张莜雨大胆,铺铺儿,宇宙战皇txt下载
前言:本篇博客是博主踩过无数坑,反复查阅资料,一步步搭建完成后整理的个人心得,分享给大家~~~
本文所需的安装包,都上传在我的网盘中,需要的可以打赏博主一杯咖啡钱,然后私密博主,博主会很快答复呦~
kube-apiserver:
kube-controller-manager:
kube-scheduler:
kubelet:
kube-proxy:
集群插件:
本文档中的 etcd 集群、master 节点、worker 节点均使用这三台机器。
在每个服务器上都要执行以下全部操作,如果没有特殊指明,本文档的所有操作均在kube-master 节点上执行
1、设置永久主机名称,然后重新登录
$ sudo hostnamectl set-hostname kube-master
$ sudo hostnamectl set-hostname kube-node1
$ sudo hostnamectl set-hostname kube-node2
2、修改 /etc/hostname 文件,添加主机名和 ip 的对应关系:
$ vim /etc/hosts
192.168.10.108 kube-master
192.168.10.109 kube-node1
192.168.10.110 kube-node2
1、在每台机器上添加 k8s 账户
$ sudo useradd -m k8s
$ sudo sh -c 'echo along |passwd k8s --stdin' #为k8s 账户设置密码
2、修改visudo权限
$ sudo visudo #去掉%wheel all=(all) nopasswd: all这行的注释
$ sudo grep '%wheel.*nopasswd: all' /etc/sudoers
%wheel all=(all) nopasswd: all
3、将k8s用户归到wheel组
$ gpasswd -a k8s wheel
adding user k8s to group wheel
$ id k8s
uid=1000(k8s) gid=1000(k8s) groups=1000(k8s),10(wheel)
4、在每台机器上添加 docker 账户,将 k8s 账户添加到 docker 组中,同时配置 dockerd 参数(注:安装完docker才有):
$ sudo useradd -m docker
$ sudo gpasswd -a k8s docker
$ sudo mkdir -p /opt/docker/
$ vim /opt/docker/daemon.json #可以后续部署docker时在操作
{
"registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
"max-concurrent-downloads": 20
}
1、生成秘钥对
[root@kube-master ~]# ssh-keygen #连续回车即可
2、将自己的公钥发给其他服务器
[root@kube-master ~]# ssh-copy-id root@kube-master
[root@kube-master ~]# ssh-copy-id root@kube-node1
[root@kube-master ~]# ssh-copy-id root@kube-node2
[root@kube-master ~]# ssh-copy-id k8s@kube-master
[root@kube-master ~]# ssh-copy-id k8s@kube-node1
[root@kube-master ~]# ssh-copy-id k8s@kube-node2
在每台机器上添加环境变量:
$ sudo sh -c "echo 'path=/opt/k8s/bin:$path:$home/bin:$java_home/bin' >> /etc/profile.d/k8s.sh"
$ source /etc/profile.d/k8s.sh
在每台机器上安装依赖包:
centos:
$ sudo yum install -y epel-release
$ sudo yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp
ubuntu:
$ sudo apt-get install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp
注:ipvs 依赖 ipset;
在每台机器上关闭防火墙:
① 关闭服务,并设为开机不自启
$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
② 清空防火墙规则
$ sudo iptables -f && sudo iptables -x && sudo iptables -f -t nat && sudo iptables -x -t nat
$ sudo iptables -p forward accept
1、如果开启了 swap 分区,kubelet 会启动失败(可以通过将参数 --fail-swap-on 设置为false 来忽略 swap on),故需要在每台机器上关闭 swap 分区:
$ sudo swapoff -a
2、为了防止开机自动挂载 swap 分区,可以注释 /etc/fstab 中相应的条目:
$ sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
1、关闭 selinux,否则后续 k8s 挂载目录时可能报错 permission denied :
$ sudo setenforce 0
2、修改配置文件,永久生效;
$ grep selinux /etc/selinux/config
selinux=disabled
linux 系统开启了 dnsmasq 后(如 gui 环境),将系统 dns server 设置为 127.0.0.1,这会导致 docker 容器无法解析域名,需要关闭它:
$ sudo service dnsmasq stop
$ sudo systemctl disable dnsmasq
$ sudo modprobe br_netfilter
$ sudo modprobe ip_vs
$ cat > kubernetes.conf <<eof
net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1 net.ipv4.tcp_tw_recycle=0 vm.swappiness=0 vm.overcommit_memory=1 vm.panic_on_oom=0 fs.inotify.max_user_watches=89100 fs.file-max=52706963 fs.nr_open=52706963 net.ipv6.conf.all.disable_ipv6=1 net.netfilter.nf_conntrack_max=2310720
eof
$ sudo cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
$ sudo sysctl -p /etc/sysctl.d/kubernetes.conf
$ sudo mount -t cgroup -o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct
注:
1、调整系统 timezone
$ sudo timedatectl set-timezone asia/shanghai
2、将当前的 utc 时间写入硬件时钟
$ sudo timedatectl set-local-rtc 0
3、重启依赖于系统时间的服务
$ sudo systemctl restart rsyslog
$ sudo systemctl restart crond
$ yum -y install ntpdate
$ sudo ntpdate cn.pool.ntp.org
在每台机器上创建目录:
$ sudo mkdir -p /opt/k8s/bin
$ sudo mkdir -p /opt/k8s/cert
$ sudo mkdir -p /opt/etcd/cert
$ sudo mkdir -p /opt/lib/etcd
$ sudo mkdir -p /opt/k8s/script
$ chown -r k8s /opt/*
$ curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh
$ chmod +x check-config.sh
$ bash ./check-config.sh
本文档使用 cloudflare 的 pki 工具集 cfssl 创建所有证书。
mkdir -p /opt/k8s/cert && sudo chown -r k8s /opt/k8s && cd /opt/k8s
wget https://pkg.cfssl.org/r1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /opt/k8s/bin/cfssl
wget https://pkg.cfssl.org/r1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson
wget https://pkg.cfssl.org/r1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
chmod +x /opt/k8s/bin/*
ca 证书是集群所有节点共享的,只需要创建一个 ca 证书,后续创建的所有证书都由它签名。
02-02-01 创建配置文件
ca 配置文件用于配置根证书的使用场景 (profile) 和具体参数 (usage,过期时间、服务端认证、客户端认证、加密等),后续在签名其它证书时需要指定特定场景。
[root@kube-master ~]# cd /opt/k8s/cert
[root@kube-master cert]# vim ca-config.json
我要评论{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
注:
① signing :表示该证书可用于签名其它证书,生成的 ca.pem 证书中ca=true ;
② server auth :表示 client 可以用该该证书对 server 提供的证书进行验证;
③ client auth :表示 server 可以用该该证书对 client 提供的证书进行验证;
02-02-02 创建证书签名请求文件
[root@kube-master cert]# vim ca-csr.json
{
"cn": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"c": "cn",
"st": "beijing",
"l": "beijing",
"o": "k8s",
"ou": "4paradigm"
}
]
}
注:
① cn: common name ,kube-apiserver 从证书中提取该字段作为请求的用户名(user name),浏览器使用该字段验证网站是否合法;
② o: organization ,kube-apiserver 从证书中提取该字段作为请求用户所属的组(group);
③ kube-apiserver 将提取的 user、group 作为 rbac 授权的用户标识;
02-02-03 生成 ca 证书和私钥
[root@kube-master cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@kube-master cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
02-02-04 分发证书文件
将生成的 ca 证书、秘钥文件、配置文件拷贝到所有节点的/opt/k8s/cert 目录下:
[root@kube-master ~]# vim /opt/k8s/script/scp_k8scert.sh
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /opt/k8s/cert && chown -r k8s /opt/k8s"
scp /opt/k8s/cert/ca*.pem /opt/k8s/cert/ca-config.json k8s@${node_ip}:/opt/k8s/cert
done
[root@kube-master ~]# chmod +x /opt/k8s/script/scp_k8scert.sh && /opt/k8s/script/scp_k8scert.sh
kubectl 是 kubernetes 集群的命令行管理工具,本文档介绍安装和配置它的步骤。
kubectl 默认从 ~/.kube/config 文件读取 kube-apiserver 地址、证书、用户名等信息,如果没有配置,执行 kubectl 命令时可能会出错:
$ kubectl get pods
the connection to the server localhost:8080 was refused - did you specify the right host or port?
本文档只需要部署一次,生成的 kubeconfig 文件与机器无关。
下载和解压
kubectl二进制文件需要科学上网下载,我已经下载到我的网盘,有需要的小伙伴联系我~
[root@kube-master ~]# wget https://dl.k8s.io/v1.10.4/kubernetes-client-linux-amd64.tar.gz
[root@kube-master ~]# tar -xzvf kubernetes-client-linux-amd64.tar.gz
03-02-01 创建证书签名请求
[root@kube-master ~]# cd /opt/k8s/cert/
cat > admin-csr.json <<eof
{
"cn": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"c": "cn",
"st": "beijing",
"l": "beijing",
"o": "system:masters",
"ou": "4paradigm"
}
]
}
注:
① o 为 system:masters ,kube-apiserver 收到该证书后将请求的 group 设置为system:masters;
② 预定义的 clusterrolebinding cluster-admin 将 group system:masters 与role cluster-admin 绑定,该 role 授予所有 api的权限;
③ 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;
03-02-02 生成证书和私钥
[root@kube-master cert]# cfssl gencert -ca=/opt/k8s/cert/ca.pem \
-ca-key=/opt/k8s/cert/ca-key.pem \
-config=/opt/k8s/cert/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson_linux-amd64 -bare admin
[root@kube-master cert]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
03-03-01 创建kubeconfig文件
kubeconfig 为 kubectl 的配置文件,包含访问 apiserver 的所有信息,如 apiserver 地址、ca 证书和自身使用的证书;
① 设置集群参数,(--server=${kube_apiserver} ,指定ip和端口;我使用的是haproxy的vip和端口;如果没有haproxy代理,就用实际服务的ip和端口;如:https://192.168.10.108:6443)
[root@kube-master ~]# kubectl config set-cluster kubernetes \
--certificate-authority=/opt/k8s/cert/ca.pem \
--embed-certs=true \
--server=https://192.168.10.10:8443 \
--kubeconfig=/root/.kube/kubectl.kubeconfig
② 设置客户端认证参数
[root@kube-master ~]# kubectl config set-credentials kube-admin \
--client-certificate=/opt/k8s/cert/admin.pem \
--client-key=/opt/k8s/cert/admin-key.pem \
--embed-certs=true \
--kubeconfig=/root/.kube/kubectl.kubeconfig
③ 设置上下文参数
[root@kube-master ~]# kubectl config set-context kube-admin@kubernetes \
--cluster=kubernetes \
--user=kube-admin \
--kubeconfig=/root/.kube/kubectl.kubeconfig
④ 设置默认上下文
[root@kube-master ~]# kubectl config use-context kube-admin@kubernetes --kubeconfig=/root/.kube/kubectl.kubeconfig
注:在后续kubernetes认证,文章中会详细讲解
[root@kube-master ~]# chmod +x /opt/k8s/script/kubectl_environment.sh && /opt/k8s/script/kubectl_environment.sh
03-03-01 验证kubeconfig文件
[root@kube-master ~]# ls /root/.kube/kubectl.kubeconfig
/root/.kube/kubectl.kubeconfig
[root@kube-master ~]# kubectl config view --kubeconfig=/root/.kube/kubectl.kubeconfig
apiversion: v1
clusters:
- cluster:
certificate-authority-data: redacted
server: https://192.168.10.10:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kube-admin
name: kube-admin@kubernetes
current-context: kube-admin@kubernetes
kind: config
preferences: {}
users:
- name: kube-admin
user:
client-certificate-data: redacted
client-key-data: redacted
03-03-03 分发 kubeclt 和kubeconfig 文件,分发到所有使用kubectl 命令的节点
[root@kube-master ~]# vim /opt/k8s/script/scp_kubectl.sh
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
scp /root/kubernetes/client/bin/kubectl k8s@${node_ip}:/opt/k8s/bin/
ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*"
ssh k8s@${node_ip} "mkdir -p ~/.kube"
scp ~/.kube/config k8s@${node_ip}:~/.kube/config
ssh root@${node_ip} "mkdir -p ~/.kube"
scp ~/.kube/config root@${node_ip}:~/.kube/config
done
[root@kube-master ~]# chmod +x /opt/k8s/script/scp_kubectl.sh && /opt/k8s/script/scp_kubectl.sh
etcd 是基于 raft 的分布式 key-value 存储系统,由 coreos 开发,常用于服务发现、共享配置以及并发控制(如 leader 选举、分布式锁等)。kubernetes 使用 etcd 存储所有运行数据。
本文档介绍部署一个三节点高可用 etcd 集群的步骤:
① 下载和分发 etcd 二进制文件
② 创建 etcd 集群各节点的 x509 证书,用于加密客户端(如 etcdctl) 与 etcd 集群、etcd 集群之间的数据流;
③ 创建 etcd 的 systemd unit 文件,配置服务参数;
④ 检查集群工作状态;
到 https://github.com/coreos/etcd/releases 页面下载最新版本的发布包:
[root@kube-master ~]# https://github.com/coreos/etcd/releases/download/v3.3.7/etcd-v3.3.7-linux-amd64.tar.gz
[root@kube-master ~]# tar -xvf etcd-v3.3.7-linux-amd64.tar.gz
04-02-01 创建证书签名请求
[root@kube-master ~]# cd /opt/etcd/cert
[root@kube-master cert]# cat > etcd-csr.json <<eof
{
"cn": "etcd",
"hosts": [
"127.0.0.1",
"192.168.10.108",
"192.168.10.109",
"192.168.10.110"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"c": "cn",
"st": "beijing",
"l": "beijing",
"o": "k8s",
"ou": "4paradigm"
}
]
}
eof
注:hosts 字段指定授权使用该证书的 etcd 节点 ip 或域名列表,这里将 etcd 集群的三个节点 ip 都列在其中;
04-02-02 生成证书和私钥
[root@kube-master cert]# cfssl gencert -ca=/opt/k8s/cert/ca.pem \
-ca-key=/opt/k8s/cert/ca-key.pem \
-config=/opt/k8s/cert/ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson_linux-amd64 -bare etcd
[root@kube-master cert]# ls etcd*
etcd.csr etcd-csr.json etcd-key.pem etcd.pem
04-02-03 分发生成的证书和私钥到各 etcd 节点
[root@kube-master ~]# vim /opt/k8s/script/scp_etcd.sh
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
scp /root/etcd-v3.3.7-linux-amd64/etcd* k8s@${node_ip}:/opt/k8s/bin
ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*"
ssh root@${node_ip} "mkdir -p /opt/etcd/cert && chown -r k8s /opt/etcd/cert"
scp /opt/etcd/cert/etcd*.pem k8s@${node_ip}:/opt/etcd/cert/
done
04-03-01 创建etcd 的systemd unit 模板
[root@kube-master ~]# cat > /opt/etcd/etcd.service.template <<eof
[unit]
description=etcd server
after=network.target
after=network-online.target
wants=network-online.target
documentation=https://github.com/coreos
[service]
user=k8s
type=notify
workingdirectory=/opt/lib/etcd/
execstart=/opt/k8s/bin/etcd \
--data-dir=/opt/lib/etcd \
--name ##node_name## \
--cert-file=/opt/etcd/cert/etcd.pem \
--key-file=/opt/etcd/cert/etcd-key.pem \
--trusted-ca-file=/opt/k8s/cert/ca.pem \
--peer-cert-file=/opt/etcd/cert/etcd.pem \
--peer-key-file=/opt/etcd/cert/etcd-key.pem \
--peer-trusted-ca-file=/opt/k8s/cert/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--listen-peer-urls=https://##node_ip##:2380 \
--initial-advertise-peer-urls=https://##node_ip##:2380 \
--listen-client-urls=https://##node_ip##:2379,http://127.0.0.1:2379\
--advertise-client-urls=https://##node_ip##:2379 \
--initial-cluster-token=etcd-cluster-0 \
--initial-cluster=etcd0=https://192.168.10.108:2380,etcd1=https://192.168.10.109:2380,etcd2=https://192.168.10.110:2380 \
--initial-cluster-state=new
restart=on-failure
restartsec=5
limitnofile=65536
[install]
wantedby=multi-user.target
eof
注:
[root@kube-master ~]# cd /opt/k8s/script
[root@kube-master script]# vim etcd_service.sh
node_names=("etcd0" "etcd1" "etcd2")
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
#替换模板文件中的变量,为各节点创建 systemd unit 文件
for (( i=0; i < 3; i++ ));do
sed -e "s/##node_name##/${node_names[i]}/g" -e "s/##node_ip##/${node_ips[i]}/g" /opt/etcd/etcd.service.template > /opt/etcd/etcd-${node_ips[i]}.service
done
#分发生成的 systemd unit 和etcd的配置文件:
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /opt/lib/etcd && chown -r k8s /opt/lib/etcd"
scp /opt/etcd/etcd-${node_ip}.service root@${node_ip}:/etc/systemd/system/etcd.service
done
[root@kube-master script]# chmod +x /opt/k8s/script/etcd_service.sh && /opt/k8s/script/etcd_service.sh
[root@kube-master script]# ls /opt/etcd/*.service
/opt/etcd/etcd-192.168.10.108.service /opt/etcd/etcd-192.168.10.110.service
/opt/etcd/etcd-192.168.10.109.service
[root@kube-master script]# ls /etc/systemd/system/etcd.service
/etc/systemd/system/etcd.service
[root@kube-master script]# vim /opt/k8s/script/etcd.sh
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
#启动 etcd 服务
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable etcd && systemctl start etcd"
done
#检查启动结果,确保状态为 active (running)
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
ssh k8s@${node_ip} "systemctl status etcd|grep active"
done
#验证服务状态,输出均为healthy 时表示集群服务正常
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
etcdctl_api=3 /opt/k8s/bin/etcdctl \
--endpoints=https://${node_ip}:2379 \
--cacert=/opt/k8s/cert/ca.pem \
--cert=/opt/etcd/cert/etcd.pem \
--key=/opt/etcd/cert/etcd-key.pem endpoint health
done
[root@kube-master script]# chmod +x etcd.sh && ./etcd.sh
>>> 192.168.10.108
created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /etc/systemd/system/etcd.service.
>>> 192.168.10.109
created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /etc/systemd/system/etcd.service.
>>> 192.168.10.110
created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /etc/systemd/system/etcd.service.
#确保状态为 active (running),否则查看日志,确认原因:$ journalctl -u etcd
>>> 192.168.10.108
active: active (running) since mon 2018-11-26 17:41:00 cst; 12min ago
>>> 192.168.10.109
active: active (running) since mon 2018-11-26 17:41:00 cst; 12min ago
>>> 192.168.10.110
active: active (running) since mon 2018-11-26 17:41:01 cst; 12min ago
#输出均为healthy 时表示集群服务正常
>>> 192.168.10.108
https://192.168.10.108:2379 is healthy: successfully committed proposal: took = 1.373318ms
>>> 192.168.10.109
https://192.168.10.109:2379 is healthy: successfully committed proposal: took = 2.371807ms
>>> 192.168.10.110
https://192.168.10.110:2379 is healthy: successfully committed proposal: took = 1.764309ms
到 https://github.com/coreos/flannel/releases 页面下载最新版本的发布包:
[root@kube-master ~]# wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
[root@kube-master ~]# tar -xzvf flannel-v0.10.0-linux-amd64.tar.gz -c flannel
flannel 从 etcd 集群存取网段分配信息,而 etcd 集群启用了双向 x509 证书认证,所以需要为 flanneld 生成证书和私钥。
05-02-01 创建证书签名请求:
[root@kube-master ~]# cd /opt/flannel/cert
cat > flanneld-csr.json <<eof
{
"cn": "flanneld",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"c": "cn",
"st": "beijing",
"l": "beijing",
"o": "k8s",
"ou": "4paradigm"
}
]
}
eof
该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;
05-02-02 生成证书和私钥
[root@kube-master cert]# cfssl gencert -ca=/opt/k8s/cert/ca.pem \
-ca-key=/opt/k8s/cert/ca-key.pem \
-config=/opt/k8s/cert/ca-config.json \
-profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld
[root@kube-master cert]# ls
flanneld.csr flanneld-csr.json flanneld-key.pem flanneld.pemls flanneld*pem
05-02-03 将flanneld 二进制文件he1生成的证书和私钥分发到所有节点
cat > /opt/k8s/script/scp_flannel.sh <<eof
node_ips=("192.168.10.108" "192.168.10.109" "192.168.10.110")
for node_ip in ${node_ips[@]};do
echo ">>> ${node_ip}"
scp /root/flannel/{flanneld,mk-docker-opts.sh} k8s@${node_ip}:/opt/k8s/bin/
ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*"
ssh root@${node_ip} "mkdir -p /opt/flannel/cert && chown -r k8s /opt/flannel"
scp /opt/flannel/cert/flanneld*.pem k8s@${node_ip}:/opt/flannel/cert
done
eof
注意:本步骤只需执行一次。
[root@kube-master ~]# etcdctl \
--endpoints="https://192.168.10.108:2379,https://192.168.10.109:2379,https://192.168.10.110:2379" \
--ca-file=/opt/k8s/cert/ca.pem \
--cert-file=/opt/flannel/cert/flanneld.pem \
--key-file=/opt/flannel/cert/flanneld-key.pem \
set /atomic.io/network/config '{"network":"10.30.0.0/16","subnetlen": 24, "backend": {"type": "vxlan"}}'
{"network":"10.30.0.0/16","subnetlen": 24, "backend": {"type": "vxlan"}}
注:
[root@kube-master ~]# cat > /opt/flannel/flanneld.service << eof
[unit] description=flanneld overlay address etcd agent after=network.target after=network-online.target wants=network-online.target after=etcd.service before=docker.service [service] type=notify execstart=/opt/k8s/bin/flanneld \ -etcd-cafile=/opt/k8s/cert/ca.pem \ -etcd-certfile=/opt/flannel/cert/flanneld.pem \ -etcd-keyfile=/opt/flannel/cert/flanneld-key.pem \ -etcd-endpoints=https://192.168.10.108:2379,https://192.168.10.109:2379,https://192.168.10.110:2379 \ -etcd-prefix=/atomic.io/network \ -iface=eth1 execstartpost=/opt/k8s/bin/mk-docker-opts.sh -k docker_network_options -d /run/flannel/docker restart=on-failure [install] wantedby=multi-user.target requiredby=docker.service
注:
如对本文有疑问,请在下面进行留言讨论,广大热心网友会与你互动!! 点击进行留言回复
linux下文本编辑器vim的使用方法(复制、粘贴、替换、行号、撤销、多文件操作)
网友评论