1.基础环境安装

1.1 修改操作系统源、docker 源

将 centos7.5 的系统源修改为国内主流站点的系统源

国内主流系统源

  • 中科大 linux 各类源 http://mirrors.ustc.edu.cn/
  • 阿里 linux 各类源 https://developer.aliyun.com/mirror
  • 163 linux 各类源 http://tel.mirrors.163.com/
    配置方法打开相应的网站有教程,按照教程配置就好。我的配置的是中科大的源
    配置命令如下,
    [root@jiuwo-master ~]# sudo sed -e 's|^mirrorlist=|#mirrorlist=|g' \
             -e 's|^#baseurl=http://mirror.centos.org/centos|baseurl=https://mirrors.ustc.edu.cn/centos|g' \
             -i.bak \
             /etc/yum.repos.d/CentOS-Base.repo
    配置完成后如下
    cat /etc/yum.repos.d/CentOS-Base.repo
    # CentOS-Base.repo
    #
    # The mirror system uses the connecting IP address of the client and the
    # update status of each mirror to pick mirrors that are updated to and
    # geographically close to the client.  You should use this for CentOS updates
    # unless you are manually picking other mirrors.
    #
    # If the mirrorlist= does not work for you, as a fall back you can try the
    # remarked out baseurl= line instead.
    #
    #
    [base]
    name=CentOS-$releasever - Base
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
    baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/os/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
    baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    #additional packages that may be useful
    [extras]
    name=CentOS-$releasever - Extras
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra
    baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/extras/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    #additional packages that extend functionality of existing packages
    [centosplus]
    name=CentOS-$releasever - Plus
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
    baseurl=https://mirrors.ustc.edu.cn/centos/$releasever/centosplus/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    配置完成后更新源缓存
    [root@jiuwo-master ~]# yum makecache

    设置 docker 国内源

    由于 dockerhub 在国外,收到 GFW 和网速的影响,在安装过程中容易出现各种问题,影响心情,所以修改 docker 源为国内的,前文提到的三个网站均提供国内的 docker 源。我使用的是阿里云的源,配置如下。
    [root@jiuwo-master ~]# yum install wget(如果已安装wget,此步可以忽略)
    [root@jiuwo-master ~]# wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

    1.2 安装 docker

    [root@jiuwo-master ~]# yum install docker-ce docker-ce-cli
    …………此处省略一万字需要安装依赖的请输入YES
    [root@jiuwo-master ~]# systemctl start docker
    [root@jiuwo-master ~]# systemctl enable docker
    [root@jiuwo-master ~]# docker -v
    Docker version 19.03.8, build afacb8b
    如果遇到 Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?的问题可尝试以下方式解决
    $ systemctl daemon-reload
    $ sudo service docker restart
    $ sudo service docker status (should see active (running))

    2、安装 k8s

    内网加固

对于etcd节点,运行以下命令:

[root@jiuwo-master ~]# firewall-cmd --list-rich-rule
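# Firewall rules for an etcd node.
# Every rule below is written with --permanent, which only edits the on-disk
# configuration; nothing reaches the running firewall until --reload at the
# end (the original listing stopped before that step, so the rules never took
# effect until the next firewalld restart).
cluster_net='192.168.99.162/28'   # peer subnet allowed to reach this node
stale_net='139.130.99.162/28'     # previously allowed range being revoked

# Inbound TCP ports opened to the cluster subnet (2379/2380 are the etcd
# client/peer ports, 10250 the kubelet, the rest as used by this cluster).
# Values are passed unquoted inside the rich rule; that is exactly what the
# original nested double quotes produced after the shell consumed them.
for port in 2376 2379 2380 8472 9099 10250; do
  firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cluster_net} port port=${port} protocol=tcp accept"
done

# Revoke the older rules that accepted traffic from the stale range. Each
# command stands on its own, so a rule that is already absent does not stop
# the remaining removals.
# NOTE(review): 6643 is kept as written, but no other node type opens 6643
# (the control-plane and worker lists use 6443) — confirm the intended value.
for port in 6643 10254 2380 8472 9099 10250 1180 11443 30000-32767; do
  firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=${stale_net} port port=${port} protocol=tcp accept"
done
firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=${stale_net} port port=30000-32767 protocol=udp accept"

# Apply the permanent configuration to the running firewall.
firewall-cmd --reload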

对于control plane节点,运行以下命令:

[root@jiuwo-master ~]# firewall-cmd --list-rich-rule
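# Firewall rules for a control-plane node.
# --permanent only edits the on-disk configuration; the trailing --reload is
# what makes the rules active (the original listing omitted it).
cluster_net='192.168.99.162/28'   # subnet allowed to reach this node

# Inbound TCP ports opened to the cluster subnet (6443 is the API server,
# 10250 the kubelet, 30000-32767 the NodePort range).
# Values are passed unquoted inside the rich rule; that is exactly what the
# original nested double quotes produced after the shell consumed them.
for port in 1180 11443 2376 6443 8472 9099 10250 10254 30000-32767; do
  firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cluster_net} port port=${port} protocol=tcp accept"
done
# NodePort range also needs UDP.
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cluster_net} port port=30000-32767 protocol=udp accept"

# Apply the permanent configuration to the running firewall.
firewall-cmd --reload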

对于worker nodes节点,运行以下命令:

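# Firewall rules for a worker node.
# Show the rich rules currently active before changing anything.
firewall-cmd --list-rich-rule

# --permanent only edits the on-disk configuration; the trailing --reload is
# what makes the rules active (the original listing omitted it).
cluster_net='192.168.99.162/28'   # subnet allowed to reach this node

# Inbound TCP ports opened to the cluster subnet (80/443 for ingress traffic,
# 6443 the API server, 10250 the kubelet, 30000-32767 the NodePort range).
# Values are passed unquoted inside the rich rule; that is exactly what the
# original nested double quotes produced after the shell consumed them.
for port in 80 443 1180 11443 2376 6443 8472 9099 10250 10254 30000-32767; do
  firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cluster_net} port port=${port} protocol=tcp accept"
done
# NodePort range also needs UDP.
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${cluster_net} port port=30000-32767 protocol=udp accept"

# Apply the permanent configuration to the running firewall.
firewall-cmd --reload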

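# Blanket allow for a single host: every port and protocol from 192.168.99.162.
# The original line used typographic dashes and curly quotes (–, ”), which
# firewall-cmd does not parse; this is the same rule with plain ASCII.
# It supersedes the per-port rules above for that address, so keep it only if
# that host genuinely needs unrestricted access to the node.
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=192.168.99.162 accept"
# --permanent alone does not touch the running firewall; reload to apply.
firewall-cmd --reload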

参考文献