k8s notes 002: kube-apiserver deployment

0. Environment
Three hosts, with the following hostnames and IP addresses
VIP: 172.18.0.200
Hostname: k8s-master01 IP: 172.18.0.142 role: master, also the certificate server
Hostname: k8s-master02 IP: 172.18.0.143 role: backup
Hostname: k8s-master03 IP: 172.18.0.146 role: backup

Network plan:
Server subnet: 172.18.0.0/16
Container subnet: 172.30.0.0/16
Service subnet: 169.169.0.0/16

1. Disable SELinux and firewalld (on all three hosts)
[root@k8s-master01 ~]# setenforce 0 > /dev/null 2>&1 && sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@k8s-master01 ~]# systemctl stop firewalld
[root@k8s-master01 ~]# systemctl disable firewalld

2. Install ntp (on all three hosts)
[root@k8s-master01 ~]# yum -y install ntp
[root@k8s-master01 ~]# systemctl enable ntpd
[root@k8s-master01 ~]# systemctl start ntpd

3. Install docker (on all three hosts)
[root@k8s-master01 ~]# yum -y install docker
[root@k8s-master01 ~]# systemctl start docker
[root@k8s-master01 ~]# systemctl enable docker

4. Generate certificates (run on k8s-master01 only, then copy the certificates to /etc/kubernetes/ssl on the other two hosts)
4.1 Generate the CA certificate and private key
[root@k8s-master01 ~]# mkdir /root/ssl
[root@k8s-master01 ~]# cd /root/ssl/
[root@k8s-master01 ssl]# openssl genrsa -out ca.key 2048
[root@k8s-master01 ssl]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=heyjava.com" -days 3650 -out ca.crt
4.2 Generate the certificate and private key used by the apiserver
[root@k8s-master01 ssl]# openssl genrsa -out kube-apiserver.key 2048
[root@k8s-master01 ssl]# vim kube-apiserver.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-master
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 169.169.0.1
IP.2 = 172.18.0.142
IP.3 = 172.18.0.143
IP.4 = 172.18.0.146
IP.5 = 172.18.0.200
[root@k8s-master01 ssl]# openssl req -new -key kube-apiserver.key -subj "/CN=k8s-master" -config kube-apiserver.cnf -out kube-apiserver.csr
[root@k8s-master01 ssl]# openssl x509 -req -in kube-apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -extensions v3_req -extfile kube-apiserver.cnf -out kube-apiserver.crt
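Added example (not part of the original notes): a check that the [alt_names] list in kube-apiserver.cnf covers every name and address clients will use, derived from the plan in section 0. The function names are hypothetical; the first address of the service subnet is included because the in-cluster "kubernetes" Service is assigned it.

```python
import configparser
import ipaddress

# Constructed input: the [alt_names] section of kube-apiserver.cnf from step 4.2.
CNF = """
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-master
DNS.6 = k8s-master01
DNS.7 = k8s-master02
DNS.8 = k8s-master03
IP.1 = 169.169.0.1
IP.2 = 172.18.0.142
IP.3 = 172.18.0.143
IP.4 = 172.18.0.146
IP.5 = 172.18.0.200
"""

def required_sans(service_cidr, node_ips, vip, hostnames):
    """Names and addresses that clients use to reach the apiserver."""
    # The in-cluster "kubernetes" Service gets the first address of the service range.
    first_svc_ip = str(next(iter(ipaddress.ip_network(service_cidr).hosts())))
    dns = {"kubernetes", "kubernetes.default", "kubernetes.default.svc",
           "kubernetes.default.svc.cluster.local"} | set(hostnames)
    return dns, {first_svc_ip, vip} | set(node_ips)

def missing_sans(cnf_text, dns_needed, ips_needed):
    """Return (missing DNS names, missing IPs) for an openssl [alt_names] section."""
    cp = configparser.ConfigParser()
    cp.read_string(cnf_text)
    have_dns, have_ips = set(), set()
    for key, value in cp["alt_names"].items():  # configparser lower-cases keys
        kind = key.split(".")[0]
        if kind == "dns":
            have_dns.add(value.strip().lower())
        elif kind == "ip":
            have_ips.add(str(ipaddress.ip_address(value.strip())))
    return sorted(dns_needed - have_dns), sorted(ips_needed - have_ips)

def check_page_plan(cnf_text=CNF):
    dns, ips = required_sans(
        "169.169.0.0/16", ["172.18.0.142", "172.18.0.143", "172.18.0.146"],
        "172.18.0.200", ["k8s-master01", "k8s-master02", "k8s-master03"])
    return missing_sans(cnf_text, dns, ips)

print(check_page_plan())
```

An entry reported as missing means TLS verification fails for clients that connect through that name or address, for example through the keepalived VIP.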
4.3 Generate the client certificate and private key for kube-controller-manager
[root@k8s-master01 ssl]# openssl genrsa -out kube-controller-manager.key 2048
[root@k8s-master01 ssl]# openssl req -new -key kube-controller-manager.key -subj "/CN=k8s-controller-manager" -out kube-controller-manager.csr
[root@k8s-master01 ssl]# openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-controller-manager.crt -days 3650
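4.4 Generate the client certificate and private key for kube-scheduler
This can be generated as in 4.3, or it can share the controller-manager certificate. Since we will deploy controller-manager and scheduler on the same machine, there is no need to generate another certificate; the two can use the same one, and that is what we choose here.
4.5 Generate the client certificate and private key for kubelet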
[root@k8s-master01 ssl]# openssl genrsa -out kubelet.key 2048
[root@k8s-master01 ssl]# openssl req -new -key kubelet.key -subj "/CN=k8s-kubelet" -out kubelet.csr
[root@k8s-master01 ssl]# openssl x509 -req -in kubelet.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kubelet.crt -days 3650
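4.6 Generate the client certificate and private key for kube-proxy
This can be generated as in 4.5, or it can share the kubelet certificate. Since we will deploy kube-proxy and kubelet on the same machine, there is no need to generate another certificate; the two can use the same one, and that is what we choose here.
4.7 Copy all certificates to /etc/kubernetes/ssl/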
[root@k8s-master01 bin]# mkdir /etc/kubernetes/ssl -pv
[root@k8s-master01 ssl]# cp ./*.crt ./*.key /etc/kubernetes/ssl/
[root@k8s-master01 ssl]# ls /etc/kubernetes/ssl/
ca.crt ca.key kube-apiserver.crt kube-apiserver.key kube-controller-manager.crt kube-controller-manager.key kubelet.crt kubelet.key

5. Deploy the kube-apiserver service (on all three hosts)
5.1 Copy the kube-apiserver binary to /usr/bin/
[root@k8s-master01 bin]# ls /usr/bin/kube-apiserver
/usr/bin/kube-apiserver
[root@k8s-master01 bin]# chmod +x /usr/bin/kube-apiserver
5.2 Create the service unit file for kube-apiserver
[root@k8s-master01 bin]# vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
After=etcd.service

[Service]
Type=notify
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
5.3 Edit the configuration file
[root@k8s-master01 bin]# vim /etc/kubernetes/apiserver
KUBE_API_ARGS="--etcd-servers=http://172.18.0.142:2379,http://172.18.0.143:2379,http://172.18.0.146:2379 --bind-address=0.0.0.0 --secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 --service-node-port-range=1-65535 --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --logtostderr=false --log-dir=/opt/logs/kubernetes --v=2 --client-ca-file=/etc/kubernetes/ssl/ca.crt --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver.key --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.crt --tls-ca-file=/etc/kubernetes/ssl/ca.crt --allow-privileged=true"
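Added example (not part of the original notes): a small audit of the KUBE_API_ARGS value that lists the settings worth reviewing before this apiserver is exposed beyond a lab. The function names, finding ids and the HARDENED_ARGS comparison string are hypothetical; the defaults used (AlwaysAllow authorization, NodePort range 30000-32767) are kube-apiserver's own.

```python
import shlex

# Constructed input: KUBE_API_ARGS from step 5.3, trimmed to the flags examined.
PAGE_ARGS = ("--etcd-servers=http://172.18.0.142:2379 --bind-address=0.0.0.0 "
             "--secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 "
             "--service-node-port-range=1-65535 "
             "--client-ca-file=/etc/kubernetes/ssl/ca.crt --allow-privileged=true")

# Tightened variant for comparison; https etcd endpoints and RBAC are assumptions
# about the target cluster, not settings taken from the page.
HARDENED_ARGS = ("--etcd-servers=https://172.18.0.142:2379 --bind-address=0.0.0.0 "
                 "--secure-port=6443 --service-cluster-ip-range=169.169.0.0/16 "
                 "--service-node-port-range=30000-32767 --authorization-mode=RBAC "
                 "--client-ca-file=/etc/kubernetes/ssl/ca.crt --allow-privileged=false")

def parse_flags(arg_string):
    """Split a kube-apiserver argument string into {flag: value}."""
    flags = {}
    for token in shlex.split(arg_string):
        name, _, value = token.lstrip("-").partition("=")
        flags[name] = value
    return flags

def audit(arg_string):
    """Return sorted finding ids for settings that deserve review."""
    f = parse_flags(arg_string)
    findings = []
    # etcd stores every Secret; http:// endpoints carry them unencrypted.
    urls = [u for u in f.get("etcd-servers", "").split(",") if u]
    if any(not u.startswith("https://") for u in urls):
        findings.append("etcd-plaintext")
    # With no --authorization-mode the apiserver defaults to AlwaysAllow.
    if "AlwaysAllow" in f.get("authorization-mode", "AlwaysAllow").split(","):
        findings.append("authz-always-allow")
    # A NodePort range that reaches below 1024 or spans the secure port lets a
    # Service be allocated a port that a host daemon already listens on.
    lo, _, hi = f.get("service-node-port-range", "30000-32767").partition("-")
    secure = int(f.get("secure-port", "6443"))
    if int(lo) < 1024 or int(lo) <= secure <= int(hi):
        findings.append("nodeport-range-too-wide")
    if f.get("allow-privileged", "false") == "true":
        findings.append("privileged-containers-allowed")
    return sorted(findings)

print(audit(PAGE_ARGS))
```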
5.4 Create the log directory
[root@k8s-master01 ssl]# mkdir /opt/logs/kubernetes -pv
5.5 Start the service
[root@k8s-master01 ssl]# systemctl daemon-reload
[root@k8s-master01 ssl]# systemctl enable kube-apiserver
[root@k8s-master01 ssl]# systemctl start kube-apiserver

6. Deploy keepalived for high availability
6.1 Install keepalived
[root@k8s-master01 ssl]# yum -y install keepalived
[root@k8s-master01 ssl]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak

6.2 Configure keepalived on the master node (k8s-master01)
[root@k8s-master01 ssl]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
    notification_email {
        hdb@tzg.cn
    }
    notification_email_from admin@tzg.cn
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id KUBE_APISERVER_HA
}

vrrp_script chk_kube_apiserver {
    script "curl -k https://127.0.0.1:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eno16777728
    virtual_router_id 111
    priority 100
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass heyjava
    }
    virtual_ipaddress {
        172.18.0.200
    }
    track_script {
        chk_kube_apiserver
    }
    notify_master "/etc/keepalived/notify.py -n master -a 172.18.0.200"
    notify_backup "/etc/keepalived/notify.py -n backup -a 172.18.0.200"
    notify_fault "/etc/keepalived/notify.py -n fault -a 172.18.0.200"
}
6.3 Configure keepalived on the backup node (k8s-master02)
! Configuration File for keepalived

global_defs {
    notification_email {
        hdb@tzg.cn
    }
    notification_email_from admin@tzg.cn
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id KUBE_APISERVER_HA
}

vrrp_script chk_kube_apiserver {
    script "curl -k https://127.0.0.1:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eno16777728
    virtual_router_id 111
    priority 99
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass heyjava
    }
    virtual_ipaddress {
        172.18.0.200
    }
    track_script {
        chk_kube_apiserver
    }
    notify_master "/etc/keepalived/notify.py -n master -a 172.18.0.200"
    notify_backup "/etc/keepalived/notify.py -n backup -a 172.18.0.200"
    notify_fault "/etc/keepalived/notify.py -n fault -a 172.18.0.200"
}
6.4 Configure keepalived on the backup node (k8s-master03)
! Configuration File for keepalived

global_defs {
    notification_email {
        hdb@tzg.cn
    }
    notification_email_from admin@tzg.cn
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    router_id KUBE_APISERVER_HA
}

vrrp_script chk_kube_apiserver {
    script "curl -k https://127.0.0.1:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eno16777728
    virtual_router_id 111
    priority 98
    advert_int 1
    nopreempt
    authentication {
        auth_type PASS
        auth_pass heyjava
    }
    virtual_ipaddress {
        172.18.0.200
    }
    track_script {
        chk_kube_apiserver
    }
    notify_master "/etc/keepalived/notify.py -n master -a 172.18.0.200"
    notify_backup "/etc/keepalived/notify.py -n backup -a 172.18.0.200"
    notify_fault "/etc/keepalived/notify.py -n fault -a 172.18.0.200"
}
6.5 Write the notification script (needed on all three machines)
[root@k8s-master01 ssl]# vi /etc/keepalived/notify.py
#!/usr/bin/python
#-*- coding:utf-8 -*-

'''
@file: notify.py
@author: Hu Dongbiao
@date: 2016/12/15 11:24
@version: 1.0
@email: hdb@tzg.cn
'''

import argparse
import sys
import smtplib
from email.mime.text import MIMEText

# Parse the arguments passed in
parser = argparse.ArgumentParser(description=u"vrrp狀態切換通知腳本")
parser.add_argument("-n", "--notify", choices=["master", "backup", "fault"], help=u"指定通知的類型,即vrrp角色切換的目標角色")
parser.add_argument("-a", "--address", help=u"指定相關虛擬路由器的VIP地址")
args = parser.parse_args()
# notify is the current role: one of master, backup, fault
notify = args.notify
# address is the VRRP virtual address
address = args.address

# Send the alert email
# The SMTP credentials are hardcoded below, so keep this file readable by root only
smtp_host = 'smtp.exmail.qq.com'
smtp_user = 'admin@tzg.cn'
smtp_password = 'Tzg2014'
mail_from = 'admin@tzg.cn'
mail_to = 'hdb@tzg.cn,hxf@tzg.cn,clb@tzg.cn'
mail_subject = u'[監控]VRRP角色切換'
mail_body = '''
<p>管理員,你好:</p>
<p style="text-indent:2em;"><strong>您的HA地址{vrrp_address}已切換角色為{vrrp_role},請及時處理</strong></p>
'''.format(vrrp_address=address, vrrp_role=notify)
msg = MIMEText(mail_body, 'html', 'utf-8')
msg['From'] = mail_from
msg['To'] = mail_to
msg['Subject'] = mail_subject
smtp = smtplib.SMTP()
smtp.connect(smtp_host)
smtp.login(smtp_user,smtp_password)
# sendmail() expects a list of envelope recipients, not one comma-separated string
smtp.sendmail(mail_from, mail_to.split(','), msg.as_string())
smtp.quit()
[root@k8s-master01 ssl]# chmod +x /etc/keepalived/notify.py
6.6 Start the keepalived service (on all three hosts)
[root@k8s-master01 ssl]# systemctl enable keepalived
[root@k8s-master01 ssl]# systemctl start keepalived
[root@k8s-master01 ssl]# systemctl status keepalived
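6.7 Verify that keepalived works correctly
1) Verify that the master node has taken over the VIP 172.18.0.200
2) Stop the kube-apiserver service on the master node and verify that backup node 1 takes over the VIP
3) Then stop backup node 1 and verify that backup node 2 takes over the VIP
Note: the notification email was not sent here; I will troubleshoot that later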

Issue 1:
Sep 8 11:26:08 k8s-master01 systemd: Starting Kubernetes API Server...
Sep 8 11:26:09 k8s-master01 kube-apiserver: Unable to find suitable network address.error='Unable to select an IP.'. Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.
Sep 8 11:26:09 k8s-master01 systemd: kube-apiserver.service: main process exited, code=exited, status=1/FAILURE
Sep 8 11:26:09 k8s-master01 systemd: Failed to start Kubernetes API Server.
Sep 8 11:26:09 k8s-master01 systemd: Unit kube-apiserver.service entered failed state.
Sep 8 11:26:09 k8s-master01 systemd: kube-apiserver.service failed.
Sep 8 11:26:10 k8s-master01 systemd: kube-apiserver.service holdoff time over, scheduling restart.
Fix: set a default gateway
