k8s-bootstrap/kubeadm-photon-os
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
8130713576db0894b84c13ac833563b014078cac
kubeadm-photon-os/README.md
jorgeboti 8130713576 Actualizar 'README.md'
2021-07-29 13:10:30 +00:00

178 lines
5.1 KiB
Markdown
Raw Blame History

# kubeadm-photon-os
### Pre-Requisitos
sed -i -e "s/^PermitRootLogin *no$/PermitRootLogin yes/" /etc/ssh/sshd_config && systemctl restart sshd
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
EOF
systemctl daemon-reload
systemctl enable docker
systemctl restart docker
tdnf install -y tar wget ebtables ethtool socat conntrack-tools
CNI_VERSION="v0.8.2"
mkdir -p /opt/cni/bin
curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
DOWNLOAD_DIR=/usr/local/bin
CRICTL_VERSION="v1.21.3"
curl -L "https://github.com/kubernetes-sigs/cri-tools/releases/download/${CRICTL_VERSION}/crictl-${CRICTL_VERSION}-linux-amd64.tar.gz" | tar -C $DOWNLOAD_DIR -xz
RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
cd $DOWNLOAD_DIR
curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
chmod +x {kubeadm,kubelet,kubectl}
RELEASE_VERSION="v0.2.7"
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service
mkdir -p /etc/systemd/system/kubelet.service.d
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
systemctl enable --now kubelet
systemctl daemon-reload
cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
systemctl disable iptables
systemctl stop iptables
### Instalación de ETCD Externo
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mkdir /opt/bootstrap
cd /opt/bootstrap/
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname=172.16.100.100,172.16.100.111,172.16.100.112,172.16.100.113,127.0.0.1,kubernetes.default -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
scp ca.pem kubernetes.pem kubernetes-key.pem root@<"PeerIPx">:~
scp ca.pem kubernetes.pem kubernetes-key.pem root@172.16.2.63>:/tmp
scp ca.pem kubernetes.pem kubernetes-key.pem root@172.16.2.64>:/tmp
scp ca.pem kubernetes.pem kubernetes-key.pem root@172.16.2.65>:/tmp
mkdir /etc/etcd
cp ca.pem kubernetes.pem kubernetes-key.pem /etc/etcd
cd /tmp
wget https://github.com/coreos/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
tar -zxvf etcd-v3.5.0-linux-amd64.tar.gz
mv etcd-v3.5.0-linux-amd64/etcd* /usr/local/bin/
cd /opt/bootstrap
mv etcd.service /etc/systemd/system/etcd.service
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
### Actualizar la configuración
kubeadm config migrate --old-config config.yaml --new-config config1.yaml
### Inicializar el cluster
kubeadm init --config=config.yaml
kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'
kubectl patch node photon-kubectr01 -p '{"spec":{"podCIDR":"10.244.0.0/24"}}'
### Copiar certificados al resto de nodos master
scp -r /etc/kubernetes/pki root@172.16.100.112:/etc/kubernetes/.
scp -r /etc/kubernetes/pki root@172.16.100.113:/etc/kubernetes/.
### Realizar en los nuevos nodos
rm /etc/kubernetes/pki/apiserver.*
### Incorporar nuevos master
kubeadm join 172.16.100.100:6443 --token colmta.7uxl2adqk6x6w6wu \
--discovery-token-ca-cert-hash sha256:87497e41439ff2d7c620eff16c534d1c67c8dc0a9b6c43543bc4e008305f7106 \
--control-plane
### Incorporar nuevos workers
kubeadm join 172.16.100.100:6443 --token colmta.7uxl2adqk6x6w6wu \
--discovery-token-ca-cert-hash sha256:87497e41439ff2d7c620eff16c534d1c67c8dc0a9b6c43543bc4e008305f7106
### Despliegue de calico
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
### Ajustar iptables /etc/systemd/scripts/ip4save
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2379:2380 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10250:10252 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4789 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Jul 28 18:36:00 2021
Reference in New Issue View Git Blame Copy Permalink