K8s Cluster Study Notes (Part 1)

1. Create five machines with Vagrant

# node host plan
10.4.7.11 master-11
10.4.7.12 master-12
10.4.7.21 worker-21
10.4.7.22 worker-22
10.4.7.200 tool-200
# shell variables for the addresses (hyphens are not valid in shell variable names, so underscores are used)
master_11='10.4.7.11'
master_12='10.4.7.12'
worker_21='10.4.7.21'
worker_22='10.4.7.22'

If no adapter shows up under 'Control Panel > Network and Internet > Network Connections', uninstall and reinstall VirtualBox and make sure the host-only driver is selected during installation.
Important: if vagrant fails to create the private network, uninstall and reinstall VirtualBox and select the network driver during installation.

1.1 Environment initialization

Run the initialization in several xshell windows in parallel so that all machines are set up at once.

#!/bin/bash
### 0 make sure the script runs as root (re-exec itself through sudo if it does not)
if [[ $EUID -ne 0 ]]; then
  echo "re-running as root"
  exec sudo bash "$0" "$@"
fi
id

### 1. Environment initialization
# 1.1 disable the firewall
systemctl stop firewalld
systemctl disable firewalld
# 1.2 disable selinux
sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
setenforce 0
# 1.3 turn off swap, also in fstab so it stays off after a reboot
swapoff -a
sed -i.bak '/swap/s/^/#/' /etc/fstab
# 1.4 host plan (appended only once; the "node hosts" marker is the guard)
result=$(grep "node hosts" /etc/hosts)
if [[ "$result" != "" ]]; then
    echo
else
    cat <<EOF >>  /etc/hosts
# node hosts
10.4.7.11 master-11
10.4.7.12 master-12
10.4.7.21 worker-21
10.4.7.22 worker-22
10.4.7.200 tool-200

# fallback for raw.githubusercontent.com timeouts
199.232.68.133 raw.githubusercontent.com
EOF
fi
# 1.5 temporary hostname; handled by vagrant here, otherwise: hostnamectl set-hostname master1
# 1.6 time sync: ntp or chrony
timedatectl set-timezone Asia/Shanghai
yum install chrony -y
cat <<EOF >  /etc/chrony.conf
server ntp1.aliyun.com iburst minpoll 4 maxpoll 10
server ntp2.aliyun.com iburst minpoll 4 maxpoll 10
server ntp3.aliyun.com iburst minpoll 4 maxpoll 10
EOF
systemctl start chronyd.service
systemctl enable chronyd.service
# 1.7 forwarding: make bridged traffic visible to iptables (kube-proxy relies on this) and enable IP forwarding.
# br_netfilter must be loaded first; without it the bridge-nf sysctls do not exist and sysctl -p fails.
modprobe br_netfilter
cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf

### 2. Install docker
# 2.1 switch to mirror repositories
yum install -y yum-utils device-mapper-persistent-data lvm2 wget bash-completion
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/epel-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo "https://download.docker.com/linux/centos/docker-ce.repo"
sed -i 's+download.docker.com+mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# 2.2 install docker, kubelet, kubeadm, kubectl
#yum remove docker docker-common docker-selinux docker-engine -y
yum clean all && yum makecache fast
yum install -y docker-ce kubelet kubeadm kubectl
# kubelet keeps restarting until kubeadm init/join gives it a configuration; enabling it now is enough
systemctl start kubelet
systemctl enable kubelet
# 2.3 docker cgroup driver (systemd, the same driver the kubelet uses)
mkdir -p /etc/docker
cat <<EOF > /etc/docker/daemon.json
{
    "graph": "/data/docker",
    "storage-driver": "overlay2",
    "registry-mirrors": ["https://kuogup1r.mirror.aliyuncs.com"],
    "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
## -b, --bridge=""    attach containers to an existing bridge device on the host; "none" disables container networking
## --bip=""    set the bridge IP with a CIDR address; cannot be combined with -b. Each host uses one segment 172.7.xx.1-255, the bridge address is .1
## "live-restore": true    keep containers running when dockerd goes down (avoids containers exiting because of a docker service failure)
systemctl daemon-reload
systemctl start docker
systemctl enable docker


echo ">> 完成!"

./core.sh
The initialization script can be run repeatedly.
The following steps are performed mainly on the operator host tool-200.

1.2 Passwordless SSH

yum install -y vim wget tree lrzsz sshpass

ssh-keygen -f /root/.ssh/id_rsa -N ""
# note: this disables host-key verification for every ssh connection from this host; acceptable only in a throwaway lab
result=$(grep "StrictHostKeyChecking no" /etc/ssh/ssh_config)
if [[ "$result" == "" ]]; then
    echo -e "\n\nStrictHostKeyChecking no" >> /etc/ssh/ssh_config
fi
for host in '10.4.7.11' '10.4.7.12' '10.4.7.21' '10.4.7.22'; do
    sshpass -p 'vagrant' ssh-copy-id -i /root/.ssh/id_rsa.pub root@$host
done

Passwordless login makes it convenient to run commands on the other hosts remotely.

2. Configure DNS

bind9 is the software used to run the DNS server.

yum install -y bind net-tools telnet nmap dos2unix sysstat
ssh root@10.4.7.11 'yum install -y bind bind-utils net-tools telnet nmap dos2unix sysstat'

2.1 bind9 configuration

Configuration changes

[10.4.7.11]# vi /etc/named.conf:
    listen-on port 53 { ${host}; }; //1. change to the internal IP (10.4.7.11 here; ${host} is a placeholder)
    allow-query     { any; }; //2. localhost -> any (with recursion on, this must never be reachable beyond the lab network)
    forwarders      { 10.4.7.253; };    //3. change to the actual gateway
    recursion yes; //4. recursion, keep yes
    dnssec-enable no; //5. yes -> no
    dnssec-validation no; //5. yes -> no

2.2 Add DNS hosts

Configured on the (single) DNS host only

[10.4.7.11]# vi /etc/named.rfc1912.zones
# custom zones, appended at the end
zone "host.com" IN {
    type master;
    file "host.com.zone";
    allow-update { 10.4.7.11; };
};

zone "od.com" IN {
    type master;
    file "od.com.zone";
    allow-update { 10.4.7.11; };
};
[10.4.7.11]# vi /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
        2020053001  ; serial (0->)
        3H          ; refresh (1D->3 hours)
        15M         ; retry (1H->15 minutes)
        1W          ; expire (1W->1 week, 604800)
        3H )        ; minimum
        NS dns.host.com.
$TTL 60 ; 1 minute
dns                  A   10.4.7.11
HDSS1-11             A   10.4.7.11
HDSS1-12             A   10.4.7.12
HDSS1-21             A   10.4.7.21
HDSS1-22             A   10.4.7.22
HDSS1-200            A   10.4.7.200
[10.4.7.11]# vi /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.od.com. dnsadmin.od.com. (
        2020053001  ; serial (0->) ; bump on every later edit, e.g. 2020053002
        3H          ; refresh (1D->3 hours)
        15M         ; retry (1H->15 minutes)
        1W          ; expire (1W->1 week, 604800)
        3H )        ; minimum
        NS dns.od.com.
$TTL 60 ; 1 minute
dns                  A   10.4.7.11
harbor               A   10.4.7.200 ; added later
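The SOA serial is the one field the notes say to change on every later edit (2020053001 to 2020053002): secondaries decide whether to transfer a zone by comparing serials, and the YYYYMMDDnn convention also records when the zone last changed. The helper below is an added example, not part of the original notes: it reads the number from the "; serial" line, computes the next serial for a given date, and rewrites the zone file in place. It assumes POSIX sh with awk, date and mktemp; the zone file path and (optionally) the date are arguments, and the file layout is the one of the two zone files above.

```shell
#!/bin/sh
# Added example (not part of the original notes): bump the SOA serial of a
# BIND zone file using the YYYYMMDDnn convention from the notes.
# Assumes POSIX sh with awk, date and mktemp; the zone file path is an argument.

# next_serial CURRENT TODAY -> the next serial.
# If CURRENT already carries TODAY's date the two-digit counter goes up by one;
# if the stored serial is ahead of today (clock skew, or 99 edits in a day) it
# still only goes up by one, because a serial that moves backwards is ignored
# by secondaries; otherwise start today's counter at 01.
next_serial() {
    cur="$1"; today="$2"
    case "$cur" in
        "$today"[0-9][0-9]) echo $((cur + 1)) ;;
        *) if [ "$cur" -ge "${today}01" ]; then echo $((cur + 1)); else echo "${today}01"; fi ;;
    esac
}

# zone_serial FILE -> the number on the "; serial" line (empty if there is none)
zone_serial() {
    awk '/; *serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# bump_zone_serial FILE [TODAY] -> rewrite the serial in place and print the new value.
# TODAY defaults to the real date; it is a parameter so the function can be tested.
bump_zone_serial() {
    file="$1"; today="${2:-$(date +%Y%m%d)}"
    cur=$(zone_serial "$file")
    if [ -z "$cur" ]; then
        echo "$file: no '; serial' line found" >&2; return 1
    fi
    new=$(next_serial "$cur" "$today")
    tmp=$(mktemp)
    awk -v old="$cur" -v new="$new" '
        !done && /; *serial/ { sub(old, new); done = 1 }
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"    # cat, not mv: keeps the inode and mode named expects
    rm -f "$tmp"
    echo "$new"
}
```

After bumping, validate and reload as in section 2.4: `named-checkzone od.com /var/named/od.com.zone && rndc reload od.com`.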

2.3 Confirm hostnames and NIC settings

Confirm the DNS hostnames and put them into the Vagrantfile or the auto.sh boot script. PEERDNS controls whether the DNS servers handed out by DHCP are written into resolv.conf.

Hostnames
hostnamectl set-hostname hdss1-200
ssh root@10.4.7.11 'hostnamectl set-hostname hdss1-11'
ssh root@10.4.7.21 'hostnamectl set-hostname hdss1-21'
ssh root@10.4.7.12 'hostnamectl set-hostname hdss1-12'
ssh root@10.4.7.22 'hostnamectl set-hostname hdss1-22'
NIC DNS settings
sed -i 's/PEERDNS=no/PEERDNS=yes/' /etc/sysconfig/network-scripts/ifcfg-eth1
echo 'DNS1=10.4.7.11' >> /etc/sysconfig/network-scripts/ifcfg-eth1
systemctl restart network
echo 'search host.com' >> /etc/resolv.conf
for host in '10.4.7.11' '10.4.7.12' '10.4.7.21' '10.4.7.22'; do
    ssh root@$host "sed -i 's/PEERDNS=no/PEERDNS=yes/' /etc/sysconfig/network-scripts/ifcfg-eth1"
    ssh root@$host "echo 'DNS1=10.4.7.11' >> /etc/sysconfig/network-scripts/ifcfg-eth1"
    ssh root@$host "systemctl restart network"
    ssh root@$host "echo 'search host.com' >> /etc/resolv.conf"
done
Keeping the settings across power off/on

Hostname: set it in the Vagrantfile so that it stays fixed across vagrant reload; a suspend/resume does not change it either way.
NIC settings

# run at boot: vagrant reload resets the network configuration
vim auto.sh:
#!/bin/bash
# disable the extra NIC
#sed -i 's/ONBOOT="yes"/ONBOOT="no"/' /etc/sysconfig/network-scripts/ifcfg-eth0
#ifdown ifcfg-eth0
# use the DNS host (grep guard, so the line is not appended again on every boot)
grep -q 'DNS1=10.4.7.11' /etc/sysconfig/network-scripts/ifcfg-eth1 || echo 'DNS1=10.4.7.11' >> /etc/sysconfig/network-scripts/ifcfg-eth1
# short names
grep -q 'search host.com' /etc/resolv.conf || echo 'search host.com' >> /etc/resolv.conf
--
chmod +x auto.sh
grep -q '/root/auto.sh' /etc/rc.d/rc.local || echo '/root/auto.sh' >> /etc/rc.d/rc.local && chmod +x /etc/rc.d/rc.local
for host in '10.4.7.11' '10.4.7.12' '10.4.7.21' '10.4.7.22'; do
    scp /root/auto.sh root@$host:/root  # the destination directory is given explicitly, so the file is overwritten
    ssh root@$host "grep -q '/root/auto.sh' /etc/rc.d/rc.local || echo '/root/auto.sh' >> /etc/rc.d/rc.local && chmod +x /etc/rc.d/rc.local"
done
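Every `echo ... >>` in auto.sh and in the rc.local lines runs again on each boot, so without a guard the ifcfg and resolv.conf files gain one duplicate line per reboot, and the `sed 's/PEERDNS=no/PEERDNS=yes/'` step does nothing when the key is missing altogether. The helpers below are an added example, not from the original notes, that generalize the grep guards into reusable functions: `ensure_line` appends a line only when an identical line is absent, and `set_kv` replaces an existing KEY=value line or appends one. They assume POSIX sh with grep, awk and mktemp; the file paths are arguments, so the same code runs against the real ifcfg-eth1 and resolv.conf or against a scratch copy.

```shell
#!/bin/sh
# Added example (not part of the original notes): idempotent config edits
# for the auto.sh boot script. Assumes POSIX sh with grep, awk and mktemp;
# all file paths are arguments.

# ensure_line FILE LINE -- append LINE unless an identical line already exists
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    # -x whole-line match, -F fixed string: dots and slashes are not regex here
    grep -qxF -e "$line" -- "$file" || printf '%s\n' "$line" >> "$file"
}

# set_kv FILE KEY VALUE -- rewrite the first KEY=... line, drop later duplicates,
# or append KEY=VALUE when there is none (the PEERDNS=no -> yes change, but it
# also works when the key is missing or already has the wanted value)
set_kv() {
    file="$1"; key="$2"; value="$3"
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the original inode and mode
    rm -f "$tmp"
}

# count_line FILE LINE -- number of exact copies of LINE in FILE (0 if missing)
count_line() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -e "$2" -- "$1" || true
}

# configure_dns IFCFG RESOLV -- the auto.sh body, safe to run on every boot
configure_dns() {
    set_kv "$1" PEERDNS yes
    set_kv "$1" DNS1 10.4.7.11
    ensure_line "$2" 'search host.com'
}

# Constructed demo input; on a real node pass
# /etc/sysconfig/network-scripts/ifcfg-eth1 and /etc/resolv.conf instead.
demo() {
    dir=$(mktemp -d)
    printf 'PEERDNS=no\nONBOOT=yes\n' > "$dir/ifcfg-eth1"
    : > "$dir/resolv.conf"
    configure_dns "$dir/ifcfg-eth1" "$dir/resolv.conf"
    configure_dns "$dir/ifcfg-eth1" "$dir/resolv.conf"   # "second boot": no duplicates
    cat "$dir/ifcfg-eth1" "$dir/resolv.conf"
    rm -rf "$dir"
}
```

Running `demo` prints PEERDNS=yes, ONBOOT=yes, DNS1=10.4.7.11 and search host.com exactly once each, however many times `configure_dns` has run.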

2.4 Domain name test inside the VMs

[10.4.7.11]#
systemctl start named && systemctl enable named
# check the zone configuration
named-checkzone od.com /var/named/od.com.zone  #ok
dig -t A hdss1-200.host.com @10.4.7.11 +short
10.4.7.200
dig -t A hdss1-200.host.com +short
10.4.7.200
Dual-NIC DNS conflict: if the result differs from the one shown above
/etc/sysconfig/network-scripts/ifcfg-eth0 # default DHCP NIC, internet access through the host
/etc/sysconfig/network-scripts/ifcfg-eth1 # custom NIC
Add the PERSISTENT_DHCLIENT parameter to the interface config file; with it dhclient keeps requesting a new lease instead of exiting when a renewal fails.
for host in '10.4.7.12' '10.4.7.21' '10.4.7.22'; do
    ssh root@$host 'ifdown ifcfg-eth0'
    ssh root@$host 'ifup ifcfg-eth0'
done
ping hdss1-12.host.com
ping harbor.od.com
# after ifdown|ifup, name resolution inside the VMs works (from 200: ping hdss1-12 | ping hdss1-12.host.com)

2.5 Windows 10 host: host settings

Windows 10 host: VirtualBox Host-Only Ethernet Adapter #7
Add DNS server 10.4.7.11 to the adapter with address 10.4.7.1

ping hdss1-11.host.com | ping dns.od.com succeed

3. Issue certificates

HTTPS is the norm today, so certificates are a must.
Certificate: .cer, .crt
Private key: .key
Certificate signing request: .csr
pem and der are just encodings.

Types: client (issued to clients), server (issued to servers), peer (both directions, mutual)
Base files: CA (ca-config.json, ca-csr.json)
Application files: client (client.json), peer (peer.json)

# install the cfssl certificate tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

3.1 Create the CA certificate

# directory where the certificates for all machines are kept
mkdir -p /opt/certs && cd /opt/certs
Base configuration
[the JSON layout is fixed]
# CA config files: ca-config.json (signing profiles and key usages), ca-csr.json (subject attributes and key algorithm)
cat > ca-config.json << EOF
 {
     "signing": {
         "default": {
             "expiry": "175200h"
         },
         "profiles": {
             "server": {
                 "expiry": "175200h",
                 "usages": [
                     "signing",
                     "key encipherment",
                     "server auth"
                 ]
             },
             "client": {
                 "expiry": "175200h",
                 "usages": [
                     "signing",
                     "key encipherment",
                     "client auth"
                 ]
             },
             "peer": {
                 "expiry": "175200h",
                 "usages": [
                     "signing",
                     "key encipherment",
                     "server auth",
                     "client auth"
                 ]
             }
         }
     }
 }
EOF
cat > ca-csr.json << EOF
{
    "CN": "China Learn",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [{
        "C": "CN",
        "ST": "ZJ",
        "L": "HangZhou",
        "O": "k8s",
        "OU": "System"
    }],
    "ca": {
        "expiry": "175200h"
    }
}
EOF
Generate the certificate files
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
-rw-r--r--. 1 root root  997 Jun  1 09:02 ca.csr       # signing request
-rw-r--r--. 1 root root  201 Jun  1 09:01 ca-csr.json  # config file
-rw-r--r--. 1 root root 1675 Jun  1 09:02 ca-key.pem   # CA private key; it is world-readable here, chmod 600 it
-rw-r--r--. 1 root root 1350 Jun  1 09:02 ca.pem       # CA certificate (public key)

3.2 client certificate

Algorithm parameters for profiles.client; hosts is omitted (a server certificate needs it).
Typical key choices: rsa-2048 or ecdsa-256.

Configuration
cat > client.json <<EOF
{
    "CN": "client",
    "key": {
        "algo": "ecdsa",
        "size": 256
    }
}
EOF
Generate the certificate files

Here the client certificate is signed by the CA, using the -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json parameters

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
-rw-r--r--. 1 root root  351 May 30 21:28 client.csr
-rw-r--r--. 1 root root   95 May 30 21:27 client.json           # config file
-rw-------. 1 root root  227 May 30 21:28 client-key.pem        # private key
-rw-r--r--. 1 root root  985 May 30 21:28 client.pem            # certificate

3.3 server certificate

profiles.server uses the same algorithm parameters as client, plus a hosts field.
Skipped here; a peer certificate can be used instead.

3.4 peer (mutual) certificate

Algorithm parameters for profiles.peer

Configuration
cat > etcd-peer-csr.json <<EOF
{
    "CN": "k8s-etcd-peer",
    "hosts": [
        "127.0.0.1",
        "10.4.7.11",
        "10.4.7.12",
        "10.4.7.21",
        "10.4.7.22",
        "10.4.7.200"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [{
        "C": "CN",
        "ST": "ZJ",
        "L": "HangZhou",
        "O": "k8s",
        "OU": "System"
    }]
}
EOF
Generate the certificate files

Here the peer certificate is signed by the CA, using the -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json parameters

# `note: keep the key algorithm consistent; the CA uses ecdsa, so use ecdsa here too`
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssljson -bare etcd-peer
-rw-r--r--. 1 root root  538 Jun  1 11:35 etcd-peer.csr
-rw-r--r--. 1 root root  244 Jun  1 11:35 etcd-peer-csr.json    # config file
-rw-r--r--. 1 root root  227 Jun  1 11:35 etcd-peer-key.pem     # private key
-rw-r--r--. 1 root root 1164 Jun  1 11:35 etcd-peer.pem         # certificate
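Before a certificate is handed to a service it is worth checking what cfssl actually put into it: the profile decides the Extended Key Usage and the hosts list decides the SANs, and neither mistake shows up until a TLS peer rejects the certificate. The script below is an added example, not from the original notes and not part of cfssl: it checks that a certificate chains to ca.pem, that its EKU covers what the profile it was issued under promises (server, client or peer as defined in ca-config.json above), and that every expected address is in the SAN list. It assumes openssl is on PATH; the file names (ca.pem, etcd-peer.pem, client.pem) follow the notes but are passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the original notes): sanity-check a cfssl-issued
# certificate against the profile it was issued under.
# Assumes openssl is on PATH; all file names are arguments.

# Print the line that follows a given X509v3 extension header in
# `openssl x509 -text` output, with a trailing comma so that callers can match
# whole SAN entries ("IP Address:10.4.7.1," cannot match "10.4.7.11,").
cert_ext_line() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk -v hdr="$2" 'index($0, hdr) { getline; print $0 ","; exit }'
}

# cert_has_eku CERT "TLS Web Server Authentication" -> 0 if the EKU is present
cert_has_eku() {
    cert_ext_line "$1" "X509v3 Extended Key Usage" | grep -qF -- "$2"
}

# cert_has_san CERT HOST -> 0 if HOST (IP address or DNS name) is a SAN entry
cert_has_san() {
    case "$2" in
        *[!0-9.]*) entry="DNS:$2," ;;          # anything that is not only digits and dots
        *)         entry="IP Address:$2," ;;
    esac
    cert_ext_line "$1" "X509v3 Subject Alternative Name" | grep -qF -- "$entry"
}

# check_cert CA CERT PROFILE [HOST...] -> 0 only if chain, EKU and SANs all pass.
# PROFILE is the ca-config.json profile the certificate was issued under.
check_cert() {
    ca="$1"; cert="$2"; profile="$3"; shift 3
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not chain to $ca"; return 1
    fi
    case "$profile" in
        server) want="server" ;;
        client) want="client" ;;
        peer)   want="server client" ;;
        *) echo "unknown profile: $profile"; return 2 ;;
    esac
    for w in $want; do
        case "$w" in
            server) eku="TLS Web Server Authentication" ;;
            client) eku="TLS Web Client Authentication" ;;
        esac
        if ! cert_has_eku "$cert" "$eku"; then
            echo "$cert: missing EKU '$eku' required by profile $profile"; return 1
        fi
    done
    for h in "$@"; do
        if ! cert_has_san "$cert" "$h"; then
            echo "$cert: $h is not in the SAN list"; return 1
        fi
    done
    echo "$cert: ok ($profile)"
}
```

Usage on the files from this section: `check_cert /opt/certs/ca.pem /opt/certs/etcd-peer.pem peer 127.0.0.1 10.4.7.11 10.4.7.12 10.4.7.21 10.4.7.22 10.4.7.200`. Checking client.pem against the server profile fails, because the client profile only grants client auth; that is the case of pointing a TLS server such as harbor.yml at client.pem.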

4. Update the docker configuration

In effect this gives each host a fixed gateway on its own virtual bridge, so the cluster has a fixed address range and applications in containers on different hosts can reach each other.

Update the docker0 bridge configuration. Edit the config file:

vim /etc/docker/daemon.json:
{
    "graph": "/data/docker",
    "storage-driver": "overlay2",
    "registry-mirrors": ["https://kuogup1r.mirror.aliyuncs.com"],
    "insecure-registries": ["registry.access.redhat.com", "quay.io", "harbor.od.com"],
    "bip": "172.7.200.1/24",
    "exec-opts": ["native.cgroupdriver=systemd"],
    "live-restore": true
}
--
# change the bip/-b network parameter: each host uses one segment 172.7.xx.1-255, the gateway address is .1
# insecure-registries: docker skips TLS certificate verification for these hosts; keep the list to the lab
for host in '11' '12' '21' '22'; do
    scp /etc/docker/daemon.json root@10.4.7.$host:/etc/docker/daemon.json
    ssh root@10.4.7.$host "sed -i 's/172.7.200.1/172.7.$host.1/' /etc/docker/daemon.json"
    ssh root@10.4.7.$host "systemctl daemon-reload && systemctl restart docker"
done
systemctl daemon-reload && systemctl restart docker
The systemctl commands have to run on every host (done in the loop above) as well as on tool-200 itself.

If a configuration conflict leaves the host without network access, take the docker bridge down and up again:

ifconfig docker0 down && ifconfig docker0 up

5. Set up a Harbor private registry [2.0.0-RC3]

Harbor is an enterprise-grade registry server for storing and distributing Docker images.

5.1 Configuration and installation

wget -O harbor-v2.0.0.tgz 'https://storage.googleapis.com/harbor-releases/release-2.0.0/harbor-offline-installer-v2.0.0.tgz' # too slow
wget -O harbor-v2.0.0.tgz 'https://codeload.github.com/goharbor/harbor/tar.gz/v2.0.0-rc3'
tar xf harbor-v2.0.0.tgz -C /opt/
ln -s /opt/harbor-2.0.0-rc3 /opt/harbor
cd /opt/harbor/make
cp harbor.yml.tmpl harbor.yml
Configuration
vim harbor.yml:
hostname: harbor.od.com
http:
    port: 180 # for curl tests
https:
  port: 443 # listens on 443 directly, not through Nginx
  certificate: /opt/certs/client.pem    # note: this was issued under the "client" profile (client auth only) and has no harbor.od.com SAN; TLS clients that verify the certificate reject it, so issue a server- or peer-profile certificate with harbor.od.com in hosts for this
  private_key: /opt/certs/client-key.pem

database:
    password: root123 # default; change it
harbor_admin_password: Harbor12345 # default; change it after the first login
log:
    location: /data/harbor/logs
data_volume: /data/harbor/
Install dependencies
yum install docker-compose -y

5.2 Run the installer

As new versions are released, the install files need adjusting.

./install.sh
#ERROR: manifest for goharbor/harbor-log:v2.0.0-build.3458 not found: manifest unknown: manifest unknown
vim install.sh      # find the prepare step and add a replacement to the previous version's component tags
#grep -rn 'v2.0.0-build.3458' .. , change build.3458 to rc2 everywhere
Replacing the tags directly does not work, because the config file is regenerated while the script runs, so edit install.sh and prepare:
find the line ./prepare $prepare_para and add after it
sed -i 's/build.3458/rc2/g' docker-compose.yml # second time: sed -i 's/v2.1.0-build.3493/v2.0.0-rc2/g'
If pulling from the image source fails, bug fix:

1. Check that the external network is reachable;
2. Check whether the rc3 components exist on hub.docker.com; at the time, the newest files there were the rc2 versions.

5.3 Configure Nginx and test UI access

yum install nginx -y
vim /etc/nginx/conf.d/harbor.od.com.conf
server {
    server_name harbor.od.com;
    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
systemctl start nginx && systemctl enable nginx
curl harbor.od.com # 308 permanent redirect (to https)

Open in a browser: https://harbor.od.com

admin Harbor12345
# create a new project named public

5.4 Test pushing an image

docker pull openresty/openresty
docker tag openresty/openresty harbor.od.com/public/nginx:1.15.8
docker login harbor.od.com # admin Harbor12345
docker push harbor.od.com/public/nginx:1.15.8

The private registry is now set up.
