Kubernetes二進制部署——證書的制作和ETCD的部署

• 一、實驗環境
• • 自簽 SSL 證書
• 二、ETCD集群部署
• • 1、環境部署
  • 2、master節點
  • 3、node1節點
  • 4、node2節點
  • 5、master節點

一、實驗環境

主機名IP服務

master	192.168.172.10/24	kube-apiserver kube-controller-manager kube-scheduler etcd
node1	192.168.172.20/24	etcd docker kubelet kube-proxyflannel
node2	192.168.172.30/24	etcd docker kubelet kube-proxyflannel

自簽 SSL 證書

組件使用的證書

etcd	ca.pem、server.pem、server-key.pem
fiannel	ca.pem、server.pem、server-key.pem
kube-apiserver	ca.pem、server.pem、server-key.pem
kubelet	ca.pem、ca-key.pem
kube-proxy	ca.pem、kube-proxy.pem、kube-proxy-key.pem
kubectl	ca.pem、admin.pem、admin-key.pem

二、ETCD集群部署

二進制部署方式

1、環境部署

更改matser主機名' hostnamectl set-hostname master su -另外兩臺node1、2節點' hostnamectl set-hostname node1su - hostnamectl set-hostname node2su -關閉防火墻及安全訪問控制機制' systemctl stop firewalld systemctl disable firewalld.service setenforce 0

2、master節點

準備工作

[root@master ~]# mkdir k8s [root@master ~]# cd k8s/ [root@master ~/k8s]# vim cfssl.sh #此腳本用于下載證書制作工具 curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo[root@master ~/k8s]# bash cfssl.sh #執行該腳本

開始制作證書

[root@master ~/k8s]# mkdir etcd-cert [root@master ~/k8s]# cd etcd-cert/ ##定義ca證書 cat > ca-config.json <<EOF {"signing": {"default": {"expiry": "87600h"},"profiles": {"www": {"expiry": "87600h","usages": ["signing","key encipherment","server auth","client auth" ]}}} } EOF

##實現證書簽名 cat > ca-csr.json <<EOF { "CN": "etcd CA","key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "Beijing","ST": "Beijing"}] } EOF##生產證書，生成ca-key.pem ca.pem cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

##指定etcd三個節點之間的通信驗證 cat > server-csr.json <<EOF {"CN": "etcd","hosts": ["192.168.172.10","192.168.172.20","192.168.172.30"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","L": "BeiJing","ST": "BeiJing"}] } EOF##生成ETCD證書 server-key.pem server.pem cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

[root@master ~/k8s/etcd-cert]# cd .. #拉入壓縮包etcd-v3.3.10-linux-amd64.tar.gz [root@master ~/k8s]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz [root@master ~/k8s]# ls etcd-v3.3.10-linux-amd64

[root@master ~/k8s]# mkdir /opt/etcd/{cfg,bin,ssl} -p #三個目錄分別存放配置文件，命令文件，證書 [root@master ~/k8s]# mv etcd-v3.3.10-linux-amd64/etcd etcd-v3.3.10-linux-amd64/etcdctl /opt/etcd/bin/ [root@master ~/k8s]# ls /opt/etcd/bin/ etcd etcdctl [root@master ~/k8s]# cp etcd-cert/*.pem /opt/etcd/ssl/ [root@master ~/k8s]# ls /opt/etcd/ssl/ ca-key.pem ca.pem server-key.pem server.pem

[root@master ~/k8s]# vim etcd.sh #!/bin/bash #以下為使用格式：etcd名稱 當前etcd的IP地址+完整的集群名稱和地址 # example: ./etcd.sh etcd01 192.168.172.10 etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380ETCD_NAME=$1 #位置變量1：etcd節點名稱 ETCD_IP=$2 #位置變量2：節點地址 ETCD_CLUSTER=$3 #位置變量3：集群WORK_DIR=/opt/etcd #指定工作目錄cat <<EOF >$WORK_DIR/cfg/etcd #在指定工作目錄創建ETCD的配置文件 #[Member] ETCD_NAME="${ETCD_NAME}" #etcd名稱 ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380" #etcd IP地址：2380端口。用于集群之間通訊 ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379" #etcd IP地址：2379端口，用于開放給外部客戶端通訊#[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380" ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379" #對外提供的url使用https的協議進行訪問 ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}" #多路訪問 ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" #tokens 令牌環名稱：etcd-cluster ETCD_INITIAL_CLUSTER_STATE="new" #狀態，重新創建 EOFcat <<EOF >/usr/lib/systemd/system/etcd.service #定義ectd的啟動腳本 [Unit] #基本項 Description=Etcd Server #類似為 etcd 服務 After=network.target After=network-online.target Wants=network-online.target[Service] #服務項 Type=notify EnvironmentFile=${WORK_DIR}/cfg/etcd #etcd文件位置 ExecStart=${WORK_DIR}/bin/etcd \ #準啟動狀態及以下的參數 --name=\${ETCD_NAME} \ --data-dir=\${ETCD_DATA_DIR} \ --listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \ --listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \ --advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \ #以下為群集內部的設定 --initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \ --initial-cluster=\${ETCD_INITIAL_CLUSTER} \ --initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \ #群集內部通信，也是使用的令牌，為了保證安全（防范中間人竊取） --initial-cluster-state=new \ --cert-file=${WORK_DIR}/ssl/server.pem \ #證書相關參數 --key-file=${WORK_DIR}/ssl/server-key.pem \ --peer-cert-file=${WORK_DIR}/ssl/server.pem \ --peer-key-file=${WORK_DIR}/ssl/server-key.pem \ --trusted-ca-file=${WORK_DIR}/ssl/ca.pem \ --peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem Restart=on-failure LimitNOFILE=65536 #開放最多的端口號[Install] WantedBy=multi-user.target #進行啟動 EOFsystemctl daemon-reload #參數重載 systemctl enable etcd systemctl restart etcd

進入卡住狀態等待其他節點加入
打開一個新的終端，會發現etcd進程已經開啟

拷貝證書去其他節點

[root@master ~]# scp -r /opt/etcd/ root@192.168.172.20:/opt/ [root@master ~]# scp -r /opt/etcd/ root@192.168.172.30:/opt/

啟動腳本拷貝其他節點

[root@master ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.172.20:/usr/lib/systemd/system/ [root@master ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.172.30:/usr/lib/systemd/system/

3、node1節點

[root@node1 ~]# vim /opt/etcd/cfg/etcd#[Member] ETCD_NAME="etcd02" #修改數據庫名稱 ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://192.168.172.20:2380" #修改節點IP ETCD_LISTEN_CLIENT_URLS="https://192.168.172.20:2379" #修改節點IP#[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.172.20:2380" #修改節點IP ETCD_ADVERTISE_CLIENT_URLS="https://192.168.172.20:2379" #修改節點IP ETCD_INITIAL_CLUSTER="etcd01=https://192.168.172.10:2380,etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new"[root@node1 ~]# systemctl stop firewalld.service [root@node1 ~]# setenforce 0 [root@node1 ~]# systemctl start etcd.service

4、node2節點

[root@node2 ~]# vim /opt/etcd/cfg/etcd#[Member] ETCD_NAME="etcd03" #修改數據庫名稱 ETCD_DATA_DIR="/var/lib/etcd/default.etcd" ETCD_LISTEN_PEER_URLS="https://192.168.172.30:2380" #修改節點IP ETCD_LISTEN_CLIENT_URLS="https://192.168.172.30:2379" #修改節點IP#[Clustering] ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.172.30:2380" #修改節點IP ETCD_ADVERTISE_CLIENT_URLS="https://192.168.172.30:2379" #修改節點IP ETCD_INITIAL_CLUSTER="etcd01=https://192.168.172.10:2380,etcd02=https://192.168.172.20:2380,etcd03=https://192.168.172.30:2380" ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster" ETCD_INITIAL_CLUSTER_STATE="new"[root@node2 ~]# systemctl stop firewalld.service [root@node2 ~]# setenforce 0 [root@node2 ~]# systemctl start etcd.service

5、master節點

[root@master ~]# systemctl start etcd [root@master ~]# systemctl enable etcd [root@master ~]# systemctl status etcd 檢查群集狀態(需要在有證書的目錄下使用此命令) [root@master ~]# cd /opt/etcd/ssl [root@master /opt/etcd/ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.172.10:2379,https://192.168.172.20:2379,https://192.168.172.30:2379" cluster-health

總結

以上是生活随笔為你收集整理的Kubernetes二进制部署——证书的制作和ETCD的部署的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。