Kubernetes
Kubernetes Architecture (I)

There are tools that create Kubernetes clusters automatically, but once you understand how Kubernetes works it is worth building a cluster by hand and looking at its whole architecture step by step. We are going to create a cluster with five nodes, 3 masters and 2 workers:

Master1 172.20.20.10
Master2 172.20.20.11
Master3 172.20.20.12
Nodo1 172.20.20.13
Nodo2 172.20.20.14

All Kubernetes components talk to each other over TLS, authenticating with certificates, so those certificates have to be created first. Several tools can sign certificates; the best-known open source ones are openssl and cfssl. We will use cfssl. We configure the master nodes first and move on to the workers later. We add the machines' addresses to /etc/hosts:

172.20.20.10 master1 master1.scmsi.es
172.20.20.11 master2 master2.scmsi.es
172.20.20.12 master3 master3.scmsi.es

The first step is to generate a CA (certificate authority) key. We download the cfssl software and place it in a directory we create, /usr/kubernetes:
```shell
mkdir -p /usr/kubernetes
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl* /usr/kubernetes
chmod +x /usr/kubernetes/cfssl*
# the commands that follow call cfssl_linux-amd64 and cfssljson_linux-amd64
# by name, so /usr/kubernetes is assumed to be on PATH
```
Generate a default signing configuration and edit it so that it defines two profiles, "kubernetes" for server certificates and "client" for client certificates:

```shell
cfssl_linux-amd64 print-defaults config > ca.json
```

ca.json after editing:

```json
{
  "signing": {
    "default": {
      "expiry": "168h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
```
Generate a default certificate signing request and edit it with the CA's subject:

```shell
cfssl_linux-amd64 print-defaults csr > csr.json
```

csr.json after editing:

```json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "ES",
      "L": "MADRID",
      "ST": "MADRID",
      "O": "SCM",
      "OU": "ClusterK8s"
    }
  ]
}
```
```shell
# produces ca.pem, ca-key.pem and ca.csr in the current directory
cfssl_linux-amd64 gencert -initca csr.json | cfssljson_linux-amd64 -bare ca
```
```shell
# ca* also matches ca.json, which the gencert commands below read from /etc/kubernetes/ssl
mkdir -p /etc/kubernetes/ssl
cp ca* /etc/kubernetes/ssl
```
Download etcd and copy its binaries next to cfssl (the tarball extracts into a directory named after the release):

```shell
wget https://github.com/coreos/etcd/releases/download/v3.2.9/etcd-v3.2.9-linux-amd64.tar.gz
tar xzvf etcd-v3.2.9-linux-amd64.tar.gz
cp etcd-v3.2.9-linux-amd64/etcd etcd-v3.2.9-linux-amd64/etcdctl /usr/kubernetes/
```
Each etcd member gets its own certificate; "hosts" must list the addresses that member listens on, so this file is master1's and the other masters use their own IP:

etcd-cert.json:

```json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "172.20.20.10"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "ES",
      "ST": "MADRID",
      "L": "MADRID",
      "O": "SCM",
      "OU": "ClusterK8s"
    }
  ]
}
```

Sign it with the CA using the "kubernetes" profile and install the result:

```shell
cfssl_linux-amd64 gencert \
  -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/etc/kubernetes/ssl/ca.json \
  -profile=kubernetes etcd-cert.json | cfssljson_linux-amd64 -bare etcd
mkdir -p /etc/etcd/ssl
cp etcd*pem /etc/etcd/ssl
mkdir -p /var/lib/etcd
```
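Before copying a certificate into /etc/etcd/ssl it pays to verify three things: that it chains to the CA created earlier, that its SAN list carries the address this member actually listens on, and that it is usable for server authentication. The script below is an added example and not code from the original post. It assumes openssl is installed and uses it to produce a constructed CA and node certificate that stand in for the cfssl output above; the checks apply to cfssl-generated certificates in exactly the same way.

```shell
#!/bin/sh
# Added example, not code from the original post: checks a node certificate
# before it is installed under /etc/etcd/ssl. openssl is assumed to be
# available; the CA and certificate created here are a constructed stand-in
# for the cfssl output in the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR : self-signed CA, stand-in for "cfssl gencert -initca"
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=kubernetes/O=SCM/OU=ClusterK8s" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# make_node_cert DIR NAME IP [EKU] : CA-signed cert whose SAN list holds
# 127.0.0.1 and IP, like the "hosts" entry of etcd-cert.json
make_node_cert() {
  dir=$1; name=$2; ip=$3; eku=${4:-serverAuth}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
  printf 'subjectAltName=IP:127.0.0.1,IP:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$ip" "$eku" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# check_cert CA CERT IP : prints "ok" when CERT chains to CA, lists IP in its
# SANs and is usable for server auth; otherwise prints which check failed
check_cert() {
  ca=$1; cert=$2; ip=$3
  text=$(openssl x509 -in "$cert" -noout -text)
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo chain; return 1; }
  printf '%s\n' "$text" | grep -qE "IP Address:$ip(,| |\$)" || { echo san; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || { echo eku; return 1; }
  echo ok
}

# Demo: a cert issued for master1 is valid for 172.20.20.10 only; each
# master needs its own cert with its own address in "hosts"
make_ca "$WORK"
make_node_cert "$WORK" master1 172.20.20.10
check_cert "$WORK/ca.pem" "$WORK/master1.pem" 172.20.20.10         # ok
check_cert "$WORK/ca.pem" "$WORK/master1.pem" 172.20.20.12 || true # san
```

The "san" failure is the one that bites when one certificate is copied to all three masters: the TLS handshake with master3 fails because 172.20.20.12 is not in the certificate, which is why the etcd-cert.json above has to be regenerated per node.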
The systemd unit for etcd on master1 (the other masters use their own name and addresses in --name, the peer URLs and the client URLs):

```ini
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
# the second client URL is a plaintext (http) listener: anything that can reach
# it reads and writes etcd without TLS
ExecStart=/usr/kubernetes/etcd --name=master1 \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --peer-cert-file=/etc/etcd/ssl/etcd.pem \
  --peer-key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --initial-advertise-peer-urls=https://172.20.20.10:2380 \
  --listen-peer-urls=https://172.20.20.10:2380 \
  --listen-client-urls=https://172.20.20.10:2379,http://scmsi.es:2379 \
  --advertise-client-urls=https://172.20.20.10:2379 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster=master1=https://172.20.20.10:2380,master2=https://172.20.20.11:2380,master3=https://172.20.20.12:2380 \
  --initial-cluster-state=new \
  --data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
```

Load and start the unit:

```shell
systemctl daemon-reload
systemctl enable etcd
systemctl start etcd
systemctl status etcd
```
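Two things in this unit deserve a second look before it goes into service: the plaintext http listener on the client port, and the absence of --client-cert-auth and --peer-client-cert-auth, without which etcd never asks a TLS client for a certificate, so the --cert/--key that etcdctl presents later are not checked. The audit script below is an added example, not part of the original post; it writes a constructed copy of the unit's ExecStart to a temporary file and reports those findings.

```shell
#!/bin/sh
# Added example, not part of the original post: an audit of an etcd systemd
# unit that reports the settings a reviewer should question before the unit
# goes live. The unit written below is a constructed sample whose ExecStart
# mirrors the one used in this post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/etcd.service" <<'EOF'
[Unit]
Description=Etcd Server
[Service]
Type=notify
ExecStart=/usr/kubernetes/etcd --name=master1 \
  --cert-file=/etc/etcd/ssl/etcd.pem \
  --key-file=/etc/etcd/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --listen-peer-urls=https://172.20.20.10:2380 \
  --listen-client-urls=https://172.20.20.10:2379,http://scmsi.es:2379 \
  --advertise-client-urls=https://172.20.20.10:2379
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF

# execstart_flags FILE : joins the backslash-continued ExecStart= line and
# prints its arguments one per line
execstart_flags() {
  awk '/^ExecStart=/ { on = 1 }
       on { cont = ($0 ~ /\\$/); line = $0; sub(/\\$/, "", line)
            printf "%s ", line; if (!cont) exit }' "$1" |
    sed 's/^ExecStart=//' | tr ' ' '\n' | grep -v '^$'
}

# audit_etcd_unit FILE : prints one finding per line and returns the number
# of findings (0 means nothing to report)
audit_etcd_unit() {
  n=0
  flags=$(execstart_flags "$1")
  # a plaintext listener hands the whole cluster state to anyone who can reach it
  for f in $flags; do
    case $f in
      --listen-client-urls=*|--listen-peer-urls=*)
        case ${f#*=} in
          *http://*) echo "plaintext listener: $f"; n=$((n + 1)) ;;
        esac ;;
    esac
  done
  # without these flags etcd does not require a client certificate on the
  # client or peer port, so the cert/key given to etcdctl are never verified
  for want in --client-cert-auth --peer-client-cert-auth; do
    printf '%s\n' "$flags" | grep -qE -e "^$want(=true)?\$" ||
      { echo "missing $want"; n=$((n + 1)); }
  done
  return "$n"
}

# Demo: the sample unit above produces three findings
audit_etcd_unit "$WORK/etcd.service" || echo "$? finding(s)"
```

Run it against /etc/systemd/system/etcd.service (or wherever the unit is saved) on each master; a clean unit returns 0 and prints nothing.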
Once the unit is running on all three masters, list the members (the endpoint here is master3, so it must be up and its certificate must cover 172.20.20.12):

```shell
ETCDCTL_API=3 /usr/kubernetes/etcdctl \
  --endpoints=https://172.20.20.12:2379 \
  --cacert=/etc/kubernetes/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  member list
```