在开始安装 Kubernetes 之前,需要先将一些必要系统创建完成,其中 Etcd 就是 Kubernetes 最重要的一环,Kubernetes会将大部分信息储存于Etcd上,来提供给其他节点索取,以确保整个集群运作与沟通正常。
创建集群 CA 与 Certificates
在这部分,将会需要产生 client 与 server 的各组件 certificates,并且替 Kubernetes admin user 产生 client 证书。
- 建立/etc/etcd/ssl文件夹,然后进入目录。
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl
-
生成ca-config.json与etcd-ca-csr.json文件,并产生 CA 密钥: 生成ca-config.json文件
cat <
ca-config.json{ "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "87600h" } } }}EOF 生成etcd-ca-csr.json文件
cat <
etcd-ca-csr.json{ "CN": "etcd", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "SC", "ST": "ChengDu", "L": "ChengDu", "O": "etcd", "OU": "Etcd Security" } ]}EOF 生成证书
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare etcd-ca
- 生成etcd-csr.json文件,并产生 kube-apiserver certificate 证书: 生成etcd-csr.json文件
cat <
etcd-csr.json{ "CN": "etcd", "hosts": [ "127.0.0.1", "10.0.0.162" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "SC", "ST": "ChengDu", "L": "ChengDu", "O": "etcd", "OU": "Etcd Security" } ]}EOF 注意hosts更换成自己的IP,这里我的etcd只有一个节点并且在162节点上。
- 生成证书
cfssl gencert \ -ca=etcd-ca.pem \ -ca-key=etcd-ca-key.pem \ -config=ca-config.json \ -profile=kubernetes \ etcd-csr.json | cfssljson -bare etcd
Etcd 安装与设定
- 首先在master(162)节点下载 Etcd,并解压缩放到 /opt 底下与安装:
export ETCD_URL="https://github.com/coreos/etcd/releases/download" cd && wget -qO- "${ETCD_URL}/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz" | tar -zxmv etcd-v3.2.9-linux-amd64/etcd* /usr/local/bin/ && rm -rf etcd-v3.2.9-linux-amd64 - 完成后新建 Etcd Group 与 User,并建立 Etcd 配置文件目录:
groupadd etcd && useradd -c "Etcd user" -g etcd -s /sbin/nologin -r etcd
- 配置etcd.conf和etcd.service 生成etcd.conf
cat <
/etc/etcd/etcd.conf# [member]ETCD_NAME=node162ETCD_DATA_DIR=/var/lib/etcdETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379ETCD_PROXY=off# [cluster]ETCD_ADVERTISE_CLIENT_URLS=https://10.0.0.162:2379ETCD_INITIAL_ADVERTISE_PEER_URLS=https://10.0.0.162:2380ETCD_INITIAL_CLUSTER=node162=https://10.0.0.162:2380ETCD_INITIAL_CLUSTER_STATE=newETCD_INITIAL_CLUSTER_TOKEN=etcd-k8s-cluster# [security]ETCD_CERT_FILE="/etc/etcd/ssl/etcd.pem"ETCD_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"ETCD_CLIENT_CERT_AUTH="true"ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"ETCD_AUTO_TLS="true"ETCD_PEER_CERT_FILE="/etc/etcd/ssl/etcd.pem"ETCD_PEER_KEY_FILE="/etc/etcd/ssl/etcd-key.pem"ETCD_PEER_CLIENT_CERT_AUTH="true"ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/etcd-ca.pem"ETCD_PEER_AUTO_TLS="true"EOF 若与该教程 IP 不同的话,请用自己 IP 取代10.0.0.162。
生成etcd.servicecat <
/lib/systemd/system/etcd.service[Unit]Description=Etcd ServiceAfter=network.target[Service]Environment=ETCD_DATA_DIR=/var/lib/etcd/defaultEnvironmentFile=-/etc/etcd/etcd.confType=notifyUser=etcdPermissionsStartOnly=trueExecStart=/usr/local/bin/etcdRestart=on-failureRestartSec=10LimitNOFILE=65536[Install]WantedBy=multi-user.targetEOF -
通过简单指令验证:
export CA="/etc/etcd/ssl"ETCDCTL_API=3 etcdctl \ --cacert=${CA}/etcd-ca.pem \ --cert=${CA}/etcd.pem \ --key=${CA}/etcd-key.pem \ --endpoints="https://10.0.0.162:2379" \ endpoint health若与该教程 IP 不同的话,请用自己 IP 取代10.0.0.162。