{"id":213,"date":"2025-12-15T21:24:00","date_gmt":"2025-12-15T13:24:00","guid":{"rendered":"https:\/\/www.gshcmy.top\/?p=213"},"modified":"2026-01-05T09:28:38","modified_gmt":"2026-01-05T01:28:38","slug":"kubernetes%e4%ba%8c%e8%bf%9b%e5%88%b6%e9%83%a8%e7%bd%b2%ef%bc%88%e6%9c%ac%e6%96%87%e5%8f%af%e8%83%bd%e6%9c%89%e9%94%99%e8%af%af%ef%bc%8c%e5%ad%a6%e4%b9%a0k8s%e7%8a%b6%e6%80%81%ef%bc%89","status":"publish","type":"post","link":"https:\/\/www.gshcmy.top\/?p=213","title":{"rendered":"Kubernetes\u4e8c\u8fdb\u5236\u90e8\u7f72\uff08\u672c\u6587\u53ef\u80fd\u6709\u9519\u8bef\uff0c\u5b66\u4e60k8s\u72b6\u6001\uff09"},"content":{"rendered":"\n

\u672c\u6587\u73af\u5883\uff1aVMware\u521b\u5efa\u7684\u865a\u62df\u673a<\/strong><\/p>\n\n\n\n

\u64cd\u4f5c\u7cfb\u7edf\uff1aubuntu22.04.4<\/strong><\/p>\n\n\n\n

\u8fdc\u7a0b\u8fde\u63a5\u5de5\u5177xshell8<\/strong><\/p>\n\n\n\n

\u4e3b\u673a\u73af\u5883\u51c6\u5907<\/h1>\n\n\n\n

1.\u4e3b\u673a<\/h2>\n\n\n\n
\u4e3b\u673a\u540d<\/td>ip<\/td>\u5185\u5bb9<\/td>\u914d\u7f6e\uff08\u73b0\u5b9e\u7cfb\u7edf1t\uff0c\u6570\u636e2t\uff09<\/td><\/tr>
master141<\/td>10.0.0.141<\/td>api-server\uff0ccontrol manager\uff0cscheduler\uff0cetcd<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr>
master142<\/td>10.0.0.142<\/td>api-server\uff0ccontrol manager\uff0cscheduler\uff0cetcd<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr>
master143<\/td>10.0.0.143<\/td>api-server\uff0ccontrol manager\uff0cscheduler\uff0cetcd<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr>
worker144<\/td>10.0.0.244<\/td>kubelet\uff0ckube-proxy<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr>
worker145<\/td>10.0.0.245<\/td>kubelet\uff0ckube-proxy<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr>
apiserver-lb140<\/td>10.0.0.140<\/td>apiserver\u7684\u8d1f\u8f7d\u5747\u8861\u5668IP\u5730\u5740<\/td>2\u6838\uff0c4G\uff0c60G<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

2.\u5404\u8282\u70b9\u5b89\u88c5\u5e38\u7528\u7684\u8f6f\u4ef6\u5305<\/h2>\n\n\n\n
apt update\napt -y install bind9-utils expect rsync jq psmisc net-tools lvm2 vim unzip rename<\/code><\/pre>\n\n\n\n
3.\u5728master141\u6267\u884c<\/h2>\n\n\n\n
cat >> \/etc\/hosts <<'EOF'\n10.0.0.140 apiserver-lb140\n10.0.0.141 master141\n10.0.0.142 master142\n10.0.0.143 master143\n10.0.0.144 worker144\n10.0.0.145 worker145\nEOF<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat > password_free_login.sh <<'EOF'\n#!\/bin\/bash\n\nssh-keygen -t rsa -P \"\" -f \/root\/.ssh\/id_rsa -q\n\nexport mypasswd=gshcmy\n\nk8s_host_list=(master142 master143 worker144 worker145)\n\nfor i in ${k8s_host_list[@]};do\nexpect -c \"\nspawn ssh-copy-id -i \/root\/.ssh\/id_rsa.pub root@$i\n  expect {\n    \\\"*yes\/no*\\\" {send \\\"yes\\r\\\"; exp_continue}\n    \\\"*password*\\\" {send \\\"$mypasswd\\r\\\"; exp_continue}\n  }\"\ndone\nEOF<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
bash password_free_login.sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat > \/usr\/local\/sbin\/data_rsync.sh <<'EOF'\n#!\/bin\/bash\n\nif  [ $# -lt 1 ];then\n   echo \"Usage: $0 \/path\/to\/file(\u7edd\u5bf9\u8def\u5f84) [mode: m|w]\"\n   exit\nfi \n\nif [ ! -e $1 ];then\n    echo \"[ $1 ] dir or file not find!\"\n    exit\nfi\n\nfullpath=`dirname $1`\n\nbasename=`basename $1`\n\ncd $fullpath\n\ncase $2 in\n    WORKER_NODE|w)\n      K8S_NODE=(master142 master143 worker144 worker145)\n      ;;\n    MASTER_NODE|m)\n      K8S_NODE=(master142 master143)\n      ;;\n    *)\n      K8S_NODE=(master142 master143 worker144 worker145)\n     ;;\nesac\n\nfor host in ${K8S_NODE[@]};do\n  tput setaf 2\n    echo ===== rsyncing ${host}: $basename =====\n    tput setaf 7\n    rsync -az $basename  `whoami`@${host}:$fullpath\n    if [ $? -eq 0 ];then\n      echo \"\u547d\u4ee4\u6267\u884c\u6210\u529f!\"\n    fi\ndone\nEOF<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
chmod +x \/usr\/local\/sbin\/data_rsync.sh<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
data_rsync.sh \/etc\/hosts             #\u5bc6\u7801\u662froot\u7528\u6237\u7684\u5bc6\u7801<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.\u6240\u6709\u8282\u70b9\u73af\u5883\u4f18\u5316<\/h2>\n\n\n\n
root@master141:~# systemctl disable --now NetworkManager ufw\nroot@master142:~# systemctl disable --now NetworkManager ufw\nroot@master143:~# systemctl disable --now NetworkManager ufw\nroot@master144:~# systemctl disable --now NetworkManager ufw\nroot@master145:~# systemctl disable --now NetworkManager ufw\n\u4e0b\u56fe\u662f\u64b0\u5199\u680fXshell 8\u4e2d\u4f4d\u4e8e\uff1a\u67e5\u770b\u2192\u64b0\u5199\u2192\u64b0\u5199\u680f  \u70b9\u51fb\u4e0b\u56fe\u6700\u5de6\u8fb9\u56fe\u6807\u53ef\u4ee5\u9009\u62e9\uff0c\u4e0b\u56fe\u9009\u62e9\u4e3a\u5168\u90e8Xshell\uff0c\u4f7f\u7528\u8fd9\u4e2a\u53ef\u4ee5\u4e0d\u7528\u4e00\u4e2a\u4e2a\u53bb\u5199<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
swapoff -a && sysctl -w vm.swappiness=0<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sed -ri '\/^[^#]*swap\/s@^@#@' \/etc\/fstab<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
ln -svf \/usr\/share\/zoneinfo\/Asia\/Shanghai \/etc\/localtime<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat >> \/etc\/security\/limits.conf <<'EOF'\n* soft nofile 655360\n* hard nofile 131072\n* soft nproc 655350\n* hard nproc 655350\n* soft memlock unlimited\n* hard memlock unlimited\nEOF\n\n\u6bcf\u4e2a\u8282\u70b9\u90fd\u8981\u6267\u884c<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sed -i 's@#UseDNS yes@UseDNS no@g' \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sed -i 's@^GSSAPIAuthentication yes@GSSAPIAuthentication no@g' \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat > \/etc\/sysctl.d\/k8s.conf <<'EOF'\nnet.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\nfs.may_detach_mounts = 1\nvm.overcommit_memory=1\nvm.panic_on_oom=0\nfs.inotify.max_user_watches=89100\nfs.file-max=52706963\nfs.nr_open=52706963\nnet.netfilter.nf_conntrack_max=2310720\nnet.ipv4.tcp_keepalive_time = 600\nnet.ipv4.tcp_keepalive_probes = 3\nnet.ipv4.tcp_keepalive_intvl =15\nnet.ipv4.tcp_max_tw_buckets = 36000\nnet.ipv4.tcp_tw_reuse = 1\nnet.ipv4.tcp_max_orphans = 327680\nnet.ipv4.tcp_orphan_retries = 3\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_max_syn_backlog = 16384\nnet.ipv4.ip_conntrack_max = 65536\nnet.ipv4.tcp_max_syn_backlog = 16384\nnet.ipv4.tcp_timestamps = 0\nnet.core.somaxconn = 16384\nEOF\n\n\u6240\u6709\u8282\u70b9<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sysctl --system\n\u6240\u6709\u8282\u70b9<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat <<EOF >>  ~\/.bashrc\nPS1='[\\[\\e[35;1m\\]\\u@\\[\\e[0m\\]\\[\\e[32;1m\\]\\H\\[\\e[0m\\]\\[\\e[34;1m\\] \\W\\[\\e[0m\\]]# '\nEOF\n\n\u4fee\u6539\u989c\u8272\u987a\u5e8f\u4e3a\u7d2b\uff0c\u7eff\uff0c\u84dd<\/code><\/pre>\n\n\n\n
source ~\/.bashrc<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.\u6240\u6709\u8282\u70b9\u5b89\u88c5ipvsadm\u4ee5\u5b9e\u73b0kube-proxy\u8d1f\u8f7d\u5747\u8861<\/h2>\n\n\n\n
apt -y install ipvsadm ipset sysstat conntrack libseccomp2<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat > \/etc\/modules-load.d\/ipvs.conf << 'EOF'\nip_vs\nip_vs_lc\nip_vs_wlc\nip_vs_rr\nip_vs_wrr\nip_vs_lblc\nip_vs_lblcr\nip_vs_dh\nip_vs_sh\nip_vs_fo\nip_vs_nq\nip_vs_sed\nip_vs_ftp\nip_vs_sh\nnf_conntrack\nip_tables\nip_set\nxt_set\nipt_set\nipt_rpfilter\nipt_REJECT\nipip\nEOF<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
vim \/etc\/default\/grub\n\u6240\u6709\u8282\u70b9\uff1a\u4e0b\u9762\u4e24\u4e2a\u56fe\u7247\u662f\u6267\u884c\u7684\u547d\u4ee4\u548c\u8981\u6539\u7684\u5185\u5bb9\uff0c\u53ea\u5728\u4e8c\u56fe\u6700\u540e\u4e00\u884c\n... net.ifnames=0 biosdevname=0<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
grub-mkconfig -o \/boot\/grub\/grub.cfg<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
vim \/etc\/netplan\/00-installer-config.yaml       #\u4e0b\u9762\u662f\u5185\u5bb9141-145\u90fd\u8981<\/code><\/pre>\n\n\n\n
network:\n  ethernets:\n    eth0:\n      dhcp4: false\n      addresses:\n        - 10.0.0.141\/24\n      routes:\n        - to: default\n          via: 10.0.0.2\n      nameservers:\n        addresses:\n          - 223.5.5.5\n            # 114 DNS\n          - 114.114.114.114\n          - 114.114.115.115\n            # \u963f\u91cc\u4e91DNS\n          - 223.5.5.5\n          - 223.6.6.6\n            # \u817e\u8baf\u4e91DNS\n          - 119.29.29.29\n          - 119.28.28.28\n            # \u767e\u5ea6DNS\n          - 180.76.76.76\n            # Google DNS\n          - 8.8.8.8\n          - 4.4.4.4\n  version: 2<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
reboot\n\u91cd\u542f<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
lsmod | grep --color=auto -e ip_vs -e nf_conntrack<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
uname -r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
ifconfig<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5b89\u88c5containerd\u7ec4\u4ef6 \uff08\u6240\u6709\u8282\u70b9\uff09<\/h1>\n\n\n\n
1.\u5b89\u88c5\u7cfb\u7edf\u5de5\u5177<\/p>\n\n\n\n
apt-get -y install apt-transport-https ca-certificates curl software-properties-common<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
2.\u5b89\u88c5GPG\u8bc1\u4e66<\/p>\n\n\n\n
curl -fsSL https:\/\/mirrors.aliyun.com\/docker-ce\/linux\/ubuntu\/gpg | apt-key add -<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
3.\u5199\u5165\u8f6f\u4ef6\u6e90\u4fe1\u606f<\/p>\n\n\n\n
add-apt-repository \"deb [arch=amd64] https:\/\/mirrors.aliyun.com\/docker-ce\/linux\/ubuntu $(lsb_release -cs) stable\"<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.\u66f4\u65b0\u8f6f\u4ef6\u6e90<\/p>\n\n\n\n
apt-get update<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.\u5b89\u88c5containerd\u7ec4\u4ef6<\/p>\n\n\n\n
apt-get -y install containerd.io<\/code><\/pre>\n\n\n\n
6.\u914d\u7f6econtainerd\u9700\u8981\u7684\u6a21\u5757<\/p>\n\n\n\n
modprobe -- overlay\nmodprobe -- br_netfilter<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
cat > \/etc\/modules-load.d\/containerd.conf <<EOF\noverlay\nbr_netfilter\nEOF\n\u6240\u6709\u8282\u70b9<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
7.\u4fee\u6539containerd\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
containerd config default | tee \/etc\/containerd\/config.toml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
sed -ri 's#(SystemdCgroup = )false#\\1true#' \/etc\/containerd\/config.toml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
grep SystemdCgroup \/etc\/containerd\/config.toml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u4fee\u6539pause\u7684\u57fa\u7840\u955c\u50cf\u540d\u79f0<\/p>\n\n\n\n
sed -i 's#registry.k8s.io\/pause:3.6#registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.7#' \/etc\/containerd\/config.toml\n\u6216\u8005\nsed -i 's#registry.k8s.io\/pause:3.10.1#registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.7#' \/etc\/containerd\/config.toml\n\nsed -i 's#sandbox =#sandbox_image =#' \/etc\/containerd\/config.toml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
grep sandbox_image \/etc\/containerd\/config.toml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6240\u6709\u8282\u70b9\u542f\u52a8<\/p>\n\n\n\n
systemctl daemon-reload\nsystemctl enable --now containerd\nsystemctl status containerd<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
<\/p>\n\n\n\n
cat > \/etc\/crictl.yaml <<EOF\nruntime-endpoint: unix:\/\/\/run\/containerd\/containerd.sock\nimage-endpoint: unix:\/\/\/run\/containerd\/containerd.sock\ntimeout: 10\ndebug: false\nEOF\n<\/code><\/pre>\n\n\n\n
\u67e5\u770bcontainerd\u7684\u7248\u672c<\/p>\n\n\n\n
ctr version<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
containerd\u7684\u540d\u79f0\u7a7a\u95f4\uff0c\u955c\u50cf\u548c\u5bb9\u5668\uff0c\u4efb\u52a1\u7ba1\u7406<\/h1>\n\n\n\n
\u67e5\u770b\u5f53\u524d\u540d\u79f0\u7a7a\u95f4<\/p>\n\n\n\n
ctr ns ls<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u540d\u79f0\u7a7a\u95f4<\/h2>\n\n\n\n
\u521b\u5efa\u540d\u79f0\u7a7a\u95f4<\/p>\n\n\n\n
ctr ns c gshcmy-k8s\nctr ns ls<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5220\u9664\u540d\u79f0\u7a7a\u95f4(\u5220\u9664\u7684\u540d\u79f0\u7a7a\u95f4\u5fc5\u987b\u4e3a\u7a7a\uff0c\u5426\u5219\u65e0\u6cd5\u5220\u9664)<\/p>\n\n\n\n
ctr ns rm gshcmy-k8s\nctr ns ls<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u955c\u50cf\u7ba1\u7406<\/h2>\n\n\n\n
\u5c06\u955c\u50cf\u62c9\u53d6\u5230\u540d\u79f0\u7a7a\u95f4(\u4e0b\u65b9\u4e3a\u7ec3\u4e60\u955c\u50cf\u6ca1\u6709\u7684)<\/h3>\n\n\n\n
ctr ns c gshcmy-k8s\nctr ns ls\nctr image pull registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v1\nctr i ls\nctr -n default i ls\nctr  -n gshcmy-k8s i ls\nctr  -n gshcmy-k8s image pull registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v2\nctr  -n gshcmy-k8s i ls<\/code><\/pre>\n\n\n\n
\u5220\u9664\u955c\u50cf<\/h3>\n\n\n\n
ctr -n default i ls\nctr i rm registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v1<\/code><\/pre>\n\n\n\n
\u5bb9\u5668\u7ba1\u7406<\/h2>\n\n\n\n
\u8fd0\u884c\u5bb9\u5668<\/p>\n\n\n\n
ctr -n gshcmy-k8s run registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v2 haha<\/code><\/pre>\n\n\n\n
\u67e5\u770b\u5bb9\u5668\u5217\u8868<\/p>\n\n\n\n
[root@master141 ~]# ctr -n gshcmy-k8s c ls\nCONTAINER    IMAGE                                                        RUNTIME                  \nhaha         registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v2    io.containerd.runc.v2    <\/code><\/pre>\n\n\n\n
\u67e5\u770b\u8fd0\u884c\u7684\u5bb9\u5668ID<\/p>\n\n\n\n
[root@master141 ~]# ctr -n gshcmy-k8s t ls\nTASK    PID      STATUS    \nhaha    19041    RUNNING\n[root@master141 ~]# \n<\/code><\/pre>\n\n\n\n
\u8fde\u63a5\u6b63\u5728\u8fd0\u884c\u7684\u5bb9\u5668<\/p>\n\n\n\n
[root@master141 ~]# ctr -n gshcmy-k8s t exec -t --exec-id 2024 haha sh\n\/ # ifconfig\nlo        Link encap:Local Loopback  \n          inet addr:127.0.0.1  Mask:255.0.0.0\n          inet6 addr: ::1\/128 Scope:Host\n          UP LOOPBACK RUNNING  MTU:65536  Metric:1\n          RX packets:0 errors:0 dropped:0 overruns:0 frame:0\n          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\n          collisions:0 txqueuelen:1000 \n          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)\n\n\/ # \n<\/code><\/pre>\n\n\n\n
\u6740\u6b7b\u8fd0\u884c\u7684\u5bb9\u5668<\/p>\n\n\n\n
[root@master141 ~]# ctr -n gshcmy-k8s t kill haha\n[root@master141 ~]# ctr -n gshcmy-k8s t ls\nTASK    PID    STATUS    <\/code><\/pre>\n\n\n\n
\u5220\u9664\u5bb9\u5668<\/p>\n\n\n\n
[root@master141 ~]# ctr -n gshcmy-k8s c ls\nCONTAINER    IMAGE                                                        RUNTIME                  \nhaha         registry.cn-hangzhou.aliyuncs.com\/gshcmy-k8s\/apps:v2    io.containerd.runc.v2   \n\n[root@master141 ~]# ctr -n gshcmy-k8s c rm haha\n[root@master141 ~]# ctr -n gshcmy-k8s c ls\nCONTAINER    IMAGE    RUNTIME    <\/code><\/pre>\n\n\n\n
\u5b89\u88c5etcd\u7a0b\u5e8f\uff08\u9700\u8981\u79d1\u5b66\u4e0a\u7f51\uff09<\/h1>\n\n\n\n
wget https:\/\/github.com\/etcd-io\/etcd\/releases\/download\/v3.5.14\/etcd-v3.5.14-linux-amd64.tar.gz<\/code><\/pre>\n\n\n\n
\u89e3\u538betcd\u7684\u4e8c\u8fdb\u5236\u7a0b\u5e8f\u5305<\/p>\n\n\n\n
tar -xf etcd-v3.5.14-linux-amd64.tar.gz --strip-components=1 -C \/usr\/local\/bin etcd-v3.5.14-linux-amd64\/etcd{,ctl}\nll \/usr\/local\/bin\/\n[root@master141 ~]# etcdctl version     #\u67e5\u770b\u7248\u672c\netcdctl version: 3.5.14\nAPI version: 3.5<\/code><\/pre>\n\n\n\n
\u5c06\u8f6f\u4ef6\u5305\u4e0b\u53d1\u5230\u6240\u6709\u8282\u70b9<\/h2>\n\n\n\n
[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/etcd m\n===== rsyncing master142: etcd =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcd =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/etcdctl m\n===== rsyncing master142: etcdctl =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcdctl =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n[root@master141 ~]# <\/code><\/pre>\n\n\n\n
\u5b89\u88c5k8s\u7a0b\u5e8f<\/h1>\n\n\n\n
wget https:\/\/dl.k8s.io\/v1.30.2\/kubernetes-server-linux-amd64.tar.gz<\/code><\/pre>\n\n\n\n
\u89e3\u538bK8S\u7684\u4e8c\u8fdb\u5236\u7a0b\u5e8f\u5305<\/p>\n\n\n\n
\u89e3\u538b\ntar -xf kubernetes-server-linux-amd64.tar.gz  --strip-components=3 -C \/usr\/local\/bin kubernetes\/server\/bin\/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}\n\n\u67e5\u770b\u7248\u672c\n[root@master141 ~]# kubelet --version \nKubernetes v1.30.2\n[root@master141 ~]# \n\n\u5206\u53d1\u8f6f\u4ef6\u5305\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kube-apiserver m\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kube-scheduler m\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kube-controller-manager m\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kubectl m\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kubelet w\n[root@master141 ~]# data_rsync.sh \/usr\/local\/bin\/kube-proxy w<\/code><\/pre>\n\n\n\n
\u751f\u6210etcd\u8bc1\u4e66\u6587\u4ef6<\/h1>\n\n\n\n
wget https:\/\/github.com\/cloudflare\/cfssl\/releases\/download\/v1.6.5\/cfssl-certinfo_1.6.5_linux_amd64\nwget https:\/\/github.com\/cloudflare\/cfssl\/releases\/download\/v1.6.5\/cfssljson_1.6.5_linux_amd64\nwget https:\/\/github.com\/cloudflare\/cfssl\/releases\/download\/v1.6.5\/cfssl_1.6.5_linux_amd64\n\u4e0b\u8f7d\u540e\u62cd\u6444\u5feb\u7167<\/code><\/pre>\n\n\n\n
\u91cd\u547d\u540dcfssl\u7684\u7248\u672c\u53f7\u4fe1\u606f<\/p>\n\n\n\n
[root@master141 ~]# ll cfssl*\n-rw-r--r-- 1 root root 11890840 Jun 15  2024 cfssl_1.6.5_linux_amd64\n-rw-r--r-- 1 root root  8413336 Jun 15  2024 cfssl-certinfo_1.6.5_linux_amd64\n-rw-r--r-- 1 root root  6205592 Jun 15  2024 cfssljson_1.6.5_linux_amd64<\/code><\/pre>\n\n\n\n
[root@master141 ~]# rename -v \"s\/_1.6.5_linux_amd64\/\/g\" cfssl*\ncfssl_1.6.5_linux_amd64 renamed as cfssl\ncfssl-certinfo_1.6.5_linux_amd64 renamed as cfssl-certinfo\ncfssljson_1.6.5_linux_amd64 renamed as cfssljson\n[root@master141 ~]#<\/code><\/pre>\n\n\n\n
[root@master141 ~]# ll cfssl*\n-rw-r--r-- 1 root root 11890840 Jun 15  2024 cfssl\n-rw-r--r-- 1 root root  8413336 Jun 15  2024 cfssl-certinfo\n-rw-r--r-- 1 root root  6205592 Jun 15  2024 cfssljson\n<\/code><\/pre>\n\n\n\n
\u5c06cfssl\u8bc1\u4e66\u62f7\u8d1d\u5230\u73af\u5883\u53d8\u91cf\u5e76\u6388\u6743\u6267\u884c\u6743\u9650<\/p>\n\n\n\n
[root@master141 ~]# mv cfssl* \/usr\/local\/bin\/\n[root@master141 ~]# chmod +x \/usr\/local\/bin\/cfssl*\n[root@master141 ~]# ll \/usr\/local\/bin\/cfssl*\n-rwxr-xr-x 1 root root 11890840 Jun 15  2024 \/usr\/local\/bin\/cfssl*\n-rwxr-xr-x 1 root root  8413336 Jun 15  2024 \/usr\/local\/bin\/cfssl-certinfo*\n-rwxr-xr-x 1 root root  6205592 Jun 15  2024 \/usr\/local\/bin\/cfssljson*\n<\/code><\/pre>\n\n\n\n
master141\u8282\u70b9\u521b\u5efaetcd\u8bc1\u4e66\u5b58\u50a8\u76ee\u5f55<\/p>\n\n\n\n
[root@master141 ~]# mkdir -pv \/gshcmy\/certs\/{etcd,pki}\/ && cd \/gshcmy\/certs\/pki\/<\/code><\/pre>\n\n\n\n
[root@master141 pki]# cat > etcd-ca-csr.json <<EOF\n{\n  \"CN\": \"etcd\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"etcd\",\n      \"OU\": \"Etcd Security\"\n    }\n  ],\n  \"ca\": {\n    \"expiry\": \"876000h\"\n  }\n}\nEOF<\/code><\/pre>\n\n\n\n
\u751f\u6210etcd CA\u8bc1\u4e66\u548cCA\u8bc1\u4e66\u7684key<\/p>\n\n\n\n
[root@master141 pki]# cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare \/gshcmy\/certs\/etcd\/etcd-ca\n2025\/12\/23 16:58:16 [INFO] generating a new CA key and certificate from CSR\n2025\/12\/23 16:58:16 [INFO] generate received request\n2025\/12\/23 16:58:16 [INFO] received CSR\n2025\/12\/23 16:58:16 [INFO] generating key: rsa-2048\n2025\/12\/23 16:58:16 [INFO] encoded CSR\n2025\/12\/23 16:58:16 [INFO] signed certificate with serial number 670358402125359505823061965820939276734710307322\n[root@master141 pki]# pwd\n\/gshcmy\/certs\/pki\n[root@master141 pki]# ll \/gshcmy\/certs\/etcd\/\ntotal 20\ndrwxr-xr-x 2 root root 4096 Dec 23 16:58 .\/\ndrwxr-xr-x 4 root root 4096 Dec 23 16:57 ..\/\n-rw-r--r-- 1 root root 1050 Dec 23 16:58 etcd-ca.csr\n-rw------- 1 root root 1675 Dec 23 16:58 etcd-ca-key.pem\n-rw-r--r-- 1 root root 1318 Dec 23 16:58 etcd-ca.pem\n[root@master141 pki]#<\/code><\/pre>\n\n\n\n
master141\u8282\u70b9\u57fa\u4e8e\u81ea\u5efaca\u8bc1\u4e66\u9881\u53d1etcd\u8bc1\u4e66<\/h2>\n\n\n\n
[root@master141 pki]# cat > ca-config.json <<EOF\n{\n  \"signing\": {\n    \"default\": {\n      \"expiry\": \"876000h\"\n    },\n    \"profiles\": {\n      \"kubernetes\": {\n        \"usages\": [\n            \"signing\",\n            \"key encipherment\",\n            \"server auth\",\n            \"client auth\"\n        ],\n        \"expiry\": \"876000h\"\n      }\n    }\n  }\n}\nEOF\n\n\n[root@master141 pki]# cat > etcd-csr.json <<EOF\n{\n  \"CN\": \"etcd\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"etcd\",\n      \"OU\": \"Etcd Security\"\n    }\n  ]\n}\nEOF\n\n\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/etcd\/etcd-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/etcd\/etcd-ca-key.pem \\\n  -config=ca-config.json \\\n  --hostname=127.0.0.1,master141,master142,master143,10.0.0.141,10.0.0.142,10.0.0.143 \\\n  --profile=kubernetes \\\n  etcd-csr.json  | cfssljson -bare \/gshcmy\/certs\/etcd\/etcd-server\n\n[root@master141 pki]# ll \/gshcmy\/certs\/etcd\/etcd-server*\n-rw-r--r-- 1 root root 1119 Dec 23 17:07 \/gshcmy\/certs\/etcd\/etcd-server.csr\n-rw------- 1 root root 1675 Dec 23 17:07 \/gshcmy\/certs\/etcd\/etcd-server-key.pem\n-rw-r--r-- 1 root root 1452 Dec 23 17:07 \/gshcmy\/certs\/etcd\/etcd-server.pem\n[root@master141 pki]# \n<\/code><\/pre>\n\n\n\n
master141\u8282\u70b9\u5c06etcd\u8bc1\u4e66\u62f7\u8d1d\u5230\u5176\u4ed6\u4e24\u4e2amaster\u8282\u70b9<\/p>\n\n\n\n
[root@master141 pki]# MasterNodes='master142 master143'\n[root@master141 pki]# for NODE in $MasterNodes; do ssh $NODE \"mkdir -pv \/gshcmy\/certs\/etcd\/\"; done\nroot@master142's password: \nmkdir: created directory '\/gshcmy'\nmkdir: created directory '\/gshcmy\/certs'\nmkdir: created directory '\/gshcmy\/certs\/etcd\/'\nroot@master143's password: \nmkdir: created directory '\/gshcmy'\nmkdir: created directory '\/gshcmy\/certs'\nmkdir: created directory '\/gshcmy\/certs\/etcd\/'\n\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/etcd\/etcd-ca-key.pem m\n===== rsyncing master142: etcd-ca-key.pem =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcd-ca-key.pem =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/etcd\/etcd-ca.pem m\n===== rsyncing master142: etcd-ca.pem =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcd-ca.pem =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/etcd\/etcd-server-key.pem m\n===== rsyncing master142: etcd-server-key.pem =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcd-server-key.pem =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/etcd\/etcd-server.pem m\n===== rsyncing master142: etcd-server.pem =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: etcd-server.pem =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n\n<\/code><\/pre>\n\n\n\n
\u542f\u52a8etcd\u96c6\u7fa4<\/h1>\n\n\n\n
\u521b\u5efaetcd\u96c6\u7fa4\u5404\u8282\u70b9<\/strong>\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
[root@master141 ~]# mkdir -pv \/gshcmy\/softwares\/etcd<\/code><\/pre>\n\n\n\n
[root@master141 ~]# cat > \/gshcmy\/softwares\/etcd\/etcd.config.yml <<'EOF'\nname: 'master141'\ndata-dir: \/var\/lib\/etcd\nwal-dir: \/var\/lib\/etcd\/wal\nsnapshot-count: 5000\nheartbeat-interval: 100\nelection-timeout: 1000\nquota-backend-bytes: 0\nlisten-peer-urls: 'https:\/\/10.0.0.141:2380'\nlisten-client-urls: 'https:\/\/10.0.0.141:2379,http:\/\/127.0.0.1:2379'\nmax-snapshots: 3\nmax-wals: 5\ncors:\ninitial-advertise-peer-urls: 'https:\/\/10.0.0.141:2380'\nadvertise-client-urls: 'https:\/\/10.0.0.141:2379'\ndiscovery:\ndiscovery-fallback: 'proxy'\ndiscovery-proxy:\ndiscovery-srv:\ninitial-cluster: 'master141=https:\/\/10.0.0.141:2380,master142=https:\/\/10.0.0.142:2380,master143=https:\/\/10.0.0.143:2380'\ninitial-cluster-token: 'etcd-k8s-cluster'\ninitial-cluster-state: 'new'\nstrict-reconfig-check: false\nenable-v2: true\nenable-pprof: true\nproxy: 'off'\nproxy-failure-wait: 5000\nproxy-refresh-interval: 30000\nproxy-dial-timeout: 1000\nproxy-write-timeout: 5000\nproxy-read-timeout: 0\nclient-transport-security:\n  cert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\n  key-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\n  client-cert-auth: true\n  trusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\n  auto-tls: true\npeer-transport-security:\n  cert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\n  key-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\n  peer-client-cert-auth: true\n  trusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\n  auto-tls: true\ndebug: false\nlog-package-levels:\nlog-outputs: [default]\nforce-new-cluster: false\nEOF<\/code><\/pre>\n\n\n\n
[root@master142 ~]# mkdir -pv \/gshcmy\/softwares\/etcd<\/code><\/pre>\n\n\n\n
[root@master142 ~]# cat > \/gshcmy\/softwares\/etcd\/etcd.config.yml << 'EOF'\nname: 'master142'\ndata-dir: \/var\/lib\/etcd\nwal-dir: \/var\/lib\/etcd\/wal\nsnapshot-count: 5000\nheartbeat-interval: 100\nelection-timeout: 1000\nquota-backend-bytes: 0\nlisten-peer-urls: 'https:\/\/10.0.0.142:2380'\nlisten-client-urls: 'https:\/\/10.0.0.142:2379,http:\/\/127.0.0.1:2379'\nmax-snapshots: 3\nmax-wals: 5\ncors:\ninitial-advertise-peer-urls: 'https:\/\/10.0.0.142:2380'\nadvertise-client-urls: 'https:\/\/10.0.0.142:2379'\ndiscovery:\ndiscovery-fallback: 'proxy'\ndiscovery-proxy:\ndiscovery-srv:\ninitial-cluster: 'master141=https:\/\/10.0.0.141:2380,master142=https:\/\/10.0.0.142:2380,master143=https:\/\/10.0.0.143:2380'\ninitial-cluster-token: 'etcd-k8s-cluster'\ninitial-cluster-state: 'new'\nstrict-reconfig-check: false\nenable-v2: true\nenable-pprof: true\nproxy: 'off'\nproxy-failure-wait: 5000\nproxy-refresh-interval: 30000\nproxy-dial-timeout: 1000\nproxy-write-timeout: 5000\nproxy-read-timeout: 0\nclient-transport-security:\ncert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\nkey-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\nclient-cert-auth: true\ntrusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\nauto-tls: true\npeer-transport-security:\ncert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\nkey-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\npeer-client-cert-auth: true\ntrusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\nauto-tls: true\ndebug: false\nlog-package-levels:\nlog-outputs: [default]\nforce-new-cluster: false\nEOF<\/code><\/pre>\n\n\n\n
[root@master143 ~]# mkdir -pv \/gshcmy\/softwares\/etcd<\/code><\/pre>\n\n\n\n
[root@master143 ~]# cat > \/gshcmy\/softwares\/etcd\/etcd.config.yml << 'EOF'\nname: 'master143'\ndata-dir: \/var\/lib\/etcd\nwal-dir: \/var\/lib\/etcd\/wal\nsnapshot-count: 5000\nheartbeat-interval: 100\nelection-timeout: 1000\nquota-backend-bytes: 0\nlisten-peer-urls: 'https:\/\/10.0.0.143:2380'\nlisten-client-urls: 'https:\/\/10.0.0.143:2379,http:\/\/127.0.0.1:2379'\nmax-snapshots: 3\nmax-wals: 5\ncors:\ninitial-advertise-peer-urls: 'https:\/\/10.0.0.143:2380'\nadvertise-client-urls: 'https:\/\/10.0.0.143:2379'\ndiscovery:\ndiscovery-fallback: 'proxy'\ndiscovery-proxy:\ndiscovery-srv:\ninitial-cluster: 'master141=https:\/\/10.0.0.141:2380,master142=https:\/\/10.0.0.142:2380,master143=https:\/\/10.0.0.143:2380'\ninitial-cluster-token: 'etcd-k8s-cluster'\ninitial-cluster-state: 'new'\nstrict-reconfig-check: false\nenable-v2: true\nenable-pprof: true\nproxy: 'off'\nproxy-failure-wait: 5000\nproxy-refresh-interval: 30000\nproxy-dial-timeout: 1000\nproxy-write-timeout: 5000\nproxy-read-timeout: 0\nclient-transport-security:\n  cert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\n  key-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\n  client-cert-auth: true\n  trusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\n  auto-tls: true\npeer-transport-security:\n  cert-file: '\/gshcmy\/certs\/etcd\/etcd-server.pem'\n  key-file: '\/gshcmy\/certs\/etcd\/etcd-server-key.pem'\n  peer-client-cert-auth: true\n  trusted-ca-file: '\/gshcmy\/certs\/etcd\/etcd-ca.pem'\n  auto-tls: true\ndebug: false\nlog-package-levels:\nlog-outputs: [default]\nforce-new-cluster: false\nEOF<\/code><\/pre>\n\n\n\n
master[141-143]\u7f16\u5199etcd\u542f\u52a8\u811a\u672c(141-143\u90fd\u8981\u6709)<\/p>\n\n\n\n
cat > \/usr\/lib\/systemd\/system\/etcd.service <<'EOF'\n[Unit]\nDescription=Gsh cmy's Etcd Service\nDocumentation=https:\/\/coreos.com\/etcd\/docs\/latest\/\nAfter=network.target\n\n[Service]\nType=notify\nExecStart=\/usr\/local\/bin\/etcd --config-file=\/gshcmy\/softwares\/etcd\/etcd.config.yml\nRestart=on-failure\nRestartSec=10\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target\nAlias=etcd3.service\nEOF<\/code><\/pre>\n\n\n\n
\u542f\u52a8etcd\u96c6\u7fa4<\/p>\n\n\n\n
systemctl daemon-reload && systemctl enable --now etcd\nsystemctl status etcd\n\n\u67e5\u770b\u72b6\u6001\netcdctl --endpoints=\"10.0.0.141:2379,10.0.0.142:2379,10.0.0.143:2379\" --cacert=\/gshcmy\/certs\/etcd\/etcd-ca.pem --cert=\/gshcmy\/certs\/etcd\/etcd-server.pem --key=\/gshcmy\/certs\/etcd\/etcd-server-key.pem  endpoint status --write-out=table\n\n\u53ef\u4ee5\u505c\u6389\u4e00\u4e2a\u8282\u70b9\u9a8c\u8bc1\u9ad8\u53ef\u7528\u662f\u5426\u6210\u529f systemctl stop etcd<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u751f\u6210k8s\u7ec4\u4ef6\u8bc1\u4e66<\/h1>\n\n\n\n
\u6240\u6709\u8282\u70b9\uff08master,worker\uff09\u521b\u5efak8s\u8bc1\u4e66\u5b58\u50a8\u76ee\u5f55<\/h2>\n\n\n\n
mkdir -pv \/gshcmy\/certs\/kubernetes\/<\/code><\/pre>\n\n\n\n
master141\u8282\u70b9\u751f\u6210kubernetes\u81ea\u5efaca\u8bc1\u4e66<\/h2>\n\n\n\n
1.\u751f\u6210\u8bc1\u4e66\u7684CSR\u6587\u4ef6\uff1a \u8bc1\u4e66\u7b7e\u53d1\u8bf7\u6c42\u6587\u4ef6\uff0c\u914d\u7f6e\u4e86\u4e00\u4e9b\u57df\u540d\uff0c\u516c\u53f8\uff0c\u5355\u4f4d\n[root@master141 pki]# pwd\n\/gshcmy\/certs\/pki\n\n[root@master141 pki]# cat > k8s-ca-csr.json  <<EOF\n{\n\"CN\": \"kubernetes\",\n\"key\": {\n  \"algo\": \"rsa\",\n  \"size\": 2048\n},\n\"names\": [\n  {\n    \"C\": \"CN\",\n    \"ST\": \"Beijing\",\n    \"L\": \"Beijing\",\n    \"O\": \"Kubernetes\",\n    \"OU\": \"Kubernetes-manual\"\n  }\n],\n\"ca\": {\n  \"expiry\": \"876000h\"\n}\n}\nEOF\n\n[root@master141 pki]# cfssl gencert -initca k8s-ca-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/k8s-ca\n2025\/12\/23 21:10:47 [INFO] generating a new CA key and certificate from CSR\n2025\/12\/23 21:10:47 [INFO] generate received request\n2025\/12\/23 21:10:47 [INFO] received CSR\n2025\/12\/23 21:10:47 [INFO] generating key: rsa-2048\n2025\/12\/23 21:10:47 [INFO] encoded CSR\n2025\/12\/23 21:10:47 [INFO] signed certificate with serial number 172725731318857238528414959316294645059717357847\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/\ntotal 20\ndrwxr-xr-x 2 root root 4096 Dec 23 21:10 .\/\ndrwxr-xr-x 5 root root 4096 Dec 23 20:56 ..\/\n-rw-r--r-- 1 root root 1070 Dec 23 21:10 k8s-ca.csr\n-rw------- 1 root root 1679 Dec 23 21:10 k8s-ca-key.pem\n-rw-r--r-- 1 root root 1363 Dec 23 21:10 k8s-ca.pem<\/code><\/pre>\n\n\n\n
k8s-master01\u8282\u70b9\u57fa\u4e8e\u81ea\u5efaca\u8bc1\u4e66\u9881\u53d1apiserver\u76f8\u5173\u8bc1\u4e66<\/h2>\n\n\n\n
\u751f\u6210k8s\u8bc1\u4e66\u7684\u6709\u6548\u671f\u4e3a100\u5e74\n[root@master141 pki]# cat > k8s-ca-config.json <<EOF\n{\n  \"signing\": {\n    \"default\": {\n      \"expiry\": \"876000h\"\n    },\n    \"profiles\": {\n      \"kubernetes\": {\n        \"usages\": [\n            \"signing\",\n            \"key encipherment\",\n            \"server auth\",\n            \"client auth\"\n        ],\n        \"expiry\": \"876000h\"\n      }\n    }\n  }\n}\nEOF\n\n\n\u751f\u6210apiserver\u8bc1\u4e66\u7684CSR\u6587\u4ef6\uff1a \u8bc1\u4e66\u7b7e\u53d1\u8bf7\u6c42\u6587\u4ef6\uff0c\u914d\u7f6e\u4e86\u4e00\u4e9b\u57df\u540d\uff0c\u516c\u53f8\uff0c\u5355\u4f4d\n[root@master141 pki]# cat > apiserver-csr.json <<EOF\n{\n  \"CN\": \"kube-apiserver\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"Kubernetes\",\n      \"OU\": \"Kubernetes-manual\"\n    }\n  ]\n}\nEOF\n\n\n\u81ea\u5efaca\u8bc1\u4e66\u751f\u6210apiServer\u7684\u8bc1\u4e66\u6587\u4ef6\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  --hostname=10.200.0.1,10.0.0.140,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.gshcmy,kubernetes.default.svc.gshcmy.com,master141,master142,master143,worker144,worker145,10.0.0.141,10.0.0.142,10.0.0.143,10.0.0.144,10.0.0.145 \\\n  --profile=kubernetes \\\n   apiserver-csr.json  | cfssljson -bare \/gshcmy\/certs\/kubernetes\/apiserver\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/apiserver*\n-rw-r--r-- 1 root root 1301 Dec 23 21:30 \/gshcmy\/certs\/kubernetes\/apiserver.csr\n-rw------- 1 root root 1675 Dec 23 21:30 \/gshcmy\/certs\/kubernetes\/apiserver-key.pem\n-rw-r--r-- 1 root root 1696 Dec 23 21:30 \/gshcmy\/certs\/kubernetes\/apiserver.pem\n\n\"10.200.0.1\"\u4e3asvc\u7f51\u6bb5\u7684\u7b2c\u4e00\u4e2a\u5730\u5740\uff0c\u9700\u8981\u6839\u636e\u81ea\u5df1\u7684\u573a\u666f\u7a0d\u4f5c\u4fee\u6539\u3002\n\t\"10.0.0.240\"\u662f\u8d1f\u8f7d\u5747\u8861\u5668\u7684VIP\u5730\u5740\u3002\n\t\"kubernetes,...,kubernetes.default.svc.gshcmy.com\"\u5bf9\u5e94\u7684\u662fapiServer\u89e3\u6790\u7684A\u8bb0\u5f55\u3002\n\t\"10.0.0.241,...,10.0.0.245\"\u5bf9\u5e94\u7684\u662fK8S\u96c6\u7fa4\u7684\u5730\u5740\u3002 <\/code><\/pre>\n\n\n\n
\u751f\u6210\u7b2c\u4e09\u65b9\u7ec4\u4ef6\u4e0eapiServer\u901a\u4fe1\u7684\u805a\u5408\u8bc1\u4e66<\/h2>\n\n\n\n
\u751f\u6210\u805a\u5408\u8bc1\u4e66\u7684\u7528\u4e8e\u81ea\u5efaca\u7684CSR\u6587\u4ef6\n[root@master141 pki]# cat > front-proxy-ca-csr.json <<EOF\n{\n  \"CN\": \"kubernetes\",\n  \"key\": {\n     \"algo\": \"rsa\",\n     \"size\": 2048\n  }\n}\nEOF\n\n\n\u751f\u6210\u805a\u5408\u8bc1\u4e66\u7684\u81ea\u5efaca\u8bc1\u4e66\n[root@master141 pki]# cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/front-proxy-ca\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/front-proxy-ca*\n-rw-r--r-- 1 root root  891 Dec 23 21:37 \/gshcmy\/certs\/kubernetes\/front-proxy-ca.csr\n-rw------- 1 root root 1675 Dec 23 21:37 \/gshcmy\/certs\/kubernetes\/front-proxy-ca-key.pem\n-rw-r--r-- 1 root root 1094 Dec 23 21:37 \/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem\n\n\u6210\u805a\u5408\u8bc1\u4e66\u7684\u7528\u4e8e\u5ba2\u6237\u7aef\u7684CSR\u6587\u4ef6\n[root@master141 pki]# cat > front-proxy-client-csr.json <<EOF\n{\n  \"CN\": \"front-proxy-client\",\n  \"key\": {\n     \"algo\": \"rsa\",\n     \"size\": 2048\n  }\n}\nEOF\n\n4 \u57fa\u4e8e\u805a\u5408\u8bc1\u4e66\u7684\u81ea\u5efaca\u8bc1\u4e66\u7b7e\u53d1\u805a\u5408\u8bc1\u4e66\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/front-proxy-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  -profile=kubernetes \\\n  front-proxy-client-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/front-proxy-client\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/front-proxy-client*\n-rw-r--r-- 1 root root  903 Dec 23 22:08 \/gshcmy\/certs\/kubernetes\/front-proxy-client.csr\n-rw------- 1 root root 1679 Dec 23 22:08 \/gshcmy\/certs\/kubernetes\/front-proxy-client-key.pem\n-rw-r--r-- 1 root root 1188 Dec 23 22:08 \/gshcmy\/certs\/kubernetes\/front-proxy-client.pem\n<\/code><\/pre>\n\n\n\n
\u751f\u6210controller-manager\u8bc1\u4e66\u53cakubeconfig\u6587\u4ef6<\/h2>\n\n\n\n
\u751f\u6210controller-manager\u7684CSR\u6587\u4ef6\n[root@master141 pki]# cat > controller-manager-csr.json <<EOF\n{\n  \"CN\": \"system:kube-controller-manager\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"system:kube-controller-manager\",\n      \"OU\": \"Kubernetes-manual\"\n    }\n  ]\n}\nEOF\n\n\u751f\u6210controller-manager\u8bc1\u4e66\u6587\u4ef6\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  -profile=kubernetes \\\n  controller-manager-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/controller-manager\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/controller-manager*\n-rw-r--r-- 1 root root 1082 Dec 23 22:20 \/gshcmy\/certs\/kubernetes\/controller-manager.csr\n-rw------- 1 root root 1675 Dec 23 22:20 \/gshcmy\/certs\/kubernetes\/controller-manager-key.pem\n-rw-r--r-- 1 root root 1501 Dec 23 22:20 \/gshcmy\/certs\/kubernetes\/controller-manager.pem\n\n\u521b\u5efa\u4e00\u4e2akubeconfig\u76ee\u5f55\n[root@master141 pki]# mkdir -pv \/gshcmy\/certs\/kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u96c6\u7fa4\n[root@master141 pki]# kubectl config set-cluster gshcmy-k8s \\\n  --certificate-authority=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  --embed-certs=true \\\n  --server=https:\/\/10.0.0.140:8443 \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-controller-manager.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u7528\u6237\u9879\n[root@master141 pki]# kubectl config set-credentials system:kube-controller-manager \\\n  --client-certificate=\/gshcmy\/certs\/kubernetes\/controller-manager.pem \\\n  --client-key=\/gshcmy\/certs\/kubernetes\/controller-manager-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-controller-manager.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\n[root@master141 pki]# kubectl config set-context system:kube-controller-manager@kubernetes \\\n  --cluster=gshcmy-k8s \\\n  --user=system:kube-controller-manager \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-controller-manager.kubeconfig\n\n\u4f7f\u7528\u9ed8\u8ba4\u7684\u4e0a\u4e0b\u6587\n[root@master141 pki]# kubectl config use-context system:kube-controller-manager@kubernetes \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-controller-manager.kubeconfig<\/code><\/pre>\n\n\n\n
\u751f\u6210scheduler\u8bc1\u4e66\u53cakubeconfig\u6587\u4ef6<\/h2>\n\n\n\n
\u751f\u6210scheduler\u7684CSR\u6587\u4ef6\n[root@master141 pki]# cat > scheduler-csr.json <<EOF\n{\n  \"CN\": \"system:kube-scheduler\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"system:kube-scheduler\",\n      \"OU\": \"Kubernetes-manual\"\n    }\n  ]\n}\nEOF\n\n\u751f\u6210scheduler\u8bc1\u4e66\u6587\u4ef6\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  -profile=kubernetes \\\n  scheduler-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/scheduler\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/scheduler*\n-rw-r--r-- 1 root root 1058 Dec 23 22:33 \/gshcmy\/certs\/kubernetes\/scheduler.csr\n-rw------- 1 root root 1675 Dec 23 22:33 \/gshcmy\/certs\/kubernetes\/scheduler-key.pem\n-rw-r--r-- 1 root root 1476 Dec 23 22:33 \/gshcmy\/certs\/kubernetes\/scheduler.pem\n\n\u8bbe\u7f6e\u4e00\u4e2a\u96c6\u7fa4\n[root@master141 pki]# kubectl config set-cluster gshcmy-k8s \\\n  --certificate-authority=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  --embed-certs=true \\\n  --server=https:\/\/10.0.0.140:8443 \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-scheduler.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u7528\u6237\u9879\n[root@master141 pki]# kubectl config set-credentials system:kube-scheduler \\\n  --client-certificate=\/gshcmy\/certs\/kubernetes\/scheduler.pem \\\n  --client-key=\/gshcmy\/certs\/kubernetes\/scheduler-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-scheduler.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\n[root@master141 pki]# kubectl config set-context system:kube-scheduler@kubernetes \\\n  --cluster=gshcmy-k8s \\\n  --user=system:kube-scheduler \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-scheduler.kubeconfig\n\n\u4f7f\u7528\u9ed8\u8ba4\u7684\u4e0a\u4e0b\u6587\n[root@master141 pki]# kubectl config use-context system:kube-scheduler@kubernetes \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-scheduler.kubeconfig\n<\/code><\/pre>\n\n\n\n
\u914d\u7f6ek8s\u96c6\u7fa4\u7ba1\u7406\u5458\u8bc1\u4e66\u53cakubeconfig\u6587\u4ef6<\/h2>\n\n\n\n
\u751f\u6210\u7ba1\u7406\u5458\u7684CSR\u6587\u4ef6\n[root@master141 pki]# cat > admin-csr.json <<EOF\n{\n  \"CN\": \"admin\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"system:masters\",\n      \"OU\": \"Kubernetes-manual\"\n    }\n  ]\n}\nEOF\n\n\u751f\u6210k8s\u96c6\u7fa4\u7ba1\u7406\u5458\u8bc1\u4e66\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  -profile=kubernetes \\\n  admin-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/admin\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/admin*\n-rw-r--r-- 1 root root 1025 Dec 23 22:47 \/gshcmy\/certs\/kubernetes\/admin.csr\n-rw------- 1 root root 1675 Dec 23 22:47 \/gshcmy\/certs\/kubernetes\/admin-key.pem\n-rw-r--r-- 1 root root 1444 Dec 23 22:47 \/gshcmy\/certs\/kubernetes\/admin.pem\n\n\u8bbe\u7f6e\u4e00\u4e2a\u96c6\u7fa4\n[root@master141 pki]#  kubectl config set-cluster gshcmy-k8s \\\n  --certificate-authority=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  --embed-certs=true \\\n  --server=https:\/\/10.0.0.140:8443 \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-admin.kubeconfig\n  \n  \n\t\t\u8bbe\u7f6e\u4e00\u4e2a\u7528\u6237\u9879\n[root@master141 pki]# kubectl config set-credentials kube-admin \\\n  --client-certificate=\/gshcmy\/certs\/kubernetes\/admin.pem \\\n  --client-key=\/gshcmy\/certs\/kubernetes\/admin-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-admin.kubeconfig\n  \n\t\t\u8bbe\u7f6e\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\n[root@master141 pki]# kubectl config set-context kube-admin@kubernetes \\\n  --cluster=gshcmy-k8s \\\n  --user=kube-admin \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-admin.kubeconfig\n  \n\t\t\u4f7f\u7528\u9ed8\u8ba4\u7684\u4e0a\u4e0b\u6587\n[root@master141 pki]# kubectl config use-context kube-admin@kubernetes \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-admin.kubeconfig\n<\/code><\/pre>\n\n\n\n
\u521b\u5efaServiceAccount<\/h2>\n\n\n\n
ServiceAccount\u662fk8s\u4e00\u79cd\u8ba4\u8bc1\u65b9\u5f0f\uff0c\u521b\u5efaServiceAccount\u7684\u65f6\u5019\u4f1a\u521b\u5efa\u4e00\u4e2a\u4e0e\u4e4b\u7ed1\u5b9a\u7684secret\uff0c\u8fd9\u4e2asecret\u4f1a\u751f\u6210\u4e00\u4e2atoken\n[root@master141 pki]# openssl genrsa -out \/gshcmy\/certs\/kubernetes\/sa.key 2048\n\n\n\u57fa\u4e8esa.key\u521b\u5efasa.pub\n[root@master141 pki]# openssl rsa -in \/gshcmy\/certs\/kubernetes\/sa.key -pubout -out \/gshcmy\/certs\/kubernetes\/sa.pub\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/sa*\n-rw------- 1 root root 1704 Dec 23 22:53 \/gshcmy\/certs\/kubernetes\/sa.key\n-rw-r--r-- 1 root root  451 Dec 23 22:54 \/gshcmy\/certs\/kubernetes\/sa.pub<\/code><\/pre>\n\n\n\n
k8s-master01\u8282\u70b9K8S\u7ec4\u4ef6\u8bc1\u4e66\u62f7\u8d1d\u5230\u5176\u4ed6\u4e24\u4e2amaster\u8282\u70b9<\/h2>\n\n\n\n
k8s-master01\u8282\u70b9\u5c06etcd\u8bc1\u4e66\u62f7\u8d1d\u5230\u5176\u4ed6\u4e24\u4e2amaster\u8282\u70b9\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/kubernetes m\n===== rsyncing master142: kubernetes =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: kubernetes =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n\n[root@master141 pki]# data_rsync.sh \/gshcmy\/certs\/kubeconfig m\n===== rsyncing master142: kubeconfig =====\nroot@master142's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n===== rsyncing master143: kubeconfig =====\nroot@master143's password: \n\u547d\u4ee4\u6267\u884c\u6210\u529f!\n\n\u5176\u4ed6\u4e24\u4e2a\u8282\u70b9\u9a8c\u8bc1\u6587\u4ef6\u6570\u91cf\u662f\u5426\u6b63\u786e\n[root@master142 ~]# ls \/gshcmy\/certs\/kubernetes  | wc -l\n23\n[root@master142 ~]# ls \/gshcmy\/certs\/kubeconfig | wc -l\n3\n[root@master143 ~]# ls \/gshcmy\/certs\/kubernetes  | wc -l\n23\n[root@master143 ~]# ls \/gshcmy\/certs\/kubeconfig | wc -l\n3<\/code><\/pre>\n\n\n\n
\u9ad8\u53ef\u7528\u7ec4\u4ef6haproxy+keepalived\u5b89\u88c5<\/h1>\n\n\n\n
\u6240\u6709master\u3010k8s-master[01-03]\u3011\u8282\u70b9\u5b89\u88c5\u9ad8\u53ef\u7528\u7ec4\u4ef6\n\u6e29\u99a8\u63d0\u793a:\n\t- \u5bf9\u4e8e\u9ad8\u53ef\u7528\u7ec4\u4ef6\uff0c\u5176\u5b9e\u6211\u4eec\u4e5f\u53ef\u4ee5\u5355\u72ec\u627e\u4e24\u53f0\u865a\u62df\u673a\u6765\u90e8\u7f72\uff0c\u4f46\u6211\u4e3a\u4e86\u8282\u77012\u53f0\u673a\u5668\uff0c\u5c31\u76f4\u63a5\u5728master\u8282\u70b9\u590d\u7528\u4e86\u3002\n\t- \u5982\u679c\u5728\u4e91\u4e0a\u5b89\u88c5K8S\u5219\u65e0\u5b89\u88c5\u9ad8\u53ef\u7528\u7ec4\u4ef6\u4e86\uff0c\u6bd5\u7adf\u516c\u6709\u4e91\u5927\u90e8\u5206\u90fd\u662f\u4e0d\u652f\u6301keepalived\u7684\uff0c\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\u4e91\u4ea7\u54c1\uff0c\u6bd4\u5982\u963f\u91cc\u7684\"SLB\"\uff0c\u817e\u8baf\u7684\"ELB\"\u7b49SAAS\u4ea7\u54c1;\n\t- \u63a8\u8350\u4f7f\u7528ELB\uff0cSLB\u6709\u56de\u73af\u7684\u95ee\u9898\uff0c\u4e5f\u5c31\u662fSLB\u4ee3\u7406\u7684\u670d\u52a1\u5668\u4e0d\u80fd\u53cd\u5411\u8bbf\u95eeSLB\uff0c\u4f46\u662f\u817e\u8baf\u4e91\u4fee\u590d\u4e86\u8fd9\u4e2a\u95ee\u9898;\n\u6240\u6709master\n\napt-get -y install keepalived haproxy<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u6240\u6709master\u8282\u70b9\u914d\u7f6ehaproxy\n\u6e29\u99a8\u63d0\u793a:\n\t- haproxy\u7684\u8d1f\u8f7d\u5747\u8861\u5668\u76d1\u542c\u5730\u5740\u6211\u914d\u7f6e\u662f8443\uff0c\u4f60\u53ef\u4ee5\u4fee\u6539\u4e3a\u5176\u4ed6\u7aef\u53e3\uff0chaproxy\u4f1a\u7528\u6765\u53cd\u5411\u4ee3\u7406\u5404\u4e2amaster\u7ec4\u4ef6\u7684\u5730\u5740;\n\t- \u5982\u679c\u4f60\u771f\u7684\u4fee\u6539\u6674\u4e00\u5b9a\u6ce8\u610f\u4e0a\u9762\u7684\u8bc1\u4e66\u914d\u7f6e\u7684kubeconfig\u6587\u4ef6\uff0c\u4e5f\u8981\u4e00\u8d77\u4fee\u6539\uff0c\u5426\u5219\u5c31\u4f1a\u51fa\u73b0\u94fe\u63a5\u96c6\u7fa4\u5931\u8d25\u7684\u95ee\u9898;\n\t\n\t\n\u5177\u4f53\u5b9e\u64cd:\n\t\t2.1 \u5907\u4efd\u914d\u7f6e\u6587\u4ef6\ncp \/etc\/haproxy\/haproxy.cfg{,`date +%F`}\n\n\n\t\t2.2 \u6240\u6709\u8282\u70b9\u7684\u914d\u7f6e\u6587\u4ef6\u5185\u5bb9\u76f8\u540c\ncat > \/etc\/haproxy\/haproxy.cfg << 'EOF'\nglobal\n  maxconn  2000\n  ulimit-n  16384\n  log  127.0.0.1 local0 err\n  stats timeout 30s\n\ndefaults\n  log global\n  mode  http\n  option  httplog\n  timeout connect 5000\n  timeout client  50000\n  timeout server  50000\n  timeout http-request 15s\n  timeout http-keep-alive 15s\n\nfrontend monitor-haproxy\n  bind *:9999\n  mode http\n  option httplog\n  monitor-uri \/ruok\n\nfrontend gshcmy-k8s\n  bind 0.0.0.0:8443\n  bind 127.0.0.1:8443\n  mode tcp\n  option tcplog\n  tcp-request inspect-delay 5s\n  default_backend gshcmy-k8s\n\nbackend gshcmy-k8s\n  mode tcp\n  option tcplog\n  option tcp-check\n  balance roundrobin\n  server master141   10.0.0.141:6443 check inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100\n  server master142   10.0.0.142:6443 check inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100\n  server master143   10.0.0.143:6443 check inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100\nEOF\n\n<\/code><\/pre>\n\n\n\n
\u6240\u6709master\u8282\u70b9\u914d\u7f6ekeepalived\n\u6e29\u99a8\u63d0\u793a:\n\t- \u6ce8\u610f\"interface\"\u5b57\u6bb5\u4e3a\u4f60\u7684\u7269\u7406\u7f51\u5361\u7684\u540d\u79f0\uff0c\u5982\u679c\u4f60\u7684\u7f51\u5361\u662fens33\uff0c\u8bf7\u5c06\"eth0\"\u4fee\u6539\u4e3a\"ens33\"\u54df;\n\t- \u6ce8\u610f\"mcast_src_ip\"\u5404master\u8282\u70b9\u7684\u914d\u7f6e\u5747\u4e0d\u76f8\u540c\uff0c\u4fee\u6539\u6839\u636e\u5b9e\u9645\u73af\u5883\u8fdb\u884c\u4fee\u6539\u54df;\n\t- \u6ce8\u610f\"virtual_ipaddress\"\u6307\u5b9a\u7684\u662f\u8d1f\u8f7d\u5747\u8861\u5668\u7684VIP\u5730\u5740\uff0c\u8fd9\u4e2a\u5730\u5740\u4e5f\u8981\u548ckubeconfig\u6587\u4ef6\u7684Apiserver\u5730\u5740\u8981\u4e00\u81f4\u54df;\n\t- \u6ce8\u610f\"script\"\u5b57\u6bb5\u7684\u811a\u672c\u7528\u4e8e\u68c0\u6d4b\u540e\u7aef\u7684apiServer\u662f\u5426\u5065\u5eb7;\n\t- \u6ce8\u610f\"router_id\"\u5b57\u6bb5\u4e3a\u8282\u70b9ip\uff0cmaster\u6bcf\u4e2a\u8282\u70b9\u914d\u7f6e\u81ea\u5df1\u7684IP\n\nmaster141\u8282\u70b9\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\n[root@master141 ~]# ifconfig\neth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 10.0.0.141  netmask 255.255.255.0  broadcast 10.0.0.255\n        inet6 fe80::20c:29ff:feda:2a78  prefixlen 64  scopeid 0x20<link>\n        ether 00:0c:29:da:2a:78  txqueuelen 1000  (Ethernet)\n        RX packets 87124  bytes 14793699 (14.7 MB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 87498  bytes 10987285 (10.9 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n[root@master141 ~]# cat > \/etc\/keepalived\/keepalived.conf <<'EOF'\n! Configuration File for keepalived\nglobal_defs {\n   router_id 10.0.0.141\n}\nvrrp_script chk_nginx {\n    script \"\/etc\/keepalived\/check_port.sh 8443\"\n    interval 2\n    weight -20\n}\nvrrp_instance VI_1 {\n    state MASTER\n    interface eth0\n    virtual_router_id 251\n    priority 100\n    advert_int 1\n    mcast_src_ip 10.0.0.141\n    nopreempt\n    authentication {\n        auth_type PASS\n        auth_pass gshcmy_k8s\n    }\n    track_script {\n         chk_nginx\n    }\n    virtual_ipaddress {\n        10.0.0.140\n    }\n}\nEOF\n\nmaster142\u8282\u70b9\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\n[root@master142 ~]#  ifconfig\neth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 10.0.0.142  netmask 255.255.255.0  broadcast 10.0.0.255\n        inet6 fe80::20c:29ff:feb2:8da0  prefixlen 64  scopeid 0x20<link>\n        ether 00:0c:29:b2:8d:a0  txqueuelen 1000  (Ethernet)\n        RX packets 67794  bytes 12957944 (12.9 MB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 67085  bytes 9454780 (9.4 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n[root@master142 ~]# cat > \/etc\/keepalived\/keepalived.conf <<EOF\n! Configuration File for keepalived\nglobal_defs {\n   router_id 10.0.0.142\n}\nvrrp_script chk_nginx {\n    script \"\/etc\/keepalived\/check_port.sh 8443\"\n    interval 2\n    weight -20\n}\nvrrp_instance VI_1 {\n    state MASTER\n    interface eth0\n    virtual_router_id 251\n    priority 100\n    advert_int 1\n    mcast_src_ip 10.0.0.142\n    nopreempt\n    authentication {\n        auth_type PASS\n        auth_pass gshcmy_k8s\n    }\n    track_script {\n         chk_nginx\n    }\n    virtual_ipaddress {\n        10.0.0.140\n    }\n}\nEOF\n\nmaster143\u8282\u70b9\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\n[root@master143 ~]# ifconfig\neth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n        inet 10.0.0.143  netmask 255.255.255.0  broadcast 10.0.0.255\n        inet6 fe80::20c:29ff:fe55:5971  prefixlen 64  scopeid 0x20<link>\n        ether 00:0c:29:55:59:71  txqueuelen 1000  (Ethernet)\n        RX packets 76007  bytes 14125808 (14.1 MB)\n        RX errors 0  dropped 0  overruns 0  frame 0\n        TX packets 75099  bytes 10609607 (10.6 MB)\n        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0\n\n[root@master143 ~]# cat > \/etc\/keepalived\/keepalived.conf <<EOF\n! Configuration File for keepalived\nglobal_defs {\n   router_id 10.0.0.143\n}\nvrrp_script chk_nginx {\n    script \"\/etc\/keepalived\/check_port.sh 8443\"\n    interval 2\n    weight -20\n}\nvrrp_instance VI_1 {\n    state MASTER\n    interface eth0\n    virtual_router_id 251\n    priority 100\n    advert_int 1\n    mcast_src_ip 10.0.0.143\n    nopreempt\n    authentication {\n        auth_type PASS\n        auth_pass gshcmy_k8s\n    }\n    track_script {\n         chk_nginx\n    }\n    virtual_ipaddress {\n        10.0.0.140\n    }\n}\nEOF\n\n\u6240\u6709keepalived\u8282\u70b9\u521b\u5efa\u5065\u5eb7\u68c0\u67e5\u811a\u672c\uff08141-143\uff09\ncat > \/etc\/keepalived\/check_port.sh <<'EOF'\n#!\/bin\/bash\nCHK_PORT=$1\nif [ -n \"$CHK_PORT\" ];then\n    PORT_PROCESS=`ss -lt|grep $CHK_PORT|wc -l`\n    if [ $PORT_PROCESS -eq 0 ];then\n        echo \"Port $CHK_PORT Is Not Used,End.\"\n        systemctl stop keepalived\n    fi\nelse\n    echo \"Check Port Cant Be Empty!\"\nfi\nEOF\n\n\u7ed9\u6743\u9650\uff08141-143\uff09\nchmod +x \/etc\/keepalived\/check_port.sh<\/code><\/pre>\n\n\n\n
\u542f\u52a8keepalived\u670d\u52a1\u5e76\u9a8c\u8bc1<\/h2>\n\n\n\n
\u542f\u52a8keepalived\u670d\u52a1\nsystemctl daemon-reload\nsystemctl enable --now keepalived\nsystemctl status keepalived\n<\/code><\/pre>\n\n\n\n
\u9a8c\u8bc1\u670d\u52a1\u662f\u5426\u6b63\u5e38<\/h2>\n\n\n\n
\u6240\u6709master(141-143)\ntee -a \/etc\/sysctl.conf << EOF\nnet.ipv6.conf.eth0.disable_ipv6 = 1\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\nEOF\n\nsysctl -p\n\n[root@master\uff08141-143\uff09 ~]# ip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 00:0c:29:da:2a:78 brd ff:ff:ff:ff:ff:ff\n    altname enp2s1\n    altname ens33\n    inet 10.0.0.141\/24 brd 10.0.0.255 scope global eth0\n       valid_lft forever preferred_lft forever\n    inet 10.0.0.140\/32 scope global eth0\n       valid_lft forever preferred_lft forever\n3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000\n    link\/ipip 0.0.0.0 brd 0.0.0.0\n\n[root@master141 ~]# ping 10.0.0.140\nPING 10.0.0.140 (10.0.0.140) 56(84) bytes of data.\n64 bytes from 10.0.0.140: icmp_seq=1 ttl=64 time=0.016 ms\n64 bytes from 10.0.0.140: icmp_seq=2 ttl=64 time=0.029 ms<\/code><\/pre>\n\n\n\n
\u627e\u4e00\u4e2a\u8282\u70b9\u505c\u6b62<\/p>\n\n\n\n
[root@master141 ~]# systemctl stop keepalived\n\n[root@master141 ~]# ping 10.0.0.140\nPING 10.0.0.140 (10.0.0.140) 56(84) bytes of data.\n64 bytes from 10.0.0.140: icmp_seq=1 ttl=64 time=0.697 ms\n64 bytes from 10.0.0.140: icmp_seq=2 ttl=64 time=0.529 ms\n64 bytes from 10.0.0.140: icmp_seq=3 ttl=64 time=0.504 ms\n64 bytes from 10.0.0.140: icmp_seq=4 ttl=64 time=0.338 ms\n\n\n[root@master141 ~]# ip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 00:0c:29:da:2a:78 brd ff:ff:ff:ff:ff:ff\n    altname enp2s1\n    altname ens33\n    inet 10.0.0.141\/24 brd 10.0.0.255 scope global eth0\n       valid_lft forever preferred_lft forever\n3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000\n    link\/ipip 0.0.0.0 brd 0.0.0.0\n\n\u9a8c\u8bc1vip\u662f\u5426\u98d8\u9038\u5230\u5176\u4ed6\u8282\u70b9\uff0c\u679c\u4e0d\u5176\u7136\uff0c\u771f\u7684\u98d8\u9038\u5230\u5176\u4ed6master\u8282\u70b9\n[root@master143 ~]# ip a\n1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\n    link\/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n    inet 127.0.0.1\/8 scope host lo\n       valid_lft forever preferred_lft forever\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000\n    link\/ether 00:0c:29:55:59:71 brd ff:ff:ff:ff:ff:ff\n    altname enp2s1\n    altname ens33\n    inet 10.0.0.143\/24 brd 10.0.0.255 scope global eth0\n       valid_lft forever preferred_lft forever\n    inet 10.0.0.140\/32 scope global eth0\n       valid_lft forever preferred_lft forever\n3: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000\n    link\/ipip 0.0.0.0 brd 0.0.0.0\n<\/code><\/pre>\n\n\n\n
\u9a8c\u8bc1haproxy\u670d\u52a1\u5e76\u9a8c\u8bc1<\/h2>\n\n\n\n
\u6240\u6709\u8282\u70b9\u542f\u52a8haproxy\u670d\u52a1\nsystemctl enable --now haproxy \nsystemctl restart haproxy \nsystemctl status haproxy \n\n\u6240\u6709\u8282\u70b9\u542f\u52a8keepalived \nsystemctl start keepalived\n\n\u57fa\u4e8etelnet\u9a8c\u8bc1haporxy\u662f\u5426\u6b63\u5e38\n[root@k8s-master02 ~]# telnet 10.0.0.140 8443\n\n\u7531\u4e8e\u521a\u624d141\u505c\u6b62\u6240\u4ee5\u8981\u6267\u884c\u4e0b\u65b9\u547d\u4ee4\n[root@master141 ~]# ip neigh del 10.0.0.140 dev eth0\n[root@master141 ~]# arp -an | grep \"10.0.0.140\"\n[root@master141 ~]# arping -c 2 -I eth0 10.0.0.140\nCommand 'arping' not found, but can be installed with:\napt install iputils-arping  # version 3:20211215-1ubuntu0.1, or\napt install arping          # version 2.22-1\n[root@master141 ~]# arp -an | grep \"10.0.0.140\"\n[root@master141 ~]# telnet 10.0.0.140 8443\nTrying 10.0.0.140...\nConnected to 10.0.0.140.\nEscape character is '^]'.\nConnection closed by foreign host.\n\n\u57fa\u4e8ewebUI\u8fdb\u884c\u9a8c\u8bc1\n[root@master141 ~]# curl http:\/\/10.0.0.140:9999\/ruok\n<html><body><h1>200 OK<\/h1>\nService ready.\n<\/body><\/html><\/code><\/pre>\n\n\n\n
\u90e8\u7f72ApiServer\u7ec4\u4ef6<\/h1>\n\n\n\n
- \"--advertise-address\"\u662f\u5bf9\u5e94\u7684master\u8282\u70b9\u7684IP\u5730\u5740;\n\t- \"--service-cluster-ip-range\"\u5bf9\u5e94\u7684\u662fsvc\u7684\u7f51\u6bb5\n\t- \"--service-node-port-range\"\u5bf9\u5e94\u7684\u662fsvc\u7684NodePort\u7aef\u53e3\u8303\u56f4;\n\t- \"--etcd-servers\"\u6307\u5b9a\u7684\u662fetcd\u96c6\u7fa4\u5730\u5740\n\n\u914d\u7f6e\u6587\u4ef6\u53c2\u8003\u94fe\u63a5:\n\thttps://kubernetes.io\/zh-cn\/docs\/reference\/command-line-tools-reference\/kube-apiserver\/\n<\/code><\/pre>\n\n\n\n
master141\u8282\u70b9<\/p>\n\n\n\n
\u521b\u5efamaster141\u8282\u70b9\u7684\u914d\u7f6e\u6587\u4ef6\ncat > \/usr\/lib\/systemd\/system\/kube-apiserver.service << 'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes API Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-apiserver \\\n      --v=2  \\\n      --bind-address=0.0.0.0  \\\n      --secure-port=6443  \\\n      --allow_privileged=true \\\n      --advertise-address=10.0.0.141 \\\n      --service-cluster-ip-range=10.200.0.0\/16  \\\n      --service-node-port-range=3000-50000  \\\n      --etcd-servers=https:\/\/10.0.0.141:2379,https:\/\/10.0.0.142:2379,https:\/\/10.0.0.143:2379 \\\n      --etcd-cafile=\/gshcmy\/certs\/etcd\/etcd-ca.pem  \\\n      --etcd-certfile=\/gshcmy\/certs\/etcd\/etcd-server.pem  \\\n      --etcd-keyfile=\/gshcmy\/certs\/etcd\/etcd-server-key.pem  \\\n      --client-ca-file=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem  \\\n      --tls-cert-file=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --tls-private-key-file=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --kubelet-client-certificate=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --kubelet-client-key=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --service-account-key-file=\/gshcmy\/certs\/kubernetes\/sa.pub  \\\n      --service-account-signing-key-file=\/gshcmy\/certs\/kubernetes\/sa.key \\\n      --service-account-issuer=https:\/\/kubernetes.default.svc.gshcmy.com \\\n      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname  \\\n      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota  \\\n      --authorization-mode=Node,RBAC  \\\n      --enable-bootstrap-token-auth=true  \\\n      --requestheader-client-ca-file=\/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem  \\\n      --proxy-client-cert-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client.pem  \\\n      --proxy-client-key-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client-key.pem  \\\n      --requestheader-allowed-names=aggregator  \\\n      --requestheader-group-headers=X-Remote-Group  \\\n      --requestheader-extra-headers-prefix=X-Remote-Extra-  \\\n      --requestheader-username-headers=X-Remote-User\n\nRestart=on-failure\nRestartSec=10s\nLimitNOFILE=65535\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u542f\u52a8\u670d\u52a1\n[root@master141 ~]# systemctl daemon-reload && systemctl enable --now kube-apiserver\n[root@master141 ~]# systemctl status kube-apiserver\n[root@master141 ~]# ss -ntl | grep 6443\nLISTEN 0      16384              *:6443             *:*     <\/code><\/pre>\n\n\n\n
master142\u8282\u70b9<\/p>\n\n\n\n
\u521b\u5efamaster142\u8282\u70b9\u7684\u914d\u7f6e\u6587\u4ef6\ncat > \/usr\/lib\/systemd\/system\/kube-apiserver.service << 'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes API Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-apiserver \\\n      --v=2  \\\n      --bind-address=0.0.0.0  \\\n      --secure-port=6443  \\\n      --advertise-address=10.0.0.142 \\\n      --service-cluster-ip-range=10.200.0.0\/16  \\\n      --service-node-port-range=3000-50000  \\\n      --etcd-servers=https:\/\/10.0.0.141:2379,https:\/\/10.0.0.142:2379,https:\/\/10.0.0.143:2379 \\\n      --etcd-cafile=\/gshcmy\/certs\/etcd\/etcd-ca.pem  \\\n      --etcd-certfile=\/gshcmy\/certs\/etcd\/etcd-server.pem  \\\n      --etcd-keyfile=\/gshcmy\/certs\/etcd\/etcd-server-key.pem  \\\n      --client-ca-file=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem  \\\n      --tls-cert-file=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --tls-private-key-file=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --kubelet-client-certificate=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --kubelet-client-key=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --service-account-key-file=\/gshcmy\/certs\/kubernetes\/sa.pub  \\\n      --service-account-signing-key-file=\/gshcmy\/certs\/kubernetes\/sa.key \\\n      --service-account-issuer=https:\/\/kubernetes.default.svc.gshcmy.com \\\n      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname  \\\n      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota  \\\n      --authorization-mode=Node,RBAC  \\\n      --enable-bootstrap-token-auth=true  \\\n      --requestheader-client-ca-file=\/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem  \\\n      --proxy-client-cert-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client.pem  \\\n      --proxy-client-key-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client-key.pem  \\\n      --requestheader-allowed-names=aggregator  \\\n      --requestheader-group-headers=X-Remote-Group  \\\n      --requestheader-extra-headers-prefix=X-Remote-Extra-  \\\n      --requestheader-username-headers=X-Remote-User\n\nRestart=on-failure\nRestartSec=10s\nLimitNOFILE=65535\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u542f\u52a8\u670d\u52a1\n\u542f\u52a8\u670d\u52a1\n[root@master142 ~]# systemctl daemon-reload && systemctl enable --now kube-apiserver\n[root@master142~]# systemctl status kube-apiserver\n[root@master142~]# ss -ntl | grep 6443\nLISTEN 0      16384              *:6443             *:*  <\/code><\/pre>\n\n\n\n
master143\u8282\u70b9<\/p>\n\n\n\n
\u521b\u5efamaster143\u8282\u70b9\u7684\u914d\u7f6e\u6587\u4ef6\ncat > \/usr\/lib\/systemd\/system\/kube-apiserver.service << 'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes API Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-apiserver \\\n      --v=2  \\\n      --bind-address=0.0.0.0  \\\n      --secure-port=6443  \\\n      --advertise-address=10.0.0.143 \\\n      --service-cluster-ip-range=10.200.0.0\/16  \\\n      --service-node-port-range=3000-50000  \\\n      --etcd-servers=https:\/\/10.0.0.141:2379,https:\/\/10.0.0.142:2379,https:\/\/10.0.0.143:2379 \\\n      --etcd-cafile=\/gshcmy\/certs\/etcd\/etcd-ca.pem  \\\n      --etcd-certfile=\/gshcmy\/certs\/etcd\/etcd-server.pem  \\\n      --etcd-keyfile=\/gshcmy\/certs\/etcd\/etcd-server-key.pem  \\\n      --client-ca-file=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem  \\\n      --tls-cert-file=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --tls-private-key-file=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --kubelet-client-certificate=\/gshcmy\/certs\/kubernetes\/apiserver.pem  \\\n      --kubelet-client-key=\/gshcmy\/certs\/kubernetes\/apiserver-key.pem  \\\n      --service-account-key-file=\/gshcmy\/certs\/kubernetes\/sa.pub  \\\n      --service-account-signing-key-file=\/gshcmy\/certs\/kubernetes\/sa.key \\\n      --service-account-issuer=https:\/\/kubernetes.default.svc.gshcmy.com \\\n      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname  \\\n      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota  \\\n      --authorization-mode=Node,RBAC  \\\n      --enable-bootstrap-token-auth=true  \\\n      --requestheader-client-ca-file=\/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem  \\\n      --proxy-client-cert-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client.pem  \\\n      --proxy-client-key-file=\/gshcmy\/certs\/kubernetes\/front-proxy-client-key.pem  \\\n      --requestheader-allowed-names=aggregator  \\\n      --requestheader-group-headers=X-Remote-Group  \\\n      --requestheader-extra-headers-prefix=X-Remote-Extra-  \\\n      --requestheader-username-headers=X-Remote-User\n\nRestart=on-failure\nRestartSec=10s\nLimitNOFILE=65535\n\n[Install]\nWantedBy=multi-user.target\n\n\u542f\u52a8\u670d\u52a1\n[root@master143 ~]# systemctl daemon-reload && systemctl enable --now kube-apiserver\n[root@master143 ~]# systemctl status kube-apiserver\n[root@master143 ~]# ss -ntl | grep 6443\nLISTEN 0      16384              *:6443             *:*<\/code><\/pre>\n\n\n\n
\u90e8\u7f72ControlerManager\u7ec4\u4ef6<\/h1>\n\n\n\n
\u6240\u6709\u8282\u70b9\uff08master\uff09\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\n\u6e29\u99a8\u63d0\u793a:\n\t- \"--cluster-cidr\"\u662fPod\u7684\u7f51\u6bb5\u5730\u5740\uff0c\u6211\u4eec\u53ef\u4ee5\u81ea\u884c\u4fee\u6539\u3002\n\n\u914d\u7f6e\u6587\u4ef6\u53c2\u8003\u94fe\u63a5:\n\thttps://kubernetes.io\/zh-cn\/docs\/reference\/command-line-tools-reference\/kube-controller-manager\/<\/code><\/pre>\n\n\n\n
\u6240\u6709\u8282\u70b9\u7684controller-manager\u7ec4\u4ef6\u914d\u7f6e\u6587\u4ef6\u76f8\u540c: (\u524d\u63d0\u662f\u8bc1\u4e66\u6587\u4ef6\u5b58\u653e\u7684\u4f4d\u7f6e\u4e5f\u8981\u76f8\u540c\u54df!)\ncat > \/usr\/lib\/systemd\/system\/kube-controller-manager.service << 'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes Controller Manager\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-controller-manager \\\n      --v=2 \\\n      --root-ca-file=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n      --cluster-signing-cert-file=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n      --cluster-signing-key-file=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n      --service-account-private-key-file=\/gshcmy\/certs\/kubernetes\/sa.key \\\n      --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-controller-manager.kubeconfig \\\n      --leader-elect=true \\\n      --use-service-account-credentials=true \\\n      --node-monitor-grace-period=40s \\\n      --node-monitor-period=5s \\\n      --controllers=*,bootstrapsigner,tokencleaner \\\n      --allocate-node-cidrs=true \\\n      --cluster-cidr=10.100.0.0\/16 \\\n      --requestheader-client-ca-file=\/gshcmy\/certs\/kubernetes\/front-proxy-ca.pem \\\n      --node-cidr-mask-size=24\n\nRestart=always\nRestartSec=10s\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u542f\u52a8controller-manager\u670d\u52a1\nsystemctl daemon-reload\nsystemctl enable --now kube-controller-manager\nsystemctl  status kube-controller-manager\nss -ntl | grep 10257\n<\/code><\/pre>\n\n\n\n
\u90e8\u7f72Scheduler\u7ec4\u4ef6<\/h1>\n\n\n\n
\u914d\u7f6e\u6587\u4ef6\u53c2\u8003\u94fe\u63a5:\n\thttps://kubernetes.io\/zh-cn\/docs\/reference\/command-line-tools-reference\/kube-scheduler\/<\/code><\/pre>\n\n\n\n
\u6240\u6709\u8282\u70b9(master)\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\n\u6240\u6709\u8282\u70b9\u7684controller-manager\u7ec4\u4ef6\u914d\u7f6e\u6587\u4ef6\u76f8\u540c: (\u524d\u63d0\u662f\u8bc1\u4e66\u6587\u4ef6\u5b58\u653e\u7684\u4f4d\u7f6e\u4e5f\u8981\u76f8\u540c)\ncat > \/usr\/lib\/systemd\/system\/kube-scheduler.service <<'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes Scheduler\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-scheduler \\\n      --v=2 \\\n      --leader-elect=true \\\n      --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-scheduler.kubeconfig\n\nRestart=always\nRestartSec=10s\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u542f\u52a8scheduler\u670d\u52a1\nsystemctl daemon-reload\nsystemctl enable --now kube-scheduler\nsystemctl  status kube-scheduler\nss -ntl | grep 10259\nLISTEN 0      16384              *:10259            *:*<\/code><\/pre>\n\n\n\n
\u521b\u5efaBootstrapping\u81ea\u52a8\u9881\u53d1kubelet\u8bc1\u4e66\u914d\u7f6e<\/h1>\n\n\n\n
master141\u8282\u70b9\u521b\u5efabootstrap-kubelet.kubeconfig\u6587\u4ef6\n\u6e29\u99a8\u63d0\u793a:\n\t- \"--server\"\u53ea\u60f3\u7684\u662f\u8d1f\u8f7d\u5747\u8861\u5668\u7684IP\u5730\u5740\uff0c\u7531\u8d1f\u8f7d\u5747\u8861\u5668\u5bf9master\u8282\u70b9\u8fdb\u884c\u53cd\u5411\u4ee3\u7406\u54df\u3002\n\t- \"--token\"\u4e5f\u53ef\u4ee5\u81ea\u5b9a\u4e49\uff0c\u4f46\u4e5f\u8981\u540c\u65f6\u4fee\u6539\"bootstrap\"\u7684Secret\u7684\"token-id\"\u548c\"token-secret\"\u5bf9\u5e94\u503c;<\/code><\/pre>\n\n\n\n
\u8bbe\u7f6e\u96c6\u7fa4master141\n\nkubectl config set-cluster gshcmy-k8s \\\n  --certificate-authority=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  --embed-certs=true \\\n  --server=https:\/\/10.0.0.140:8443 \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/bootstrap-kubelet.kubeconfig\n\n\u521b\u5efa\u7528\u6237\nkubectl config set-credentials tls-bootstrap-token-user  \\\n  --token=gshcmy.gshcmy \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/bootstrap-kubelet.kubeconfig\n\n\u5c06\u96c6\u7fa4\u548c\u7528\u6237\u8fdb\u884c\u7ed1\u5b9a\nkubectl config set-context tls-bootstrap-token-user@kubernetes \\\n  --cluster=gshcmy-k8s \\\n  --user=tls-bootstrap-token-user \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/bootstrap-kubelet.kubeconfig\n\n\u914d\u7f6e\u9ed8\u8ba4\u7684\u4e0a\u4e0b\u6587\nkubectl config use-context tls-bootstrap-token-user@kubernetes \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/bootstrap-kubelet.kubeconfig\n\n<\/code><\/pre>\n\n\n\n
\u6240\u6709master\u8282\u70b9\u62f7\u8d1d\u7ba1\u7406\u8bc1\u4e66<\/h2>\n\n\n\n
\u6240\u6709master\u90fd\u62f7\u8d1d\u7ba1\u7406\u5458\u7684\u8bc1\u4e66\u6587\u4ef6\n[root@master141-143 ~]# mkdir -p \/root\/.kube\n[root@master141-143 ~]# cp \/gshcmy\/certs\/kubeconfig\/kube-admin.kubeconfig \/root\/.kube\/config\n[root@master141-143~]# kubectl get cs\nWarning: v1 ComponentStatus is deprecated in v1.19+\nNAME                 STATUS    MESSAGE   ERROR\ncontroller-manager   Healthy   ok        \netcd-0               Healthy   ok        \nscheduler            Healthy   ok\nscheduler            Healthy   ok\n\n\u67e5\u770b\u96c6\u7fa4\u72b6\u6001\uff0c\u5982\u679c\u672a\u6765cs\u7ec4\u4ef6\u79fb\u9664\u4e86\u4e5f\u6ca1\u5173\u7cfb\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\"cluster-info\"\u5b50\u547d\u4ee4\u67e5\u770b\u96c6\u7fa4\u72b6\u6001\n[root@master141 ~]# kubectl cluster-info\nKubernetes control plane is running at https:\/\/10.0.0.140:8443\n\nTo further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.\n<\/code><\/pre>\n\n\n\n
\u521b\u5efabootstrap-secret\u6388\u6743<\/h2>\n\n\n\n
\u521b\u5efa\u914dbootstrap-secret\u6587\u4ef6\u7528\u4e8e\u6388\u6743\ncat > bootstrap-secret.yaml <<EOF\napiVersion: v1\nkind: Secret\nmetadata:\n  name: bootstrap-token-gshcmy\n  namespace: kube-system\ntype: bootstrap.kubernetes.io\/token\nstringData:\n  description: \"The default bootstrap token generated by 'kubelet '.\"\n  token-id: gshcmy\n  token-secret: gshcmy\n  usage-bootstrap-authentication: \"true\"\n  usage-bootstrap-signing: \"true\"\n  auth-extra-groups:  system:bootstrappers:default-node-token,system:bootstrappers:worker,system:bootstrappers:ingress\n \n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubelet-bootstrap\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:node-bootstrapper\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: system:bootstrappers:default-node-token\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: node-autoapprove-bootstrap\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: system:bootstrappers:default-node-token\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: node-autoapprove-certificate-rotation\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: system:nodes\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRole\nmetadata:\n  annotations:\n    rbac.authorization.kubernetes.io\/autoupdate: \"true\"\n  labels:\n    kubernetes.io\/bootstrapping: rbac-defaults\n  name: system:kube-apiserver-to-kubelet\nrules:\n  - apiGroups:\n      - \"\"\n    resources:\n      - nodes\/proxy\n      - nodes\/stats\n      - nodes\/log\n      - nodes\/spec\n      - nodes\/metrics\n    verbs:\n      - \"*\"\n---\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: system:kube-apiserver\n  namespace: \"\"\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:kube-apiserver-to-kubelet\nsubjects:\n  - apiGroup: rbac.authorization.k8s.io\n    kind: User\n    name: kube-apiserver\nEOF\n\n\u5e94\u7528bootstrap-secret\u914d\u7f6e\u6587\u4ef6\n[root@master141 ~]# kubectl apply -f bootstrap-secret.yaml\nsecret\/bootstrap-token-gshcmy created\nclusterrolebinding.rbac.authorization.k8s.io\/kubelet-bootstrap created\nclusterrolebinding.rbac.authorization.k8s.io\/node-autoapprove-bootstrap created\nclusterrolebinding.rbac.authorization.k8s.io\/node-autoapprove-certificate-rotation created\nclusterrole.rbac.authorization.k8s.io\/system:kube-apiserver-to-kubelet created\nclusterrolebinding.rbac.authorization.k8s.io\/system:kube-apiserver created<\/code><\/pre>\n\n\n\n
\u90e8\u7f72worker\u8282\u70b9\u4e4bkubelet\u542f\u52a8\u5b9e\u6218<\/h1>\n\n\n\n
\u590d\u5236\u8bc1\u4e66<\/p>\n\n\n\n
 k8s-master01\u8282\u70b9\u5206\u53d1\u8bc1\u4e66\u5230\u5176\u4ed6\u8282\u70b9\n[root@master141 ~]# cd \/gshcmy\/certs\/\nfor NODE in master142 master143 worker144 worker145; do\n     echo $NODE\n     ssh $NODE \"mkdir -p \/gshcmy\/certs\/kube{config,rnetes}\"\n     for FILE in k8s-ca.pem k8s-ca-key.pem front-proxy-ca.pem; do\n       scp kubernetes\/$FILE $NODE:\/gshcmy\/certs\/kubernetes\/${FILE}\n         done\n     scp kubeconfig\/bootstrap-kubelet.kubeconfig $NODE:\/gshcmy\/certs\/kubeconfig\/\ndone\n<\/code><\/pre>\n\n\n\n
worker\u8282\u70b9\u9a8c\u8bc1<\/p>\n\n\n\n
[root@worker145 certs]# ll \/gshcmy\/ -R\n\/gshcmy\/:\ntotal 12\ndrwxr-xr-x  3 root root 4096 Dec 23 20:56 .\/\ndrwxr-xr-x 21 root root 4096 Dec 23 20:56 ..\/\ndrwxr-xr-x  4 root root 4096 Dec 24 21:38 certs\/\n\n\/gshcmy\/certs:\ntotal 16\ndrwxr-xr-x 4 root root 4096 Dec 24 21:38 .\/\ndrwxr-xr-x 3 root root 4096 Dec 23 20:56 ..\/\ndrwxr-xr-x 2 root root 4096 Dec 24 21:40 kubeconfig\/\ndrwxr-xr-x 2 root root 4096 Dec 24 21:40 kubernetes\/\n\n\/gshcmy\/certs\/kubeconfig:\ntotal 12\ndrwxr-xr-x 2 root root 4096 Dec 24 21:40 .\/\ndrwxr-xr-x 4 root root 4096 Dec 24 21:38 ..\/\n-rw------- 1 root root 2223 Dec 24 21:40 bootstrap-kubelet.kubeconfig\n\n\/gshcmy\/certs\/kubernetes:\ntotal 20\ndrwxr-xr-x 2 root root 4096 Dec 24 21:40 .\/\ndrwxr-xr-x 4 root root 4096 Dec 24 21:38 ..\/\n-rw-r--r-- 1 root root 1094 Dec 24 21:40 front-proxy-ca.pem\n-rw------- 1 root root 1679 Dec 24 21:40 k8s-ca-key.pem\n-rw-r--r-- 1 root root 1363 Dec 24 21:40 k8s-ca.pem\n<\/code><\/pre>\n\n\n\n
\u542f\u52a8kubelet\u670d\u52a1<\/h2>\n\n\n\n
- \u5728\"10-kubelet.con\"\u6587\u4ef6\u4e2d\u4f7f\u7528\"--kubeconfig\"\u6307\u5b9a\u7684\"kubelet.kubeconfig\"\u6587\u4ef6\u5e76\u4e0d\u5b58\u5728\uff0c\u8fd9\u4e2a\u8bc1\u4e66\u6587\u4ef6\u540e\u671f\u4f1a\u81ea\u52a8\u751f\u6210;\n\t- \u5bf9\u4e8e\"clusterDNS\"\u662fNDS\u5730\u5740\uff0c\u6211\u4eec\u53ef\u4ee5\u81ea\u5b9a\u4e49\uff0c\u6bd4\u5982\"10.200.0.154\";\n\t- \u201cclusterDomain\u201d\u5bf9\u5e94\u7684\u662f\u57df\u540d\u4fe1\u606f\uff0c\u8981\u548c\u6211\u4eec\u8bbe\u8ba1\u7684\u96c6\u7fa4\u4fdd\u6301\u4e00\u81f4\uff0c\u6bd4\u5982\"gshcmy.com\";\n\t- \"10-kubelet.conf\"\u6587\u4ef6\u4e2d\u7684\"ExecStart=\"\u9700\u8981\u51992\u6b21\uff0c\u5426\u5219\u53ef\u80fd\u65e0\u6cd5\u542f\u52a8kubelet;\n<\/code><\/pre>\n\n\n\n
\u6240\u6709\u8282\u70b9\u521b\u5efa\u5de5\u4f5c\u76ee\u5f55\uff08master,worker\uff09\nmkdir -p \/var\/lib\/kubelet \/var\/log\/kubernetes \/etc\/systemd\/system\/kubelet.service.d \/etc\/kubernetes\/manifests\/\n\n\ncat > \/etc\/kubernetes\/kubelet-conf.yml <<'EOF'\napiVersion: kubelet.config.k8s.io\/v1beta1\nkind: KubeletConfiguration\naddress: 0.0.0.0\nport: 10250\nreadOnlyPort: 10255\nauthentication:\n  anonymous:\n    enabled: false\n  webhook:\n    cacheTTL: 2m0s\n    enabled: true\n  x509:\n    clientCAFile: \/gshcmy\/certs\/kubernetes\/k8s-ca.pem\nauthorization:\n  mode: Webhook\n  webhook:\n    cacheAuthorizedTTL: 5m0s\n    cacheUnauthorizedTTL: 30s\ncgroupDriver: systemd\ncgroupsPerQOS: true\nclusterDNS:\n- 10.200.0.254\nclusterDomain: gshcmy.com\ncontainerLogMaxFiles: 5\ncontainerLogMaxSize: 10Mi\ncontentType: application\/vnd.kubernetes.protobuf\ncpuCFSQuota: true\ncpuManagerPolicy: none\ncpuManagerReconcilePeriod: 10s\nenableControllerAttachDetach: true\nenableDebuggingHandlers: true\nenforceNodeAllocatable:\n- pods\neventBurst: 10\neventRecordQPS: 5\nevictionHard:\n  imagefs.available: 15%\n  memory.available: 100Mi\n  nodefs.available: 10%\n  nodefs.inodesFree: 5%\nevictionPressureTransitionPeriod: 5m0s\nfailSwapOn: true\nfileCheckFrequency: 20s\nhairpinMode: promiscuous-bridge\nhealthzBindAddress: 127.0.0.1\nhealthzPort: 10248\nhttpCheckFrequency: 20s\nimageGCHighThresholdPercent: 85\nimageGCLowThresholdPercent: 80\nimageMinimumGCAge: 2m0s\niptablesDropBit: 15\niptablesMasqueradeBit: 14\nkubeAPIBurst: 10\nkubeAPIQPS: 5\nmakeIPTablesUtilChains: true\nmaxOpenFiles: 1000000\nmaxPods: 110\nnodeStatusUpdateFrequency: 10s\noomScoreAdj: -999\npodPidsLimit: -1\nregistryBurst: 10\nregistryPullQPS: 5\nresolvConf: \/etc\/resolv.conf\nrotateCertificates: true\nruntimeRequestTimeout: 2m0s\nserializeImagePulls: true\nstaticPodPath: \/etc\/kubernetes\/manifests\nstreamingConnectionIdleTimeout: 4h0m0s\nsyncFrequency: 1m0s\nvolumeStatsAggPeriod: 1m0s\nEOF\n\n\u6240\u6709\u8282\u70b9\u914d\u7f6ekubelet service\ncat >  \/usr\/lib\/systemd\/system\/kubelet.service <<'EOF'\n[Unit]\nDescription=gshcmy's Kubernetes Kubelet\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=containerd.service\nRequires=containerd.service\n\n[Service]\nExecStart=\/usr\/local\/bin\/kubelet\nRestart=always\nStartLimitInterval=0\nRestartSec=10\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u6240\u6709\u8282\u70b9\u914d\u7f6ekubelet service\u7684\u914d\u7f6e\u6587\u4ef6\ncat > \/etc\/systemd\/system\/kubelet.service.d\/10-kubelet.conf <<'EOF'\n[Service]\nEnvironment=\"KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=\/gshcmy\/certs\/kubeconfig\/bootstrap-kubelet.kubeconfig --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kubelet.kubeconfig\"\nEnvironment=\"KUBELET_CONFIG_ARGS=--config=\/etc\/kubernetes\/kubelet-conf.yml\"\nEnvironment=\"KUBELET_SYSTEM_ARGS=--container-runtime-endpoint=unix:\/\/\/run\/containerd\/containerd.sock\"\nEnvironment=\"KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io\/node='' \"\nExecStart=\nExecStart=\/usr\/local\/bin\/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS\nEOF\n\n\u542f\u52a8\u6240\u6709\u8282\u70b9kubelet\nsystemctl daemon-reload\nsystemctl enable --now kubelet\nsystemctl status kubelet\n<\/code><\/pre>\n\n\n\n
\u51fa\u73b0\u9519\u8bef\u89e3\u51b3\u65b9\u6848<\/p>\n\n\n\n
\u5982\u679c\u51fa\u73b0\u62a5\u9519\uff1a\nnodes is forbidden: User \\\"system:anonymous\\\" cannot create resource \\\"nodes\\\" in API group \\\"\\\" at the cluster scope\" node=\"k8s-master141\"\n\n\n\u89e3\u51b3\u65b9\u6848:\n[root@master143 ~]# cat test-rbac.yaml\napiVersion: rbac.authorization.k8s.io\/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: gshcmy-kubelet-rbac\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: User\n  name: system:anonymous\n[root@master143 ~]# \n[root@master143 ~]# kubectl apply -f test-rbac.yaml\nclusterrolebinding.rbac.authorization.k8s.io\/oldboyedu-kubelet-rbac created\n[root@master143 ~]# <\/code><\/pre>\n\n\n\n
\u90e8\u7f72worker\u8282\u70b9\u4e4bkube-proxy\u670d\u52a1<\/h1>\n\n\n\n
[root@master141 pki]# cat > kube-proxy-csr.json  <<EOF\n{\n  \"CN\": \"system:kube-proxy\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Beijing\",\n      \"L\": \"Beijing\",\n      \"O\": \"system:kube-proxy\",\n      \"OU\": \"Kubernetes-manual\"\n    }\n  ]\n}\nEOF\n\n\u521b\u5efakube-proxy\u9700\u8981\u7684\u8bc1\u4e66\u6587\u4ef6\n[root@master141 pki]# cfssl gencert \\\n  -ca=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  -ca-key=\/gshcmy\/certs\/kubernetes\/k8s-ca-key.pem \\\n  -config=k8s-ca-config.json \\\n  -profile=kubernetes \\\n  kube-proxy-csr.json | cfssljson -bare \/gshcmy\/certs\/kubernetes\/kube-proxy\n\n[root@master141 pki]# ll \/gshcmy\/certs\/kubernetes\/kube-proxy*\n-rw-r--r-- 1 root root 1045 Dec 24 22:45 \/gshcmy\/certs\/kubernetes\/kube-proxy.csr\n-rw------- 1 root root 1679 Dec 24 22:45 \/gshcmy\/certs\/kubernetes\/kube-proxy-key.pem\n-rw-r--r-- 1 root root 1464 Dec 24 22:45 \/gshcmy\/certs\/kubernetes\/kube-proxy.pem\n\n\u8bbe\u7f6e\u96c6\u7fa4\n[root@master141 pki]# kubectl config set-cluster gshcmy-k8s \\\n  --certificate-authority=\/gshcmy\/certs\/kubernetes\/k8s-ca.pem \\\n  --embed-certs=true \\\n  --server=https:\/\/10.0.0.140:8443 \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u7528\u6237\u9879\n[root@master141 pki]# kubectl config set-credentials system:kube-proxy \\\n  --client-certificate=\/gshcmy\/certs\/kubernetes\/kube-proxy.pem \\\n  --client-key=\/gshcmy\/certs\/kubernetes\/kube-proxy-key.pem \\\n  --embed-certs=true \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig\n\n\u8bbe\u7f6e\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\n[root@master141 pki]# kubectl config set-context kube-proxy@kubernetes \\\n  --cluster=gshcmy-k8s \\\n  --user=system:kube-proxy \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig\n\n\u4f7f\u7528\u9ed8\u8ba4\u7684\u4e0a\u4e0b\u6587\n[root@master141 pki]# kubectl config use-context kube-proxy@kubernetes \\\n  --kubeconfig=\/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig\n\n\u5c06kube-proxy\u7684systemd Service\u6587\u4ef6\u53d1\u9001\u5230\u5176\u4ed6\u8282\u70b9\n[root@master141 pki]# for NODE in master142 master143 worker144 worker145; do\n     echo $NODE\n     scp \/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig $NODE:\/gshcmy\/certs\/kubeconfig\/\ndone\n\n\u6240\u6709\u8282\u70b9\u521b\u5efakube-proxy.conf\u914d\u7f6e\u6587\u4ef6\ncat > \/etc\/kubernetes\/kube-proxy.yml << EOF\napiVersion: kubeproxy.config.k8s.io\/v1alpha1\nkind: KubeProxyConfiguration\nbindAddress: 0.0.0.0\nmetricsBindAddress: 127.0.0.1:10249\nclientConnection:\n  acceptConnection: \"\"\n  burst: 10\n  contentType: application\/vnd.kubernetes.protobuf\n  kubeconfig: \/gshcmy\/certs\/kubeconfig\/kube-proxy.kubeconfig\n  qps: 5\nclusterCIDR: 10.100.0.0\/16\nconfigSyncPeriod: 15m0s\nconntrack:\n  max: null\n  maxPerCore: 32768\n  min: 131072\n  tcpCloseWaitTimeout: 1h0m0s\n  tcpEstablishedTimeout: 24h0m0s\nenableProfiling: false\nhealthzBindAddress: 0.0.0.0:10256\nhostnameOverride: \"\"\niptables:\n  masqueradeAll: false\n  masqueradeBit: 14\n  minSyncPeriod: 0s\nipvs:\n  masqueradeAll: true\n  minSyncPeriod: 5s\n  scheduler: \"rr\"\n  syncPeriod: 30s\nmode: \"ipvs\"\nnodeProtAddress: null\noomScoreAdj: -999\nportRange: \"\"\nudpIdelTimeout: 250ms\nEOF\n\n\u6240\u6709\u8282\u70b9\u4f7f\u7528systemd\u7ba1\u7406kube-proxy\ncat > \/usr\/lib\/systemd\/system\/kube-proxy.service << EOF\n[Unit]\nDescription=gshcmy's Kubernetes Proxy\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/local\/bin\/kube-proxy \\\n  --config=\/etc\/kubernetes\/kube-proxy.yml \\\n  --v=2 \nRestart=on-failure\nLimitNOFILE=65536\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\n\u6240\u6709\u8282\u70b9\u542f\u52a8kube-proxy\nsystemctl daemon-reload && systemctl enable --now kube-proxy\nsystemctl status kube-proxy\nss -ntl |grep 10249\n<\/code><\/pre>\n\n\n\n
\u7f51\u7edc\u63d2\u4ef6calico\u90e8\u7f72\u6848\u4f8b<\/h1>\n\n\n\n
\u53c2\u8003\u94fe\u63a5:\n\thttps://docs.tigera.io\/calico\/latest\/getting-started\/kubernetes\/quickstart<\/code><\/pre>\n\n\n\n
1.\u4e0b\u8f7d\u8d44\u6e90\u6e05\u5355\n[root@master142 ~]# wget https:\/\/raw.githubusercontent.com\/projectcalico\/calico\/v3.28.0\/manifests\/tigera-operator.yaml\n\n[root@master142 ~]# wget https:\/\/raw.githubusercontent.com\/projectcalico\/calico\/v3.28.0\/manifests\/custom-resources.yaml@yuanbao\n\n\u6839\u636e\u81ea\u5df1\u7684K8S\u60c5\u51b5\u4fee\u6539Pod\u7f51\u6bb5\n[root@master142 ~]# grep cidr custom-resources.yaml \n      cidr: 192.168.0.0\/16\n[root@master142 ~]# \n[root@master142 ~]# sed -i '\/cidr\/s#192.168#10.100#' custom-resources.yaml \n[root@master142 ~]# \n[root@master142 ~]# grep cidr custom-resources.yaml \n      cidr: 10.100.0.0\/16\n\n\u90e8\u7f72calico \n[root@master142 ~]# kubectl create -f tigera-operator.yaml \n[root@master142 ~]# \n[root@master142 ~]# kubectl create -f custom-resources.yaml \n\n\u67e5\u770bcalico\u662f\u5426\u90e8\u7f72\u6210\u529f\n[root@master141 pki]# kubectl get pods -A -o wide\n\u6e29\u99a8\u63d0\u793a:\n\t\u53ef\u80fd\u4f1a\u51fa\u73b0\u955c\u50cf\u4e0b\u8f7d\u5931\u8d25\u7684\u60c5\u51b5\uff0c\u56e0\u6b64\u9700\u8981\u624b\u52a8\u62c9\u53d6\u955c\u50cf\uff01\n\n\u5378\u8f7dcalico \n[root@master142 ~]# kubectl delete -f custom-resources.yaml  -f  tigera-operator.yaml\n<\/code><\/pre>\n\n\n\n
\u90e8\u7f72Flannel<\/h1>\n\n\n\n
\u4e0b\u8f7d\u8d44\u6e90\u6e05\u5355\n[root@master141 ~]# wget https:\/\/github.com\/flannel-io\/flannel\/releases\/latest\/download\/kube-flannel.ym\n\n\u4fee\u6539\u8d44\u6e90\u6e05\u5355\n[root@k8s-master01 ~]# grep 16 kube-flannel.yml \n      \"Network\": \"10.144.0.0\/16\",\n\n[root@k8s-master01 ~]# sed -i '\/Network\/s#144#100#' kube-flannel.yml \n\n[root@k8s-master01 ~]# grep 16 kube-flannel.yml \n      \"Network\": \"10.100.0.0\/16\",\n\n[root@k8s-master01 ~]# grep image kube-flannel.yml \n        image: docker.io\/flannel\/flannel:v0.25.4\n        image: docker.io\/flannel\/flannel-cni-plugin:v1.4.1-flannel1\n        image: docker.io\/flannel\/flannel:v0.25.4\n\n[root@k8s-master01 ~]# sed -i 's#docker.io\/flannel\/flannel:v0.25.4#docker.io\/flannel\/flannel:v0.25.3#' kube-flannel.yml \n\n[root@k8s-master01 ~]# grep image kube-flannel.yml \n        image: docker.io\/flannel\/flannel:v0.25.3\n        image: docker.io\/flannel\/flannel-cni-plugin:v1.4.1-flannel1\n        image: docker.io\/flannel\/flannel:v0.25.3\n\n\u90e8\u7f72Flannel\nkubectl apply -f kube-flannel.yml \n\u67e5\u770bflannel \u7ec4\u4ef6\nkubectl get pods -A -o wide\n\n\u67e5\u770b\u96c6\u7fa4\u662f\u5426\u6b63\u5e38\n kubectl get nodes<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u672c\u6587\u73af\u5883\uff1aVMware\u521b\u5efa\u7684\u865a\u62df\u673a \u64cd\u4f5c\u7cfb\u7edf\uff1aub …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-213","post","type-post","status-publish","format-standard","hentry","category-k8s"],"_links":{"self":[{"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=213"}],"version-history":[{"count":36,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":309,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions\/309"}],"wp:attachment":[{"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gshcmy.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}