Installation of Kubernetes

Source: Internet
Author: User
Tags etcd

    • Get Source code

Latest installation package: GitHub

The binary package used in this experiment is version 1.10.0, downloaded from Baidu network disk.

    • Machine Environment
Kubernetes Role   IP Address        Hostname
Master            192.168.142.161   Kubernetes-node1.example.com
Node              192.168.142.162   Kubernetes-node2.example.com
Node              192.168.142.163   Kubernetes-node3.example.com
Master-side Configuration
    • Configuring the Kube-apiserver Service
Copy the kube-apiserver executable into /usr/bin, then edit the systemd service file:

vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Mutual (two-way) digital certificate authentication based on CA signatures
The build process is as follows:

(1) Generate a digital certificate for kube-apiserver and sign it with the CA certificate.
(2) Configure the certificate-related startup parameters of the kube-apiserver process, including the CA certificate (used to verify the authenticity of client certificate signatures) and its own CA-signed certificate and private key.
(3) Generate a digital certificate for each client process that accesses the Kubernetes API Server, also signed with the CA certificate, and add the CA certificate, the client's own certificate and the related parameters to the startup parameters of the corresponding program.

Set Kube-apiserver CA certificate-related files and startup parameters

Use the OpenSSL tool on the Master server to create the CA certificate and private key files:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048

The resulting file is as follows:

ca.crt  ca.key  server.key

Create a master_ssl.cnf file and generate an X.509 v3 certificate. In this file you need to set the hostname and IP address of the master server, as well as the virtual service name of the Kubernetes master service and its cluster IP address.

DNS.5 is the hostname of the master server, IP.1 is the cluster IP of the Kubernetes master service, and IP.2 is the IP address of the master server.

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = kubernets-node1.example.com
IP.1 = 169.169.0.1
IP.2 = 192.168.142.161

Generate server.csr and server.crt based on master_ssl.cnf.
When generating server.csr, the /CN name specified in the -subj parameter must be the hostname of the Master server.

openssl req -new -key server.key -subj "/CN=kubernets-node1.example.com" -config /etc/kubernetes/master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile /etc/kubernetes/master_ssl.cnf -out server.crt

There are now 6 files:

ca.crt ca.key ca.srl server.crt server.csr server.key

Copy them into the directory the services will read them from:

cp ca.crt ca.key ca.srl server.crt server.csr server.key /var/run/kubernetes/

Specify the contents of the configuration file /etc/kubernetes/apiserver as follows:

vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--etcd-servers=http://192.168.142.161:2379,http://192.168.142.162:2379,http://192.168.142.163:2379 --bind-address=0.0.0.0 --secure-port=443 --insecure-port=0 --client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
    • Configuring the Kube-controller-manager Service

Kube-controller-manager relies on the kube-apiserver service.

Configure the startup file:

cat /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Create the kube-controller-manager client certificate and private key:

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=kubernets-node1.example.com" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

When generating cs_client.crt, the -CA and -CAkey parameters use the apiserver's ca.crt and ca.key files. Then copy the files into the /var/run/kubernetes directory.
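The CA, serving certificate and client certificate steps above (and the identical kubelet client certificate step in the node section below) leave nothing to tell you whether the result is what kube-apiserver will accept. The following added script (not part of the original page) builds the same PKI in a scratch directory with the page's names and addresses, a shortened copy of the master_ssl.cnf SAN list, and then checks the three things that actually matter at run time: both certificates chain to ca.crt, the serving certificate carries the cluster IP, master IP and hostname as SANs, and server.key really belongs to server.crt. It assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the CA / server / client
# certificate procedure and verify the result. Assumes the openssl CLI is present.
set -eu
build_and_verify_pki() {
    work=$(mktemp -d)
    cd "$work"
    # CA private key and self-signed CA certificate (as on the page)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.com" -days 5000 -out ca.crt
    # SAN config: every name and IP a client may use to reach the apiserver (shortened list)
    cat > master_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes.default.svc.cluster.local
DNS.2 = kubernets-node1.example.com
IP.1 = 169.169.0.1
IP.2 = 192.168.142.161
EOF
    # apiserver serving certificate: CN is the master hostname, SANs come from the cnf
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "/CN=kubernets-node1.example.com" \
        -config master_ssl.cnf -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 \
        -extensions v3_req -extfile master_ssl.cnf -out server.crt 2>/dev/null
    # client certificate for kube-controller-manager, signed by the same CA
    openssl genrsa -out cs_client.key 2048 2>/dev/null
    openssl req -new -key cs_client.key -subj "/CN=kubernets-node1.example.com" -out cs_client.csr
    openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 5000 -out cs_client.crt 2>/dev/null
    # check 1: both certificates chain to ca.crt, which is what --client-ca-file on the
    # apiserver and certificate-authority in the kubeconfig validate against
    openssl verify -CAfile ca.crt server.crt cs_client.crt >/dev/null
    # check 2: the serving cert carries the cluster IP, master IP and hostname as SANs
    san=$(openssl x509 -in server.crt -noout -text | grep -A1 'Subject Alternative Name')
    for want in 'IP Address:169.169.0.1' 'IP Address:192.168.142.161' 'DNS:kubernets-node1'; do
        echo "$san" | grep -q "$want"
    done
    # check 3: server.key is the key for server.crt (their public keys are identical)
    [ "$(openssl pkey -in server.key -pubout 2>/dev/null)" = "$(openssl x509 -in server.crt -noout -pubkey)" ]
    cd / && rm -rf "$work" && echo ok
}
```

Because `set -e` is active, any failed check aborts before `ok` is printed; the same three checks can be pointed at the real /var/run/kubernetes files on the master, and at kubelet_client.crt on a node, before the services are started.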

Next, create the /etc/kubernetes/kubeconfig file (shared by kube-controller-manager and kube-scheduler).
The contents are as follows:

cat /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context

Then set the startup parameters of kube-controller-manager:

cat /etc/kubernetes/controller-manager

KUBE_CONTROLLER_MANAGER_ARGS="--master=https://192.168.142.161 --service-account-private-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
    • Configuring the Kube-scheduler Service

The kube-scheduler service also relies on the kube-apiserver service.

cat /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

It reuses the client certificate created for kube-controller-manager.

Configure the startup parameters:

cat /etc/kubernetes/scheduler

KUBE_SCHEDULER_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/lib/kubernetes --v=2"

This completes the master-side installation. Start all services:

systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler

Configure the Kubelet and Kube-proxy on the Node

The kubelet service relies on Docker, so Docker has to be installed first. The installation process is as follows:

# If you installed Docker before, remove it first
yum remove docker docker-common docker-selinux docker-engine
# Install dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2
# Download the repo file
wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
# Replace the upstream source with a domestic mirror
sed -i 's+download-stage.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Install Docker
yum install docker-ce
# Enable and start the service
systemctl enable docker
systemctl start docker

1: First copy kube-apiserver's ca.crt and ca.key files to the node. When generating kubelet_client.crt, the -CA and -CAkey parameters use the apiserver's ca.crt and ca.key files. When generating kubelet_client.csr, the /CN in the -subj parameter is set to the IP address of the node.

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.142.162" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000

2: Then create the /etc/kubernetes/kubeconfig file (shared by the kubelet and kube-proxy processes) and configure the client certificate and other related parameters:

cat /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    server: https://192.168.142.161
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context

3: Set the startup parameters for the kubelet service

cat /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=192.168.142.162 --pod-infra-container-image=registry-vpc.cn-beijing.aliyuncs.com/k8s_len/pause-amd64:3.0 --fail-swap-on=false --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

4: Set the startup parameters for kube-proxy

cat /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

5: Define the systemd unit files so that both services start at boot

cat /usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Wants=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
#Type=notify
#LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

cat /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=Kubernetes Kube-proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.service
Wants=network.service

[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
