JD Cloud Developer (京东云开发者) | IoT Ops - How to deploy a highly available K8S cluster

Environment


[Figure: environment topology (image not preserved in the extracted text)]
Preparation
Configure ansible (run on the deploy host)
# ssh-keygen
# for i in 192.168.3.{21..28}; do ssh-copy-id -i ~/.ssh/id_rsa.pub $i; done
[root@deploy ~]# cat /etc/ansible/hosts
[etcd]
192.168.3.21
192.168.3.22
192.168.3.23
[k8s-master]
192.168.3.24
192.168.3.25
192.168.3.26
[k8s-worker]
192.168.3.27
192.168.3.28
[k8s:children]
k8s-master
k8s-worker

Tune the host configuration
Disable the firewall and SELinux (the article turns both off on every node for simplicity; that removes two host-level controls, so at least keep a network-level firewall in front of the cluster)
# ansible all -m shell -a "systemctl stop firewalld && systemctl disable firewalld"
# ansible all -m shell -a "sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config"
The sed edit only takes effect at the next boot; run setenforce 0 on the nodes as well if they are not rebooted before the container runtime is installed.

Adjust limits
Disable swap
# ansible k8s -m shell -a "swapoff -a"
# ansible k8s -m shell -a "yes | cp /etc/fstab /etc/fstab_bak"
# ansible k8s -m shell -a "cat /etc/fstab_bak | grep -v swap > /etc/fstab"
# ansible k8s -m shell -a "echo vm.swappiness = 0 >> /etc/sysctl.d/k8s.conf"
# ansible k8s -m shell -a "sysctl -p /etc/sysctl.d/k8s.conf"
(swapoff must run on the k8s nodes themselves, hence through ansible rather than on the deploy host.)

Configure IPVS
# cat /root/ipvs.sh
#!/bin/bash
yum -y install ipvsadm ipset
#### create the ipvs module-loading script
cat > /etc/sysconfig/modules/ipvs.modules << EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
# on kernels 4.19 and later the module is named nf_conntrack; nf_conntrack_ipv4 no longer exists
modprobe -- nf_conntrack_ipv4
EOF
#### run the script and verify the modules are loaded
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
########################
# ansible k8s -m script -a "/root/ipvs.sh"

Configure bridge forwarding rules
# cat sysctl.sh
#!/bin/bash
# "cat >" replaces /etc/sysctl.d/k8s.conf, so the vm.swappiness setting written
# in the swap step is repeated here instead of being lost
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
EOF
cat <<EOF | tee /etc/modules-load.d/crio.conf
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
sysctl --system
# ansible k8s -m script -a "/root/sysctl.sh"

Configure the etcd cluster
Generate certificates (on the ansible host)
# curl -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
# curl -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
# curl -o /usr/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
# chmod +x /usr/bin/cfssl*

Create the CA config file
# mkdir -p /root/ssl
# cd /root/ssl
# cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "876000h"
    },
    "profiles": {
      "etcd": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "876000h"
      }
    }
  }
}
EOF
876000h is roughly 100 years. That is convenient for a lab, but for production pick a lifetime you can actually rotate within and plan the rotation now, because etcd members and kube-apiserver all have to be restarted with the new certificates.

Create the CA certificate signing request
# cat > ca-csr.json <<EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "jdt",
      "OU": "iot"
    }
  ]
}
EOF

Generate the CA certificate and private key
# cfssl gencert -initca ca-csr.json | cfssljson -bare ca

Create the etcd TLS certificate
# cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.3.21",
    "192.168.3.22",
    "192.168.3.23",
    "192.168.3.24",
    "192.168.3.25",
    "192.168.3.26",
    "etcd1",
    "etcd2",
    "etcd3",
    "master1",
    "master2",
    "master3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "beijing",
      "L": "beijing",
      "O": "jdt",
      "OU": "iot"
    }
  ]
}
EOF
The hosts list becomes the certificate's subject alternative names. It must contain every address and name that the etcd members and the kube-apiservers on the masters will use to reach etcd, each listed once; an address missing here makes TLS verification fail for that node. (The original listing repeated 192.168.3.23 and omitted 192.168.3.25 and was missing the closing brace; both are corrected above.)

Generate the etcd certificate and private key and distribute them
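Before signing the CSR above it is worth checking the hosts list against the inventory rather than by eye, since a missing or duplicated address only shows up later as a TLS handshake failure on one node. The following bash script is an added example, not part of the original article: it cross-checks the IPv4 entries of etcd-csr.json against the [etcd] and [k8s-master] groups of /etc/ansible/hosts (paths and group names are taken from the article; the function names and the sample files in the demo are this example's own). Only IP literals are checked, not hostnames such as etcd1.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: cross-check the SAN ("hosts")
# list of a cfssl CSR against the ansible inventory before running cfssl gencert.
# Assumes the inventory layout used above ([etcd] and [k8s-master] groups with
# one IPv4 address per line) and a cfssl CSR JSON whose "hosts" array holds the
# addresses as string literals.

# Print the IPv4 addresses of the named inventory groups, one per line.
inventory_ips() {
  local inv="$1"; shift
  awk -v want=" $* " '
    /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
    index(want, " " sec " ") && /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print }
  ' "$inv"
}

# Print every IPv4 literal inside the CSR's "hosts": [...] array.
csr_hosts() {
  tr -d '\n' < "$1" \
    | sed -n 's/.*"hosts"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | grep -oE '"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"' | tr -d '"'
}

# Return 0 when every inventory address is in the CSR exactly once and the CSR
# names nothing outside the inventory; otherwise print each problem, return 1.
check_csr_hosts() {
  local inv="$1" csr="$2" rc=0 ip n wanted have
  wanted=$(inventory_ips "$inv" etcd k8s-master | sort -u)
  have=$(csr_hosts "$csr")
  for ip in $wanted; do
    n=$(printf '%s\n' "$have" | grep -cxF "$ip" || true)
    if [ "$n" -eq 0 ]; then
      echo "MISSING   $ip is in the inventory but not in the CSR hosts list"; rc=1
    elif [ "$n" -gt 1 ]; then
      echo "DUPLICATE $ip appears $n times in the CSR hosts list"; rc=1
    fi
  done
  # Addresses in the CSR that are not etcd or master nodes widen what the
  # certificate is valid for; flag them too.
  for ip in $(printf '%s\n' "$have" | sort -u); do
    if ! printf '%s\n' "$wanted" | grep -qxF "$ip"; then
      echo "EXTRA     $ip is in the CSR hosts list but not in the inventory"; rc=1
    fi
  done
  return "$rc"
}

# Offline demo on constructed files: the CSR has a typical typo, one address
# repeated and the one after it dropped.
demo() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/hosts" <<'EOF'
[etcd]
192.168.3.21
192.168.3.22
192.168.3.23
[k8s-master]
192.168.3.24
192.168.3.25
192.168.3.26
[k8s-worker]
192.168.3.27
192.168.3.28
[k8s:children]
k8s-master
k8s-worker
EOF
  cat > "$dir/etcd-csr.json" <<'EOF'
{"CN": "etcd",
 "hosts": ["192.168.3.21","192.168.3.22","192.168.3.23","192.168.3.24",
           "192.168.3.23","192.168.3.26","etcd1","etcd2","etcd3"],
 "key": {"algo": "rsa", "size": 2048}}
EOF
  if check_csr_hosts "$dir/hosts" "$dir/etcd-csr.json"; then
    echo "CSR hosts list matches the inventory; safe to run cfssl gencert"
  else
    echo "fix etcd-csr.json before running cfssl gencert"
  fi
  rm -rf "$dir"
}
demo
```

Run it as `check_csr_hosts /etc/ansible/hosts /root/ssl/etcd-csr.json` on the ansible host; a non-zero exit means the CSR needs editing before the cfssl gencert command that follows.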
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
# ansible etcd -m copy -a "src=/root/ssl/ dest=/export/Data/certs/"
Note that copying the whole /root/ssl/ directory also puts ca-key.pem on every etcd node. The nodes only need ca.pem, etcd.pem and etcd-key.pem; keep the CA private key on the ansible host (or offline) so that a compromised etcd member cannot mint new certificates.

ETCD installation and configuration
Create the data directory
# ansible etcd -m shell -a "mkdir -p /export/Data/etcd_data"

Download etcd and distribute it
# wget https://github.com/etcd-io/etcd/releases/download/v3.5.1/etcd-v3.5.1-linux-amd64.tar.gz
# tar xf etcd-v3.5.1-linux-amd64.tar.gz && cd etcd-v3.5.1-linux-amd64
# ansible etcd -m copy -a "src=etcd dest=/usr/bin/"
# ansible etcd -m copy -a "src=etcdutl dest=/usr/bin/"
# ansible etcd -m copy -a "src=etcdctl dest=/usr/bin/"
# ansible etcd -m shell -a "chmod +x /usr/bin/etcd*"
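The cfssl binaries earlier and the etcd tarball here are both fetched and then copied to every node as root-owned executables without any integrity check, so a tampered mirror or an intercepted download ends up on the whole cluster. The following bash snippet is an added example, not code from the article or from the etcd project: it refuses to unpack or distribute an archive unless its SHA-256 digest matches the checksum file published next to it (for etcd that is the SHA256SUMS asset on the GitHub release page; its name and URL are assumptions to confirm on the release you use). The demo at the end works on constructed files, so it runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: verify a downloaded release
# against its published SHA-256 checksum file before tar and ansible run.

# SHA-256 of one file, using coreutils sha256sum or BSD/perl shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_sha256 FILE SUMS: 0 on match, 1 on mismatch, 2 if SUMS has no entry.
# SUMS holds "<hex>  <name>" lines as written by sha256sum; "*<name>" (binary
# mode) is accepted as well.
verify_sha256() {
  local file="$1" sums="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "NOENTRY $name is not listed in $sums"; return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" = "$actual" ]; then
    echo "OK      $name"; return 0
  fi
  echo "FAIL    $name: expected $expected, got $actual"; return 1
}

# Operator entry point (assumed URLs; not run by the demo): download the
# archive and its SHA256SUMS, and only after a match extract it and copy the
# binaries to the etcd nodes as the article does.
fetch_and_verify_etcd() {
  local ver="${1:-v3.5.1}"
  local base="https://github.com/etcd-io/etcd/releases/download/$ver"
  local tarball="etcd-$ver-linux-amd64.tar.gz"
  curl -fsSLO "$base/$tarball"
  curl -fsSLO "$base/SHA256SUMS"
  verify_sha256 "$tarball" SHA256SUMS || return $?
  tar xf "$tarball"
  ansible etcd -m copy -a "src=etcd-$ver-linux-amd64/etcd dest=/usr/bin/ mode=0755"
  ansible etcd -m copy -a "src=etcd-$ver-linux-amd64/etcdctl dest=/usr/bin/ mode=0755"
  ansible etcd -m copy -a "src=etcd-$ver-linux-amd64/etcdutl dest=/usr/bin/ mode=0755"
}

# Offline demo on constructed files: a matching archive, then a tampered one.
demo() {
  local dir; dir=$(mktemp -d)
  printf 'pretend this is a release tarball\n' > "$dir/release.tar.gz"
  printf '%s  release.tar.gz\n' "$(sha256_of "$dir/release.tar.gz")" > "$dir/SHA256SUMS"
  verify_sha256 "$dir/release.tar.gz" "$dir/SHA256SUMS"          # OK
  printf 'one byte flipped by a hostile mirror\n' > "$dir/release.tar.gz"
  verify_sha256 "$dir/release.tar.gz" "$dir/SHA256SUMS" || true  # FAIL
  rm -rf "$dir"
}
demo
```

A checksum fetched from the same server as the archive only protects against corruption and a partially compromised path; when the project also signs its checksum file, verify that signature before trusting the sums.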
