### 1. Environment preparation
* * * * *
master: 192.168.11.212 etcd
master: 192.168.11.213 etcd
master: 192.168.11.214 etcd
node: 192.168.11.220
node: 192.168.11.221
node: 192.168.11.222
haproxy: 192.168.11.215
haproxy: 192.168.11.216
keepalived (VIP): 192.168.11.230
jenkins-master:
jenkins-slave:
jenkins-slave:
harbor:
harbor:
zookeeper+kafka
zookeeper+kafka
zookeeper+kafka
elk:
elk:
elk:
* * * * *
### 2. All of the hosts above run Ubuntu 18.04
Because of the performance problems of Docker's devicemapper storage driver on CentOS,
the production environment should preferably use Ubuntu 18.04 Server as well.
* * * * *
### 3. Installing the master nodes:
* [ ] Create the directories: mkdir -p /opt/kubernetes/{bin,ssl,cfg,log}
* [ ] The same layout must be created on both master and node hosts
* [ ] bin: binary executables
* [ ] ssl: the generated certificates
* [ ] cfg: configuration files and kubeconfig files
* [ ] log: a single location for container logs, which makes ELK log collection easier later
* [ ] Certificates are issued with the cfssl tool here; install cfssl as follows:
* * * * *
~~~
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
~~~
* [ ] Export it into PATH for the current session: export PATH=/opt/kubernetes/bin:$PATH
* [ ] To make this permanent, add the line to /etc/profile
The following configuration files are needed to generate the certificates:
ca-config.json:
```json
{
  "signing": {
    "default": {
      "expiry": "175200h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      },
      "etcd": {
        "expiry": "175200h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
```
Field descriptions:
* ca-config.json: several profiles can be defined, each with its own expiry, usages and other parameters; when a certificate is signed later, one of these profiles is selected. Two profiles are defined here, one for kubernetes and one for etcd; I do not use certificates for etcd in this setup, so the second profile is unused.
* signing: the certificate may be used to sign other certificates; the generated ca.pem carries CA=TRUE
* server auth: a client may use this CA to verify the certificate presented by a server
* client auth: a server may use this CA to verify the certificate presented by a client
* * * * *
ca-csr.json:
~~~json
{
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Wuhan",
      "ST": "Hubei",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
~~~
### Generate the CA certificate:
```
cfssl gencert --initca=true ca-csr.json | cfssljson --bare ca
```
### Generate the kubernetes certificate
kubernetes-csr.json:
```json
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "localhost",
    "10.1.61.175",
    "10.1.61.176",
    "10.1.61.177",
    "10.254.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```
A brief note on this file:
The hosts field lists the IP addresses and DNS names that are authorized to use this certificate. Because the certificate being generated here is used by every node of the Kubernetes master cluster, the IP address and hostname of each node are listed. The list must match your own environment: the certificate inspected later in this post was issued with the 192.168.11.x addresses from section 1 (masters, haproxy hosts, the keepalived VIP and the nodes) plus the service cluster IP 172.16.0.1, not the 10.1.61.x sample addresses shown above.
Generate the kubernetes certificate:
```sh
cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes kubernetes-csr.json | cfssljson --bare kubernetes
```
### Generate the kubectl certificate
admin-csr.json:
```json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
```
* kube-apiserver takes **CN** as the client's user name (admin here) and **O** as the user's group (system:masters here)
* kube-apiserver later uses RBAC to authorize requests from clients (kubelet, kube-proxy, pods, ...)
* The apiserver predefines a number of ClusterRoleBindings for RBAC; for example, cluster-admin binds the group system:masters to the ClusterRole cluster-admin, which has full access to the apiserver, so the admin user becomes the cluster's super administrator.
### Generate the kubectl certificate:
```sh
cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes admin-csr.json | cfssljson --bare admin
```
### Generate the kube-proxy certificate
kube-proxy-csr.json:
```json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Hubei",
      "L": "Wuhan",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```
* CN sets the user of this certificate to system:kube-proxy
* The RoleBinding cluster-admin predefined by kube-apiserver binds the user system:kube-proxy to the role system:node-proxier, which grants permission to call the proxy-related kube-apiserver APIs;
### Generate the kube-proxy certificate:
```sh
cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes kube-proxy-csr.json | cfssljson --bare kube-proxy
```
All of the certificates above can also be generated in one go:
```sh
cfssl gencert --initca=true ca-csr.json | cfssljson --bare ca
for targetName in kubernetes admin kube-proxy; do
  cfssl gencert --ca ca.pem --ca-key ca-key.pem --config ca-config.json --profile kubernetes $targetName-csr.json | cfssljson --bare $targetName
done
```
In cfssl, --profile selects which of the profiles defined in ca-config.json is used.
The generated certificates:
```
ll *.pem
total 48
-rw------- 1 kube kube 1679 Aug 30 16:49 admin-key.pem
-rw-r--r-- 1 kube kube 1363 Aug 30 16:49 admin.pem
-rw------- 1 kube kube 1675 Aug 30 16:49 ca-key.pem
-rw-r--r-- 1 kube kube 1289 Aug 30 16:49 ca.pem
-rw------- 1 kube kube 1679 Aug 30 16:49 kube-proxy-key.pem
-rw-r--r-- 1 kube kube 1363 Aug 30 16:49 kube-proxy.pem
-rw------- 1 kube kube 1679 Sep 13 13:46 kubernetes-key.pem
-rw-r--r-- 1 kube kube 1586 Sep 13 13:46 kubernetes.pem
```
Move the generated certificates into the ssl directory created earlier.
Verify a certificate:
```
# using the kubernetes certificate as the example
openssl x509 -noout -text -in kubernetes.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7a:a2:fa:da:4c:7a:0d:7d:fa:c1:f4:a8:af:f7:77:24:04:54:19:3f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Hubei, L = Wuhan, O = k8s, OU = System
Validity
Not Before: Aug 27 11:50:00 2018 GMT
Not After : Aug 22 11:50:00 2038 GMT
Subject: C = CN, ST = Hubei, L = Wuhan, O = k8s, OU = System, CN = kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b8:00:1e:bb:a8:75:2c:07:32:5b:da:d5:23:25:
c2:0f:c9:10:08:5b:78:40:78:90:4a:59:e3:cc:64:
36:1a:29:c1:ea:fe:01:f4:88:2f:73:be:20:98:b9:
09:e9:c1:13:a7:b8:26:5f:54:52:21:0a:89:03:c8:
d3:33:a1:be:20:bb:03:d7:5b:e4:19:46:e2:e9:67:
e7:89:3a:68:2d:f9:c8:66:54:ce:dd:7d:99:fd:1b:
a7:32:e2:44:b5:ba:14:f0:60:94:38:51:ff:2b:2c:
fe:7c:f3:55:1b:4c:19:d8:ad:10:10:08:c3:db:2e:
65:46:36:e9:63:ea:7c:3a:75:b7:59:a5:90:7f:16:
2d:be:56:16:c8:f0:fe:40:6d:1e:bf:9f:ff:4c:9c:
cb:57:4b:a9:04:7a:61:ce:9b:91:86:c2:19:1b:a5:
be:82:b2:75:e5:8c:fb:65:ce:cf:ad:72:c6:6d:85:
19:c7:ce:a9:86:72:79:51:bf:4f:2f:c2:03:e8:34:
9a:12:8c:0b:57:ac:90:39:69:56:0e:00:3b:15:32:
fd:fa:77:de:a8:7e:46:5e:86:e3:60:ac:41:56:80:
00:59:4c:a7:a1:f5:78:0f:1e:1c:a6:9e:7e:f8:93:
c5:aa:f8:22:b0:c4:e3:f9:24:92:f8:b7:09:ad:e9:
76:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
F8:B2:8A:9F:D7:42:A5:33:D1:A0:23:29:FD:42:06:4A:80:2F:1D:F6
X509v3 Authority Key Identifier:
keyid:8E:DD:D0:C9:6B:3D:D8:CA:ED:5B:FD:86:48:65:AD:CC:D6:3F:B6:B6
X509v3 Subject Alternative Name:
DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.11.212, IP Address:192.168.11.213, IP Address:192.168.11.214, IP Address:192.168.11.215, IP Address:192.168.11.216, IP Address:192.168.11.222, IP Address:192.168.11.221, IP Address:192.168.11.220, IP Address:192.168.11.230, IP Address:172.16.0.1
Signature Algorithm: sha256WithRSAEncryption
11:4f:5c:44:5b:0c:d1:ca:d4:aa:d8:47:16:63:f9:4b:8f:b0:
a7:7c:58:42:2f:ea:dd:80:b6:ae:0e:1d:8b:72:b7:40:ba:9e:
a2:3b:9f:fb:04:10:4d:bd:59:0c:08:ea:2e:54:a8:0d:63:02:
6d:94:78:be:72:b2:2f:8d:b1:c2:c0:bf:a4:19:45:8d:b6:b4:
d8:28:58:c6:e9:75:c8:4a:49:51:72:33:04:6e:52:25:60:57:
cc:fe:0e:83:35:b8:cb:1d:28:ed:cd:9d:7b:5b:49:8b:3a:56:
09:3f:ea:80:8a:ca:bd:4f:d9:c4:f7:90:bb:f0:55:be:c6:86:
bc:0a:7a:2c:41:a1:19:42:b3:51:ee:f9:7d:7b:70:f7:46:2b:
40:f0:25:e2:2d:f7:fc:00:50:7a:7f:48:e1:7d:81:2b:f6:dd:
f4:59:35:df:f9:af:2c:be:c3:c3:19:7b:94:9f:94:ec:e9:05:
74:29:c7:e8:40:f2:0b:ac:8c:df:81:8e:d4:0c:aa:ad:71:49:
99:71:d6:b3:f3:28:92:e5:9d:d8:1f:ad:a4:6e:43:d3:67:40:
5a:64:26:d3:0b:0a:79:90:50:1f:13:c7:99:90:14:d2:d5:ad:
82:96:63:ca:3d:21:79:9c:a7:26:0f:a2:1c:5c:d4:b8:5c:13:
fb:bf:87:cc
```
* Confirm that the Issuer field matches ca-csr.json;
* Confirm that the Subject field matches kubernetes-csr.json;
* Confirm that the X509v3 Subject Alternative Name field matches the hosts in kubernetes-csr.json;
* Confirm that the X509v3 Key Usage and Extended Key Usage fields match the kubernetes profile in ca-config.json;
# Generating the token and kubeconfig files
In this setup we enable certificate authentication, token authentication and HTTP basic authentication at the same time, so the token file, the basic auth file and the kubeconfig files have to be generated in advance.
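The four checks above are easy to get wrong by eye, especially the long SAN line. The script below is an added example, not part of the original post: it runs the same checks mechanically against the text dump produced by `openssl x509 -noout -text`, and reports every mismatch rather than stopping at the first. The expected issuer suffix, CN and SAN entries are passed in as arguments, so the same function serves admin.pem and kube-proxy.pem; the function names are my own.

```sh
#!/bin/sh
# Added example: check an `openssl x509 -noout -text` dump against what the CSR
# and the ca-config.json "kubernetes" profile asked for.
# Real use:
#   openssl x509 -noout -text -in kubernetes.pem > /tmp/kubernetes.txt
#   sh check_cert.sh /tmp/kubernetes.txt "O = k8s, OU = System" kubernetes \
#       "DNS:kubernetes.default.svc.cluster.local" "IP Address:192.168.11.230"

# Print the value of a single-line field such as "Issuer: ..." or "Subject: ...".
cert_field() {               # $1 = dump file, $2 = field label
  sed -n "s/^[[:space:]]*$2: //p" "$1" | head -n 1
}

# Print the (trimmed) line that follows an extension header, e.g. the CA:FALSE
# line under "X509v3 Basic Constraints: critical".
cert_ext() {                 # $1 = dump file, $2 = text identifying the header
  awk -v name="$2" '
    found && NF { sub(/^[[:space:]]+/, ""); print; exit }
    index($0, name) { found = 1 }' "$1"
}

# check_cert_dump DUMP EXPECTED_ISSUER_SUFFIX EXPECTED_CN [SAN_ENTRY ...]
# Returns 0 when every check passes; otherwise prints each failure and returns 1.
check_cert_dump() {
  dump=$1; issuer_want=$2; cn_want=$3; shift 3
  rc=0
  # 1. Issuer must be the CA described in ca-csr.json.
  issuer=$(cert_field "$dump" Issuer)
  case "$issuer" in *"$issuer_want") ;; *) echo "FAIL issuer: $issuer"; rc=1 ;; esac
  # 2. Subject CN must be the CN from the *-csr.json (this becomes the user name).
  subject=$(cert_field "$dump" Subject)
  case "$subject" in *"CN = $cn_want") ;; *) echo "FAIL subject CN: $subject"; rc=1 ;; esac
  # 3. A leaf certificate signed under the kubernetes profile must not be a CA.
  case "$(cert_ext "$dump" 'Basic Constraints')" in
    CA:FALSE) ;; *) echo "FAIL basic constraints: expected CA:FALSE"; rc=1 ;;
  esac
  # 4. Key Usage / Extended Key Usage must match the profile's "usages" list.
  ku=$(cert_ext "$dump" 'Key Usage: critical')
  case "$ku" in *"Digital Signature"*"Key Encipherment"*) ;; *) echo "FAIL key usage: $ku"; rc=1 ;; esac
  eku=$(cert_ext "$dump" 'Extended Key Usage')
  case "$eku" in *"Server Authentication"*"Client Authentication"*) ;; *) echo "FAIL EKU: $eku"; rc=1 ;; esac
  # 5. Every expected SAN entry must appear as a whole, comma-delimited item.
  san=$(cert_ext "$dump" 'Subject Alternative Name')
  for want in "$@"; do
    case ", $san," in *", $want,"*) ;; *) echo "FAIL SAN missing: $want"; rc=1 ;; esac
  done
  return $rc
}

# Command-line use: dump, issuer suffix, CN, then any number of SAN entries.
if [ $# -ge 3 ]; then
  check_cert_dump "$@"
fi
```

The SAN check matches whole comma-separated entries, so `DNS:kubernetes` does not silently pass on the strength of `DNS:kubernetes.default`; pass every address from the hosts list, including the keepalived VIP, to catch a certificate that was regenerated from a stale CSR.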
## Generate the token used by clients
```
export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
cat > bootstrap-token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
```
Generate the HTTP basic auth file used by the dashboard
```
cat > basic_auth.csv <<EOF
123456,admin,1,"system:masters"
EOF
```
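Both files above are static credentials that kube-apiserver reads at startup, so they deserve the same handling as the private keys: owner-only permissions and a quick sanity check of their layout before the apiserver is pointed at them. The script below is an added example and not part of the original post; it uses the page's column layout (secret,user,uid,"group"), and the function names and the 16-character minimum secret length are my own choices.

```sh
#!/bin/sh
# Added example: write the static credential files with 0600 permissions and
# validate their shape before kube-apiserver loads them.

# Print a fresh 32-hex-character bootstrap token from /dev/urandom.
# -tx1 prints single bytes, so the result does not depend on host endianness.
gen_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_credential_line FILE SECRET USER UID GROUP
# Appends one row; umask 077 in the subshell makes a new file owner-only (0600).
write_credential_line() {
  ( umask 077; printf '%s,%s,%s,"%s"\n' "$2" "$3" "$4" "$5" >> "$1" )
}

# validate_credential_file FILE
# Returns 0 when the file is mode 600/400 and every line has exactly four
# columns, a secret of at least 16 characters and a numeric uid; otherwise
# prints each problem and returns 1.
validate_credential_file() {
  file=$1; rc=0
  # GNU stat first, BSD/macOS stat as fallback (assumption: one of them exists).
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in 600|400) ;; *) echo "FAIL $file: mode $mode, expected 600"; rc=1 ;; esac
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    fields=$(printf '%s' "$line" | awk -F, '{ print NF }')
    [ "$fields" -eq 4 ] || { echo "FAIL line $n: expected 4 columns, got $fields"; rc=1; continue; }
    secret=${line%%,*}
    [ ${#secret} -ge 16 ] || { echo "FAIL line $n: secret shorter than 16 characters"; rc=1; }
    uid=$(printf '%s' "$line" | cut -d, -f3)
    case "$uid" in ''|*[!0-9]*) echo "FAIL line $n: uid '$uid' is not numeric"; rc=1 ;; esac
  done < "$file"
  return $rc
}

# Stand-alone use: build both files in the current directory and validate them.
if [ "${1:-}" = "--write" ]; then
  write_credential_line bootstrap-token.csv "$(gen_token)" kubelet-bootstrap 10001 system:kubelet-bootstrap
  validate_credential_file bootstrap-token.csv
fi
```

Note that the `123456` password in the basic_auth.csv example above fails this validation; generate the dashboard password with `gen_token` (or similar) as well, since the file is stored in clear text next to the apiserver configuration.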
Generate the kubeconfig files
```
export KUBE_APISERVER="https://keepalived的虚拟ip:6443"
```
#### Set the cluster parameters, i.e. how the api-server is reached; the cluster is named kubernetes
```
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
```
#### Set the client authentication parameters; token authentication is used here
```
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=bootstrap.kubeconfig
```
#### Set the context parameters, linking the user kubelet-bootstrap to the cluster kubernetes
```
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=bootstrap.kubeconfig
```
#### Set the default context
```
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
```
#### The kube-proxy kubeconfig is built in the same way:
```sh
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
# Set the client authentication parameters (client certificate instead of a token)
kubectl config set-credentials kube-proxy \
  --client-certificate=kube-proxy.pem \
  --client-key=kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```
# Deploying the master
The master side consists of three components: kube-apiserver, kube-controller-manager and kube-scheduler. We install all of them from binary packages. Kubernetes source: https://github.com/kubernetes/kubernetes
We can git clone the source locally, check out the 1.10 release and build it; after the build, all binaries are located in the _output directory of the source tree, and we simply take the ones we need. Note that building requires a Go development environment.
```
git clone https://github.com/kubernetes/kubernetes.git
cd kubernetes
git checkout release-1.11
make
```
In addition, the CA certificate and key, the kubernetes certificate and key, and the kubectl certificate and key generated earlier must be distributed to /opt/kubernetes/ssl on every master node.
Here I actually use the pre-built binary release rather than building from source.
The server tarball kubernetes-server-linux-amd64.tar.gz already contains the client (kubectl) binary, so there is no need to download kubernetes-client-linux-amd64.tar.gz separately;
```sh
wget https://dl.k8s.io/v1.11.1/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes
tar -xzvf kubernetes-src.tar.gz
cp -r server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kube-proxy,kubelet} /opt/kubernetes/bin/
# make the copied binaries executable (the original had a typo, "chomd +x *")
chmod +x /opt/kubernetes/bin/*
```
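The download above is fetched over HTTPS but its contents are never checked before the binaries are copied into /opt/kubernetes/bin and run as the control plane. The script below is an added example, not part of the original post: it compares the tarball's SHA-256 with the value published for that release before anything is unpacked. `EXPECTED_SHA256` is a placeholder that must be replaced with the digest from the Kubernetes release notes for the version being installed; the function names are my own, and `sha256sum` (or `shasum` on BSD/macOS) is assumed to be available.

```sh
#!/bin/sh
# Added example: verify the release tarball's SHA-256 before unpacking it.
# Usage:  sh fetch_k8s.sh install v1.11.1 <sha256 from the release notes>

# Placeholder only; take the real digest from the release notes for your version.
EXPECTED_SHA256="REPLACE_WITH_DIGEST_FROM_RELEASE_NOTES"

# Print the hex SHA-256 of a file using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED -> 0 on match, 1 on mismatch (reports both digests)
verify_sha256() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "checksum mismatch for $1: got $actual, expected $2" >&2
  return 1
}

# fetch_and_install VERSION EXPECTED_SHA256
# Downloads the server tarball, refuses to unpack on a digest mismatch, and
# installs the six binaries the post copies, with mode 0755 set explicitly.
fetch_and_install() {
  ver=$1; want=$2
  tarball=kubernetes-server-linux-amd64.tar.gz
  wget -q "https://dl.k8s.io/$ver/$tarball" || return 1
  verify_sha256 "$tarball" "$want" || { rm -f "$tarball"; return 1; }
  tar -xzf "$tarball"
  for b in kube-apiserver kube-controller-manager kube-scheduler kubectl kube-proxy kubelet; do
    install -m 0755 "kubernetes/server/bin/$b" /opt/kubernetes/bin/ || return 1
  done
}

# Stand-alone use: "install <version> <sha256>"; the placeholder above is used
# only when no digest is passed, and will (correctly) fail verification.
if [ "${1:-}" = "install" ] && [ $# -ge 2 ]; then
  fetch_and_install "$2" "${3:-$EXPECTED_SHA256}"
fi
```

Keep the expected digest in the deployment repository next to the version number, so that a later re-run against the same URL still fails loudly if the artifact has changed.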