Latest installation package: GitHub
The 1.10.0 binary package used in this experiment: Baidu network disk
Kubernetes Role | IP Address | Hostname
--- | --- | ---
Master | 192.168.142.161 | Kubernetes-node1.example.com
Node | 192.168.142.162 | Kubernetes-node2.example.com
Node | 192.168.142.163 | Kubernetes-node3.example.com
Master-side Configuration
- Configuring the Kube-apiserver Service
Copy the kube-apiserver executable to /usr/bin, then edit the systemd service file:

vim /usr/lib/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service

[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Two-way (mutual) digital certificate authentication based on CA signing

The build process is as follows:

(1) Generate a digital certificate for kube-apiserver and sign it with the CA certificate.
(2) Configure the certificate-related startup parameters of the kube-apiserver process: the CA certificate (used to verify the signatures on client certificates), its own CA-signed certificate, and its private key.
(3) Generate a digital certificate for every client process that accesses the Kubernetes API Server, also signed with the CA certificate, and add the CA certificate, the client's own certificate and the related parameters to that program's startup parameters.
Set the kube-apiserver CA certificate files and startup parameters

Use the OpenSSL tool on the Master server to create the CA certificate and private key files:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
The resulting file is as follows:
ca.crt ca.key server.key
Create a master_ssl.cnf file and use it to generate an X.509 v3 certificate. In this file you need to set the hostname and IP address of the Master server, the virtual service name of the Kubernetes Master service, and the ClusterIP address of that virtual service.
DNS.5 is the hostname of the Master server, IP.1 is the cluster IP of the Kubernetes Master Service, and IP.2 is the IP of the Master server.

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = kubernets-node1.example.com
IP.1 = 169.169.0.1
IP.2 = 192.168.142.161
Generate server.csr and server.crt based on master_ssl.cnf.
When generating server.csr, the name given by /CN in the -subj parameter must be the hostname of the Master.

openssl req -new -key server.key -subj "/CN=kubernets-node1.example.com" -config /etc/kubernetes/master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile /etc/kubernetes/master_ssl.cnf -out server.crt
There are now 6 files:

ca.crt ca.key ca.srl server.crt server.csr server.key

cp ca.crt ca.key ca.srl server.crt server.csr server.key /var/run/kubernetes/

Specify the contents of the configuration file /etc/kubernetes/apiserver as follows:

vim /etc/kubernetes/apiserver

KUBE_API_ARGS="--etcd-servers=http://192.168.142.161:2379,http://192.168.142.162:2379,http://192.168.142.163:2379 --bind-address=0.0.0.0 --secure-port=443 --insecure-port=0 --client-ca-file=/var/run/kubernetes/ca.crt --tls-private-key-file=/var/run/kubernetes/server.key --tls-cert-file=/var/run/kubernetes/server.crt --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
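The following script is an added check, not part of the original page: it rebuilds the page's CA, apiserver and client certificates in a scratch directory and then verifies them the way kube-apiserver (--client-ca-file) and its clients (certificate-authority in kubeconfig) do. It assumes openssl is on PATH; the "rogue" CA is constructed here only to show that a client certificate with the right CN but the wrong issuer is rejected.

```shell
#!/bin/sh
# Added example, not from the original page: rebuild the page's CA, server and client
# certificates in a scratch directory and check them the way kube-apiserver and its
# clients will. Assumes openssl on PATH; the "rogue" CA is constructed here only to
# show what --client-ca-file rejects.
set -eu
build_pki() (                     # $1 = scratch dir; runs in a subshell
  mkdir -p "$1" && cd "$1"
  cat > master_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernets-node1.example.com
IP.1 = 169.169.0.1
IP.2 = 192.168.142.161
EOF
  # Cluster CA, then the apiserver certificate with the SANs from master_ssl.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.com" -days 5000 -out ca.crt
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -subj "/CN=kubernets-node1.example.com" \
    -config master_ssl.cnf -out server.csr
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt 2>/dev/null
  # Client certificate for kube-controller-manager, signed by the same CA
  openssl genrsa -out cs_client.key 2048 2>/dev/null
  openssl req -new -key cs_client.key -subj "/CN=kubernets-node1.example.com" -out cs_client.csr
  openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out cs_client.crt -days 5000 2>/dev/null
  # An unrelated CA and a client cert with the same CN: must NOT be trusted
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout rogue_ca.key \
    -subj "/CN=rogue" -days 5000 -out rogue_ca.crt 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout rogue_client.key \
    -subj "/CN=kubernets-node1.example.com" -out rogue_client.csr 2>/dev/null
  openssl x509 -req -in rogue_client.csr -CA rogue_ca.crt -CAkey rogue_ca.key \
    -CAcreateserial -out rogue_client.crt -days 5000 2>/dev/null
)
# 0 if $2 chains to $1/ca.crt: the check --client-ca-file applies to client certs
chains_to_ca() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }
# 0 if server.crt carries SAN $2; clients match the URL host against the SANs
has_san() { openssl x509 -in "$1/server.crt" -noout -text | grep -q -- "$2"; }
```

Run it against the real /var/run/kubernetes directory by calling chains_to_ca and has_san with that path; a missing SAN is the usual cause of "certificate is valid for ..., not ..." errors from clients.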
- Configuring the Kube-controller-manager Service
kube-controller-manager depends on the kube-apiserver service.

Configure the startup file:

cat /usr/lib/systemd/system/kube-controller-manager.service

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Create the kube-controller-manager client certificate and private key:

openssl genrsa -out cs_client.key 2048
openssl req -new -key cs_client.key -subj "/CN=kubernets-node1.example.com" -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cs_client.crt -days 5000

When generating cs_client.crt, the -CA and -CAkey parameters use the apiserver's ca.crt and ca.key files; then copy the resulting files into the same directory (/var/run/kubernetes).
Next, create the /etc/kubernetes/kubeconfig file (shared by kube-controller-manager and kube-scheduler).
The contents are as follows:

cat /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: controllermanager
  user:
    client-certificate: /var/run/kubernetes/cs_client.crt
    client-key: /var/run/kubernetes/cs_client.key
clusters:
- name: local
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: controllermanager
  name: my-context
current-context: my-context
Then set the startup parameters of kube-controller-manager:

cat /etc/kubernetes/controller-manager

KUBE_CONTROLLER_MANAGER_ARGS="--master=https://192.168.142.161 --service-account-private-key-file=/var/run/kubernetes/server.key --root-ca-file=/var/run/kubernetes/ca.crt --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
- Configuring the Kube-scheduler Service
The kube-scheduler service also depends on the kube-apiserver service.

cat /usr/lib/systemd/system/kube-scheduler.service

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=kube-apiserver.service
Wants=kube-apiserver.service

[Service]
EnvironmentFile=/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

kube-scheduler reuses the client certificate created for kube-controller-manager.

Configure the startup parameters:

cat /etc/kubernetes/scheduler

KUBE_SCHEDULER_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/lib/kubernetes --v=2"
This completes the master-side installation. Start all services:

systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler
Configure the kubelet and kube-proxy on the nodes

The kubelet service depends on Docker, so Docker must be installed first. The installation process is as follows:

If you installed docker before, remove it first:
yum remove docker docker-common docker-selinux docker-engine

Install the dependencies:
yum install -y yum-utils device-mapper-persistent-data lvm2

Download the repo file:
wget -O /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo

Replace it with a domestic mirror:
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo

Install docker:
yum install docker-ce

Start it:
systemctl enable docker
systemctl start docker
1: First copy kube-apiserver's ca.crt and ca.key files to the node. When generating kubelet_client.crt, the -CA and -CAkey parameters use the apiserver's ca.crt and ca.key files. When generating kubelet_client.csr, the /CN in the -subj parameter is set to the IP address of the node.

openssl genrsa -out kubelet_client.key 2048
openssl req -new -key kubelet_client.key -subj "/CN=192.168.142.162" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet_client.crt -days 5000
2: Then create the /etc/kubernetes/kubeconfig file (shared by the kubelet and kube-proxy processes) and configure the client certificate and related parameters:

cat /etc/kubernetes/kubeconfig

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: local
  cluster:
    server: https://192.168.142.161
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: local
    user: kubelet
  name: my-context
current-context: my-context
3: Set the startup parameters for the kubelet service:

cat /etc/kubernetes/kubelet

KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=192.168.142.162 --pod-infra-container-image=registry-vpc.cn-beijing.aliyuncs.com/k8s_len/pause-amd64:3.0 --fail-swap-on=false --logtostderr=false --log-dir=/var/log/kubernetes --v=2"

4: Set the startup parameters for kube-proxy:

cat /etc/kubernetes/kube-proxy

KUBE_PROXY_ARGS="--master=https://192.168.142.161 --kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
5: Define the systemd unit files so both services start at boot:

cat /usr/lib/systemd/system/kubelet.service

[Unit]
Description=Kubernetes Kubelet Server
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Wants=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=/etc/kubernetes/kubeconfig.yaml
EnvironmentFile=/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
#Type=notify
#LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

cat /usr/lib/systemd/system/kube-proxy.service

[Unit]
Description=Kubernetes Kube-proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.service
Wants=network.service

[Service]
EnvironmentFile=/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
#Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target