none>   21h     v1.18.8\nk8s-n-01   Ready    <none>   2m21s   v1.18.8\nk8s-n-02   Ready    <none>   2m20s   v1.18.8<\/code><\/pre>\n
6\uff09\u8bbe\u7f6e\u96c6\u7fa4\u89d2\u8272<\/h4>\n
[root@k8s-m-01 ~]# kubectl label nodes k8s-m-01 node-role.kubernetes.io\/master=k8s-m-01\n\nnode\/k8s-m-01 labeled\n[root@k8s-m-01 ~]#  kubectl label nodes k8s-m-02 node-role.kubernetes.io\/master=k8s-m-02\n\nnode\/k8s-m-02 labeled\n[root@k8s-m-01 ~]# kubectl label nodes k8s-m-03 node-role.kubernetes.io\/master=k8s-m-03\n\nnode\/k8s-m-03 labeled\n[root@k8s-m-01 ~]# kubectl label nodes k8s-n-01 node-role.kubernetes.io\/node=k8s-n-01\n\nnode\/k8s-n-01 labeled\n[root@k8s-m-01 ~]# kubectl label nodes k8s-n-02 node-role.kubernetes.io\/node=k8s-n-02\n\nnode\/k8s-n-02 labeled\n[root@k8s-m-01 ~]# kubectl get nodes\nNAME       STATUS   ROLES    AGE     VERSION\nk8s-m-01   Ready    master   21h     v1.18.8\nk8s-m-02   Ready    master   21h     v1.18.8\nk8s-m-03   Ready    master   21h     v1.18.8\nk8s-n-01   Ready    node     3m46s   v1.18.8\nk8s-n-02   Ready    node     3m45s   v1.18.8\n[root@k8s-m-01 ~]#<\/code><\/pre>\n
9\u3001\u5b89\u88c5\u96c6\u7fa4\u56fe\u5f62\u5316\u754c\u9762<\/h3>\n
1\uff09\u4e0b\u8f7dyaml<\/h4>\n
https:\/\/github.com\/kubernetes\/dashboard\n\n wget https:\/\/raw.githubusercontent.com\/kubernetes\/dashboard\/v2.2.0\/aio\/deploy\/recommended.yaml<\/code><\/pre>\n
\"\"<\/div><\/p>\n
2\uff09\u5b89\u88c5<\/h4>\n
[root@k8s-m-01 ~]# kubectl apply -f recommended.yaml \nnamespace\/kubernetes-dashboard created\nserviceaccount\/kubernetes-dashboard created\nservice\/kubernetes-dashboard created\nsecret\/kubernetes-dashboard-certs created\nsecret\/kubernetes-dashboard-csrf created\nsecret\/kubernetes-dashboard-key-holder created\nconfigmap\/kubernetes-dashboard-settings created\nrole.rbac.authorization.k8s.io\/kubernetes-dashboard created\nclusterrole.rbac.authorization.k8s.io\/kubernetes-dashboard created\nrolebinding.rbac.authorization.k8s.io\/kubernetes-dashboard created\nclusterrolebinding.rbac.authorization.k8s.io\/kubernetes-dashboard created\ndeployment.apps\/kubernetes-dashboard created\nservice\/dashboard-metrics-scraper created\ndeployment.apps\/dashboard-metrics-scraper created<\/code><\/pre>\n
3\uff09\u6307\u5b9a\u7aef\u53e3\u6620\u5c04<\/h4>\n
# \u5f00\u4e00\u4e2a\u7aef\u53e3\uff0c\u7528\u4e8e\u8bbf\u95ee\n[root@k8s-m-01 ~]# kubectl edit svc -n kubernetes-dashboard kubernetes-dashboard\n \u4fee\u6539\uff1a type: ClusterIP   =>  type: NodePort\n\n##\u5982\u679c\u62a5\u9519\u6839\u636e\u62a5\u9519\u91cd\u65b0\u6267\u884cyaml\u6587\u4ef6\n    kubectl replace -f \/tmp\/kubectl-edit-ptlrv.yaml\n\n# \u67e5\u770b\u4fee\u6539\u540e\u5f97\u7aef\u53e3\n[root@k8s-m-01 ~]# kubectl get svc -n kubernetes-dashboard\nNAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE\ndashboard-metrics-scraper   ClusterIP   10.96.17.143    <none>        8000\/TCP        6m6s\nkubernetes-dashboard        NodePort    10.96.161.179   <none>        443:44121\/TCP   6m8s<\/code><\/pre>\n
4\uff09\u8bbf\u95ee<\/h4>\n
https:\/\/192.168.15.51:44121\/<\/code><\/pre>\n
\"\"<\/div><\/p>\n
5\uff09\u521b\u5efatoken\u6587\u4ef6<\/h4>\n
[root@k8s-m-01 ~]# vim token.yaml\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: admin-user\n  namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: admin-user\n  annotations:\n    rbac.authorization.kubernetes.io\/autoupdate: "true"\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: admin-user\n  namespace: kube-system<\/code><\/pre>\n
6\uff09\u90e8\u7f72token\u5230\u96c6\u7fa4<\/h4>\n
[root@k8s-m-01 ~]# kubectl apply -f token.yaml \nserviceaccount\/admin-user created\nclusterrolebinding.rbac.authorization.k8s.io\/admin-user created<\/code><\/pre>\n
7\uff09\u83b7\u53d6token<\/h4>\n
[root@k8s-m-01 ~]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}') | grep token: | awk '{print $2}'<\/code><\/pre>\n
10\u3001tab\u952e\u4f18\u5316\uff08\u4e3b\u8282\u70b9\u6267\u884c\uff09<\/h3>\n
yum install -y bash-completion\nsource \/usr\/share\/bash-completion\/bash_completion\nsource <(kubectl completion bash)\necho "source <(kubectl completion bash)" >> ~\/.bashrc<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u4e8c\u8fdb\u5236\u5b89\u88c5kubernets \u4e00\u3001\u7b80\u4ecb Kubernetes\u6709\u4e24\u79cd\u65b9\u5f0f\uff0c\u7b2c\u4e00\u79cd\u662f\u4e8c\u8fdb\u5236\u7684\u65b9\u5f0f\uff0c\u53ef\u5b9a\u5236\u4f46\u662f\u90e8\u7f72\u590d […]<\/p>\n","protected":false},"author":3,"featured_media":1002,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[122],"tags":[21,133,134,135,19,22,132,20],"_links":{"self":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts\/994"}],"collection":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=994"}],"version-history":[{"count":0,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/posts\/994\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=\/wp\/v2\/media\/1002"}],"wp:attachment":[{"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/egonlin.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}