kubernetes（二）二进制安装-环境准备

系统信息

角色	系统	CPU Core	内存	主机名称	ip	安装组件
master	18.04.1-Ubuntu	4	8G	master	192.168.0.107	kubectl,kube-apiserver,kube-controller-manager,kube-scheduler,etcd,flannald
slave	18.04.1-Ubuntu	4	4G	slave	192.168.0.114	docker,flannald,kubelet,kube-proxy,coredns

k8s&docker版本

软件	版本
k8s	1.17.2
etcd	v3.3.18
coredns	1.6.6(docker镜像）
Flanel	v0.11.0
docker	18.09

安装前准备（主节点和从节点都须要执行）

1. 关闭swap

   sudo swapoff -a 
   sudo  sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

2. 配置经常使用软件安装源
   在/etc/apt/sources.list.d/ 追加system.list文件,内容以下

   deb http://mirrors.aliyun.com/ubuntu/ bionic main restricted  
   deb http://mirrors.aliyun.com/ubuntu/ bionic-updates main restricted  
   deb http://mirrors.aliyun.com/ubuntu/ bionic universe  
   deb http://mirrors.aliyun.com/ubuntu/ bionic-updates universe  
   deb http://mirrors.aliyun.com/ubuntu/ bionic multiverse  
   deb http://mirrors.aliyun.com/ubuntu/ bionic-updates multiverse  
   deb http://mirrors.aliyun.com/ubuntu/ bionic-backports main restricted universe multiverse

   执行

   sudo apt-get update

3. 建立工做目录

   mkdir -p /opt/k8s/{bin,work} /etc/{kubernetes,etcd}/cert

4. 将 /opt/k8s/bin追加到$PATH中

   echo 'PATH=/opt/k8s/bin:$PATH' >>/root/.bashrc
   source /root/.bashrc

5. 安装ssh服务，并设置root能够执行

   apt install openssh-server
   
   #编辑/etc/ssh/sshd_config文件，在#PermitRootLogin prohibit-password下追加PermitRootLogin yes ，重启ssh服务
   
   systemctl restart ssh.service

6. 安装依赖工具包

   apt install -y ipvsadm ipset curl jq socat

7. 设置主机名

   cat >> /etc/hosts <<EOF
   192.168.0.107 master
   192.168.0.114 slave
   EOF

8. 添加节点信任关系,只用在master节点上执行

   ssh-keygen -t rsa 
   ssh-copy-id root@192.168.0.114

建立CA根证书和秘钥(在master节点上执行）

1. 安装cfssl工具集

   cd /opt/k8s/work
   
   wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl_1.4.1_linux_amd64
   cp cfssl_1.4.1_linux_amd64 /opt/k8s/bin/cfssl
   
   wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssljson_1.4.1_linux_amd64
   cp cfssljson_1.4.1_linux_amd64 /opt/k8s/bin/cfssljson
   
   wget https://github.com/cloudflare/cfssl/releases/download/v1.4.1/cfssl-certinfo_1.4.1_linux_amd64
   cp cfssl-certinfo_1.4.1_linux_amd64 /opt/k8s/bin/cfssl-certinfo
   
   chmod +x /opt/k8s/bin/*

2. 建立CA配置文件

   cd /opt/k8s/work
   cat > ca-config.json <<EOF
   {
     "signing": {
       "default": {
         "expiry": "87600h"
       },
       "profiles": {
         "kubernetes": {
           "usages": [
               "signing",
               "key encipherment",
               "server auth",
               "client auth"
           ],
           "expiry": "87600h"
         }
       }
     }
   }
   EOF

   • signing：表示该证书可用于签名其它证书（生成的 ca.pem 证书中 CA=TRUE）；
   • server auth：表示 client 能够用该该证书对 server 提供的证书进行验证；
   • client auth：表示 server 能够用该该证书对 client 提供的证书进行验证；
   • expiry : "87600h"：证书有效期设置为 10 年；

3. 建立证书签名请求文件

   cd /opt/k8s/work
   cat > ca-csr.json <<EOF
   {
     "CN": "kubernetes",
     "key": {
       "algo": "rsa",
       "size": 2048
     },
     "names": [
       {
         "C": "CN",
         "ST": "NanJing",
         "L": "NanJing",
         "O": "k8s",
         "OU": "system"
       }
     ],
     "ca": {
       "expiry": "87600h"
    }
   }
   EOF

4. 生成证书

   cd /opt/k8s/work
   cfssl gencert -initca ca-csr.json | cfssljson -bare ca
   ls ca*

5. 安装证书

   cd /opt/k8s/work
   
   cp ca*.pem ca-config.json /etc/kubernetes/cert
   
   # 分发到从节点
   export node_ip=192.168.0.114
   scp ca*.pem ca-config.json root@${node_ip}:/etc/kubernetes/cert/