System Environment Initialization
1. Install Docker
Step 1: Use a Docker repository mirror hosted in China
[root@linux-node1 ~]# cd /etc/yum.repos.d/
[root@linux-node1 yum.repos.d]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Step 2: Install Docker
[root@linux-node1 ~]# yum install -y docker-ce
Step 3: Start the daemon
[root@linux-node1 ~]# systemctl start docker
[root@linux-node1 ~]# docker -v
Docker version 18.06.1-ce, build e68fc7a
2. Prepare the deployment directories
[root@linux-node1 src]# mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}
[root@linux-node1 src]# tree /opt/kubernetes/
/opt/kubernetes/
├── bin    # binaries
├── cfg    # configuration files
├── log    # log files
└── ssl    # certificate files
# Set the environment variable
[root@linux-node1 src]# vim ~/.bash_profile
PATH=$PATH:$HOME/bin:/opt/kubernetes/bin
[root@linux-node1 src]# source ~/.bash_profile
Set up SSH trust between node1 and node2, node3.
# These operations must be performed on all three machines
3. Extract the software packages
Download the packages for production use from: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md
[root@linux-node1 src]# tar zxf kubernetes.tar.gz
[root@linux-node1 src]# tar zxf kubernetes-server-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf kubernetes-client-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf kubernetes-node-linux-amd64.tar.gz
# Directory layout after extraction
[root@linux-node1 kubernetes]# tree -L 1
.
├── addons
├── client
├── cluster
├── docs
├── examples
├── hack
├── kubernetes-src.tar.gz
├── LICENSES
├── node
├── README.md
├── server
├── third_party
└── version
Create the CA Certificates Manually
The components of a Kubernetes system use TLS certificates to encrypt their communication, so we use the simple cfssl tool to create the certificates.
1. Install CFSSL
Official download site: http://pkg.cfssl.org/
[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@linux-node1 src]# chmod +x cfssl*
[root@linux-node1 src]# mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@linux-node1 src]# mv cfssljson_linux-amd64 /opt/kubernetes/bin/cfssljson
[root@linux-node1 src]# mv cfssl_linux-amd64 /opt/kubernetes/bin/cfssl
Copy the cfssl binaries to the k8s-node1 and k8s-node2 nodes. If there are more nodes in practice, copy the binaries to all of them as well.
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 192.168.56.12:/opt/kubernetes/bin
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 192.168.56.13:/opt/kubernetes/bin
2. Initialize cfssl
[root@linux-node1 src]# mkdir ssl && cd ssl
[root@linux-node1 ssl]# cfssl print-defaults config > config.json
[root@linux-node1 ssl]# cfssl print-defaults csr > csr.json
3. Create the JSON configuration file used to generate the CA files
[root@linux-node1 ssl]# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}
EOF
4. Create the JSON configuration file for the CA certificate signing request (CSR)
[root@linux-node1 ssl]# cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
5. Generate the CA certificate (ca.pem) and key (ca-key.pem)
[root@linux-node1 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/09/23 10:34:22 [INFO] generating a new CA key and certificate from CSR
2018/09/23 10:34:22 [INFO] generate received request
2018/09/23 10:34:22 [INFO] received CSR
2018/09/23 10:34:22 [INFO] generating key: rsa-2048
2018/09/23 10:34:22 [INFO] encoded CSR
2018/09/23 10:34:22 [INFO] signed certificate with serial number 161286743416433900753457100736307286744657350542
[root@linux-node1 ssl]# ls -l ca*
-rw-r--r-- 1 root root  290 Sep 23 10:32 ca-config.json
-rw-r--r-- 1 root root 1001 Sep 23 10:34 ca.csr
-rw-r--r-- 1 root root  208 Sep 23 10:33 ca-csr.json
-rw------- 1 root root 1679 Sep 23 10:34 ca-key.pem
-rw-r--r-- 1 root root 1359 Sep 23 10:34 ca.pem
6. Distribute the certificates
[root@linux-node1 ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
SCP the certificates to the k8s-node1 and k8s-node2 nodes
[root@linux-node1 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.12:/opt/kubernetes/ssl
[root@linux-node1 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json 192.168.56.13:/opt/kubernetes/ssl
# Any node added later also needs the certificates distributed to it
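Step 6 copies ca-key.pem, the CA private key, to every node, so the -rw------- mode shown in step 5 has to hold on each copy and every node has to end up with the same ca.pem. The following check is an added example, not part of the original guide; the function names are assumptions, and it relies on GNU stat and sha256sum as shipped with CentOS.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are assumptions.
# Run on each node against /opt/kubernetes/ssl after the scp in step 6.

# Print one line per problem found in directory $1; return non-zero if any.
audit_ssl_dir() {
    local dir="$1" problems=0 f mode
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi
    # The CA certificate and its private key must both be present and non-empty.
    for f in ca.pem ca-key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING or empty: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    # Every private key (*-key.pem) must be accessible by its owner only,
    # like the -rw------- that cfssljson gave ca-key.pem in step 5.
    for f in "$dir"/*-key.pem; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
            echo "LOOSE mode $mode on private key: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Print the SHA-256 of ca.pem in directory $1 (compare this value across nodes).
ca_fingerprint() {
    [ -f "$1/ca.pem" ] || return 1
    sha256sum "$1/ca.pem" | cut -d' ' -f1
}

# Succeed only if both directories hold a byte-for-byte identical ca.pem.
same_ca() {
    local a b
    a=$(ca_fingerprint "$1") || return 1
    b=$(ca_fingerprint "$2") || return 1
    [ "$a" = "$b" ]
}
```

On a node, `audit_ssl_dir /opt/kubernetes/ssl && ca_fingerprint /opt/kubernetes/ssl` prints the fingerprint only when the directory passes, and the value should match the one printed on linux-node1.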