cat > calico-csr.json <<EOF
{
"CN": "calico",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "4Paradigm"
}
]
}
EOF
cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
-ca-key=/etc/kubernetes/ssl/ca-key.pem \
-config=/etc/kubernetes/ssl/ca-config.json \
-profile=kubernetes calico-csr.json | cfssljson -bare calico
ls calico*pem
将生成的证书和私钥分发到所有节点(master 和 worker) export NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp calico*pem ${node_ip}:/etc/kubernetes/ssl
ssh ${node_ip} "chmod 755 /etc/kubernetes/ssl/calico*pem"
done
wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/rbac.yaml
wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/calico.yaml
## 更改为自己的etcd集群
sed -i 's@.*etcd_endpoints:.*@\ \ etcd_endpoints:\ \"https://192.168.133.128:2379,https://192.168.133.129:2379,https://192.168.133.130:2379\"@gi' calico.yaml
export ETCD_CERT=`cat /etc/etcd/ssl/etcd.pem | base64 | tr -d '\n'`
export ETCD_KEY=`cat /etc/etcd/ssl/etcd-key.pem | base64 | tr -d '\n'`
export ETCD_CA=`cat /etc/kubernetes/ssl/ca.pem | base64 | tr -d '\n'`
sed -i "s@.*etcd-cert:.*@\ \ etcd-cert:\ ${ETCD_CERT}@gi" calico.yaml
sed -i "s@.*etcd-key:.*@\ \ etcd-key:\ ${ETCD_KEY}@gi" calico.yaml
sed -i "s@.*etcd-ca:.*@\ \ etcd-ca:\ ${ETCD_CA}@gi" calico.yaml
sed -i 's@.*etcd_ca:.*@\ \ etcd_ca:\ "/calico-secrets/ca"@gi' calico.yaml
sed -i 's@.*etcd_cert:.*@\ \ etcd_cert:\ "/calico-secrets/etcd-cert"@gi' calico.yaml
sed -i 's@.*etcd_key:.*@\ \ etcd_key:\ "/calico-secrets/etcd-key"@gi' calico.yaml
sed -i '[email protected] /[email protected] /16@gi' calico.yaml
## 禁止kubernetes启动calico-node容器
--network-plugin=cni \ # 添加该行内容
cat > nginx-ds.yml <<EOF
apiVersion: v1
kind: Service
metadata:
name: nginx-ds
labels:
app: nginx-ds
spec:
type: NodePort
selector:
app: nginx-ds
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ds
labels:
addonmanager.kubernetes.io/mode: Reconcile
spec:
template:
metadata:
labels:
app: nginx-ds
spec:
containers:
- name: my-nginx
image: nginx:1.7.9
ports:
- containerPort: 80
EOF
kubectl create -f nginx-ds.yml
kubectl get pods -o wide|grep nginx-ds
$ kubectl get pods -o wide|grep nginx-ds
nginx-ds-4zknf 1/1 Running 0 17m 172.30.176.2 k8s-m01 <none>
nginx-ds-h2kqq 1/1 Running 0 17m 172.30.217.3 k8s-m02 <none>
nginx-ds-msb2f 1/1 Running 0 17m 172.30.181.193 k8s-n01 <none>
nginx-ds-qrbhg 1/1 Running 0 17m 172.30.57.65 k8s-n02 <none>
nginx-ds-vzb4t 1/1 Running 0 17m 172.30.205.132 k8s-m03 <none>
NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "ping -c 4 172.30.176.2"
ssh ${node_ip} "ping -c 4 172.30.217.3"
ssh ${node_ip} "ping -c 4 172.30.181.193"
ssh ${node_ip} "ping -c 4 172.30.57.65"
ssh ${node_ip} "ping -c 4 172.30.205.132"
done
NODE_IPS=(192.168.133.128 192.168.133.129 192.168.133.130 192.168.133.131 192.168.133.132)
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "curl 10.254.42.186"
done