编译安装kubernetes 1.15.3

环境：

操作系统： win10 on Ubuntu 18.04.3 LTS (GNU/Linux 4.4.0-18362-Microsoft x86_64)
GO 版本 go version go1.12.9 linux/amd64
GCC 版本 gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
make 版本 Make 4.1
部署服务器： etcd 192.168.30.31 kubernetes 192.168.30.32
部署环境：centos 7.6
业务部署目录：/apps/业务
K8S 网段 10.66.0.0/16
docker pod 网段 10.67.0.0/16
使用kube-router 提供网络服务

go 环境部署

cd /usr/local/src
wget https://dl.google.com/go/go1.12.9.linux-amd64.tar.gz
tar -xvf go1.12.9.linux-amd64.tar.gz
mv go ../
vi /etc/profile
export GOPATH=/mnt/e/work/go
export GOBIN=/mnt/e/work/go/bin
PATH=$PATH:/usr/local/go/bin:$HOME/bin:$GOBIN
export PATH
source /etc/profile
go version 
root@Qist:~# go version
go version go1.12.9 linux/amd64
创建go 工作目录BIN目录
mkdir -p /mnt/e/work/go/{bin,src,pkg}

安装编译kubernetes 1.15.3 依赖

apt -y install make gcc

编译kubernetes 1.15.3

wget https://github.com/kubernetes/kubernetes/archive/v1.15.3.tar.gz
tar -xvf v1.15.3.tar.gz
cd kubernetes-1.15.3/
make
cd ./_output/local/bin/linux/amd64
mkdir -p /mnt/e/work/k8s/bin
cp -pdr kube* /mnt/e/work/k8s/bin/

编译证书生成工具

go get  github.com/cloudflare/cfssl/cmd/cfssl
go get  github.com/cloudflare/cfssl/cmd/cfssljson

部署etcd

#etcd 使用二进制方式部署编译依赖会用到墙外的东西环境设置比较麻烦 etcd 节点服务器操作
wget https://github.com/etcd-io/etcd/releases/download/v3.4.0/etcd-v3.4.0-linux-amd64.tar.gz
mkdir -p /apps/etcd/{bin,conf,ssl,data}
# 数据存储目录
mkdir -p /apps/etcd/data/default.etcd
# 创建 etcd 用户
 useradd etcd -s /sbin/nologin -M
 # 解压etcd
 tar -xvf  etcd-v3.4.0-linux-amd64.tar.gz
 # cp 可执行文件到工作目录
 cd etcd-v3.4.0-linux-amd64/
 cp -pdr etcd  etcdctl /apps/etcd/bin/
 # etcd 证书 在win on Ubuntu 操作
 mkdir -p /apps/work/k8s/cfssl/ && \
cat << EOF | tee /apps/work/k8s/cfssl/ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
# 创建etcd ca证书配置
mkdir -p /apps/work/k8s/cfssl/etcd
cat << EOF | tee /apps/work/k8s/cfssl/etcd/etcd-ca-csr.json
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "cluster",
"OU": "cluster"
}
]
}
EOF
# 生成 ETCD CA 证书和私钥
mkdir -p /apps/work/k8s/cfssl/pki/etcd
cfssl gencert -initca /apps/work/k8s/cfssl/etcd/etcd-ca-csr.json | cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd-ca
# 创建 ETCD Server 证书 
export ETCD_SERVER_IPS=" \
\"192.168.30.31\" \
" && \
export ETCD_SERVER_HOSTNAMES=" \
\"etcd\" \
" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/etcd_server.json
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
${ETCD_SERVER_IPS},
${ETCD_SERVER_HOSTNAMES}
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "cluster",
"OU": "cluster"
}
]
}
EOF
# 生成 ETCD Server 证书和私钥
cfssl gencert \
-ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/apps/work/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/apps/work/k8s/cfssl/etcd/etcd_server.json | \
cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_server
# 创建 ETCD Member 证书
export ETCD_MEMBER_1_IP=" \
    \"192.168.30.31\" \
" && \
export ETCD_MEMBER_1_HOSTNAMES="etcd\
" && \
cat << EOF | tee /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_1_HOSTNAMES}.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    ${ETCD_MEMBER_1_IP},
    "${ETCD_MEMBER_1_HOSTNAMES}"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "cluster",
      "OU": "cluster"
    }
  ]
}
EOF
##### 生成 ETCD Member 1 证书和私钥
cfssl gencert \
    -ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes \
    /apps/work/k8s/cfssl/etcd/${ETCD_MEMBER_1_HOSTNAMES}.json | \
    cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_member_${ETCD_MEMBER_1_HOSTNAMES}
# 创建 ETCD Client 配置文件
cat << EOF | tee /apps/work/k8s/cfssl/etcd/etcd_client.json
{
"CN": "client",
"hosts": [""], 
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "cluster",
"OU": "cluster"
}
]
}
EOF
#生成 ETCD Client 证书和私钥
 
cfssl gencert \
-ca=/apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem \
-ca-key=/apps/work/k8s/cfssl/pki/etcd/etcd-ca-key.pem \
-config=/apps/work/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/apps/work/k8s/cfssl/etcd/etcd_client.json | \
cfssljson -bare /apps/work/k8s/cfssl/pki/etcd/etcd_client
# 复制证书到etcd 节点服务器
scp -r /apps/work/k8s/cfssl/pki/etcd/*  192.168.30.31:/apps/etcd/ssl
# 配置etcd 启动文件 etcd 服务器操作
vi /apps/etcd/conf/etcd
ETCD_OPTS="--name=etcd \
           --data-dir=/apps/etcd/data/default.etcd \
           --listen-peer-urls=https://192.168.30.31:2380 \
           --listen-client-urls=https://192.168.30.31:2379,https://127.0.0.1:2379 \
           --advertise-client-urls=https://192.168.30.31:2379 \
           --initial-advertise-peer-urls=https://192.168.30.31:2380 \
           --initial-cluster=etcd=https://192.168.30.31:2380\
           --initial-cluster-token=node4=etcd=https://192.168.30.31:2380 \
           --initial-cluster-state=new \
           --heartbeat-interval=6000 \
           --election-timeout=30000 \
           --snapshot-count=5000 \
           --auto-compaction-retention=1 \
           --max-request-bytes=33554432 \
           --quota-backend-bytes=17179869184 \
           --trusted-ca-file=/apps/etcd/ssl/etcd-ca.pem \
           --cert-file=/apps/etcd/ssl/etcd_server.pem \
           --key-file=/apps/etcd/ssl/etcd_server-key.pem \
           --peer-cert-file=/apps/etcd/ssl/etcd_member_etcd.pem \
           --peer-key-file=/apps/etcd/ssl/etcd_member_etcd-key.pem \
           --peer-client-cert-auth \
           --peer-trusted-ca-file=/apps/etcd/ssl/etcd-ca.pem"
# 配置etcd 启动service 文件
vi /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
LimitNOFILE=1024000
LimitNPROC=1024000
LimitCORE=infinity
LimitMEMLOCK=infinity
User=etcd
Group=etcd
EnvironmentFile=-/apps/etcd/conf/etcd
ExecStart=/apps/etcd/bin/etcd $ETCD_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
 
# etcd 目录 etcd 用户权限
chown -R etcd.etcd /apps/etcd
# 启动 etcd
systemctl start etcd
# 设置开机启动
systemctl enable etcd
# 设置环境变量
 /etc/profile
 export ETCDCTL_API=3
export ENDPOINTS=https://192.168.30.31:2379
#执行
source /etc/profile
vim ~/.bashrc
alias etcdctl='/apps/etcd/bin/etcdctl --endpoints=${ENDPOINTS} --cacert=/apps/etcd/ssl/etcd-ca.pem'
source ~/.bashrc
# 查看状态
etcdctl endpoint health
[root@etcd ~]# etcdctl endpoint health
https://192.168.30.31:2379 is healthy: successfully committed proposal: took = 16.707114ms

kube-apiserver 部署

# win on Ubuntu 操作
#创建kube-apiserver ca证书配置
mkdir -p /apps/work/k8s/cfssl/k8s
cat << EOF | tee /apps/work/k8s/cfssl/k8s/k8s-ca-csr.json
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "cluster",
"OU": "cluster"
}
]
}
EOF
#生成 Kubernetes CA 证书和私钥
 
mkdir -p /apps/work/k8s/cfssl/pki/k8s
cfssl gencert -initca /apps/work/k8s/cfssl/k8s/k8s-ca-csr.json | \
cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/k8s-ca
#创建 Kubernetes API Server 证书配置文件
export K8S_APISERVER_VIP=" \
\"192.168.30.32\" \
" && \
export K8S_APISERVER_SERVICE_CLUSTER_IP="10.66.0.1" && \
export K8S_APISERVER_HOSTNAME="api.k8s.cluster.local" && \
export K8S_CLUSTER_DOMAIN_SHORTNAME="cluster" && \
export K8S_CLUSTER_DOMAIN_FULLNAME="cluster.local" && \
cat << EOF | tee /apps/work/k8s/cfssl/k8s/k8s_apiserver.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
${K8S_APISERVER_VIP}
"${K8S_APISERVER_SERVICE_CLUSTER_IP}", 
"${K8S_APISERVER_HOSTNAME}",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.${K8S_CLUSTER_DOMAIN_SHORTNAME}",
"kubernetes.default.svc.${K8S_CLUSTER_DOMAIN_FULLNAME}" 
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangDong",
"L": "GuangZhou",
"O": "cluster",
"OU": "cluster"
}
]
}
EOF
#生成 Kubernetes API Server 证书和私钥
 
cfssl gencert \
-ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
-ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
-config=/apps/work/k8s/cfssl/ca-config.json \
-profile=kubernetes \
/apps/work/k8s/cfssl/k8s/k8s_apiserver.json | \
cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/k8s_server
# 创建 Kubernetes webhook 证书配置文件
cat << EOF | tee /apps/work/k8s/cfssl/k8s/aggregator.json
{
  "CN": "aggregator",
  "hosts": [""], 
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "cluster",
      "OU": "cluster"
    }
  ]
}
EOF
 
##### 生成 Kubernetes webhook 证书和私钥
cfssl gencert \
    -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes \
    /apps/work/k8s/cfssl/k8s/aggregator.json | \
    cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/aggregator
    # 远程服务器创建目录
    mkdir -p /apps/kubernetes/{bin,conf,config,kubelet-plugins,log,ssl}
 #证书到分发到 192.168.30.32
 scp -r /apps/work/k8s/cfssl/pki/k8s 192.168.30.32:/apps/kubernetes/ssl/k8s
 # cp  etcd_client 证书
  scp -r /apps/work/k8s/cfssl/pki/etcd/etcd_client* 192.168.30.32:/apps/kubernetes/ssl/etcd
    scp -r /apps/work/k8s/cfssl/pki/etcd/etcd-ca.pem 192.168.30.32:/apps/kubernetes/ssl/etcd
# 分发kubernetes 二进制文件到远程服务器把所有的二进制都cp 过去
scp -r /mnt/e/work/k8s/bin/* 192.168.30.32:/apps/kubernetes/bin
# 远程服务器操作192.168.30.32
 # 创建 k8s 用户
 useradd k8s -s /sbin/nologin -M
 # encryption-config.yaml 生成
 cd /apps/kubernetes/config
 export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
 cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
# Apiserver配置文件生成
cd  /apps/kubernetes/conf
vi  kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=false \
        --bind-address=192.168.30.32 \
        --advertise-address=192.168.30.32 \
        --secure-port=5443 \
        --insecure-port=0 \
        --service-cluster-ip-range=10.66.0.0/16 \
        --service-node-port-range=30000-65000 \
        --etcd-cafile=/apps/kubernetes/ssl/etcd/etcd-ca.pem \
        --etcd-certfile=/apps/kubernetes/ssl/etcd/etcd_client.pem \
        --etcd-keyfile=/apps/kubernetes/ssl/etcd/etcd_client-key.pem \
        --etcd-prefix=/registry \
        --etcd-servers=https://192.168.30.31:2379 \
        --client-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
        --tls-cert-file=/apps/kubernetes/ssl/k8s/k8s_server.pem \
        --tls-private-key-file=/apps/kubernetes/ssl/k8s/k8s_server-key.pem \
        --kubelet-client-certificate=/apps/kubernetes/ssl/k8s/k8s_server.pem \
        --kubelet-client-key=/apps/kubernetes/ssl/k8s/k8s_server-key.pem \
        --service-account-key-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
        --requestheader-client-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
        --proxy-client-cert-file=/apps/kubernetes/ssl/k8s/aggregator.pem \
        --proxy-client-key-file=/apps/kubernetes/ssl/k8s/aggregator-key.pem \
        --requestheader-allowed-names=aggregator \
        --requestheader-group-headers=X-Remote-Group \
        --requestheader-extra-headers-prefix=X-Remote-Extra- \
        --requestheader-username-headers=X-Remote-User \
        --enable-aggregator-routing=true \
        --anonymous-auth=false \
        --allow-privileged=true \
        --experimental-encryption-provider-config=/apps/kubernetes/config/encryption-config.yaml \
        --enable-admission-plugins=AlwaysPullImages,DefaultStorageClass,DefaultTolerationSeconds,LimitRanger,NamespaceExists,NamespaceLifecycle,NodeRestriction,OwnerReferencesPermissionEnforcement,PodNodeSelector,PersistentVolumeClaimResize,PodPreset,PodTolerationRestriction,ResourceQuota,ServiceAccount,StorageObjectInUseProtection MutatingAdmissionWebhook ValidatingAdmissionWebhook \
        --disable-admission-plugins=DenyEscalatingExec,ExtendedResourceToleration,ImagePolicyWebhook,LimitPodHardAntiAffinityTopology,NamespaceAutoProvision,Priority,EventRateLimit,PodSecurityPolicy \
        --cors-allowed-origins=.* \
        --enable-swagger-ui \
        --runtime-config=api/all=true \
        --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
        --authorization-mode=Node,RBAC \
        --apiserver-count=1 \
        --audit-log-maxage=30 \
        --audit-log-maxbackup=3 \
        --audit-log-maxsize=100 \
        --kubelet-https \
        --event-ttl=1h \
        --feature-gates=RotateKubeletServerCertificate=true,RotateKubeletClientCertificate=true \
        --enable-bootstrap-token-auth=true \
        --audit-log-path=/apps/kubernetes/log/api-server-audit.log \
        --alsologtostderr=true \
        --log-dir=/apps/kubernetes/log \
        --v=2 \
        --endpoint-reconciler-type=lease \
        --max-mutating-requests-inflight=100 \
        --max-requests-inflight=500 \
        --target-ram-mb=6000"
#  kube-apiserver systemd文件
vi /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
Type=notify
LimitNOFILE=1024000
LimitNPROC=1024000
LimitCORE=infinity
LimitMEMLOCK=infinity
EnvironmentFile=-/apps/kubernetes/conf/kube-apiserver
ExecStart=/apps/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
User=k8s
[Install]
WantedBy=multi-user.target
# /apps/kubernetes 目录k8s 权限
chown -R k8s.k8s /apps/kubernetes
# 启动kube-apiserver
systemctl start kube-apiserver
# 设置开机启动
systemctl enable kube-apiserver
#创建admin管理员证书  win on Ubuntu  操作
cat << EOF | tee /apps/work/k8s/cfssl/k8s/k8s_apiserver_admin.json
{
  "CN": "admin",
  "hosts": [""], 
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "system:masters",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF
 
cfssl gencert -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes \
        /apps/work/k8s/cfssl/k8s/k8s_apiserver_admin.json | \
        cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/k8s_apiserver_admin
 
# 创建admin管理员登录 admin.kubeconfig
export KUBE_APISERVER="https://192.168.30.32:5443"
kubectl config set-cluster kubernetes \
--certificate-authority=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
--embed-certs=true  \
--server=${KUBE_APISERVER} \
--kubeconfig=admin.kubeconfig
 
 kubectl config set-credentials admin \
 --client-certificate=/apps/work/k8s/cfssl/pki/k8s/k8s_apiserver_admin.pem \
 --client-key=/apps/work/k8s/cfssl/pki/k8s/k8s_apiserver_admin-key.pem \
 --embed-certs=true \
 --kubeconfig=admin.kubeconfig
 
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--namespace=kube-system \
--kubeconfig=admin.kubeconfig
 
kubectl config use-context kubernetes --kubeconfig=admin.kubeconfig
# cp 证书到当前用户目录
cp admin.kubeconfig ~/.kube/config
# 验证kube-apiserver 是否正常
kubectl cluster-info 
[root@]~]#kubectl cluster-info
Kubernetes master is running at https://192.168.30.32:5443

kube_scheduler 部署

#  生成kube_scheduler访问kube-apiserver 证书win on Ubuntu  操作
cat << EOF | tee /apps/work/k8s/cfssl/k8s/k8s_scheduler.json
{
  "CN": "system:kube-scheduler",
  "hosts": [""], 
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "system:kube-scheduler",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF
 
##  生成 Kubernetes Scheduler 证书和私钥
cfssl gencert \
    -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes \
    /apps/work/k8s/cfssl/k8s/k8s_scheduler.json | \
    cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/k8s_scheduler
#创建kube_scheduler.kubeconfig
kubectl config set-cluster kubernetes \
    --certificate-authority=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    --embed-certs=true \
    --server=${KUBE_APISERVER} \
    --kubeconfig=kube_scheduler.kubeconfig
 
kubectl config set-credentials system:kube-scheduler \
    --client-certificate=/apps/work/k8s/cfssl/pki/k8s/k8s_scheduler.pem \
    --embed-certs=true \
    --client-key=/apps/work/k8s/cfssl/pki/k8s/k8s_scheduler-key.pem \
    --kubeconfig=kube_scheduler.kubeconfig
kubectl config set-context kubernetes \
    --cluster=kubernetes \
    --user=system:kube-scheduler \
    --kubeconfig=kube_scheduler.kubeconfig
 
kubectl config use-context kubernetes --kubeconfig=kube_scheduler.kubeconfig
# cp kube_scheduler.kubeconfig 到远程服务器
scp kube_scheduler.kubeconfig 192.168.30.32:/apps/kubernetes/config
# 远程服务器操作
cd /apps/kubernetes/conf
# 创建kube-scheduler 启动配置文件
vi kube-scheduler
KUBE_SCHEDULER_OPTS=" \
                   --logtostderr=false \
                   --address=0.0.0.0 \
                   --leader-elect=true \
                   --kubeconfig=/apps/kubernetes/config/kube_scheduler.kubeconfig \
                   --authentication-kubeconfig=/apps/kubernetes/config/kube_scheduler.kubeconfig \
                   --authorization-kubeconfig=/apps/kubernetes/config/kube_scheduler.kubeconfig \
                   --alsologtostderr=true \
                   --kube-api-qps=100 \
                   --kube-api-burst=100 \
                   --log-dir=/apps/kubernetes/log \
                   --v=2"
# 创建/kube-scheduler 启动文件
 
vi /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
LimitNOFILE=1024000
LimitNPROC=1024000
LimitCORE=infinity
LimitMEMLOCK=infinity
EnvironmentFile=-/apps/kubernetes/conf/kube-scheduler
ExecStart=/apps/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
RestartSec=5
User=k8s
[Install]
WantedBy=multi-user.target
# 给新创建文件 k8s 用户权限
chown -R k8s.k8s /apps/kubernetes
# 启动 kube-scheduler
systemctl start kube-scheduler
# 设置开启启动
systemctl enable kube-scheduler
# 验证状态
 kubectl get cs
 [root@]~]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-0               Healthy   {"health":"true"}

kube-controller-manager部署

# 生成kube-controller-manager访问kube-apiserver 证书 win on Ubuntu  操作
cat << EOF | tee /apps/work/k8s/cfssl/k8s/k8s_controller_manager.json
{
  "CN": "system:kube-controller-manager",
  "hosts": [""], 
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "system:kube-controller-manager",
      "OU": "Kubernetes-manual"
    }
  ]
}
EOF
 
## 生成 Kubernetes Controller Manager 证书和私钥
cfssl gencert \
    -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes \
    /apps/work/k8s/cfssl/k8s/k8s_controller_manager.json | \
    cfssljson -bare /apps/work/k8s/cfssl/pki/k8s/k8s_controller_manager
# 创建kube_controller_manager.kubeconfig
kubectl config set-cluster kubernetes \
   --certificate-authority=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
   --embed-certs=true \
   --server=${KUBE_APISERVER} \
   --kubeconfig=kube_controller_manager.kubeconfig
 
kubectl config set-credentials system:kube-controller-manager \
   --client-certificate=/apps/work/k8s/cfssl/pki/k8s/k8s_controller_manager.pem \
   --embed-certs=true \
   --client-key=/apps/work/k8s/cfssl/pki/k8s/k8s_controller_manager-key.pem \
   --kubeconfig=kube_controller_manager.kubeconfig
 
kubectl config set-context kubernetes \
   --cluster=kubernetes \
   --user=system:kube-controller-manager \
   --kubeconfig=kube_controller_manager.kubeconfig
 
kubectl config use-context kubernetes --kubeconfig=kube_controller_manager.kubeconfig
# cp kube_controller_manager.kubeconfig 到远程服务器
scp kube_controller_manager.kubeconfig 192.168.30.32:/apps/kubernetes/config
#  远程服务器操作
cd /apps/kubernetes/conf
vi kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
 --leader-elect=true \
 --address=0.0.0.0 \
 --service-cluster-ip-range=10.66.0.0/16 \
 --cluster-cidr=10.67.0.0/16 \
 --node-cidr-mask-size=24 \
 --cluster-name=kubernetes \
 --allocate-node-cidrs=true \
 --kubeconfig=/apps/kubernetes/config/kube_controller_manager.kubeconfig \
 --authentication-kubeconfig=/apps/kubernetes/config/kube_controller_manager.kubeconfig \
 --authorization-kubeconfig=/apps/kubernetes/config/kube_controller_manager.kubeconfig \
 --use-service-account-credentials=true \
 --client-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
 --requestheader-client-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
 --node-monitor-grace-period=40s \
 --node-monitor-period=5s \
 --pod-eviction-timeout=5m0s \
 --terminated-pod-gc-threshold=50 \
 --alsologtostderr=true \
 --cluster-signing-cert-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
 --cluster-signing-key-file=/apps/kubernetes/ssl/k8s/k8s-ca-key.pem  \
 --deployment-controller-sync-period=10s \
 --experimental-cluster-signing-duration=86700h0m0s \
 --enable-garbage-collector=true \
 --root-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
 --service-account-private-key-file=/apps/kubernetes/ssl/k8s/k8s-ca-key.pem \
 --feature-gates=RotateKubeletServerCertificate=true,RotateKubeletClientCertificate=true \
 --controllers=*,bootstrapsigner,tokencleaner \
 --horizontal-pod-autoscaler-use-rest-clients=true \
 --horizontal-pod-autoscaler-sync-period=10s \
 --flex-volume-plugin-dir=/apps/kubernetes/kubelet-plugins/volume \
 --tls-cert-file=/apps/kubernetes/ssl/k8s/k8s_controller_manager.pem \
 --tls-private-key-file=/apps/kubernetes/ssl/k8s/k8s_controller_manager-key.pem \
 --kube-api-qps=100 \
 --kube-api-burst=100 \
 --log-dir=/apps/kubernetes/log \
 --v=2"
 # 创建启动文件kube-controller-manager
 vi /usr/lib/systemd/system/kube-controller-manager.service
 [Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
LimitNOFILE=1024000
LimitNPROC=1024000
LimitCORE=infinity
LimitMEMLOCK=infinity
EnvironmentFile=-/apps/kubernetes/conf/kube-controller-manager
ExecStart=/apps/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5
User=k8s
[Install]
WantedBy=multi-user.target
# 给新创建文件 k8s 用户权限
chown -R k8s.k8s /apps/kubernetes
# 启动kube-controller-manager
systemctl start kube-controller-manager
# 设置开机启动
systemctl enable kube-controller-manager
# 验证状态
[root@]~]#kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok
controller-manager   Healthy   ok
etcd-0               Healthy   {"health":"true"}
# 配置 kube-controller-manager，kubelet 、kube-scheduler 访问kube-api 用户授权
授予 kubernetes API 的权限
kubectl create clusterrolebinding controller-node-clusterrolebing --clusterrole=system:kube-controller-manager  --user=system:kube-controller-manager
kubectl create clusterrolebinding scheduler-node-clusterrolebing  --clusterrole=system:kube-scheduler --user=system:kube-scheduler
kubectl create clusterrolebinding controller-manager:system:auth-delegator --user system:kube-controller-manager --clusterrole system:auth-delegator
授予 kubernetes 证书访问 kubelet API 的权限
kubectl create clusterrolebinding --user system:serviceaccount:kube-system:default kube-system-cluster-admin --clusterrole cluster-admin
kubectl create clusterrolebinding kubelet-node-clusterbinding --clusterrole=system:node --group=system:nodes
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

docker 部署

# 远程服务器节点操作
# 使用阿里源
cat > /etc/yum.repos.d/docker-ce.repo << EOF
[docker-ce-stable]
name=Docker CE Stable - \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/\$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-\$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-edge]
name=Docker CE Edge - \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/\$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-edge-debuginfo]
name=Docker CE Edge - Debuginfo \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-\$basearch/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-edge-source]
name=Docker CE Edge - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/edge
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-test]
name=Docker CE Test - \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/\$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-\$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-nightly]
name=Docker CE Nightly - \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/\$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo \$basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/debug-\$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
 
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
EOF
# 安装docker依赖
yum install -y    python-pip python-devel yum-utils device-mapper-persistent-data lvm2 
# 安装docker
yum install -y docker-ce
# 修改docker 启动配置
vi /lib/systemd/system/docker.service
ExecStart= 修改成
ExecStart=/usr/bin/dockerd -H fd:// --graph /apps/docker -H unix:///var/run/docker.sock  --max-concurrent-downloads=20 --log-opt max-size=200M --log-opt max-file=10 --default-ulimit nofile=1024000 --default-ulimit nproc=1024000
# reload service 配置
systemctl daemon-reload
# 重启docker
systemctl restart docker
# 设置开机启动
systemctl enable docker

安装kubelet 依赖

# 远程服务器节点操作
cni 插件安装
mkdir -p /apps/cni/bin
cd  /apps/cni/bin
wget https://github.com/containernetworking/plugins/releases/download/v0.8.2/cni-plugins-linux-amd64-v0.8.2.tgz
tar -xvf cni-plugins-linux-amd64-v0.8.2.tgz
rm -f cni-plugins-linux-amd64-v0.8.2.tgz
# 创建/etc/cni/net.d 目录
mkdir -p /etc/cni/net.d
vi  /etc/cni/net.d/10-kuberouter.conflist
{
   "cniVersion":"0.3.0",
   "name":"mynet",
   "plugins":[
      {
         "name":"kubernetes",
         "type":"bridge",
         "bridge":"kube-bridge",
         "isDefaultGateway":true,
         "ipam":{
            "type":"host-local"
         }
      },
      {
         "type":"portmap",
         "capabilities":{
            "snat":true,
            "portMappings":true
         }
      }
   ]
}
 
# lxcfs 安装
yum install -y git automake libtool fuse-devel
git clone git://github.com/lxc/lxcfs 
cd lxcfs/
./bootstrap.sh
./configure
make
make install 
# 创建目录
mkdir -p /var/lib/lxcfs/
# 配置 lxcfs 启动文件
vi /usr/lib/systemd/system/lxcfs.service
[Unit]
Description=FUSE filesystem for LXC
ConditionVirtualization=!container
Before=lxc.service
Documentation=man:lxcfs(1)
[Service]
ExecStart=/usr/local/bin/lxcfs /var/lib/lxcfs/
KillMode=process
Restart=on-failure
ExecStopPost=-/bin/fusermount -u /var/lib/lxcfs
Delegate=yes
[Install]
WantedBy=multi-user.target
# 启动lxcfs
systemctl start lxcfs 
# 设置开机启动
systemctl enable lxcfs
# 安装 kubelet 依赖
yum install -y  epel-release
yum install -y   yum-utils  ipvsadm  telnet  wget  net-tools  conntrack  ipset  jq  iptables  curl  sysstat  libseccomp  socat  nfs-utils  fuse  fuse-devel 

kubelet 部署

# win on Ubuntu  操作
# 生成 bootstrap Token
# Bootstrap Token 生成
echo "$(head -c 6 /dev/urandom | md5sum | head -c 6)"."$(head -c 16 /dev/urandom | md5sum | head -c 16)"
9dad00.2ac445bf1cc5e9c2
vi bootstrap.secret.yaml
apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-9dad00
  namespace: kube-system
 
# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubelet '."
 
  # Token ID and secret. Required.
  token-id: 9dad00
  token-secret: 2ac445bf1cc5e9c2
 
  # Allowed usages.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
 
  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  auth-extra-groups: system:bootstrappers:worker,system:bootstrappers:ingress
### 创建k8s资源
kubectl create -f bootstrap.secret.yaml
### 创建bootstrap.clusterrole.yaml
vi bootstrap.clusterrole.yaml
# A ClusterRole which instructs the CSR approver to approve a node requesting a
# serving cert matching its client cert.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
 
kubectl create -f bootstrap.clusterrole.yaml
### 创建 apiserver-to-kubelet.yaml
vi apiserver-to-kubelet.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:kubernetes-to-kubelet
rules:
  - apiGroups:
      - ""
    resources:
      - nodes/proxy
      - nodes/stats
      - nodes/log
      - nodes/spec
      - nodes/metrics
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:kubernetes
  namespace: ""
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:kubernetes-to-kubelet
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubernetes
kubectl create -f apiserver-to-kubelet.yaml
### 查看创建的token
kubeadm token list
# 允许 system:bootstrappers 组用户创建 CSR 请求
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
# 自动批准 system:bootstrappers 组用户 TLS bootstrapping 首次申请证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers
# 自动批准 system:nodes 组用户更新 kubelet 自身与 apiserver 通讯证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
 
# 自动批准 system:nodes 组用户更新 kubelet 10250 api 端口证书的 CSR 请求
kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver --group=system:nodes
# 创建bootstrap.kubeconfig
# 设置集群参数
kubectl config set-cluster kubernetes \
  --certificate-authority=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials system:bootstrap:9dad00 \
  --token=9dad00.2ac445bf1cc5e9c2 \
  --kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
kubectl config set-context default \
  --cluster=kubernetes \
  --user=system:bootstrap:9dad00 \
  --kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
# 分发 bootstrap.kubeconfig 到远程节点
scp bootstrap.kubeconfig 192.168.30.32:/apps/kubernetes/conf
# 创建kubelet 启动配置文件 远程节点 操作
cd /apps/kubernetes/conf
vi  kubelet
KUBELET_OPTS="--bootstrap-kubeconfig=/apps/kubernetes/conf/bootstrap.kubeconfig \
              --fail-swap-on=false \
              --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/apps/cni/bin \
              --kubeconfig=/apps/kubernetes/conf/kubelet.kubeconfig \
              --address=192.168.30.32 \
              --node-ip=192.168.30.32 \
              --hostname-override=master \
              --cluster-dns=10.66.0.2 \
              --cluster-domain=cluster.local \
              --authorization-mode=Webhook \
              --authentication-token-webhook=true \
              --client-ca-file=/apps/kubernetes/ssl/k8s/k8s-ca.pem \
              --rotate-certificates=true \
              --cgroup-driver=cgroupfs \
              --healthz-port=10248 \
              --healthz-bind-address=192.168.30.32 \
              --cert-dir=/apps/kubernetes/ssl \
              --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true \
              --node-labels=node-role.kubernetes.io/k8s-node=true \
              --serialize-image-pulls=false \
              --enforce-node-allocatable=pods,kube-reserved,system-reserved \
              --pod-manifest-path=/apps/work/kubernetes/manifests \
              --runtime-cgroups=/systemd/system.slice/kubelet.service \
              --kube-reserved-cgroup=/systemd/system.slice/kubelet.service \
              --system-reserved-cgroup=/systemd/system.slice \
              --root-dir=/apps/work/kubernetes/kubelet \
              --log-dir=/apps/kubernetes/log \
              --alsologtostderr=true \
              --logtostderr=false \
              --anonymous-auth=true \
              --image-gc-high-threshold=70 \
              --image-gc-low-threshold=50 \
              --kube-reserved=cpu=500m,memory=512Mi,ephemeral-storage=1Gi \
              --system-reserved=cpu=1000m,memory=1024Mi,ephemeral-storage=1Gi \
              --eviction-hard=memory.available<500Mi,nodefs.available<10% \
              --serialize-image-pulls=false \
              --sync-frequency=30s \
              --resolv-conf=/etc/resolv.conf \
              --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \
              --image-pull-progress-deadline=30s \
              --v=2 \
              --event-burst=30 \
              --event-qps=15 \
              --kube-api-burst=30 \
              --kube-api-qps=15 \
              --max-pods=200 \
              --pods-per-core=10 \
              --read-only-port=0 \
              --allowed-unsafe-sysctls 'kernel.msg*,kernel.shm*,kernel.sem,fs.mqueue.*,net.*' \
              --volume-plugin-dir=/apps/kubernetes/kubelet-plugins/volume"
# 创建 kubelet 服务文件
vi /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service
[Service]
LimitNOFILE=1024000
LimitNPROC=1024000
LimitCORE=infinity
LimitMEMLOCK=infinity
EnvironmentFile=-/apps/kubernetes/conf/kubelet
ExecStart=/apps/kubernetes/bin/kubelet $KUBELET_OPTS
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
# 启动 kubelet
systemctl start kubelet 
# 设置开机启动
systemctl enable kubelet
#查看证书是否签发
cd /apps/kubernetes/ssl/
[root@master ssl]# ll
total 12
drwxr-xr-x 2 k8s k8s   75 Jul  4 15:06 etcd
drwxr-xr-x 2 k8s k8s  310 Sep  3 11:18 k8s
-rw------- 1 k8s k8s 1277 Sep  3 10:25 kubelet-client-2019-09-03-10-25-10.pem
lrwxrwxrwx 1 k8s k8s   59 Sep  3 10:25 kubelet-client-current.pem -> /apps/kubernetes/ssl/kubelet-client-2019-09-03-10-25-10.pem
-rw-r--r-- 1 k8s k8s 2153 Sep  3 10:25 kubelet.crt
-rw------- 1 k8s k8s 1675 Sep  3 10:25 kubelet.key
# 查看节点是否正常
kubectl get node
[root@]~]#kubectl get node
NAME     STATUS   ROLES      AGE   VERSION
master   Ready    k8s-node   27h   v1.15.3