IP地址 主机名 角色 备注
192.168.133.128 k8s-m01 k8s-master/etcd
192.168.133.129 k8s-m02 k8s-master/etcd
192.168.133.130 k8s-m03 k8s-master/etcd
192.168.133.131 k8s-n01 k8s node节点
192.168.133.132 k8s-n02 k8s node节点
yum -y remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2 conntrack ipvsadm ipset jq sysstat curl iptables libseccomp wget lrzsz
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast && yum -y install docker-ce
systemctl restart docker
systemctl enable docker
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://jek8a03u.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker
systemctl enable docker
systemctl stop firewalld && systemctl disable firewalld
swapoff -a && sysctl -w vm.swappiness=0
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
cat > /etc/sysctl.d/99-sysctl.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
EOF
sysctl -p /etc/sysctl.d/99-sysctl.conf
mount -t cgroup -o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct
modprobe br_netfilter
modprobe ip_vs
wget https://dl.k8s.io/v1.11.2/kubernetes-server-linux-amd64.tar.gz
tar zxf kubernetes-server-linux-amd64.tar.gz
export NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130)
for node_ip in ${NODE_IPS[@]};do
scp kubernetes/server/bin/{kubeadm,kubectl,kube-apiserver,kube-controller-manager,kube-scheduler} ${node_ip}:/usr/local/bin/
done
export NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
for node_ip in ${NODE_IPS[@]};do
echo ${node_ip}
scp kubernetes/server/bin/{kubelet,kube-proxy} ${node_ip}:/usr/local/bin/
done
建议做免秘钥认证通信,这样做后面拷贝文件以及证书的时候不需重复输入密码。制作免秘钥通信过程请自行参考其他文档。
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
- CA 配置文件用于配置根证书的使用场景 (profile) 和具体参数 (usage,过期时间、服务端认证、客户端认证、加密等)。
cat > ca-csr.json <<EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "4Paradigm"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls ca*
- 将生成的 CA 证书、秘钥文件、配置文件拷贝到所有节点的 /etc/kubernetes/ssl 目录下。
export NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /etc/kubernetes/ssl"
scp ca*.pem ca-config.json ${node_ip}:/etc/kubernetes/ssl
ssh root@${node_ip} "chmod 755 -R /etc/kubernetes/ssl/*"
done