7. Installing the Node components

1. Install Docker (run on the Node machines)

Installing with yum

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list --showduplicates |grep docker-ce
yum install -y docker-ce-17.12.1.ce-1.el7.centos

Installing from the binary package

Binary package download location: https://download.docker.com/linux/static/stable/x86_64/

wget https://download.docker.com/linux/static/stable/x86_64/docker-18.09.3.tgz
tar xf docker-18.09.3.tgz
mv docker/* /usr/bin
mkdir /etc/docker
cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

Configure a Docker registry mirror hosted in China

sudo mkdir -p /etc/docker
# Two options; the first is the Alibaba Cloud mirror
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://l2uj4chq.mirror.aliyuncs.com"]
}
EOF
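# The second is the DaoCloud mirror
[root@k8s-node01 ~]# cat /etc/docker/daemon.json
{
  "registry-mirrors": ["http://f1361db2.m.daocloud.io"],
  "insecure-registries": ["10.16.8.159"],
  "graph": "/max_data"
}
# insecure-registries: address of the private registry (not installed yet; reserved for later). Docker accepts unverified TLS or plain HTTP for registries listed here.
# graph: Docker stores its data in /var/lib/docker by default; this parameter sets a different storage directory (named data-root in newer Docker releases).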

Start Docker

sudo systemctl daemon-reload
sudo systemctl start docker
sudo systemctl enable docker

2. Install kubelet and kube-proxy on all Node machines

Directory layout

[root@k8s-node01 opt]# tree kubernetes/
kubernetes/
├── bin
│   ├── kubelet
│   └── kube-proxy
├── cfg
│   ├── bootstrap.kubeconfig
│   ├── kubelet.conf
│   ├── kubelet-config.yml
│   ├── kube-proxy.conf
│   ├── kube-proxy-config.yml
│   └── kube-proxy.kubeconfig
├── logs
└── ssl
    ├── ca.pem
    ├── kube-proxy-key.pem
    └── kube-proxy.pem

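bin directory: the executables come from the kubernetes-server binary package downloaded earlier
ssl directory: the certificate files were generated earlier, when the master was deployed
cfg configuration files:
    .conf is the basic configuration file
    .kubeconfig is the configuration file for connecting to the apiserver
    .yml is the main configuration file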

kubelet configuration files

The host name in the configuration files differs per Node: change hostnameOverride: k8s-node01 to match each Node

[root@k8s-node01 cfg]# cat bootstrap.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://10.16.8.150:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    token: c47ffb939f5ca36231d9e3121a252940
[root@k8s-node01 cfg]# cat kubelet.conf 
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=k8s-node01 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
[root@k8s-node01 cfg]# cat kubelet-config.yml 
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local 
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem 
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
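
Added example (not from the original article): a shell check of the settings in kubelet-config.yml that control who can reach the kubelet API, run on a constructed sample carrying the page's values. The function names are assumptions of this example, and a missing authentication or authorization key is treated as a finding so that the file states them explicitly.

```shell
#!/bin/sh
# Added example: audit a KubeletConfiguration file for its API access settings.
# Assumes two-space block indentation, as in the kubelet-config.yml above.

audit_kubelet_config() {    # reads the file in $1, or stdin; returns 1 on findings
  awk '
    /^[ \t]*(#.*)?$/ { next }                    # skip blank and comment lines
    {
      indent = $0; sub(/[^ ].*$/, "", indent)    # keep only the leading spaces
      depth = length(indent) / 2
      line = substr($0, length(indent) + 1)
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      path[depth] = key                          # remember the key at each level
      full = path[0]
      for (i = 1; i <= depth; i++) full = full "." path[i]
      seen[full] = val
    }
    END {
      n = 0
      if (seen["authentication.anonymous.enabled"] != "false") {
        print "FAIL authentication.anonymous.enabled is not explicitly false"; n++ }
      if (seen["authorization.mode"] != "Webhook") {
        print "FAIL authorization.mode is not explicitly Webhook"; n++ }
      rop = seen["readOnlyPort"]
      if (rop != "" && rop != "0") {
        print "FAIL readOnlyPort " rop " serves kubelet data without authentication; set 0"; n++ }
      exit (n > 0)
    }
  ' "$@"
}

sample_kubelet_config() {   # constructed sample: the access-related keys from the page
  cat <<'EOF'
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
EOF
}

sample_kubelet_config | audit_kubelet_config || true
```

On the page's values the only finding is readOnlyPort 10255, the kubelet port that answers without authentication or authorization; setting readOnlyPort to 0 disables it.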

kube-proxy configuration files

[root@k8s-node01 cfg]# cat kube-proxy.conf 
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"

[root@k8s-node01 cfg]# cat  kube-proxy-config.yml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
address: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node01
clusterCIDR: 10.0.0.0/24
mode: ipvs
ipvs:
  scheduler: "rr"
iptables:
  masqueradeAll: true
[root@k8s-node01 cfg]# cat kube-proxy.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/ssl/ca.pem
    server: https://10.16.8.150:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kube-proxy
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kube-proxy
  user:
    client-certificate: /opt/kubernetes/ssl/kube-proxy.pem
    client-key: /opt/kubernetes/ssl/kube-proxy-key.pem

Startup (systemd unit) files

[root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kubelet.service 
[Unit]
Description=Kubernetes Kubelet
After=docker.service

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
[root@k8s-node01 cfg]# cat /usr/lib/systemd/system/kube-proxy.service 
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

3. Start the services

systemctl start kubelet
systemctl start kube-proxy
systemctl enable kubelet
systemctl enable kube-proxy

4. Approve certificate issuance for the Nodes (run on the master)

[root@k8s-master01 node]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   2m10s   kubelet-bootstrap   Pending

[root@k8s-master01 node]# kubectl certificate approve node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE
certificatesigningrequest.certificates.k8s.io/node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE approved

This deployment has 3 nodes, so the approval is done 3 times

[root@k8s-master01 node]# kubectl get csr
NAME                                                   AGE     REQUESTOR           CONDITION
node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI   8s      kubelet-bootstrap   Pending
node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA   52s     kubelet-bootstrap   Pending
node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   7m25s   kubelet-bootstrap   Approved,Issued

[root@k8s-master01 node]# kubectl certificate approve node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI
certificatesigningrequest.certificates.k8s.io/node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI approved
[root@k8s-master01 node]# kubectl certificate approve node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA
certificatesigningrequest.certificates.k8s.io/node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA approved

[root@k8s-master01 node]# kubectl get csr
NAME                                                   AGE    REQUESTOR           CONDITION
node-csr-25NwnztxHV28qb5XiwYZllT0_pOl7n01DWbXltSqlzI   46s    kubelet-bootstrap   Approved,Issued
node-csr-3Tm1zh9TFML_H-kapIeDYGJXj39B1tnw1xV3AIpUTbA   90s    kubelet-bootstrap   Approved,Issued
node-csr-REeuIC9SyqMEnXZObe4ke1gbS60kQxvIf22G9himeFE   8m3s   kubelet-bootstrap   Approved,Issued
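
Added example (not from the original article): step 4 approves each pending request by name, and the functions below first narrow the list to Pending requests from kubelet-bootstrap, then require the CSR subject to be exactly O=system:nodes, CN=system:node:<name> for an expected node before printing the approve command. ALLOWED_NODES and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide which pending node CSRs to approve.
ALLOWED_NODES="k8s-node01 k8s-node02 k8s-node03"   # node names used on this page

# Read a `kubectl get csr` table on stdin; print the names of CSRs that are
# Pending and were requested by kubelet-bootstrap. Columns are found by header.
pending_bootstrap_csrs() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
       $col["REQUESTOR"] == "kubelet-bootstrap" && $col["CONDITION"] == "Pending" {
         print $col["NAME"] }'
}

# Succeed only if an `openssl req -subject` line is exactly O=system:nodes,
# CN=system:node:<name> with <name> in ALLOWED_NODES. Both the
# "O = x, CN = y" and the older "/O=x/CN=y" output styles are accepted.
subject_is_allowed_node() {
  s=$(printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's/ *= */=/g' \
        -e 's|/|,|g' -e 's/, */,/g' -e 's/^,//')
  for n in $ALLOWED_NODES; do
    if [ "$s" = "O=system:nodes,CN=system:node:$n" ]; then return 0; fi
  done
  return 1
}

# On the master: print an approve command for each CSR that passes both checks.
review_csrs() {
  kubectl get csr | pending_bootstrap_csrs | while read -r name; do
    subj=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' |
           base64 -d | openssl req -noout -subject)
    if subject_is_allowed_node "$subj"; then
      echo "kubectl certificate approve $name"
    else
      echo "REVIEW MANUALLY: $name ($subj)" >&2
    fi
  done
}

# Constructed sample subject, in the style newer openssl releases print.
subject_is_allowed_node "subject=O = system:nodes, CN = system:node:k8s-node01" &&
  echo "sample subject accepted"
```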

5. Check the nodes

[root@k8s-master01 node]# kubectl get node
NAME         STATUS     ROLES    AGE     VERSION
k8s-node01   NotReady   <none>   4m19s   v1.16.0
k8s-node02   NotReady   <none>   52s     v1.16.0
k8s-node03   NotReady   <none>   62s     v1.16.0

6. Inspect the cfg and ssl directories on a node

[root@k8s-node01 kubernetes]# tree cfg
cfg
├── bootstrap.kubeconfig
├── kubelet.conf
├── kubelet-config.yml
├── kubelet.kubeconfig
├── kube-proxy.conf
├── kube-proxy-config.yml
└── kube-proxy.kubeconfig

0 directories, 7 files

[root@k8s-node01 kubernetes]# tree ssl
ssl
├── ca.pem
├── kubelet-client-2019-11-05-11-41-51.pem
├── kubelet-client-current.pem -> /opt/kubernetes/ssl/kubelet-client-2019-11-05-11-41-51.pem
├── kubelet.crt
├── kubelet.key
├── kube-proxy-key.pem
└── kube-proxy.pem

Several new files have appeared: kubelet.kubeconfig, kubelet-client-2019-11-05-11-41-51.pem, kubelet-client-current.pem, kubelet.crt and kubelet.key. They are all generated automatically when the certificate is issued.

Original article: https://www.cnblogs.com/xw115428/p/11956123.html