CentOS7 使用二进制部署 Kubernetes 1.13集群

你的名字 2022-03-25 05:07 257阅读 0赞

本文楼主有实践过，有问题可以评论讨论。能解决的我会回复，不回复的说明我也解决不了，请见谅。

## 一、安装环境准备： ##

![在这里插入图片描述][20190118164653446.png]

**k8s安装包下载**

链接：[https://pan.baidu.com/s/1wO6T7byhaJYBuu2JlhZvkQ][https_pan.baidu.com_s_1wO6T7byhaJYBuu2JlhZvkQ]

提取码：pm9u

## 二、Kubernetes 安装及配置 ##

### 1、初始化环境 ###

#### 1.1、设置关闭防火墙及SELINUX ####

systemctl stop firewalld && systemctl disable firewalld
    
    setenforce 0
    
    vi /etc/selinux/config
    SELINUX=disabled

#### 1.2、关闭Swap ####

swapoff -a && sysctl -w vm.swappiness=0
    
    vi /etc/fstab
    #UUID=7bff6243-324c-4587-b550-55dc34018ebf swap                    swap    defaults        0 0

#### 1.3、设置Docker所需参数 ####

cat << EOF | tee /etc/sysctl.d/k8s.conf
    net.ipv4.ip_forward = 1
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF
    
    modprobe br_netfilter
    sysctl -p /etc/sysctl.d/k8s.conf

#### 1.4、安装 Docker ####

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    
    # 上面的yum源不行的话建议换阿里yum源
    sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
    
    yum list docker-ce --showduplicates | sort -r
    yum install docker-ce -y
    systemctl start docker && systemctl enable docker

#### 1.5、创建安装目录 ####

mkdir /k8s/etcd/{bin,cfg,ssl} -p
    mkdir /k8s/kubernetes/{bin,cfg,ssl} -p

#### 1.6、安装及配置CFSSL ####

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

#### 1.7、创建认证证书 ####

# 可以随便建个etcd目录,在目录里创建证书，后面用到的时候拷贝过去就好
    # 创建 ETCD 证书
    cat << EOF | tee ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "www": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF
    
    # 创建 ETCD CA 配置文件
    cat << EOF | tee ca-csr.json
    {
        "CN": "etcd CA",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Shenzhen",
                "ST": "Shenzhen"
            }
        ]
    }
    EOF
    
    # 创建 ETCD Server 证书（注意更改host字段）
    cat << EOF | tee server-csr.json
    {
        "CN": "etcd",
        "hosts": [
        "10.67.34.130",
        "10.67.34.131",
        "10.67.34.132"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Shenzhen",
                "ST": "Shenzhen"
            }
        ]
    }
    EOF
    
    # 生成 ETCD CA 证书和私钥
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
    
    # 可以随便建个kubernetes目录,在目录里创建证书，后面用到的时候拷贝过去就好
    # 创建 Kubernetes CA 证书
    cat << EOF | tee ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF
    
    cat << EOF | tee ca-csr.json
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Shenzhen",
                "ST": "Shenzhen",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    # 生成 kubernetes CA 证书和私钥
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
    
    # 生成API_SERVER证书
    cat << EOF | tee server-csr.json
    {
        "CN": "kubernetes",
        "hosts": [
          "10.0.0.1",
          "127.0.0.1",
          "10.67.34.130",
          "kubernetes",
          "kubernetes.default",
          "kubernetes.default.svc",
          "kubernetes.default.svc.cluster",
          "kubernetes.default.svc.cluster.local"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Shenzhen",
                "ST": "Shenzhen",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
    
    # 创建 Kubernetes Proxy 证书
    cat << EOF | tee kube-proxy-csr.json
    {
      "CN": "system:kube-proxy",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "Shenzhen",
          "ST": "Shenzhen",
          "O": "k8s",
          "OU": "System"
        }
      ]
    }
    EOF
    
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

#### 1.8、 ssh-key认证 ####

$ ssh-keygen 
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:FQjjiRDp8IKGT+UDM+GbQLBzF3DqDJ+pKnMIcHGyO/o root@qas-k8s-master01
    The key's randomart image is:
    +---[RSA 2048]----+
    |o.==o o. ..      |
    |ooB+o+ o.  .     |
    |B++@o o   .      |
    |=X**o    .       |
    |o=O. .  S        |
    |..+              |
    |oo .             |
    |* .              |
    |o+E              |
    +----[SHA256]-----+
    
    $ ssh-copy-id 10.67.34.131
    $ ssh-copy-id 10.67.34.132

### 2 、部署ETCD ###

# 解压安装文件
    tar -xvf etcd-v3.3.10-linux-amd64.tar.gz
    cd etcd-v3.3.10-linux-amd64/
    cp etcd etcdctl /k8s/etcd/bin/
    
    vim /k8s/etcd/cfg/etcd   
    #[Member]
    ETCD_NAME="etcd01"
    ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
    ETCD_LISTEN_PEER_URLS="https://10.67.34.130:2380"
    ETCD_LISTEN_CLIENT_URLS="https://10.67.34.130:2379"
    
    #[Clustering]
    ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.67.34.130:2380"
    ETCD_ADVERTISE_CLIENT_URLS="https://10.67.34.130:2379"
    ETCD_INITIAL_CLUSTER="etcd01=https://10.67.34.130:2380,etcd02=https://10.67.34.131:2380,etcd03=https://10.67.34.132:2380"
    ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
    ETCD_INITIAL_CLUSTER_STATE="new"
    
    
    # 创建 etcd的 systemd unit 文件
    vim /usr/lib/systemd/system/etcd.service 
    
    [Unit]
    Description=Etcd Server
    After=network.target
    After=network-online.target
    Wants=network-online.target
    
    [Service]
    Type=notify
    EnvironmentFile=/k8s/etcd/cfg/etcd
    ExecStart=/k8s/etcd/bin/etcd \
    --name=${ETCD_NAME} \
    --data-dir=${ETCD_DATA_DIR} \
    --listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
    --listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
    --advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
    --initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
    --initial-cluster=${ETCD_INITIAL_CLUSTER} \
    --initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
    --initial-cluster-state=new \
    --cert-file=/k8s/etcd/ssl/server.pem \
    --key-file=/k8s/etcd/ssl/server-key.pem \
    --peer-cert-file=/k8s/etcd/ssl/server.pem \
    --peer-key-file=/k8s/etcd/ssl/server-key.pem \
    --trusted-ca-file=/k8s/etcd/ssl/ca.pem \
    --peer-trusted-ca-file=/k8s/etcd/ssl/ca.pem
    Restart=on-failure
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.target
    
    # 拷贝证书文件
    # cd etcd证书目录
    cp ca*pem server*pem /k8s/etcd/ssl
    
    # 将启动文件、配置文件拷贝到 节点1、节点2
    cd /k8s/ 
    scp -r etcd 10.67.34.131:/k8s/
    scp -r etcd 10.67.34.132:/k8s/
    scp /usr/lib/systemd/system/etcd.service  10.67.34.131:/usr/lib/systemd/system/etcd.service
    scp /usr/lib/systemd/system/etcd.service  10.67.34.132:/usr/lib/systemd/system/etcd.service 
    #### !!!!!切记到node节点上改对应得参数
    
    # 所有的机器启动ETCD服务
    systemctl daemon-reload
    systemctl enable etcd
    systemctl start etcd
    
    # 验证集群是否正常运行  切换到etcdctl对应的目录
    ./etcdctl \
    --ca-file=/k8s/etcd/ssl/ca.pem \
    --cert-file=/k8s/etcd/ssl/server.pem \
    --key-file=/k8s/etcd/ssl/server-key.pem \
    --endpoints="https://10.67.34.130:2379,\
    https://10.67.34.131:2379,\
    https://10.67.34.132:2379" cluster-health
    
    member 5db3ea816863435 is healthy: got healthy result from https://172.16.8.102:2379
    member 991b5845cecb31b is healthy: got healthy result from https://172.16.8.101:2379
    member c67ee2780d64a0d4 is healthy: got healthy result from https://172.16.8.100:2379
    cluster is healthy

### 3、部署Flannel网络 ###

# 向 etcd 写入集群 Pod 网段信息
    cd /k8s/etcd/ssl/
    
    /k8s/etcd/bin/etcdctl \
    --ca-file=ca.pem --cert-file=server.pem \
    --key-file=server-key.pem \
    --endpoints="https://10.67.34.130:2379,\
    https://10.67.34.131:2379,https://10.67.34.132:2379" \
    set /coreos.com/network/config  '{ "Network": "172.18.0.0/16", "Backend": {"Type": "vxlan"}}'
    
    
    # 注意：
    1.flanneld 当前版本 (v0.10.0) 不支持 etcd v3，故使用 etcd v2 API 写入配置 key 和网段数据；
    2.！！！写入的 Pod 网段 ${CLUSTER_CIDR} 必须是 /16 段地址，必须与 kube-controller-manager 的 –cluster-cidr 参数值一致；
    
    
    # 解压安装
    tar -xvf flannel-v0.10.0-linux-amd64.tar.gz
    mv flanneld mk-docker-opts.sh /k8s/kubernetes/bin/
    
    # 配置Flannel
    vim /k8s/kubernetes/cfg/flanneld
    
    FLANNEL_OPTIONS="--etcd-endpoints=https://10.67.34.130:2379,https://10.67.34.131:2379,https://10.67.34.132:2379 -etcd-cafile=/k8s/etcd/ssl/ca.pem -etcd-certfile=/k8s/etcd/ssl/server.pem -etcd-keyfile=/k8s/etcd/ssl/server-key.pem"
    
    # 创建 flanneld 的 systemd unit 文件
    vim /usr/lib/systemd/system/flanneld.service
    
    [Unit]
    Description=Flanneld overlay address etcd agent
    After=network-online.target network.target
    Before=docker.service
    
    [Service]
    Type=notify
    EnvironmentFile=/k8s/kubernetes/cfg/flanneld
    ExecStart=/k8s/kubernetes/bin/flanneld --ip-masq $FLANNEL_OPTIONS
    ExecStartPost=/k8s/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    
    # 配置Docker启动指定子网段
    vim /usr/lib/systemd/system/docker.service 
    
    [Unit]
    Description=Docker Application Container Engine
    Documentation=https://docs.docker.com
    After=network-online.target firewalld.service
    Wants=network-online.target
    
    [Service]
    Type=notify
    EnvironmentFile=/run/flannel/subnet.env
    ExecStart=/usr/bin/dockerd $DOCKER_NETWORK_OPTIONS
    ExecReload=/bin/kill -s HUP $MAINPID
    LimitNOFILE=infinity
    LimitNPROC=infinity
    LimitCORE=infinity
    TimeoutStartSec=0
    Delegate=yes
    KillMode=process
    Restart=on-failure
    StartLimitBurst=3
    StartLimitInterval=60s
    
    [Install]
    WantedBy=multi-user.target
    
    
    # 将flanneld systemd unit 文件到所有节点
    
    cd /k8s/
    scp -r kubernetes 10.67.34.131:/k8s/
    scp -r kubernetes 10.67.34.132:/k8s/
    scp /k8s/kubernetes/cfg/flanneld 10.67.34.131:/k8s/kubernetes/cfg/flanneld
    scp /k8s/kubernetes/cfg/flanneld 10.67.34.132:/k8s/kubernetes/cfg/flanneld
    scp /usr/lib/systemd/system/docker.service  10.67.34.131:/usr/lib/systemd/system/docker.service 
    scp /usr/lib/systemd/system/docker.service  10.67.34.132:/usr/lib/systemd/system/docker.service
    scp /usr/lib/systemd/system/flanneld.service  10.67.34.131:/usr/lib/systemd/system/flanneld.service 
    scp /usr/lib/systemd/system/flanneld.service  10.67.34.132:/usr/lib/systemd/system/flanneld.service 
    
    # 启动服务
    systemctl daemon-reload
    systemctl start flanneld
    systemctl enable flanneld
    systemctl restart docker
    
    
    # 查看是否生效
    ip add
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 08:00:27:e3:57:a4 brd ff:ff:ff:ff:ff:ff
        inet 10.67.34.130/24 brd 172.16.8.255 scope global noprefixroute eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::a00:27ff:fee3:57a4/64 scope link 
           valid_lft forever preferred_lft forever
    3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
        link/ether 02:42:cf:5d:a7:af brd ff:ff:ff:ff:ff:ff
        inet 172.18.25.1/24 brd 172.18.25.255 scope global docker0
           valid_lft forever preferred_lft forever
    4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default 
        link/ether 0e:bf:c5:3b:4d:59 brd ff:ff:ff:ff:ff:ff
        inet 172.18.25.0/32 scope global flannel.1
           valid_lft forever preferred_lft forever
        inet6 fe80::cbf:c5ff:fe3b:4d59/64 scope link 
           valid_lft forever preferred_lft forever

### 4、部署 master 节点 ###

# 将二进制文件解压拷贝到master 节点
    
    tar -xvf kubernetes-server-linux-amd64.tar.gz 
    cd kubernetes/server/bin/
    cp kube-scheduler kube-apiserver kube-controller-manager kubectl /k8s/kubernetes/bin/
    
    # 拷贝认证
    # cd到kubernetes证书目录
    cp *pem /k8s/kubernetes/ssl/
    
    ## 部署 kube-apiserver 组件
    
    # 创建 TLS Bootstrapping Token
    
    $ head -c 16 /dev/urandom | od -An -t x | tr -d ' '
    2366a641f656a0a025abb4aabda4511b
    
    vim /k8s/kubernetes/cfg/token.csv
    2366a641f656a0a025abb4aabda4511b,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    
    # 创建apiserver配置文件
    vim /k8s/kubernetes/cfg/kube-apiserver 
    
    KUBE_APISERVER_OPTS="--logtostderr=true \
    --v=4 \
    --etcd-servers=https://10.67.34.130:2379,https://10.67.34.131:2379,https://10.67.34.132:2379 \
    --bind-address=10.67.34.130 \
    --secure-port=6443 \
    --advertise-address=10.67.34.130 \
    --allow-privileged=true \
    --service-cluster-ip-range=10.0.0.0/24 \
    --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \
    --authorization-mode=RBAC,Node \
    --enable-bootstrap-token-auth \
    --token-auth-file=/k8s/kubernetes/cfg/token.csv \
    --service-node-port-range=30000-50000 \
    --tls-cert-file=/k8s/kubernetes/ssl/server.pem  \
    --tls-private-key-file=/k8s/kubernetes/ssl/server-key.pem \
    --client-ca-file=/k8s/kubernetes/ssl/ca.pem \
    --service-account-key-file=/k8s/kubernetes/ssl/ca-key.pem \
    --etcd-cafile=/k8s/etcd/ssl/ca.pem \
    --etcd-certfile=/k8s/etcd/ssl/server.pem \
    --etcd-keyfile=/k8s/etcd/ssl/server-key.pem"
    
    
    # 创建 kube-apiserver systemd unit 文件
    
    vim /usr/lib/systemd/system/kube-apiserver.service 
    
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/k8s/kubernetes/cfg/kube-apiserver
    ExecStart=/k8s/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    
    # 启动服务
    
    systemctl daemon-reload
    systemctl enable kube-apiserver
    systemctl restart kube-apiserver
    
    # 查看apiserver是否运行
    ps -ef |grep kube-apiserver
    
    ## 部署kube-scheduler
    
    # 创建kube-scheduler配置文件
    vim  /k8s/kubernetes/cfg/kube-scheduler 
    
    KUBE_SCHEDULER_OPTS="--logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect"
    
    # 创建kube-scheduler systemd unit 文件
    vim /usr/lib/systemd/system/kube-scheduler.service 
    
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/k8s/kubernetes/cfg/kube-scheduler
    ExecStart=/k8s/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    # 启动服务
    
    systemctl daemon-reload
    systemctl enable kube-scheduler.service 
    systemctl restart kube-scheduler.service
    
    # 查看kube-scheduler是否运行
    ps -ef |grep kube-scheduler
    systemctl status kube-scheduler.service
    
    ## 部署kube-controller-manager
    
    # 创建kube-controller-manager配置文件
    
    vim /k8s/kubernetes/cfg/kube-controller-manager
    
    KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \
    --v=4 \
    --master=127.0.0.1:8080 \
    --leader-elect=true \
    --address=127.0.0.1 \
    --service-cluster-ip-range=10.0.0.0/24 \
    --cluster-name=kubernetes \
    --cluster-signing-cert-file=/k8s/kubernetes/ssl/ca.pem \
    --cluster-signing-key-file=/k8s/kubernetes/ssl/ca-key.pem  \
    --root-ca-file=/k8s/kubernetes/ssl/ca.pem \
    --service-account-private-key-file=/k8s/kubernetes/ssl/ca-key.pem"
    
    # 创建kube-controller-manager systemd unit 文件
    vim /usr/lib/systemd/system/kube-controller-manager.service 
    
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/kubernetes/kubernetes
    
    [Service]
    EnvironmentFile=-/k8s/kubernetes/cfg/kube-controller-manager
    ExecStart=/k8s/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable kube-controller-manager
    systemctl restart kube-controller-manager
    
    # 查看kube-controller-manager是否运行
    systemctl status kube-controller-manager
    ps -ef |grep kube-controller-manager
    
    # 将可执行文件路/k8s/kubernetes/ 添加到 PATH 变量中
    vim /etc/profile
    
    PATH=/k8s/kubernetes/bin:$PATH:$HOME/bin
    
    source /etc/profile
    
    # 查看master集群状态
    $ kubectl get cs,nodes
    NAME                                 STATUS    MESSAGE             ERROR
    componentstatus/scheduler            Healthy   ok                  
    componentstatus/etcd-2               Healthy   {"health":"true"}   
    componentstatus/etcd-1               Healthy   {"health":"true"}   
    componentstatus/etcd-0               Healthy   {"health":"true"}   
    componentstatus/controller-manager   Healthy   ok

### 5、部署node 节点 ###

# 将kubelet 二进制文件拷贝node节点
    
    cp kubelet kube-proxy /k8s/kubernetes/bin/
    scp kubelet kube-proxy 10.67.34.131:/k8s/kubernetes/bin/
    scp kubelet kube-proxy 10.67.34.132:/k8s/kubernetes/bin/
    
    # 创建 kubelet bootstrap kubeconfig 文件
    
    # cd 到kubernetes证书目录，在目录下创建environment.sh
    vim  environment.sh
    -----------------------------------------------------------------------------start
    # 创建kubelet bootstrapping kubeconfig 
    BOOTSTRAP_TOKEN=2366a641f656a0a025abb4aabda4511b
    KUBE_APISERVER="https://10.67.34.130:6443"
    # 设置集群参数
    kubectl config set-cluster kubernetes \
      --certificate-authority=./ca.pem \
      --embed-certs=true \
      --server=${KUBE_APISERVER} \
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置客户端认证参数
    kubectl config set-credentials kubelet-bootstrap \
      --token=${BOOTSTRAP_TOKEN} \
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置上下文参数
    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kubelet-bootstrap \
      --kubeconfig=bootstrap.kubeconfig
    
    # 设置默认上下文
    kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
    
    #----------------------
    
    # 创建kube-proxy kubeconfig文件
    
    kubectl config set-cluster kubernetes \
      --certificate-authority=./ca.pem \
      --embed-certs=true \
      --server=${KUBE_APISERVER} \
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-credentials kube-proxy \
      --client-certificate=./kube-proxy.pem \
      --client-key=./kube-proxy-key.pem \
      --embed-certs=true \
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kube-proxy \
      --kubeconfig=kube-proxy.kubeconfig
    
    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
    
    ------------------------------------------------------------------------end
    
    # 给environment.sh添加执行权限
    chmod +x environment.sh
    
    # 创建kubelet bootstrapping kubeconfig
    ./environment.sh
    
    
    # 将bootstrap kubeconfig kube-proxy.kubeconfig 文件拷贝到所有 nodes节点
    cp bootstrap.kubeconfig kube-proxy.kubeconfig /k8s/kubernetes/cfg/
    scp bootstrap.kubeconfig kube-proxy.kubeconfig 10.67.34.131:/k8s/kubernetes/cfg/
    scp bootstrap.kubeconfig kube-proxy.kubeconfig 10.67.34.132:/k8s/kubernetes/cfg/
    
    
    # 创建 kubelet 参数配置模板文件：
    vim /k8s/kubernetes/cfg/kubelet.config
    
    kind: KubeletConfiguration
    apiVersion: kubelet.config.k8s.io/v1beta1
    address: 10.67.34.130
    port: 10250
    readOnlyPort: 10255
    cgroupDriver: cgroupfs
    clusterDNS: ["10.0.0.2"]
    clusterDomain: cluster.local.
    failSwapOn: false
    authentication:
      anonymous:
        enabled: true
        
    
    # 创建kubelet配置文件
    vim /k8s/kubernetes/cfg/kubelet
    
    KUBELET_OPTS="--logtostderr=true \
    --v=4 \
    --hostname-override=10.67.34.130 \
    --kubeconfig=/k8s/kubernetes/cfg/kubelet.kubeconfig \
    --bootstrap-kubeconfig=/k8s/kubernetes/cfg/bootstrap.kubeconfig \
    --config=/k8s/kubernetes/cfg/kubelet.config \
    --cert-dir=/k8s/kubernetes/ssl \
    --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
    
    
    # 创建kubelet systemd unit 文件
    vim /usr/lib/systemd/system/kubelet.service 
    
    [Unit]
    Description=Kubernetes Kubelet
    After=docker.service
    Requires=docker.service
    
    [Service]
    EnvironmentFile=/k8s/kubernetes/cfg/kubelet
    ExecStart=/k8s/kubernetes/bin/kubelet $KUBELET_OPTS
    Restart=on-failure
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target
    
    # 将kubelet-bootstrap用户绑定到系统集群角色
    kubectl create clusterrolebinding kubelet-bootstrap \
      --clusterrole=system:node-bootstrapper \
      --user=kubelet-bootstrap
      
    # 创建kubelet 参数配置文件拷贝到所有 nodes节点
    ### 注意到各node节点更改相应配置
    scp /k8s/kubernetes/cfg/kubelet.config 10.67.34.131:/k8s/kubernetes/cfg/
    scp /k8s/kubernetes/cfg/kubelet.config 10.67.34.132:/k8s/kubernetes/cfg/
    scp /k8s/kubernetes/cfg/kubelet 10.67.34.131:/k8s/kubernetes/cfg/
    scp /k8s/kubernetes/cfg/kubelet 10.67.34.132:/k8s/kubernetes/cfg/
    scp /usr/lib/systemd/system/kubelet.service 10.67.34.131:/usr/lib/systemd/system/
    scp /usr/lib/systemd/system/kubelet.service 10.67.34.132:/usr/lib/systemd/system/
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable kubelet
    systemctl restart kubelet
    
    
    ## 部署 kube-proxy 组件
    # 创建 kube-proxy 配置文件
    vim /k8s/kubernetes/cfg/kube-proxy
    
    KUBE_PROXY_OPTS="--logtostderr=true \
    --v=4 \
    --hostname-override=10.67.34.130 \
    --cluster-cidr=10.0.0.0/24 \
    --kubeconfig=/k8s/kubernetes/cfg/kube-proxy.kubeconfig"
    
    # 创建kube-proxy systemd unit 文件
    vim /usr/lib/systemd/system/kube-proxy.service 
    
    [Unit]
    Description=Kubernetes Proxy
    After=network.target
    
    [Service]
    EnvironmentFile=-/k8s/kubernetes/cfg/kube-proxy
    ExecStart=/k8s/kubernetes/bin/kube-proxy $KUBE_PROXY_OPTS
    Restart=on-failure
    
    [Install]
    WantedBy=multi-user.target
    
    # 启动服务
    systemctl daemon-reload
    systemctl enable kube-proxy
    systemctl restart kube-proxy
    
    ## approve kubelet CSR 请求
    
    # 查看 CSR 列表：
    $ kubectl get csr
    NAME                                                   AGE    REQUESTOR           CONDITION
    node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs   39m    kubelet-bootstrap   Pending
    node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s   5m5s   kubelet-bootstrap   Pending
    
    $ kubectl certificate approve node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s  
    certificatesigningrequest.certificates.k8s.io/node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s approved
    
    $ kubectl get csr
    NAME                                                   AGE     REQUESTOR           CONDITION
    node-csr-An1VRgJ7FEMMF_uyy6iPjyF5ahuLx6tJMbk2SMthwLs   41m     kubelet-bootstrap   Approved,Issued
    node-csr-dWPIyP_vD1w5gBS4iTZ6V5SJwbrdMx05YyybmbW3U5s   7m32s   kubelet-bootstrap   Approved,Issued
    
    # 查看集群状态
    $ kubectl get node,cs
    NAME               STATUS   ROLES    AGE    VERSION
    node/10.67.34.130   Ready    master   137m   v1.13.0
    node/10.67.34.131   Ready    node     114m   v1.13.0
    node/10.67.34.132  Ready    node     93m    v1.13.0
    
    NAME                                 STATUS    MESSAGE             ERROR
    componentstatus/controller-manager   Healthy   ok                  
    componentstatus/scheduler            Healthy   ok                  
    componentstatus/etcd-0               Healthy   {"health":"true"}   
    componentstatus/etcd-1               Healthy   {"health":"true"}   
    componentstatus/etcd-2               Healthy   {"health":"true"}

[20190118164653446.png]: /images/20220325/f41460f7363d4b01a2326eba42d00b1b.png
[https_pan.baidu.com_s_1wO6T7byhaJYBuu2JlhZvkQ]: https://pan.baidu.com/s/1wO6T7byhaJYBuu2JlhZvkQ