公众号关注「WeiyiGeek」
设为「特别关注」,每天带你玩转网络安全运维、应用开发、物联网IOT学习!
[图片上传失败...(image-1b0721-1652954316553)]
本章目录:
-
0x00 前言简述
-
0x01 环境准备
-
主机规划
-
软件版本
-
网络规划
- 0x02 安装部署
-
1.基础主机环境准备配置
-
2.负载均衡管理工具安装与内核加载
-
3.高可用HAproxy与Keepalived软件安装配置
-
4.配置部署etcd集群与etcd证书签发
-
5.Containerd 运行时安装部署
温馨提示: 由于实践篇幅太长,此处分为上下两节进行发布。
0x00 前言简述
描述: 在我博客以及前面的文章之中讲解Kubernetes相关集群环境的搭建, 随着K8S及其相关组件的迭代, 与读者当前接触的版本有所不同,所以在当前【2022年4月26日 10:08:29】时间节点,博主使用ubuntu 20.04 、haproxy、keepalive、containerd、etcd、kubeadm、kubectl 等相关工具插件【最新或者稳定的版本】进行实践高可用的kubernetes集群的搭建,这里不再对k8s等相关基础知识做介绍,如有新入门的童鞋,请访问如下【博客文章】(https://blog.weiyigeek.top/tags/k8s/) 或者【B站专栏】(https://www.bilibili.com/read/readlist/rl520875?spm_id_from=333.999.0.0) 按照顺序学习。
简述
Kubernetes(后续简称k8s)是 Google(2014年6月) 开源的一个容器编排引擎,使用Go语言开发,它支持自动化部署、大规模可伸缩、以及云平台中多个主机上的容器化应用进行管理。其目标是让部署容器化的应用更加简单并且高效,提供了资源调度、部署管理、服务发现、扩容缩容、状态 监控、维护等一整套功能, 努力成为跨主机集群的自动化部署、自动化扩展以及运行应用程序容器的平台,它支持一些列CNCF毕业项目,包括 Containerd、calico 等 。
0x01 环境准备
主机规划
主机地址 | 主机名称 | 主机配置 | 主机角色 | 软件组件 |
---|---|---|---|---|
10.10.107.223 | master-223 | 4C/4G/ | 控制节点 | |
10.10.107.224 | master-224 | 4C/4G | 控制节点 | |
10.10.107.225 | master-225 | 4C/8G | 控制节点 | |
10.10.107.226 | node-1 | 4C/2G | 工作节点 | |
10.10.107.227 | node-2 | 4C/2G | 工作节点 | |
10.10.107.222 | weiyigeek.cluster.k8s | - | 虚拟VIP | 虚拟网卡地址 |
温馨提示: 此处使用的是 Ubuntu 20.04 操作系统, 该系统已做安全加固和内核优化符合等保2.0要求【SecOpsDev/Ubuntu-InitializeSecurity.sh at master · WeiyiGeek/SecOpsDev (github.com)】, 如你的Linux未进行相应配置环境可能与读者有些许差异, 如需要进行(windows server 、Ubuntu、CentOS)安全加固请参照如下加固脚本进行加固, 请大家疯狂的 star 。
加固脚本地址:【 https://github.com/WeiyiGeek/SecOpsDev/blob/master/OS-操作系统/Linux/Ubuntu/Ubuntu-InitializeSecurity.sh 】
软件版本
操作系统
- Ubuntu 20.04 LTS - 5.4.0-107-generic
TLS证书签发
-
cfssl - v1.6.1
-
cfssl-certinfo - v1.6.1
-
cfssljson - v1.6.1
高可用软件
-
ipvsadm - 1:1.31-1
-
haproxy - 2.0.13-2
-
keepalived - 1:2.0.19-2
ETCD数据库
- etcd - v3.5.4
容器运行时
- containerd.io - 1.6.4
Kubernetes
-
kubeadm - v1.23.6
-
kube-apiserver - v1.23.6
-
kube-controller-manager - v1.23.6
-
kubectl - v1.23.6
-
kubelet - v1.23.6
-
kube-proxy - v1.23.6
-
kube-scheduler - v1.23.6
网络插件&辅助软件
calico - v3.22
coredns - v1.9.1
kubernetes-dashboard - v2.5.1
k9s - v0.25.18
网络规划
子网 Subnet | 网段 | 备注 |
---|---|---|
nodeSubnet | 10.10.107.0/24 | C1 |
ServiceSubnet | 10.96.0.0/16 | C2 |
PodSubnet | 10.128.0.0/16 | C3 |
温馨提示: 上述环境所使用的到相关软件及插件我已打包, 方便大家进行下载,可访问如下链接(访问密码请访问 WeiyiGeek 公众号回复【k8s二进制】获取)。
下载地址: http://share.weiyigeek.top/f/36158960-578443238-a1a5fa (访问密码:点击访问 WeiyiGeek 公众号回复【k8s二进制】)
[图片上传失败...(image-8424b3-1652954316553)]
/kubernetes-cluster-binary-install# tree ..├── calico│ └── calico-v3.22.yaml├── certificate│ ├── admin-csr.json│ ├── apiserver-csr.json│ ├── ca-config.json│ ├── ca-csr.json│ ├── cfssl│ ├── cfssl-certinfo│ ├── cfssljson│ ├── controller-manager-csr.json│ ├── etcd-csr.json│ ├── kube-scheduler-csr.json│ ├── proxy-csr.json│ └── scheduler-csr.json├── containerd.io│ └── config.toml├── coredns│ ├── coredns.yaml│ ├── coredns.yaml.sed│ └── deploy.sh├── cri-containerd-cni-1.6.4-linux-amd64.tar.gz├── etcd-v3.5.4-linux-amd64.tar.gz├── k9s├── kubernetes-dashboard│ ├── kubernetes-dashboard.yaml│ └── rbac-dashboard-admin.yaml├── kubernetes-server-linux-amd64.tar.gz└── nginx.yaml
0x02 安装部署
1.基础主机环境准备配置
步骤 01.【所有主机】主机名设置按照上述主机规划进行设置。
# 例如, 在10.10.107.223主机中运行。hostnamectl set-hostname master-223# 例如, 在10.10.107.227主机中运行。hostnamectl set-hostname node-2
步骤 02.【所有主机】将规划中的主机名称与IP地址进行硬解析。
sudo tee -a /etc/hosts <<'EOF'10.10.107.223 master-22310.10.107.224 master-22410.10.107.225 master-22510.10.107.226 node-110.10.107.227 node-210.10.107.222 weiyigeek.cluster.k8sEOF
步骤 03.验证每个节点上IP、MAC 地址和 product_uuid 的唯一性,保证其能相互正常通信
# 使用命令 ip link 或 ifconfig -a 来获取网络接口的 MAC 地址ifconfig -a# 使用命令 查看 product_uuid 校验sudo cat /sys/class/dmi/id/product_uuid
步骤 04.【所有主机】系统时间同步与时区设置
date -Rsudo ntpdate ntp.aliyun.comsudo timedatectl set-timezone Asia/Shanghai# 或者# sudo dpkg-reconfigure tzdatasudo timedatectl set-local-rtc 0timedatectl
步骤 05.【所有主机】禁用系统交换分区
swapoff -a && sed -i 's|^/swap.img|#/swap.ing|g' /etc/fstab# 验证交换分区是否被禁用free | grep "Swap:"
步骤 07.【所有主机】系统内核参数调整
# 禁用 swap 分区egrep -q "^(#)?vm.swappiness.*" /etc/sysctl.conf && sed -ri "s|^(#)?vm.swappiness.*|vm.swappiness = 0|g" /etc/sysctl.conf || echo "vm.swappiness = 0" >> /etc/sysctl.conf# 允许转发egrep -q "^(#)?net.ipv4.ip_forward.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv4.ip_forward.*|net.ipv4.ip_forward = 1|g" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf# - 允许 iptables 检查桥接流量egrep -q "^(#)?net.bridge.bridge-nf-call-iptables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-iptables.*|net.bridge.bridge-nf-call-iptables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.confegrep -q "^(#)?net.bridge.bridge-nf-call-ip6tables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-ip6tables.*|net.bridge.bridge-nf-call-ip6tables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
步骤 07.【所有主机】禁用系统防火墙
ufw disable && systemctl disable ufw && systemctl stop ufw
步骤 08.【master-225 主机】使用 master-225 主机的公钥免账号密码登陆其它主机(可选)方便文件在各主机上传下载。
# 生成ed25519格式的公密钥sh-keygen -t ed25519# 例如,在master-225 主机上使用密钥登录到 master-223 设置 (其它主机同样)ssh-copy-id -p 20211 weiyigeek@10.10.107.223 # /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub" # Are you sure you want to continue connecting (yes/no/[fingerprint])? yes # 输入yes # weiyigeek@10.10.107.223s password: # 输入主机密码 # Number of key(s) added: 1 # Now try logging into the machine, with: "ssh -p '20211' 'weiyigeek@10.10.107.223'" # and check to make sure that only the key(s) you wanted were added.ssh-copy-id -p 20211 weiyigeek@10.10.107.224ssh-copy-id -p 20211 weiyigeek@10.10.107.226ssh-copy-id -p 20211 weiyigeek@10.10.107.227
2.负载均衡管理工具安装与内核加载
步骤 01.安装ipvs模块以及负载均衡相关依赖。
# 查看可用版本sudo apt-cache madison ipvsadm # ipvsadm | 1:1.31-1 | http://mirrors.aliyun.com/ubuntu focal/main amd64 Packages# 安装sudo apt -y install ipvsadm ipset sysstat conntrack# 锁定版本 apt-mark hold ipvsadm # ipvsadm set on hold.
步骤 02.将模块加载到内核中(开机自动设置-需要重启机器生效)
tee /etc/modules-load.d/k8s.conf <<'EOF'# netfilterbr_netfilter# containerdoverlay# nf_conntracknf_conntrack# ipvsip_vsip_vs_lcip_vs_lblcip_vs_lblcrip_vs_rrip_vs_wrrip_vs_ship_vs_dhip_vs_foip_vs_nqip_vs_sedip_vs_ftpip_tablesip_setipt_setipt_rpfilteript_REJECTipipxt_setEOF
步骤 03.手动加载模块到内核中
mkdir -vp /etc/modules.d/tee /etc/modules.d/k8s.modules <<'EOF'#!/bin/bash# netfilter 模块 允许 iptables 检查桥接流量modprobe -- br_netfilter# containerdmodprobe -- overlay# nf_conntrackmodprobe -- nf_conntrack# ipvsmodprobe -- ip_vsmodprobe -- ip_vs_lcmodprobe -- ip_vs_lblcmodprobe -- ip_vs_lblcrmodprobe -- ip_vs_rrmodprobe -- ip_vs_wrrmodprobe -- ip_vs_shmodprobe -- ip_vs_dhmodprobe -- ip_vs_fomodprobe -- ip_vs_nqmodprobe -- ip_vs_sedmodprobe -- ip_vs_ftpmodprobe -- ip_tablesmodprobe -- ip_setmodprobe -- ipt_setmodprobe -- ipt_rpfiltermodprobe -- ipt_REJECTmodprobe -- ipipmodprobe -- xt_setEOFchmod 755 /etc/modules.d/k8s.modules && bash /etc/modules.d/k8s.modules && lsmod | grep -e ip_vs -e nf_conntrack # ip_vs_sh 16384 0 # ip_vs_wrr 16384 0 # ip_vs_rr 16384 0 # ip_vs 155648 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr # nf_conntrack 139264 1 ip_vs # nf_defrag_ipv6 24576 2 nf_conntrack,ip_vs # nf_defrag_ipv4 16384 1 nf_conntrack # libcrc32c 16384 5 nf_conntrack,btrfs,xfs,raid456,ip_vssysctl --system
温馨提示: 在 kernel 4.19 版本及以上将使用 nf_conntrack 模块, 则在 4.18 版本以下则需使用nf_conntrack_ipv4 模块。
3.高可用HAproxy与Keepalived软件安装配置
描述: 由于是测试学习环境, 此处我未专门准备两台HA服务器, 而是直接采用master节点机器,如果是正式环境建议独立出来。
步骤 01.【Master节点机器】安装下载 haproxy (HA代理健康检测) 与 keepalived (虚拟路由协议-主从)。
# 查看可用版本sudo apt-cache madison haproxy keepalived # haproxy | 2.0.13-2ubuntu0.5 | http://mirrors.aliyun.com/ubuntu focal-security/main amd64 Packages # keepalived | 1:2.0.19-2ubuntu0.2 | http://mirrors.aliyun.com/ubuntu focal-updates/main amd64 Packages# 安装sudo apt -y install haproxy keepalived# 锁定版本 apt-mark hold haproxy keepalived
步骤 02.【Master节点机器】进行 HAProxy 配置,其配置目录为 /etc/haproxy/
,所有节点配置是一致的。
sudo cp /etc/haproxy/haproxy.cfg{,.bak}tee /etc/haproxy/haproxy.cfg<<'EOF'global user haproxy group haproxy maxconn 2000 daemon log /dev/log local0 log /dev/log local1 err chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners stats timeout 30s # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-ticketsdefaults log global mode http option httplog option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 timeout http-request 15s timeout http-keep-alive 15s # errorfile 400 /etc/haproxy/errors/400.http # errorfile 403 /etc/haproxy/errors/403.http # errorfile 408 /etc/haproxy/errors/408.http # errorfile 500 /etc/haproxy/errors/500.http # errorfile 502 /etc/haproxy/errors/502.http # errorfile 503 /etc/haproxy/errors/503.http # errorfile 504 /etc/haproxy/errors/504.http# 注意: 管理HAproxy (可选)# frontend monitor-in# bind *:33305# mode http# option httplog# monitor-uri /monitor# 注意: 基于四层代理, 1644 3为VIP的 ApiServer 控制平面端口, 由于是与master节点在一起所以不能使用6443端口.frontend k8s-master bind 0.0.0.0:16443 bind 127.0.0.1:16443 mode tcp option tcplog tcp-request inspect-delay 5s default_backend k8s-master# 注意: Master 节点的默认 Apiserver 是6443端口backend k8s-master mode tcp option tcplog option tcp-check balance roundrobin default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 server master-223 10.10.107.223:6443 check server master-224 10.10.107.224:6443 check server master-225 10.10.107.225:6443 checkEOF
步骤 03.【Master节点机器】进行 置KeepAlived 配置 ,其配置目录为 /etc/haproxy/
# 创建配置目录,分别在各个master节点执行。mkdir -vp /etc/keepalived# __ROLE__ 角色: MASTER 或者 BACKUP# __NETINTERFACE__ 宿主机物理网卡名称 例如我的ens32# __IP__ 宿主机物理IP地址# __VIP__ 虚拟VIP地址sudo tee /etc/keepalived/keepalived.conf <<'EOF'! Configuration File for keepalivedglobal_defs { router_id LVS_DEVELscript_user root enable_script_security}vrrp_script chk_apiserver { script "/etc/keepalived/check_apiserver.sh" interval 5 weight -5 fall 2 rise 1}vrrp_instance VI_1 { state __ROLE__ interface __NETINTERFACE__ mcast_src_ip __IP__ virtual_router_id 51 priority 101 advert_int 2 authentication { auth_type PASS auth_pass K8SHA_KA_AUTH } virtual_ipaddress { __VIP__ } # HA 健康检查 # track_script { # chk_apiserver # }}EOF# 此处 master-225 性能较好所以配置为Master (master-225 主机上执行)# master-225 10.10.107.225 => MASTERsed -i -e 's#__ROLE__#MASTER#g' \ -e 's#__NETINTERFACE__#ens32#g' \ -e 's#__IP__#10.10.107.225#g' \ -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf # master-224 10.10.107.224 => BACKUP (master-224 主机上执行)sed -i -e 's#__ROLE__#BACKUP#g' \ -e 's#__NETINTERFACE__#ens32#g' \ -e 's#__IP__#10.10.107.224#g' \ -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf # master-223 10.10.107.223 => BACKUP (master-223 主机上执行)sed -i -e 's#__ROLE__#BACKUP#g' \ -e 's#__NETINTERFACE__#ens32#g' \ -e 's#__IP__#10.10.107.223#g' \ -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf
温馨提示: 注意上述的健康检查是关闭注释了的,你需要将K8S集群建立完成后再开启。
track_script { chk_apiserver}
步骤 04.【Master节点机器】进行配置 KeepAlived 健康检查文件。
sudo tee /etc/keepalived/check_apiserver.sh <<'EOF'#!/bin/basherr=0for k in $(seq 1 3)do check_code=$(pgrep haproxy) if [[ $check_code == "" ]]; then err=$(expr $err + 1) sleep 1 continue else err=0 break fidoneif [[ $err != "0" ]]; then echo "systemctl stop keepalived" /usr/bin/systemctl stop keepalived exit 1else exit 0fiEOFsudo chmod +x /etc/keepalived/check_apiserver.sh
步骤 05.【Master节点机器】启动 haproxy 、keepalived 相关服务及测试VIP漂移。
# 重载 Systemd 设置 haproxy 、keepalived 开机自启以及立即启动sudo systemctl daemon-reloadsudo systemctl enable --now haproxy && sudo systemctl enable --now keepalived# Synchronizing state of haproxy.service with SysV service script with /lib/systemd/systemd-sysv-install.# Executing: /lib/systemd/systemd-sysv-install enable haproxy# Synchronizing state of keepalived.service with SysV service script with /lib/systemd/systemd-sysv-install.# Executing: /lib/systemd/systemd-sysv-install enable keepalived# 在 master-223 主机中发现vip地址在其主机上。root@master-223:~$ ip addr # 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 # link/ether 00:0c:29:00:0f:8f brd ff:ff:ff:ff:ff:ff # inet 10.10.107.223/24 brd 10.10.107.255 scope global ens32 # valid_lft forever preferred_lft forever # inet 10.10.107.222/32 scope global ens32 # valid_lft forever preferred_lft forever# 其它两台主机上通信验证。root@master-224:~$ ping 10.10.107.222root@master-225:~$ ping 10.10.107.222
# 手动验证VIP漂移,我们将该服务器上keepalived停止掉。root@master-223:~$ pgrep haproxy # 6320 # 6321root@master-223:~$ /usr/bin/systemctl stop keepalived# 此时,发现VIP已经飘到master-225主机中root@master-225:~$ ip addr show ens32 # 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 # link/ether 00:0c:29:93:28:61 brd ff:ff:ff:ff:ff:ff # inet 10.10.107.225/24 brd 10.10.107.255 scope global ens32 # valid_lft forever preferred_lft forever # inet 10.10.107.222/32 scope global ens32 # valid_lft forever preferred_lft forever
至此,HAProxy 与 Keepalived 配置就告一段落了,下面将学习 ETCD 集群配置与证书签发。
4.配置部署etcd集群与etcd证书签发
描述: 创建一个高可用的ETCD集群,此处我们在【master-225】机器中操作。
步骤 01.【master-225】创建一个配置与相关文件存放的目录, 以及下载获取cfssl工具进行CA证书制作与签发(cfssl工具往期文章参考地址: https://blog.weiyigeek.top/2019/10-21-12.html#3-CFSSL-生成 )。
# 工作目录创建mkdir -vp /app/k8s-init-work && cd /app/k8s-init-work# cfssl 最新下载地址: https://github.com/cloudflare/cfssl/releases# cfssl 相关工具拉取 (如果拉取较慢,建议使用某雷下载,然后上传到服务器里)curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o /usr/local/bin/cfsslcurl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o /usr/local/bin/cfssljsoncurl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64 -o /usr/local/bin/cfssl-certinfo# 赋予执行权限chmod +x /usr/local/bin/cfssl*/app# cfssl version# Version: 1.2.0# Revision: dev# Runtime: go1.6
温馨提示:
-
cfssl : CFSSL 命令行工具
-
cfssljson : 用于从cfssl程序中获取JSON输出并将证书、密钥、证书签名请求文件CSR和Bundle写入到文件中,
步骤 02.利用上述 cfssl 工具创建 CA 证书。
# - CA 证书签名请求配置文件fssl print-defaults csr > ca-csr.jsontee ca-csr.json <<'EOF'{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "ChongQing", "ST": "ChongQing", "O": "k8s", "OU": "System" } ], "ca": { "expiry": "87600h" }}EOF# 关键参数解析:CN: Common Name,浏览器使用该字段验证网站是否合法,一般写的是域名,非常重要。浏览器使用该字段验证网站是否合法key:生成证书的算法hosts:表示哪些主机名(域名)或者IP可以使用此csr申请的证书,为空或者""表示所有的都可以使用(本例中没有`"hosts": [""]`字段)names:常见属性设置 * C: Country, 国家 * ST: State,州或者是省份 * L: Locality Name,地区,城市 * O: Organization Name,组织名称,公司名称(在k8s中常用于指定Group,进行RBAC绑定) * OU: Organization Unit Name,组织单位名称,公司部门# - CA 证书策略配置文件cfssl print-defaults config > ca-config.jsontee ca-config.json <<'EOF'{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] }, "etcd": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } }}EOF# 关键参数解析:default 默认策略,指定了证书的默认有效期是10年(87600h)profile 自定义策略配置 * kubernetes:表示该配置(profile)的用途是为kubernetes生成证书及相关的校验工作 * signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE * server auth:表示可以该CA 对 server 提供的证书进行验证 * client auth:表示可以用该 CA 对 client 提供的证书进行验证 * expiry:也表示过期时间,如果不写以default中的为准# - 执行cfssl gencert 命令生成CA证书# 利用CA证书签名请求配置文件 ca-csr.json 生成CA证书和CA私钥和CSR(证书签名请求):cfssl gencert -initca ca-csr.json | cfssljson -bare ca # 2022/04/27 16:49:37 [INFO] generating a new CA key and certificate from CSR # 2022/04/27 16:49:37 [INFO] generate received request # 2022/04/27 16:49:37 [INFO] received CSR # 2022/04/27 16:49:37 [INFO] generating key: rsa-2048 # 2022/04/27 16:49:37 [INFO] encoded CSR # 2022/04/27 16:49:37 [INFO] signed certificate with serial number 245643466964695827922023924375276493244980966303$ ls # ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem$ openssl x509 -in ca.pem -text -noout | grep "Not" # Not Before: Apr 27 08:45:00 2022 GMT # Not After : Apr 24 08:45:00 2032 GMT
温馨提示: 如果将 expiry 设置为87600h 表示证书过期时间为十年。
步骤 03.配置ETCD证书相关文件以及生成其证书,
# etcd 证书请求文件tee etcd-csr.json <<'EOF'{ "CN": "etcd", "hosts": [ "127.0.0.1", "10.10.107.223", "10.10.107.224", "10.10.107.225", "etcd1", "etcd2", "etcd3" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "ChongQing", "ST": "ChongQing", "O": "etcd", "OU": "System" } ]}EOF# 利用ca证书签发生成etcd证书cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd$ ls etcd*etcd.csr etcd-csr.json etcd-key.pem etcd.pem$ openssl x509 -in etcd.pem -text -noout | grep "X509v3 Subject Alternative Name" -A 1 # X509v3 Subject Alternative Name: # DNS:etcd1, DNS:etcd2, DNS:etcd3, IP Address:127.0.0.1, IP Address:10.10.107.223, IP Address:10.10.107.224, IP Address:10.10.107.225
步骤 04.【所有Master节点主机】下载部署ETCD集群, 首先我们需要下载etcd软件包, 可以 Github release 找到最新版本的etcd下载路径(https://github.com/etcd-io/etcd/releases/)。
# 下载wget -L https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gztar -zxvf etcd-v3.5.4-linux-amd64.tar.gzcp -a etcd* /usr/local/bin/# 版本 etcd --version # etcd Version: 3.5.4 # Git SHA: 08407ff76 # Go Version: go1.16.15 # Go OS/Arch: linux/amd64# 复制到其它master主机上scp -P 20211 ./etcd-v3.5.4-linux-amd64.tar.gz weiyigeek@master-223:~scp -P 20211 ./etcd-v3.5.4-linux-amd64.tar.gz weiyigeek@master-224:~# 分别在master-223与master-224执行, 解压到 /usr/local/ 目录同样复制二进制文件到 /usr/local/bin/tar -zxvf /home/weiyigeek/etcd-v3.5.4-linux-amd64.tar.gz -C /usr/local/cp -a /usr/local/etcd-v3.5.4-linux-amd64/etcd* /usr/local/bin/
温馨提示: etcd 官网地址 ( https://etcd.io/)
步骤 05.创建etcd集群所需的配置文件。
# 证书准备mkdir -vp /etc/etcd/pki/cp *.pem /etc/etcd/pki/ls /etc/etcd/pki/ # ca-key.pem ca.pem etcd-key.pem etcd.pem# 上传到~家目录,并需要将其复制到 /etc/etcd/pki/ 目录中scp -P 20211 *.pem weiyigeek@master-224:~scp -P 20211 *.pem weiyigeek@master-223:~ # ****************** [ 安全登陆 (Security Login) ] ***************** # Authorized only. All activity will be monitored and reported.By Security Center. # ca-key.pem 100% 1675 3.5MB/s 00:00 # ca.pem 100% 1375 5.2MB/s 00:00 # etcd-key.pem 100% 1679 7.0MB/s 00:00 # etcd.pem 100% 1399 5.8MB/s 00:00# master-225 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd1# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.225:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.225:2380"# [证书配置]# ETCD_CERT_FILE=/etc/etcd/pki/etcd.pem# ETCD_KEY_FILE=/etc/etcd/pki/etcd-key.pem# ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem# ETCD_CLIENT_CERT_AUTH=true# ETCD_PEER_CLIENT_CERT_AUTH=true# ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd.pem# ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd-key.pem# ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem# [集群配置]# 本机地址用于通知客户端,客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.225:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.225:2380"# 描述集群中所有节点的信息,本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF# master-224 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd2# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.224:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.224:2380"# [集群配置]# 本机地址用于通知客户端,客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.224:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.224:2380"# 描述集群中所有节点的信息,本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF# master-223 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd3# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.223:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.223:2380"# [集群配置]# 本机地址用于通知客户端,客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.223:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.223:2380"# 描述集群中所有节点的信息,本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF
步骤 06.【所有Master节点主机】创建配置 etcd 的 systemd 管理配置文件,并启动其服务。
mkdir -vp /var/lib/etcd/cat > /usr/lib/systemd/system/etcd.service <<EOF[Unit]Description=Etcd ServerDocumentation=https://github.com/etcd-io/etcdAfter=network.targetAfter=network-online.targetwants=network-online.target[Service]Type=notifyWorkingDirectory=/var/lib/etcd/EnvironmentFile=-/etc/etcd/etcd.confExecStart=/usr/local/bin/etcd \ --client-cert-auth \ --trusted-ca-file /etc/etcd/pki/ca.pem \ --cert-file /etc/etcd/pki/etcd.pem \ --key-file /etc/etcd/pki/etcd-key.pem \ --peer-client-cert-auth \ --peer-trusted-ca-file /etc/etcd/pki/ca.pem \ --peer-cert-file /etc/etcd/pki/etcd.pem \ --peer-key-file /etc/etcd/pki/etcd-key.pemRestart=on-failureRestartSec=5LimitNOFILE=65535LimitNPROC=65535[Install]WantedBy=multi-user.targetEOF# 重载 systemd && 开机启动与手动启用etcd服务systemctl daemon-reload && systemctl enable --now etcd.service
步骤 07.【所有Master节点主机】查看各个master节点的etcd集群服务是否正常及其健康状态。
# 服务查看systemctl status etcd.service# 利用 etcdctl 工具查看集群成员信息export ETCDCTL_API=3etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" \--write-out=table member list # +------------------+---------+-------+----------------------------+----------------------------+------------+ # | ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER | # +------------------+---------+-------+----------------------------+----------------------------+------------+ # | 144934d02ad45ec7 | started | etcd3 | https://10.10.107.223:2380 | https://10.10.107.223:2379 | false | # | 2480d95a2df867a4 | started | etcd2 | https://10.10.107.224:2380 | https://10.10.107.224:2379 | false | # | 2e8fddd3366a3d88 | started | etcd1 | https://10.10.107.225:2380 | https://10.10.107.225:2379 | false | # +------------------+---------+-------+----------------------------+----------------------------+------------+# 集群节点信息etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" \--write-out=table endpoint status # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+ # | ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS | # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+ # | https://10.10.107.225:2379 | 2e8fddd3366a3d88 | 3.5.4 | 20 kB | false | false | 3 | 12 | 12 | | # | https://10.10.107.224:2379 | 2480d95a2df867a4 | 3.5.4 | 20 kB | true | false | 3 | 12 | 12 | | # | https://10.10.107.223:2379 | 144934d02ad45ec7 | 3.5.4 | 20 kB | false | false | 3 | 12 | 12 | | # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+# 集群节点健康状态etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" \--write-out=table endpoint health # +----------------------------+--------+-------------+-------+ # | ENDPOINT | HEALTH | TOOK | ERROR | # +----------------------------+--------+-------------+-------+ # | https://10.10.107.225:2379 | true | 9.151813ms | | # | https://10.10.107.224:2379 | true | 10.965914ms | | # | https://10.10.107.223:2379 | true | 11.165228ms | | # +----------------------------+--------+-------------+-------+# 集群节点性能测试etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" \--write-out=tableendpoint check perf# 59 / 60 Boooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooom ! 98.33%PASS: Throughput is 148 writes/s# Slowest request took too long: 1.344053s# Stddev too high: 0.143059s# FAIL
5.Containerd 运行时安装部署
步骤 01.【所有节点】在各主机中安装二进制版本的 containerd.io 运行时服务,Kubernertes 通过 CRI 插件来连接 containerd 服务中, 控制容器的生命周期。
# 从 Github 中下载最新的版本的 cri-containerd-cni wget -L https://github.com/containerd/containerd/releases/download/v1.6.4/cri-containerd-cni-1.6.4-linux-amd64.tar.gz# 解压到当前cri-containerd-cni目录中。mkdir -vp cri-containerd-cnitar -zxvf cri-containerd-cni-1.6.4-linux-amd64.tar.gz -C cri-containerd-cni
步骤 02.查看其文件以及配置文件路径信息。
$ tree ./cri-containerd-cni/.├── etc│ ├── cni│ │ └── net.d│ │ └── 10-containerd-net.conflist│ ├── crictl.yaml│ └── systemd│ └── system│ └── containerd.service├── opt│ ├── cni│ │ └── bin│ │ ├── bandwidth│ │ ├── bridge│ │ ├── dhcp│ │ ├── firewall│ │ ├── host-device│ │ ├── host-local│ │ ├── ipvlan│ │ ├── loopback│ │ ├── macvlan│ │ ├── portmap│ │ ├── ptp│ │ ├── sbr│ │ ├── static│ │ ├── tuning│ │ ├── vlan│ │ └── vrf│ └── containerd│ └── cluster│ ├── gce│ │ ├── cloud-init│ │ │ ├── master.yaml│ │ │ └── node.yaml│ │ ├── cni.template│ │ ├── configure.sh│ │ └── env│ └── version└── usr └── local ├── bin │ ├── containerd │ ├── containerd-shim │ ├── containerd-shim-runc-v1 │ ├── containerd-shim-runc-v2 │ ├── containerd-stress │ ├── crictl │ ├── critest │ ├── ctd-decoder │ └── ctr └── sbin └── runc# 然后在所有节点上复制到上述文件夹到对应目录中cd ./cri-containerd-cni/cp -r etc/ /cp -r opt/ /cp -r usr/ /
步骤 03.【所有节点】进行containerd 配置创建并修改 config.toml .
mkdir -vp /etc/containerd# 默认配置生成containerd config default >/etc/containerd/config.tomlls /etc/containerd/config.toml # /etc/containerd/config.toml# pause 镜像源sed -i "s#k8s.gcr.io/pause#registry.cn-hangzhou.aliyuncs.com/google_containers/pause#g" /etc/containerd/config.toml# 使用 SystemdCgroupsed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml# docker.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."docker.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://xlx9erfu.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml# gcr.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml# k8s.gcr.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."k8s.gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/","https://registry.cn-hangzhou.aliyuncs.com/google_containers/"]' /etc/containerd/config.toml# quay.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."quay.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://quay.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml
步骤 04.客户端工具 runtime 与 镜像 端点配置:
# 手动设置临时生效# crictl config runtime-endpoint /run/containerd/containerd.sock# /run/containerd/containerd.sock # 配置文件设置永久生效cat <<EOF > /etc/crictl.yamlruntime-endpoint: unix:///run/containerd/containerd.sockimage-endpoint: unix:///run/containerd/containerd.socktimeout: 10debug: falseEOF
步骤 05.重载 systemd自启和启动containerd.io服务。
systemctl daemon-reload && systemctl enable --now containerd.servicesystemctl status containerd.servicectr version # Client: # Version: 1.5.11 # Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8 # Go version: go1.17.8 # Server: # Version: 1.5.11 # Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8 # UUID: 71a28bbb-6ed6-408d-a873-e394d48b35d8
步骤 06.用于根据OCI规范生成和运行容器的CLI工具 runc 版本查看
runc -v # runc version 1.1.1 # commit: v1.1.1-0-g52de29d7 # spec: 1.0.2-dev # go: go1.17.9 # libseccomp: 2.5.1
温馨提示: 当默认 runc 执行提示 runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond
时,由于上述软件包中包含的runc对系统依赖过多,所以建议单独下载安装 runc 二进制项目(https://github.com/opencontainers/runc/)
wget https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64# 执行权限赋予chmod +x runc.amd64# 替换掉 /usr/local/sbin/ 路径原软件包中的 runcmv runc.amd64 /usr/local/sbin/runc
本文至此完毕,更多技术文章,尽情期待下一章节!
欢迎各位志同道合的朋友一起学习交流,如文章有误请在下方留下您宝贵的经验知识,个人邮箱地址【master#weiyigeek.top】
或者个人公众号【WeiyiGeek】
联系我。
更多文章来源于【WeiyiGeek Blog 个人博客 - 为了能到远方,脚下的每一步都不能少 】
个人主页: 【 https://weiyigeek.top】
博客地址: 【 https://blog.weiyigeek.top 】
专栏书写不易,如果您觉得这个专栏还不错的,请给这篇专栏 【点个赞、投个币、收个藏、关个注,转个发,留个言】(人间六大情),这将对我的肯定,谢谢!。
-
echo "【点个赞】,动动你那粗壮的拇指或者芊芊玉手,亲!"
-
printf("%s", "【投个币】,万水千山总是情,投个硬币行不行,亲!")
-
fmt.Printf("【收个藏】,阅后即焚不吃灰,亲!")
-
console.info("【转个发】,让更多的志同道合的朋友一起学习交流,亲!")
-
System.out.println("【关个注】,后续浏览查看不迷路哟,亲!")
-
cout << "【留个言】,文章写得好不好、有没有错误,一定要留言哟,亲! " << endl;
往期相关文章
记一次在k8s集群搭建的Harbor私有仓库无法提供服务之镜像迁移恢复实践
4.如何使用nerdctl工具并配合Containerd容器运行时来替代Docker容器环境
WeiyiGeek
Always keep a beginner's mind, don't forget the beginner's mind. Blog :【https://weiyigeek.top】
174篇原创内容
更多网络安全、系统运维、应用开发、全栈文章,尽在【个人博客 - https://blog.weiyigeek.top】站点,谢谢支持!
↓↓↓ 更多文章,请点击下方阅读原文。
网友评论