-首先需要一个etcd服务
工具下载不再介绍了 创建 ca 证书
tee ca-config.json<<-'EOF'
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"server": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
},
"client": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
tee ca-csr.json <<-‘EOF’
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
生成客户端证书
tee client.json <<-'EOF'
{
"CN": "client",
"key": {
"algo": "ecdsa",
"size": 256
}
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client -
生成server,peer证书
tee etcd.json <<'EOF'
{
"CN": "etcd",
"hosts": [
"192.168.10.28",
"192.168.10.82",
"192.168.10.128"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BJ"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd.json | cfssljson -bare peer
证书生成完毕真麻烦没有办法 开始配置etcd
tee /lib/systemd/system/etcd.service <<-'EOF'
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=notify
#EnvironmentFile=/usr/local/tools/cfg/etcd.conf
ExecStart=/usr/local/etcd-v3.5.2-linux-amd64/etcd \
--data-dir=/data/etcd/default.etcd \
--name=etcd-0 \
--cert-file=/usr/local/tools/server.pem \
--key-file=/usr/local/tools/server-key.pem \
--peer-cert-file=/usr/local/tools/server.pem \
--peer-key-file=/usr/local/tools/server-key.pem \
--trusted-ca-file=/usr/local/tools/ca.pem \
--peer-trusted-ca-file=/usr/local/tools/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--listen-peer-urls=https://192.168.10.28:2380 \
--initial-advertise-peer-urls=https://192.168.10.28:2379 \
--listen-client-urls=https://192.168.10.28:2379 \
--advertise-client-urls=https://192.168.10.28:2379 \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
确认可以正常访问
etcdctl --endpoints="https://192.168.10.28:2379" \
--cacert=/usr/local/tools/ca.pem \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem \
member list -w table
etcdctl --endpoints="https://192.168.10.28:2379" \
--cacert=/usr/local/tools/ca.pem \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem \
endpoint status -w table
最后交给k8s使用
kubeadm config print init-defaults > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 192.168.10.30 本机IP
bindPort: 6443
nodeRegistration:
criSocket: /run/containerd/containerd.sock
imagePullPolicy: IfNotPresent
name: master
taints: null
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
external: 使用外部etcd
endpoints:
- https://192.168.10.28:2379 使用外部etcd
caFile: /usr/local/tools/ca.pem
certFile: /usr/local/tools/client.pem
keyFile: /usr/local/tools/client-key.pem
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.23.0
networking:
dnsDomain: cluster.local
podSubnet: 172.16.0.0/16
serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"
初始化
kubeadm init --config=kubeadm-config.yaml
实验1
1.创建一组容器
2.做个etcd快照
etcdctl --endpoints="https://192.168.10.28:2379" \
--cacert=/usr/local/tools/ca.pem \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem \
snapshot save /tmp/etcd3.db
3.将刚才那组pods删除
4.再回到etcd恢复刚才那组pod
etcdctl --endpoints="https://192.168.10.28:2379" \
--cacert=/usr/local/tools/ca.pem \
--cert=/usr/local/tools/server.pem \
--key=/usr/local/tools/server-key.pem \
snapshot restore /tmp/etcd3.db
当前会出现一个新的目录
将老的目录备份
mv /data/etcd/default.etcd /data/etcd/default.etcd-789
将刚才的快照移到此处即可,不用重启任何服务
mv default.etcd/ /data/etcd/
回到k8s
|