公众号关注「WeiyiGeek」

设为「特别关注」，每天带你玩转网络安全运维、应用开发、物联网IOT学习！

[图片上传失败...(image-1b0721-1652954316553)]

本章目录：

• 0x00 前言简述

• 0x01 环境准备

• 主机规划

• 软件版本

• 网络规划

• 0x02 安装部署

• 1.基础主机环境准备配置

• 2.负载均衡管理工具安装与内核加载

• 3.高可用HAproxy与Keepalived软件安装配置

• 4.配置部署etcd集群与etcd证书签发

• 5.Containerd 运行时安装部署

温馨提示: 由于实践篇幅太长，此处分为上下两节进行发布。

0x00 前言简述

描述: 在我博客以及前面的文章之中讲解Kubernetes相关集群环境的搭建, 随着K8S及其相关组件的迭代, 与读者当前接触的版本有所不同，所以在当前【2022年4月26日 10:08:29】时间节点，博主使用ubuntu 20.04 、haproxy、keepalive、containerd、etcd、kubeadm、kubectl 等相关工具插件【最新或者稳定的版本】进行实践高可用的kubernetes集群的搭建，这里不再对k8s等相关基础知识做介绍，如有新入门的童鞋，请访问如下【博客文章】(https://blog.weiyigeek.top/tags/k8s/) 或者【B站专栏】(https://www.bilibili.com/read/readlist/rl520875?spm_id_from=333.999.0.0) 按照顺序学习。

简述
Kubernetes(后续简称k8s)是 Google(2014年6月) 开源的一个容器编排引擎，使用Go语言开发，它支持自动化部署、大规模可伸缩、以及云平台中多个主机上的容器化应用进行管理。其目标是让部署容器化的应用更加简单并且高效，提供了资源调度、部署管理、服务发现、扩容缩容、状态 监控、维护等一整套功能, 努力成为跨主机集群的自动化部署、自动化扩展以及运行应用程序容器的平台，它支持一些列CNCF毕业项目，包括 Containerd、calico 等 。

0x01 环境准备

主机规划

温馨提示: 此处使用的是 Ubuntu 20.04 操作系统, 该系统已做安全加固和内核优化符合等保2.0要求【SecOpsDev/Ubuntu-InitializeSecurity.sh at master · WeiyiGeek/SecOpsDev (github.com)】, 如你的Linux未进行相应配置环境可能与读者有些许差异, 如需要进行(windows server 、Ubuntu、CentOS)安全加固请参照如下加固脚本进行加固, 请大家疯狂的 star 。

加固脚本地址:【 https://github.com/WeiyiGeek/SecOpsDev/blob/master/OS-操作系统/Linux/Ubuntu/Ubuntu-InitializeSecurity.sh 】

软件版本

操作系统

• Ubuntu 20.04 LTS - 5.4.0-107-generic

TLS证书签发

• cfssl - v1.6.1

• cfssl-certinfo - v1.6.1

• cfssljson - v1.6.1

高可用软件

• ipvsadm - 1:1.31-1

• haproxy - 2.0.13-2

• keepalived - 1:2.0.19-2

ETCD数据库

• etcd - v3.5.4

容器运行时

• containerd.io - 1.6.4

Kubernetes

• kubeadm - v1.23.6

• kube-apiserver - v1.23.6

• kube-controller-manager - v1.23.6

• kubectl - v1.23.6

• kubelet - v1.23.6

• kube-proxy - v1.23.6

• kube-scheduler - v1.23.6

网络插件&辅助软件
calico - v3.22
coredns - v1.9.1
kubernetes-dashboard - v2.5.1
k9s - v0.25.18

网络规划

温馨提示: 上述环境所使用的到相关软件及插件我已打包, 方便大家进行下载，可访问如下链接（访问密码请访问 WeiyiGeek 公众号回复【k8s二进制】获取）。

下载地址: http://share.weiyigeek.top/f/36158960-578443238-a1a5fa （访问密码：点击访问 WeiyiGeek 公众号回复【k8s二进制】）

[图片上传失败...(image-8424b3-1652954316553)]

/kubernetes-cluster-binary-install# tree ..├── calico│   └── calico-v3.22.yaml├── certificate│   ├── admin-csr.json│   ├── apiserver-csr.json│   ├── ca-config.json│   ├── ca-csr.json│   ├── cfssl│   ├── cfssl-certinfo│   ├── cfssljson│   ├── controller-manager-csr.json│   ├── etcd-csr.json│   ├── kube-scheduler-csr.json│   ├── proxy-csr.json│   └── scheduler-csr.json├── containerd.io│   └── config.toml├── coredns│   ├── coredns.yaml│   ├── coredns.yaml.sed│   └── deploy.sh├── cri-containerd-cni-1.6.4-linux-amd64.tar.gz├── etcd-v3.5.4-linux-amd64.tar.gz├── k9s├── kubernetes-dashboard│   ├── kubernetes-dashboard.yaml│   └── rbac-dashboard-admin.yaml├── kubernetes-server-linux-amd64.tar.gz└── nginx.yaml

0x02 安装部署

1.基础主机环境准备配置

步骤 01.【所有主机】主机名设置按照上述主机规划进行设置。

# 例如, 在10.10.107.223主机中运行。hostnamectl set-hostname master-223# 例如, 在10.10.107.227主机中运行。hostnamectl set-hostname node-2

步骤 02.【所有主机】将规划中的主机名称与IP地址进行硬解析。

sudo tee -a /etc/hosts <<'EOF'10.10.107.223 master-22310.10.107.224 master-22410.10.107.225 master-22510.10.107.226 node-110.10.107.227 node-210.10.107.222 weiyigeek.cluster.k8sEOF

步骤 03.验证每个节点上IP、MAC 地址和 product_uuid 的唯一性,保证其能相互正常通信

# 使用命令 ip link 或 ifconfig -a 来获取网络接口的 MAC 地址ifconfig -a# 使用命令 查看 product_uuid 校验sudo cat /sys/class/dmi/id/product_uuid

步骤 04.【所有主机】系统时间同步与时区设置

date -Rsudo ntpdate ntp.aliyun.comsudo timedatectl set-timezone Asia/Shanghai# 或者# sudo dpkg-reconfigure tzdatasudo timedatectl set-local-rtc 0timedatectl

步骤 05.【所有主机】禁用系统交换分区

swapoff -a && sed -i 's|^/swap.img|#/swap.ing|g' /etc/fstab# 验证交换分区是否被禁用free | grep "Swap:"

步骤 07.【所有主机】系统内核参数调整

# 禁用 swap 分区egrep -q "^(#)?vm.swappiness.*" /etc/sysctl.conf && sed -ri "s|^(#)?vm.swappiness.*|vm.swappiness = 0|g"  /etc/sysctl.conf || echo "vm.swappiness = 0" >> /etc/sysctl.conf# 允许转发egrep -q "^(#)?net.ipv4.ip_forward.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.ipv4.ip_forward.*|net.ipv4.ip_forward = 1|g"  /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf# - 允许 iptables 检查桥接流量egrep -q "^(#)?net.bridge.bridge-nf-call-iptables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-iptables.*|net.bridge.bridge-nf-call-iptables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.confegrep -q "^(#)?net.bridge.bridge-nf-call-ip6tables.*" /etc/sysctl.conf && sed -ri "s|^(#)?net.bridge.bridge-nf-call-ip6tables.*|net.bridge.bridge-nf-call-ip6tables = 1|g" /etc/sysctl.conf || echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf

步骤 07.【所有主机】禁用系统防火墙

ufw disable && systemctl disable ufw && systemctl stop ufw

步骤 08.【master-225 主机】使用 master-225 主机的公钥免账号密码登陆其它主机（可选）方便文件在各主机上传下载。

# 生成ed25519格式的公密钥sh-keygen -t ed25519# 例如,在master-225 主机上使用密钥登录到 master-223 设置 (其它主机同样)ssh-copy-id -p 20211 weiyigeek@10.10.107.223  # /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"  # Are you sure you want to continue connecting (yes/no/[fingerprint])? yes # 输入yes  # weiyigeek@10.10.107.223s password: # 输入主机密码  # Number of key(s) added: 1  # Now try logging into the machine, with:   "ssh -p '20211' 'weiyigeek@10.10.107.223'"  # and check to make sure that only the key(s) you wanted were added.ssh-copy-id -p 20211 weiyigeek@10.10.107.224ssh-copy-id -p 20211 weiyigeek@10.10.107.226ssh-copy-id -p 20211 weiyigeek@10.10.107.227

2.负载均衡管理工具安装与内核加载

步骤 01.安装ipvs模块以及负载均衡相关依赖。

# 查看可用版本sudo apt-cache madison ipvsadm  # ipvsadm |   1:1.31-1 | http://mirrors.aliyun.com/ubuntu focal/main amd64 Packages# 安装sudo apt -y install ipvsadm ipset sysstat conntrack# 锁定版本 apt-mark hold ipvsadm  # ipvsadm set on hold.

步骤 02.将模块加载到内核中(开机自动设置-需要重启机器生效)

tee /etc/modules-load.d/k8s.conf <<'EOF'# netfilterbr_netfilter# containerdoverlay# nf_conntracknf_conntrack# ipvsip_vsip_vs_lcip_vs_lblcip_vs_lblcrip_vs_rrip_vs_wrrip_vs_ship_vs_dhip_vs_foip_vs_nqip_vs_sedip_vs_ftpip_tablesip_setipt_setipt_rpfilteript_REJECTipipxt_setEOF

步骤 03.手动加载模块到内核中

mkdir -vp /etc/modules.d/tee /etc/modules.d/k8s.modules <<'EOF'#!/bin/bash# netfilter 模块 允许 iptables 检查桥接流量modprobe -- br_netfilter# containerdmodprobe -- overlay# nf_conntrackmodprobe -- nf_conntrack# ipvsmodprobe -- ip_vsmodprobe -- ip_vs_lcmodprobe -- ip_vs_lblcmodprobe -- ip_vs_lblcrmodprobe -- ip_vs_rrmodprobe -- ip_vs_wrrmodprobe -- ip_vs_shmodprobe -- ip_vs_dhmodprobe -- ip_vs_fomodprobe -- ip_vs_nqmodprobe -- ip_vs_sedmodprobe -- ip_vs_ftpmodprobe -- ip_tablesmodprobe -- ip_setmodprobe -- ipt_setmodprobe -- ipt_rpfiltermodprobe -- ipt_REJECTmodprobe -- ipipmodprobe -- xt_setEOFchmod 755 /etc/modules.d/k8s.modules && bash /etc/modules.d/k8s.modules && lsmod | grep -e ip_vs -e nf_conntrack  # ip_vs_sh               16384  0  # ip_vs_wrr              16384  0  # ip_vs_rr               16384  0  # ip_vs                 155648  6 ip_vs_rr,ip_vs_sh,ip_vs_wrr  # nf_conntrack          139264  1 ip_vs  # nf_defrag_ipv6         24576  2 nf_conntrack,ip_vs  # nf_defrag_ipv4         16384  1 nf_conntrack  # libcrc32c              16384  5 nf_conntrack,btrfs,xfs,raid456,ip_vssysctl --system

温馨提示: 在 kernel 4.19 版本及以上将使用 nf_conntrack 模块, 则在 4.18 版本以下则需使用nf_conntrack_ipv4 模块。

3.高可用HAproxy与Keepalived软件安装配置

描述: 由于是测试学习环境, 此处我未专门准备两台HA服务器, 而是直接采用master节点机器，如果是正式环境建议独立出来。

步骤 01.【Master节点机器】安装下载 haproxy (HA代理健康检测) 与 keepalived (虚拟路由协议-主从)。

# 查看可用版本sudo apt-cache madison haproxy keepalived  #  haproxy | 2.0.13-2ubuntu0.5 | http://mirrors.aliyun.com/ubuntu focal-security/main amd64 Packages  # keepalived | 1:2.0.19-2ubuntu0.2 | http://mirrors.aliyun.com/ubuntu focal-updates/main amd64 Packages# 安装sudo apt -y install haproxy keepalived# 锁定版本 apt-mark hold haproxy keepalived

步骤 02.【Master节点机器】进行 HAProxy 配置，其配置目录为 /etc/haproxy/，所有节点配置是一致的。

sudo cp /etc/haproxy/haproxy.cfg{,.bak}tee /etc/haproxy/haproxy.cfg<<'EOF'global  user haproxy  group haproxy  maxconn 2000  daemon  log /dev/log local0  log /dev/log local1 err  chroot /var/lib/haproxy  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners  stats timeout 30s  # Default SSL material locations  ca-base /etc/ssl/certs  crt-base /etc/ssl/private  # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-ticketsdefaults  log     global  mode    http  option  httplog  option  dontlognull  timeout connect 5000  timeout client  50000  timeout server  50000  timeout http-request 15s  timeout http-keep-alive 15s  # errorfile 400 /etc/haproxy/errors/400.http  # errorfile 403 /etc/haproxy/errors/403.http  # errorfile 408 /etc/haproxy/errors/408.http  # errorfile 500 /etc/haproxy/errors/500.http  # errorfile 502 /etc/haproxy/errors/502.http  # errorfile 503 /etc/haproxy/errors/503.http  # errorfile 504 /etc/haproxy/errors/504.http# 注意: 管理HAproxy (可选)# frontend monitor-in#   bind *:33305#   mode http#   option httplog#   monitor-uri /monitor# 注意: 基于四层代理, 1644 3为VIP的 ApiServer 控制平面端口, 由于是与master节点在一起所以不能使用6443端口.frontend k8s-master  bind 0.0.0.0:16443  bind 127.0.0.1:16443  mode tcp  option tcplog  tcp-request inspect-delay 5s  default_backend k8s-master# 注意: Master 节点的默认 Apiserver 是6443端口backend k8s-master  mode tcp  option tcplog  option tcp-check  balance roundrobin  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100  server master-223 10.10.107.223:6443 check  server master-224 10.10.107.224:6443 check  server master-225 10.10.107.225:6443 checkEOF

步骤 03.【Master节点机器】进行 置KeepAlived 配置 ，其配置目录为 /etc/haproxy/

# 创建配置目录，分别在各个master节点执行。mkdir -vp /etc/keepalived# __ROLE__ 角色: MASTER 或者 BACKUP# __NETINTERFACE__ 宿主机物理网卡名称 例如我的ens32# __IP__ 宿主机物理IP地址# __VIP__ 虚拟VIP地址sudo tee /etc/keepalived/keepalived.conf <<'EOF'! Configuration File for keepalivedglobal_defs {  router_id LVS_DEVELscript_user root  enable_script_security}vrrp_script chk_apiserver {  script "/etc/keepalived/check_apiserver.sh"  interval 5  weight -5  fall 2    rise 1}vrrp_instance VI_1 {  state __ROLE__  interface __NETINTERFACE__  mcast_src_ip __IP__  virtual_router_id 51  priority 101  advert_int 2  authentication {    auth_type PASS    auth_pass K8SHA_KA_AUTH  }  virtual_ipaddress {    __VIP__  }  # HA 健康检查  # track_script {  #   chk_apiserver  # }}EOF# 此处 master-225 性能较好所以配置为Master (master-225 主机上执行)# master-225 10.10.107.225 => MASTERsed -i -e 's#__ROLE__#MASTER#g' \  -e 's#__NETINTERFACE__#ens32#g' \  -e 's#__IP__#10.10.107.225#g' \  -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf # master-224 10.10.107.224 => BACKUP  (master-224 主机上执行)sed -i -e 's#__ROLE__#BACKUP#g' \  -e 's#__NETINTERFACE__#ens32#g' \  -e 's#__IP__#10.10.107.224#g' \  -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf # master-223 10.10.107.223 => BACKUP  (master-223 主机上执行)sed -i -e 's#__ROLE__#BACKUP#g' \  -e 's#__NETINTERFACE__#ens32#g' \  -e 's#__IP__#10.10.107.223#g' \  -e 's#__VIP__#10.10.107.222#g' /etc/keepalived/keepalived.conf

温馨提示: 注意上述的健康检查是关闭注释了的，你需要将K8S集群建立完成后再开启。

track_script {  chk_apiserver}

步骤 04.【Master节点机器】进行配置 KeepAlived 健康检查文件。

sudo tee /etc/keepalived/check_apiserver.sh <<'EOF'#!/bin/basherr=0for k in $(seq 1 3)do  check_code=$(pgrep haproxy)  if [[ $check_code == "" ]]; then    err=$(expr $err + 1)    sleep 1    continue  else    err=0    break  fidoneif [[ $err != "0" ]]; then  echo "systemctl stop keepalived"  /usr/bin/systemctl stop keepalived  exit 1else  exit 0fiEOFsudo chmod +x /etc/keepalived/check_apiserver.sh

步骤 05.【Master节点机器】启动 haproxy 、keepalived 相关服务及测试VIP漂移。

# 重载 Systemd 设置 haproxy 、keepalived 开机自启以及立即启动sudo systemctl daemon-reloadsudo systemctl enable --now haproxy && sudo systemctl enable --now keepalived# Synchronizing state of haproxy.service with SysV service script with /lib/systemd/systemd-sysv-install.# Executing: /lib/systemd/systemd-sysv-install enable haproxy# Synchronizing state of keepalived.service with SysV service script with /lib/systemd/systemd-sysv-install.# Executing: /lib/systemd/systemd-sysv-install enable keepalived# 在 master-223 主机中发现vip地址在其主机上。root@master-223:~$ ip addr  # 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000  #     link/ether 00:0c:29:00:0f:8f brd ff:ff:ff:ff:ff:ff  #     inet 10.10.107.223/24 brd 10.10.107.255 scope global ens32  #        valid_lft forever preferred_lft forever  #     inet 10.10.107.222/32 scope global ens32  #        valid_lft forever preferred_lft forever# 其它两台主机上通信验证。root@master-224:~$ ping 10.10.107.222root@master-225:~$ ping 10.10.107.222

# 手动验证VIP漂移,我们将该服务器上keepalived停止掉。root@master-223:~$ pgrep haproxy  # 6320  # 6321root@master-223:~$ /usr/bin/systemctl stop keepalived# 此时,发现VIP已经飘到master-225主机中root@master-225:~$ ip addr show ens32  # 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000  #     link/ether 00:0c:29:93:28:61 brd ff:ff:ff:ff:ff:ff  #     inet 10.10.107.225/24 brd 10.10.107.255 scope global ens32  #       valid_lft forever preferred_lft forever  #     inet 10.10.107.222/32 scope global ens32  #       valid_lft forever preferred_lft forever

至此，HAProxy 与 Keepalived 配置就告一段落了,下面将学习 ETCD 集群配置与证书签发。

4.配置部署etcd集群与etcd证书签发

描述: 创建一个高可用的ETCD集群，此处我们在【master-225】机器中操作。

步骤 01.【master-225】创建一个配置与相关文件存放的目录, 以及下载获取cfssl工具进行CA证书制作与签发(cfssl工具往期文章参考地址: https://blog.weiyigeek.top/2019/10-21-12.html#3-CFSSL-生成 )。

# 工作目录创建mkdir -vp /app/k8s-init-work && cd /app/k8s-init-work# cfssl 最新下载地址: https://github.com/cloudflare/cfssl/releases# cfssl 相关工具拉取 (如果拉取较慢，建议使用某雷下载，然后上传到服务器里)curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o /usr/local/bin/cfsslcurl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o /usr/local/bin/cfssljsoncurl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64 -o /usr/local/bin/cfssl-certinfo# 赋予执行权限chmod +x /usr/local/bin/cfssl*/app# cfssl version# Version: 1.2.0# Revision: dev# Runtime: go1.6

温馨提示:

• cfssl : CFSSL 命令行工具

• cfssljson : 用于从cfssl程序中获取JSON输出并将证书、密钥、证书签名请求文件CSR和Bundle写入到文件中，

步骤 02.利用上述 cfssl 工具创建 CA 证书。

# - CA 证书签名请求配置文件fssl print-defaults csr > ca-csr.jsontee ca-csr.json <<'EOF'{  "CN": "kubernetes",  "key": {    "algo": "rsa",    "size": 2048  },  "names": [    {      "C": "CN",      "L": "ChongQing",      "ST": "ChongQing",      "O": "k8s",      "OU": "System"    }  ],  "ca": {    "expiry": "87600h"  }}EOF# 关键参数解析:CN: Common Name，浏览器使用该字段验证网站是否合法，一般写的是域名，非常重要。浏览器使用该字段验证网站是否合法key：生成证书的算法hosts：表示哪些主机名(域名)或者IP可以使用此csr申请的证书，为空或者""表示所有的都可以使用(本例中没有`"hosts": [""]`字段)names：常见属性设置  * C: Country， 国家  * ST: State，州或者是省份  * L: Locality Name，地区，城市  * O: Organization Name，组织名称，公司名称(在k8s中常用于指定Group，进行RBAC绑定)  * OU: Organization Unit Name，组织单位名称，公司部门# - CA 证书策略配置文件cfssl print-defaults config > ca-config.jsontee ca-config.json <<'EOF'{  "signing": {    "default": {      "expiry": "87600h"    },    "profiles": {      "kubernetes": {        "expiry": "87600h",        "usages": [            "signing",            "key encipherment",            "server auth",            "client auth"        ]      },      "etcd": {        "expiry": "87600h",        "usages": [            "signing",            "key encipherment",            "server auth",            "client auth"        ]      }    }  }}EOF# 关键参数解析:default 默认策略，指定了证书的默认有效期是10年(87600h)profile 自定义策略配置  * kubernetes：表示该配置(profile)的用途是为kubernetes生成证书及相关的校验工作  * signing：表示该证书可用于签名其它证书；生成的 ca.pem 证书中 CA=TRUE  * server auth：表示可以该CA 对 server 提供的证书进行验证  * client auth：表示可以用该 CA 对 client 提供的证书进行验证  * expiry：也表示过期时间，如果不写以default中的为准# - 执行cfssl gencert 命令生成CA证书# 利用CA证书签名请求配置文件 ca-csr.json 生成CA证书和CA私钥和CSR(证书签名请求):cfssl gencert -initca ca-csr.json | cfssljson -bare ca  # 2022/04/27 16:49:37 [INFO] generating a new CA key and certificate from CSR  # 2022/04/27 16:49:37 [INFO] generate received request  # 2022/04/27 16:49:37 [INFO] received CSR  # 2022/04/27 16:49:37 [INFO] generating key: rsa-2048  # 2022/04/27 16:49:37 [INFO] encoded CSR  # 2022/04/27 16:49:37 [INFO] signed certificate with serial number 245643466964695827922023924375276493244980966303$ ls  # ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem$ openssl x509 -in ca.pem -text -noout | grep "Not"  # Not Before: Apr 27 08:45:00 2022 GMT  # Not After : Apr 24 08:45:00 2032 GMT

温馨提示: 如果将 expiry 设置为87600h 表示证书过期时间为十年。

步骤 03.配置ETCD证书相关文件以及生成其证书,

# etcd 证书请求文件tee etcd-csr.json <<'EOF'{  "CN": "etcd",  "hosts": [    "127.0.0.1",    "10.10.107.223",    "10.10.107.224",    "10.10.107.225",    "etcd1",    "etcd2",    "etcd3"  ],  "key": {    "algo": "rsa",    "size": 2048  },  "names": [    {      "C": "CN",      "L": "ChongQing",      "ST": "ChongQing",      "O": "etcd",      "OU": "System"    }  ]}EOF# 利用ca证书签发生成etcd证书cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd$ ls etcd*etcd.csr  etcd-csr.json  etcd-key.pem  etcd.pem$ openssl x509 -in etcd.pem -text -noout | grep  "X509v3 Subject Alternative Name" -A 1  # X509v3 Subject Alternative Name:  #   DNS:etcd1, DNS:etcd2, DNS:etcd3, IP Address:127.0.0.1, IP Address:10.10.107.223, IP Address:10.10.107.224, IP Address:10.10.107.225

步骤 04.【所有Master节点主机】下载部署ETCD集群, 首先我们需要下载etcd软件包, 可以 Github release 找到最新版本的etcd下载路径(https://github.com/etcd-io/etcd/releases/)。

# 下载wget -L https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gztar -zxvf etcd-v3.5.4-linux-amd64.tar.gzcp -a etcd* /usr/local/bin/# 版本 etcd --version  # etcd Version: 3.5.4  # Git SHA: 08407ff76  # Go Version: go1.16.15  # Go OS/Arch: linux/amd64# 复制到其它master主机上scp -P 20211 ./etcd-v3.5.4-linux-amd64.tar.gz weiyigeek@master-223:~scp -P 20211 ./etcd-v3.5.4-linux-amd64.tar.gz weiyigeek@master-224:~# 分别在master-223与master-224执行, 解压到 /usr/local/ 目录同样复制二进制文件到 /usr/local/bin/tar -zxvf /home/weiyigeek/etcd-v3.5.4-linux-amd64.tar.gz -C /usr/local/cp -a /usr/local/etcd-v3.5.4-linux-amd64/etcd* /usr/local/bin/

温馨提示: etcd 官网地址 ( https://etcd.io/)

步骤 05.创建etcd集群所需的配置文件。

# 证书准备mkdir -vp /etc/etcd/pki/cp *.pem /etc/etcd/pki/ls /etc/etcd/pki/  # ca-key.pem  ca.pem  etcd-key.pem  etcd.pem# 上传到~家目录,并需要将其复制到 /etc/etcd/pki/ 目录中scp -P 20211 *.pem weiyigeek@master-224:~scp -P 20211 *.pem weiyigeek@master-223:~  # ****************** [ 安全登陆 (Security Login) ] *****************  # Authorized only. All activity will be monitored and reported.By Security Center.  # ca-key.pem             100% 1675     3.5MB/s   00:00  # ca.pem                 100% 1375     5.2MB/s   00:00  # etcd-key.pem           100% 1679     7.0MB/s   00:00  # etcd.pem               100% 1399     5.8MB/s   00:00# master-225 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd1# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.225:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.225:2380"# [证书配置]# ETCD_CERT_FILE=/etc/etcd/pki/etcd.pem# ETCD_KEY_FILE=/etc/etcd/pki/etcd-key.pem# ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem# ETCD_CLIENT_CERT_AUTH=true# ETCD_PEER_CLIENT_CERT_AUTH=true# ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd.pem# ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd-key.pem# ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem# [集群配置]# 本机地址用于通知客户端，客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.225:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.225:2380"# 描述集群中所有节点的信息，本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF# master-224 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd2# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.224:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.224:2380"# [集群配置]# 本机地址用于通知客户端，客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.224:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.224:2380"# 描述集群中所有节点的信息，本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF# master-223 执行tee /etc/etcd/etcd.conf <<'EOF'# [成员配置]# member 名称ETCD_NAME=etcd3# 存储数据的目录(注意需要建立)ETCD_DATA_DIR="/var/lib/etcd/data"# 用于监听客户端etcdctl或者curl连接ETCD_LISTEN_CLIENT_URLS="https://10.10.107.223:2379,https://127.0.0.1:2379"# 用于监听集群中其它member的连接ETCD_LISTEN_PEER_URLS="https://10.10.107.223:2380"# [集群配置]# 本机地址用于通知客户端，客户端通过此IPs与集群通信;ETCD_ADVERTISE_CLIENT_URLS="https://10.10.107.223:2379"# 本机地址用于通知集群member与member通信ETCD_INITIAL_ADVERTISE_PEER_URLS="https://10.10.107.223:2380"# 描述集群中所有节点的信息，本member根据此信息去联系其他memberETCD_INITIAL_CLUSTER="etcd1=https://10.10.107.225:2380,etcd2=https://10.10.107.224:2380,etcd3=https://10.10.107.223:2380"# 集群状态新建集群时候设置为new,若是想加入某个已经存在的集群设置为existingETCD_INITIAL_CLUSTER_STATE=newEOF

步骤 06.【所有Master节点主机】创建配置 etcd 的 systemd 管理配置文件，并启动其服务。

mkdir -vp /var/lib/etcd/cat > /usr/lib/systemd/system/etcd.service <<EOF[Unit]Description=Etcd ServerDocumentation=https://github.com/etcd-io/etcdAfter=network.targetAfter=network-online.targetwants=network-online.target[Service]Type=notifyWorkingDirectory=/var/lib/etcd/EnvironmentFile=-/etc/etcd/etcd.confExecStart=/usr/local/bin/etcd \  --client-cert-auth \  --trusted-ca-file /etc/etcd/pki/ca.pem \  --cert-file /etc/etcd/pki/etcd.pem \  --key-file /etc/etcd/pki/etcd-key.pem \  --peer-client-cert-auth \  --peer-trusted-ca-file /etc/etcd/pki/ca.pem \  --peer-cert-file /etc/etcd/pki/etcd.pem \  --peer-key-file /etc/etcd/pki/etcd-key.pemRestart=on-failureRestartSec=5LimitNOFILE=65535LimitNPROC=65535[Install]WantedBy=multi-user.targetEOF# 重载 systemd && 开机启动与手动启用etcd服务systemctl daemon-reload && systemctl enable --now etcd.service

步骤 07.【所有Master节点主机】查看各个master节点的etcd集群服务是否正常及其健康状态。

# 服务查看systemctl status etcd.service# 利用 etcdctl 工具查看集群成员信息export ETCDCTL_API=3etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" \--write-out=table member list  # +------------------+---------+-------+----------------------------+----------------------------+------------+  # |        ID        | STATUS  | NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |  # +------------------+---------+-------+----------------------------+----------------------------+------------+  # | 144934d02ad45ec7 | started | etcd3 | https://10.10.107.223:2380 | https://10.10.107.223:2379 |      false |  # | 2480d95a2df867a4 | started | etcd2 | https://10.10.107.224:2380 | https://10.10.107.224:2379 |      false |  # | 2e8fddd3366a3d88 | started | etcd1 | https://10.10.107.225:2380 | https://10.10.107.225:2379 |      false |  # +------------------+---------+-------+----------------------------+----------------------------+------------+# 集群节点信息etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem"  \--write-out=table endpoint status  # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+  # |          ENDPOINT          |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |  # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+  # | https://10.10.107.225:2379 | 2e8fddd3366a3d88 |   3.5.4 |   20 kB |     false |      false |         3 |         12 |                 12 |        |  # | https://10.10.107.224:2379 | 2480d95a2df867a4 |   3.5.4 |   20 kB |      true |      false |         3 |         12 |                 12 |        |  # | https://10.10.107.223:2379 | 144934d02ad45ec7 |   3.5.4 |   20 kB |     false |      false |         3 |         12 |                 12 |        |  # +----------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+# 集群节点健康状态etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem"  \--write-out=table endpoint health  # +----------------------------+--------+-------------+-------+  # |          ENDPOINT          | HEALTH |    TOOK     | ERROR |  # +----------------------------+--------+-------------+-------+  # | https://10.10.107.225:2379 |   true |  9.151813ms |       |  # | https://10.10.107.224:2379 |   true | 10.965914ms |       |  # | https://10.10.107.223:2379 |   true | 11.165228ms |       |  # +----------------------------+--------+-------------+-------+# 集群节点性能测试etcdctl --endpoints=https://10.10.107.225:2379,https://10.10.107.224:2379,https://10.10.107.223:2379 \--cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem"  \--write-out=tableendpoint check perf# 59 / 60 Boooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooom   !  98.33%PASS: Throughput is 148 writes/s# Slowest request took too long: 1.344053s# Stddev too high: 0.143059s# FAIL

5.Containerd 运行时安装部署

步骤 01.【所有节点】在各主机中安装二进制版本的 containerd.io 运行时服务，Kubernertes 通过 CRI 插件来连接 containerd 服务中, 控制容器的生命周期。

# 从 Github 中下载最新的版本的 cri-containerd-cni wget -L https://github.com/containerd/containerd/releases/download/v1.6.4/cri-containerd-cni-1.6.4-linux-amd64.tar.gz# 解压到当前cri-containerd-cni目录中。mkdir -vp cri-containerd-cnitar -zxvf cri-containerd-cni-1.6.4-linux-amd64.tar.gz -C cri-containerd-cni

步骤 02.查看其文件以及配置文件路径信息。

$ tree ./cri-containerd-cni/.├── etc│   ├── cni│   │   └── net.d│   │       └── 10-containerd-net.conflist│   ├── crictl.yaml│   └── systemd│       └── system│           └── containerd.service├── opt│   ├── cni│   │   └── bin│   │       ├── bandwidth│   │       ├── bridge│   │       ├── dhcp│   │       ├── firewall│   │       ├── host-device│   │       ├── host-local│   │       ├── ipvlan│   │       ├── loopback│   │       ├── macvlan│   │       ├── portmap│   │       ├── ptp│   │       ├── sbr│   │       ├── static│   │       ├── tuning│   │       ├── vlan│   │       └── vrf│   └── containerd│       └── cluster│           ├── gce│           │   ├── cloud-init│           │   │   ├── master.yaml│           │   │   └── node.yaml│           │   ├── cni.template│           │   ├── configure.sh│           │   └── env│           └── version└── usr    └── local        ├── bin        │   ├── containerd        │   ├── containerd-shim        │   ├── containerd-shim-runc-v1        │   ├── containerd-shim-runc-v2        │   ├── containerd-stress        │   ├── crictl        │   ├── critest        │   ├── ctd-decoder        │   └── ctr        └── sbin            └── runc# 然后在所有节点上复制到上述文件夹到对应目录中cd ./cri-containerd-cni/cp -r etc/ /cp -r opt/ /cp -r usr/ /

步骤 03.【所有节点】进行containerd 配置创建并修改 config.toml .

mkdir -vp /etc/containerd# 默认配置生成containerd config default >/etc/containerd/config.tomlls /etc/containerd/config.toml  # /etc/containerd/config.toml# pause 镜像源sed -i "s#k8s.gcr.io/pause#registry.cn-hangzhou.aliyuncs.com/google_containers/pause#g"  /etc/containerd/config.toml# 使用 SystemdCgroupsed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml# docker.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."docker.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://xlx9erfu.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml# gcr.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml# k8s.gcr.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."k8s.gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/","https://registry.cn-hangzhou.aliyuncs.com/google_containers/"]' /etc/containerd/config.toml# quay.io mirrorsed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]' /etc/containerd/config.tomlsed -i '/registry.mirrors."quay.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://quay.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml

步骤 04.客户端工具 runtime 与 镜像 端点配置:

# 手动设置临时生效# crictl config runtime-endpoint /run/containerd/containerd.sock# /run/containerd/containerd.sock # 配置文件设置永久生效cat <<EOF > /etc/crictl.yamlruntime-endpoint: unix:///run/containerd/containerd.sockimage-endpoint: unix:///run/containerd/containerd.socktimeout: 10debug: falseEOF

步骤 05.重载 systemd自启和启动containerd.io服务。

systemctl daemon-reload && systemctl enable --now containerd.servicesystemctl status containerd.servicectr version  # Client:  #   Version:  1.5.11  #   Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8  #   Go version: go1.17.8  # Server:  #   Version:  1.5.11  #   Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8  #   UUID: 71a28bbb-6ed6-408d-a873-e394d48b35d8

步骤 06.用于根据OCI规范生成和运行容器的CLI工具 runc 版本查看

runc -v  # runc version 1.1.1  # commit: v1.1.1-0-g52de29d7  # spec: 1.0.2-dev  # go: go1.17.9  # libseccomp: 2.5.1

温馨提示: 当默认 runc 执行提示 runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond 时，由于上述软件包中包含的runc对系统依赖过多，所以建议单独下载安装 runc 二进制项目(https://github.com/opencontainers/runc/)

wget https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64# 执行权限赋予chmod +x runc.amd64# 替换掉 /usr/local/sbin/ 路径原软件包中的 runcmv runc.amd64 /usr/local/sbin/runc

本文至此完毕，更多技术文章，尽情期待下一章节！

欢迎各位志同道合的朋友一起学习交流，如文章有误请在下方留下您宝贵的经验知识，个人邮箱地址【master#weiyigeek.top】或者个人公众号【WeiyiGeek】联系我。

更多文章来源于【WeiyiGeek Blog 个人博客 - 为了能到远方，脚下的每一步都不能少 】

个人主页: 【 https://weiyigeek.top】

博客地址: 【 https://blog.weiyigeek.top 】

专栏书写不易，如果您觉得这个专栏还不错的，请给这篇专栏 【点个赞、投个币、收个藏、关个注，转个发，留个言】(人间六大情)，这将对我的肯定，谢谢！。

• echo "【点个赞】，动动你那粗壮的拇指或者芊芊玉手，亲！"

• printf("%s", "【投个币】，万水千山总是情，投个硬币行不行，亲！")

• fmt.Printf("【收个藏】，阅后即焚不吃灰，亲！")

• console.info("【转个发】，让更多的志同道合的朋友一起学习交流，亲！")

• System.out.println("【关个注】，后续浏览查看不迷路哟，亲！")

• cout << "【留个言】，文章写得好不好、有没有错误，一定要留言哟，亲! " << endl;

往期相关文章

记一次在k8s集群搭建的Harbor私有仓库无法提供服务之镜像迁移恢复实践

K9s之Kubernetes集群管理交互工具实践

K9s之Kuberntes集群管理交互工具实践

3.Containerd容器运行时的配置浅析与知识扩充实践

4.如何使用nerdctl工具并配合Containerd容器运行时来替代Docker容器环境

WeiyiGeek

Always keep a beginner's mind, don't forget the beginner's mind. Blog :【https://weiyigeek.top】

174篇原创内容

更多网络安全、系统运维、应用开发、全栈文章，尽在【个人博客 - https://blog.weiyigeek.top】站点，谢谢支持！

↓↓↓ 更多文章，请点击下方阅读原文。