k8s-base03


自签Etcd SSL证书

配置主机名

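# Register the three cluster nodes in /etc/hosts so they can resolve each
# other by name without DNS. Must run as root (writes /etc/hosts) on every node.
# A bare `cat >> /etc/hosts` appends a duplicate entry each time it is re-run,
# so each mapping is only added when no "<ip> <name>" line exists yet.
# The heredoc delimiter is quoted: the body is literal, nothing is expanded.
while read -r node_ip node_name; do
  [ -n "${node_ip}" ] || continue
  # Field-based match (awk) rather than a regex, so dots in the IP are literal
  # and "172.17.70.2511" does not count as a hit for "172.17.70.251".
  if ! awk -v ip="${node_ip}" -v name="${node_name}" \
        '$1 == ip && $2 == name { found = 1 } END { exit !found }' /etc/hosts; then
    printf '%s %s\n' "${node_ip}" "${node_name}" >> /etc/hosts
  fi
done <<'EOF'
172.17.70.251 k8s-master1
172.17.70.253 k8s-node1
172.17.70.254 k8s-node2
EOF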

生成ca证书

# Unpack the TLS tooling bundle and install the cfssl binaries.
# cfssl.sh itself is not shown on this page; judging by the ls that follows, it
# places cfssl, cfssl-certinfo and cfssljson into /usr/local/bin. These tools
# mint the CA that the whole etcd cluster trusts, so verify the checksum or
# signature of TLS.tar.gz / the cfssl binaries against the upstream release
# before running this -- TODO confirm where this bundle came from.
[root@k8s-master opt]# tar -zxvf TLS.tar.gz
[root@k8s-master opt]# cd TLS
[root@k8s-master TLS]# sh cfssl.sh
[root@k8s-master TLS]# ls /usr/local/bin/
cfssl cfssl-certinfo cfssljson
# Create the self-signed CA. ca-csr.json (from the TLS bundle) supplies the CA subject.
[root@k8s-master etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
[root@k8s-master etcd]# ls -l *.pem
-rw------- 1 root root 1675 Nov 6 08:40 ca-key.pem # CA private key: the trust root of the cluster. Keep it 0600 and root-owned on this host only; the copy step later correctly ships only ca.pem, never this file.
-rw-r--r-- 1 root root 1265 Nov 6 08:40 ca.pem # CA certificate. Together with ca-key.pem this is what signs the etcd server certificate below.

生成 etcd 证书

# Trusted etcd addresses: every address that clients and peers will use to reach
# an etcd member must be listed in "hosts" (it becomes the certificate's SAN list).
# The critical part is that every etcd node IP is present; a member whose IP is
# missing will not pass TLS verification when peers or clients connect to it.
# NOTE(review): only IPs are listed. If anything will ever connect over https by
# hostname (k8s-master1 etc.) or to 127.0.0.1, add those entries as well. The
# unit file below exposes 127.0.0.1 only over plain http, so that listener does
# not need a SAN.

[root@k8s-master1 etcd]# vim server-csr.json

{
"CN": "etcd",
"hosts": [
"172.17.70.251",
"172.17.70.253",
"172.17.70.254"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
# Ask the CA to sign the etcd certificate. ca-config.json (not shown on this page)
# defines the "www" profile; its key usages and expiry apply to server.pem.
# Check that the profile's expiry is acceptable and that it carries both
# "server auth" and "client auth" usages -- the unit file below uses this single
# certificate as server cert, peer cert and (via etcdctl) client cert.
[root@k8s-master1 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
[root@k8s-master1 etcd]# ls -l
total 40
-rw-r--r-- 1 root root 287 Oct 3 13:12 ca-config.json
-rw-r--r-- 1 root root 956 Nov 12 11:05 ca.csr
-rw-r--r-- 1 root root 209 Oct 3 13:12 ca-csr.json
-rw------- 1 root root 1675 Nov 12 11:05 ca-key.pem
-rw-r--r-- 1 root root 1265 Nov 12 11:05 ca.pem
-rwxr-xr-x 1 root root 178 Oct 3 13:58 generate_etcd_cert.sh
-rw-r--r-- 1 root root 1013 Nov 12 11:10 server.csr
-rw-r--r-- 1 root root 306 Nov 12 11:10 server-csr.json
-rw------- 1 root root 1679 Nov 12 11:10 server-key.pem # used by etcd (private key: keep 0600, root only)
-rw-r--r-- 1 root root 1338 Nov 12 11:10 server.pem # used by etcd (certificate)
```

## 部署 etcd 节点

```shell
# Environment: each of the three hosts runs one etcd member.
# (The first host is called k8s-master here; /etc/hosts above registers it as k8s-master1.)
172.17.70.251 k8s-master etcd
172.17.70.253 k8s-node1 etcd
172.17.70.254 k8s-node2 etcd

下载解压和配置

# Unpack the etcd release and lay out /opt/etcd/{cfg,bin,ssl}.
# Supply-chain check: compare the tarball's SHA256 with the checksum published for
# the etcd release before unpacking -- these binaries hold the cluster state store.
# chown to root so nothing from the archive keeps a build user's uid/gid.
# (mkdir is given -p twice; the second one is redundant but harmless.)
[root@k8s-master1 src]# tar -zxvf etcd-v3.2.28-linux-amd64.tar.gz 
[root@k8s-master1 src]# chown -R root:root etcd-v3.2.28-linux-amd64
[root@k8s-master1 src]# mkdir -p /opt/etcd/{cfg,bin,ssl} -p
[root@k8s-master1 src]# cd etcd-v3.2.28-linux-amd64
[root@k8s-master1 etcd-v3.2.28-linux-amd64]# mv etcd etcdctl /opt/etcd/bin/
# Copy only what an etcd member needs: the CA *certificate* (to verify peers and
# clients), plus its own server cert and key. ca-key.pem stays on the signing host.
# cp gives the new files the source modes, so server-key.pem should stay 0600 --
# the ls below confirms it.
[root@k8s-master1 cfg]# cd /opt/etcd/ssl/
[root@k8s-master1 ssl]# cp /opt/TLS/etcd/{ca,server-key,server}.pem .

[root@k8s-master1 ssl]# ls -l
total 12
-rw-r--r-- 1 root root 1265 Nov 12 11:43 ca.pem
-rw------- 1 root root 1679 Nov 12 11:43 server-key.pem
-rw-r--r-- 1 root root 1338 Nov 12 11:43 server.pem
# etcd member configuration (read by systemd through EnvironmentFile).
# On the other two members change ETCD_NAME (etcd-2 / etcd-3) and replace every
# 172.17.70.251 with that node's own IP; ETCD_INITIAL_CLUSTER stays identical.

[root@k8s-master1 cfg]# vim /opt/etcd/cfg/etcd.conf

#[Member]
# Unique member name; must match the name used for this node in ETCD_INITIAL_CLUSTER.
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Peer (2380) and client (2379) listeners, TLS only. The unit file adds an extra
# plain-http listener on 127.0.0.1:2379 on top of these.
ETCD_LISTEN_PEER_URLS="https://172.17.70.251:2380"
ETCD_LISTEN_CLIENT_URLS="https://172.17.70.251:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://172.17.70.251:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://172.17.70.251:2379"
# Full member list; the same value on all three nodes.
ETCD_INITIAL_CLUSTER="etcd-1=https://172.17.70.251:2380,etcd-2=https://172.17.70.253:2380,etcd-3=https://172.17.70.254:2380"
# Not a secret, but it should be unique per cluster so a member can never
# accidentally join another cluster that reuses the same peer URLs.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# NOTE: the unit file on this page hard-codes --initial-cluster-state=new instead
# of reading this variable, so as written changing it here has no effect.
ETCD_INITIAL_CLUSTER_STATE="new"
# systemd unit for etcd.
# The same file is copied to the other two members afterwards; every node-specific
# value comes from /opt/etcd/cfg/etcd.conf, so the unit needs no per-node edits.

[root@k8s-master1 cfg]# vim /usr/lib/systemd/system/etcd.service

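[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
# Node-specific settings (name, IPs, member list) come from this file.
EnvironmentFile=/opt/etcd/cfg/etcd.conf
# TLS: server.pem/server-key.pem double as the client-facing and the peer
# certificate; ca.pem is the trust anchor for both.
# --client-cert-auth / --peer-client-cert-auth are what make the trusted-CA
# files meaningful: without them etcd only *offers* TLS and accepts any client
# or peer that connects, i.e. the whole key/value store is readable and writable
# by anyone who can reach port 2379/2380. With them enabled every client
# (etcdctl here, the API server later) and every peer must present a certificate
# signed by ca.pem. The etcdctl calls on this page already pass server.pem, which
# satisfies that; any certificate used this way must be issued with the
# "client auth" usage.
# --initial-cluster-state now reads ETCD_INITIAL_CLUSTER_STATE from etcd.conf
# instead of being hard-coded to "new", so the conf file is authoritative.
# NOTE(review): the extra http://127.0.0.1:2379 listener is plaintext and
# unauthenticated, so any local process can use it regardless of the flags
# above. Keep it only if a local tool needs it; otherwise drop it and use the
# https endpoint with certificates, as the etcdctl commands below already do.
ExecStart=/opt/etcd/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--client-cert-auth=true \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--peer-client-cert-auth=true \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target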
# Start etcd and enable it at boot.
# With Type=notify and a brand-new three-member cluster, the first member may
# appear to hang in "starting" until the other two members are up -- that is
# expected; finish the nodes below before concluding something is wrong.
[root@k8s-master1 cfg]# systemctl start etcd
[root@k8s-master1 cfg]# systemctl enable etcd
# Follow the log. Since the service is run by systemd, `journalctl -u etcd -f`
# shows the same output (tailf is deprecated in newer util-linux; `tail -f` works).
[root@k8s-master1 cfg]# tailf /var/log/messages
# Ship the unit file and the whole /opt/etcd tree (binaries, etcd.conf, ssl/)
# to the other two members.
# Security note: ssl/ includes server-key.pem, so all three nodes end up sharing
# one private key -- compromising any node exposes the key every member uses.
# Per-node certificates (each listing only its own IP in "hosts") avoid that.
# scp copies the source file modes, but confirm server-key.pem is still 0600 on
# the receiving side.
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@172.17.70.253:/usr/lib/systemd/system/
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@172.17.70.254:/usr/lib/systemd/system/
[root@k8s-master1 ~]# scp -r /opt/etcd/ root@172.17.70.253:/opt/
[root@k8s-master1 ~]# scp -r /opt/etcd/ root@172.17.70.254:/opt/
# On each of the other nodes: set ETCD_NAME and that node's own IP in etcd.conf,
# then start and enable the service.
[root@k8s-node1 cfg]# vim etcd.conf
[root@k8s-node1 cfg]# systemctl start etcd
[root@k8s-node1 cfg]# systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.

验证etcd集群

# Check that all three members report healthy over TLS.
# The server certificate doubles as the client certificate here, which works
# because the same CA signed it. The flag names (--ca-file etc.) are the
# v2-API style this etcdctl build expects.
/opt/etcd/bin/etcdctl \
  --endpoints="https://172.17.70.251:2379,https://172.17.70.253:2379,https://172.17.70.254:2379" \
  --ca-file=/opt/etcd/ssl/ca.pem \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  cluster-health
# List the cluster members; each entry should show the name, peer URL and
# client URL configured in that node's etcd.conf.
# Same TLS material as the health check: CA cert plus the server cert/key used
# as a client identity.
/opt/etcd/bin/etcdctl \
  --endpoints="https://172.17.70.251:2379,https://172.17.70.253:2379,https://172.17.70.254:2379" \
  --ca-file=/opt/etcd/ssl/ca.pem \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  member list

Node安装 Docker



K8S网络模型 CNI

# 容器网络接口
# kubernetes网络模型设计基本要求
1. 一个POD一个IP
2. 每个Pod独立IP,Pod内所有容器共享网络(同一个IP)
3. 所有容器可以与其他容器通信 跨主机通信
4. 所有节点都可以与所有容器通信